The State Department has plenty of important secrets—classified cables, foreign policy directives, embassy plans, and more. It also has a department (with a nine-word name) responsible for protecting those secrets from hackers: the Bureau of Information Resource Management's Office of Information Assurance. Yet according to an unusually scathing new report from the State Department's inspector general, this "lead office" for cybersecurity is so dysfunctional and technologically out-of-date that Foggy Bottom may be open to cyberattack.
The IG's audit of the cybersecurity office, which took place earlier this year, concluded that the office "wastes personnel resources," is unequipped to monitor $79 million in contracts, "has no mission statement," and "is not doing enough and is potentially leaving Department systems vulnerable." The report notes that department employees usually cannot find the head of the bureau because he's often not in the office, and as a result, they don't know what their work priorities are. The IG report notes that because of these problems, other parts of the department have to pick up the slack.
"This report reads like a what-not-to-do list from every policy, program, and contracting perspective," says Scott Amey, the general counsel for the Project On Government Oversight, a nonprofit watchdog group where I used to work. "With stories about foreign entities hacking US government systems and questions about non-authorized access to classified information, this latest IG report causes major concerns about the State Department’s ability to protect government systems."
Indigenous Ecuadorean leader Emergildo Criollo travels from the Amazon rainforest to California to deliver 325,000-plus letters urging Chevron to clean up its toxic oil.
Thanks to disclosures made by Edward Snowden, Americans have learned that their email records are not necessarily safe from the National Security Agency—but a new ruling shows that they're not safe from big oil companies, either.
Last month, a federal court granted Chevron access to nine years of email metadata—which includes names, time stamps, and detailed location data and login info, but not content—belonging to activists, lawyers, and journalists who criticized the company for drilling in Ecuador and leaving behind a trail of toxic sludge and leaky pipelines. Since 1993, when the litigation began, Chevron has lost multiple appeals and has been ordered to pay plaintiffs from native communities about $19 billion to cover the cost of environmental damage. Chevron alleges that it is the victim of a mass extortion conspiracy, which is why the company is asking Google, Yahoo, and Microsoft, which owns Hotmail, to cough up the email data. When Lewis Kaplan, a federal judge in New York, granted the Microsoft subpoena last month, he ruled it didn't violate the First Amendment because Americans weren't among the people targeted.
Now Mother Jones has learned that the targeted accounts do include Americans—a revelation that calls the validity of the subpoena into question. The First Amendment protects the right to speak anonymously, and in cases involving Americans, courts have often quashed subpoenas seeking to discover the identities and locations of anonymous internet users. Earlier this year, a different federal judge quashed Chevron's attempts to seize documents from Amazon Watch, one of the company's most vocal critics. That judge said the subpoena was a violation of the group's First Amendment rights. In this case, though, that same protection has not been extended to activists, journalists, and lawyers' email metadata.
The Electronic Frontier Foundation (EFF) represents 40 of the targeted users—some of whom are members of the legal teams who represented the plaintiffs—and Nate Cardozo, an attorney for EFF, says that of the three targeted Hotmail users, at least one is American. Cardozo says that of the Yahoo and Gmail users, "many" are American.
"It's appalling to me that the First Amendment has no bearing in this case, and that the judge simply assumed that all of the targets aren't US citizens—when in fact, I am," says a human rights activist from New York who has been advocating on behalf of the indigenous community, doing both volunteer and paid work, since 2005. He has never been sued by Chevron, nor been deposed. He wishes to remain anonymous—because his legal fight against the subpoena is still pending. The activist received a notice of the subpoena from Google last year (it has not been granted yet). Chevron is seeking information including, but not limited to, the name associated with the account and where a user was every time he logged in—for the past nine years.
"Chevron is trying to crush, silence, and chill activism on behalf of the people they screwed over," the activist argues. Michelle Harrison, an attorney for EarthRights International, tells Mother Jones that her clients aren't comfortable going on record about the subpoenas they've received, because "Chevron's dogged pursuit of anyone that dares speak out against them is regrettably having precisely the chilling effect we warned the court it would."
Advocates for the plaintiffs in the Chevron case say that subpoenaing the email records is the company's latest nuclear tactic to win a lawsuit it keeps losing. Chevron was ordered to pay $9 billion in damages in 2011 and to issue a public apology. After the company refused, a judge ordered the damages to double. The Supreme Court has declined to hear Chevron's appeal. The extortion case is set to go to trial on October 15, after Kaplan—whom the Ecuadorean plaintiffs once asked to be removed from the case—refused to delay it.
Cardozo says there are 101 email addresses listed in the subpoenas to the three tech companies, but EFF has found only two that are owned by actual defendants in the lawsuit. "Subpoenas of nonparties are generally quite routine," says Eugene Volokh, a professor at the University of California-Los Angeles School of Law. But Karl Manheim, a professor at the Loyola School of Law in Los Angeles, notes, "The parties seeking the info have to establish its relevance to the case; you can't just go on a 'fishing expedition' or on a hunch."
Julian Sanchez, a research fellow at CATO, says that "even assuming the account holders aren't citizens, it doesn't automatically follow that the First Amendment is irrelevant." But he notes that while anonymous speech made by Americans is protected under the Constitution, "courts have been inconsistent in applying that protection against civil subpoenas aimed at identifying anonymous internet users." In the case Dendrite International, Inc. v. Doe No. 3, for example, an appellate court held that a company was not allowed to unmask users who had criticized the company on a Yahoo message board.
Manheim says the judge's invocation of citizenship is "wrong" in this case and the users should appeal. "The US Constitution applies to all persons (even foreign nationals) within US borders and to US persons abroad. While the targets of the subpoenas are outside of US jurisdiction, the subpoena itself is operative within the US. So the Constitution should apply." (Chevron did not respond to request for comment.)
"I think if the NSA scandal has taught us anything, anyone who says that 'it's just metadata' doesn't know what metadata is—if I want to spend the night at my friend's house and use his computer, that's my business," Cardozo says. "And if Judge Kaplan thinks seizing metadata is routine, he doesn't know how powerful it can be." The activist adds, "It's a slippery slope. Once one thing is granted, it will only be easier to ask for more."
A US appeals court has ruled that the First Amendment does not protect New York Times national security reporter James Risen from revealing the sources that gave him information about the CIA's plan to disrupt Iran's nuclear program. Risen has been issued a subpoena by the Obama Administration to testify at the trial of former CIA officer Jeffrey Sterling, who allegedly leaked unauthorized information about the program.
In a 2-1 decision, the US Court of Appeals for the Fourth Circuit overturned a 2011 ruling by a lower court that Risen had journalist's privilege to protect his sources. It also reaffirmed that the CIA can take special measures to hide the identity of current and former CIA agents who provide witness in the trial. Agents can hide their real names from the jury when testifying, and can take other security measures such as hiding behind "a screen between the trial participants and the public seating section of the courtroom" or wearing "light disguises (wigs, false beards, half glasses.)"
The majority opinion said: "There is no First Amendment testimonial privilege, absolute or qualified, that protects a reporter from being compelled to testify by the prosecution or the defense in criminal proceedings about criminal conduct that the reporter personally witnessed or participated in, absent a showing of bad faith, harassment, or other such non-legitimate motive."
The information in question is part of Risen's 2006 book, State of War: The Secret History of the C.I.A. and the Bush Administration. In it, he described the CIA operation against Iran's nuclear program as poorly run and wrote that it potentially gave valuable information to the Iranians. Risen told The Times in 2011 that, "I am going to fight this subpoena...I will always protect my sources, and I think this is a fight about the First Amendment and the freedom of the press."
In a dissenting opinion, Circuit Judge Roger L. Gregory agreed with Risen: "The majority reads narrowly the law governing the protection of a reporter from revealing his sources, a decision that is, in my view, contrary to the will and wisdom of our Founders."
The Obama Administration indicted Sterling under the Espionage Act, a law it has wielded more than any other presidential administration. Critics of Risen's subpoena say that forcing Risen to testify, and cracking down on a national security whistleblower, is setting an alarming precedent. "I think it's possible we're headed toward a genuine crisis, where a New York Times reporter is in jail for publishing the news," says Steven Aftergood, director of the Project on Government Secrecy, a government watchdog group. He would like the Obama Administration to withdraw the subpoena, but notes, "I'm not sure where things go from here. It's hard for me to imagine Risen saying, 'OK, I give up. Sterling was my source.' Will he go to jail? I don't know."
The last time Congress passed a sweeping electronic privacy law, the Berlin Wall was standing, Reagan was cracking down on drugs, and cassette tapes—playing Men at Work and Duran Duran—were all the rage. More than 25 years later, there are more than a few '80s-era laws on the books governing the use of technology that didn't even exist when the legislation was written. As Americans place an increasing amount of personal data in social networks, cellphones, and email accounts, privacy advocates say that it's irresponsible not to update these laws to reflect changing technology. Here's a sampling of some of the nation's most outdated tech laws:
The Computer Fraud and Abuse Act
This anti-hacking law was birthed in 1984 by a bunch of lawmakers freaked out over the movie WarGames—a clip was shown during congressional testimony—in which a teenaged hacker played by Matthew Broderick accidentally brings the United States and the Soviet Union to the brink of nuclear war.
Today, the law's broad language can technically be used to prosecute internet users for offenses that seem downright silly. Under the CFAA, it's illegal to "knowingly [access] a computer without authorization" and obtain information from a "protected computer." Here's the problem: The way you get authorization to access most web sites is to agree to a company's terms of service (that check-box you click when you sign up for an account). The CFAA allows the feds to bring criminal charges against users who break companies' terms of service, meaning that a person could face jail time, not simply a fine, for what's essentially a civil disagreement. In other words, a user of the dating site eHarmony who lies about his or her marital status is technically breaking federal law, since its terms of service read:
By requesting to use, registering to use, or using the Singles Service, you represent and warrant that you are not married. If you are separated, but not yet legally divorced, you may not request to use, register to use, or use the Singles Service…You will not provide inaccurate, misleading or false information to eHarmony or to any other user.
The law also allows the government to charge people who violate the CFAA twice for the same crime—under federal and state law—which leads to the kind of sentence faced by internet activist Aaron Swartz, who was threatened with 35 years in prison under the CFAA for allegedly stealing mass amounts of academic articles with the intention of releasing them for free to the public. Swartz committed suicide before his case went to trial. In June, a bill called Aaron's Law was introduced in the House and Senate. It would reform CFAA by fixing the terms-of-service issue—simply violating the terms would no longer be a crime; instead, a hacker would have to actually break a technological barrier (like cracking a password)—and it would also prevent users from being charged twice for the same crime.
"When the government has access to your communications records for a period of up to five years, it creates a chilling effect on your willingness to participate in political discourse and join political groups," Cindy Cohn, legal director for the Electronic Frontier Foundation, said in a press call on Tuesday. EFF also sued the NSA in 2008 over the Bush Administration's warrantless wiretapping program—a case that has yet to be resolved.
The plaintiffs allege that through the NSA's tracking program, "defendants...continue to collect, acquire, and retain, bulk communications information of telephone calls made and received by plaintiffs, their members and staffs. This information is otherwise private." They also claim that the collection of this information was "neither relevant to an existing authorized criminal investigation, nor to an existing authorized investigation to protect against international terrorism." The charges are being brought as violations of the First, Fourth and Fifth Amendments, among other laws.
The Director of National Intelligence, Keith Alexander—who is also listed on the suit—testified last month that the NSA's surveillance program has helped stop more than 50 terror plots since 9/11. The NSA maintains that the only information that has been collected through phone surveillance is basic information called metadata, which includes information like which numbers made and received a call, when it took place, and how long it lasted.
At the call on Tuesday, representatives for the groups said that even though the coalition comes from across the political spectrum, they have one big thing in common: They feel their First Amendment rights are being squashed. Reverend Rick Hoyt from the First Unitarian Church of Los Angeles noted that the church played an important role in fighting hysteria during the McCarthy years, and he sees this as more of the same: "We're very aware how organizations can be affected by government surveillance...we want to make sure our current church members feel they have the right to associate with this church." Gene Hoffman, chairman of The Calguns Foundation, which fights gun control laws, said his members are "definitely" hesitant about calling his organization because of surveillance concerns. "It's common to have caller-ID block for our members even before this [came out.]"
Shahid Buttar, the executive director of the Bill of Rights Defense Committee, a civil rights organization that fights to end racial profiling, notes, "A lot of our members have had concerns about these kinds of activities happening for a long time, they've been dismissed for years by the broader public as paranoia... The people who suspected they were being watched, until now, couldn't prove it."