News Blog

Google is now the first of the major search engines and e-mail providers to make a firm statement on the issue of the National Security Agency's wholesale surveillance of Internet content.

Google has stated it didn't help the NSA search your e-mails. More specifically the company denies participating in the NSA's Terrorist Surveillance Program. But the company's carefully worded denial might not be enough to reassure savvy readers.

The Wall Street Journal recently revealed the true extent of the NSA's surveillance system:

"According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic e-mails and Internet searches."

This builds on what we learned the previous week, when The Washington Post revealed that the primary motivation for the White House's wiretapping immunity demands is to protect those firms that assisted with illegal, mass-scale surveillance of e-mail traffic.

Google has now taken the interesting step to become the first major Internet company to deny helping the NSA. In an on-the-record e-mail with a company spokesperson on Friday, I was told that:

"Google was not part of the NSA's Terrorist Surveillance Program."

Is that enough to reassure you?

If Google was obligated to give up search/e-mail records, it is likely that this request would be made via a Patriot Act authorized National Security Letter. A recent Journalarticle confirmed as much, stating that the information gained from National Security letters ended up in the gigantic NSA databases. But recipients of those letters may not be allowed to tell anyone about it, and may in fact be forced to lie.

The owner of an ISP who received one of these secret orders explained the significant restrictions placed upon him in a letter to The Washington Post back in 2007.

Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case--including the mere fact that I received an NSL--from my colleagues, my family and my friends. When I meet with my attorneys I cannot tell my girlfriend where I am going or where I have been. I hide any papers related to the case in a place where she will not look. When clients and friends ask me whether I am the one challenging the constitutionality of the NSL statute, I have no choice but to look them in the eye and lie.

If this poor gentleman had to lie to his girlfriend and family, it's possible that Google, if it did receive a FBI National Security Letter, might be placed in a similar position.

Careful wording
My original question to Google was, "Is Google sharing 'huge volumes' of search records with the government?" I never asked about the NSA's Terrorist Surveillance Program specifically.

As Salon's Glenn Greenwald has explained, the Bush administration has been very careful with its use of the term "Terrorist Surveillance Program." Many snooping activities, some of which were clearly illegal, do not come under this definition. Simply put, Google could have handed over a copy of every search request and every e-mail sent by a Gmail user to the U.S. government and it would still be able to quite correctly deny participating in the Terrorist Surveillance Program.

In any case, on January 17, 2007, Attorney General Alberto Gonzales announced that the Terrorist Surveillance Program would not be reauthorized by the president, but would be subjected to quasi-judicial oversight. So the Terrorist Surveillance Program, at least by that name, no longer exists, and Google could be actively handing over millions of e-mails, while the statement made by its PR people would be completely true.

What if Google's PR people are telling the truth? What if Google really didn't help the NSA, and that the spooks are collecting millions of search records via wiretaps placed on the Internet backbone?

It's worth pointing out that Google has stood up to the feds when they demanded search records a couple years back--but this was the DOJ, not the NSA.

The problem remains that Google is not doing a single thing to protect its customers from this kind of large-scale surveillance. While the company supports SSL-encrypted Webmail sessions, it does little to advertise it, and has taken no steps to turn it on by default.

However, the biggest problem is search. Google offers no way for its customers to search the Internet without an evil ISP (such as AT&T) from snooping in on the traffic. Google could very easily enable SSL search sessions, but has not taken any steps to do so.

When asked about the webmail security problem, and which steps customers should take to protect their search traffic from snooping Internet service providers, Google's spokesperson directed me to the company's much ridiculed YouTube Privacy channel.

I spent a few minutes browsing through the channel, but couldn't find any specific advice on protecting myself from illegal wiretaps and government surveillance. YouTube seems to be a great place to find videos of skateboarding dogs, but not such a great source of privacy tips.

For those of you who care more about your privacy than cute YouTube videos, I highly recommend the Tor anonymous web proxy, as well as the Customize Google Firefox browser extension.

Update December 18, 4:43 a.m. PST: Adds more analysis and background.

Congress won't decide until next year whether to pass a complex law that would let telephone and Internet companies off the hook from lawsuits alleging illicit cooperation with federal government spies.

After a day of back-and-forth on the Senate floor, U.S. Senate Majority Leader Harry Reid emerged on Monday evening and announced he would postpone debate on the so-called FISA Amendments Act. That bill, which has already been approved in a closed-door meeting of the Senate Intelligence Committee, would grant such corporate immunity and make it easier for the feds to snoop on phone calls and e-mails involving foreigners and Americans without a warrant, drawing rampant criticism from civil liberties groups.

The latest action is a blow to the White House, which has been pressuring Congress to enact a more lasting replacement to the Protect America Act, a wiretapping law expansion set to expire in early February.

"While we had hoped to complete the FISA bill this week, it is clear that is not possible," Reid said. "With more than a dozen amendments to this complex and controversial bill, this legislation deserves time for thorough discussion on the floor."

Reid added that he also continues to be opposed to the idea of "retroactive" immunity, which aligns him with many prominent Democratic leaders.

FISA refers to the Foreign Intelligence Surveillance Act, a 1978 law that the Bush administration argues is outdated, potentially hampering critical collection of foreign terrorists' conversations. Most members of Congress agree that certain legal changes are necessary to account for advances in communications technology. The intense rift lies in whether to make more sweeping changes, with the bulk of the controversy centering on immunity for corporate wiretap players.

Congress bowed to presidential pressure during the summer when it passed the Protect America Act, which granted many of the items on the administration's wish list. Republican leaders have generally backed renewing and expanding that legislation, but Democratic leaders say they're determined to insert more civil liberties checks in the newest version, which is intended to replace the existing law when it expires in early February.

Civil liberties groups that have sued the government, alleging privacy violations through the spying programs, proclaimed victory on Monday night. Caroline Fredrickson, director of the American Civil Liberties Union's Washington legislative office, called the turn of events "a welcome holiday present for the American people."

Earlier in the day, however, it appeared more certain that the Senate would move ahead with a vote to approve the controversial Senate measure, which would provide legal immunity to electronic communications providers that have allegedly opened up their networks to the National Security Agency and other federal spies since the September 11, 2001 attacks. Above vocal objections from some Democrats, the senators nevertheless voted 76-10 to limit debate and other stalling tactics related to the bill.

But in the end, last-minute rallying from Democrats opposed to the telecommunications immunity provisions seemed to apply the pressure needed to derail the bill's consideration.

Sen. Chris Dodd

Perhaps most notably, Sen. Chris Dodd (D-Conn.), a presidential hopeful, devoted nearly the entire day to delivering one impassioned speech after another about his opposition to granting legal immunity to telecommunications companies accused of providing illegal assistance to government spying programs. Other influential Democratic senators, including Russ Feingold (D-Wisc.), Patrick Leahy (D-Vt.), and Ted Kennedy (D-Mass.), echoed his concerns at various points during the day, while leading Republicans like Sen. Orrin Hatch (D-Utah) and Sen. Kit Bond (D-Mo.) advocated for passage of the new legislation.

"Today we have scored a victory for American civil liberties and sent a message to President Bush that we will not tolerate his abuse of power and veil of secrecy," Dodd said later, adding that he would continue to seek support for an amendment he plans to propose to strip the legal immunity from the final legislation.

What's arguably more likely is some sort of compromise that retains the legal protections in some form. President Bush has long threatened to veto any measure that does not include retroactive immunity for communications companies, and he has shown no signs of backing down so far.

Correction 2:40 p.m. PST: The original version of this story incorrectly stated the vote count. It was 76-10.

In a preliminary victory for the likes of AT&T and Verizon, the U.S. Senate has ventured a step closer to passing a law that would crush lawsuits accusing telecommunications companies of illegal cooperation with government spying programs.

By a 76-10 vote on Monday, the senators agreed to cut off the possibility of a filibuster that would delay final action on the so-called FISA Amendments Act, which the Bush administration argues is necessary to remove supposed hurdles to snooping on foreign terrorists. All 10 of the votes against limiting debate came from Democrats. (FISA refers to the Foreign Intelligence Surveillance Act, a 1978 law that sets the ground rules for intercepting communications between foreigners and U.S. persons.)

By overcoming that procedural hurdle, senators are now poised to consider several amendments and proceed to a final vote on that bill, which was originally approved by a 13-2 vote in a closed-door meeting of the Senate Intelligence Committee in late October. Critics, however, say that version gives the executive branch too much unchecked authority to eavesdrop, without a court order, on communications between Americans and people "reasonably believed to be outside the United States."

Equally controversial is the immunity provision contained in the bill. The language is crafted broadly enough to shield not only traditional telephone companies and Internet service providers, but e-mail providers, search engines, and instant-messaging services too. And the legal shield would apply not only to corporate cooperation with programs run by the National Security Agency, but also any activities at the CIA, the Defense Department, the Office of the Director of National Intelligence, the Defense Intelligence Agency, the State Department, the Treasury Department, Homeland Security and other intelligence-related organizations.

Update 12:40 p.m. PST: An aide to Senate Majority Leader Harry Reid told CNET News.com on Monday afternoon that he wasn't sure exactly when a final vote would occur. Reid has reportedly set aside 30 hours for the bill's consideration.

The measure is intended to replace a temporary law, known as the Protect America Act, which is set to expire in early February and has been attacked by civil liberties groups and some Democrats as insufficiently protective of Americans' privacy.

The Protect America Act effectively expanded the government's ability to collect, without a warrant, phone and Internet conversations in which at least one party is reasonably believed to be outside the United States. But although it immunized private companies from lawsuits going forward, it did not address what to do about scores of pending lawsuits, such as the one that the Electronic Frontier Foundation filed against AT&T, alleging illegal behavior by telephone companies.

Bush administration officials insist their spying operations will fall apart without cooperation from communications companies and that those companies were only doing their patriotic duty. The president has made it clear he will veto any legislation that fails to grant retroactive legal immunity.

But some Democratic senators attacked that reasoning on Monday, arguing that Americans need assurances that their private conversations won't be illegally tapped by their service providers. They urged pursuit of a stripped-down version of the FISA bill, recently approved by the Senate Judiciary Committee, which lacks legal immunity for telephone companies. Presidential hopeful Chris Dodd (D-Conn.), who has vowed to block passage of any bill that includes retroactive immunity, delivered a lengthy speech before the vote urging his colleagues to oppose any bill that lets telephone companies off the hook.

"I'm here because the truth is not their private property," he said, referring to Bush administration officials who have sought to suppress lawsuits against telecommunications companies on state secrets grounds.

But other key party members don't share that view. Sen. John Rockefeller (D-W.Va.), the Intelligence Committee's chairman, said some components of that bill may be offered as amendments to his committee's bill, but he appeared unwilling to budge on the idea of shielding telephone companies from lawsuits.

"Companies who participated at a great risk of exposure and financial ruin for one reason and one reason only, in order to help identify terrorists and prevent follow-on terrorist attacks, they should not be penalized for their willingness to heed the call during a national emergency," Rockefeller said on the Senate floor Monday.

Sen. Arlen Specter (R-Penn.) said he's still hoping to spearhead a sort of compromise approach aimed at stopping short of full immunity. With backing from some Democrats, including Judiciary Committee Chairman Patrick Leahy (D-Vt.), he plans to offer a "substitution" amendment, in which government lawyers would formally take the place of the telephone company or other parties being sued.

"I do not know whether there is wrongdoing or not, but I do not think it is appropriate for the government to act secretly, surreptitiously...and then come back at a later date and say please exonerate us," he said.

Whatever ends up happening in the Senate this week won't necessarily be the final word. A divided House of Representatives has already approved a rewrite of wiretapping law that does not provide legal immunity for private companies. Any differences between the final Senate version and the House bill will have to be reconciled in what appears destined to be a contentious conference.

Update 1:35 p.m. PST: Details about additional proposed amendments to the corporate immunity section of the bill began trickling out as debate continued Monday afternoon.

Sen. Dianne Feinstein (D-Calif.) said she plans to offer an amendment that attempts to place limits on the immunity protection for companies. According to the latest draft language provided by her office, companies would be eligible for that privilege only if the secret Foreign Intelligence Surveillance Court had determined that one of three things occurred: the government's written request to the company complied with federal law, the company executives were acting in "good faith," based on "a demonstrable reason to believe that compliance with the written request or directive...was permitted by law," or the company didn't "provide the alleged assistance" at all.

In addition, Dodd said he plans to team up with Sen. Russ Feingold, the Wisconsin Democrat with the distinction of being the only senator to vote against the contentious Patriot Act, to offer an amendment that would strip the entire immunity provision, which means pending suits would not be immediately tossed.

Update 7:50 p.m. PST: On Monday evening, Reid decided to shelve the vote until next year in an effort to give politicians more time to work out how to handle the thornier provisions of the bill. Click here to read our update.

With the majority of the Democrats caving in to the Bush administration's demands for full immunity for the telecom companies for-profit collusion in the NSA's illegal wiretapping program, it seems to be clear that the Fourth Amendment and federal antiwiretapping laws are no longer enough to keep our communications secure. Laws stating that "thou shalt not listen to your customers phone calls" no longer seem to have any bite. Or at least, they don't as long as teleco lobbying coupled with massive political contributions can turn once critical senators into kindly old men willing to forgive and forget.

AT&T: Your World. Delivered. To the NSA

(Credit: Electronic Frontier Foundation)

Thus, now that AT&T and Verizon are free to provide the NSA with a full copy of all Internet traffic that flows over their networks, I thought that perhaps it'd be a good idea to discuss proactive technical solutions that users can utilize to protect their own privacy. The primary focus of today's blog post is on one small area of user privacy, but one which is perhaps the least well known by the average joe, yet which is extremely vulnerable: instant messaging. The question to be answered today is: how can nontechnical users secure their own instant-messaging conversations such that an attacker is unable to listen in (be it the government or a nosy neighbor sniffing the wireless network from next door).

The major IM networks, which include AOL IM/iChat, MSN, and Google Talk (when using the gmail embedded chat function) all send data over the clear. Using IM over an unencrypted wireless network (such as at a coffee shop or hotel lobby) is an open invitation for nasty folks to read your conversations. Those people using the downloadable Google Talk client will at least have their conversations encrypted between their own computers and Google's servers - but that doesn't solve the problem of the NSA forcing/paying Google to hand over your data. Likewise, AOL confirmed in 2005 that if presented with a court order, it would let the government eavesdrop on IM conversations between customers.

The solution then, is to use an encrypted instant-messaging program--one made by a third party and not one of the major IM networks. That is, a software client with which the conversation is encrypted from one user's computer all the way to the recipient--and not just to the central servers of the IM network. While the popular Trillian multinetwork client does offer encryption, its design is flawed, and is subject to a number of attacks. The tool of choice for privacy-conscious geeks everwhere is a protocol known as Off The Record (OTR). This scheme, designed by a team of security researchers including professors Ian Goldberg and Nikita Borisov, provides a number of really cool features. The benefits of OTR include:

• Encryption: No one else can read your instant messages.
• Authentication: You are assured the correspondent is who you think it is.
• Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
• Perfect forward secrecy: If you lose control of your private keys (such as if your computer is hacked, for example), no previous conversation is compromised.

An encrypted conversation in Adium

(Credit: The Adium Dev Team)

The OTR team don't actually produce its own instant-messaging client. Instead, they have released an open-source library that other IM programs can include--which hopefully means that as more and more clients adopt it, users will be able to conduct safe and encrypted conversations with people who use an IM program different than their own. Right now, the OTR team distribute a plugin for Pidgin, the popular multiplatform IM client. Adium, a popular IM client for Mac OS X, has OTR support built in. There are third-party plugins for the Kopete, Miranda and Trillian IM clients. Best of all: OTR is IM-protocol-independent. That is, once you have an OTR-enabled client installed, you can communicate with friends on different IM networks, be it AIM, Google Talk or others, as long as your friends also have OTR-friendly IM software.

Linux and Windows users are probably best off using the Pidgin IM client, which works with all of the popular IM networks and then installing the OTR plugin. For Linux users, it should be as simple as installing the Pidgin-OTR package with your respective package manager. Windows users will want to download the Pidgin-OTR plugin from the OTR Web site. Mac users: you're in luck. You can be lazy, and simply download Adium, which has OTR out of the box.

Once you have an OTR-enabled client installed, its as simple as clicking on the lock icon in any conversation window. You'll be asked to accept an encryption key the first time you chat--which you should verify with your pal by some form of non-IM conversation (the phone, in person, etc). After that, all future communications with that person should be encrypted without any more work. That's it. Secure communications, free from prying next-door neighbors or privacy-invading spooks.

Finally, here's a phone plan that allows you to switch from the U.S. government's Secret Internet Protocol Router Network to the Unclassified but Sensitive Internet Protocol Router Network with a single keystroke.

(Credit: General Dynamics)

The National Security Agency has authorized military and government personnel to order up a bunch of General Dynamics' Sectera Edge secure, wireless smartphones, which will not only allow them to make secure calls but also to e-mail and Web-browse in either classified or unclassified mode.

The phones will still operate right along with everyone else on the existing high-speed Global System for Mobile Communications (GSM), code division multiple access (CMDA) and Wi-Fi commercial cellular networks.

Although it looks like a regular phone, the company says the Sectera Edge is designed to rugged military specs, allowing for the wear and tear of both the office and "war fighters completing a tactical mission." And it comes with a personal organizer that includes contacts, calendar, tasks, alarms and notes so you won't forget your loved ones' birthdays in the midst of a covert operation.

Deliveries are scheduled for later this year, with sales estimated as high as $300 million over the next 5 years, according to the company. The Sectera Edge is part of the NSA's Secure Mobile Environment Portable Electronic Device program, but there are civilian models available. Did we mention the secret handshake?

Much has been made of an El Paso Times interview last week in which Director of National Intelligence Mike McConnell acknowledged the "private sector" has assisted in the president's so-called Terrorist Surveillance Program. Some opponents of the phone-call-and-email-snooping regime promptly pounced on the remarks, suggesting they implicate telephone companies like AT&T and Verizon, which have been accused in numerous lawsuits of consumer privacy violations and illicit cooperation with the Bush administration.

"Now if you play out the suits at the value they're claimed, it would bankrupt these companies," McConnell told the paper, according to a transcript. He didn't, however, mention any firms by name.

Excerpt from the Justice Department's August 29 brief in Verizon/MCI case

Arguably revelatory statements like those have prompted new questions about the Bush administration's ability to continue evoking the "state secrets" privilege in the various cases against the telcos, which are currently pending before U.S District Judge Vaughn Walker in San Francisco federal court.

The McConnell interview may play a role in Walker's courtroom on Thursday afternoon, when he's scheduled to hear arguments about dismissal of a set of now-consolidated class action suits against Verizon and then-separate MCI. Those companies have been accused of operating a content surveillance "dragnet" and of turning over subscriber records to the NSA without a warrant. (Verizon, for its part, has publicly denied providing such information to the spy agency.)

Attorneys for the plaintiffs in those suits recently submitted the McConnell transcript for the court record, in an attempt to blunt the government's contentions that proceeding with the case will endanger national security by exposing state secrets.

Not so, the Bush administration countered in a Wednesday court filing seen by CNET News.com. The Justice Department attorneys argue McConnell's statements did nothing to change the fact that it hasn't ever confirmed any of the activities alleged by the class action plaintiffs--and has, in fact, denied the existence of any sort of "dragnet." The arguments made by the class action plaintiffs rest on nothing but "speculation," the attorneys wrote. In the Justice Department's view, litigating the case would still require exposing how the program actually does work--which, it says, would in turn endanger national security.

Verizon declined to comment, but its attorneys have also argued in recent court filings that the state secrets privilege must apply. Walker, for his part, has so far declined to grant that immunity in a related high-profile case against AT&T, and a federal appeals court panel recently indicated unwillingness to side with the government on that front.

Update: Click here for CNET News.com's coverage of Thursday's court arguments about dismissal of this case.

A federal appeals court on Friday threw out a lawsuit brought by the American Civil Liberties Union and others against the Bush administration's warrantless wiretapping program.

In a 2-1 decision, the Sixth Circuit Court of Appeals in Cincinnati reversed a federal district court ruling last summer that found the National Security Agency surveillance program violated the U.S. Constitution.

The majority ruled that the ACLU and the collection of journalists, scholars, attorneys and national nonprofit organizations it represented did not have legal standing to bring their case. They had argued that the NSA program was trampling on federal laws and their constitutional rights because they had reason to believe the feds were sweeping up international communications they intended to keep private.

The two judges' reason for dismissing the case boiled down to one major point: the plaintiffs hadn't shown evidence that they have been "personally" subject to the eavesdropping program. They sent the decision back to the lower court and recommended the suit's dismissal.

One judge, however, said he fundamentally disagreed with their stance and would have chosen to uphold the lower court's ruling.

Read CNET News.com's full story here.