• How Prism might work, and why that matters to Congress and you

    Bobby Yip / Reuters

    Photos of Edward Snowden, a contractor at the National Security Agency, and U.S. President Barack Obama are printed on the front pages of local English and Chinese newspapers in Hong Kong in this photo illustration.

    By Bob Sullivan, Columnist, NBC News

    How does Prism work? We have precious few details about the technical workings of the National Security Agency's global surveillance program, despite all the leaks and all the media coverage. That leaves the public and the technology community much like the blind men and the elephant.

    Details matter. Depending on which part of the elephant you touch, Prism is either a system that lets the NSA read, see and hear anything online at any time or a tool that streamlines the legal process by which federal agents execute court orders to obtain digital evidence while hunting foreign enemies.

    A hazy digital line separates these two possibilities, but the distinction matters both politically and legally. Congress will be unable to defend a program that allows U.S. spies to copy everything Google, Yahoo, and Microsoft know about us and store it forever in its new, super-secret Utah facility for later fishing expeditions. But there are well-established precedents that clear the way for federal agents to ask private companies to turn over their data specific to investigations.

    Given that Prism’s self-identified leaker Edward Snowden worked in information technology (he was fired from his job at Booz Allen Hamilton Tuesday), it's disappointing that he has not yet managed to leak more technical specifics about how the program works. Here's what we know so far:

    The FBI has launched a massive worldwide hunt for Edward Snowden, the 29-year-old NASA contractor who has turned the massive U.S. intelligence community inside out. NBC's Andrea Mitchell reports.

    Ashkan Soltani is an independent privacy consultant and consumer advocate and former Federal Trade Commission investigator. He says it's possible all these assertions are correct. Depending on what data the NSA needs, it employs some or all of those methods to get it.

    "It probably varies from company to company, based on what the company is willing to do," he said. "But the way I think it works is agents issue a directive to the company, and someone at the company, or a contractor on site, or a (computer program) collects those records and loads them into a box the NSA can access."

    No technologist interviewed for this story believes the NSA simply vacuums up every piece of data from all tech companies. Despite advances in storage and transmission speeds, that would still be technically challenging and probably unnecessary. Why recreate Google when the agency can just ask Google for the data it wants? 

    Early versions of the Prism story asserted that the tech giants involved voluntarily participated in the program and were unaware of the queries made by agents. But most of the firms said they'd never heard of Prism, and that they don't allow unfiltered access to data. Both can be true, Soltani said.

    "The NSA doesn't want companies to know the targets of their investigations, so I think they issue broad directives to the companies," he said. For example, rather than saying, “Give us all Bob Sullivan’s emails from last month,” the NSA hides its true intentions by saying “Give us all email written by someone with the initials B.S. last month.”

    It's also possible that Prism is an internal code name the NSA uses, and firms that installed locked mailboxes had no idea they were participating in Prism.

    "Assuming everyone is telling the truth, this is how I think it works," Soltani said. "And while we may disagree, there's certainly a way to imagine Prism is perfectly legal, based on the laws Congress has passed."

    There's plenty of precedent for technology companies giving streamlined data access to law enforcement. Last year, the American Civil Liberties Union released a study showing that wireless firms give thousands of location records to local and federal investigators; some even have website portals where the records can be ordered in bulk.

    It's uncomfortable seeing such mass surveillance in action, and it might be enough to stir renewed public debate on the topic, but Prism is the logical conclusion of laws Congress has passed and the natural tendency of law enforcement to push the envelope when investigating crimes.

    “Prism didn't shock me at all. When I read the FISA Amendment Act ... I see Prism with my eyes," said Chris Soghoian, privacy rights expert with the American Civil Liberties Union.

    If companies must act on each data request the government makes, they have the opportunity to step in and object. That might be a weak protection, but it is a protection. And it's a far cry from NSA agents simply rooting around Google at any time for anything.

    Soghoian and Soltani are concerned that leaks about Prism have directed attention away from an earlier leak showing the NSA has obtained millions of phone records detailing U.S. users' calls from Verizon. A leaked secret court order indicates Verizon is giving the NSA details about every call placed in the U.S.

    "When I look at the Patriot Act, I don't see that. That shocks me. It’s terrifying," Soghoian said. "What really matters, the million dollar question, isn't who has direct access to the data. It's the scale and volume of information being shared."

    Still, if Prism is as broad-reaching as some have suggested, that's a concern for Soltani.

    "The American public had previously, maybe unknowingly, relied on technical and financial barriers to protect them from large scale surveillance by the government," Soltani said. "However, these implicit protections have quickly eroded in recent years as technology industry advances have trickled down to the intelligence agencies, and as a result, changed the delicate balance of power.”

    The argument we are now having, pitting civil liberties advocates against law enforcement, probably should have happened in 2008, when the FISA law was substantially revised to clear the way for tools like Prism. As the costs associated with massive surveillance and data storage continue to drop, experts warn that it’s inevitable that privacy invasions will rise, unless unchecked.

    “We need to remember that this is a trend with a firm lower bound — once the cost of surveillance reaches zero we will be left with outdated laws as the only remaining barrier,” Soltani said.

    The demand for private intelligence contractors grew quickly after 9/11, leading to a large number of young, smart hires, many of whom have top secret clearances. Now, intelligence agencies say they could not function effectively without the expertise of these hires. NBC's Lisa Myers reports.

    Follow Bob Sullivan on Facebook or Twitter.

    Related stories:

    Comment

    Show more
    Explore related topics: , , , , , , , , , , ,

  • Use your personal smartphone for work email? Your company might take it

    Nicolas Asfouri / AFP - Getty Images

    A woman checks her smartphone in this file image.

    By Bob Sullivan, Columnist, NBC News

    If you use your personal smartphone or tablet to read work email, your company may have to seize the device some day, and you may not get it back for months.

    Employees armed with a battery of smartphones and other gadgets they own are casually connecting to work email and other employer servers. It's a less-than-ideal security arrangement that technology pros call BYOD — bring your own device.

    Now, lawyers are warning there's an unforeseen consequence of BYOD. If a company is involved in litigation — civil or criminal — personal cellphones that were used for work email or other company activity are liable to be confiscated and examined for evidence during discovery or investigation.

    It's a possibility even technology pros rarely consider, said Michael R. Overly, a technology law expert in Los Angeles.

    "You would be very surprised to hear that even extremely sophisticated business people seem shocked when they learn their personal phone, including email, GPS data, photos ... may be subject to review in litigation involving their employer," Overly said.

    BYOD is a worldwide reality and a dramatic shift in the way companies outfit their employees with work tools. Cisco Systems Inc. released a report earlier this year saying 42 percent of all "knowledge workers" own the smartphones they use for work, and two-thirds of companies expect the employee-owned device phenomenon to increase.

    Hidden cost
    The convenience is hard to ignore, as is the personal touch — workers love picking their own phones — but of course, cost savings is the real driving force. Increasingly, companies are requiring workers to supply their own gadgets at their own cost, the way a restaurant might require waiters to purchase their own uniforms.

    Even if companies reimburse those employees, there can be a big hidden cost for workers — the possibility of losing their phone for days or months while their company combs through it for data relevant to legal action.

    “People’s lives revolve around their phone, and they are going to become more and more of a target in litigation,” Overly said. “Employees really do need to understand that .”

    Giri Sreenivas, a mobile phone security expert at Boston-area firm Rapid7, warned discovery requirements can extend far beyond email stored on smartphones.

    "Text messages and cellphone records might be subject to discovery, too, even if you never connected to company email," he said.  "If lawyers believe the device was used for work purposes, it can be (taken).”

    Race to keep up
    How could firms gain the right to rummage through the most personal items on worker’s phones — pictures, texts, social media accounts?  In many cases, it’s not a right, it’s a duty, says Overly. When a company is sued, and required to produce documents as part of a discovery process, it must make a good-faith effort to retrieve data — wherever it may be. That includes employee-owned gadgets. 

    In fact, Overly says he was part of a case recently where a judge sanctioned a company for a discovery violation because it failed to search BYOD devices during discovery. He declined to name the case.

    Companies are racing to keep up with the trend — trying to set policies, inform workers of their rights, and superimpose BYOD rules over arrangements that organically evolved within their workplaces. Increasingly, companies are requiring workers to sign agreements that alert them to the potential of personal gadget seizure, Overly said.

    Christopher Dahl runs a Seattle-based firm that specializes in digital document retrieval for lawyers called Lighthouse eDiscovery. While he says industry discussion is dominated by talk of BYOD discovery, he said gadget seizure has not become common — yet.

    "We see mobile devices infrequently. We only had one come in last month," Dahl said. "It's typically pretty rare where the company can't get the same information from another location. Companies will have to disclose that the information is on that second location (the smartphone) but typically don't have to dig into that second place."  

    Red Tape wrestling tips
    Workers wary of having their personal phone nabbed can carry two phones – one personal and one for work – but even that’s not fool-proof. An occasional connection from the personal phone to work email can make the phone subject to discovery. Going this route requires diligent work and personal separation.

    "The No. 1 thing you can do to ensure your device is not subject to seizure is to remove any sort of company account ... and then inform the company it's been removed," said Sreenivas.

    Dahl warned about accidental blending of personal and work data through a seemingly innocent USB charge connection that leads to accidental synching of data. 

    There may be a technology solution to this problem in the future. The newest Blackberry phone claims to create a work data-personal data divide, which has the potential to limit the searches that might be conducted by company lawyers

    Follow Bob Sullivan on Facebook or Twitter.

  • Is US government reading email without a warrant? It doesn't want to talk about it

    Jonathan Sanger / msnbc.com

    Catherine Crump, a staff attorney for the ACLU

    By Bob Sullivan, Columnist, NBC News

    Does the U.S. government read your email? It's a simple question, but apparently there's no simple answer. And the Justice Department and the Internal Revenue Service are reluctant to say anything on the topic.

    In March, the American Civil Liberties Union caused a nationwide stir when the advocacy group released the results of its year-long investigation into law enforcement use of cellphone tracking data. After issuing hundreds of Freedom of Information Act requests, the ACLU learned that many local police departments around the country routinely pay mobile phone network operators a small fee to get detailed records of historic cell phone location information. The data tell cops not just where a suspect might have been at a given moment, but also create the possibility of retracing someone's whereabouts for months. In most cases, law enforcement obtains the data without applying for a search warrant; generally, subpoenas are issued instead, which require law enforcement to meet a lower legal standard.

    ACLU lawyer Catherine Crump, who ran the cellphone location data investigation, is at it again. This time, she has filed similar Freedom of Information Act requests with several federal agencies, asking about their policies and legal processes for reading Internet users' emails.

    "It's high time we know what's going on," Crump told msnbc.com. "It's been clear since the 1870s that the government needs a warrant to read postal mail. There's no good reason email should be treated differently."

    There are hints that it is being treated differently, however. In a landmark 2010 case, United States v. Warshak, government investigators acknowledged that they read 27,000 emails without obtaining a search warrant, violating both the suspect's privacy and the privacy of everyone who communicated with the suspect, according to Crump.

    Evidence obtained during that email search was thrown out on appeal by the 6th U.S. Circuit Court of Appeals, but that ruling applies only to four U.S. states.

    The case opened a window into what Crump fears is a widespread practice.

    In the aftermath of the Warshak case, the Internal Revenue Service told its investigators that they should not try to obtain emails without a court order, but in doing so it hinted that other warrantless email searches had been conducted in the past.

    For now, hints are all we have. Crump's Freedom of Information Act requests -- filed in February with the FBI, the IRS, the Justice Department's Office of Legal Counsel and other agencies -- were largely ignored, she says. So on June 14, she filed a lawsuit in the Southern District of New York in an attempt to force the agencies to comply.

    "Four months have passed and I haven't gotten a single document," she said. "The American people have a right to know."

    The federal agencies have until July 19 to reply to the lawsuit. The FBI is not included in the lawsuit because it replied recently denying Crump's request, saying it was too broad. The ACLU is appealing that determination through a different legal procedure.

    Justice Department spokesman Charles Miller directed all questions about the matter to the agency's New York office. A spokeswoman for that office, Ellen Davis, said she couldn't discuss it. 

    Twitter
    Send idea E-mail a tip to Bob Sullivan

    "We do not comment on ongoing litigation," Davis said in an email.

    Julianne Breitbeil, a spokeswoman for the IRS, said federal privacy laws prevent the agency from discussing the lawsuit.

    The Justice Department and the Obama administration had a chance to settle the issue in April 2011, during a Senate hearing on the Electronic Communications Privacy Act. Instead, officials with both the Commerce and Justice departments failed to provide any clarity. Instead, a Justice Department official argued against extending Fourth Amendment protections -- specifically strict warrant requirements -- to email, saying that doing so would hinder investigations.

    "Congress should consider carefully the adverse impact on criminal as well as national security investigations if a probable-cause warrant were the only means to obtain such stored communications," James Baker, associate deputy attorney general, testified at the hearing.

    Crump interpreted the testimony as indicating that warrantless email searches by federal agents are routine.

    "It was disappointing when the Obama administration refused to commit one way or the other to obtaining a warrant," she said. "It leads me to suspect the federal government isn't getting warrants."

    The 1986 Electronic Communications Privacy Act and its subsection, the Stored Communications Act, provides some guidelines for law enforcement review of email, but those are badly out of date now. They declare that federal authorities don't need a warrant for data that's stored externally (as opposed to locally, on a person's hard drive) if it's more than 6 months old. Given the ubiquity of services like Web-based Gmail, the 180-day distinction and the local vs. network storage issues are both now largely meaningless, and that's essentially what the 6th Circuit Court found.

    The discussion of requirements for email searches is more relevant than ever, given the explosion of social networks and their semi-private conversation tools and the coming of age of cloud services, where corporations are encouraged to keep all data in shared spaces that would fall under the Stored Communications Act. Concerned that such privacy issues would slow adoption of cloud services, a coalition of cloud-friendly companies calling itself "Digital Due Process," has argued for updates to the Electronic Communication Act that would require higher legal standards for digital evidence gathering.

    A critical element of the email issue is a debate about whether the Fourth Amendment requires the government to get warrant based on probable cause in order to read a suspect’s email. To get a warrant, the government must appear before a judge, and convincingly argue that inspection a suspect’s email will probably turn up evidence of a crime.

    "The warrant and probable cause requirement safeguard Americans' privacy in two important ways. Having to go to a judge means there is someone involved whose job it is to look out for the target's rights. And having to demonstrate probable cause will reduce the chances that innocent people have their communications read," Crump said.

    The distinction is also important as the U.S. government plunges headlong into new high-tech surveillance technologies, such as its massive new million-square-foot "Utah Data Center," under construction in rural Utah for the National Security Agency. The facility is designed to help protect cyberspace, NSA official have said. But Wired Magazine published a cover story earlier this year arguing that the facility will be capable of monitoring every email and text message sent around the world -- including messages to and from U.S. citizens. It is scheduled to come online in 2013.

    The NSA denies that the facility will be used to spy on Americans, but it's hardly far-fetched to surmise it will have such capabilities. 

    Explosion of such technological capabilities is why clarifying digital Fourth Amendment rights is so critical, Crump said.

    "No data is more personal than email correspondence," she said. "Email is deeply personal and private. It is an unfiltered view of our thoughts and a catalog of our relationships stretching back for years. Government agents should not be allowed to troll through all of our most private correspondence without proving to a judge that they have probable cause to believe that a search will turn up evidence of a crime."

     *Follow Bob Sullivan on Facebook.
    *Follow Bob Sullivan on Twitter. 

  • Study: One-third snoop on lovers' texts, e-mail

    By Bob Sullivan, Columnist, NBC News

    His cell phone sits on the night table while he showers. Her e-mail is left accidentally on the computer screen while she uses the bathroom. To look or not to look?

    It's perhaps the strongest new temptation of the 21st century -- the casual glance at a lover's cell phone text messages or e-mail.  This level of snooping once required rather deliberate spy-like behavior, such as rustling through a bedroom   drawer to find stashes of old-fashioned letters. Now it can happen as quickly as an instant glance.  And, according to one new study, it's happening a lot.

    But is such amateur sleuthing a normal part of life in the digital world, or does it mean couples need professional help?

     

    A study commissioned by online gadget review site Retrevo.com found that 38 percent of people under age 25 had stolen a glance at their lover's texts or e-mails - without that person's permission or awareness. Among married adults of any age, the rate was 36 percent.

    "We were surprised to see how large the percentage was," said Manish Rathi, co-founder of Retrevo.

    California-based couples counselor Jay Slupesky was not.

    "It happens all the time," he said. "That has brought people into counseling on many occasions."

    Spousal spying can be illegal

    There are numerous examples of extreme spousal spying.  Entire Web sites are devoted to buying hidden cameras, special cell phone snooping software, cracking e-mail passwords- and all manner of cyberspying. The newest trick, says Slupesky, is for one partner to secretly enable the GPS location software on a cell phone that's designed to help parents keep track of children. Then, a jealous spouse can virtually follow their lover's every move.

    "Snooping on spouses has been taken to the next level.  The next lower level, that is," he wrote in a recent blog entry. "This … is downright creepy."

    In some cases, spousal spying is illegal.  In 2005, the Department of Justice indicted the owners of a firm named LoverSpy, which sold electronic greeting cards laced with Trojan horse software designed to track a lover's Internet activity.  Authorities also charged four LoverSpy customers with illegal wiretapping.

    While most reasonable adults would agree that going to such lengths to spy on a lover is inappropriate, the issue is not nearly so clear when considering casual glances at cell phones or e-mail inboxes.

    Healthy relationship boundaries are constantly under assault from 21st century hyper-connectivity.

    "In the past if you looked around after your lover you'd get caught. You had to look at their phone bill or rummage through someone's drawers," said Rathi.  The spying required at least some measure of premeditation.  Today, spying can be completely impulsive. "Now, it's always available, and people don't necessarily see it as spying. It's just so easy to do it. The phone is sitting right there."

    Adding fuel to the fire is the rapid growth of smartphones, which put personal e-mail and texts in one handy, easily accessible gadget.  According to The Nielsen Company, only 10 percent of U.S. adults had a smartphone during the second quarter of 2008.  By the end of last year, that number had risen to 21 percent, and by 2011, Nielsen expects half of America to be using smartphones. That's a lot of opportunity for casual spying.

    Online relationship forums are jammed with debate about the ethics and mental health impact of such snooping.  In numerous places, lovers say they discovered infidelity by snooping and swear by the tactic. But nearly as often, the spying ends poorly.  In one anonymous thread, a woman admits reading her boyfriend's text messages and says she regrets it because "I found nothing to help me nor did I find anything to make me worry about our relationship." She later admitted the snooping to her boyfriend, who felt violated.

    "One of the things you will learn in life, as a girlfriend, or a parent," responds one advice giver, "is NEVER to admit when you spy."

    But Slupesky, the therapist, says it's never a good idea to cross that line.

    "I am always opposed to spying. If you are in a loving relationship, you just don't spy on your partner," he says. If there is suspicion of infidelity, the relationship needs therapy, not snooping-. "There are better ways to address your concerns."

    He did offer a broader perspective on cell phone spying, however.

    "I think some people are feeling distance from their spouse for whatever reason, and they think if they see who their spouse is e-mailing they will feel more connected.  That happens a lot," he said. "They are looking for a way to restore the connection...it's a way of asking, 'Are you still close to me? Am I still the most important person in your life? Do you still love me?' "

    Of course, there are healthier ways to deal with those profound questions. In therapy, Slupesky always tries to get lovers to stop the spying behavior.

    "One thing I do when someone tells me they are doing that is I ask, 'Did you feel better after you looked at his phone?' They usually say, 'No.' And then I ask, 'If it doesn't make you feel better, why do you keep doing it?' "

    But often, he said, the compulsion is too strong, and the access too easy, for his patients to stop.

    While the Retrevo survey found that men and women utilize casual spying equally, Slupesky said two-thirds  of his spying patients are women.

    "Women are more likely to notice something is missing in the emotional connection, and men cheat more," he said.

    Rathi said one way to help solve the problem of casual spying is to take away the opportunity.  Smartphone users should password-protect their gadgets to avoid creating an irresistible temptation for their lovers, he said. Logging out of Web sites and e-mail accounts is also a sound, safe computing practice.

    Retrevo plans to study the spying issue annually to identify any shifts in social standards on spying.

    "The amount of time people spend using these gadgets is increasing, and the amount of data they are consuming through these devices is continuing to increase.  So I think we will see more (spying) as time goes by," he said.

    Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.