Mobile would be great for taking this kind of approach to bug hunting.
Especially since Android just launched a (proper) bug bounty program. A ton of old problems are new again on Android, especially due to the fact a significant percentage of the OS stuff is being re-implemented in Java (IPC, sandboxing, etc). The more I dig into it the more I'm convinced very few people are conducting serious security reviews outside of Google.
> is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?
Well, most SF/HN startups' data wouldn't get people killed if leaked to the wrong hands, whereas OPM had sensitive information on spies/foreign agents/etc where that is a serious possibility.
The question I'm curious about is what if a Silicon Valley style startup was going to start a company holding ID information for gov workers? Including potentially identities of people whose livelihood depends on secrecy. I'd imagine they would be investing quite heavily in security. But it is plausible even that wouldn't stop nation-state attackers...
The problem is that you people like to extrapolate from one small scenario where the law will work without considering the greater practicality or long-term effectiveness of the law. The scenarios ignore basic facts about humans and technology. The simple fact is humans are resourceful and criminals have proven to be very dedicated.
Consider two things,
> in particular, it would take a lot to convince me that private ownership of assault rifles is anything but bad news.
The technological difference between an 'assault rifle' and a semi-automatic hunting rifle is very small. As Cody Wilson has demonstrated, with a few 3d-printed parts you can turn a simple rifle - which is already restricted by law from being an assault rifle - into a fully blown assault rifle with a relatively small amount of technical knowledge.
The same was true for decades with anyone with metal machining skills.
So how much of a difference will it make if the tech available is merely restricted and not banned? If you can easily modify the technology?
b) The proposed encryption laws must insist that they won't interfere with American corporations from creating, selling, and exporting encryption to valid purchasers. The development of better-and-better encryption will not stop. It will still be one of America's greatest exported technologies. An industry the US dominates (software).
So now taking that into consideration, will it be feasible to stop criminals from getting access to encryption?
Similar to encryption, America is the largest exporter of weapons in the world - unlike the UK or Scandinavian countries.
The simple fact is that there will be a huge market of both weapons and people (with specialized-skills) which will leak their guns/knowledge onto the black market. Combine that with the internet and decentralized tech and you have a very challenging regulation environment.
At best, it will become yet another 'arms race' between criminals/police that is ultimately a net-negative investment for society (see: drugs).
> The same was true for decades with anyone with metal machining skills.
This. Also consider there are people with machine shops all over the country that make AR-15's from scratch. These are so-called "custom" firearms. Would we have to go around shutting down all machine shops if we outlawed "black" (named for the blueing) guns?
Just a reminder about FISA's historical performance:
> Between 2001 and 2012, the FISA judges approved 20,909 surveillance and property search warrants - an average of 33 a week. During that 12-year period, the judges denied just 10 applications. Prosecutors withdrew another 26 applications.
> From 2007 to 2012, FISA judges also approved 532 "business record" warrant applications, the category used in the order that directed Verizon to release metadata on all phone calls inside the United States. No business record warrants were rejected.
and, on the judges' perception of themselves:
> Walton, the senior judge on FISA, declined to be interviewed. In a statement, he said: "The perception that the court is a rubber stamp is absolutely false. There is a rigorous review process of applications submitted by the executive branch, spearheaded initially by five judicial branch lawyers who are national security experts, and then by the judges, to ensure that the court's authorizations comport with what the applicable statutes authorize."
I can tell you from first hand experience that getting a warrant TO the FISA court from a sponsoring agency is a massive bureaucratic battle in and of itself.
Reason being, the agency powers that be don't want to send something up that will be disapproved because it takes significant time and effort of general counsel and leadership of these agencies to process, implement and track to maintain compliance - even if the warrant is reasonably broad.
So these numbers really don't mean anything in terms of just "blanket surveillance." The bar for even getting something to the court, in my experience, is incredibly high and you typically need very high ranking people to sign off on it. Which means your evidence, reason for doing and ensuring that it is within the boundaries of EO 12333 and a million other regulations, has to be pretty airtight.
Imagine a system that works as follows. You can have people assassinated. In order to do so, however, you need to fill in a hundred-page form with exhaustive details of your personal finances, your medical history, and the contents of your computers' hard drives; and then you need to play six sets of tennis against a strong player and win at least two; and then you need to play a 7-game chess match against a holder of FIDE's International Master title, and win at least two. Oh, and then there's a fee of $100k. Once you've done this, your application takes six months to be processed. Every week during this time, you get a callback and are asked intrusive personal questions about your sex life, your religion, and how you have voted in past elections. And then, at the end of the six months, the person named on the form gets assassinated by government agents.
Can we agree that (1) this would be a "massive bureaucratic battle", and (2) the bar would be "incredibly high" ... but (3) this shouldn't reassure us much, because jumping through the bureaucratic hoops and meeting those difficult criteria doesn't actually constitute good reason for having your target assassinated?
Your comments about the FISA court seem a little like this. Let's stipulate that getting approval is a tiresome process, and that there are difficult criteria to meet. That doesn't in any way guarantee that it only happens in cases where it's actually a good idea.
That's a terrible analogy. The bureaucracy isn't there as just a speedbump. It's there to make sure you don't waste time on cases doomed to fail. Secondly, surveillance is an essential tool in fighting crime. Assassinations are not.
> "Secondly, surveillance is an essential tool in fighting crime."
This is a very dubious assertion. I'm not aware of any evidence that mass surveillance deters or prevents crime at all, much less is "an essential tool" for doing so.
But even if one, for the sake of argument, concedes the point that mass surveillance does significantly deter or prevent crime, you still have a system set up where the costs of that surveillance (loss of privacy, loss of accountability for abuses of power, introducing/secretly discovering backdoors, etc) are borne by the least powerful--ordinary citizens--while the benefits of mass surveillance (concentration of power, ability to bribe/extort/intimidate rivals, being seen as "doing something" about terrorism, etc) accrue only to those who are already powerful.
That is the real problem with mass surveillance. It creates a positive feedback loop that only exacerbates existing power imbalances, inevitably leading to corruption and capricious injustices by those who are most able to get away with it. Having a speedbump on the road to that inevitable destination, even a big one, is not much of a consolation if the heading is still the same.
Exactly that, as long as you have those who have access and those that don't you have something to be exploited. There you move towards a great divide in power, towards total lack of privacy or you don't gather the data. I think the latter is actually the least likely. There are a lot of really powerful things you can do with good data, that seems worthwhile. The issue is then exploitation of that knowledge. For sure advantage will be had by someone, question is extent of imbalance and lack of privacy.
> I'm not aware of any evidence that mass surveillance deters or prevents crime at all, much less is "an essential tool" for doing so.
Oh, you think you are sneaky. This is so carefully worded. You explicitly twist the words of the GP, where they use "fighting crime" you turn that to meaning "deters or prevents crime." They mention "surveillance", and you turn that into "mass surveillance."
That's like me saying "I don't see how fingerprint analysis helps to deter or prevent crimes." Oh sure, it helps capture people after the fact, but I don't think there has ever been evidence shown that fingerprint analysis has actually deterred or prevented crime.
So, while you can stand there, smug with your "technically correct" remark, the reality is "surveillance is an essential tool in fighting crime" has been proven to be correct time and time again, and has been instrumental in handing convictions for a long, long time.
However, you also don't provide much proof that "surveillance is an essential tool in fighting crime". Its efficiency to deter/prevent crime, or even to help catch offenders a posteriori, is also highly debatable (I guess it's more likely to be helpful for the latter, but that still makes the definition of "fighting crime" rather vague as well).
There is another way in which the analogy is flawed. The analogy states that after the six months, when the forms have been reviewed or approved, the target dies.
If this is to be analogous to bulk surveillance, the assassination agency would have to discover that the target had actually died in an accident eight months ago, just before the forms were submitted, and they would simply retroactively dismiss any wrongful death or homicide cases that may be ongoing.
The panopticon operators are asking forgiveness rather than permission, and only for those specific instances where the surveillance needs to be laundered from illegally gathered to warrant-authorized.
As such, I have no faith that the spying has ever stopped, or slowed, or even decreased its rate of growth. The steep bureaucratic hurdle does nothing to prevent it. The most it does is limit the amount of information that can be moved from the shadows into the sunshine via that method, and strongly encourages less costly alternatives to actually honoring the law. One such workaround is "parallel construction", where the illegal spying is converted into an anonymous tip to another "innocent" agency of the state, who then gets reasonable suspicion on a pretext charge--like failure to signal a lane change, plus the invocation of the magical ritual phrase "I smell marijuana"--and then the road-patrol cop somehow finds 20 kilograms of cocaine in the trunk.
Fixing or eliminating the FISA court won't stop the behavior. Only actual accountability for the people actually doing the dirty deeds will help.
So let me get this straight, to prevent agents from wasting time on cases that are doomed to fail, they make sure that agents waste large amounts of time going through bureaucracy for legitimate cases that will probably win?
That's a straw man argument. Andrew said that the reason the court doesn't decline a lot of requests warrants is because the cases that are not "airtight" never make it to the court. I think this is a fair response to the original comment analyzing the court's "historical performance" as being too lax.
Good question. I don't know if we should, although I've heard similar things said about requests to non-FISA judges, as well. It makes sense to me that if investigators' careers involve learning to cross their t's and dot their i's before they go to a judge requesting an intercept, and they spend years doing it, they get good at it.
Separately from belief, which is somewhat subjective (i.e. it involves more inputs than is practical to list in a discussion), it's important to realize that on a logical level, there are at least two interpretations to a 99% acceptance rate: (1) the bar is really low and (2) there are pre-filters. The certainty with which I often hear (1) being declared or implied seems to miss this point.
You make good points to ponder. In this sort of situation I find that looking at the outcome or the end result provides more information towards the intent or competency of the subject questioned. In my opinion the only real reason for a FISA court's existence is to prevent civil laws from being broken.
Has the FISA court overstepped the constitution in favor of securing our liberty? Has the FISA court been successful in securing privacy for those they serve?
I don't believe you, sorry. You may be telling the truth but there are so many lies we've been told that I just don't.
Sorry, that's how it is and I'm sure a very large number of people would agree with that.
The FISA court /is/ a rubber stamp, how do we know? Ed Snowden told us about all the incredible amounts of overreach that the FISA court approved in secret.
We're at far more risk from public servants with delusions of grandeur and infallibility going unchecked than lunatics with bombs. Lunatics with bombs cannot destroy democracy & freedom.
“The Constitution is not an instrument for the government to restrain the people, it is an instrument for the people to restrain the government - lest it come to dominate our lives and interests.”
― Patrick Henry
This is exactly the case. The reason there are almost no denials is that there would have been a great amount of due diligence performed to ensure that FISA collection was warranted. The fact that there are any denials after such analytic rigor takes place, suggests that the FISA court is not a rubber stamp.
Every single year people who are read onto FISA must complete a comprehensive course on how to deal with FISA data, and it's not taken lightly. People lose their job over mishandling of this type of data, for reasons such as: poor query construction, failure to timely delete accidental collection on US Persons, or collecting without prior justification.
> failure to timely delete accidental collection on US Persons
You mean that rule which previously said you had to delete accidentally collected information regarding US persons after 6 months? That rule was changed a year ago to 5 years, and in 4 years there won't be any systems left that can delete information and the 5 years will be extended again and again, in the same way as copyright.
It's believable that FISA approval is hard to get, but it's not reassuring. What gets through FISA and what people want the government to do don't match well at all. We've already seen leaked examples of what gets through FISA, and a lot of them are sweeping, invasive, and don't respect the US persons standard in the ways most people would like.
Basically, there's no way to claim the system works when we can watch it produce bad results.
The issue seems to be what is considered warranted/justified. Legal vs Moral
If the rules/procedures/expectations are well defined, one will attain a great rate of success simply by virtue of having a system which can be predicted (failing candidates early, prior to submission). This doesn't mean that the system is a rubber stamp, simply that it is reasonably consistent and that the expectations are clear.
This view of rigor/justice contradicts perhaps a common sense understanding which could be rephrased perhaps along the lines of 'should this be warranted/justified?'
It is frustrating perhaps as a result of this mismatch.
The problem with your argument is that nobody can legally validate its central premise, because nobody is allowed to review applications to the FISC.
Unless you have some sort of inside track, I must ask you how you know that applications are thorough and well constructed? Because the only way to be sure is to allow for public scrutiny, but the whole point of the FISC is to avoid this.
The NSA has re-interpreted the meaning of the word "relevant" (for investigation) in order to collect millions of people's data at once. How can the FISA judges ever approve that?
Also, you're forgetting that a federal Court has just said that the Patriot Act NEVER allowed for bulk collection. Yet the FISA Court allowed it. Why?! But that's what you get with a secret spy Court that has no accountability.
I've been thinking about this for a while. This is a very compelling argument.
You must have left on horrible terms though, the FISA court has just approved tracking your personal calls. I realize it's not personal, heck, they did the same to me. Nonetheless, there is a warrant to track your personal data. I'm not sure how reliable you could be. Why would they collect your data if you aren't under investigation?
Anyway, this is a stupid ranty argument appealing to emotion rather than logic. Bulk collection seems wrong in a way I have a hard time articulating.
Honestly, this isn't meaningful reassurance. I'll grant that the FISA approval rate is a bad number to look at - most approval systems eventually get into a pattern where people only submit things that will get approved.
On the other hand, saying that it's hard to get something to the court means basically nothing unless we trust that the bureaucracy and the court share our standards for "good requests". Having seen what things the FISA court has approved in the past, we can say that the system doesn't work simply because it already hasn't worked.
If this is true, it doesn't help at all. Getting a patent approved by the USPTO takes literally years (plural plus). Yet look at all the terrible patents and how the patent system has essentially become the opposite of encouraging innovation.
Government agencies will use FISA because it's there and they know it will get them what they want regardless of whether it makes sense to do it or not, leaked documents have shown.
I believe you misunderstood him. He seems to be saying that almost no invalid requests were submitted, because there was a rigorous review before submission. The court might not be a rubber-stamp, but the agencies happened to only send reasonable requests, so they got approved.
This is a great summary of the problem, and of why we're talking at cross purposes. Defending the accuracy of the FISA decisions only defends point one, while almost everyone attacking the court is talking about point two.
Whoever mentions the numbers on how few applications were rejected as an argument seemingly can't be talking about point two. And that was what prompted this particular discussion, so I don't think you can claim the people involved are talking about point two.
Not sure if you read the OP, but it made it clear the conflicting ruling was from the Second Circuit, not the Supreme Court. Also, the Second Circuit ruling was based on Congress not being clear on what was allowed; now that Congress passed another law that extends bulk collection for 6 months, that argument no longer applies.
Maybe so, but what evidence does the public have of that claim? We get only the tiniest peeks at this process, and they look terrible, and then we're told "it's not so bad, you don't have enough information to know."
Which is exactly what people have complained about.
I stop you right at the term 'court'. The doors are locked and all proceedings are done in secret with no counterparty. I say this 'court' doesn't conform to its definition of a "place where justice is administered". Maybe "court theatre" or "cargo cult court" might be a more accurate term?
If the evidence bar is so high, why exactly have there never been any arrests made using the data? That is an awful lot of people affected negatively for a zero benefit program. You would think a massive bureaucratic battle to only submit valid warrants would result in at least one arrest.
> why exactly have there never been any arrests made using the data?
To clarify, the statements in press have been that no terrorists have been arrested based on the data. That is not the same as never having arrests.
There have been plenty of domestic arrests but they don't typically fall under the "terrorism" scope because of the nature of the act. Espionage etc... can be proven with this data and actions can be taken (like arrests) more quickly and easily than determining if someone is going to attack something a la terrorism.
They have been hiding the activities of FISA by using parallel construction as the basis for arrests: 1) Get dirt on someone illegally. 2) Find a legal avenue to discover that same information now that you know it's there. That protects their collection methods when defendants try to find out how they were nabbed. The FISA warrant never has to be disclosed if no one outside the community knows it exists. Consequently they are never "officially" used for an arrest.
So the justification of the warrants is to use a "national security" cover for spying on people while evading discovery for when we don't actually use it for national security? That sounds pretty impeachable to me.
The problem with an explanation like that is three-fold:
1. It applies to agencies you know and more specifically parts of those agencies you have experience with. Many federal agencies have demonstrated that the left hand and the right hand don't always talk.
2. Other agencies are free to apply different policies (cough NSA cough DEA cough) that aren't in line with say, the FBI's policies.
3. This does not change the fact that the FISA court acts as a rubber stamp, the bulk majority of what it rubber-stamps might have met the requirement of EO 12333, some of it might also have been legal under the constitution and existing laws or maybe the judges are so blasé that they just assume that most of what they see must be OK, it got there after all.
Well, it's also very high. Obviously, because these are highly trained, hard working, excessively competent, law enforcement agents who wouldn't suspect a person if he weren't doing something wrong. Who's got the time for that what with them being chronically under-funded, under-trained, and under-staffed. /s
Ok, let's assume anecdotally that this is true. This is your experience.
How would this be any different from the bar that a prosecutor has for bringing a criminal trial to court? Lost time, lost reputation, chance of losing the election. Every time a prosecutor decides to go all in, they're taking what could be a huge risk -- if not in that particular case then in the aggregate.
Yet we see much different numbers from courts when an open adversarial system is used.
So a reasonable outside observer is left to conclude that either the federal government is full of incredibly competent legal minds, for whom the slightest mistake would be anathema -- or it's a rigged game. Doesn't matter what they bring.
I understand I'm making a bit of a false dichotomy for rhetorical effect, but my argument is still sound. One of these options is much more likely than the other one.
That's not a fair comparison, because the FISA court isn't proving guilt, it's requesting a warrant by attempting to prove reasonable suspicion. It would be a fair comparison if you compared them to the percentage-granted for regular search-warrants, and what I can find online seems to indicate that it's fairly high for those as well, again because they're not proving guilt.
And we're expected to believe that the three letter agencies just sit around, twiddling their thumbs, patiently waiting all those months for FISA approval before commencing surveillance on their targets?
A pair of judges every six months with 800 applications to review? Or a pair of judges every month with 150 applications to review? In what time period? Do they spend an hour? A whole day? A whole week? All we have to go on is one vague article.
...and that article suggests that (if we accept they rotate duty and meet monthly say) they spend, on average, (8 hours / 133 * 60 minutes) ~3.5 minutes carefully evaluating each application. If not, it's ~30 seconds per application.
So are the numbers wrong? Or is the bold assertion that they 'carefully review each application' completely farcical?
30 seconds to rubber stamp an application sounds about right to me.
The point remains; there is no 'fulltime' FISA court.
Periodically the presiding judges get together and process a bulk of applications all at once.
> A pair of judges ... Do they spend an hour? A whole day? A whole week? All we have to go on is one vague article.
The FISC has its own website which happens to answer your question right on the "About" page:
> The Court sits in Washington D.C., and is composed of eleven federal district court judges who are designated by the Chief Justice of the United States. Each judge serves for a maximum of seven years and their terms are staggered to ensure continuity on the Court. By statute, the judges must be drawn from at least seven of the United States judicial circuits, and three of the judges must reside within 20 miles of the District of Columbia. Judges typically sit for one week at a time, on a rotating basis.
> ...and that article suggests that (if we accept they rotate duty and meet monthly say) they spend, on average, (8 hours / 133 * 60 minutes) ~3.5 minutes carefully evaluating each application. If not, it's ~30 seconds per application.
No, the article says 33 per week. The judges aren't meeting together every few months; the sitting judge is replaced by the next every week or so. Assuming an 8 hour work day and 33 warrants per week, that's (8 * 5) / 33 = 1.2 hours per warrant on average.
All the real work is being done by clerks and staff attorneys. The judges just show up to read the briefs and sign the orders. I doubt the judges themselves are spending much more than 15 minutes on each warrant. The court staff are likely spending 4-12 man-hours on each warrant, mostly filling in the blanks on forms and boilerplate.
And their jobs are not really to weigh the merits, but to cover the judge's ass, just in case something really egregious comes back that points at their bench.
As they preside over a secret court that determines whether the low standard of reasonable suspicion has been passed, the judges barely need to spend any time at all actually judging anything. The worst that can happen is that the trial judge might exclude the evidence collected on their warrant, and that's about as damaging to their careers as an ingrown hair.
I'm not sure you could find a cushier job if you designed one from scratch.
On the other hand, we do have expiry (by default) of the secrecy surrounding regular warrants when they're executed, plus the ability to challenge them at trial and in appellate proceedings, with the result that there's an enormous amount of regular case law about them, even though all of them were originally issued ex parte.
So that is very different.
The main exception that we know about in the regular criminal justice system has been cell site simulators and cell site location information, where the government tried super-hard to prevent people from knowing that this information was being collected or challenging its collection or use.
It's about stuffing databases full of surveillance information gathered by the NSA; databases which are shared with law enforcement agencies across the country. Those agencies then use the data to mine for leads, stage fake context searches, seize peoples' property, and put people on criminal trial; all while denying collusion with the surveillance state. I'm supposed to think this is all okay because, 'hey, they're guilty, right?' except that 1. This is explicitly prohibited by the Bill of Rights and 2. They aren't always guilty.
So how does the FISA court determine that "3-hop" people (millions) are "suspicious", then?
The standard for an NSA "general warrant" is FAR, and I mean FAR weaker than for a regular warrant. Literally orders of magnitude weaker, to the point you could barely consider it a "standard". Especially when the FISA court approves for 3 months at once (and now for 6).
What kind of "warrant" is that? Does that sound reasonable to you?
I hate to break it to you, but organizations and agencies are basically using humans to further their own desires, such as to continue existing and expand their powers. You can see this in organizations ranging from companies to government agencies. And Big Data is like crack cocaine to them. Do you really think you can cut off their access to something so eminently collectable? Do you think if technology has enabled it, then organizations won't find a way to use it? If the USA spy agencies don't do it, the Chinese and Russians will. The details of some domestic law don't matter, they'll just find ways around it. At the end of the day, the organizations need the data. Humans can only fight organizations with other organizations... humans that try to get in the way on their own are eliminated and replaced.
> comport with what the applicable statutes authorize
If the statutes are extremely broad and permissive of surveillance, then he could well be telling the truth - FISA could be rigorously scrutinising every request and finding that the statutes permit almost all of them.
The resistance to the Bill of Rights was based on this very notion, the fear that adding an enumeration of some rights would eventually be seen as an enumeration of all rights and that any rights not explicitly enumerated would be considered as lesser rights not protected by the Constitution.
Of course, a right being clearly stated in the Constitution doesn't do much to protect it either. Consider all the limits on gun ownership that run counter to the second amendment. Even someone who is against guns should be of the view that a Constitutional amendment should be needed to allow for limits like those we currently have. For example, banning a mentally ill person from owning a gun or charging a licensing fee to own a gun. Both of these exist and are not considered to infringe on second amendment rights. Now imagine if the same logic was applied to other rights, such as a fee to vote or not allowing free speech to those deemed to have a mental illness (never mind the difficulty in determining what constitutes a mental illness).
Even if it was ultimately valuable in that way, cold war espionage was still an extremely expensive theatrical game of back and forth - often piggy-backing on morally-questionable methodology in order to get those results.