As intended, Jonathan Chait’s denunciation of the “PC language police” – a trite note of self-victimization he’s been sounding for decades – provoked intense reaction: much criticism from liberals and praise from conservatives (with plenty of exceptions both ways). I have all sorts of points I could make about his argument – beginning with how he tellingly focuses on the pseudo-oppression of still-influential people like himself and his journalist-friends while steadfastly ignoring the much more serious ways that people with views Chait dislikes are penalized and repressed – but I’ll instead point to commentary from Alex Pareene, Amanda Marcotte and Jessica Valenti as worthwhile responses. In sum, I fundamentally agree with Jill Filipovic’s reaction: “There is a good and thoughtful piece to be written about language policing & ‘PC’ culture online and in academia. That was not it.” I instead want to focus on one specific point about the depressingly abundant genre of journalists writing grievances about how they’re victimized by online hordes, of which Chait’s article is a very representative sample:
When political blogs first emerged as a force in the early post-9/11 era, one of their primary targets was celebrity journalists. A whole slew of famous, multi-millionaire, prize-decorated TV hosts and newspaper reporters and columnists – Tom Friedman, Tim Russert, Maureen Dowd, John Burns, Chris Matthews – were frequently the subject of vocal and vituperative criticisms, read by tens of thousands of people.
It is hard to overstate what a major (and desperately needed) change this was for how journalists like them functioned. Prior to the advent of blogs, establishment journalists were largely immunized even from hearing criticisms. If a life-tenured New York Times columnist wrote something stupid or vapid, or a Sunday TV news host conducted a sycophantic interview with a government official, there was no real mechanism for the average non-journalist citizen to voice critiques. At best, aggrieved readers could write a Letter to the Editor, which few journalists cared about. Establishment journalists spoke only to one another, and careerist concerns combined with an incestuous chumminess ensured that the most influential among them heard little beyond flowery praise.
Blogs, and online political activism generally, changed all of that. Though they tried – hard – these journalists simply could not ignore the endless stream of criticisms directed at them. Everywhere they turned – their email inboxes, the comment sections to their columns, Q-and-A sessions at their public appearances, Google searches of their names, email campaigns to their editors – they were confronted for the first time with aggressive critiques, with evidence that not everyone adored them and some even held them in contempt (Chait’s bizarre belief that “PC” culture thrived in the early 1990s and then disappeared until recently is, like his whole grievance, explained by his personal experience: he heard these critiques while a student at the University of Michigan, then was shielded from all of it during most of the years he wrote at The New Republic, and now hears it again due to blogs and social media).
What made the indignity so much worse was that the attacks came from people these journalists regard as nobodies: just average people, non-journalists, sometimes even anonymous ones. What right did they have even to form an opinion, let alone express one? As NBC News star Brian Williams revealingly put it in 2007:
You’re going to be up against people who have an opinion, a modem, and a bathrobe. All of my life, developing credentials to cover my field of work, and now I’m up against a guy named Vinny in an efficiency apartment in the Bronx who hasn’t left the efficiency apartment in two years.
That sort of sneering from establishment journalists was commonplace once they realized that they had critics and that ignoring them was no longer an option. Seemingly every week, a new column appeared in the NYT, Washington Post, or Time lamenting the threat to journalism and democracy and All Things Decent posed by the hordes of unhinged, uncredentialed losers who now had undeserved platforms to say mean things about honored journalists.
It was pure petulance and entitlement: they elevated a trivial feeling of personal offense (some unknown, uncredentialed person online said something mean to me) into something of great societal significance (this is a huge threat to all things Good). This grievance became so pervasive that pejorative journalistic caricatures of bloggers as nameless, angry losers became a cliché (and it continues now even when many of them have been forced by commercial realities to become bloggers themselves).
Social media – in particular Twitter – has greatly exacerbated this syndrome. Twitter by its nature is a confrontational medium. Its design ensures that anyone can force anyone else – no matter how prominent or established – to hear unrestrained criticisms about them from those with no established platform. It’s theoretically possible to use Twitter so as to avoid most such attacks, but one has to make a concerted and disciplined effort to do so, and it is usually much easier said than done. If one uses Twitter – as journalists are all but forced these days to do – then one will inevitably hear some aggressive and even vicious attacks.
Beyond being confrontational, Twitter is also distortive: it can make a small handful of loud, persistent people seem like an army, converting a fringe view into one that appears pervasive (my favorite example: MSNBC’s Steve Kornacki felt compelled to gravely address the Twitter complaint that a journalist must always use the title “President” when referring to Obama lest one be guilty of disrespect, even racism). That, in turn, can cause journalists to feel besieged – like the whole world is railing against them – when, in reality, it’s just several malcontents or, at most, a couple dozen people voicing a criticism that most of the world will never hear, let alone care about.
But this dynamic has made many journalists – and other prominent, powerful people – feel very unfairly maligned. And that, in turn, causes many of them to denounce the hordes and sound the alarm bell about the dangers created by all of this opinion-anarchy. It’s so common to read some new column or post by some writer or other luminary lamenting the dangers of online abuse aimed at them. It’s all grounded in self-absorbed grievance and entitlement (someone like me does not deserve this and should not have to put up with it) masquerading as something more consequential (free speech, journalism, democracy are imperiled!).
Let’s acknowledge some valid points among this strain of commentary, including Chait’s article. Certain groups of writers – racial and religious minorities, women, LGBT commentators – are subjected to a particularly noxious form of abuse, even when they have prominent platforms. The use of social media to bully kids or other powerless people is a serious menace. Online vigilante mobs can be as blindly authoritarian and bloodthirsty as the real-world version. Some journalists, pundits, party operatives and online activists frivolously exploit (and thus trivialize) serious accusations of bias, racism, and gender discrimination for rank partisan gain or cheap point-scoring against adversaries in much the same way that some Israel defenders routinely exploit anti-Semitism accusations against critics to delegitimize substantive critiques (thus dangerously draining the accusation of its potency as a weapon against actual anti-Semitism). All of that, I’d venture, is what Filipovic meant when she said: “There is a good and thoughtful piece to be written about language policing & ‘PC’ culture online and in academia.”
But the general journalistic complaint about uppity online hordes – and certainly Chait’s epic whine – is grounded in a much more pedestrian and self-regarding concern: anger over being criticized in less than civil and respectful tones by people who lack any credentials (and thus entitlement) to do so. This genre of journalistic grievance, in most cases, is nothing more than unhappiness over the realization that many people dislike what you say, or even dislike you, for reasons you regard as invalid. There’s just nothing more to it than that, no matter how much they try to dress it up as something lofty and profound.
I empathize with the experience (though not with the grievance). Literally every day, I come across online attacks on me that are either based on outright fabrications or critiques I perceive to be fundamentally unfair or inaccurate. Not infrequently, the abuse aimed at me contains anti-gay venom. I’ve watched as my Brazilian partner was attacked by a popular online Democrat (and plenty of others) in the most blatantly racist ways. As is true for everyone, it’s easy to predict that criticizing certain targets – President Obama, Israel, “New Atheists” – will guarantee particularly vitriolic and sustained attacks. Way more times than I can count, I’ve been called a racist for voicing criticisms of Obama that I also voiced of Bush, and an anti-Semite for criticizing militarism and aggression by Israel. All of that can create a disincentive for engaging on those topics: the purpose of it is to impose a psychic cost for doing so, and one is instinctively tempted to avoid that.
Of course, all of that can be unpleasant or – if one allows it to be – worse than unpleasant. Like everyone, I’m human and hold some of my critics in contempt and view some attacks as malicious if not formally defamatory. I’m not exempt from any of those reactions.
But that’s the price one pays for having a platform. And, on balance, it’s good that this price has to be paid. In fact, the larger and more influential platform one has, the more important it is that the person be subjected to aggressive, even harsh, criticisms. Few things are more dangerous than having someone with influence or power hear only praise or agreement. Having people devoted to attacking you – even in unfair, invalid or personal ways – is actually valuable for keeping one honest and self-reflective.
It would be wonderful on one level if all criticisms were expressed in the soft and respectful tones formalized in the U.S. Senate, but it’s good and necessary when people who wield power or influence are treated exactly like everyone else, which means that sometimes people say mean and unfair things about you in not-nice tones. Between erring on the side of people with power being treated with excess deference or excess criticisms, the latter is vastly preferable. The key enabling role of the government, media and other elites in the disasters and crimes of the post-9/11 era, by itself, leaves no doubt about this. It also proves that one of the best aspects of the internet is that it gives voice to people who are not credentialed – meaning not molded through the homogenizing grinder of establishment media outlets.
There are definitely people – most of them unknown and powerless – whose ability to speak and participate in civic affairs is unfairly limited by these sorts of abusive tactics. But whatever else is true, Jon Chait of New York Magazine, long of The New Republic, is not one of them. Neither is his friend Hanna Rosin of Slate. Neither is Andrew Sullivan – published by Time, The Atlantic, The New York Times, major book publishing companies, and pretty much everyone else and featured on countless TV shows – despite his predictably giddy standing and cheering for Chait’s victimization manifesto. Nor is torture advocate Condoleezza Rice of Stanford or HBO host Bill Maher. Nor, despite attacks at least as serious and personal, am I. Nor are most of the prominent journalists and other influential luminaries who churn out self-pitying screeds about the terrible online masses and all the ways they are unfairly criticized and attacked.
Being aggressively, even unfairly, criticized isn’t remotely tantamount to being silenced. People with large and influential platforms have a particular need for aggressive scrutiny and vibrant critique. The world would be vastly improved if we were never again subjected to the self-victimizing whining of highly compensated and empowered journalists about how upset they are that people say mean things online about them and their lovely and talented friends.
People often tell reporters things their employers, or their government, want to keep suppressed. But leaking can serve the public interest, fueling revelatory and important journalism.
This publication was created in part as a platform for journalism arising from unauthorized disclosures by NSA contractor Edward Snowden. Our founders and editors are strongly committed to publishing stories based on leaked material when that material is newsworthy and serves the public interest. So ever since The Intercept launched, our staff has tried to put the best technology in place to protect our sources. Our website has been protected with HTTPS encryption from the beginning. All of our journalists publish their PGP keys on their staff profiles so that readers can send them encrypted email. And we’ve been running a SecureDrop server, an open source whistleblower submission system, to make it simpler and more secure for anonymous sources to get in touch with us.
But caution is still advised to those who want to communicate with us without exposing their real-world identities.
What Not To Do
If you are a whistleblower trying to figure out the best way to contact us, here are some things you should not do:
Don’t contact us from work. Most corporate and government networks log traffic. Even if you’re using Tor, being the only Tor user at work could make you stand out. If you want to leak us documents that exist in your work environment, first remove them from work and submit them using a personal computer on a different network instead.
Don’t email us, call us, or contact us on social media. Most of the ways that people communicate over the Internet or phone networks are incredibly insecure. Even if you take the time to learn how to encrypt your communications with us, your metadata will remain in the clear. From the standpoint of someone investigating a leak, who you communicate with and when is all it takes to make you a prime suspect, even if the investigators don’t know what you said.
Don’t tell anyone that you’re a source. Don’t risk your freedom by talking to anyone about leaking documents. Even if you plan on coming out as the leaker at some point in the future, you have a much better chance of controlling the narrative about you if you are deliberate.
As journalists we will grant anonymity to sources if the circumstances warrant it — for example, when a source risks recrimination by disclosing something newsworthy. If we make such an agreement with you, we will do everything in our power to prevent ourselves from being compelled to hand over your identity.
That said, in extreme cases, the best way to protect your anonymity may be not to disclose your identity even to us.
What To Worry About
And here are some things you should be aware of:
Be aware of your habits. If you have access to secret information that has been leaked, your activities on the internet are likely to come under scrutiny, including what sites (such as The Intercept) you have visited or shared to social media. Make sure you’re aware of this before leaking to us, and adjust your habits well before you decide to become our source if you need to. Tools like Tor (see below) can help protect the anonymity of your surfing.
Compartmentalize and sanitize. Keep your leaking activity separate from the rest of what you do as much as possible. If you need to use email, social media, or any other online accounts, don’t use your normal accounts that are connected to you. Instead, make new accounts for this purpose, and don’t log in to them from networks you normally connect to. Make sure you don’t leave traces related to leaking lying around your personal or work computer (in your Documents folder, in your web browser history, etc.).
If possible, use a completely separate operating system (such as Tails, discussed below) for all of your leaking activity so that a forensics search of your normal operating system won’t reveal anything. If you can’t keep things completely separate, then make sure to clean up after yourself as best as you can. For example, if you realized you did a Google search related to leaking while logged into your Google account, delete your search history. Consider keeping all files related to leaking on an encrypted USB stick rather than on your computer, and only plug it in when you need to work with them.
Strip metadata from documents. Many documents, including PDFs, images, and office documents, include metadata that could be used to deanonymize you. Our policy is to remove metadata ourselves before publishing anything, but you might want to remove it yourself. Tails (discussed below) includes a program called Metadata Anonymization Toolkit that can strip metadata from a variety of types of documents. If you’re somewhat techie you can convert your documents to PDFs and then use pdf-redact-tools to completely remove any information hiding in them. You could also choose to go analog: print out a copy of the documents and then re-scan them before submitting them to us (but be careful to securely shred your printout and not leave traces in your printer’s/scanner’s memory).
How To Actually Leak
Now that we have that straight, here’s how to go about contacting us securely:
Go to a public WiFi network. Before following any further directions, grab your personal computer and go to a network that isn’t associated with you or your employer, such as at a coffee shop. Ideally you should go to one that you don’t already frequent. Leave your phone at home, and buy your coffee with cash.
Get the Tor Browser. You can download the Tor Browser here. When you browse the web using the Tor Browser, all of your web traffic gets bounced around the world, hiding your real IP address from websites that you visit. If your network is being monitored, the eavesdroppers will only know that you’re using Tor but not what you’re doing. Websites that you visit will only know that you’re using Tor, but not who you are (unless you tell them). It sounds complicated, but it’s actually quite easy to use. In order to start a conversation with us using our SecureDrop server, you must use Tor.
Consider using Tails instead. If you are worried about your safety because of the information you’re considering leaking, it might be prudent to take higher security precautions than just using Tor Browser. If someone has hacked into your computer, for example, they’ll be able to spy on everything you do even if you’re using Tor. Tails is a separate operating system that you can install on a USB stick and boot your computer to. Tails is engineered to make it hard for you to mess up:
- Tails leaves no traces that it was ever run on your computer
- It’s non-persistent, which means that if you got hacked last time you were using Tails, the malware should be gone the next time you boot up
- All Internet traffic automatically goes through Tor, so it’s much harder to accidentally de-anonymize yourself
- It has everything that you need to contact us through SecureDrop built-in, as well as other popular encryption tools
- It’s the operating system that Edward Snowden, Glenn Greenwald, Laura Poitras, and I used to keep the NSA journalism safe from spies
It sounds complicated, and it is. But if you’re risking a lot, it’s probably worth the effort. You can find instructions for downloading and installing Tails here.
Use SecureDrop to communicate with us. You can use our SecureDrop server to securely and anonymously send us messages, read replies, and upload documents. If you have access to information that you’re considering leaking, you can use SecureDrop to just start a conversation with us until you’re comfortable sending in any documents. Or you could choose to dump a set of documents and never check back again.
You can access our SecureDrop server by going to http://y6xjgkgwj47us5ca.onion/ in Tor Browser. This is a special kind of URL that only works in Tor (even though the URL starts with “http://” and not “https://”, the connection between Tor Browser and our SecureDrop server is encrypted). This is what you’ll see:
To learn more about safely using SecureDrop as a source, check the official guide for sources document.
If you’d like to submit tips to us and your anonymity isn’t important, you can email email@example.com. If you’d like to use PGP encryption, you can find every journalist’s PGP public key on their staff profile.
Questions? Have further advice for would-be leakers? Post them in the comments below.
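To make the "Strip metadata from documents" advice above concrete, here is an added example (not code from this article, from Metadata Anonymization Toolkit or from pdf-redact-tools) showing where an office document keeps identifying properties and how a cleaned copy can be written. It assumes an Office Open XML file (.docx/.xlsx/.pptx), uses a constructed sample document, and covers only the `docProps` properties and the ZIP container's own timestamps, not tracked changes, comments, `docProps/custom.xml` or metadata inside embedded images.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# An OOXML file is a ZIP archive; these parts hold author-identifying properties.
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
for _prefix, _uri in CORE_NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serializing

CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "cp:revision", "cp:lastPrinted",
               "dcterms:created", "dcterms:modified"]
APP_FIELDS = [f"{{{APP_NS}}}{name}" for name in
              ("Company", "Manager", "Application", "AppVersion", "Template", "TotalTime")]
PARTS = {"docProps/core.xml": (CORE_FIELDS, CORE_NS),
         "docProps/app.xml": (APP_FIELDS, None)}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the ZIP format can store


def read_metadata(data: bytes) -> dict:
    """Return the identifying properties present in the document."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part, (fields, ns) in PARTS.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for field in fields:
                el = root.find(field, ns)
                if el is not None and el.text:
                    found[field.split("}")[-1]] = el.text
    return found


def scrub_xml(xml_bytes: bytes, fields, ns) -> bytes:
    """Remove the listed top-level property elements from one docProps part."""
    root = ET.fromstring(xml_bytes)
    for field in fields:
        for el in root.findall(field, ns):
            root.remove(el)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def container_timestamps(data: bytes) -> set:
    """Per-entry modification times stored by the ZIP container itself."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {item.date_time for item in zf.infolist()}


def strip_metadata(data: bytes) -> bytes:
    """Write a copy with properties removed and ZIP entry headers normalized."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in PARTS:
                fields, ns = PARTS[item.filename]
                payload = scrub_xml(payload, fields, ns)
            # A fresh ZipInfo drops the original timestamp, extra fields and comment.
            clean = zipfile.ZipInfo(item.filename, date_time=FIXED_TIME)
            clean.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(clean, payload)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx-style archive with made-up properties."""
    core = (f'<cp:coreProperties xmlns:cp="{CORE_NS["cp"]}" xmlns:dc="{CORE_NS["dc"]}" '
            f'xmlns:dcterms="{CORE_NS["dcterms"]}">'
            "<dc:creator>Jane Q. Analyst</dc:creator>"
            "<cp:lastModifiedBy>jqanalyst</cp:lastModifiedBy>"
            "<dcterms:created>2015-01-20T08:15:00Z</dcterms:created>"
            "</cp:coreProperties>")
    app = (f'<Properties xmlns="{APP_NS}"><Company>Example Agency</Company>'
           "<Application>Microsoft Office Word</Application></Properties>")
    body = "<document><body>Report text stays untouched.</body></document>"
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, text in (("docProps/core.xml", core), ("docProps/app.xml", app),
                           ("word/document.xml", body)):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2015, 1, 28, 9, 30, 0)), text)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", read_metadata(sample), container_timestamps(sample))
    cleaned = strip_metadata(sample)
    print("after: ", read_metadata(cleaned), container_timestamps(cleaned))
```

Running `read_metadata` on the cleaned copy is a quick check before submitting a file, but an empty result only says these particular fields are gone.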
Canada’s leading surveillance agency is monitoring millions of Internet users’ file downloads in a dragnet search to identify extremists, according to top-secret documents.
The covert operation, revealed Wednesday by CBC News in collaboration with The Intercept, taps into Internet cables and analyzes records of up to 15 million downloads daily from popular websites commonly used to share videos, photographs, music, and other files.
The revelations about the spying initiative, codenamed LEVITATION, are the first from the trove of files provided by National Security Agency whistleblower Edward Snowden to show that the Canadian government has launched its own globe-spanning Internet mass surveillance system.
According to the documents, the LEVITATION program can monitor downloads in several countries across Europe, the Middle East, North Africa, and North America. It is led by the Communications Security Establishment, or CSE, Canada’s equivalent of the NSA. (The Canadian agency was formerly known as “CSEC” until a recent name change.)
The latest disclosure sheds light on Canada’s broad existing surveillance capabilities at a time when the country’s government is pushing for a further expansion of security powers following attacks in Ottawa and Quebec last year.
Ron Deibert, director of University of Toronto-based Internet security think tank Citizen Lab, said LEVITATION illustrates the “giant X-ray machine over all our digital lives.”
“Every single thing that you do – in this case uploading/downloading files to these sites – that act is being archived, collected and analyzed,” Deibert said, after reviewing documents about the online spying operation for CBC News.
David Christopher, a spokesman for Vancouver-based open Internet advocacy group OpenMedia.ca, said the surveillance showed “robust action” was needed to rein in the Canadian agency’s operations.
“These revelations make clear that CSE engages in large-scale warrantless surveillance of our private online activities, despite repeated government assurances to the contrary,” Christopher told The Intercept.
The ostensible aim of the surveillance is to sift through vast amounts of data to identify people uploading or downloading content that could be connected to terrorism – such as bomb-making guides and hostage videos.
In the process, however, CSE combs through huge volumes of data showing uploads and downloads initiated by Internet users not suspected of any wrongdoing.
In a top-secret PowerPoint presentation, dated from mid-2012, an analyst from the agency jokes about how, while hunting for extremists, the LEVITATION system gets clogged with information on innocuous downloads of the musical TV series Glee.
CSE finds some 350 “interesting download events” each month, the presentation notes, a number that amounts to less than 0.0001 per cent of the total collected data.
The agency stores details about downloads and uploads to and from 102 different popular file-sharing websites, according to the 2012 document. Only three of those websites are named: RapidShare, SendSpace, and the now defunct MegaUpload.
SendSpace said in a statement that “no organization has the ability/permission to trawl/search Sendspace for data,” adding that its policy is not to disclose user identities unless legally compelled. Representatives from RapidShare and MegaUpload had not responded to a request for comment at time of publication.
LEVITATION does not rely on cooperation from any of the file-sharing companies. A separate secret CSE operation codenamed ATOMIC BANJO obtains the data directly from internet cables that it has tapped into, and the agency then sifts out the unique IP address of each computer that downloaded files from the targeted websites.
The IP addresses are valuable pieces of information to CSE’s analysts, helping to identify people whose downloads have been flagged as suspicious. The analysts use the IP addresses as a kind of search term, entering them into other surveillance databases that they have access to, such as the vast repositories of intercepted Internet data shared with the Canadian agency by the NSA and its British counterpart Government Communications Headquarters.
If successful, the searches will return a list of results showing other websites visited by the people downloading the files–in some cases revealing associations with Facebook or Google accounts. In turn, these accounts may reveal the names and the locations of individual downloaders, opening the door for further surveillance of their activities.
Since the secret 2012 presentation about LEVITATION was authored, both RapidShare and SendSpace have toughened security by encrypting users’ connections to their websites, which may have thwarted CSE’s ability to target them for surveillance. But many other popular file-sharing sites have still not adopted encryption, meaning they remain vulnerable to the snooping.
As of mid-2012, CSE was maintaining a list of 2,200 particular download links that it regarded as connected to suspicious “documents of interest.” Anyone clicking on those links could have found themselves subject to extra scrutiny from the spies.
While LEVITATION is purportedly identifying potential terror threats, Canadian legal experts consulted by CBC News were concerned by the broad scope of the operation.
“The specific uses that they talk about in this [counter-terrorism] context may not be the problem, but it’s what else they can do,” said Tamir Israel, a lawyer with the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic. Picking which downloads to monitor is essentially “completely at the discretion of CSE,” Israel added.
The file-sharing surveillance also raises questions about the number of Canadians whose downloading habits could have been swept up as part of LEVITATION’s dragnet.
By law, CSE isn’t allowed to target Canadians. In the LEVITATION presentation, however, two Canadian IP addresses that trace back to a web server in Montreal appear on a list of suspicious downloads found across the world. The same list includes downloads that CSE monitored in closely allied countries, including the United Kingdom, United States, Spain, Brazil, Germany and Portugal.
It is unclear from the document whether LEVITATION has ever prevented any terrorist attacks. The agency cites only two successes of the program in the 2012 presentation: the discovery of a hostage video through a previously unknown target, and an uploaded document that contained the hostage strategy of a terrorist organization. The hostage in the discovered video was ultimately killed, according to public reports.
A CSE spokesman told The Intercept and CBC News in a statement: “CSE is legally authorized to collect and analyze metadata, including from parts of the Internet routinely used by terrorists. Some of CSE’s metadata analysis activities are designed to identify foreign terrorists who use the Internet to conduct activities that threaten the security of Canada and Canadian citizens.
“CSE does not direct its activities at Canadians or anyone in Canada, and, in accordance with our legislation, has a range of measures in place to protect the privacy of Canadians incidentally encountered in the course of these foreign intelligence operations.”
The spokesman declined to comment on whether LEVITATION remained active, and would not provide examples of useful intelligence gleaned from the spying, or explain how long data swept up under the operation is retained.
Discussion of “operations, methods or capabilities,” the spokesman said, would breach the Security of Information Act, a Canadian law designed to protect state secrets.
The post Canada Casts Global Surveillance Dragnet Over File Downloads appeared first on The Intercept.
The new Greek foreign minister Nikos Kotzias (first from left) and the Russian fascist Dugin (center), April 2013, Greece. The two are linked through the Russian oligarch Konstantin Malofejew, who is barred from entering the EU and Norway because of his financing of Russian extremists in eastern Ukraine.
In the night of January 26 to January 27, in remembrance of the people persecuted by Nazi Germany and the unspeakable atrocities inflicted on them, several war memorials in the Leine-Weser-Bergland were transformed, in order to commemorate the people who truly suffer and have suffered under war and fascism.
The terrible crimes that the Nazis committed must never be forgotten and must never be repeated. And precisely for that reason it is, in our opinion, important today to take a stand against anti-Semitism, racism, fascism, homophobia and sexism.
Times in which organizations like Pegida are so frighteningly strong, in which many thousands of people drown in the Mediterranean every year because they are denied legal entry into Europe. In which it comes to light that people seeking protection here are mistreated by security staff in the accommodation assigned to them. In which people are deported and Nazi terrorists were able to murder for years without the state taking any interest in intervening.
Our solidarity is with all who are discriminated against, disadvantaged and persecuted because of their origin, religion, culture, gender, sexual orientation or social status. With all who want to live together in human dignity, freedom, solidarity, equality and siblinghood.
Never again fascism, never again war!
Schwarz-LilA-Antifa at the Thüsterberg and Ith
Monday’s guilty verdict in the trial of former CIA officer Jeffrey Sterling on espionage charges — for talking to a newspaper reporter — is the latest milepost on the dark and dismal path Barack Obama has traveled since his inaugural promises to usher in a “new era of openness.”
Far from rejecting the authoritarian bent of his presidential predecessor, Obama has simply adjusted it, adding his own personal touches, most notably an enthusiasm for criminally prosecuting the kinds of leaks that are essential to a free press.
The Sterling case – especially in light of Obama’s complicity in the cover-up of torture during the Bush administration – sends a clear message to people in government service: You won’t get in trouble as long as you do what you’re told (even torture people). But if you talk to a reporter and tell him something we want kept secret, we will spare no effort to destroy you.
There’s really no sign any more of the former community organizer who joyously declared on his first full day in office that “there’s been too much secrecy in this city… Starting today, every agency and department should know that this administration stands on the side not of those who seek to withhold information but those who seek to make it known.”
Instead, as author Scott Horton explained to me a few weeks ago, Obama’s thinking on these issues was swayed by John Brennan, the former senior adviser he eventually named CIA director. And for Brennan and his ilk, secrecy is a core value — partly for legitimate national security reasons and partly as an impregnable shield against embarrassment and accountability.
The Sterling case was until recently an even more direct attack on a free press, as Obama administration prosecutors repeatedly demanded testimony from New York Times reporter James Risen, who wrote about the botched plot against the Iranian government that they charged Sterling with divulging.
Risen’s testimony was crucial to their case, they said – although evidently it wasn’t. And their argument was that U.S. law recognizes no such thing as reporter’s privilege when a journalist received what the government considers an illegal leak.
Attorney General Eric Holder finally retreated from that particular attack on press freedom earlier this month, as my colleague Lynn Oberlander explained. Holder also announced revisions of DOJ policy on questioning journalists or obtaining information from media organizations about their sources. But as Oberlander put it, “the policy still leaves a fair amount of leeway for national security investigations — some of the most important reporting often based on confidential sources.”
Stephen Kim, a former State Department official who pled guilty to leaking classified information to a Fox News reporter, faces 13 months in prison.
And Thomas Drake, a former NSA official who provided classified information about mismanagement at his agency to a Baltimore Sun reporter, endured a four-year persecution by the government that the federal judge in his case called “unconscionable,” before prosecutors dropped all 10 felony charges and settled for a single guilty plea on a misdemeanor. The government’s message nevertheless was loud and clear. As secrecy expert Steven Aftergood told me: “In every significant sense, the government won, because it demonstrated the price of nonconformity.”
All of this has been happening during a two-decade-long shift in the cultural norms of the U.S. government, whereby reporters are now routinely blocked from communicating with staff unless they are tracked and/or monitored by public relations controllers.
And government officials are being told very clearly that their personal right to free speech does not extend to their work life, nowhere more clearly than in the intelligence community, where a new directive forbids employees from discussing “intelligence-related information” with a reporter unless they have specific authorization to do so, even if it’s unclassified.
By contrast, neither Obama nor Holder ever seriously contemplated any kind of prosecution or accountability for the application of torture – a heinous assault on human rights – that was rampant during the Bush era. Holder repeatedly and effusively ruled out any possible prosecution of those who followed orders they were told were legal. And Obama made it clear that he would not second-guess the people who gave the orders – a prima facie case of what my colleague Glenn Greenwald calls elite immunity.
Looking ahead to 2016, the prospects are grim. None of the major candidates for president have said anything half as powerful about openness, transparency and accountability as Obama did. And look where that got us.
The post Torture If You Must, But Do Not Under Any Circumstances Call the New York Times appeared first on The Intercept.
British and Canadian spy agencies accumulated sensitive data on smartphone users, including location, app preferences, and unique device identifiers, by piggybacking on ubiquitous software from advertising and analytics companies, according to a document obtained by NSA whistleblower Edward Snowden.
The document, included in a trove of Snowden material released by Der Spiegel on January 17, outlines a secret program run by the intelligence agencies called BADASS. The German newsweekly did not write about the BADASS document, attaching it to a broader article on cyberwarfare. According to The Intercept’s analysis of the document, intelligence agents applied BADASS software filters to streams of intercepted internet traffic, plucking from that traffic unencrypted uploads from smartphones to servers run by advertising and analytics companies.
Programmers frequently embed code from a handful of such companies into their smartphone apps because it helps them answer a variety of questions: How often does a particular user open the app, and at what time of day? Where does the user live? Where does the user work? Where is the user right now? What’s the phone’s unique identifier? What version of Android or iOS is the device running? What’s the user’s IP address? Answers to those questions guide app upgrades and help target advertisements, benefits that help explain why tracking users is not only routine in the tech industry but also considered a best practice.
For users, however, the smartphone data routinely provided to ad and analytics companies represents a major privacy threat. When combined together, the information fragments can be used to identify specific users, and when concentrated in the hands of a small number of companies, they have proven to be irresistibly convenient targets for those engaged in mass surveillance. Although the BADASS presentation appears to be roughly four years old, at least one player in the mobile advertising and analytics space, Google, acknowledges that its servers still routinely receive unencrypted uploads from Google code embedded in apps.
For spy agencies, this smartphone monitoring data represented a new, convenient way of learning more about surveillance targets, including information about their physical movements and digital activities. It also would have made it possible to design more focused cyberattacks against those people, for example by exploiting a weakness in a particular app known to be used by a particular person. Such scenarios are strongly hinted at in a 2010 NSA presentation, provided by agency whistleblower Edward Snowden and published last year in The New York Times, Pro Publica, and The Guardian. That presentation stated that smartphone monitoring would be useful because it could lead to “additional exploitation” and the unearthing of “target knowledge/leads, location, [and] target technology.”
The 2010 presentation, along with additional documents from Britain’s intelligence service Government Communications Headquarters, or GCHQ, showed that the intelligence agencies were aggressively ramping up their efforts to see into the world of mobile apps. But the specifics of how they might distill useful information from the torrent of internet packets to and from smartphones remained unclear.
Encrypting Data in Transit
The BADASS slides fill in some of these blanks. They appear to have been presented in 2011 at the highly secretive SIGDEV intelligence community conference. The presentation states that “analytics firm Flurry estimates that 250,000 Motorola Droid phones were sold in the United States during the phone’s first week in stores,” and asks, “how do they know that?”
The answer is that during the week in question, Flurry uploaded to its own servers analytics from Droid phones on behalf of app developers, one phone at a time, and stored the analytics in their own databases. Analytics includes any information that is available to the app and that can conceivably help improve it, including, in certain instances with Flurry, the user’s age and gender, physical location, how long they left the app open, and a unique identifier for the phone, according to Flurry materials included in the BADASS document.
By searching these databases, the company was able to get a count of Droid phones running Flurry-enabled apps and, by extrapolating, estimate the total number of Droids in circulation. The company can find similar information about any smartphone that their analytics product supports.
Not only was Flurry vacuuming sensitive data up to its servers, it was doing so insecurely. When a smartphone app collects data about the device it’s running on and sends it back to a tracking company, it generally uses the HTTP protocol, and Flurry-enabled apps were no exception. But HTTP is inherently insecure—eavesdroppers can easily spy on the entire digital conversation.
If the tracking data was always phoned home using the HTTPS protocol—the same as the HTTP protocol, except that the stream of traffic between the phone and the server is encrypted—then the ability for spy agencies to collect tracking data with programs like BADASS would be severely impeded.
Yahoo, which acquired the analytics firm Flurry in late 2014, says that since acquiring the company they have “implemented default encryption between Flurry-enabled applications and Flurry servers. The 2010 report in question does not apply to current versions of Flurry’s analytics product.” Given that Yahoo acquired Flurry so recently, it’s unclear how many apps still use Flurry’s older tracking code that sends unencrypted data back to Yahoo’s servers. (Yahoo declined to elaborate specifically on that topic.)
The BADASS slides also use Google’s advertisement network AdMob as an example of intercepted, unencrypted data. Free smartphone apps are often supported by ads, and if the app uses AdMob then it sends some identifying information to AdMob’s servers while loading the ad. Google currently supports the ability for app developers to turn on HTTPS for ad requests, however it’s clear that only some AdMob users actually do this.
When asked about HTTPS support for AdMob, a Google spokesperson said, “We continue our ongoing efforts to encrypt all Google products and services.”
In addition to Yahoo’s Flurry and Google’s AdMob, the BADASS presentation also shows that British and Canadian intelligence were targeting Mobclix, Mydas, Medialets, and MSN Mobile Advertising. But it’s clear that any mobile-related plaintext traffic from any company is a potential target. While the BADASS presentation focuses on traffic from analytics and ad companies, it also shows spying on Google Maps heartbeat traffic, and capturing “beacons” sent out when apps are first opened (listing Qriously, Com2Us, Fluentmobile, and Papayamobile as examples). The BADASS presentation also mentions capturing GPS coordinates that get leaked when opening BlackBerry’s app store.
In a boilerplate statement, GCHQ said, “It is longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight.” Its Canadian counterpart, Communications Security Establishment Canada, or CSEC, responded with a statement that read, in part, “For reasons of national security, CSE cannot comment on its methods, techniques or capabilities. CSE conducts foreign intelligence and cyber defence activities in compliance with Canadian law.”
Julia Angwin, who has doggedly investigated online privacy issues as a journalist and author, most recently of the book “Dragnet Nation,” explains that “every type of unique identifier that passes [over the internet] unencrypted is giving away information about users to anyone who wants it,” and that “the evidence is clear that it’s very risky to be throwing unique identifiers out there in the clear. Anyone can grab them. This is more evidence that no one should be doing that.”
Building Haystacks to Search for Needles
The BADASS program was created not merely to track advertising and analytic data but to solve a much bigger problem: There is an overwhelming amount of smartphone tracking data being collected by intelligence agencies, and it’s difficult to make sense of.
First there are the major platforms: iOS, Android, Windows Phone, and BlackBerry. On each platform, a range of hardware and platform versions are in use. Additionally, app stores are overflowing; new apps that track people get released every day. Old apps constantly get updated to track people in different ways, and people use different versions of apps for different platforms all at once. Adding to the diversity, there are several different ad and analytics companies that app developers use, and when those companies send tracking data back to their servers, they use a wide variety of formats.
With such an unwieldy haystack of data, GCHQ and CSEC started the BADASS program, according to the presentation, to find the needles: information that can uniquely identify people and their devices, such as smartphone identifiers, tracking cookies, and other unique strings, as well as personally identifying information like GPS coordinates and email addresses.
BADASS is an acronym that stands for BEGAL Automated Deployment And Survey System. (It is not clear what “BEGAL” stands for, in turn.) The slideshow presentation is called “Mobile apps doubleheader: BADASS Angry Birds,” and promises “protocols exploitation in a rapidly changing world.”
Exploiting Protocols in a Rapidly Changing World
Analysts are able to write BADASS “rules” that look for specific types of tracking information as it travels across the internet.
For example, when someone opens an app that loads an ad, their phone normally sends an unencrypted web request (called an HTTP request) to the ad network’s servers. If this request gets intercepted by spy agencies and fed into the BADASS program, it then gets filtered through each rule to see if one applies to the request. If it finds a match, BADASS can then automatically pull out the juicy information.
In the following slide, the information that is potentially available in a single HTTP request to load an ad includes which platform the ad is being loaded on (Android, iOS, etc.), the unique identifier of the device, the IMEI number which cell towers use to identify phones that try to connect to them, the name and version of the operating system that’s running, the model of the device, and latitude and longitude location data.
Similar information is sent across the internet in HTTP requests in several different formats depending on what company it’s being sent to, what device it’s running on, and what version of the ad or analytics software is being used. Because this is constantly changing, analysts can write their own BADASS rules to capture all of the permutations they can find.
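Seen from the app developer's side, the same kind of matching can be turned on an app's own outbound requests to find identifiers that leave the device in cleartext. The following is an added example, not taken from the slides or from The Intercept's reporting; the hosts, parameter names and sample URLs are constructed, and the value patterns are heuristic assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Match on value shape, not parameter name: each SDK names its fields differently.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX_ID_RE = re.compile(r"^([0-9a-f]{16}|[0-9a-f]{32}|[0-9a-f]{40})$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
COORD_RE = re.compile(r"^-?\d{1,3}\.\d{3,}$")  # at least 3 decimals, so "2.1" is ignored

def luhn_ok(digits):
    """An IMEI is 15 digits whose last digit is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value):
    """Return the kind of identifier a value looks like, or None."""
    if re.fullmatch(r"\d{15}", value) and luhn_ok(value):
        return "imei"
    if UUID_RE.match(value) or HEX_ID_RE.match(value):
        return "device_id"
    if EMAIL_RE.match(value):
        return "email"
    if COORD_RE.match(value) and abs(float(value)) <= 180:
        return "coordinate"
    return None

def audit(urls):
    """List (host, parameter, kind) for identifiers sent over plain HTTP."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # HTTPS query strings are not readable on the wire
        for name, value in parse_qsl(parts.query):
            kind = classify(value)
            if kind:
                findings.append((parts.hostname, name, kind))
    return findings

# Constructed sample: request URLs as exported from a test proxy in front of an app.
SAMPLE_URLS = [
    "http://ads.example.net/req?os=android&imei=490154203237518&lat=52.5200&lon=13.4050",
    "https://ads.example.net/req?imei=490154203237518",
    "http://stats.example.org/e?u=9f86d081-884c-4d65-9a2f-0e5b6c7d8e9f&ts=123456789012345&v=2.1",
]

if __name__ == "__main__":
    for host, param, kind in audit(SAMPLE_URLS):
        print(f"{host}: parameter {param!r} carries a cleartext {kind}")
```

The Luhn check keeps 15-digit timestamps and counters from being reported as IMEIs; any finding is a request to move to HTTPS or stop sending the field.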
The following slide shows part of the BADASS user interface, and a partial list of rules.
The slideshow includes a section called “Abusing BADASS for Fun and Profit” which goes into detail about the methodology analysts use to write new BADASS rules.
By looking at intercepted HTTP traffic and writing rules to parse it, analysts can quickly gather as much information as possible from leaky smartphone apps. One slide states: “Creativity, iterative testing, domain knowledge, and the right tools can help us target multiple platforms in a very short time period.”
Privacy Policies That Don’t Deliver
The slides also appear to mock the privacy promises of ad and analytics companies.
Companies that collect usage statistics about software often insist that the data is anonymous because they don’t include identifying information such as names, phone numbers, and email addresses of the users that they’re tracking. But in reality, sending unique device identifiers, IP addresses, IMEI numbers, and GPS coordinates of devices is far from anonymous.
In one slide, the phrase “anonymous usage statistics” appears in conspicuous quotation marks. The spies are well aware that despite not including specific types of information, the data they collect from leaky smartphone apps is enough for them to uniquely identify their targets.
The red box, which is present in the original slides, highlights this part: “None of this information can identify the individual. No names, phone numbers, email addresses, or anything else considered personally identifiable information is ever collected.”
Clearly the intelligence services disagree.
“Commercial surveillance often appears very benign,” Angwin says. “The reason Flurry exists is not to ‘spy on people’ but to help people learn who’s using their apps. But what we’ve also seen through Snowden revelations is that spy agencies seek to use that for their own purposes.”
The Web has the Exact Same Problems
While the BADASS program is specifically designed to target smartphone traffic, websites suffer from these exact same problems, and in many cases they’re even worse.
Websites routinely include bits of tracking code from several different companies for ads, analytics, and other behavioral tracking. This, combined with the lack of HTTPS, turns your web browser into a surveillance device that follows you around, even if you switch networks or use proxy servers.
In other words, while the BADASS presentation may be four years old, and while it’s been a year and a half since Snowden’s leaks began educating technology companies and users about the massive privacy threats they face, the big privacy holes exploited by BADASS remain a huge problem.
The post Secret ‘BADASS’ Intelligence Program Spied on Smartphones appeared first on The Intercept.