TIME Congress

House Votes to End Bulk Collection of American Phone Records

The NSA's new spy data collection center is seen just south of Salt Lake City on May 7, 2015 in Bluffdale, Utah. Reportedly, the center is the largest of its kind with massive computer power for processing data. A New York Court of appeals ruled that the NSA's bulk collection of phone data is illegal. (Photo by George Frey/Getty Images)

The USA Freedom Act would end the mass collection of phone metadata by the NSA

(WASHINGTON) — The House voted by a wide margin Wednesday to end the National Security Agency’s bulk collection of Americans’ phone records and replace it with a system to search the data held by telephone companies on a case-by-case basis.

The 338-to-88 vote set the stage for a Senate showdown just weeks before the Patriot Act provisions authorizing the program are due to expire.

If the House bill becomes law, it will represent one of the most significant changes stemming from the unauthorized disclosures of former NSA contractor Edward Snowden. But many Senate Republicans don’t like the measure, and Senate Majority Leader Mitch McConnell has introduced a separate version that would keep the program as is. Yet, he also faces opposition from within his party and has said he is open to compromise.

President Barack Obama supports the House legislation, known as the USA Freedom Act, which is in line with a proposal he made last March. The House passed a similar bill last year, but it failed in the Senate.

Most House members would rather see the Patriot Act provisions expire altogether than re-authorize NSA bulk collection, said Rep. Adam Schiff, ranking Democrat on the intelligence committee. “I think the Senate is ultimately going to pass something like the USA Freedom Act,” he said.

The issue, which exploded into public view two years ago, has implications for the 2016 presidential contest, with Republican candidates staking out different positions.

The revelation that the NSA had for years been secretly collecting all records of U.S. landline phone calls was among the most controversial disclosures by Snowden, a former NSA systems administrator who in 2013 leaked thousands of secret documents to journalists.

The program collects the number called, along with the date, time and duration of call, but not the content or people’s names. It stores the information in an NSA database that a small number of analysts query for matches against the phone numbers of known terrorists abroad, hunting for domestic connections to plots.

Officials acknowledge the program has never foiled a terrorist attack, and some within the NSA had proposed abandoning it even before it leaked — on the grounds that its financial and privacy costs outweighed its counterterrorism benefits.

Proponents of keeping the program the way it is argue that the rise of the Islamic State group and its efforts to inspire Westerners to attack in their own countries make it more important than ever for the NSA and FBI to have such phone records at their disposal to map potential terrorist cells when new information surfaces. And they say there is no evidence the program has ever been misused.

Under the House measure, the NSA would no longer collect and store the records, but the government still could obtain a court order to obtain data connected to a specific number from the phone companies, which typically store them for 18 months.

If the legislation is enacted, “Americans will now rest easy knowing that their calls and other records will not be warehoused by the government, no matter how careful the government is in their procedures to access those files,” said Rep. Jim Himes, a Connecticut Democrat on the intelligence committee.

The House measure also provides for a panel of experts to advocate for privacy and civil liberties before the secret intelligence court that oversees surveillance programs. And it allows the government to continue eavesdropping on foreign terrorists without a warrant for 72 hours after they enter the U.S., giving authorities time to obtain such a warrant.

The Senate will have a short window to act before Patriot Act provisions authorizing the phone records program and other counterterrorism-related measures expire June 1. If McConnell’s bill passes to reauthorize the law with no changes, that would be seen as a crushing defeat for surveillance opponents.

On Tuesday, NSA Director Admiral Mike Rogers and FBI Director Jim Comey briefed senators on the program. Afterward, Sen. Bob Corker of Tennessee told reporters the NSA was not collecting all the data it should be. He declined to be specific, saying the briefing was classified, but he appeared to be addressing the fact that the collection does not include most mobile calls in an era when many people have stopped using landlines.

“The way it’s being implemented today, I don’t see how it’s … useful at all to the American people,” said Corker, who wants to reauthorize the current law. “And I’m shocked, shocked … by the small amount of data that is even part of the program. It needs to be ramped up.”

U.S. officials have confirmed the mobile records gap, saying it stemmed from technical and policy issues that ultimately would have been addressed absent the Snowden leak. Under the House’s USA Freedom Act, they said, the NSA would expand its queries to include mobile records, creating a potentially more effective program. But they have expressed concerns about working out an arrangement with phone providers to standardize the data so the information can quickly be searched.

Those officials, not authorized to comment publicly by name, spoke only on condition of anonymity.

___

Associated Press writer Deb Riechmann contributed to this report.

TIME Books

Without Edward Snowden, Our System Could Have Failed

Ronald Goldfarb is a veteran Washington, DC attorney, literary agent and author of After Snowden: Privacy, Secrecy, and Security in the Information Age. He served in the Justice Department in the Robert F. Kennedy administration.

Snowden's actions may have resulted in positive change that proves our tripartite system works

“Every time you pick up a phone, dial a number, write an email, travel on a bus carrying a cell phone, swipe a card somewhere, you leave a trace, and the government has decided that it’s a good idea to collect it all, everything, even if you’ve never been suspected of a crime.”

“…it was the creeping realisation that no one else was going to do this. The public had a right to know about these programmes. The public had a right to know that which the government is doing in its name…”

—Edward Snowden, German TV interview, January 2014

The tripartite nature of American government is on display. Congress is contemplating extending the Patriot Act, allowing it to expire, or reforming it by June 1. A federal court yesterday concluded that the controversial s.215 of the Patriot Act allowing secret meta data gathering of phone records by the government was illegal. The 2nd Circuit Court of Appeals did not specifically rule that the Patriot Act was unconstitutional, though critics of the Act will certainly see the suggestion in this opinion.

In a 97-page unanimous opinion in a case entitled ACLU v. Clapper, et al., the prestigious 2nd Circuit Court of Appeals in New York City reversed an earlier trial court ruling, and held that s. 215’s bulk telephone data program is subject to judicial review. In the core of this opinion, Judge Gerard Lynch wrote that “the program exceeds the scope of what Congress has authorized.” The opinion discussed the history of the earlier Church Committee hearings about historic abusive surveillance practices of intelligence agencies, and the evolution of the FISA Act (1978) allowing secret ex parte proceedings, and the Patriot Act now under review in Congress.

The court decision dealt with the meta data practices of Verizon performed at the government’s order, and revealed by The Guardian with information leaked by Edward Snowden. The order applies to other service providers, as well, by implication.

The government argued that any complaint about its practices had to be made to the FISA court. The 2nd Circuit concluded that its judicial review was appropriate. And I would note that this court was far more “judicial” than the ex parte, secret hearings conducted by FISA “courts.”

The circuit court ruled that the government’s position—that its standard for collecting metadata conforms with prevailing search and seizure law—was wrong. “Unprecedented and unwarranted” were the words used. The court found that the “sheer volume of information sought is staggering,” and that the amount and nature of the data collected was qualitatively too broad and vague, neither within proper bounds nor limited to data required for fighting the war on terror. The government’s procedures, the court ruled, are “inconsistent with the very concept of an investigation”, lacking specificity, relevance, time limitations.

The court concluded that to allow the government to collect phone records only because they may be relevant to a possible authorized investigation in the future “is impermissible, irreconcilable with the statute.” Congress can’t be deemed to have approved a program of which many members were unaware, and which was “shrouded in secrecy,” the court added, agreeing with critics that congressional oversight of national security surveillance procedures since 9/11 has been lacking. In an observation critical of the process of congressional oversight in national security matters, the court remarked that suggesting legislative approval of the questionable practices “would ignore reality.”

Its conclusion: S.215 “does not authorize the telephone metadata program.” It refused to deal with claims that S. 215 violated the First and Fourth Amendments, noting that Congress is considering the future of the Patriot Act and may act on these questions imminently. The court deemed it prudent to allow for that debate in Congress which may “profoundly alter the legal landscape.”

Edward Snowden must be smiling today as he remains in his prolonged exile in Russia. All the reforms of the excesses of data surveillance he revealed indicate that his disclosures have had the impact that motivated him. Top UN officials have questioned the practices of member states which violate core privacy rights; reformative laws are pending in Congress; a White House panel has called for 46 reforms of prevailing practices; Congressional oversight of national security procedures has been questioned by prestigious experts in the field. None of this would have happened if Snowden had not committed his audacious act of civil disobedience. His influence has been historic. His answer on German TV to those who argue that Snowden is a traitor: “If I am a traitor, who did I betray? I gave all my information to the American public.” And to the world, as it turned out.

Our country sometimes acts precipitously in times of great provocation, as it did with Japanese-Americans after Pearl Harbor, for example; but in time we make amends for these excesses. Some of our actions after 9/11, extreme rendition, for example, and excessive surveillance techniques now under consideration in Congress and the federal courts, may result in reform of illegal procedures Mr. Snowden exposed. Good signs that our tripartite system works.

Ronald Goldfarb is a veteran Washington, DC attorney, author, and literary agent. He served in the Justice Department in the Robert F. Kennedy administration. His book, After Snowden: Privacy, Secrecy, and Security in the Information Age, will be published next week.

Contributors to After Snowden are: Thomas Blanton, director of the National Security Archive; Hodding Carter III, professor of leadership and public policy at the University of North Carolina; David Cole, professor at Georgetown University Law Center; Jon Mills, dean emeritus, professor of law, and director of the Center of Governmental Responsibility at the University of Florida’s Fredric G. Levin College of Law; Barry Siegel, director of the University of California, Irvine, Literary Journalism Program; and Edward Wasserman, dean of the Graduate School of Journalism at the University of California, Berkeley.

TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.

TIME National Security

Court Rules Against NSA’s Bulk Collection of Phone Records

This undated photo provided by the National Security Agency (NSA) shows its headquarters in Fort Meade, Md. (NSA/Getty Images)

The Patriot Act "cannot bear the weight the government asks us to assign to it," the court said

The National Security Agency’s mass collection of phone call records without a search warrant is illegal, an appeals court ruled on Thursday.

The Second Circuit Court of Appeals said the practice, largely exposed to the public by the Edward Snowden leaks two years ago, is not authorized by Section 215 of the Patriot Act passed by Congress, as the government claims.

The decision returned the case, brought by civil rights groups, to a lower court judge. But it neither ordered the data collection to stop immediately nor passed judgement on the constitutionality of the data collection, saying that Congress could still try to pass a measure that does sanction the practice.

“We hold that the text of § 215 cannot bear the weight the government asks us to assign to it, and that it does not authorize the telephone metadata program,” the court wrote in its ruling.

The ruling comes as Congress considers whether to extend the Patriot Act by June, including with potential revisions to limit the government’s data collection. Anthony Romero, the executive director of the American Civil Liberties Union, which brought the case, said in a statement that Thursday’s ruling should guide that process.

“The current reform proposals from Congress look anemic in light of the serious issues raised by the Second Circuit,” Romero said. “Congress needs to up its reform game if it’s going to address the court’s concerns.”

In a statement to TIME, National Security Council spokesperson Ned Price said it was still evaluating the decision.

“Without commenting on the ruling today, the President has been clear that he believes we should end the Section 215 bulk telephony metadata program as it currently exists by creating an alternative mechanism to preserve the program’s essential capabilities without the government holding the bulk data,” Price said. “We continue to work closely with members of Congress from both parties to do just that, and we have been encouraged by good progress on bipartisan, bicameral legislation that would implement these important reforms.”

MONEY privacy

Will the New Consumer Privacy Bill Protect You?

person using smartphone in dark
Kohei Hara—Getty Images

A proposed law would beef up your rights when your data is leaked or stolen.

Legislation that would establish new nationwide privacy protections for American consumers was introduced by a group of high-profile Democratic senators on Thursday, including Pat Leahy (Vermont) and Elizabeth Warren (Massachusetts). The Consumer Privacy Protection Act would establish federal standards for notification of consumers when their data is lost or stolen, greatly expand the definition of private information beyond financial data, and allow existing state privacy laws to remain in force. Geolocation data and images would be covered by its data leak disclosure rules, for example.

“Today, data security is not just about protecting our identities and our bank accounts, it is about protecting our privacy. Americans want to know not just that their bank account and credit cards are safe and secure, they want to know that their emails and their private pictures are protected as well,” Sen. Leahy said. “Companies who benefit financially from our personal information should be obligated to take steps to keep it safe, and to notify us when those protections have failed.”

Consumer groups cheered the proposal, saying it offered a fresh approach to consumer privacy.

“This is a step forward. This is the first time you get something new in federal legislation. Usually it scales back (protections) in state law,” said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. “It’s good to see some new thinking on the issue, something that actually adds new protections for a lot of people.”

“Everyone from the NSA to the local grocer has become a consumer of our data. So many pieces of our data are being collected, stored, shared and sold, either without our knowledge or ability to understand the process,” said Adam Levin, privacy expert and chairman and founder of Credit.com. “It is long overdue that we expand the definition of ‘personally identifying information’ as well as the protections necessary to safeguard our privacy and data security and require quick notification when our PII is exposed.”

The legislation would require social media firms or cloud email providers to notify consumers if their accounts are compromised, Brookman said. Currently, most disclosure rules apply only to financial information such as credit card numbers.

The legislation comes on the heels of a similar White House proposal called “The Consumer Privacy Bill of Rights Act of 2015,” but goes several steps further than the administration’s proposal, said Susan Grant of the Consumer Federation of America. The White House proposal would allow federal law to supersede state laws, potentially diminishing consumer rights. It also requires demonstration of actual harm before requiring notice.

“(We believe) that federal legislation will only be helpful to consumers if it provides them with greater privacy and security protection than they have today. Most of the bills that we have seen in Congress would actually weaken existing consumer rights and the ability of state and federal agencies to enforce them,” Grant said. “(This bill) takes the right approach, requiring reasonable security measures, providing strong consumer protection and enforcement, and only pre-empting state laws to the extent that they provide less stringent protection.”

Most significant: The legislation creates entire new classes of protected information. Private information is divided into seven categories. Compromise of any one of them would require companies to notify consumers. They are:

  1. Social Security numbers and other government-issued identification numbers;
  2. Financial account information, including credit card numbers and bank accounts;
  3. Online usernames and passwords, including email addresses and passwords;
  4. Unique biometric data, including fingerprints;
  5. Information about a person’s physical and mental health;
  6. Information about a person’s geolocation;
  7. Access to private digital photographs and videos.

Leahy has repeatedly proposed legislation since 2005 that would establish a nationwide notification standard called the Personal Data Privacy and Security Act; it has not passed. While co-sponsors of this new bill include Al Franken (Minn.), Richard Blumenthal (Conn.), Ron Wyden (Ore.) and Edward J. Markey (Mass.), there are, notably, no Republican co-sponsors. That probably dooms the bill, says Brookman.

“They didn’t get a GOP co-sponsor, and that’s not a great sign. Still, having the bill out there is good for dialog on the issue,” he said.


This article originally appeared on Credit.com.

TIME intelligence

McConnell Introduces Bill to Extend Surveillance Under Patriot Act

Senate Majority Leader Mitch McConnell, R-Ky., speaks to the media following the Senate Republicans' policy lunch in the Capitol on April 21, 2015. (Bill Clark/AP)

The bill comes amid a bipartisan effort to curb the NSA's expansive collection of Americans' phone records

Senate Majority Leader Mitch McConnell introduced a bill Tuesday evening that would renew several sections of the Patriot Act, which grants expansive powers of surveillance to intelligence agencies, that are set to expire this summer.

Among the act’s provisions that would be renewed until 2020 rather than expiring in June is Section 215, the National Journal reports. The hotly contested authority laid the legal groundwork for the National Security Agency’s sweeping collection of metadata from millions of Americans’ phone records.

The bill appears to challenge a bipartisan effort to amend Section 215 with stricter guidelines on what information intelligence agents can collect and retain.

TIME Innovation

Five Best Ideas of the Day: February 26

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

1. It’s time to break up the NSA.

By Bruce Schneier at CNN

2. By prescribing appearances, sororities are contributing to a culture of segregation.

By Clio Chang in U.S. News and World Report

3. In Egypt, the U.S. still values security over human rights.

By the Editorial Board of the Washington Post

4. Bartering for eggs is saving giant turtles in Cambodia.

By Yoeung Sun at Conservation International

5. How does Internet slang work its way into American Sign Language?

By Mike Sheffield, Antwan Duncan and Andrew Strasser in Hopes and Fears


TIME Security

SIM Card Company Says the NSA Probably Hacked It

Mobile phone SIM card
David Gould—Getty Images

But it denies the NSA got access to billions of people's mobile communications

One of the world’s largest manufacturers of SIM cards has acknowledged evidence of security agency attacks on the company’s internal networks, but it’s denying that American and British intelligence agents were able to get access to billions of mobile phone users’ secure data.

Gemalto, a French-Dutch supplier of SIM cards, found “reasonable grounds” to believe there was an attack by the U.S. National Security Agency and its British counterpart, the Government Communications Headquarters (GCHQ), following an internal investigation into a series of security incidents. The audits came after online publication The Intercept reported on what it said was a joint British-American operation to covertly hack Gemalto’s stash of SIM encryption keys, based on documents leaked by Edward Snowden.

SIM cards are small encrypted devices inside cell phones that carry users’ unique identifier codes on a network. Breaking their encryption could allow intelligence agencies or hackers easier access to targets’ mobile communication.

In particular, Gemalto cited two “sophisticated intrusions” in 2010 and 2011, one of which involved sending malware-infected attachments from faked company email addresses. Gemalto acknowledged that the breaches may have enabled a third party such as the NSA to spy on internal communications from company employees, but denied the breach led to a massive loss of encryption keys. The Intercept previously reported that the NSA and GCHQ stole encryption codes as Gemalto sent them to device makers like China’s Huawei.

“The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys,” read a statement from the company.

TIME intelligence

Obama to Limit Data Collection by Intelligence Agencies

The National Security Agency (NSA) headquarters in Fort Meade, Md. (Getty Images)

Modest reforms will also establish White House oversight over surveillance of foreign leaders

Intelligence agencies will have to delete extraneous data on private citizens and limit storage of data on foreigners to five years, the Obama administration is expected to announce Tuesday, as part of a new batch of modest restrictions on intelligence gathering efforts.

The reforms will also initiate regular White House reviews over surveillance programs targeting foreign leaders, the New York Times reports. President Barack Obama abruptly cancelled one such program targeting German Chancellor Angela Merkel in 2013, after leaked documents revealed that the National Security Agency had tapped her cell phone records.

However, the administration stopped short of addressing the scope of the NSA’s collection of “metadata” on cell phone records, which sparked a controversy after it was revealed that the program encompassed millions of Americans’ cell phone records.


TIME foreign affairs

The Government Must Show Us the Evidence That North Korea Attacked Sony

President Obama Holds News Conference At The White House
Leigh Vogel—WireImage President Barack Obama holds a press conference during which he discussed Sony Pictures' decision not to release "The Interview" in wake of the alleged North Korean hacking scandal at The White House on December 19, 2014 in Washington, DC.

Bruce Schneier is a security technologist and fellow at the Berkman Center for Internet and Society at Harvard Law School.

American history is littered with examples of classified information pointing us towards aggression against other countries—think WMDs—only to later learn that the evidence was wrong

When you’re attacked by a missile, you can follow its trajectory back to where it was launched from. When you’re attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.

Many of us in the computer-security field are skeptical of the U.S. government’s claim that it has positively identified North Korea as the perpetrator of the massive Sony hack in November 2014. The FBI’s evidence is circumstantial and not very convincing. The attackers never mentioned the movie that became the centerpiece of the hack until the press did. More likely, the culprits are random hackers who have loved to hate Sony for over a decade, or possibly a disgruntled insider.

On the other hand, most people believe that the FBI would not sound so sure unless it was convinced. And President Obama would not have imposed sanctions against North Korea if he weren’t convinced. This implies that there’s classified evidence as well. A couple of weeks ago, I wrote for the Atlantic, “The NSA has been trying to eavesdrop on North Korea’s government communications since the Korean War, and it’s reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un’s sign-off on the plan. On the other hand, maybe not. I could have written the same thing about Iraq’s weapons-of-mass-destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.”

The NSA is extremely reluctant to reveal its intelligence capabilities — or what it refers to as “sources and methods” — against North Korea simply to convince all of us of its conclusion, because by revealing them, it tips North Korea off to its insecurities. At the same time, we rightly have reason to be skeptical of the government’s unequivocal attribution of the attack without seeing the evidence. Iraq’s mythical weapons of mass destruction are only the most recent example of a major intelligence failure. American history is littered with examples of claimed secret intelligence pointing us toward aggression against other countries, only for us to learn later that the evidence was wrong.

Cyberspace exacerbates this in two ways. First, it is very difficult to attribute attacks in cyberspace. Packets don’t come with return addresses, and you can never be sure that what you think is the originating computer hasn’t itself been hacked. Even worse, it’s hard to tell the difference between attacks carried out by a couple of lone hackers and ones where a nation-state military is responsible. When we do know who did it, it’s usually because a lone hacker admitted it or because there was a months-long forensic investigation.

Second, in cyberspace, it is much easier to attack than to defend. The primary defense we have against military attacks in cyberspace is counterattack and the threat of counterattack that leads to deterrence.

What this all means is that it’s in the U.S.’s best interest to claim omniscient powers of attribution. More than anything else, those in charge want to signal to other countries that they cannot get away with attacking the U.S.: If they try something, we will know. And we will retaliate, swiftly and effectively. This is also why the U.S. has been cagey about whether it caused North Korea’s Internet outage in late December.

It can be an effective bluff, but only if you get away with it. Otherwise, you lose credibility. The FBI is already starting to equivocate, saying others might have been involved in the attack, possibly hired by North Korea. If the real attackers surface and can demonstrate that they acted independently, it will be obvious that the FBI and NSA were overconfident in their attribution. Already, the FBI has lost significant credibility.

The only way out of this, with respect to the Sony hack and any other incident of cyber-aggression in which we’re expected to support retaliatory action, is for the government to be much more forthcoming about its evidence. The secrecy of the NSA’s sources and methods is going to have to take a backseat to the public’s right to know. And in cyberspace, we’re going to have to accept the uncomfortable fact that there’s a lot we don’t know.

Bruce Schneier is a security technologist, a fellow at the Berkman Center for Internet and Society at Harvard Law School and the CTO of Co3 Systems Inc. He blogs at schneier.com and tweets at @schneierblog.


MONEY privacy

Security Flaws Let Hackers Listen in on Calls

German researchers say the network that allows cellphone carriers to direct calls to one another is full of security holes.
