How bad can the new spying legislation be? Exhibit 1: it's called the USA Liberty Act

Freedom doesn't mean what you think it does


Analysis The US Senate Judiciary Committee has unveiled its answer to a controversial spying program run by the NSA and used by the FBI to fish for crime leads.

Unsurprisingly, the proposed legislation [PDF] reauthorizes Section 702 of the Foreign Intelligence Surveillance Act (FISA) – which allows American snoops to scour communications for information on specific foreign targets.

It also addresses the biggest criticisms of the FISA spying: that it was being used to build a vast database on US citizens, despite the law specifically prohibiting it; was being abused to do a mass sweep of communications, rather than the intended targeting of individuals; and that there was no effective oversight, transparency or accountability built into the program.

But in case you were in any doubt that the new law does not shut down the expansive – and in some cases laughable – interpretations put on FISA by the security services, you need only review the proposed legislation's title: the USA Liberty Act. Nothing so patriotic-sounding can be free from unpleasant compromises.

And so it is in this case. While the draft law, as it stands, requires the FBI to have "a legitimate national security purpose" before searching the database and to obtain a court order "based on probable cause" to look at the content of seized communications, it still gives the domestic law enforcement agencies the right to look at data seized on US citizens by the NSA. And agents only need supervisory authority to search for US citizens' metadata.

Huh

That is very, very far from what FISA was intended to do: the clue being in the "F" for "Foreign" in FISA. This legislation would legitimize the highly questionable interpretation that the NSA and FBI decided to place on Section 702: that the information gathered under FISA didn't require another step of authorization to look for American citizens' information – something that many claim breaks the Fourth Amendment on unreasonable search.

This legislative approach lends weight to the argument pushed by the security services in the wake of other illegal spying operations: that metadata is sufficiently innocuous that it does not require legal protections. That is a conclusion that many civil liberties and privacy groups fiercely disagree with.

The "safeguards" set out in the proposed law are similar to those introduced to other spying programs: the surveillance services must keep records of their queries and submit to Congressional oversight; and the Director of National Intelligence (DNI) must report to Congress twice a year on the number of US citizens whose communications are collected, and the number of requests that identified US citizens.

Again, though, there is implicit acceptance of the snoopers' questionable assumptions over Section 702 built into this approach. The details on US citizens are referred to as being "incidentally collected" – language that is used by the security services to justify not providing constitutional protections.

There is also precious little evidence that forcing the DNI to provide a report to Congress has any knock-on impact on the spies' accountability or transparency. All it has resulted in so far is the DNI either outright lying to Congress, or pretending to have heard a different question from the one asked.

Blind eye

In asking the DNI to provide the number of US citizens whose communications have been collected in the previous six months, the bill's sponsors have also purposefully ignored one of the most visible efforts by the people's representatives to keep the security services in check.

For several years, Congress has been asking for the NSA and others to provide a figure on the number of American citizens included in the existing 702 database, and they have played years of games in response. Ultimately, the spies simply refused to provide a figure, sparking something close to apoplexy in Senator Ron Wyden (D-OR).

The remaining changes follow a similar pattern: more window-dressing than real reform.

The bill does specifically prohibit the NSA from collecting so-called "about" communication – where anyone even mentioning a specific target could also have their communications stored. But the NSA has already agreed to that change, largely because it was never going to withstand legal scrutiny.

It uses the same formulation as other spying program reforms and allows for a representative of civil liberties groups to argue in front of the secretive Foreign Intelligence Surveillance Court (FISC) as it makes a determination. But, as has been repeatedly noted by such groups, that role is strictly limited. There is no right for that representative to attend hearings; the representative does not have the right to access all the relevant information; and the court is not obliged to listen to, act on, or even reference their arguments. The situation is ripe for abuse.

The bill extends whistleblower protections given to government employees to private contractors that work for the intelligence community. That sounds good but, again, a look at what has happened in the real world suggests such protections are likely to be no more than window dressing. No one working for the security services will seriously imagine that attempting to use whistleblower protections will do anything but paint a giant Edward Snowden-shaped target on their back. At least not without a number of public signs of a change in culture – and we have yet to see any.

Return of the PCLOB

And finally, the bill brings the Privacy and Civil Liberties Oversight Board (PCLOB) back into the mix after it was effectively killed off by Congress for daring to criticize other illegal spying programs. The PCLOB was stripped of many of its powers – and this bill does not return them. It is notable that President Trump also nominated an NSA-friendly person to chair the PCLOB.

The oversight board has no real independent power and no one worth their salt would apply to fill the empty positions on the panel having seen what was done to the previous directors when they challenged the status quo. In short, it is yet another fig leaf.

And so the USA Liberty Act is exactly what you imagine it to be: a piece of law written to give the illusion of reform by adding reports and paperwork, while quietly retaining highly questionable spying programs – keeping the real levers of power in the hands of the security services and the Congressmen who wrote the law. ®
