Monday, May 23, 2016

Snowden calls for whistle-blower protection


The Guardian published an article entitled "Snowden Calls for Whistle-Blower Shield" by Spencer Ackerman and Ewan MacAskill. The implication is that the country may have been spared the embarrassment of the exposure of the classified documents he released, if there had been a good, protected process for whistle-blowing that would have protected him from retaliation and actually done a serious investigation into the accusations. John Crane, a former Pentagon IG investigator, also revealed that he thought the whistleblower protections were not effective. He revealed a specific example of Thomas Drake, who blew a whistle and then was retaliated against.

I'm skeptical that Snowden would have actually used a whistle-blower channel, even if it did protect him and initiate an effective investigation. However, I do agree it is VERY difficult for someone to report a problem. It is particularly difficult for someone with enhanced security clearances. When someone is briefed into a particular security compartment, only a very few people are allowed to know that secret. So, from a security standpoint, it would be a violation (subject to fine and imprisonment) to tell anyone outside of that small group of compartment-briefed individuals about fraud, waste, or abuse related to that compartment.
Also, if a contractor (as Snowden was), the whistleblower would not be just risking retaliation to him/herself, but would also be putting the contractor's whole company at risk. In the "best case" result for a whistleblower in a classified program, the individual would "only" lose a security clearance. However, in reality, that would kill the person's career in the Government and/or with the contractor. And it would probably prevent the person from ever being hired again. That is a terrible price to pay for doing what should be considered to be a public duty. There were several times in my military career, and also while working as a contractor, that I firmly believed I could have (should have?) reported waste or abuse concerning programs, but, at the time, I thought that someone at a higher level of command must have, from a higher perspective, seen justification of some sort in continuing what appeared to me to be an unnecessary plan of action. In hindsight, it is clear that in several of those cases, my concerns were shown to have been valid, and programs were cancelled--but not until immense amounts of money had been spent/wasted.

This article also pointed out the problem of retaining documentation that substantiates the fraud, waste, or abuse. Whistleblowers are told to hang on to documentation of the problem, but then could be accused of inappropriately handling classified information. If a whistleblower's concerns are found to be true, the individual could still be retaliated against for mishandling the material...even if it wasn't made public!

I do believe that NSA had exceeded their authority in spying on Americans. Snowden was probably correct and it was appropriate for him, or someone else, to report the violations. James Clapper did, in fact, lie to Congress in the hearings. But, as he said, he was in a very difficult position. The "government" was, and still is, monitoring the phone calls, emails, and physical location (metadata) of suspects at all levels of government, not just the Federal government. The Federal Government is aiding city, state, and county agencies and police in doing it with license plate readers, cell phone "stingray" systems, and other devices. While using those systems, the government(s) inadvertently collect similar information about millions of "non-suspects" at the same time. While the agencies may not use or catalog that information, it has been collected and could be used against a citizen. A huge amount of the information that is collected seems to be in support of our Government's war on drugs. That whole war could be considered another form of fraud, waste, and abuse. And I still think it is being waged to line the pockets of the many who believe they are helping our country, but who are also earning a lot of money from the "war" as currently being waged.

I've often thought that the Government needed a separate agency to act as an overall inspector-general to whom whistleblowers could make secret reports without fear of retaliation. However, would it be part of the administration? Part of Congress? Or part of the Judiciary branch of government? None of those options sound like they would work! The best we have is the "4th branch" -- or dedicated corps of journalists!



Saturday, April 23, 2016

Cracked San Bernardino iPhone

Apparently the FBI has successfully "cracked" the San Bernardino Shooter's iPhone, as has been stated in many news reports, including this one. Now, as predicted, the FBI wants to crack more phones, and many other agencies want to do it also. Since everyone is now aware that the phones can be cracked, it is probably just a matter of time until other countries' agencies and "bad guys" around the world figure out how to do it also. So now our phones aren't safe from our own government, foreign governments, and soon from hackers.
It is interesting that the FBI has not mentioned that they were able to obtain any useful information from the County-provided iPhone used by the San Bernardino shooters.  

Friday, April 22, 2016

Hacking Your Phone -- 60 Minutes Program April 2016

On April 17, Sharon Alfonsi on 60 Minutes had a segment called "Hacking Your Phone." She reported that hackers have discovered a flaw in the "SS7" system that controls all phones throughout the world that allows anyone with knowledge of the flaw to gain complete access to a phone. The hacker can listen to our calls, copy all of our emails and texts and see all of our passwords. She arranged a demonstration where hackers John Hering and Jon Oberheide hacked Congressman Ted Lieu's phone. They could even remotely install malware onto the Congressman's phone that would allow them access to the phone's camera and were able to see everything his camera was pointing at without the Congressman's knowledge the phone was active.

So this shows that even with encryption and all of the modern security features of our phones, "bad guys" can get into our phones.  What should we do?  Should we stop all internet activity from our phones?  This remarkable revelation may put a serious damper on the movement to do everything using our mobile phones. That could, in turn, affect the overall economy.
It appears that phone companies are aware of the flaw, and have known about it for a long time. They were quoted as saying that it is a vulnerability in Europe, but not the US -- but the demonstration was, in fact, done in the US with US carriers. So we know our US system is vulnerable.

I am suspicious that our Federal Government agencies (FBI, NSA, CIA, Treasury Dept, Homeland Security, etc.) may be aware of the flaw, and if so, are actively exploiting it both within the US and around the world as well. I also suspect that the US carriers are forbidden by those agencies from revealing that fact, or the fact of the SS7 flaw, because those agencies would like to continue to use it against the organizations and individuals that those agencies believe are "bad guys." Those agencies do everything they can to protect their secret access to our phones. Today's USA Today had a column by Brad Heath entitled "FBI Urges Agents to Keep Secrets - From Each Other." I also suspect that what they are hiding is the fact that they can hack into our phones and our cars' "On-Star" type systems and don't want citizens and defense attorneys to know they can do it.

Near the end of the 60 Minutes report, Congressman Ted Lieu said that if our intelligence agencies know about this flaw and didn't report it, they should be fired. I believe Congress should investigate to find out if, in fact, agencies are exploiting this flaw. If they are using it, some leaders should be fired.

I also think Congress should push immediately to close the "flaw" in SS7, and if necessary should appropriate resources to do it.   We really need some sort of independent agency to test all such communication systems and devices for serious flaws and make sure they are, in fact, secure. 

Saturday, March 5, 2016

FBI vs Apple

The FBI selected the San Bernardino shooting as a "poster child" for their cause to open up encrypted phones to Government snooping.  FBI for the past year has been complaining about the need for access to encrypted phones.  This situation looked like the perfect Trojan Horse for them to use the horrible nature of the crime as leverage to build public consensus to force companies to provide the Government a back door to our phones.

Other than the horror of the shootings, there is probably little merit to getting into the phones.  The two shooters, Syed Rizwan Farook and his wife Tashfeen Malik, are dead, and they made sure that their personal phones were totally destroyed.  That certainly makes it appear that those phones were probably the location of any information that might incriminate others.  This phone is a county government phone.

Also, in this case, the Government made two serious mistakes. First, San Bernardino County should have paid the small additional amount for the Apple-provided service that would allow the County to always be able to track and open the employee's phone. Second, the Government shouldn't have changed the iPhone cloud password (see this Wired link). That made it impossible with the current technology to get into the phone in question. So, the Government made 2 serious mistakes, and now wants to put all phone owners at risk to be able to get into that phone and possibly find that there might have been someone else partially involved with the crime.

Of course, the FBI knows that as soon as Apple would create the capability to break into this phone, they would be following up with hundreds more requests. Other US police agencies would also want to get into our phones. Every country where Apple sells its phones (probably all countries) would also demand the same capability or they would "ban" Apple from selling in their country. Apple, of course, would have to comply. From then on, nobody who travels to those countries would be safe from foreign government snooping through their phones. Worldwide privacy would be gone!


Thursday, February 11, 2016

Why the Fight over Encryption is at an Impasse

MIT's Technology Review had a good article by Tom Simonite that summarizes the standoff between the Government agencies and technology companies over encryption of communication and files.  See this article.
The Government agencies claim that they need to be able to decrypt and monitor all of our phone calls, emails, texts, and computer files in order to "fight terrorism." The privacy advocates and technology companies say that if our Government is given a "backdoor" into all communication encryption, other governments will ask for the same thing. Also, there would then be nothing to stop "bad actors" from either stealing or figuring out that same back door, and being able to interfere with all of our personal communications, banking, trade secrets, etc.

Tom Simonite implies that he thinks that the issue will not be decided until we have a new president in office.  He believes that Trump and Rubio would side with the Government, while Cruz and Sanders would side with the tech/privacy advocates.  Hillary Clinton has a vague "in between" stance. 

The Government agencies claim that if they had access to encrypted messages, calls, and files, they could prevent acts of terrorism.  They say they are still having difficulty opening files related to the San Bernardino shootings.  I'm very skeptical that they will be able to identify and prevent acts of terrorism before they occur.  However I can see that it is useful after the fact to use when prosecuting criminals.  The problem is to identify conversations related to planning a crime and separating it from all of the other general noise in the system.

I believe everyone should have access to the toughest encryption possible for our calls, texts, emails and computer & cloud files.   

Sunday, January 24, 2016

California Considering Requiring all Cell Phones to have "back door" to encryption.

The Sunday 24 Jan 2016 Los Angeles Times had a report by Melanie Mason that said: "Lawmaker targets smartphone encryption." Assemblyman Jim Cooper of Elk Grove is sponsoring a bill (AB1681) to require all cell phones produced in the state to have an ability to be decrypted using a "back door" by police agencies. The bill also requires smartphones sold to be able to be remotely disabled.
Assemblyman Jim Cooper is a retired Captain in the Sacramento Sheriff's Department, and states this capability is necessary to stop human trafficking. Yes, I think it might help the police stop human trafficking. I suspect their real reason is to use it in their terribly frustrating "war on drugs." He is probably using the human trafficking example as a Trojan horse to get such a bill passed, since most people would be against human trafficking, but probably less than half of the voting population is in favor of continuing the war on drugs. We really cannot trust our prosecutors and police to not "stretch" the use of this "crime fighting tool" if they got it. They would eventually use it to become a serious abuse of powers. Every time they have been granted an additional power, they have abused it, such as the RICO laws, property confiscation, and the "3 Strikes" law. The requirement in this law to be able to remotely disable a smartphone is described as disabling it for "unauthorized users" -- but that also implies that the police could disable the phone to prevent someone from erasing incriminating information on it.

It is also very strange that a Democrat would be sponsoring a bill to tear down our individual rights -- that is usually what Republicans advocate.  Cooper also claims that the big tech companies are putting profits over people by fighting such a proposal.  I would put it the other way -- his bill puts the profits of the immense "police/counter drug" industry over the rights of individuals.

Samantha Corbin, from the Electronic Frontier Foundation, disagrees.  I also disagree with the proposal.  We need to draw a line in the sand for our individual rights for privacy.  It is a difficult area to figure out where to draw that line -- but this is one of them.  There are a lot of flaws in the proposal:
1. If police do have a court order to be permitted to explore the contents of a cell phone, then there are computer resources that must be available to help them do it by "brute force" decryption. Yes, the police department may have to pay either private companies, or NSA to perform the task. Criminals using mobile phones have to use some sort of password, and it is possible to crack fairly long passwords within 24 hours of processing using modern computers and algorithms.
2. If a back door is put into encryption of all mobile phones sold in California, anyone with criminal intent will buy their cell phones from out of the state -- or out of the country if all states passed similar laws.
3. If such a law was passed, that same "back door" could be used by others.  What is to stop political opponents from using it to spy on competitors?  What happens when the "back door" is discovered by someone and made public on the internet?  
4. Third-party applications could be installed on phones that would add another layer of encryption on top of the manufacturer's encryption.  If such a bill passed, most of us, and certainly most criminals would begin using such applications.  Yes, it would encumber the use of the phones, but the cost would be reasonable compared to the risks involved.

The right answer is to pass a law that requires an owner of a mobile phone to unlock a phone when presented with a legal search warrant with probable cause.  The owner should be entitled to at least one appeal, where counter argument could be presented before having to unlock the device.  The search warrant should be written to only look for certain information, and not be permitted access to everything on the phone.  If the owner of the device refuses to unlock the phone, there should be some sort of immediate jail sentence (if nothing else but "contempt of court")  and the owner should be fined and required to reimburse the cost expended to "crack" the encryption using high-powered computers and algorithms.

Thursday, January 14, 2016

Special Place in Hell

Wow, this really looks like the Government overreaching to quash freedom of press, freedom of speech! Matt Welch of Reason.com was given a subpoena to provide identifying information for people who had posted comments on his website! See this op-ed in the LA Times. The Attorney General and New York State attempted to obtain that information with a subpoena! They even issued a "gag order" to Reason.com to prevent them from telling anyone about it, or notifying the people who had written the comments.
I do agree with many that Ross William Ulbricht got an absurdly severe sentence for operating a website. Yes, drug dealers may have used his website. But dealers also use AT&T's phone lines, but do AT&T executives go to prison? Dealers were probably very cagey. Yes, he may have known about money laundering going on with bitcoins. But that is pretty hard to track also. Is it a web site's responsibility to police all traffic on it? I also don't think that the police actions to stop money laundering have ever been tested in the Supreme Court. I think that simply handling money exchanges would be found legal under the US Constitution.
I also wonder if Shaun W. Bridges, the Treasury agent who was involved in the investigation may have "contaminated" the evidence against Ulbricht. He managed to steal a lot of "bitcoin" himself, and has been sentenced.
At any rate, I really am amazed that the Government would go after someone who writes a comment "There's a Special Place in Hell" for the judge.  The mere fact that someone in the Government attempted to do that, should be a crime.  But I doubt that whoever issued that subpoena or gag order will ever be tried or convicted of a crime.


Police "slow" to comply with 'Stingray' policies

Jeff McDonald reported in today's (1/14/2016) San Diego Union Tribune that the San Diego Police Department (SDPD) has been very slow to comply fully with the state law that requires them to publicly post information about their use of 'Stingray' cell phone tracking systems. The Stingray systems are mobile devices that allow the user to intercept cell phone calls and track the user's locations. Stingray systems also allow the user to disrupt, or block phone calls from specific cell phones. They can force cell phones to increase their transmitter power, force them to use weaker encryption keys, and, with that information, can actually listen in on cell phone calls.
The Federal Government encouraged local governments to acquire and use the devices by offering generous grants to help them buy the devices from Harris Corp. Apparently the Department of Homeland Security and FBI are behind that effort. The article says 17 states are using the devices. I suspect that more states are using them without their citizens' knowledge, and given that the Federal agencies are pushing the state and local police to use them, probably the NSA, CIA, FBI, DHS, ATF, Border Patrol, etc. are also using the devices.
Of course the agencies justify their use of these devices to protect America from terrorists. But I suspect their primary use is simply to track and catch recreational drug smugglers and marketers as part of their endless (and very profitable) "war on drugs."

For years, state and local police departments have been using stingray systems to track and eavesdrop on citizens without wiretap approvals, or warrants.  I'm sure all of those agencies knew that the use of the systems was against the law, and against the basic premises of our US Constitution, but they felt their "higher purpose" (war on drugs) was an end that justified the use of these means. I'm sure they can claim they caught some "bad guys" using stingrays, and they may also claim that there have only been a few "abuses" of the systems.  But who knows?  What kind of checks and balances have been built into the use of the systems to verify that some police officer might not have tracked his wife or girlfriend?  How do we know someone hasn't used it to get information about a political opponent or business competitor?  
The State of California Government wanted to put some controls on this technology to reduce the chance of abuse. Senate Bill 741 was signed into law on October 8, 2015, which makes it a crime to possess or use such a tracking device without going through the procedures defined in the law. Police have already had 3 months to comply with the law, but according to this article, most have only paid lip service to the law, and have not complied with the intent and spirit of it. I'm pretty sure that if I had and used such a device myself, I would probably have the device confiscated, be arrested and thrown in jail under this law. But, of course, the police can take their time to comply with the law. They clearly do not want the public to know that they are using the device, who they share the information with (probably all Federal agencies), and how long or where they keep the data they collect. It does make sense to not let the supposed bad guys know about the system, because it would be easy to simply turn off cell phones and not be tracked. Since so many cars now have similar trackable communications systems (such as "On Star," "Ford Order," "Toyota Safety Connect," "Nissan Vehicle Tracking Recovery System - VTRS," or Chrysler's MOPAR Electronic Vehicle Tracking System), I suspect that these stingray systems can also track vehicles using similar technology; they may also be able to eavesdrop on conversations held within the car. Nobody has seemed to bring that subject up.
This California law affects State and local police agencies, but probably does not affect Federal agencies.  So I'm not sure we have a chance of protecting our public's right to privacy with just a state law.    George Orwell's "1984" dystopian world came 30 years later than he predicted.  And instead of carrying out a continuous war against two other continental alliances, we are carrying out war against "drugs" and "terrorism."  Yes, we aren't looking for "thoughtcrimes" but we are trying to identify and stop crimes before they happen.  We try to catch people selling chemicals that might be used in fabricating drugs.  We try to stop money flow that might happen to be related to drug smuggling or donations to Palestinian causes.  We try to stop people from recruiting others to join ISIS fighters. These are all similar to "thoughtcrimes" and now we are using technology to track our citizens without their knowledge.