Archive

Archive for the ‘spying’ Category

American Spies: how we got to mass surveillance without even trying

February 14, 2017 Leave a comment

Review: law prof explains how the road to bad law is paved with good intention

While American Spies was written prior to Donald Trump winning the 2016 presidential election, it has become vital and relevant under the new Republican administration.

Jennifer Stisa Granick is one of the premiere legal minds currently trying to grok the intersection between surveillance, privacy, and public policy. She serves as the Director of Civil Liberties at the Stanford Center for Internet and Society. Before that, she worked at the Electronic Frontier Foundation.

In her book, Granick presents an expansive overview of the national-security legal landscape. However, despite being geared largely toward attorneys and academics, American Spies can be easily understood by anyone with even a passing familiarity with touchstone concepts that have graced the pages of Ars Technica in recent years, including Edward Snowden, Section 702, and Executive Order 12333.

The fiery counsel wastes no time in laying out her argument:

Modern surveillance is regulated by a confusing patchwork of laws that nevertheless fails to provide meaningful limits on government power, and which therefore invites abuse. After September 11th, laws that should have protected people’s privacy and stopped surveillance abuses were weakened via the USA PATRIOT Act. When technology and economics gave spies vastly more power, rather than have law step up to the challenge of constraining that power, Congress and the courts did nothing, or the laws were softened even further. American spies have flooded into the power vacuum left by powerful technology and weak legal protections.

In short, American law as it stands is largely insufficient to deal with the crushing weight and power of American spies.

Jeu de mots

While Chapter 1 is largely a summary of Snowden-era programs and revelations, Chapter 2 is the part of Granick’s book that made me sit up and take notice.

She argues that a huge gulf separates how words are used by the intelligence community and the general public. For example: “surveillance.” Granick uses it in the way that Ars (and probably most people) use it: “Surveillance means government collection of private and personal information: address books, buddy lists, photos, phone numbers, web history, geolocation data, and more.”

But within government circles, surveillance means something very specific: it’s shorthand for “electronic surveillance” (ELSUR) as governed by the Foreign Intelligence Surveillance Act (FISA).

She writes:

By using “surveillance” to mean only ELSUR governed by FISA, officials can say that they do not conduct “surveillance” even when they are collecting personal data like phone numbers, Internet transactional records, face prints, or geolocation data. The intelligence community might call its acquisition of this kind of information “collection,” which sounds milder than “surveillance”… The word “bulk” is another opportunity for mischief. People use the word “bulk” as a synonym for massive, vast, or large-scale collection. But the intelligence agencies have a special definition of the word “bulk.” They only use “bulk” to mean acquisition that takes place without using a selection term or “discriminator.”

In other words, grabbing everything is bulk. But if the government uses search terms, keywords, or selection terms, it’s not bulk. So, if, when wiretapping a particular fiber optic cable, the NSA selects or “tasks” all communications with the word “Syria” or “China” in them, the NSA lawyers might not call that “bulk,” even though hundreds of millions of innocent people’s irrelevant messages are going to be collected and analyzed. Similarly, the government won’t say that its collection is indiscriminate if it uses any kind of selection term.

This becomes more concerning when the government makes it hard to answer the basic question, “Who is a United States person?” Such people have inherent privacy protections, and a “United States person” is generally believed to mean American citizens, American permanent residents (green-card holders), and American companies. But there might be more to it. That’s because, according to the Department of Justice Office of the Inspector General, there’s a classified directive that further explains who a US person is, but it contains a few sentences that are redacted.

Granick reasons that this nomenclature obfuscation isn’t just due to bureaucratic legalese. Rather, it’s part of a broader strategy to keep not only the public in the dark, but the legislative and judicial branches as well.

Granick concludes:

The evidence suggests that the misdirection is intentional, at least on the part of some officials. The misstatements go well beyond the kind of obfuscation needed to keep terrorists complacent about using surveilled networks. American spies know they have to maintain public acquiescence, and they believe that if people knew the truth, the programs would lose support.

An ever-bigger haystack

Beyond nomenclature, Granick offers a three-part criticism of national security law as it stands, revolving around mathematics, notification, and the opaque nature of the law.

She begins by saying that the entire concept of “collect it all” is not just wrong-headed, it’s also counterproductive. As experts like Bruce Schneier have been saying for years, probability and statistics show us that throwing billions of dollars to conduct mass surveillance to locate something that simply doesn’t happen all that often (terrorism) is largely pointless.

And the “collect it all” credo has crept far beyond the search for terrorists. As Ars has reported for years, this mentality has percolated down to the most local level of law enforcement. Police in cities across America routinely use license plate readers to investigate crimes. However, data from several cities show that the “hit rate,” or match between an unknown plate and a stolen or wanted car, is nearly always less than one percent. (In Oakland, California, it’s 0.16 percent.)

Granick explains that law enforcement agencies don’t want to stop this “collect it all” train, lest they be blamed for people dying. And yet abuses are common.

Ars readers may remember the National Security Agency’s LOVEINT scandal, in which intelligence staffers used the agency’s vast spy infrastructure to target their ex-partners. As far as we are aware, no one knows what punishments, if any, were doled out to those NSA staffers.

“Finally, there are no remedies for people who suffer from violations of those rules,” Granick concludes. “Violations may or may not be reported or cataloged. Victims are not informed. Without the threat of exposure and punishment, there is little incentive for analysts to rigorously follow the rules.”

Worse still is that, while courts ostensibly provide oversight, judges often don’t find out what has gone wrong until a national security official tells them. And even when judges do get upset, no meaningful punishments have ever been doled out for those who stretch the law.

“[Judges] also don’t want to stop the spying because they’re told that if they do, some people could die,” she concludes. “So they expand the NSA’s authority, issue more complex rules, and let the surveillance go forward.”

Finally, she reaches a troubling realization: that the nexus between the law, surveillance, privacy, and national security still lacks clear-cut boundaries. Crucially, these discussions often happen without the benefit of public scrutiny. Many of these court cases are sealed or happen under the umbrella of national security classification, such that the citizenry doesn’t know exactly what’s going on.

In sum, there is much uncertainty in surveillance law. Does the Fourth Amendment protect data stored on the Internet? Is massive spying constitutionally different from the collection of one person’s data? How do FISA and ECPA apply to information for which the expectation of privacy is not legally settled given the third-party doctrine? If the Fourth Amendment doesn’t apply to foreigners abroad what does that mean for foreigners living in the United States and for the Americans that talk with them?

Today, we live under a confusing, convoluted, and technologically outdated legal regime that has left American privacy with uncertain legal protection. The uncertainty is exacerbated by the fact that so much surveillance–both law enforcement and intelligence–is secretly authorized via sealed and ex parte court proceedings.

Baby steps

After all of this, don’t be surprised if you’re demoralized. The wheels of justice move at a glacial pace compared to the breakneck speed of technology. The Supreme Court doesn’t often rule on landmark issues of privacy, which means that older legal theories (like the “third-party doctrine”) remain good law.

American Spies is mostly descriptive and less prescriptive. Granick doesn’t address a possible solution until the end of the book. She knows that any revisions to national policy are “a job for Congress.” However, in the modern American political climate, Congress can barely agree on the time of day, much less comprehensive privacy law reform. While there are some efforts in the right direction (the “Email Privacy Act” just passed the House of Representatives last week), no cohesive, substantial movement exists within Congress to change the law.

Yes, there are groups like the Electronic Frontier Foundation and the American Civil Liberties Union that are lobbying and litigating to nudge the government in the right direction. However, much of Congress still generally lacks the computer literacy skills to fully understand what the risks are and what steps need to be taken. Legislators like Rep. Ted Lieu (D-Los Angeles) often seem to be speaking about the benefits of encryption in a vacuum. (Also, seriously, how many top government officials are still using AOL accounts?)

Granick makes no mention of how these surveillance-policy reforms may be another decade or more away. However, there is a bright spot: a few cities like Seattle and Oakland have taken up efforts to more closely monitor how surveillance is conducted locally, and they have attempted to exert meaningful civilian oversight. So, think globally, act locally?

NSA to share data with other agencies without “minimizing” American information

January 16, 2017 Leave a comment

Rules opposed by civil liberties and privacy advocates.

On Thursday The New York Times reported that the Obama administration had recently finalized rules to give the National Security Agency (NSA) more leeway in sharing its vast trove of intercepted communications with the 15 other government agencies that make up the Intelligence Community.

Previously, agencies like the Drug Enforcement Agency and the Federal Bureau of Investigation would have to request information on a target from the NSA. The NSA, in turn, would retrieve communications pertaining to that target and scrub the documents of information that was considered irrelevant to the search, including the names of innocent Americans—a process called “minimization.” Now, that middle step has been cut out. The agencies need only get approval from the NSA to access its data, and agents from the agencies are expected to carry out minimization on their own.

As The New York Times puts it, “Essentially, the government is reducing the risk that the NSA will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people.” Although the agency analysts who will have access to the NSA’s surveillance powers are directed to ignore and redact information pertaining to innocent Americans, if they see evidence of criminal acts in the data they access, they are directed to hand it over to the Justice Department.

The move has been anticipated for a yearThe New York Times reported on the draft proposal back in February 2016—but in mid-December Director of National Intelligence James Clapper approved the new rules, which will amend Reagan-era executive order 12333, and last week Attorney General Loretta Lynch finally signed off on them as well. Congressional approval was not necessary to implement the changes.

Several agencies already have access to the NSA’s raw data under the Foreign Intelligence Surveillance Act (FISA). These new rules don’t change who has access to FISA data, but they allow national security analysts to access communications made over satellite transmission, as well as phone calls, e-mails that cross international borders, and e-mails that are sent between foreigners that pass through American networks. Analysts from other agencies may “search the raw data using an American’s identifying information only for the purpose of foreign intelligence or counterintelligence investigations,” according to the Times.

The rules have been opposed by civil rights and privacy advocates as lacking protections to prevent abuse. In a statement, American Civil Liberties Union legislative counsel Neema Singh Guliani said, “The procedures released today allow more agencies to directly access information collected by the NSA without a warrant under procedures that are grossly inadequate. This raises serious concerns that agencies that have responsibilities such as prosecuting domestic crimes, regulating our financial policy, and enforcing our immigration laws will now have access to a wealth of personal information that could be misused. Congress needs to take action to regulate and provide oversight over these activities.”

Obama Gifts Donald Trump Expanded Surveillance Powers

January 14, 2017 Leave a comment

surveillance

In its final days, the Obama administration has gifted the incoming Trump administration the power to intrusively invade the privacy of American citizens by lifting the limits on what NSA can do with collected data.

Newly approved procedures gives more surveillance powers to the intelligence community by allowing the National Security Agency (NSA) to share globally intercepted communications data with all other US intelligence agencies before applying privacy protections.

As NSA whistleblower Edward Snowden, whose only wish is not to see the U.S. turn into a totalitarian state, points out in a tweet Thursday: “Obama just unchained NSA from basic limits on passing raw intercepts to others.

Thanks Obama for saving us from the evil metadata that lurks on the internet and for locking them up for future determination by US intelligence agents.

Let’s just “hope” these agents and law enforcement authorities are intelligent enough to secure the servers and show some respect for people’s rights while passing around the family album among the community.

“Yes we can,” only hope.

AntiMedia reports:

The recent approval of new procedures for an existing executive order will allow the NSA to share the private data it collects with all 16 agencies of the United States intelligence community. The 23-page outline of the new procedures lifts previous limits placed on the way information was filtered before being disseminated to individual agencies.

As he hands the White House to Trump, Obama just unchained NSA from basic limits on passing raw intercepts to others,” NSA whistleblower Edward Snowden tweeted Thursday.

Gone are the already-flimsy privacy protections that required NSA analysts to review data before handing it over to other agencies like the CIA, DEA, DHS, or others. Whereas prior restrictions required analysts to shield the identities of innocent parties and other personal data before sharing only the information deemed pertinent, there are now no filters whatsoever.

All agencies will have the freedom to dig through “raw signals intelligence information” under the new procedures, which were signed by Attorney General Loretta E. Lynch. After evaluating the information, the agencies can apply rules “minimizing” violations of privacy. That’s correct — only after privacy has been violated can it be protected. That’s not exactly how it works, but it is now the law according to Section 2.3 of Executive Order 12333.

The document was originally signed on December 15, 2016, by the director of national intelligence, James R. Clapper Jr. According to Clapper’s general counsel, Robert S. Litt:

This is not expanding the substantive ability of law enforcement to get access to signals intelligence. It is simply widening the aperture for a larger number of analysts, who will be bound by the existing rules.

ACLU lawyer Pat Toomey disagrees, explaining:

Rather than dramatically expanding government access to so much personal data, we need much stronger rules to protect the privacy of Americans. Seventeen different government agencies shouldn’t be rooting through Americans’ emails with family members, friends and colleagues, all without ever obtaining a warrant.

The new procedures require agencies to submit written requests to the NSA describing the raw signals intelligence sought, how it will be used, how it will further its mission in a significant way, and why the information could not be obtained through other sources. While the purpose of Executive Order 12333 is to target foreign and counter-intelligence only, if an agency uncovers information that incriminates an American citizen, the agency is required to turn the evidence over to the Justice Department. Many of the requirements listed in the document for targeting American citizens have been redacted.

And if all else fails, any U.S. Intelligence Agency can legally obtain personal information on any citizen with no warrant under Section 702 of the FISA Amendments Act. However, with these new procedures in place, that may not be necessary anymore.

If Barack Obama is so concerned about a Trump presidency, why is he giving the future president such a terrifying amount of power?

The FBI Is Apparently Paying Geek Squad Members To Dig Around In Computers For Evidence Of Criminal Activity

January 11, 2017 Leave a comment

From the maybe-these-are-the-‘smart-people’-who-can-fix-Comey’s-encryption-&# dept

Source: Tech Dirt

Law enforcement has a number of informants working for it and the companies that already pay their paychecks, like UPS, for example. It also has a number of government employees working for the TSA, keeping their eyes peeled for “suspicious” amounts of cash it can swoop in and seize.

Unsurprisingly, the FBI also has a number of paid informants. Some of these informants apparently work at Best Buy — Geek Squad by day, government informants by… well, also by day.

According to court records, Geek Squad technician John “Trey” Westphal, an FBI informant, reported he accidentally located on Rettenmaier’s computer an image of “a fully nude, white prepubescent female on her hands and knees on a bed, with a brown choker-type collar around her neck.” Westphal notified his boss, Justin Meade, also an FBI informant, who alerted colleague Randall Ratliff, another FBI informant at Best Buy, as well as the FBI. Claiming the image met the definition of child pornography and was tied to a series of illicit pictures known as the “Jenny” shots, agent Tracey Riley seized the hard drive.

Not necessarily a problem, considering companies performing computer/electronic device repair are legally required to report discovered child porn to law enforcement. The difference here is the paycheck. This Geek Squad member had been paid $500 for digging around in customers’ computers and reporting his findings to the FBI. That changes the motivation from legal obligation to a chance to earn extra cash by digging around in files not essential to the repair work at hand.

More of a problem is the FBI’s tactics. While it possibly could have simply pointed to the legal obligation Best Buy has to report discovered child porn, it proactively destroyed this argument by apparently trying to cover up the origin of its investigation, as well as a couple of warrantless searches.

Setting aside the issue of whether the search of Rettenmaier’s computer constituted an illegal search by private individuals acting as government agents, the FBI undertook a series of dishonest measures in hopes of building a case, according to James D. Riddet, Rettenmaier’s San Clemente-based defense attorney. Riddet says agents conducted two additional searches of the computer without obtaining necessary warrants, lied to trick a federal magistrate judge into authorizing a search warrant, then tried to cover up their misdeeds by initially hiding records.

The “private search” issue is mentioned briefly in OC Weekly’s report, but should be examined more closely. Private searches are acceptable, but the introduction of cash payments, as well as the FBI having an official liaison with Best Buy suggests the searches aren’t really “private.” Instead, the FBI appears to be using private searches to route around warrant requirements. That’s not permissible and even the FBI’s belief that going after the “worst of worst” isn’t going to be enough to salvage these warrantless searches.

As Andrew Fleischman points out at Fault Lines, the government’s spin on the paid “private search” issue — that it’s “wild speculation” the Best Buy employee was acting as a paid informant when he discovered the child porn — doesn’t hold up if the situation is reversed. AUSA Anthony Brown’s defensive statement is nothing more than the noise of a double standard being erected.

Flipping the script for a minute, would an AUSA say it was “wild speculation” that a man was a drug dealer when phone records showed he regularly contacted a distributor, he was listed as a drug dealer in a special book of drug dealers, and he had received $500.00 for drugs? Sorry to break it to you, Mr. Brown, but once you start getting paid for something, it’s tough to argue you’re just doing it for the love of the game.

In addition to these problems, the file discovered by the Best Buy tech was in unallocated space… something that points to almost nothing, legally-speaking.

[I]n Rettenmaier’s case, the alleged “Jenny” image was found on unallocated “trash” space, meaning it could only be retrieved by “carving” with costly, highly sophisticated forensics tools. In other words, it’s arguable a computer’s owner wouldn’t know of its existence. (For example, malware can secretly implant files.) Worse for the FBI, a federal appellate court unequivocally declared in February 2011 (USA v. Andrew Flyer) that pictures found on unallocated space did not constitute knowing possession because it is impossible to determine when, why or who downloaded them.

This important detail was apparently glossed over in the FBI’s warrant application to search Rettenmaier’s home and personal devices.

In hopes of overcoming this obstacle, they performed a sleight-of-hand maneuver, according to Riddet. The agents simply didn’t alert Judge Marc Goldman that the image in question had been buried in unallocated space and, thus, secured deceitful authorization for a February 2012 raid on Rettenmaier’s Laguna Niguel residence.

Courts have shown an often-excessive amount of empathy for the government’s “outrageous” behavior when pursuing criminals. The fact that there’s child porn involved budges the needle in the government’s direction, but the obstacles the FBI has placed in its own way through its deceptive behavior may prevent it from salvaging this case.

The case is already on very shaky ground, with the presiding judge questioning agents’ “odd memory losses,” noting several discrepancies between the FBI’s reports and its testimony, and its “perplexing” opposition to turning over documents the defense has requested.

In any event, it appears the FBI has a vast network of informants — paid or otherwise — working for both private companies and the federal government. Considering the FBI is already the beneficiary of legal reporting requirements, this move seems ill-advised. It jeopardizes the legitimacy of the evidence, even before the FBI engages in the sort of self-sabotaging acts it appears to have done here.

Underneath it all is the perplexing and disturbing aversion to adhering to the Fourth Amendment we’ve seen time and time again from law enforcement agencies, both at local and federal levels. Anything that can be done to avoid seeking a warrant, and anything that creates an obfuscatory paper trail, is deployed to make sure the accused faces an even more uphill battle once they arrive in court.

The Surveillance State Did Not Disappear With The Trump Victory

January 9, 2017 Leave a comment

Surveillance photo

(SHTFplan.com) One of the things Donald Trump has really done correctly is to assess his future arena in the areas of intelligence-gathering and operational security.  Trump wants to return to a “courier” method of transmitting sensitive information and classified documents for the purpose of reducing the amount of material that can be hacked or stolen.  There is a subtlety about this for a caveat, in case the compliment has bloomed flowers in your thoughts: the NSA $50 billion facility for collection and storage of data in Utah won’t be shutting down anytime soon.

As Snowden’s exposes clearly pointed out, the government has clearly followed Petraeus’ glowing “internet of things” yellow brick road to form an integrated, interconnected surveillance state.  All CCTV (closed circuit television) systems, all merchants with cameras, all law enforcement cameras…all of the camera surveillance systems everywhere are either tied into data collection immediately or can be accessed for use at a later time.

The latest “Jason Bourne” movie clearly illustrates how the government can utilize devices such as cellular telephones (especially the ones with cameras) to track movements, record conversations, and be a “piggyback” to relay information to a nearby computer or a camera.  This isn’t the future: this is now.

There is an older piece written by Michael Snyder in June of 2013 entitled 27 Edward Snowden Quotes About U.S. Government Spying That Should Send a Chill Up Your Spine.  The information in this article is directly from Edward Snowden that revealed exactly what the government has been doing regarding their total surveillance program…

H.R. 4919 Passes House Allowing Government to Microchip Citizens with “Mental Disabilities”

December 19, 2016 Leave a comment

Source: Q-TV

Though the bill only targets those with conditions such as Alzheimers and autism, critics say the bill’s passage will open a “pandora’s box” of invasive government surveillance.
H.R. 4919: https://www.congress.gov/bill/114th-congress/house-bill/4919
Nwo Report: http://www.nworeport.me
Twitter: https://twitter.com/NwoReport
Facebook: https://www.facebook.com/Nwo-Report-1505570316361450/

CLAIM: UBER Employees Secretly Tracked Celebs, Politicians, Ex-Spouses…

December 12, 2016 Leave a comment

Caption: Ward Spangenberg, who was hired by Uber in March 2015, says he frequently objected to what he believed were reckless and illegal practices. Spangenberg was fired and is now suing the ride-hailing behemoth.

For anyone who’s snagged a ride with Uber, Ward Spangenberg has a warning: Your personal information is not safe.

Internal Uber employees helped ex-boyfriends stalk their ex-girlfriends and searched for the trip information of celebrities such as Beyoncé, the company’s former forensic investigator said.

“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” Spangenberg wrote in a court declaration, signed in October under penalty of perjury.

After news broke two years ago that executives were using the company’s “God View” feature to track customers in real time without their permission, Uber insisted it had strict policies that prohibited employees from accessing users’ trip information with limited exceptions.

But five former Uber security professionals told Reveal from The Center for Investigative Reporting that the company continued to allow broad access even after those assurances.

Thousands of employees throughout the company, they said, could get details of where and when each customer travels. Those revelations could be especially relevant now that Uber has begun collecting location information even after a trip ends.

Spangenberg is suing the San Francisco-based ride-hailing behemoth for age discrimination (he’s 45) and whistleblower retaliation. He has worked information security jobs for a variety of tech companies. Uber tasked him with helping develop security procedures and responding to problems from around the world.

In addition to the security vulnerabilities, Spangenberg said Uber deleted files it was legally obligated to keep. And during government raids of foreign Uber offices, he said the company remotely encrypted its computers to prevent authorities from gathering information.

After beginning in March 2015, Spangenberg said he frequently objected to what he believed were reckless and illegal practices, and Uber fired him 11 months later.

“I also reported that Uber’s lack of security, and allowing all employees to access this information (as opposed to a small security team) was resulting in a violation of governmental regulations regarding data protection and consumer privacy rights,” he stated in the declaration, referring to requirements that companies notify consumers of any breach of personal information.

Michael Sierchio, a tech industry veteran who was a senior security engineer at Uber from early 2015 until June of this year, agreed that Uber had particularly weak protections for private information.

“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” he said. “It didn’t require anyone’s approval.”

In a statement, Uber said it maintains strict policies to protect customer data and comply with legal proceedings. It acknowledged that it had fired employees for improper access, putting the number at “fewer than 10.”

“We have hundreds of security and privacy experts working around the clock to protect our data,” Uber said in a statement.

“This includes enforcing strict policies and technical controls to limit access to user data to authorized employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated,” the company said.

Uber would not give more details on its technical controls. In practice, the security sources said, Uber’s policy basically relies on the honor system. Employees must agree not to abuse their access. But the company doesn’t actually prevent employees from getting and misusing the private information in the first place, the security sources said.

Uber has a history of data problems

As Uber has rapidly grown to more than 40 million users worldwide, the gig-economy giant has also been dogged by leaks, hacks and privacy scandals.

In 2014, BuzzFeed reported that an Uber official had tracked its reporter’s movements without her permission, around the same time another executive suggested digging up dirt on critical journalists. The controversy – and an entrepreneur’s claim that he was tracked as well – drew attention to the company’s internal God View tool, which provided a real-time aerial view of Uber cars in a city and details of who was inside of them.

It later came out that a data breach that year exposed the personal information of more than 100,000 drivers.

After the embarrassments of 2014, Uber hired chief security officer Joe Sullivan, a prominent tech figure who previously held that post at Facebook and used to be a federal prosecutor. His team drew heavily from Facebook, including chief information security officer John “Four” Flynn.

The Federal Trade Commission, the consumer protection agency, is investigating Uber’s information security practices and recently deposed Sullivan, according to security sources.

Spangenberg and Sierchio – as well as three other former Uber security professionals granted anonymity to confirm their accounts – describe a startup culture that pushed back against security protections in favor of unbridled growth.

“Early on, ‘growth at all costs’ was the mantra, so you can imagine that security was an afterthought,” said Sierchio, whose tech career includes designing video games for Atari in the early 1980s.

Even after Uber assembled a security team, the pushback continued when employees raised concerns, he said.

“One of the things I was told is, ‘It’s not a security company,’” Sierchio said. Spangenberg said he was told the same thing.

As disclosures about God View sizzled on the internet in 2014, the company posted a statement saying that, “Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes.”

Lawmakers, including Sen. Al Franken, D-Minnesota, demanded details about those “legitimate business purposes.” Franken later wrote he was “concerned about the surprising lack of detail in their response.”

Sierchio, who said he was pushed out in June, said the company’s policy limiting access was “never enforced.”

After an investigation by New York Attorney General Eric Schneiderman, Uber settled in January and promised to limit accessto real-time trip data “to designated employees with a legitimate business purpose.”

Even after the attorney general settlement, Spangenberg and Sierchio said thousands of employees could still search Uber’s database to get real-time ride information. The company said it complies with the settlement.

Uber did adopt some reforms. There was a pop-up message warning employees that their activity was being monitored, but few took it seriously, Spangenberg said. Another change flagged searches for customers considered “MVPs.” But that didn’t protect anyone not labeled an MVP, Spangenberg said.

It also changed the name of God View to Heaven View, Spangenberg said.

An internal audit team searched for abnormalities in all the database activity to nab employees tracking customer data illicitly, said Spangenberg, who assisted the investigations. Those they caught were referred to HR to be fired, he said.

“If you knew what you were doing, you could get away with it forever,” Spangenberg said. “The access is always there, so it was a matter of whether you got caught in the noise.”

Many employees, Uber said, need access for reasons such as providing customer refunds and investigating traffic accidents. The company added that it blocks some teams of employees from getting the data without approval, though it did not specify which teams or how the approval process works.

Drivers’ personal details, including Social Security numbers, were also available to all Uber employees, Spangenberg said in his declaration.

Spangenberg said he argued for shutting off access to sensitive data for those who didn’t need it.

“I would say, ‘We can’t keep this information, you can’t allow this information to be stored like this, you can’t leave it all connected like this,’” he said.

Uber, in its statement, said, “We have made significant investment in tightening our access controls during the past several years. Allegations that simply acknowledging our policy in a pop-up window would provide access to customer data for unauthorized employees are not correct in our current environment.”

According to his lawsuit, Uber told Spangenberg he was fired for violating a code of conduct and reformatting his computer, which erases everything on it. He said he deleted and began rebuilding his laptop because it had crashed, and that it was common practice.

He also got in trouble for accessing emails that dealt with his own job performance review. Spangenberg said he was only testing out a program to search company emails. The whole thing was a pretext, he said, to get rid of him.

In court filings, Uber responded that it “generally denies each and every allegation” made by Spangenberg.

Lawsuit says Uber destroyed documents

Spangenberg accuses Uber of destroying information he believed it was obligated to preserve. “Uber routinely deleted files which were subject to litigation holds, which was another practice I objected to,” his declaration says.

A company can face legal penalties or be held in contempt of court for scrubbing evidence it was supposed to keep.

Among his duties, Spangenberg said he was also a point person when foreign government agencies raided company offices abroad.

“Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber’s information,” his declaration states.

In May 2015, for example, the tax agency Revenu Quebec raided Uber’s Montreal office to gather evidence of tax evasion. Spangenberg said he worked from San Francisco to encrypt the office’s computers.

“My job was to just make sure that any time a laptop was seized, the protocol locked the laptops up,” he said.

Indeed, Quebec investigators – armed with a warrant to copy information from Uber computers – went back to a judge to say the computers had been remotely restarted and apparently encrypted, according to court records. They got permission to take the computers with them, but the machines are of little value if the information on them stays encrypted.

Efforts to encrypt data once a government search is in process “raises red flags and serious concerns,” said Judith Germano, a cybersecurity expert and former federal prosecutor.

A company could argue it was protecting sensitive information, she said. But if a judge determined it was a deliberate effort to hide evidence, the judge could impose legal sanctions or fines, and order the company to decrypt the data.

In its statement, Uber said, “We’ve had robust litigation hold procedures in place from our very first lawsuit to prevent deletion of emails relevant to ongoing litigation.” Uber said it has an obligation to protect personal information and that “we cooperate with authorities when they come to us with appropriate legal process.”

Uber challenged the Quebec search warrants in court, but in May, a Canadian judge wrote in French that Uber’s actions had “all the characteristics of an attempt to obstruct justice,” suggesting that “Uber wanted to shield evidence of its illegal conduct.” Uber is still appealing.

Looking back, Spangenberg describes a tangle of questionable practices and gaping vulnerabilities.

“The only information, truthfully, that I ever felt was safe inside of Uber is your credit card information,” he said. “Because it’s not stored by Uber.”

 

%d bloggers like this: