Australia - Digital Privacy Ends 13 Oct

Data retention and the end of Australians' digital privacy August 29, 2015 Quentin Dempster Contributing editor The digital privacy of Australians ends from Tuesday, October 13. http://www.smh.com.au/technology/technology-news/data-retention-and-the-end-of-australians-digital-privacy-20150827-gj96kq.html Authorised agencies to view metadata > ASIO (Australian Security Intelligence Organisation) > Australian Federal Police > All state and territory police forces > The Australian Commission for Law Enforcement Integrity > Australian Crime Commission > Australian Customs and Border Protection Service > Australian Securities and Investments Commission > Australian Competition and Consumer Commission > NSW Crime Commission > NSW Independent Commission Against Corruption > NSW Police Integrity Commission > Queensland Crime and Corruption Commission > West Australian Corruption and Crime Commission > South Australian Independent Commission Against Corruption > Any other agency the Attorney General publicly declares ---------------------- ꕤ ---------------------- ꕤ

ANDREA VANCE - 'NZ spies want greater powers'

NZ spies want greater powers ANDREA VANCE Last updated 12:18, August 13 2015 Grapes grow in a vineyard around the GSCB monitoring station in the Waihopai Valley near Blenheim. STEPHEN RUSSELL/FAIRFAX MEDIA Grapes grow in a vineyard around the GSCB monitoring station in the Waihopai Valley near Blenheim. The release of a "hit list" by Islamic State with a Kiwi's name on it comes as New Zealand's spy agencies demand greater surveillance powers. Emergency anti-terror laws passed last year were promoted as measures to stop foreign fighters leaving for conflicts in Syria and Iraq. However, they also allowed the Security Intelligence Service (SIS) to monitor any terrorist suspects for 24 hours without a warrant. Additionally the reforms permitted the spy agency to conduct video surveillance on private property in cases of suspected terrorism. The new laws came on the back of expanded powers handed to the Government Communications Security Bureau (GCSB) in 2013. Caught out illegally spying on Kiwis, the foreign agency was now sanctioned to use its technology and agents to carry out surveillance on behalf of the police, SIS and Defence Force. Terrorism suppression legislation, passed in the wake of the 9/11 attacks, designated terrorist groups and created offences around financing and allowed for the freezing of assets. It also incorporated international obligations, establishing offences relating to recruiting, bombing and handling explosives. It also meant planning a terrorist act, or making a "credible" threat, was illegal even if it was not carried out. Five years later, the law was amended and now allowed for the Prime Minister to designate which groups were considered terrorists, where previously it was the role of the high court. A review of that legislation was abandoned by the Government in 2012. Interception warrants - for monitoring communications - could be done under a range of laws such as the SIS and GCSB Acts and the International Terrorism (Emergency Powers) Act 1987. But security services were pushing for more, arguing current laws were outdated and did not keep pace with technology. Canada, Australia and the UK are in the process of pushing through tough anti-terror laws which they said were needed to counter jihadis. British Prime Minister David Cameron last month outlined a five-year plan to counter extremism, focused on how ideology was communicated - but critics fear it would curb freedom of speech. The GCSB legislation established a review of the security services, which was currently being carried out by former deputy prime minister Sir Michael Cullen and lawyer Dame Patsy Reddy. On Tuesday, SIS director Rebecca Kitteridge said the legislation governing her agency needed to change. SIS and GCSB minister Chris Finlayson refused to rule out expanded surveillance powers when questioned in Parliament this week. SOURCE http://www.stuff.co.nz/national/politics/71090362/nz-spies-want-greater-powers ---------------------- ꕤ ----------------------    Foreign intel - GCSB - here Internal intel - NZSIS - here Hon Christopher Finlayson, Attorney-General- here ---------------------- COMMENT Wow, that was some interesting NZ information in the look ups. Both agencies have a record of spectacularly overstepping their bounds and unlawfully violating civil liberties, yet more power is sought. Some confusion on my part as to who is responsible.  If I understand correctly, it's John 'Teflon' Key, according to convention (Wikipedia). But it looks like responsibility for intel has maybe been hand-balled. Assume from the article that the minister responsible for both agencies is the attorney-general, Christopher Finlayson.  Did Key handball it to the attorney-general, or is Key ultimately responsible and overseeing the attorney-general? Alternatively, is this really attorney-general territory in practice? It looks like Finlayson's minister in charge of SIS (Security Intelligence Services), going by his profile.  Don't see anything re the foreign intel agency, GCSB. Freedom of speech Civil liberties are definitely on the line, if this lot's going to have a crack at controlling how ideology is communicated' expanding their already considerable powers. Everybody's freedom of speech is civil liberties are at risk - not just a select group, because anybody can become be designated a 'threat' - eg.  NZSIS designated 20 apartheid protesters of the 1980s as 'subversives' and put them on what is presumably a secret surveillance list. Edit:  GCSB - also caught spying illegally / see Kitteridge Report. For government agencies known to spy on activists, animal activists and, by implication, NZ political parties (see Gillchrist 10 years paid NZ govt spy & the NZSIS), these organisations (and the govt that controls them) ought to be kept in check, rather than awarded further powers.   They've already have proven they don't abide by existing laws.  'More' power isn't what they need. NZSIS spying on students and university staff, under the pretext of protecting New Zealanders from 'weapons of mass destruction' is hilarious.  Don't know whether the humour's in the Wikipedia entry, or if they really did use that insane excuse.  Didn't look further than the Wikipedia entry. If it's left to John Key and his government to designate 'terrorist' targets for surveillance by these agencies, the danger is that Teflon will chose on the basis of political considerations - like preservation of power.  lol Note also:  anyone who is deemed a political or like threat (as in threat to maintenance of power, cover-ups etc), is likely labelled 'terrorist'. For example, Julian Assange (WikiLeaks) was labelled 'terrorist' by the Americans ... for exposing US war crimes!   People, this is comedy gold. Instead of writing that propaganda show for the BBC, mocking the serious danger Assange is in, had those entertainment writers given even a cursory look at intelligence agencies, they'd have found themselves comedy gold.    Never going to happen.  Just as mainstream journalism seldom challenges those in power in any meaningful way, entertainment writers apparently also dare not challenge the powerful.  Like hyenas, they despicably attack the target of the powerful. --- Hey, New Zealand This Is What Happens When Intel Agencies Have Unchecked Power spying and monitoring of pipeline critics was illegal and had a "chilling" effect on Canadians' freedom of expression and freedom of association complaint against RCMP and CSIS for 'illegal' monitoring of peaceful activists government spied on these people and shared information about the activities of environmental groups with petroleum companies. MORE - here + MORE ELSEWHERE There's a Secret Hearing Into Allegations Canada Illegally Spied on Environmental Activists PS This post is a mess, but I'll let it stand as testimony to my stupidity.  lol Don't know what I was thinking.  Must have got confused by the mention of the UK implementations.   Same deal, whether it's speech or privacy issue, so it all stands. PPS If they're using the argument that "current laws were outdated and did not keep pace with technology," they're probably wanting to amp up digital surveillance in NZ, I'm guessing. ꕤ

HORNET Onion Routing - Tor Rival?

http://searchsecurity.techtarget.com/news/4500250948/Tor-anonymity-called-into-question-as-alternative-browser-surfaces HORNET -- a Tor alternative? In other Tor news, researchers from the Swiss Federal Institute of Technology and University College London introduced an alternative onion network dubbed HORNET. Short for high-speed onion routing at the network layer, it offers the same promise of anonymous browsing but with better scaling, stronger privacy and higher speed -- researchers claimed it can process anonymous traffic at over 93 Gbps. Researchers also said each HORNET node can process anonymous traffic for "a practically unlimited number of sources." Like Tor, HORNET uses a group of relay nodes to mix and encrypt traffic -- and hide users' locations and IP addresses -- in layers to ensure anonymity. However, researchers say it is not plagued with the decreased speed that Tor and other anonymity networks regularly experience. The low-latency onion routing system "uses only symmetric cryptography for data forwarding yet requires no per-flow state on intermediate nodes," researchers wrote. "Unlike other onion routing implementations, HORNET routers do not keep overflow state or perform computationally expensive operations for data forwarding, allowing the system to scale as new clients are added. "It is designed to be highly efficient; instead of keeping state at each relay, connection state (such as onion layer decryption keys) is carried within packet headers, allowing intermediate nodes to quickly forward traffic for large numbers of clients." Because the system does not store per-session states, it also providers "stronger security guarantees" than other onion network options. The researchers also claimed it is less vulnerable to identity-revealing attacks such as session linkage and packet correlation. However, it is not completely immune to attack; confirmation attacks leveraging flow analysis, timing analysis and packet tagging can potentially be successfully executed to determine identity. "However," researchers wrote, "HORNET raises the bar of deploying such attacks for secretive mass surveillance: the adversary must be capable of controlling a significant percentage of ISPs often residing in multiple geopolitical boundaries, not to mention keeping such massive activity confidential." Users should not jump on the bandwagon yet, however; HORNET has not yet been peer-reviewed. http://searchsecurity.techtarget.com/news/4500250948/Tor-anonymity-called-into-question-as-alternative-browser-surfaces MORE Tor Browser Challenger: HORNET stands for High-speed Onion Routing at the NETwork layer http://cointelegraph.com/news/115001/hornet-high-speed-protocol-for-a-fully-encrypted-anonymous-internet Researchers claim they’ve developed a better, faster Tor HORNET, a high-speed onion routing network, could be deployed on routers as part of the Internet. http://arstechnica.com/information-technology/2015/07/researchers-claim-theyve-developed-a-better-faster-tor/ --------------------- COMMENT Potential vulnerability points mean nothing to me. I just think it's cool something new is out. Wonder who gets to review Hornet and if there's any built-in backdoors? LOL Tor anonymity network - here.

SINGAPORE - SURVEILLANCE STATE

https://www.digitalnewsasia.com/digital-economy/singapore-is-using-spyware-and-its-citizens-cant-complain #WikiLeaks #HackingTeam #Singapore - #Surveillance state, NO: *privacy right *prior judicial auth. req. (leg'n) #Law #Privacy #Singapore regulatory structure re #surveillance = Executive branch controlled / little judicial oversight #Singapore #SURVEILLANCE incls: CCTV drones Internet / comm. / access SIM card reg. ID req. register websites big data analytics #Singapore #SURVEILLANCE 'PacketShape'  {Blue Coat Systems Inc, USA-based provider} monitoring various, incl: Facebook Twitter Google Mail Skype #Singapore * Has NOT ratified: International Covenant on Civil & Political Rights (ICCPR) https://www.digitalnewsasia.com/digital-economy/singapore-is-using-spyware-and-its-citizens-cant-complain --------------------- COMMENT Mass surveillance must be a given in a country like Singapore, with no constitutional or other legislative checks on monitoring of citizens (and no ratification of the human rights covenant, either). The degree of surveillance and the lack of civil rights goes back to colonial rule.   --------------------- Modern Singapore founded in 1819 as British colony (by Sir Stamford Raffles) wikipedia

WikiLeaks - Hacking Team Leak - Release Verified as Legitimate / Singapore Surveillance

Singapore is using spyware, and its citizens can’t complain By Gabey GohAug 03, 2015 Behind the surveillance curtain Meanwhile, Goh Su Gim (pic), the security advisor at cybersecurity firm F-Secure in Asia, has examined the Hacking Team documents that have been leaked online, and said he believes them to be legitimate. “Especially the source code and their Galileo product architecture – it is exactly how security researchers have expected it to be,” he told DNA. “Many have compiled the source code and replicated what products Hacking Team has been selling to the [Singapore] Government,” he added. The leaked Hacking Team information also includes email threads that point to other Singaporean agencies showing an interest in the Italian company’s spyware, according to Goh. These agencies include the Centre for Strategic Infocomm Technologies (CSIT), part of the Ministry of Defence; and the Infocomm Technology Division (ICTD) of the Ministry of Home Affairs (MHA) back in 2013. Goh noted that an Israeli company, Nice Systems which specialises in telephone voice recording, data security and surveillance, serves as a partner working with Hacking Team to sell to CSIT and MHA. “Interestingly, the MHA was interested in its IPA device (Injection Proxy Appliance),” he said. “This is a networking device, typically installed alongside an Internet service provider’s servers, that can hijack targets’ Internet traffic without their knowing, and surreptitiously deliver malware to their device or computer. “Tricking a target into opening a file or going to a phishing site may be not be as easy, and this is the perfect appliance to intercept Internet activity on the fly – for example, if a target wants to watch a video or download a new app, the IPA could intercept and prompt the target to install a booby-trapped version of Adobe Flash with the spyware. “It is also interesting to note at the end of the [leaked] email, [there is the statement]: ‘(As always, but especially in this country, confidentiality is a must. Thanks.)’,” he added. Why the IDA? There were no further documents available to show whether discussions with the CSIT and MHA panned out and were converted to sales, Goh conceded. He said that the F-Secure team was also unable to independently confirm whether the IDA and other agencies in South-East Asia, besides the publicly published list of clients available on the Internet, were or are Hacking Team customers. However, Goh noted that given what Hacking Team offers, it may seem more relevant for CSIT and MHA to purchase such tools in the name of homeland security. “But the IDA is a statutory board of the Singapore Government, under the Ministry of Communications and Information, whose mission is to develop information technology and telecommunications within Singapore – with a view to servicing citizens of all ages and companies of all sizes. “With that said, since it is not an enforcement agency – there is no use for a surveillance tool, unless it is used for research purposes,” he said. The IDA did not respond to DNA’s repeated requests for comment. https://www.digitalnewsasia.com/digital-economy/singapore-is-using-spyware-and-its-citizens-cant-complain?page=0%2C1 -------- -------- -------- COMMENT Thought this a cool article, as the WikiLeaks publication of the Hacking Team data has been independently verified as legitimate. Israeli involvement is interesting. The rest (surveillance capabilities) just freaks me out.  LOL More re:  SINGAPORE SURVEILLANCE

Google Compute Engine - Cloud Computing & Customer Held Encryption Keys / Red Herrings

Google has just done something that’s going to annoy the US and UK governments Business Insider     Alastair Stevenson, Business Insider     Jul. 29, 2015, 11:15 AM    2 UK Prime Minister David Cameron is not going to like this. Google has rolled out a security service for its business customers that could put a serious downer on the UK government’s plans to increase law enforcement’s surveillance powers. The service was revealed by Google product manager Leonard Law in a blog post and is currently in beta form. It will let businesses running the company's Google Compute Engine create their own encryption keys. Encryption is a security technology that scrambles digital information using specialist mathematics. It makes it so only people in possession of a specific unlock key or password can read the encrypted information. Google’s move may not sound like a big deal to people outside the technology community, but the implications for the move are pretty massive. What the Google Compute Engine is Google’s Compute Engine is the basis of the company's cloud computing platform. Cloud computing is a special type of technology that uses a network of remote servers hosted on the internet to run computer processes traditionally done on a device’s internal hardware. In theory, this means cloud computing customers can get high-powered computer performance, or run complex tasks beyond normal hardware’s capabilities without having to buy lots of equipment. As well as Google, which uses the tech to power many of its own services, such as YouTube, numerous big-name companies including Coca Cola, Best Buy, Rovio, Avaya and Ocado also use the Compute Engine. How it links to government surveillance The widespread use of Google’s cloud tech means it handles vast amounts of  user data. Data running through the platform can include things like customer records, account information and, at times, the user's geographic location. PRISM documents leaked by Edward Snowden in 2013 revealed intelligence agencies, such as the NSA and GCHQ, have been siphoning vast amounts of web user information from Google's cloud platform – as well as many other cloud service providers. The move makes sense, as the Compute Engine’s large customer base lets the agencies collect data from multiple companies and services from one central source. A game of cat and mouse Google already encrypts services running through its Compute Engine by default. This partially protects customers as it means agencies like the NSA or GCHQ cannot read the data without knowing which encryption key was used. However, the tactic is not foolproof, as the NSA and GCHQ can use legal requests, such as letters sent under the US Foreign Intelligence Surveillance Act (FISA), to force Google to unlock or hand over unencrypted copies of the data. This issue was set to get even worse in the UK and US as both governments have hinted at plans to make it easier for law enforcement and intelligence agencies. Law enforcement agencies within the US have been lobbying for the US government to control business use of encryption since the PRISM leaks emerged. FBI director of counter-terrorism Michael Steinbach warned lawmakers that strong encryption technology allows terrorists "a free zone by which to recruit, radicalize, plot and plan," in June. UK prime minister David Cameron has hinted at plans to hamper the use of encryption. Cameron told Parliament he wants to "ensure that terrorists do not have a safe space in which to communicate," on June 6. How companies having their own keys will hamper surveillance Experts within the security community have argued that Google’s move will cause problems for the UK government’s plans. FireEye global technical lead Simon Mullis explained to Business Insider this is because it will make it so Google won’t be able to decrypt the data, even if ordered to. “Essentially the access to, ownership and management of the keys used to encrypt all data within Google Cloud is now handled by the end-customer," he said. "[This will] make it harder for any external agencies such as law enforcement or intelligence services to gain access to the decrypted data as there are fewer parties [people able to unlock the data] involved.” As a result, if law enforcement wanted access to the encrypted Compute Engine data, they would have to mount individual requests to each customer, a practice that would slow their surveillance operations. Business Insider has reached out to the UK Prime Minister's press team for comment on how custom encryption keys will impact Cameron's plans. Google is one of many technology companies working to fight the UK and US government’s surveillance plans. A group of 140 companies, including Google, Microsoft, Apple and Facebook, sent an open letter to President Obama in May urging him to reject the encryption proposals, fearing they would damage the US economy. Apple CEO Tim Cook claimed law enforcement’s hostility towards encryption is dangerous in June. SOURCE http://www.techinsider.io/google-has-offered-compute-engine-customers-advanced-encryption-powers-2015-7 --------------------- COMMENT 'Terrorists' is the big stick / leverage go-to for governments to demand access. If I were a company, I would prefer complete control of my own data.  Relying on cloud computing doesn't appeal, even though it may be cheaper.  And why would you trust any company that can unencrypt your data?  But I guess the advantage might be in passing the buck.  As in, if data is compromised, you can maybe blame it on the third party cloud host & they get lumped with compensation payouts? This is a good companion article regarding encryption offerings:   The Red Herring of Digital Backdoors and Key Escrow Encryption Bill Blunden EXTRACTS By concentrating on key escrow the CEOs of Silicon Valley are able to conjure up the perception of an adversarial relationship with federal agencies. This is absolutely crucial because tech companies need to face the public wearing a white hat. In the aftermath of the PRISM scandal, where C-suite types were caught colluding with the government on a first-name basis, American executives are frantically trying to convince people on behalf of quarterly revenue that they’re siding with consumers against spying. An interesting but fundamentally flawed narrative, given how much economic espionage the government conducts and how much spying corporate America does. Who do you think benefits from this sort of mass surveillance? All told it’s likely that private sector involvement henceforth will transpire off stage. Far removed from the encryption debate. Rather than forgo the benefits of aggressive spying, CEOs will merely conceal their complicity more deeply while making lots of noise for rubes about encryption. In this sense zero-day bugs offer the added benefit of plausible deniability. That is, backs doors based on zero-day bugs are vital spy tools that masquerade as mere accidents. Only fitting, one might conclude, as spies and magicians are kindred spirits performing artful tricks that beguile more susceptible members of the audience. http://www.counterpunch.org/2015/07/29/the-red-herring-of-digital-backdoors-and-key-escrow-encryption/ I really like this guy's articles.

Tor Vulnerability - Traffic Analysis Identifies Guard Servers

Vulnerability could make Tor, the anonymous network, less anonymous     by  Barb Darrow     @gigabarb July 29, 2015, 5:27 PM EDT The bad news; MIT and QCRI researchers found a vulnerability in the Tor network. The good news: they also found a fix. The Tor network—used by activists, journalists, law enforcement, and yes, criminals—is famous for cloaking web surfers’ identities and locations. And, apparently, it contains a vulnerability that poses a risk to all that protective anonymity, according to researchers at MIT and the Qatar Computing Research Institute (QCRI). The good (or bad) news—depending on how you view Tor— is they say they’ve also come up with a fix to the problem that they will demonstrate at the Usenix Security Symposium next month, according to an MIT News story “Shoring up Tor.” An estimated 2.5 million people—including journalists, political activists, terrorists or just consumers who don’t want to share their browsing histories with Facebook or other commercial entities—use Tor daily. And that is why the network is of keen interest not only to “repressive” regimes like Russia and Iran but to governments a lot closer to home, including our own. Not to put too fine a point on this, but one person’s activist could be another person’s terrorist, but I digress. DigitalTrends has a good description of the Tor basics:     Tor works by anonymizing the transport of your data. Like an onion, Tor encrypts the data you send through the web in multiple layers. Your data is then “relayed” through other computers. Each relay sheds one layer then finally arrives at the source in full form. The software bounces users around a network of open connections run by volunteers all over the globe. This prevents people from spying on your Internet connection and discovering sites you visit. Tor scrambles information that could pinpoint your exact physical location. By using a Tor-configured browser, the user enters her request, and it is automatically swaddled in those encryption layers and is sent it to the next, randomly chosen machine that runs Tor. This machine, called “the guard,” peels off the first encryption layer and forwards the still-masked request on until it finally reaches a randomly chosen “exit” machine that strips off the final layer encryption to reveal the destination. Only the guard machine knows the sender and only the exit machine knows the requested site; no single computer knows both. The network also offers “hidden services” that enable an activist to aggregate sensitive news reports and make them available to select users, but not the world at large. That is, the archive is not searchable or available on the public Internet. The creation of those collection points, which involves the building of what Tor calls a “circuit” of machines, offered the researchers a way to snoop on Tor. By connecting a ton of their own machines to the network and then analyzing traffic, they were able to identify likely guard machines. From the MIT report:     The researchers showed that simply by looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms could, with 99 percent accuracy, determine whether the circuit was an ordinary Web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit. Breaking Tor’s encryption wasn’t necessary.     Furthermore, by using a Tor-enabled computer to connect to a range of different hidden services, they showed that a similar analysis of traffic patterns could identify those services with 88 percent accuracy. That means that an adversary who lucked into the position of guard for a computer hosting a hidden service, could, with 88 percent certainty, identify it as the service’s host. The researchers, including Albert Kwon, an MIT graduate student in electrical engineering and computer science, and Mashael AlSabah, assistant professor of computer science at Qatar University, and a QCRI researcher, said the fix lies in obscuring data traffic patterns to and from the guard machines in a way that renders such “traffic fingerprinting” ineffective. If the network sends around enough dummy packets so that all the data sequences look the same to prying eyes, problem solved, and anonymity remains safe. SOURCE http://fusion.net/story/175068/sorry-the-way-you-type-is-exposing-your-identity-online-even-if-youre-browsing-anonymously/ --------------------- COMMENT Tor anonymity browser: search/request via Tor browser, wrapped in encryption layers first server = random 'guard' server (knows where request came from) next server = does not know location of request or request final server = random 'exit' server knows the request no single server knows both location & search/request runs data via network of open connections / servers run by volunteers all over globe  So: scrambles info that could pinpoint your physical location anonymises the transport of your data encrypts the data you send (& relays through the web in multiple layers) each relay sheds one layer relay finally arrives at source in full form Thought this was interesting.  Imagine the Tor people are adapting to the fake packet fix, whatever that is.   My reference to 'server' should probably read 'node' in the Tor network, I would think.  ------- ------- ------- Data transferred by computer is sent via 'packets'.  Due to size constraints, data sent out is broken up and reassembled at the destination. TCP / IP TCP/IP protocols guide how data is sent TCP = Transmission Control Protocol (reliability of data / checks data for errors & resends if required)  IP = Internet Protocol (more direct 'step closer' transmission of data) TCP/IP = two separate protocol - used together Most common TCP/IP protocols: HTTP  - b/w client (ie browser) & server / non-secure data transmissions HTTPS - b/w client & server / SECURE data transmissions - eg. credit card transaction data or other private data   FTP - b/w two or more computers:  one computer sends data to (or receives data from) another computer DIRECTLY. web client =  browser web server = receives client/browser requests & relays data back to web client/browser These are just notes for my benefit.  Hoping I have the info. straight.  LOL    --------------------- MORE MIT researchers figure out how to break Tor anonymity without cracking encryption http://www.extremetech.com/extreme/211169-mit-researchers-figure-out-how-to-break-tor-anonymity-without-cracking-encryption Researchers mount successful attacks against Tor network—and show how to prevent them http://phys.org/news/2015-07-mount-successful-tor-networkand.html

UK - Privacy International - Surveillance Industry - Surveillance General

Meet the privacy activists who spy on the surveillance industry by Daniel Rivero Illustration by Shutterstock, Elena Scotti/Fusion April 6, 2015 http://fusion.net/story/112390/unveiling-secrets-of-the-international-surveillance-trade-one-fake-company-at-a-time/ LONDON– On the second floor of a narrow brick building [...] Once he’s infiltrated the trade show, he’ll pose as an industry insider, chatting up company representatives, swapping business cards, and picking up shiny brochures that advertise the invasive capabilities of bleeding-edge surveillance technology. Few of the features are ever marketed or revealed openly to the general public, and if the group didn’t go through the pains of going undercover, it wouldn’t know the lengths to which law enforcement and the intelligence community are going to keep tabs on their citizens. “I don’t know when we’ll get to use this [company], but we need a lot of these to do our research,” Omanovic tells me. (He asked Fusion not to reveal the name of the company in order to not blow its cover.) The strange tactic– hacking into an expo in order to come into close proximity with government hackers and monitors– is a regular part of operations at Privacy International, a London-based anti-surveillance advocacy group founded 25 years ago. Omanovic is one of a few activists for the group who goes undercover to collect the surveillance promotional documents. “At last count we had about 1,400 files,” Matt Rice, PI’s Scottish-born advocacy officer says while sifting through a file cabinet full of the brochures. “[The files] help us understand what these companies are capable of, and what’s being sold around the world,” he says. The brochures vary in scope and claims. Some showcase cell site simulators, commonly called Stingrays, which allow police to intercept cell phone activity within a certain area. Others provide details about Finfisher– surveillance software that is marketed exclusively to governments, which allows officials to put spyware on a target’s home computer or mobile device to watch their Skype calls, Facebook and email activity. The technology buyers at these conferences are the usual suspects — the Federal Bureau of Investigation (FBI), the UK’s Government Communications Headquarters (GCHQ), and the Australian Secret Intelligence Service– but also representatives of repressive regimes —Bahrain, Sudan, pre-revolutionary Libya– as the group has revealed in attendees lists it has surfaced. At times, companies’ claims can raise eyebrows. One brochure shows a soldier, draped in fatigues, holding a portable device up to the faces of a sombre group of Arabs. “Innocent civilian or insurgent?,” the pamphlet asks. “Not certain?” “Our systems are.” The treasure trove of compiled documents was available as an online database, but PI recently took it offline, saying the website had security vulnerabilities that could have compromised information of anyone who wanted to donate to the organization online. They are building a new one. The group hopes that the exposure of what Western companies are selling to foreign governments will help the organization achieve its larger goal: ending the sale of hardware and software to governments that use it to monitor their populations in ways that violate basic privacy rights. The group acknowledges that it might seem they are taking an extremist position when it comes to privacy, but “we’re not against surveillance,” Michael Rispoli, head of PI’s communications, tells me. “Governments need to keep people safe, whether it’s from criminals or terrorists or what it may be, but surveillance needs to be done in accordance with human rights, and in accordance with the rule of law.” The group is waging its fight in courtrooms. In February of last year, it filed a criminal complaint to the UK’s National Cyber Crime Unit of the National Crime Agency, asking it to investigate British technology allegedly used repeatedly by the Ethiopian government to intercept the communications of an Ethiopian national. Even after Tadesse Kersmo applied for– and was granted– asylum in the UK on the basis of being a political refugee, the Ethiopian government kept electronically spying on him, the group says, using technology from British firm Gamma International. The group currently has six lawsuits in action, mostly taking on large, yet opaque surveillance companies and the British government. Gamma International did not respond to Fusion’s request for comment on the lawsuit, which alleges that exporting the software to Ethiopian authorities means the company assisted in illegal electronic spying. “The irony that he was given refugee status here, while a British company is facilitating intrusions into his basic right to privacy isn’t just ironic, it’s wrong,” Rispoli says. “It’s so obvious that there should be laws in place to prevent it.” PI says it has uncovered other questionable business relationships between oppressive regimes and technology companies based in other Western countries. An investigative report the group put out a few months ago on surveillance in Central Asia said that British and Swiss companies, along with Israeli and Israeli-American companies with close ties to the Israeli military, are providing surveillance infrastructure and technical support to countries like Turkmenistan and Uzbekistan– some of the worst-ranking countries in the world when it comes to freedom of speech, according to Freedom House. Only North Korea ranks lower than them. PI says it used confidential sources, whose accounts have been corroborated, to reach those conclusions. Not only are these companies complicit in human rights violations, the Central Asia report alleges, but they know they are. Fusion reached out to the companies named in the report, NICE Systems (Israel), Verint Israel (U.S./ Israel), Gamma (UK), or Dreamlab (Switzerland), and none have responded to repeated requests for comment. The report is a “blueprint” for the future of the organization’s output, says Rice, the advocacy officer. “It’s the first time we’ve done something that really looks at the infrastructure, the laws, and putting it all together to get a view on how the system actually works in a country, or even a whole region,” says Rice. “What we can do is take that [report], and have specific findings and testimonials to present to companies, to different bodies and parliamentarians, and say this is why we need these things addressed,” adds Omanovic, the researcher and fake company designer. The tactic is starting to show signs of progress, he says. One afternoon, Omanovic was huddled over a table in the back room, taking part in what looked like an intense conference call. “European Commission,” he says afterwards. The Commission has been looking at surveillance exports since it was revealed that Egypt, Tunisia, and Bahrain were using European tech to crack down on protesters during the Arab Spring, he added. Now, PI is consulting with some members, and together they “hope to bring in a regulation specifically on this subject by year’s end.” *** Privacy International has come a long way from the “sterile bar of an anonymous business hotel in Luxembourg,” where founder Simon Davies, then a lone wolf privacy campaigner, hosted its first meeting with a handful of people 25 years ago. In a blog post commemorating that anniversary, Davies (who left the organization about five years ago) described the general state of privacy advocacy when that first meeting was held:     “Those were strange times. Privacy was an arcane subject that was on very few radar screens. The Internet had barely emerged, digital telephony was just beginning, the NSA was just a conspiracy theory and email was almost non-existent (we called it electronic mail back then). We communicated by fax machines, snail mail – and through actual real face to face meetings that you travelled thousands of miles to attend.” Immediately, there were disagreements about the scope of issues the organization should focus on, as detailed in the group’s first report, filed in 1991. Some of the group’s 120-odd loosely affiliated members and advisors wanted the organization to focus on small privacy flare-ups; others wanted it to take on huge, international privacy policies, from “transborder data flows” to medical research. Disputes arose as to what “privacy” actually meant at the time. It took years for the group to narrow down the scope of its mandate to something manageable and coherent. Gus Hosein, current executive director, describes the 90’s as a time when the organization “just knew that it was fighting against something.” He became part of the loose collective in 1996, three days after moving to the UK from New Haven, Connecticut, thanks to a chance encounter with Davies at the London Economics School. For the first thirteen years he worked with PI, he says, the group’s headquarters was the school pub. They were fighting then some of the same battles that are back in the news cycle today, such as the U.S. government wanting to ban encryption, calling it a tool for criminals to hide their communications from law enforcement. “[We were] fighting against the Clinton Administration and its cryptography policy, fighting against new intersections of law, or proposals in countries X, Y and Z, and almost every day you would find something to fight around,” he says. Just as privacy issues stemming from the dot com boom were starting to stabilize, 9/11 happened. That’s when Hosein says “the shit hit the fan.” In the immediate wake of that tragedy, Washington pushed through the Patriot Act and the Aviation and Transportation Security Act, setting an international precedent of invasive pat-downs and extensive monitoring in the name of anti-terrorism. Hosein, being an American, followed the laws closely, and the group started issuing criticism of what it considered unreasonable searches. In the UK, a public debate about issuing national identification cards sprung up. PI fought it vehemently. “All of a sudden we’re being called upon to respond to core policy-making in Western governments, so whereas policy and surveillance were often left to some tech expert within the Department of Justice or whatever, now it had gone to mainstream policy,” he says. “We were overwhelmed because we were still just a ragtag bunch of people trying to fight fights without funding, and we were taking on the might of the executive arm of government.” The era was marked by a collective struggle to catch up. “I don’t think anyone had any real successes in that era,” Hosein says. But around 2008, the group’s advocacy work in India, Thailand and the Philippines started to gain the attention of donors, and the team decided it was time to organize. The three staff members then started the formal process of becoming a charity, after being registered as a corporation for ten years. By the time it got its first office in 2011 (around the time its founder, Davies, walked away to pursue other ventures) the Arab Spring was dominating international headlines. “With the Arab Spring and the rise of attention to human rights and technology, that’s when PI actually started to realize our vision, and become an organization that could grow,” Hosein says. “Four years ago we had three employees, and now we have 16 people,” he says with a hint of pride. *** “This is a real vindication for [Edward] Snowden,” Eric King, PI’s deputy director says about one of the organization’s recent legal victories over the UK’s foremost digital spy agency, known as the Government Communications Headquarters or GCHQ. PI used the documents made public by Snowden to get the British court that oversees GCHQ to determine that all intelligence sharing between GCHQ and the National Security Administration (NSA) was illegal up until December 2014. Ironically, the court went on to say that the sharing was only illegal because of lack of public disclosure of the program. Now that details of the program were made public thanks to the lawsuit, the court said, the operation is now legal and GCHQ can keep doing what it was doing. “It’s like they’re creating the law on the fly,” King says. “[The UK government] is knowingly breaking the law and then retroactively justifying themselves. Even though we got the court to admit this whole program was illegal, the things they’re saying now are wholly inadequate to protect our privacy in this country.” Nevertheless, it was a “highly significant ruling,” says Elizabeth Knight, Legal Director of fellow UK-based civil liberties organization Open Rights Group. “It was the first time the [courts have] found the UK’s intelligence services to be in breach of human rights law,” she says. “The ruling is a welcome first step towards demonstrating that the UK government’s surveillance practices breach human rights law.” In an email, a GCHQ spokesperson downplayed the significance of the ruling, saying that PI only won the case in one respect: on a “transparency issue,” rather than on the substance of the data sharing program. “The rulings re-affirm that the processes and safeguards within these regimes were fully adequate at all times, so we have not therefore needed to make any changes to policy or practice as a result of the judgement,” the spokesperson says. Before coming on board four years ago, King, a 25-year old Wales native, worked at Reprieve, a non-profit that provides legal support to prisoners. Some of its clients are at Guantanamo Bay and other off-the-grid prisons, something that made him mindful of security concerns when the group was communicating with clients. King worried that every time he made a call to his clients, they were being monitored. “No one could answer those questions, and that’s what got me going on this,” says King. Right now, he tells me, most of the group’s legal actions have to do with fighting the “Five Eyes”– the nickname given to the intertwined intelligence networks of the UK, Canada, the US, Australia and New Zealand. One of the campaigns, stemming from the lawsuit against GCHQ that established a need for transparency, is asking GCHQ to confirm if the agency illegally collected information about the people who signed a “Did the GCHQ Illegally Spy On You?” petition. So far, 10,000 people have signed up to be told whether their communications or online activity were collected by the UK spy agency when it conducted mass surveillance of the Internet. If a court actually forces GCHQ to confirm whether those individuals were spied on, PI will then ask that all retrieved data be deleted from the database. “It’s such an important campaign not only because people have the right to know, but it’s going to bring it home to people and politicians that regular, everyday people are caught up in this international scandal,” King says. “You don’t even have to be British to be caught up in it. People all over the world are being tracked in that program.” Eerke Boiten, a senior lecturer at the interdisciplinary Cyber Security Centre at the University of Kent, says that considering recent legal victories, he can’t write off the effort, even if he would have dismissed it just a year ago. “We have now finally seen some breakthroughs in transparency in response to Snowden, and the sense that intelligence oversight needs an overhaul is increasing,” he wrote in an email to me. “So although the [British government] will do its best to shore up the GCHQ legal position to ensure it doesn’t need to respond to this, their job will be harder than before.” “Privacy International have a recent record of pushing the right legal buttons,” he says. “They may win again.” A GCHQ spokesperson says that the agency will “of course comply with any direction or order” a court might give it, stemming from the campaign. King is also the head of PI’s research arm– organizing in-depth investigations into national surveillance ecosystems, in tandem with partner groups in countries around the world. The partners hail from places as disparate as Kenya and Mexico. One recently released report features testimonials from people who reported being heavily surveilled in Morocco. Another coming out of Colombia will be more of an “exposé,” with previously unreported details on surveillance in that country, he says. And then there’s the stuff that King pioneered: the method of sneaking into industry conferences by using a shadow company. He developed the technique Omanovic is using. King can’t go to the conferences undercover anymore because his face is now too well known. When asked why he started sneaking into the shows, he says: “Law enforcement doesn’t like talking about [surveillance]. Governments don’t talk about it. And for the most part our engagement with companies is limited to when we sue them,” he laughs. When it comes to the surveillance field, you would be hard pressed to find a company that does exactly what it says it does, King tells me. So when he or someone else at PI sets up a fake company, they expect to get about as much scrutiny as the next ambiguous, potentially official organization that lines up behind them. Collectively, PI has been blacklisted and been led out of a few conferences over the past four years they have been doing this, he estimates. “If we have to navigate some spooky places to get what we need, then that’s what we’ll do,” he says. Sometimes you have to walk through a dark room to turn on a light. Privacy International sees a world with a lot of dark rooms. “Being shadowy is acceptable in this world.” http://fusion.net/story/112390/unveiling-secrets-of-the-international-surveillance-trade-one-fake-company-at-a-time/ Highlights are for me.  Link to source article for an easier read. Great article.  Not sure I'll remember all of this information. Prior advocacy work: India Thailand Philippines More investigations coming: Kenya Mexico  Colombia   Completed report:  heavily surveilled in Morocco (strong USA ally, with heavy French & Spanish trade, credit and investment). StingRays are used routinely by Chicago Police Dept: Chicago PD seized drug money = first purchases 2005 incl. StingRay surveillance' digital 'hoovers' http://inthesetimes.com/article/17808/who-do-you-protect-who-do-you-surveil  Central Asia report software companies that have not responded: NICE Systems (Israel) Verint Israel (US / Israel) Gamma (UK) Dreamlab (Switzerland) Most of Privacy International legal actions have to do with fighting the “Five Eyes” - ie.  "intertwined intelligence networks of the UK, Canada, the US, Australia & New Zealand." Six court actions in progress currently. Sales to repressive governments include: Bahrain Sudan Libya (pre-revolutionary) Turkmenistan Uzbekistan Egypt, Tunisia & Bahrain - used European surveillance technology (crackdown protesters). European Commission -  has been looking at surveillance export. Expansive surveillance set down by: Patriot Act (USA) Aviation and Transportation Security Act (USA) Intelligence sharing between USA (NSA) and UK (GCHQ) ruled illegal prior 2014 because undisclosed.  However: "Now that details of the program were made public thanks to the lawsuit, the court said, the operation is now legal and GCHQ can keep doing what it was doing." That outcome sounds rather bizarre to me.

Don't Get Angry: Encrypt

AUSTRALIAN DIGITAL RAPE BY BRADIS & CO Why people ignore data retentions many perils >> http://www.smh.com.au/business/why-people-ignore-data-retentions-many-perils-20150330-1m9gtb.html REMEDY Gnu Privacy Guard  (GnuPG aka GPG)  Encryption   https://www.gnupg.org/  http://en.wikipedia.org/wiki/GNU_Privacy_Guard Werner Koch caught my eye the other day, so I thought GnuPG (aka GPG) might be potential go-to encryption software. German, Werner Koch has authored this software based on open source GNU operating system software (by an MIT guy, Richard Stallman).  Being open source software is supposed to be a positive because it allows outsiders to spot vulnerabilities in code (I think). Werner Koch previously received grants from the German government (but they expired some time ago).  Koch is still kicking on, single-handedly patching the GnuPG program, but short on funding. TOR Anonymising  https://www.torproject.org/ Tor - Explained  .......................................................................... Tor originated with the US Navy and has received US govt funding.   Gee, even as I'm keying this in, Russian software is looking more and more appealing because I'm wondering if there's German backdoors in the encryption software and anticipating some NSA trick when it comes to the Tor anonymising software (see Silk Road FBI busts). I don't know enough to assess the merits of GnuPG or Tor (and wouldn't have a clue where to find Russian software), so this is pretty much it for the options (I think) ... except that you can use PGP (Pretty Good Privacy) instead of the GnuPG. Nope.  It looks like Philip Zimmerman has sold up, so GnuPG it is ... unless you're prepared to trust a US company:  Symantec. ...........................................................................  Photo: Alex Ellinghausen COPYRIGHT DISCLAIMER Copyright Disclaimer under section 107 of the Copyright Act 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, education and research. Regarding the SMH article, 'rape by Bradis & Co' is my take rather than SMH's ... just so there's no confusion.  ;) That's pretty much what it is when everybody has been placed under state surveillance. State surveillance without cause or consent is an abuse of power.  To be the subject of such an abuse of power is to live in a prison state. The snail-mail version of this would have been going on back in the 50s and 60s, when the Australian govt was in full surveillance and political suppression and sabotage mode, to blot out the 'evil' of communism. But it isn't Russians and communists looking evil now; it's the totalitarian West. Instead of getting angry but then just accepting the inevitable prison population living conditions: a) use technology to secure privacy; & b) vote for non-mainstream politicians, rather than the corporate and US lackeys who have spent years spying on their own citizens (and nations abroad). Did a bit of a summary on encryption basics the other day ... but I think I've forgotten it already, so I'm going to have to start all over.  Intend to keep at it until I get some kind of feel and overview for privacy tech basics, from a consumer perspective.  Only I'm rather lazy ... The above links are just a starter and I don't really know what I'm on about, so it's best to do your own research. Discovered that free Russian e-mail services bypass the intrusions of freebie Western e-mail services.  English log-in is available. VIDEO GPG for Journalists - Windows edition | Encryption for Journalists | Anonymous 2013 from anon108 on Vimeo.