FROM: THE WHITE HOUSE
February 15, 2015
FACT SHEET: Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems
Today the White House issued a Presidential Memorandum to promote economic competitiveness and innovation while safeguarding privacy, civil rights, and civil liberties in the domestic use of Unmanned Aircraft Systems (UAS).
This Presidential Memorandum builds on efforts already underway to integrate UAS into the national airspace system (NAS). The Federal Aviation Administration has authorized the testing of UAS at six sites around the country in December 2013 as part of its efforts to safely integrate UAS into the NAS, as required by the Federal Aviation Administration Modernization and Reform Act of 2012.
UAS are a potentially transformative technology in diverse fields such as agriculture, law enforcement, coastal security, military training, search and rescue, first responder medical support, critical infrastructure inspection, and many others.
The Administration is committed to promoting the responsible use of this technology, strengthening privacy safeguards and ensuring full protection of civil liberties.
The Presidential Memorandum released today ensures that the Federal Government’s use of UAS takes into account these important concerns and in service of them, promotes better accountability and transparent use of this technology, including through the following:
First, the Presidential Memorandum requires Federal agencies to ensure that their policies and procedures are consistent with limitations set forth in the Presidential Memorandum on the collection and use, retention, and dissemination, of information collected through UAS in the NAS.
Second, the Presidential Memorandum requires agencies to ensure that policies are in place to prohibit the collection, use, retention, or dissemination of data in any manner that would violate the First Amendment or in any manner that would discriminate against persons based upon their ethnicity, race, gender, national origin, religion, sexual orientation, or gender identity, in violation of law.
Third, the Presidential Memorandum includes requirements to ensure effective oversight.
Fourth, the Presidential Memorandum includes provisions to promote transparency, including a requirement that agencies publish information within one year describing how to access their publicly available policies and procedures implementing the Presidential Memorandum.
Fifth, recognizing that technologies evolve over time, the Presidential Memorandum requires agencies to examine their UAS policies and procedures prior to the deployment of new UAS technology, and at least every three years, to ensure that protections and policies keep pace with developments.
Consistent with these objectives, the Presidential Memorandum additionally requires the Department of Commerce, through the National Telecommunications and Information Administration, and in consultation with other interested agencies, to initiate a multi-stakeholder engagement process within 90 days to develop a framework for privacy, accountability, and transparency issues concerning the commercial and private use of UAS in the NAS.
Showing posts with label PRIVACY. Show all posts
Showing posts with label PRIVACY. Show all posts
Tuesday, February 17, 2015
Wednesday, May 28, 2014
FEDERAL TRADE COMMISSION SAYS DATA BROKERS NEED TO BE MORE TRANSPARENT
FROM: U.S. FEDERAL TRADE COMMISSION
FTC Recommends Congress Require the Data Broker Industry to be More Transparent and Give Consumers Greater Control Over Their Personal Information
Agency Report Shows Data Brokers Collect and Store Billions of Data Elements Covering Nearly Every U.S. Consumer
In a report issued today on the data broker industry, the Federal Trade Commission finds that data brokers operate with a fundamental lack of transparency. The Commission recommends that Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the immense amounts of personal information about them collected and shared by data brokers.
The report, “Data Brokers: A Call for Transparency and Accountability” is the result of a study of nine data brokers, representing a cross-section of the industry, undertaken by the FTC to shed light on the data broker industry. Data brokers obtain and share vast amounts of consumer information, typically behind the scenes, without consumer knowledge. Data brokers sell this information for marketing campaigns and fraud prevention, among other purposes. Although consumers benefit from data broker practices which, for example, help enable consumers to find and enjoy the products and services they prefer, data broker practices also raise privacy concerns.
“The extent of consumer profiling today means that data brokers often know as much – or even more – about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income and socioeconomic status, and more,” said FTC Chairwoman Edith Ramirez. “It’s time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist.”
The report finds that data brokers collect and store billions of data elements covering nearly every U.S. consumer. Just one of the data brokers studied holds information on more than 1.4 billion consumer transactions and 700 billion data elements and another adds more than 3 billion new data points to its database each month.
Among the report’s findings:
Data brokers collect consumer data from extensive online and offline sources, largely without consumers’ knowledge, ranging from consumer purchase data, social media activity, warranty registrations, magazine subscriptions, religious and political affiliations, and other details of consumers’ everyday lives.
Consumer data often passes through multiple layers of data brokers sharing data with each other. In fact, seven of the nine data brokers in the Commission study had shared information with another data broker in the study.
Data brokers combine online and offline data to market to consumers online.
Data brokers combine and analyze data about consumers to make inferences about them, including potentially sensitive inferences such as those related to ethnicity, income, religion, political leanings, age, and health conditions. Potentially sensitive categories from the study are “Urban Scramble” and “Mobile Mixers,” both of which include a high concentration of Latinos and African-Americans with low incomes. The category “Rural Everlasting” includes single men and women over age 66 with “low educational attainment and low net worths.” Other potentially sensitive categories include health-related topics or conditions, such as pregnancy, diabetes, and high cholesterol.
Many of the purposes for which data brokers collect and use data pose risks to consumers, such as unanticipated uses of the data. For example, a category like “Biker Enthusiasts” could be used to offer discounts on motorcycles to a consumer, but could also be used by an insurance provider as a sign of risky behavior.
Some data brokers unnecessarily store data about consumers indefinitely, which may create security risks.
To the extent data brokers currently offer consumers choices about their data, the choices are largely invisible and incomplete.
To help rectify a lack of transparency about data broker industry practices, the Commission encourages Congress to consider enacting legislation that would enable consumers to learn of the existence and activities of data brokers and provide consumers with reasonable access to information about them held by these entities.
For data brokers that provide marketing products, Congress should consider legislation to:
Centralized Portal. Require the creation of a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt- outs;
Access. Require data brokers to give consumers access to their data, including any sensitive data, at a reasonable level of detail;
Opt-Outs. Require opt-out tools, that is, a way for consumers to suppress the use of their data;
Inferences. Require data brokers to tell consumers that they derive certain inferences from from raw data;
Data Sources. Require data brokers to disclose the names and/or categories of their data sources, to enable consumers to correct wrong information with an original source;
Notice and Choice. Require consumer-facing entities – such as retailers – to provide prominent notice to consumers when they share information with data brokers, along with the ability to opt-out of such sharing; and Sensitive Data. Further protect sensitive information, including health information, by requiring retailers and other consumer-facing entities to obtain affirmative express consent from consumers before such information is collected and shared with data brokers.
For brokers that provide “risk mitigation” products, legislation should:
When a company uses a data broker’s risk mitigation product to limit a consumers’ ability to complete a transaction, require the consumer-facing company to tell consumers which data broker’s information the company relied on;
Require the data broker to allow consumer access to the information used and the ability to correct it, as appropriate.
For brokers that provide “people search” products, legislation should:
Require data brokers to allow consumers to access their own information, opt-out of having the information included in a people search product, disclose the original sources of the information so consumers can correct it, and disclose any limitations of an opt-out feature.
The nine data brokers in the study are Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf and Recorded Future. In December 2012, the Commission voted to issue orders requiring these data brokers to produce the information that was used in the study.
The Commission vote approving the issuance of the report was 4-0, with Commissioner McSweeny not participating.
Saturday, May 24, 2014
FTC TESTIFIES BEFORE SENATE HOMELAND SECURITY SUBCOMMITTEE REGARDING ONLINE ADVERTISING
FROM: FEDERAL TRADE COMMISSION
FTC Outlines Recommendations for Online Advertising In Testimony Before Senate Homeland Security Subcommittee
Testifying on behalf of the Commission before the Senate Committee on Homeland Security and Governmental Affairs’ Permanent Subcommittee on Investigations, Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, outlined steps the agency is taking to address concerns related to online advertising through enforcement and consumer education.
The testimony highlights work by the Commission on three consumer protection issues affecting the online advertising industry: privacy, spyware and other malware, and data security.
In the area of privacy, the testimony notes the recommendations put forth in the Commission’s 2012 privacy report, which encourages businesses to provide consumers with simpler and more streamlined privacy choices about their data, through a robust universal choice mechanism for online behavioral advertising.
The testimony also addresses a number of privacy cases brought by the FTC against companies in the online advertising industry. For example, the testimony describes the FTC’s 2012 settlement with Google, in which the company agreed to pay a $22.5 million civil penalty to resolve charges that it misrepresented to some consumers that it would not place tracking cookies or serve targeted ads to them.
The testimony also describes the FTC’s cases to combat spyware and other malware. These cases support three core principles: first, that a consumer’s computer belongs to him or her, and it must be the consumer’s choice whether to install software; second, that buried disclosures about material information necessary to correct an otherwise misleading impression are not sufficient in connection with software downloads; and third, that a consumer should be able to disable or uninstall any software they do not want on their computer.
The testimony also highlights the FTC’s extensive consumer education work aimed at helping consumers avoid and detect spyware and other malware, including its sponsorship of OnGuardOnline.gov.
On the topic of data security, the testimony underscores the Commission’s enforcement actions, noting that the agency has obtained settlements in 53 data security cases, including recent cases against the mobile app company Snapchat, as well as with Credit Karma, Fandango and home security camera maker TRENDnet.
The testimony recommends expanding efforts to educate both consumers and businesses, and also encourages industry self-regulation efforts aimed at protecting consumers from malicious online advertisements.
In addition, the testimony renews the Commission’s call for the enactment of a strong federal data security and breach notification law, noting that a national law would simplify compliance for businesses while ensuring that all consumers are protected. The testimony also notes that supplementing the Commission’s existing data security authority with the ability to seek civil penalties in appropriate circumstances would provide a deterrent to those engaging in unlawful conduct that puts consumers’ personal data at risk.
The Commission vote approving the testimony and its inclusion in the formal record was 5-0.
Monday, April 28, 2014
STOLEN LAPTOPS AND ACCOUNTABILITY FOR NON-ENCRYPTED COMPUTERS UNDER HIPAA
FROM: U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
April 22, 2014
Stolen laptops lead to important HIPAA settlements
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.
Tuesday, February 25, 2014
AG HOLDER WANTS NATIONAL STANDARD FOR REPORTING CYBERATTACKS
FROM: U.S. JUSTICE DEPARTMENT
Monday, February 24, 2014
Attorney General Holder Urges Congress to Create National Standard for Reporting Cyberattacks
In a video message released today, Attorney General Eric Holder called on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised by cyberattacks. This legislation would strengthen the Justice Department's ability to combat crime, ensure individual privacy, and prevent identity theft, while also helping to bring cybercriminals to justice.
The complete text of the Attorney General’s weekly address is available below:
“Late last year, Target – the second-largest discount retailer in the United States – suffered a massive data breach that may have compromised the personal information of as many as 70 million people, in addition to credit and debit card information of up to 40 million customers. The Department of Justice is currently investigating this breach, in close coordination with the U.S. Secret Service. And we are moving aggressively to respond to hacking, cyberattacks, and other crimes that harm American consumers – and expose personal or financial information to those who would take advantage of their fellow citizens.
"As we’ve seen – especially in recent years – these crimes are becoming all too common. And they have the potential to impact millions of Americans every year. Just days after the Target breach was made public, another major retailer – Neiman Marcus – reported that it also suffered a suspected cyberattack during the holiday season. And although Justice Department officials are working closely with the FBI and prosecutors across the country to bring cyber criminals to justice, it’s time for leaders in Washington to provide the tools we need to do even more: by requiring businesses to notify American consumers and law enforcement in the wake of significant data breaches.
“Today, I’m calling on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised. This would empower the American people to protect themselves if they are at risk of identity theft. It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe. And it would provide reasonable exemptions for harmless breaches, to avoid placing unnecessary burdens on businesses that do act responsibly.
“This legislation would strengthen the Justice Department’s ability to combat crime and ensure individual privacy – while bringing cybercriminals to justice. My colleagues and I are eager to work with Members of Congress to refine and pass this important proposal. And we will never stop working to protect the American people – using every tool and resource we can bring to bear.”
Monday, February 24, 2014
Attorney General Holder Urges Congress to Create National Standard for Reporting Cyberattacks
In a video message released today, Attorney General Eric Holder called on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised by cyberattacks. This legislation would strengthen the Justice Department's ability to combat crime, ensure individual privacy, and prevent identity theft, while also helping to bring cybercriminals to justice.
The complete text of the Attorney General’s weekly address is available below:
“Late last year, Target – the second-largest discount retailer in the United States – suffered a massive data breach that may have compromised the personal information of as many as 70 million people, in addition to credit and debit card information of up to 40 million customers. The Department of Justice is currently investigating this breach, in close coordination with the U.S. Secret Service. And we are moving aggressively to respond to hacking, cyberattacks, and other crimes that harm American consumers – and expose personal or financial information to those who would take advantage of their fellow citizens.
"As we’ve seen – especially in recent years – these crimes are becoming all too common. And they have the potential to impact millions of Americans every year. Just days after the Target breach was made public, another major retailer – Neiman Marcus – reported that it also suffered a suspected cyberattack during the holiday season. And although Justice Department officials are working closely with the FBI and prosecutors across the country to bring cyber criminals to justice, it’s time for leaders in Washington to provide the tools we need to do even more: by requiring businesses to notify American consumers and law enforcement in the wake of significant data breaches.
“Today, I’m calling on Congress to create a strong, national standard for quickly alerting consumers whose information may be compromised. This would empower the American people to protect themselves if they are at risk of identity theft. It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe. And it would provide reasonable exemptions for harmless breaches, to avoid placing unnecessary burdens on businesses that do act responsibly.
“This legislation would strengthen the Justice Department’s ability to combat crime and ensure individual privacy – while bringing cybercriminals to justice. My colleagues and I are eager to work with Members of Congress to refine and pass this important proposal. And we will never stop working to protect the American people – using every tool and resource we can bring to bear.”
Wednesday, January 29, 2014
SPYEYE MALWARE DISTRIBUTOR PLEADS GUILTY TO FRAUD CHARGES
FROM: JUSTICE DEPARTMENT
Tuesday, January 28, 2014
Cyber Criminal Pleads Guilty to Developing and Distributing Notorious Spyeye Malware
Aleksandr Andreevich Panin, a Russian national also known as “Gribodemon” and “Harderman,” has pleaded guilty to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of the malicious software known as “SpyEye,” which, according to industry estimates, has infected over 1.4 million computers in the United States and abroad.
Acting Assistant Attorney General Mythili Raman of the Department of Justice’s Criminal Division, U.S. Attorney Sally Quillian Yates of the Northern District of Georgia and Acting Special Agent in Charge Ricky Maxwell of the FBI’s Atlanta Field Office made the announcement.
“Given the recent revelations of massive thefts of financial information from large retail stores across the country, Americans do not need to be reminded how devastating it is when cyber criminals surreptitiously install malicious codes on computer networks and then siphon away private information from unsuspecting consumers,” said Acting Assistant Attorney General Raman. “Today, thanks to the tireless work of prosecutors and law enforcement agents, Aleksandr Panin has admitted to his orchestration of this criminal scheme to use ‘SpyEye’ to invade the privacy of Americans by infecting their computers through a dangerous botnet. As this prosecution shows, cyber criminals – even when they sit on the other side of the world and attempt to hide behind online aliases – are never outside the reach of U.S. law enforcement.”
“As several recent and widely reported data breaches have shown, cyber-attacks pose a critical threat to our nation’s economic security,” said U.S. Attorney Yates. “Today’s plea is a great leap forward in our campaign against those attacks. Panin was the architect of a pernicious malware known as ‘SpyEye’ that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned: you cannot hide in the shadows of the Internet. We will find you and bring you to justice.”
“This investigation highlights the importance of the FBI’s focus on the top echelon of cyber criminals,” said Acting FBI SAC Maxwell. “The apprehension of Mr. Panin means that one of the world’s top developers of malicious software is no longer in a position to create computer programs that can victimize people around the world. Botnets such as SpyEye represent one of the most dangerous types of malicious software on the Internet today, which can steal people’s identities and money from their bank accounts without their knowledge. The FBI will continue working with partners domestically and internationally to combat cyber-crime.”
According to the charges and other information presented in court, SpyEye is a sophisticated malicious computer code that is designed to automate the theft of confidential personal and financial information, such as online banking credentials, credit card information, usernames, passwords, PINs, and other personally identifying information. The SpyEye virus facilitates this theft of information by secretly infecting victims’ computers, enabling cyber criminals to remotely control the infected computers through command and control (C2) servers. Once a computer is infected and under their control, cyber criminals can remotely access the infected computers, without authorization, and steal victims’ personal and financial information through a variety of techniques, including “web injects,” “keystroke loggers,” and “credit card grabbers.” The victims’ stolen personal and financial data is then surreptitiously transmitted to the C2 servers, where it is used to steal money from the victims’ financial accounts.
Panin was the primary developer and distributor of the SpyEye virus. Operating from Russia from 2009 to 2011, Panin conspired with others, including codefendant Hamza Bendelladj, an Algerian national also known as “Bx1,” to develop, market and sell various versions of the SpyEye virus and component parts on the Internet. Panin allowed cyber criminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information, as well as marketed versions that specifically targeted designated financial institutions. Panin advertised the SpyEye virus on online, invitation-only criminal forums. He sold versions of the SpyEye virus for prices ranging from $1,000 to $8,500. Panin is believed to have sold the SpyEye virus to at least 150 “clients,” who, in turn, used them to set up their own C2 servers. One of Panin’s clients, “Soldier,” is reported to have made more than $3.2 million in a six-month period using the SpyEye virus.
According to industry estimates, the SpyEye virus has infected more than 1.4 million computers in the United States and abroad, and it was the preeminent malware toolkit used from approximately 2009 to 2011. Based on information received from the financial services industry, over 10,000 bank accounts have been compromised by SpyEye infections since 2013 alone. Some cyber criminals continue to use SpyEye today, although its effectiveness has been limited since software makers have added SpyEye to malicious software removal programs.
In February 2011, pursuant to a federal search warrant, the FBI searched and seized a SpyEye C2 server allegedly operated by Bendelladj in the Northern District of Georgia. That C2 server controlled over 200 computers infected with the SpyEye virus and contained information from numerous financial institutions.
In June and July 2011, FBI covert sources communicated directly with Panin, who was using his online nicknames “Gribodemon” and “Harderman,” about the SpyEye virus. FBI sources then purchased a version of SpyEye from Panin that contained features designed to steal confidential financial information, initiate fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (DDoS) attacks from computers infected with the malware.
On Dec. 20, 2011, a Northern District of Georgia grand jury returned a 23-count indictment against Panin, who had yet to be fully identified, and Bendelladj. The indictment charged one count of conspiracy to commit wire and bank fraud, 10 counts of wire fraud, one count of conspiracy to commit computer fraud, and 11 counts of computer fraud. A superseding indictment was subsequently returned identifying Panin by his true name.
Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, on Jan. 5, 2013 and was extradited from Thailand to the United States on May 2, 2013. His charges are currently pending in the Northern District of Georgia.
Panin was arrested by U.S. authorities on July 1, 2013, when he flew through Hartsfield-Jackson Atlanta International Airport.
The investigation also has led to the arrest of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.
On Jan. 28, 2014, Panin pleaded guilty to conspiring to commit wire and bank fraud. Sentencing for Panin is scheduled for April 29, 2014, before United States District Judge Amy Totenberg of the Northern District of Georgia.
The case is being investigated by the FBI. Assistant United States Attorney Scott Ferber of the Northern District of Georgia, Trial Attorney Ethan Arenson of the Criminal Division’s Computer Crime and Intellectual Property Section and Senior Litigation Counsel Carol Sipperly of the Criminal Division’s Fraud Section are prosecuting the case. Former Assistant United States Attorney Nicholas Oldham also participated in the prosecution while with the Criminal Division.
Valuable assistance was provided by the Criminal Division’s Office of International Affairs and the following international law enforcement agencies: The United Kingdom’s National Crime Agency, the Royal Thai Police-Immigration Bureau, the National Police of the Netherlands - National High Tech Crime Unit (NHTCU), Dominican Republic’s Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria and the Australian Federal Police (AFP).
Valuable assistance also was provided by the following private sector partners: Trend Micro’s Forward-looking Threat Research (FTR) Team, Microsoft’s Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer and the Norwegian Security Research Team known as “Underworld.no”.
Tuesday, January 28, 2014
Cyber Criminal Pleads Guilty to Developing and Distributing Notorious Spyeye Malware
Aleksandr Andreevich Panin, a Russian national also known as “Gribodemon” and “Harderman,” has pleaded guilty to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of the malicious software known as “SpyEye,” which, according to industry estimates, has infected over 1.4 million computers in the United States and abroad.
Acting Assistant Attorney General Mythili Raman of the Department of Justice’s Criminal Division, U.S. Attorney Sally Quillian Yates of the Northern District of Georgia and Acting Special Agent in Charge Ricky Maxwell of the FBI’s Atlanta Field Office made the announcement.
“Given the recent revelations of massive thefts of financial information from large retail stores across the country, Americans do not need to be reminded how devastating it is when cyber criminals surreptitiously install malicious codes on computer networks and then siphon away private information from unsuspecting consumers,” said Acting Assistant Attorney General Raman. “Today, thanks to the tireless work of prosecutors and law enforcement agents, Aleksandr Panin has admitted to his orchestration of this criminal scheme to use ‘SpyEye’ to invade the privacy of Americans by infecting their computers through a dangerous botnet. As this prosecution shows, cyber criminals – even when they sit on the other side of the world and attempt to hide behind online aliases – are never outside the reach of U.S. law enforcement.”
“As several recent and widely reported data breaches have shown, cyber-attacks pose a critical threat to our nation’s economic security,” said U.S. Attorney Yates. “Today’s plea is a great leap forward in our campaign against those attacks. Panin was the architect of a pernicious malware known as ‘SpyEye’ that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned: you cannot hide in the shadows of the Internet. We will find you and bring you to justice.”
“This investigation highlights the importance of the FBI’s focus on the top echelon of cyber criminals,” said Acting FBI SAC Maxwell. “The apprehension of Mr. Panin means that one of the world’s top developers of malicious software is no longer in a position to create computer programs that can victimize people around the world. Botnets such as SpyEye represent one of the most dangerous types of malicious software on the Internet today, which can steal people’s identities and money from their bank accounts without their knowledge. The FBI will continue working with partners domestically and internationally to combat cyber-crime.”
According to the charges and other information presented in court, SpyEye is a sophisticated malicious computer code that is designed to automate the theft of confidential personal and financial information, such as online banking credentials, credit card information, usernames, passwords, PINs, and other personally identifying information. The SpyEye virus facilitates this theft of information by secretly infecting victims’ computers, enabling cyber criminals to remotely control the infected computers through command and control (C2) servers. Once a computer is infected and under their control, cyber criminals can remotely access the infected computers, without authorization, and steal victims’ personal and financial information through a variety of techniques, including “web injects,” “keystroke loggers,” and “credit card grabbers.” The victims’ stolen personal and financial data is then surreptitiously transmitted to the C2 servers, where it is used to steal money from the victims’ financial accounts.
Panin was the primary developer and distributor of the SpyEye virus. Operating from Russia from 2009 to 2011, Panin conspired with others, including codefendant Hamza Bendelladj, an Algerian national also known as “Bx1,” to develop, market and sell various versions of the SpyEye virus and component parts on the Internet. Panin allowed cyber criminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information, as well as marketed versions that specifically targeted designated financial institutions. Panin advertised the SpyEye virus on online, invitation-only criminal forums. He sold versions of the SpyEye virus for prices ranging from $1,000 to $8,500. Panin is believed to have sold the SpyEye virus to at least 150 “clients,” who, in turn, used them to set up their own C2 servers. One of Panin’s clients, “Soldier,” is reported to have made more than $3.2 million in a six-month period using the SpyEye virus.
According to industry estimates, the SpyEye virus has infected more than 1.4 million computers in the United States and abroad, and it was the preeminent malware toolkit used from approximately 2009 to 2011. Based on information received from the financial services industry, over 10,000 bank accounts have been compromised by SpyEye infections since 2013 alone. Some cyber criminals continue to use SpyEye today, although its effectiveness has been limited since software makers have added SpyEye to malicious software removal programs.
In February 2011, pursuant to a federal search warrant, the FBI searched and seized a SpyEye C2 server allegedly operated by Bendelladj in the Northern District of Georgia. That C2 server controlled over 200 computers infected with the SpyEye virus and contained information from numerous financial institutions.
In June and July 2011, FBI covert sources communicated directly with Panin, who was using his online nicknames “Gribodemon” and “Harderman,” about the SpyEye virus. FBI sources then purchased a version of SpyEye from Panin that contained features designed to steal confidential financial information, initiate fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (DDoS) attacks from computers infected with the malware.
On Dec. 20, 2011, a Northern District of Georgia grand jury returned a 23-count indictment against Panin, who had yet to be fully identified, and Bendelladj. The indictment charged one count of conspiracy to commit wire and bank fraud, 10 counts of wire fraud, one count of conspiracy to commit computer fraud, and 11 counts of computer fraud. A superseding indictment was subsequently returned identifying Panin by his true name.
Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, on Jan. 5, 2013 and was extradited from Thailand to the United States on May 2, 2013. His charges are currently pending in the Northern District of Georgia.
Panin was arrested by U.S. authorities on July 1, 2013, when he flew through Hartsfield-Jackson Atlanta International Airport.
The investigation also has led to the arrest of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.
On Jan. 28, 2014, Panin pleaded guilty to conspiring to commit wire and bank fraud. Sentencing for Panin is scheduled for April 29, 2014, before United States District Judge Amy Totenberg of the Northern District of Georgia.
The case is being investigated by the FBI. Assistant United States Attorney Scott Ferber of the Northern District of Georgia, Trial Attorney Ethan Arenson of the Criminal Division’s Computer Crime and Intellectual Property Section and Senior Litigation Counsel Carol Sipperly of the Criminal Division’s Fraud Section are prosecuting the case. Former Assistant United States Attorney Nicholas Oldham also participated in the prosecution while with the Criminal Division.
Valuable assistance was provided by the Criminal Division’s Office of International Affairs and the following international law enforcement agencies: The United Kingdom’s National Crime Agency, the Royal Thai Police-Immigration Bureau, the National Police of the Netherlands - National High Tech Crime Unit (NHTCU), Dominican Republic’s Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria and the Australian Federal Police (AFP).
Valuable assistance also was provided by the following private sector partners: Trend Micro’s Forward-looking Threat Research (FTR) Team, Microsoft’s Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer and the Norwegian Security Research Team known as “Underworld.no”.
Thursday, December 19, 2013
FTC OFFICIAL TESTIFIES BEFORE SENATE COMMITTEE REGARDING DATA BROKERS
FROM: U.S. FEDERAL TRADE COMMISSION
FTC Testifies on Data Brokers Before Senate Committee on Commerce, Science and Transportation
The Federal Trade Commission provided information to Congress today on the status of its work regarding companies that collect and aggregate consumers’ information and then resell it, known as data brokers.
Testifying on behalf of the Commission before the Senate Committee on Commerce, Science and Transportation, Bureau of Consumer Protection Director Jessica Rich told lawmakers about the FTC’s past and present efforts related to the privacy practices of the data broker industry.
“Because data brokers generally never interact directly with consumers, consumers are typically unaware of their existence, much less the variety of ways they collect, analyze, and sell consumer data,” the testimony states.
The testimony notes that FTC’s work in the data broker industry is not a recent development, pointing to work done by the Commission in the 1990s looking at the privacy practices of data companies not covered under the Fair Credit Reporting Act (FCRA).
In addition, the testimony points to recommendations made by the Commission in its 2012 report on privacy issues about improving the transparency of data brokers’ practices and giving consumers greater control over how their information is used. The recommendations made in the report included giving consumers reasonable access to the data maintained about them by data brokers. The report also noted that the Commission has long supported legislation both to improve consumers’ access rights to data and to improve the transparency of industry practices.
The testimony goes on to address the Commission’s ongoing initiatives regarding data brokers using a three-pronged strategy made up of enforcement actions, research and reports, and education for consumers and businesses.
In describing the FTC’s enforcement efforts in the data broker industry, the testimony notes that the agency has brought nearly 100 cases and obtained more than $30 million in civil penalties for violations of the FCRA. Among the cases highlighted in the testimony are the Commission’s 2012 consent decree with online data broker Spokeo, its case against app developer Filiquarian, and the Commission’s recent consent decree with Certegy Check Services, which resulted in a $3.5 million FCRA fine.
The testimony describes the Commission’s ongoing study of the data broker industry, conducted under its authority in Section 6(b) of the FTC Act. The study is examining the practices of nine companies, and the Commission expects to issue a report outlining the findings in the coming months. In addition, the testimony notes the FTC’s upcoming series of workshops to be held in 2014 on emerging privacy issues, including alternative scoring products sold by data brokers, which are used to predict trends and behaviors of consumers.
Finally, the testimony addresses the Commission’s work in educating businesses and consumers about privacy issues in the data broker industry. The testimony highlights warning letters sent by Commission staff to data brokers that provided tenant-screening services as well as to to marketers of mobile apps that provide employment screening services.
The testimony also mentions a recent undercover effort by Commission staff to determine if data brokers who said they were not covered under FCRA were willing to sell information for FCRA-covered purposes. As a result, ten warning letters were issued to companies.
“These enforcement, policy, and education efforts demonstrate the Commission’s continued commitment to understanding and addressing consumer privacy issues posed by the data broker industry,” the testimony states.
The Commission vote approving the testimony and its inclusion in the formal record was 4-0.
FTC Testifies on Data Brokers Before Senate Committee on Commerce, Science and Transportation
The Federal Trade Commission provided information to Congress today on the status of its work regarding companies that collect and aggregate consumers’ information and then resell it, known as data brokers.
Testifying on behalf of the Commission before the Senate Committee on Commerce, Science and Transportation, Bureau of Consumer Protection Director Jessica Rich told lawmakers about the FTC’s past and present efforts related to the privacy practices of the data broker industry.
“Because data brokers generally never interact directly with consumers, consumers are typically unaware of their existence, much less the variety of ways they collect, analyze, and sell consumer data,” the testimony states.
The testimony notes that FTC’s work in the data broker industry is not a recent development, pointing to work done by the Commission in the 1990s looking at the privacy practices of data companies not covered under the Fair Credit Reporting Act (FCRA).
In addition, the testimony points to recommendations made by the Commission in its 2012 report on privacy issues about improving the transparency of data brokers’ practices and giving consumers greater control over how their information is used. The recommendations made in the report included giving consumers reasonable access to the data maintained about them by data brokers. The report also noted that the Commission has long supported legislation both to improve consumers’ access rights to data and to improve the transparency of industry practices.
The testimony goes on to address the Commission’s ongoing initiatives regarding data brokers using a three-pronged strategy made up of enforcement actions, research and reports, and education for consumers and businesses.
In describing the FTC’s enforcement efforts in the data broker industry, the testimony notes that the agency has brought nearly 100 cases and obtained more than $30 million in civil penalties for violations of the FCRA. Among the cases highlighted in the testimony are the Commission’s 2012 consent decree with online data broker Spokeo, its case against app developer Filiquarian, and the Commission’s recent consent decree with Certegy Check Services, which resulted in a $3.5 million FCRA fine.
The testimony describes the Commission’s ongoing study of the data broker industry, conducted under its authority in Section 6(b) of the FTC Act. The study is examining the practices of nine companies, and the Commission expects to issue a report outlining the findings in the coming months. In addition, the testimony notes the FTC’s upcoming series of workshops to be held in 2014 on emerging privacy issues, including alternative scoring products sold by data brokers, which are used to predict trends and behaviors of consumers.
Finally, the testimony addresses the Commission’s work in educating businesses and consumers about privacy issues in the data broker industry. The testimony highlights warning letters sent by Commission staff to data brokers that provided tenant-screening services as well as to to marketers of mobile apps that provide employment screening services.
The testimony also mentions a recent undercover effort by Commission staff to determine if data brokers who said they were not covered under FCRA were willing to sell information for FCRA-covered purposes. As a result, ten warning letters were issued to companies.
“These enforcement, policy, and education efforts demonstrate the Commission’s continued commitment to understanding and addressing consumer privacy issues posed by the data broker industry,” the testimony states.
The Commission vote approving the testimony and its inclusion in the formal record was 4-0.
Friday, December 13, 2013
JUSTICE OFFICIALS TESTIFY BEFORE SENATE JUDICIARY COMMITTEE ABOUT FISA COURT
FROM: U.S. JUSTICE DEPARTMENT
Deputy Attorney General James M. Cole, Director Keith B. Alexander and General Counsel Robert S. Litt Testify Before the U.S. Senate Judiciary Committee
Washington, D.C. ~ Wednesday, December 11, 2013
Thank you for inviting us to continue our discussions with this Committee on our efforts to enhance public confidence in the important intelligence collection programs that have been the subject of unauthorized disclosures since earlier this year: the collection of bulk telephony metadata under the business records provision found in Section 215 of the USA PATRIOT Act, and the targeting of non-U.S. persons overseas under Section 702 of FISA. As we have emphasized in previous appearances before this and other Committees, we remain committed, as we review any modifications to these authorities, both to protecting privacy and civil liberties in the conduct of our intelligence activities, in a manner consistent with the Constitution, the law and our values, and to ensuring that we continue to have the authorities we need to collect important foreign intelligence to protect the country from terrorism and other threats to national security. We also remain committed to working closely with this Committee as any modifications to these activities are considered.
A key step in promoting greater public confidence in these intelligence activities is to provide greater transparency so that the American people, as well as ordinary citizens around the world, understand what the activities are, how they function, and how they are overseen. As you know, many of the reports appearing in the media concerning the scope of the Government’s intelligence collection efforts have been inaccurate, including with respect to the collection carried out under Sections 215 and 702. In response, the Administration has released substantial information since June to increase transparency and public understanding, while also working to ensure that these releases are consistent with national security. We welcome the opportunity to discuss ways to make more information about intelligence activities conducted under FISA available to the public in a meaningful and responsible way. At the same time, we are mindful of the need not to publicly disclose information that our adversaries could exploit to evade surveillance and harm our national security. There is no doubt that the recent unauthorized disclosures about our surveillance capabilities risk causing substantial damage to our national security, and it is essential that we not take steps that will increase that damage.
In keeping with this balance, in June the President directed the Intelligence Community to make as much information about the Section 215 and Section 702 programs available to the public as possible, consistent with the need to protect national security and sensitive sources and methods. Since then, the Director of National Intelligence has declassified and publicly released substantial information in order to facilitate informed public debate about these programs. Among other things, the Government has declassified and disclosed the primary and secondary orders from the FISA Court that describe in detail how the bulk telephony metadata collection program operates and the important restrictions on how the data collected under the program are accessed, retained, and disseminated. The Government has also released two recent FISA Court opinions, as well as an Administration white paper, that articulate in detail the legal authority and rationale for this program. We have also declassified and released to the public several other FISA Court opinions and orders concerning the two programs, including detailed discussions of compliance issues that have arisen during the programs’ history and the Government’s responses to these incidents. We have declassified and released extensive materials that were provided to the Congress in conjunction with its oversight and reauthorization of these authorities. Finally, just this week we have declassified and released additional materials, including FISA Court opinions relating to a separate program (no longer in operation) to collect certain internet metadata in bulk pursuant to court orders issued under the pen register/trap and trace provision of FISA (Section 402). Our efforts to promote greater transparency through declassification and public release of relevant documents are not yet complete. We will continue our efforts to promote greater transparency through declassification and public release of relevant documents, while carefully protecting information that we cannot responsibly release because of national security concerns. These efforts are an important means of enhancing public confidence that the Intelligence Community is using its legal authorities appropriately, which has become increasingly important in the wake of confusion, concerns, and misunderstandings caused by the recent and continuing unauthorized disclosures of classified information.
As part of our ongoing efforts to increase transparency, the Director of National Intelligence has also committed to providing annual public reports that include nationwide statistical data on the Intelligence Community’s use of certain FISA authorities. Specifically, for each of the following categories of FISA and related authorities, beginning in January 2014 and on an annual basis thereafter, the Intelligence Community will release to the public the total number of orders issued during the prior twelve-month period and the number of targets affected by these orders:
FISA orders based on probable cause (Titles I and III and Sections 703 and 704 of FISA).
Directives under Section 702 of FISA.
FISA Business Records orders (Title V of FISA).
FISA Pen Register/Trap and Trace orders (Title IV of FISA).
National Security Letters issued pursuant to 12 U.S.C. § 3414(a)(5), 15 U.S.C.
This information will enable the public to understand how often the Intelligence Community uses these authorities nationwide, how many persons or entities are targeted by these efforts, and how these figures change over time. The Director of National Intelligence has concluded that providing this information on a nationwide basis is an acceptable course in light of the goal of public transparency, without unduly risking national security.
We also understand the concerns that specific companies have expressed as to their ability to inform their customers of how often data is provided to the Government in response to legal process. In light of those concerns, we have authorized companies to report within certain ranges the total number of federal, state, and local law enforcement and national security legal demands they receive on a nationwide basis, and the number of user accounts affected by such orders. This allows companies to illustrate that those demands affect only a tiny percentage of their users, even taking all of the demands together, and thus to refute inaccurate reports that companies cooperate with the Government in dragnet surveillance of all of their customers. At the same time, this approach avoids the disclosure of information to our adversaries regarding the extent or existence of FISA coverage of services or communications platforms provided by particular companies
The scope of the voluntary disclosures by the Executive Branch concerning sensitive intelligence collection activities carried out under FISA is unprecedented. We hope that the information we have released, and will continue to release, will allow the public to understand better how our intelligence collection authorities are used. We also hope the public will appreciate the rigorous oversight conducted by all three branches of government over our intelligence activities, a whole of government approach that is unique and exacting in comparison to the many governments that conduct similar intercept programs with substantially less stringent oversight. The extensive oversight that we conduct helps to ensure that our activities protect national security, balance important privacy considerations, and operate lawfully.
In addition to the unprecedented steps we have taken to promote transparency, we are open to working with Congress on legislation designed to increase public confidence in these intelligence activities and enhance the protection of privacy and civil liberties. Regarding Section 215, we would consider statutory restrictions on querying the data that are compatible with operational needs, including perhaps greater limits on contact chaining than what the current FISA Court orders permit. We could also consider a different approach to retention periods for the data—consistent with operational needs—and enhanced statutory oversight and transparency measures, such as annual reporting on the number of identifiers used to query the data. To be clear, we believe the manner in which the bulk telephony metadata collection program has been carried out is lawful, and existing oversight mechanisms protect both privacy and security. However, there are some changes that we believe could be made that would enhance privacy and civil liberties as well as public confidence in the program, consistent with our national security needs.
On the issue of FISA Court reform, we believe that the ex parte nature of proceedings before the FISA Court is fundamentally sound and has worked well for decades in adjudicating the Government’s applications for authority to conduct electronic surveillance or physical searches in the national security context under FISA. However, we understand the concerns that have been raised about the lack of independent views in certain cases, such as cases involving bulk collection, that affect the privacy and civil liberties interests of the American people as a whole.
Therefore, we would be open to discussing legislation authorizing the FISA Court to appoint an amicus , at its discretion, in appropriate cases, such as those that present novel and significant questions of law and that involve the acquisition and retention of information concerning a substantial number of U.S. persons. Establishing a mechanism whereby the FISA Court could solicit independent views of an amicus in cases that raise broader privacy and civil liberties questions, but without compromising classified information, may further assist the Court in making informed and balanced decisions and may also serve to enhance public confidence in the FISA Court process.
While we remain open to working with Congress to effectuate meaningful reforms along the lines just described, we do not support legislation that would have the effect of ending the Section 215 program, which the Government continues to find valuable in protecting national security. And, while we support increased transparency, we do not support legislation that would require or permit public reporting of information concerning intelligence activities under FISA that could be used by our adversaries to evade surveillance, or which otherwise raises practical and operational concerns. The bill approved by the Senate Intelligence Committee includes a number of constructive provisions that we support and that we think will enhance protections for privacy and civil liberties without harming national security.
Finally, we want to address the Committee’s interest in the legal standard for collection of records under Section 215. As the Administration explained in a white paper that it published in August, the telephony metadata program satisfies the statutory requirement that there be “reasonable grounds to believe” that the records collected are “relevant to an authorized investigation . . . to obtain foreign intelligence information . . . or to protect against international terrorist or clandestine intelligence activities.” The text of Section 215, considered in light of the well-developed understanding of “relevance” in the context of civil discovery and criminal and administrative subpoenas, as well as the broader purposes of the statute, indicates that there are “reasonable grounds to believe” that the records at issue here are “relevant to an authorized investigation.” Specifically, in the circumstance where the Government has reason to believe that conducting a search of a broad collection of telephony metadata records will produce counterterrorism information—and that it is necessary to collect a large volume of data in order to employ the analytic tools needed to identify that information—the standard of relevance under Section 215 is satisfied, particularly in light of the strict limitations on the use of the data collected and the extensive oversight of the program.
As noted above, two decisions of the FISA Court that have recently been declassified by the Government and released publicly by the Court explain why the collection of telephony metadata in bulk is constitutional and is authorized under the statute. These opinions reflect the independent conclusions of two federal judges serving on the FISA Court that the Government’s request for the production of call detail records under Section 215 meets the relevance standard and all other statutory requirements. Moreover, these opinions conclude that because the Government seeks only the production of telephony metadata, and not the content of communications, there are no Fourth Amendment impediments to the collection. Indeed, 15 separate judges of the FISA Court have held on 35 occasions that Section 215 authorizes the collection of telephony metadata in bulk in support of counterterrorism investigations. Last week, a district court in a criminal case in California also held that the collection of telephony metadata in bulk under Section 215 is consistent with the Fourth Amendment.
We appreciate that privacy concerns persist about the telephony metadata collection program, even considering the limited data the Government receives, the stringent constraints set by the FISA Court on how it is used, and the aforementioned legal rulings that have consistently upheld its legality. But we hope you will weigh those concerns against the increased risks to national security if this capability were terminated with no equivalent program that addresses what the 9/11 Commission pointed out as a critical gap in the ability of the intelligence community to detect and “connect the dots” for foreign terror plots against our homeland. This program fills a significant gap in our ability to identify terrorist communications and, together with other authorities, can help us identify and disrupt terrorist plots, thus fulfilling the vision of the 9/11 Commission, which implored the Government to undertake mechanisms and collaboration which would prevent the recurrence of another 9/11.
We look forward to answering any questions you might have about these important intelligence collection programs and related issues. We understand that there are a variety of views in the Congress and among the American people about these activities, and we look forward to discussing these issues with this Committee as new legislation concerning these activities is considered. We hope that, with the assistance of this Committee, we can ensure that these programs are on the strongest possible footing, from the perspective of both national security and privacy, so that they will continue to enjoy Congressional support in the future. Thank you.
Deputy Attorney General James M. Cole, Director Keith B. Alexander and General Counsel Robert S. Litt Testify Before the U.S. Senate Judiciary Committee
Washington, D.C. ~ Wednesday, December 11, 2013
Thank you for inviting us to continue our discussions with this Committee on our efforts to enhance public confidence in the important intelligence collection programs that have been the subject of unauthorized disclosures since earlier this year: the collection of bulk telephony metadata under the business records provision found in Section 215 of the USA PATRIOT Act, and the targeting of non-U.S. persons overseas under Section 702 of FISA. As we have emphasized in previous appearances before this and other Committees, we remain committed, as we review any modifications to these authorities, both to protecting privacy and civil liberties in the conduct of our intelligence activities, in a manner consistent with the Constitution, the law and our values, and to ensuring that we continue to have the authorities we need to collect important foreign intelligence to protect the country from terrorism and other threats to national security. We also remain committed to working closely with this Committee as any modifications to these activities are considered.
A key step in promoting greater public confidence in these intelligence activities is to provide greater transparency so that the American people, as well as ordinary citizens around the world, understand what the activities are, how they function, and how they are overseen. As you know, many of the reports appearing in the media concerning the scope of the Government’s intelligence collection efforts have been inaccurate, including with respect to the collection carried out under Sections 215 and 702. In response, the Administration has released substantial information since June to increase transparency and public understanding, while also working to ensure that these releases are consistent with national security. We welcome the opportunity to discuss ways to make more information about intelligence activities conducted under FISA available to the public in a meaningful and responsible way. At the same time, we are mindful of the need not to publicly disclose information that our adversaries could exploit to evade surveillance and harm our national security. There is no doubt that the recent unauthorized disclosures about our surveillance capabilities risk causing substantial damage to our national security, and it is essential that we not take steps that will increase that damage.
In keeping with this balance, in June the President directed the Intelligence Community to make as much information about the Section 215 and Section 702 programs available to the public as possible, consistent with the need to protect national security and sensitive sources and methods. Since then, the Director of National Intelligence has declassified and publicly released substantial information in order to facilitate informed public debate about these programs. Among other things, the Government has declassified and disclosed the primary and secondary orders from the FISA Court that describe in detail how the bulk telephony metadata collection program operates and the important restrictions on how the data collected under the program are accessed, retained, and disseminated. The Government has also released two recent FISA Court opinions, as well as an Administration white paper, that articulate in detail the legal authority and rationale for this program. We have also declassified and released to the public several other FISA Court opinions and orders concerning the two programs, including detailed discussions of compliance issues that have arisen during the programs’ history and the Government’s responses to these incidents. We have declassified and released extensive materials that were provided to the Congress in conjunction with its oversight and reauthorization of these authorities. Finally, just this week we have declassified and released additional materials, including FISA Court opinions relating to a separate program (no longer in operation) to collect certain internet metadata in bulk pursuant to court orders issued under the pen register/trap and trace provision of FISA (Section 402). Our efforts to promote greater transparency through declassification and public release of relevant documents are not yet complete. We will continue our efforts to promote greater transparency through declassification and public release of relevant documents, while carefully protecting information that we cannot responsibly release because of national security concerns. These efforts are an important means of enhancing public confidence that the Intelligence Community is using its legal authorities appropriately, which has become increasingly important in the wake of confusion, concerns, and misunderstandings caused by the recent and continuing unauthorized disclosures of classified information.
As part of our ongoing efforts to increase transparency, the Director of National Intelligence has also committed to providing annual public reports that include nationwide statistical data on the Intelligence Community’s use of certain FISA authorities. Specifically, for each of the following categories of FISA and related authorities, beginning in January 2014 and on an annual basis thereafter, the Intelligence Community will release to the public the total number of orders issued during the prior twelve-month period and the number of targets affected by these orders:
FISA orders based on probable cause (Titles I and III and Sections 703 and 704 of FISA).
Directives under Section 702 of FISA.
FISA Business Records orders (Title V of FISA).
FISA Pen Register/Trap and Trace orders (Title IV of FISA).
National Security Letters issued pursuant to 12 U.S.C. § 3414(a)(5), 15 U.S.C.
This information will enable the public to understand how often the Intelligence Community uses these authorities nationwide, how many persons or entities are targeted by these efforts, and how these figures change over time. The Director of National Intelligence has concluded that providing this information on a nationwide basis is an acceptable course in light of the goal of public transparency, without unduly risking national security.
We also understand the concerns that specific companies have expressed as to their ability to inform their customers of how often data is provided to the Government in response to legal process. In light of those concerns, we have authorized companies to report within certain ranges the total number of federal, state, and local law enforcement and national security legal demands they receive on a nationwide basis, and the number of user accounts affected by such orders. This allows companies to illustrate that those demands affect only a tiny percentage of their users, even taking all of the demands together, and thus to refute inaccurate reports that companies cooperate with the Government in dragnet surveillance of all of their customers. At the same time, this approach avoids the disclosure of information to our adversaries regarding the extent or existence of FISA coverage of services or communications platforms provided by particular companies
The scope of the voluntary disclosures by the Executive Branch concerning sensitive intelligence collection activities carried out under FISA is unprecedented. We hope that the information we have released, and will continue to release, will allow the public to understand better how our intelligence collection authorities are used. We also hope the public will appreciate the rigorous oversight conducted by all three branches of government over our intelligence activities, a whole of government approach that is unique and exacting in comparison to the many governments that conduct similar intercept programs with substantially less stringent oversight. The extensive oversight that we conduct helps to ensure that our activities protect national security, balance important privacy considerations, and operate lawfully.
In addition to the unprecedented steps we have taken to promote transparency, we are open to working with Congress on legislation designed to increase public confidence in these intelligence activities and enhance the protection of privacy and civil liberties. Regarding Section 215, we would consider statutory restrictions on querying the data that are compatible with operational needs, including perhaps greater limits on contact chaining than what the current FISA Court orders permit. We could also consider a different approach to retention periods for the data—consistent with operational needs—and enhanced statutory oversight and transparency measures, such as annual reporting on the number of identifiers used to query the data. To be clear, we believe the manner in which the bulk telephony metadata collection program has been carried out is lawful, and existing oversight mechanisms protect both privacy and security. However, there are some changes that we believe could be made that would enhance privacy and civil liberties as well as public confidence in the program, consistent with our national security needs.
On the issue of FISA Court reform, we believe that the ex parte nature of proceedings before the FISA Court is fundamentally sound and has worked well for decades in adjudicating the Government’s applications for authority to conduct electronic surveillance or physical searches in the national security context under FISA. However, we understand the concerns that have been raised about the lack of independent views in certain cases, such as cases involving bulk collection, that affect the privacy and civil liberties interests of the American people as a whole.
Therefore, we would be open to discussing legislation authorizing the FISA Court to appoint an amicus , at its discretion, in appropriate cases, such as those that present novel and significant questions of law and that involve the acquisition and retention of information concerning a substantial number of U.S. persons. Establishing a mechanism whereby the FISA Court could solicit independent views of an amicus in cases that raise broader privacy and civil liberties questions, but without compromising classified information, may further assist the Court in making informed and balanced decisions and may also serve to enhance public confidence in the FISA Court process.
While we remain open to working with Congress to effectuate meaningful reforms along the lines just described, we do not support legislation that would have the effect of ending the Section 215 program, which the Government continues to find valuable in protecting national security. And, while we support increased transparency, we do not support legislation that would require or permit public reporting of information concerning intelligence activities under FISA that could be used by our adversaries to evade surveillance, or which otherwise raises practical and operational concerns. The bill approved by the Senate Intelligence Committee includes a number of constructive provisions that we support and that we think will enhance protections for privacy and civil liberties without harming national security.
Finally, we want to address the Committee’s interest in the legal standard for collection of records under Section 215. As the Administration explained in a white paper that it published in August, the telephony metadata program satisfies the statutory requirement that there be “reasonable grounds to believe” that the records collected are “relevant to an authorized investigation . . . to obtain foreign intelligence information . . . or to protect against international terrorist or clandestine intelligence activities.” The text of Section 215, considered in light of the well-developed understanding of “relevance” in the context of civil discovery and criminal and administrative subpoenas, as well as the broader purposes of the statute, indicates that there are “reasonable grounds to believe” that the records at issue here are “relevant to an authorized investigation.” Specifically, in the circumstance where the Government has reason to believe that conducting a search of a broad collection of telephony metadata records will produce counterterrorism information—and that it is necessary to collect a large volume of data in order to employ the analytic tools needed to identify that information—the standard of relevance under Section 215 is satisfied, particularly in light of the strict limitations on the use of the data collected and the extensive oversight of the program.
As noted above, two decisions of the FISA Court that have recently been declassified by the Government and released publicly by the Court explain why the collection of telephony metadata in bulk is constitutional and is authorized under the statute. These opinions reflect the independent conclusions of two federal judges serving on the FISA Court that the Government’s request for the production of call detail records under Section 215 meets the relevance standard and all other statutory requirements. Moreover, these opinions conclude that because the Government seeks only the production of telephony metadata, and not the content of communications, there are no Fourth Amendment impediments to the collection. Indeed, 15 separate judges of the FISA Court have held on 35 occasions that Section 215 authorizes the collection of telephony metadata in bulk in support of counterterrorism investigations. Last week, a district court in a criminal case in California also held that the collection of telephony metadata in bulk under Section 215 is consistent with the Fourth Amendment.
We appreciate that privacy concerns persist about the telephony metadata collection program, even considering the limited data the Government receives, the stringent constraints set by the FISA Court on how it is used, and the aforementioned legal rulings that have consistently upheld its legality. But we hope you will weigh those concerns against the increased risks to national security if this capability were terminated with no equivalent program that addresses what the 9/11 Commission pointed out as a critical gap in the ability of the intelligence community to detect and “connect the dots” for foreign terror plots against our homeland. This program fills a significant gap in our ability to identify terrorist communications and, together with other authorities, can help us identify and disrupt terrorist plots, thus fulfilling the vision of the 9/11 Commission, which implored the Government to undertake mechanisms and collaboration which would prevent the recurrence of another 9/11.
We look forward to answering any questions you might have about these important intelligence collection programs and related issues. We understand that there are a variety of views in the Congress and among the American people about these activities, and we look forward to discussing these issues with this Committee as new legislation concerning these activities is considered. We hope that, with the assistance of this Committee, we can ensure that these programs are on the strongest possible footing, from the perspective of both national security and privacy, so that they will continue to enjoy Congressional support in the future. Thank you.
Saturday, June 29, 2013
GEN. DEMPSEY SAYS CYBERCOM BECOMMING MORE PROMINENT
FROM: U.S. DEPARTMENT OF DEFENSE
Dempsey: Cybercom Likely to Continue Gaining Prominence
By Claudette Roulo
American Forces Press Service
WASHINGTON, June 27, 2013 - U.S. Cyber Command, currently a subunified command under U.S. Strategic Command, likely will one day become a separate command, the chairman of the Joint Chiefs of Staff said here today.
Noting that the cyber threat will only continue to grow, Army Gen. Martin E. Dempsey told attendees at a Brookings Institution forum that he anticipates a day when operations in cyberspace become a dominant factor in military operations.
"But, at this point, Stratcom, with its global reach responsibilities, as well as its space responsibilities, is also able to manage the workload that comes with being the next senior headquarters to Cybercom," the chairman said. "I'm actually content [with] the way we're organized right now."
The chairman noted that the national effort to protect critical civilian infrastructure lags behind the military's efforts to secure its own networks, largely because information about cyber threats isn't being shared with the government.
"Right now, threat information primarily runs in one direction: from the government to operators of critical infrastructure," he said. Changing this will require legislation, he added.
The nation's top military officer said he's confident that indicators of an impending attack can be shared in a way that preserves the privacy, anonymity, and civil liberties of network users.
Cybercom will assume a new importance when that conduit opens, the chairman said. "If we get the kind of information sharing we need, that could be a catalyst for changing the organization, because the span and scope of responsibility will change," he explained.
Dempsey: Cybercom Likely to Continue Gaining Prominence
By Claudette Roulo
American Forces Press Service
WASHINGTON, June 27, 2013 - U.S. Cyber Command, currently a subunified command under U.S. Strategic Command, likely will one day become a separate command, the chairman of the Joint Chiefs of Staff said here today.
Noting that the cyber threat will only continue to grow, Army Gen. Martin E. Dempsey told attendees at a Brookings Institution forum that he anticipates a day when operations in cyberspace become a dominant factor in military operations.
"But, at this point, Stratcom, with its global reach responsibilities, as well as its space responsibilities, is also able to manage the workload that comes with being the next senior headquarters to Cybercom," the chairman said. "I'm actually content [with] the way we're organized right now."
The chairman noted that the national effort to protect critical civilian infrastructure lags behind the military's efforts to secure its own networks, largely because information about cyber threats isn't being shared with the government.
"Right now, threat information primarily runs in one direction: from the government to operators of critical infrastructure," he said. Changing this will require legislation, he added.
The nation's top military officer said he's confident that indicators of an impending attack can be shared in a way that preserves the privacy, anonymity, and civil liberties of network users.
Cybercom will assume a new importance when that conduit opens, the chairman said. "If we get the kind of information sharing we need, that could be a catalyst for changing the organization, because the span and scope of responsibility will change," he explained.
Subscribe to:
Posts (Atom)