Updated: Snowden documentary pulled from site (but here’s where you can still pay to watch it)

Citizenfour, the acclaimed Edward Snowden-centric documentary (and recent Academy Award winner), is now available to watch online for free at Thought Maybe. The film traces the origins of how Edward Snowden leaked numerous top-secret NSA documents and his meetings with filmmaker Laura Poitras and journalists Glenn Greenwald and Ewen MacAskill, whose work on the leaked files would eventually lead to a Pulitzer prize for public service. The filmmakers and Snowden recently participated in a Reddit AMA in which Snowden said he wished he could have leaked the documents sooner.

UPDATE: Well, that didn’t last long. Looks like the site that posted the documentary did so under dubious circumstances. If you still want to watch it, you’ll have to head to the filmmaker’s website and scan for a screening, head over to HBO Go or watch it on Channel 4 where it will be up for a few more days.

Gemalto downplays impact of NSA and GCHQ hacks on its SIM cards

Dutch digital security firm Gemalto, which is the world’s biggest manufacturer of SIM cards, has reported back on internal investigations triggered by last week’s revelations about the NSA and GCHQ hacking into its systems and stealing encryption keys that are supposed to protect phone users’ communications.

On Wednesday Gemalto said it reckoned a series of intrusions into its systems in 2010 and 2011 could have matched up with the attacks described in documents leaked by Edward Snowden and published by The Intercept. However, it downplayed the impact of the attacks on its systems and SIM encryption key transfer mechanisms, hinting that the methods described in the documents were more likely to have affected its rivals.

For a start, Gemalto said these attacks, which involved the “cyberstalking” of some of its employees in order to penetrate its systems, only affected its office networks:

The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data…

It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.

Regarding that method of targeting encryption keys in transit, Gemalto said it had put in place “highly secure exchange processes” before 2010, which explained why the documents noted how the NSA and GCHQ failed to steal the keys for certain Pakistani networks.

The company said that at the time “these data transmission methods were not universally used and certain operators and suppliers had opted not to use them,” though Gemalto itself used them as standard practice, barring “exceptional circumstances.” In other words, Gemalto does it right (most of the time) while other suppliers may not have been so cautious.

Gemalto, whose stock price was whacked by last week’s revelations, also said that the attacks could only have affected 2G SIM cards, due to enhanced security measures introduced in 3G and 4G versions. “Gemalto will continue to monitor its networks and improve its processes,” it added. “We do not plan to communicate further on this matter unless a significant development occurs.”

On Tuesday, another SIM card vendor, Germany’s Giesecke & Devrient (G&D), said last week’s report had prompted it to “introduce additional measures to review the established security processes together with our customers.”

Snowden: “I should have leaked sooner”

A day after Citizenfour, a documentary in which he stars, won an Academy Award, Edward Snowden along with director Laura Poitras and journalist Glenn Greenwald sat down for a Reddit AMA.

Snowden, the former NSA hand turned whistleblower, basically blew the lid off the National Security Agency’s intelligence-gathering procedures, embarrassing the U.S. government, angering its allies and throwing tech vendors into a quandary over how to protect people’s data without running afoul of the government. His leaking of key information to Greenwald, Poitras and Washington Post reporter Barton Gellman prompted some to call him a traitor, while others see him as a hero fighting to protect citizens’ rights to privacy.

One burning question from the AMA was, what does Snowden, who has been in Moscow since June of 2013, regret most about the events of the past few years? Mostly that he hadn’t done what he did earlier:

Had I come forward a little sooner, these programs would have been a little less entrenched, and those abusing them would have felt a little less familiar with and accustomed to the exercise of those powers. This is something we see in almost every sector of government, not just in the national security space, but it’s very important:

Once you grant the government some new power or authority, it becomes exponentially more difficult to roll it back.

Another good tidbit: Citizenfour will not be the last film we’ll see out of this episode. Poitras said she plans to release more footage of the long Snowden interview she and Greenwald did in Hong Kong, as well as a separate interview with Snowden on the technical aspects of what he did.

“I also filmed incredible footage with Julian Assange/WikiLeaks that we realized in the edit room was a separate film,” she said.

Updated: Mozilla, Deutsche Telekom won’t release “privacy phone”

Update: Mozilla has told TechCrunch that the WSJ’s framing of this as a partnership around an actual phone was inaccurate. In other words, there’s absolutely no news here beyond the more general Firefox OS collaboration that we reported on one year ago to the day. For the record, I did contact Mozilla’s representatives to seek comment before publishing my original piece, but received no reply.

That original story follows thusly:

A year back, Deutsche Telekom and Mozilla said they were working together on privacy-centric features for Firefox OS, including “location blurring” (fine-grained control of how much location information to give to each app), guest mode, and a registration-free “find my phone” tool. It looks like that collaboration is about to bear fruit: According to a Wall Street Journal piece on Tuesday, the companies will unveil a “privacy phone” at the upcoming Mobile World Congress that will include such features. The article also notes how the T-Mobile parent and other German carriers are lobbying against the last-minute watering-down of strict new EU data protection rules that will cover web service providers such as Google and Facebook.

UK access to NSA mass surveillance data was illegal, court rules

The system through which U.K. spy agency GCHQ can access data from NSA mass surveillance programs was in violation of fundamental rights, the Investigatory Powers Tribunal has ruled. However, the limits of that finding have left human rights groups dissatisfied.

The decision came as a result of a case brought about by Privacy International, Liberty and other human rights groups regarding the Prism and Upstream programs. Prism is the scheme through which U.S. intelligence gets users’ communications from service providers in that country, and Upstream intercepts bulk data from the internet’s core infrastructure.

In December the IPT ruled that it was legal in principle for GCHQ to get data from these programs now – i.e. from December 2014, in the post-Snowden world, where people actually know what’s going on – but it held back on saying whether there had been historical breaches of human rights.

Having subsequently heard out both the complainants and the intelligence agencies, the tribunal said on Friday that the data-sharing regime had violated the rights to privacy and free expression, as set out in Articles 8 and 10 of the European Convention on Human Rights. However, it reiterated that it believes the system now no longer does so.

In a statement on Friday, Privacy International said it and Pakistani NGO Bytes For All would ask the IPT, which generally acts as a secret court, to “confirm whether their communications had been unlawfully collected prior to December 2014 and, if so, demand their immediate deletion.”

The groups also disputed the December ruling’s assertion that the disclosure of “a limited subset of rules governing intelligence-sharing and mass surveillance” made everything OK. They will now appeal that ruling with the European Court of Human Rights, as will Liberty.

Here’s what Liberty legal director James Welch said in the statement:

We now know that, by keeping the public in the dark about their secret dealings with the National Security Agency, GCHQ acted unlawfully and violated our rights. That their activities are now deemed lawful is thanks only to the degree of disclosure Liberty and the other claimants were able to force from our secrecy-obsessed Government.

But the Intelligence Services retain a largely unfettered power to rifle through millions of people’s private communications – and the Tribunal believes the limited safeguards revealed during last year’s legal proceedings are an adequate protection of our privacy. We disagree, and will be taking our fight to the European Court of Human Rights.

“We must not allow agencies to continue justifying mass surveillance programs using secret interpretations of secret laws,” Privacy International deputy director Eric King added. “The world owes Edward Snowden a great debt for blowing the whistle, and today’s decision is a vindication of his actions.”

Report: US to grant foreigners limited NSA data deletion rights

The U.S. administration is set to make a few changes to the country’s mass surveillance practices, according to a New York Times report late Monday.

The piece, which appears to be based on official leaks ahead of a Tuesday announcement, suggested foreigners will for the first time get limited rights regarding how their personal data is treated after it’s been scooped up by agencies such as the NSA. Whereas the data of Americans would be deleted after incidental collection, foreigners’ data would be deleted after five years.

This is a small step – it’s arguably better than nothing, and most countries’ surveillance operations don’t grant privacy rights to foreigners. However, that doesn’t make the NSA’s practices OK, particularly as they and their “Five Eyes” partners have unrivalled access to foreigners’ data.

Data collection still violates the right to privacy, and the discrimination between Americans and non-Americans still falls foul of the basic human rights tenet that maintains all people should enjoy equal protection under the law, as stated in Article 26 of the International Convention on Civil and Political Rights (ICCPR). As it happens, the U.S. ratified the ICCPR with one “reservation” being that discrimination is allowed when it is “rationally related to a legitimate governmental objective.” The U.S. Constitution also grants equality under the law, but its application to foreigners outside U.S. borders is a complex matter.

Then again, human rights are inalienable and countries don’t grant them – they recognize them, or not. Even if the U.S. is about to grant foreigners some legal rights regarding the deletion of their recorded/stolen personal data, the 95 percent of the world’s population living outside those borders still has good reason to complain about their treatment by the NSA.

The White House’s changes would also formalize a process for the monitoring of international leaders that was drawn up after the embarrassing revelation – from the Snowden documents – that the NSA was spying on German Chancellor Angela Merkel. The NYT piece was fuzzy on this: It seems some leaders are off the spy list and some aren’t.

The gag orders associated with national security letters – the orders that force communications providers to hand over customer data – will also “presumptively” end after three years, the article stated, although “mid-level” intelligence agents will be able to plead for continued secrecy.

This article was updated at 4am PT to note that most countries’ surveillance operations don’t grant privacy rights to foreigners.

Report: China wants backdoors in imported tech, but only its own

Western companies are doing big business in China, but storm clouds lie on the horizon. According to a New York Times report, new banking security rules approved in the People’s Republic at the end of 2014 require those selling hardware and software to Chinese banks to install backdoors for the benefit of Chinese security services.

The rules also state that companies must “turn over secret source code [and] submit to invasive audits.” While seriously problematic for many firms, this element isn’t particularly surprising.

In the wake of Edward Snowden’s NSA revelations and the U.S.’s indictment of Chinese army officials for industrial espionage, China’s authorities have repeatedly implied that U.S. products are themselves a threat to national security, because they track users and/or may contain NSA backdoors. Reports in May 2014 suggested that China was considering banning banks from using IBM servers.

On the consumer side, Apple for one has already reportedly agreed to let China’s security services screen its products to ensure their safety. However, many firms may find this demand impossible to meet, due to intellectual property and security concerns.

Of course, the U.S. is also pushing companies dealing in communications devices and services to install backdoors for its own intelligence and law enforcement purposes. Both administrations – and that of the U.K. – want firms such as Apple to hand over a key to users’ private communications, even though the companies have recently been moving to a more secure end-to-end encryption model where they don’t hold any keys. This is effectively a backdoor demand, though authorities generally prefer to call it “lawful intercept.”

Draft Chinese anti-terrorism laws are pushing for the same thing. This is one of the many problems with official policies that undermine genuinely strong encryption. Particularly in a globalized trade context where your nation’s companies want to make money in foreign markets, it’s a bit hopeful to think backdoor privileges can be reserved only for your own security apparatus.

However, the Times piece talked about China’s new banking regulations forcing equipment makers to build in “ports” for official monitoring purposes. This is where things get really complicated: the rules may require companies to create special versions of their products for China, and U.S. tech firms and the Chamber of Commerce are reportedly anxious that the move may be protectionist in nature.

Levitation program tracked file-sharing sites, Snowden doc shows

The Canadian spy agency CSE monitors activity across over 100 free file upload sites, a newly-revealed PowerPoint document from NSA whistleblower Edward Snowden’s cache has shown.

The document describing CSE’s Levitation program was published on Wednesday by The Intercept, reporting alongside Canadian broadcaster CBC. Although Canada has long been known to be a member of the core Anglophone “Five Eyes” spying club, this is the first Snowden revelation putting it at the forefront of one of the Eyes’ mass surveillance programs.

Using an internet cable-tap program called Atomic Banjo, CSE’s agents were at the time of the presentation’s authoring collecting HTTP metadata for 102 cyberlocker sites, including Sendspace and Rapidshare, and tracking 10-15 million “events” each day to find “about 350 interesting download events per month.” And yes, this meant filtering out loads of TV shows and such.

According to the presentation, the technique yielded a “German hostage video” (the hostage was killed, according to The Intercept) and an “AQIM [Algerian al-Qaeda] hostage strategy”.

In total, there were 2,200 file addresses that effectively acted as traps once CSE had identified them. Once the agents have an IP address for someone downloading a suspect file, they then run a query on it through GCHQ’s Mutant Broth tool to see which ad cookies have been tracking them (insecure marketing technologies provide an easy vehicle for spying efforts), what their likely Facebook ID is, and so on.

SendSpace told CBC that no-one had permission to trawl its service for data, and internet policy lawyer Tamir Israel told the broadcaster that the program was potentially very intrusive, as CSE (known until last year as CSEC) could pick whichever documents it wanted.