Cryptography experts pen open letter against NSA surveillance

By Tom Warren

nsa stock

The pressure on the US government to reform the NSA’s surveillance programs is growing. Apple, Google, and Microsoft all called for change last month alongside apetition from international authors calling for an end to mass surveillance. President Obama announced big changes to government surveillance programs, but most of them centered around the NSA’s bulk collection of Americans’ phone records, not its spying on internet communications. In an open letter published on Friday, more than 50 cryptography experts are asking the US government to make more changes to protect privacy.

“The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy, and the US technology sector is readily apparent,” the authors of the open letter state. “Because transparency and public consent are at the core of our democracy, we call upon the US government to subject all mass-surveillance activities to public scrutiny and to resist the deployment of mass-surveillance programs in advance of sound technical and social controls.”


Although the letter doesn’t mention Obama, it’s clear the president’s recent speech has not eased concerns from cryptographers over the weakening of encryption standards. An independent review panel has recommended that the NSA be separated from NIST’s cryptography approval process, and that the NSA should not hold encrypted communication as a way to avoid retention limits. The signatories back the five principles put forth by Apple, Google, Microsoft, and others last month, noting they “provide a good starting point.”

Dr. Ronald Rivest is one of the key signatories on the list of more than 50 cryptographers, alongside MIT professor Hal Abelson, a founding director of the Free Software Foundation. Rivest, also a MIT professor, is one of the inventors of the RSA algorithm and founders of RSA Security. The RSA security firm was forced to deny last month that it entered into a contract it knew would provide the NSA a backdoor into one of its security systems. The controversy sparked concerns around the NSA’s involvement with the NIST cryptography approval process.

Other signatories include former federal employees, and The Washington Post notes that some have received funding from defense agencies for research. “The choice is not whether to allow the NSA to spy,” the authors of the open letter explain. “The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users.”

full story:

This $50 Box Will Cover Your Online Tracks—If You Don’t Mind Waiting Around

The Safeplug box plugs into your router and reroutes its traffic through Tor, helping users escape detection. But be warned, it takes some time.

By Rachel Z. Arndt

The way most of us surf the web now, traffic takes a pretty direct route. The request you make for a website goes directly from your computer to a server and comes back again, delivered in the form of whatever website you’re visiting. And everything is out in the open, which means anyone who wants to catch a glimpse of your location can do so. But when the request is more like an onion, wrapped in layers of encryption and moved around a roundabout route from your computer to the end server, it becomes almost completely anonymous.

That’s the thinking behind online-anonymity-enabling Tor Project (short for The Onion Routing Project), which is now packaged in hardware form in the Safeplug, a device made by Pogoplug. The $49 box plugs directly into an Internet router and reroutes traffic on that network through Tor, which began with funding from the U.S. Naval Research laboratory (and has popped up in the general consciousness this year as the way to get onto the now defunct Bitcoin marketplace Silk Road). Internet traffic that moves through the Tor network passes, encrypted, through a series of relays before it reaches the intended server and is sent back. So instead of taking a straight path, data move in twists and turns, throwing off would-be stalkers.

Until now, the only way to use Tor has been through the Tor browser. It can be unfamiliar and intimidating to the non-tech-savvy (and some won’t find it terribly aesthetically pleasing). Safeplug takes away that barrier to entry and annoyance. Once the Linux-based box is plugged in, it takes about two minutes to configure it through your browser of choice, whether Chrome, Firefox, Safari, or Internet Explorer. And that’s that.

As Safeplug promises, the setup is a breeze. The trouble is in the actual browsing. It’s not the fault of the device, but rather the system it uses. Because it beams your Internet traffic around a twisting path of randomly picked servers on the way to its destination, it’s slow-going. With Safebox plugged in, it took more than a minute to load via an internet connection that runs at about 40 Mbps. There’s some relief in that you can set Safebox to run only on a certain browser and, within that browser, choose websites that bypass Tor. But if you are truly concerned about privacy, you’d want all of your traffic to be encrypted and rerouted, so not running Tor would defeat the purpose.

Another problem comes from connecting the Safeplug to more than one router. I ran into trouble after I’d activated with one router, disconnected it, and plugged it into a second router. The Safeplug stays attached to whatever router it was connected to during initial setup. So when I went through the setup again, with a different router, everything looked successful until I was supposed to hit the settings screen, the final webpage of configuration. It was blank. To make it work, I had to go to my router’s webpage and find the Safeplug’s IP address in the list of connected DHCP clients. Using that address, I could again access the Safeplug settings.

The best use of this tech might be sparing use: Keep the Safeplug attached to a single router, and keep it running not in your favorite browser but in your second favorite one. That way, when you really want to cover your tracks, you can switch over to the oniony browers, and the rest of the time you can browse happily and speedily in your normal browser.

full story:

US willing to hold talks with Edward Snowden, but only if he pleads guilty first

By Chris Welch

edward snowden (wikileaks)

The US Justice Department says it will hold talks with Edward Snowden’s lawyers, but only under one condition: the NSA contractor-turned-whistleblower must return home and plead guilty to the charges against him. Snowden is currently living under asylum in Russia to avoid charges of espionage after he famously leaked thousands of documents outlining the alarming surveillance practices of the US government. Some lawmakers and civil liberties groups have called for the Obama administration to grant Snowden clemency for his actions, which put a spotlight on controversial data collection and mass snooping tactics of the NSA. President Obama himself recently said he doesn’t have a straight yes or no answer as it relates to clemency for Snowden. “This is an active case, where charges have been brought,” he said during a wide-ranging interview with The New Yorker.

But Attorney General Eric Holder has taken a much firmer stance; he says clemency is off the table, and it was never a plausible option to begin with. “We’ve always indicated that the notion of clemency isn’t something that we were willing to consider,” he said at the University of Virginia on Thursday. “Instead, were he coming back to the US to enter a plea, we would engage with his lawyers.” Holder also makes it clear that Snowden wouldn’t be given any special treatment. Despite the high profile nature of the case, those discussions would be the “same with any defendant who wanted to enter a plea of guilty,” he said.

For his part, Snowden says he isn’t coming back anytime soon — but he realizes it would be the preferred outcome for everyone involved. In an online Q&A yesterday, he said, “Returning to the US, I think, is the best resolution for the government, the public, and myself, but it’s unfortunately not possible in the face of current whistleblower protection laws, which through a failure in law did not cover national security contractors like myself.” Under current laws, Snowden claims there’s “no chance to have a fair trial, and no way I can come home and make my case to a jury.”

Facebook Backdoor Gives Clues To Private Email Addresses

by Adam Tanner, Contributor

If you forget your Facebook profile name, you can enter your name, email or phone number into a page called Find Your Account to find your Facebook profile and some alternative email addresses, which are partially obscured such as j*******

The same technique works if you type in other people’s details. Then Facebook can act as a Caller ID and produce a photo, name or clues about a private email. That could help if someone telephones but does not leave a message, or if you want to find a private email address from a company email.

As a test I looked up Gary King, one of two dozen who hold Harvard’s prestigious title of University Professor. His email address is listed on his public webpage. A search of Find Your Account leads to his Facebook profile photo and revealing clues to his alternative email addresses.

I repeated the process for several other people. It did not find everyone– perhaps the telephone numbers or email addresses were not linked with Facebook — but in many cases it did, including for a well-known private detective in Las Vegas whose photo I was able to see.

“This is an interesting case where a feature aimed at giving users a better service actually exposes their private data,” said Michael Bar-Sinai, a software engineer at Harvard’s Institute for Quantitative Social Science where King serves as director.

He pointed out his privacy settings allowed only friends of friends – not everyone – to look him up with his email address or his phone number. Yet a search finds his photo, name and partial email addresses.

In many cases, “Find Your Address” would not reveal any startling information. However, often a little bit of personal information here and there allows outsiders to gain a far 


more intimate portrait of us than we imagine. One chapter in my upcoming book tries to find a woman whose thumbnail-size image is posted on a Yelppage. Tiny clues in obscure places help reveal her double life on the steamier side of the Internet.

Asked about the information shown by Find Your Account, a Facebook spokesman who did not want to be named said: “Certain information on Facebook—such as your name, profile photo, and networks (if you choose to add any)—is treated as public because it plays a crucial role in helping your friends and family connect with you. In this case, showing a profile photo helps people avoid accidentally initiating a password reset for the wrong account.”

This page describes what Facebook considers public information. Users can adjust their privacy settings with details given here to mask the name and photo from being visible in the password recovery process.

“If you use the password recovery feature to search for someone who has modified these settings such that you can’t look them up using this information, you will see only ‘Facebook User’ and will not be able to view their name, profile photo, or networks,” the spokesman said.

Still, the partial email address remains visible. So using his phone number, I looked up the spokesman via Find Your Account. His name and photo were not given, but I could easily guess what his private Gmail address is from the partially masked information. It showed the first letter of his first name, stars, and the last letter of his uncommon surname followed by

“We show obscured email addresses in the password reset flow because our experience with helping many people recover their accounts over the years suggests that this information is important for helping people find the account recovery message we send,” he said. “Many people have multiple email addresses and don’t always remember which one is registered with Facebook.”

In the case of Professor King, his photo is available elsewhere and he posts his university email on his web page. His private email addresses – for which Facebook provided some clues — would be harder to locate. But he is relaxed about this information being visible.

King cited outgoing Microsoft CEO Steve Ballmer as someone who has made his email address public and referred to that fact in interviews. Ballmer “said he does the same and has no problems.  I get a lot of email, but just like he said, people tend to be respectful,” King said. “I sign out of every automated mailing, which cuts things down some.”

full story:

5 Changes President Obama Wants To Make to NSA’s Surveillance Programs

In a major address this morning, President Obama tried to soothe Americans’ fears about NSA spying by promising these changes.

By Davey Alba

President Barack Obama speaks about the National Security Agency (NSA) at the Justice Department, on January 17, 2014 in Washington, DC.
Mark Wilson/Getty Images

Earlier this morning, President Obama spoke about a number of reforms he wants to make to the National Security Agency’s surveillance programs, which have been widely criticized since Edward Snowden’s leaked on the extent of agency’s spying operations. Almost every week now, it seems, new revelations emerge, ranging from the bulk collection of telephone metadata to capturing information from computers that aren’t even connected to the Internet through radio waves sent out by the machines.

With dissent mounting, President Obama took to the podium once more to try to mitigate public concerns. Here are the five crucial things you need to know about the announcement. (You can also read the full text of Obama’s speech here, or read the presidential policy directive on surveillance, which has been posted online.)

1. An End to the NSA’s Bulk Data Collection Program

The biggest reform announced today was the end of the bulk data collection program under section 215 of the Patriot Act. Quick refresher: This was the program that enabled the NSA to review the telephone connections of many Americans‚Äînot the actual content of the phone calls, but the phone numbers and the times and lengths of the calls. That may seem benign, but one can glean a huge amount of information from this metadata, and the revelation was arguably the most important Snowden leak. According to President Obama, this program will come to a halt. It’s unclear how long it will take before bulk data collection is completely overhauled‚Äîthe process could take months if not more‚Äîbut in the meantime, new restrictions will be put into place to limit the government’s access to this data.

2. Continued Access to Call Records Under a New System

President Obama doesn’t want to cut off the government’s access to this data completely, though. The government will establish a new system for holding the phone records, but it’s so far unclear what form that system will take. Some possibilities mentioned included asking the phone companies to hold onto customer data and hand it over to the government whenever a court order mandates it, or creating an entirely new body that would act as the keeper of the massive database of phone records.

3. New Limitations on Spying on U.S. Allies

The Snowden documents revealed that the NSA had digital snooped on foreign leaders, most famously German Chancellor Angela Merkel, whose cell phone was being monitored. Obama has ordered that that the heads of states that are friendly with the United States will be completely off-limits for electronic surveillance by the government. Of course, this measure is a bit murky; why gets to decide who are the “close” allies of the U.S.?

4. A Panel of Public Advocates for Cases in Surveillance Courts

If Obama’s recommendation comes to fruition, third-party public advocates will be present at each request for data in the FISA courts‚Äîthose special federal courts that handle secret requests for surveillance warrants against suspected enemies of the U.S. However, this initiative requires action by Congress before it can become standard procedure.

5. Privacy Protections for Foreigners

Obama is also calling for a reform of the Section 702 program targeting foreign individuals, which allows the government to snatch up communications of foreigners who have information about national security. The President says that unless there is a major threat to national security, foreigners shouldn’t have a reason to fear being spied on. The rules will be developed and crystallized in the next few months.

Read more: 5 Changes President Obama Wants To Make to NSA’s Surveillance Programs – Popular Mechanics
Follow us: @PopMech on Twitter | popularmechanics on Facebook
Visit us at

NSA collects millions of text messages daily in ‘untargeted’ global sweep

• NSA extracts location, contacts and financial transactions
• ‘Dishfire’ program sweeps up ‘pretty much everything it can’
• GCHQ using database to search metadata from UK numbers

by  in New York

Texting on BlackBerry mobile phone

The NSA has made extensive use of its text message database to extract information on people under no suspicion of illegal activity. Photograph: Dave Thompson/PA

The National Security Agency has collected almost 200 million text messages a day from across the globe, using them to extract data including location, contact networks and credit card details, according to top-secret documents.

The untargeted collection and storage of SMS messages – including their contacts – is revealed in a joint investigation between the Guardian and the UK’s Channel 4 News based on material provided by NSA whistleblower Edward Snowden.

The documents also reveal the UK spy agency GCHQ has made use of the NSA database to search the metadata of “untargeted and unwarranted” communications belonging to people in the UK.

The NSA program, codenamed Dishfire, collects “pretty much everything it can”, according to GCHQ documents, rather than merely storing the communications of existing surveillance targets.

The NSA has made extensive use of its vast text message database to extract information on people’s travel plans, contact books, financial transactions and more – including of individuals under no suspicion of illegal activity.

An agency presentation from 2011 – subtitled “SMS Text Messages: A Goldmine to Exploit” – reveals the program collected an average of 194 million text messages a day in April of that year. In addition to storing the messages themselves, a further program known as “Prefer” conducted automated analysis on the untargeted communications.


An NSA presentation from 2011 on the agency’s Dishfire program to collect millions of text messages daily. Photograph: Guardian

The Prefer program uses automated text messages such as missed call alerts or texts sent with international roaming charges to extract information, which the agency describes as “content-derived metadata”, and explains that “such gems are not in current metadata stores and would enhance current analytics”.

On average, each day the NSA was able to extract:

• More than 5 million missed-call alerts, for use in contact-chaining analysis (working out someone’s social network from who they contact and when)

• Details of 1.6 million border crossings a day, from network roaming alerts

• More than 110,000 names, from electronic business cards, which also included the ability to extract and save images.

• Over 800,000 financial transactions, either through text-to-text payments or linking credit cards to phone users

The agency was also able to extract geolocation data from more than 76,000 text messages a day, including from “requests by people for route info” and “setting up meetings”. Other travel information was obtained from itinerary texts sent by travel companies, even including cancellations and delays to travel plans.


A slide on the Dishfire program describes the ‘analytic gems’ of collected metadata. Photograph: Guardian

Communications from US phone numbers, the documents suggest, were removed (or “minimized”) from the database – but those of other countries, including the UK, were retained.

The revelation the NSA is collecting and extracting personal information from hundreds of millions of global text messages a day is likely to intensify international pressure on US president Barack Obama, who on Friday is set to give his response to the report of his NSA review panel.

While US attention has focused on whether the NSA’s controversial phone metadata program will be discontinued, the panel also suggested US spy agencies should pay more consideration to the privacy rights of foreigners, and reconsider spying efforts against allied heads of state and diplomats.

In a statement to the Guardian, a spokeswoman for the NSA said any implication that the agency’s collection was “arbitrary and unconstrained is false”. The agency’s capabilities were directed only against “valid foreign intelligence targets” and were subject to stringent legal safeguards, she said.

The ways in which the UK spy agency GCHQ has made use of the NSA Dishfire database also seems likely to raise questions on the scope of its powers.

While GCHQ is not allowed to search through the content of messages without a warrant – though the contents are stored rather than deleted or “minimized” from the database – the agency’s lawyers decided analysts were able to see who UK phone numbers had been texting, and search for them in the database.

The GCHQ memo sets out in clear terms what the agency’s access to Dishfire allows it to do, before handling how UK communications should be treated. The unique property of Dishfire, it states, is how much untargeted or unselected information it stores.

“In contrast to [most] GCHQ equivalents, DISHFIRE contains a large volume of unselected SMS traffic,” it states (emphasis original). “This makes it particularly useful for the development of new targets, since it is possible to examine the content of messages sent months or even years before the target was known to be of interest.”

It later explains in plain terms how useful this capability can be. Comparing Dishfire favourably to a GCHQ counterpart which only collects against phone numbers that have specifically been targeted, it states “Dishfire collects pretty much everything it can, so you can see SMS from a selector which is not targeted”.

The document also states the database allows for broad, bulk searches of keywords which could result in a high number of hits, rather than just narrow searches against particular phone numbers: “It is also possible to search against the content in bulk (e.g. for a name or home telephone number) if the target’s mobile phone number is not known.”

Analysts are warned to be careful when searching content for terms relating to UK citizens or people currently residing in the UK, as these searches could be successful but would not be legal without a warrant or similar targeting authority.

However, a note from GCHQ’s operational legalities team, dated May 2008, states agents can search Dishfire for “events” data relating to UK numbers – who is contacting who, and when.

“You may run a search of UK numbers in DISHFIRE in order to retrieve only events data,” the note states, before setting out how an analyst can prevent himself seeing the content of messages when he searches – by toggling a single setting on the search tool.

Once this is done, the document continues, “this will now enable you to run a search without displaying the content of the SMS, especially useful for untargeted and unwarranted UK numbers.”

A separate document gives a sense of how large-scale each Dishfire search can be, asking analysts to restrain their searches to no more than 1,800 phone numbers at a time.


An NSA slide on the ‘Prefer’ program reveals the program collected an average of 194 million text messages a day in April 2011. Photograph: Guardian

The note warns analysts they must be careful to make sure they use the form’s toggle before searching, as otherwise the database will return the content of the UK messages – which would, without a warrant, cause the analyst to “unlawfully be seeing the content of the SMS”.

The note also adds that the NSA automatically removes all “US-related SMS” from the database, so it is not available for searching.

A GCHQ spokesman refused to comment on any particular matters, but said all its intelligence activities were in compliance with UK law and oversight.

But Vodafone, one of the world’s largest mobile phone companies with operations in 25 countries including Britain, greeted the latest revelations with shock.

“It’s the first we’ve heard about it and naturally we’re shocked and surprised,” the group’s privacy officer and head of legal for privacy, security and content standards told Channel 4 News.

“What you’re describing sounds concerning to us because the regime that we are required to comply with is very clear and we will only disclose information to governments where we are legally compelled to do so, won’t go beyond the law and comply with due process.

“But what you’re describing is something that sounds as if that’s been circumvented. And for us as a business this is anathema because our whole business is founded on protecting privacy as a fundamental imperative.”

He said the company would be challenging the UK government over this. “From our perspective, the law is there to protect our customers and it doesn’t sound as if that is what is necessarily happening.”

The NSA’s access to, and storage of, the content of communications of UK citizens may also be contentious in the light of earlier Guardian revelations that the agency was drafting policies to facilitate spying on the citizens of its allies, including the UK and Australia, which would – if enacted – enable the agency to search its databases for UK citizens without informing GCHQ or UK politicians.

The documents seen by the Guardian were from an internal Wikipedia-style guide to the NSA program provided for GCHQ analysts, and noted the Dishfire program was “operational” at the time the site was accessed, in 2012.

The documents do not, however, state whether any rules were subsequently changed, or give estimates of how many UK text messages are collected or stored in the Dishfire system, or from where they are being intercepted.

In the statement, the NSA spokeswoman said: “As we have previously stated, the implication that NSA’s collection is arbitrary and unconstrained is false.

“NSA’s activities are focused and specifically deployed against – and only against – valid foreign intelligence targets in response to intelligence requirements.

“Dishfire is a system that processes and stores lawfully collected SMS data. Because some SMS data of US persons may at times be incidentally collected in NSA’s lawful foreign intelligence mission, privacy protections for US persons exist across the entire process concerning the use, handling, retention, and dissemination of SMS data in Dishfire.

“In addition, NSA actively works to remove extraneous data, to include that of innocent foreign citizens, as early as possible in the process.”

The agency draws a distinction between the bulk collection of communications and the use of that data to monitor or find specific targets.

A spokesman for GCHQ refused to respond to any specific queries regarding Dishfire, but said the agency complied with UK law and regulators.

“It is a longstanding policy that we do not comment on intelligence matters,” he said. “Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee.”

GCHQ also directed the Guardian towards a statement made to the House of Commons in June 2013 by foreign secretary William Hague, in response to revelations of the agency’s use of the Prism program.

“Any data obtained by us from the US involving UK nationals is subject to proper UK statutory controls and safeguards, including the relevant sections of the Intelligence Services Act, the Human Rights Act and the Regulation of Investigatory Powers Act,” Hague told MPs.

full story: