2nd Circuit Decision in the Microsoft Ireland Warrant Case

The 2nd Circuit Opinion (pdf; 43 pages)


Microsoft Corporation v. United States of America – Wikipedia

The Microsoft Ireland Case: A Brief Summary (July 15, 2016) – LawFare

News Reports:

Microsoft Wins Appeal on Overseas Data Searches (July 14, 2016) – New York Times

Analysis and Criticism:

Reactions to the Microsoft Warrant Case (July 15, 2016) – LawFare

Second Circuit: Warrants Cannot be Used to Compel Disclosure of Emails Stored Outside the United States (July 14, 2016) and Does It Matter Who Wins the Microsoft Ireland Warrant Case? (July 23, 2016) – Orin Kerr in The Washington Post

Microsoft Just Won a Big Victory Against Government Surveillance — Why It Matters (July 15, 2016) – Daniel Solove at TeachPrivacy

The Microsoft Ireland Case and the Future of Digital Privacy (July 18, 2016) – Jennifer Granick at JustSecurity

Three Key Takeaways: The 2d Circuit Ruling in The Microsoft Warrant Case (July 14, 2016) – Jennifer Daskal at JustSecurity

Microsoft v. USA: A Win for Privacy, or Is It? (July 14, 2016) – Omer Tene at IAPP

Microsoft Case Shows the Limits of a Data Privacy Law (July 18, 2016) – New York Times


Microsoft’s President Explains the Company’s Quiet Legal War for User Privacy (July 22, 2016) – The Washington Post

U.S. Government Presents Draft Legislation for Cross-Border Data Requests (July 16, 2016) – David Kris at LawFare


Quote of the Day – on Online Commercial Surveillance:

From the ever interesting Maciej Ceglowski at his Idle Words:

“The proximate reasons for the culture of total surveillance are clear. Storage is cheap enough that we can keep everything. Computers are fast enough to examine this information, both in real time and retrospectively. Our daily activities are mediated with software that can easily be configured to record and report everything it sees upstream. But to fix surveillance, we have to address the underlying reasons that it exists. These are no mystery either. State surveillance is driven by fear. And corporate surveillance is driven by money.”

Read the whole thing, including details of his six, sensible, suggested fixes: (1) the right of users of an online site or service to download data (in usable format) that was provided to or collected by the online site or service; (2) the right at any time to delete one’s account (and all associated personal information) from an online service; (3) a ban on selling or sharing behavioral data, as well as relatively short limits on its storage (e.g., 90 days); (4) physical turn-internet-connectivity-off switches for IoT connected devices (which should be required to remain functioning in the off state); (5) a ban on third-party ad tracking (with sites only able to target ads based on page content itself and information the site has about the visitor), and (6) legally enforceable privacy promises with significant penalties that act as meaningful deterrents.

Also: Watch his presentation on “The Website Obesity Crisis” at Vimeo (53 minutes)

Problems with Current Crypto Implementation

Academic Paper: “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice” (pdf; 13 pages), published earlier this year, but presented at a recent conference

General Explanation (by two of the fourteen co-authors of the academic paper): How is NSA Breaking So Much Crypto? – Freedom to Tinker

EFF’s Two Part Explainer: Logjam, Part 1: “Why the Internet is Broken Again” and Logjam, Part 2: “Did the NSA Know the Internet Was Broken”

EFF’s Practical Advice: How to Protect Yourself from NSA Attacks on 1024-bit DH

Bruce Schneier: Breaking Diffie-Hellman with Massive Precomputation (Again) and his previous post The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange


Quote of the Day:

“Usability is critical. Lots of good crypto never got widely adopted as it was too hard to use; think of PGP. On the other hand, Tails is horrifically vulnerable to traditional endpoint attacks, but you can give it as a package to journalists to use so they won’t make so many mistakes. The source has to think ‘How can I protect myself?’ which makes it really hard, especially for a source without a crypto and security background. You just can’t trust random journalists to be clueful about everything from scripting to airgaps. Come to think of it, a naive source shouldn’t trust their life to securedrop; he should use gpg before he sends stuff to it but he won’t figure out that it’s a good idea to suppress key IDs. Engineers who design stuff for whistleblowers and journalists must be really thoughtful and careful if they want to ensure their users won’t die when they screw up. The goal should be that no single error should be fatal, and so long as their failures aren’t compounded the users will stay alive.”

— Ross Anderson at Light Blue Touchpaper


Second Circuit Bulk Collection Decision (link roundup)

The Opinion: pdf (110 pages)

News Reports:

NSA Program on Phone Records is Illegal, Court Rules – Washington Post

NSA Phone Program is Illegal, Appeals Court Rules – Wall Street Journal

Audio Summary for Laypersons: Professor William McGeveran on Wisconsin public radio (approx. 10 minutes)

Analysis and Opinion:

Second Circuit Rules that Section 215 Does Not Authorize Telephony Bulk Collection Program – Marty Lederman at Just Security

Second Circuit Rules, Mostly Symbolically, that Current Text of Section 215 Doesn’t Authorize Bulk Surveillance – Orin Kerr in the Washington Post

Court Backs Snowden, Strikes Secret Laws – Noah Feldman at BloombergView

Background Legal Paper by an Attorney for one of the Amici Curiae: Bulk Metadata Collection: Statutory and Constitutional Considerations by Laura Donohue (2013) (pdf download at the link)

Impact on Patriot Act Section 215 Status/Sunset:

How the Second Circuit’s Decision Changes the Legislative Game – Liza Goitein at LawFare

The Second Circuit and the Politics of Surveillance Reform – Steve Vladeck at Just Security


If the Supreme Court Tackles the NSA in 2015, It’ll be One of these Five Cases – The Hill


President Obama on Surveillance, Cybersecurity and Related Matters

Re/code’s Kara Swisher interviews the President at Stanford University on February 13th (25 minute video).

00:20    Cybersecurity breaches
04:17    U.S. offensive capabilities
06:22    U.S. cybercommand
08:02    Government relationship with Silicon Valley
10:51    Encryption and Backdoors
15:24    Privacy and Data Ownership
18:13    Immigration, STEM, diversity, loss of U.S. tech leadership
23:22    President’s personal tech habits


President Obama’s Cyber Pitch Misses Mark in Silicon Valley – The Hill

What President Obama is Getting Wrong about Encryption – The Washington Post

Proposed “USA Freedom Act” – Link Roundup (updated with death of the bill in 113th Congress)

Background: U.S. Senate Bill Proposes Sweeping Curbs on NSA surveillance – Reuters’ news report.

Update: On November 18, 2014, the Senate voted to end further discussion of the proposed Act during the 113th United States Congress. Critical NSA Reform Bill Fails in the Senate – Wired

Text: txt, pdf and html versions at Congress.gov.

Summary of the Bill: Senator Leahy’s NSA Reform Bill: A Quick and Dirty Summary — LawFare

Position of the Electronic Frontier Foundation: EFF’s Decision to Support the Bill and The New Senate USA FREEDOM Act: A First Step Towards Reforming Mass Surveillance at EFF’s DeepLinks blog.

Other Commentary: Our Privacy and Liberty Still at Risk, Even if Leahy NSA Bill Passes – Elizabeth Goitein of the Brennan Center for Justice.

Debate (audio): Stewart Baker, former NSA general counsel, debating Harley Geiger, Deputy Director for the Freedom, Security and Surveillance Project at the Center for Democracy and Technology (Steptoe Cyberlaw Podcast; debate sponsored by the Federalist Society).


Matthew Green on Email Encryption

“The path to a proper encrypted email system isn’t that far off. At minimum, any real solution needs:

‘A proper approach to key management. This could be anything from centralized key management as in Apple’s iMessage — which would still be better than nothing — to a decentralized (but still usable) approach like the one offered by Signal or OTR. Whatever the solution, in order to achieve mass deployment, keys need to be made much more manageable or else submerged from the user altogether.’

‘Forward secrecy baked into the protocol. This should be a pre-condition to any secure messaging system.’

‘Cryptography that post-dates the Fresh Prince. Enough said.’

‘Screw backwards compatibility. Securing both encrypted and unencrypted email is too hard. We need dedicated networks that handle this from the start.’”

— Professor Matthew Green, Johns Hopkins University, writing at his blog: A Few Thoughts on Cryptographic Engineering.

The Importance of Privacy

National security reporter, Barton Gellman, responding in a Washington Post Q&A to the question of why anyone should care about U.S. government surveillance if they have nothing to hide:

“Information is power. The US government (and US companies) now learn more about us than anyone has ever known about anyone, and secrecy prevents us from learning what they do. That puts us, in effect, behind a one way mirror. As a citizen who wants to hold my government to account, I find that troubling. I am not saying that the government is abusing the power it has accrued. Sometimes the scandal is what’s legal, especially if lawmakers and citizens had no reasonable opportunity to learn what the executive branch believed it was authorized to do. But abuse is not far behind us in our history. Spying on enemies was one of the Articles of Impeachment against Nixon, and the FBI’s Hoover died in the lifetime of many people still living. I don’t know whether I’ve ever met someone who truly has nothing to hide. If you think that’s you, post a link to everything on your phone, your computer, your email accounts and your web browsing and purchasing history. And even if you have no secrets, you’re probably in possession of the secrets of others — the friend who is going to leave her husband, or wants to find a new job, or just got diagnosed with something she does not want people to know about. Privacy is relational. We may tell things to our friends we don’t tell our parents or our kids, and so on. I want control of my own secrets, personal and professional. That’s the bottom line.”

Also worthwhile: Barton Gellman’s 2003 lecture at Princeton on “Secrecy, Security and Self-Government: An Argument for Unauthorized Disclosures” (transcript: Part I and Part II), as well as Conor Friedersdorf’s Why the Press Can Publish Any Classified Material It Likes in The Atlantic.


A Fundamental Problem with the NSA’s Domestic Bulk Data Collection

NSA = J. Edgar Hoover On Steroids – The Big Picture:

“With a few hundred cable probes and computerized decryption, the NSA can now capture the kind of gritty details of private life that J. Edgar Hoover so treasured and provide the sort of comprehensive coverage of populations once epitomized by secret police like East Germany’s Stasi. And yet, such comparisons only go so far. After all . . . . J. Edgar Hoover still only knew about the inner-workings of the elite in one city: Washington, D.C. To gain the same intimate detail for an entire country, the Stasi had to employ one police informer for every six East Germans — an unsustainable allocation of human resources. By contrast, the marriage of the NSA’s technology to the Internet’s data hubs now allows the agency’s 37,000 employees a similarly close coverage of the entire globe with just one operative for every 200,000 people on the planet. In the Obama years, the first signs have appeared that NSA surveillance will use the information gathered to traffic in scandal, much as Hoover’s FBI once did.”

Read the whole thing. Domestic bulk data collected by the NSA confers immense power on those with access to this information and will be prone to political (and financial) abuse. History demonstrates that the lure of such data for improper purposes likely will be irresistible. Hoover stayed in office for decades, aided in large part by the information the FBI had collected on politicians of the day. Imagine what could be done with the data collected by the NSA.


Today’s Must Read on the NSA

“The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission — protecting the security of U.S. communications and eavesdropping on the communications of our enemies — has become unbalanced in the post-Cold War, all-terrorism-all-the-time era . . . . The result is an agency that prioritizes intelligence gathering over security, and that’s increasingly putting us all at risk. It’s time we thought about breaking up the National Security Agency.” – Bruce Schneier at CNN.Opinion, with practical suggestions for reform.



Cyber Law, Tech and Policy



Developments on the NSA Surveillance Front

The Case for NSA Reform – by Senator Patrick Leahy and Congressman Jim Sensenbrenner:

“[W]e were the primary authors of the USA PATRIOT Act . . . . [W]e strongly agree that the dragnet collection of millions of Americans’ phone records every day — whether they have any connection at all to terrorism — goes far beyond what Congress envisioned or intended to authorize. More important, we agree it must stop. [Today] we will introduce bicameral, bipartisan legislation that will put an end to the National Security Agency’s indiscriminate collection of personal information. Our proposal, the USA FREEDOM Act, provides stronger privacy safeguards with respect to a range of government surveillance programs. While the USA FREEDOM Act ends the dragnet collection of telephone records, it preserves the intelligence community’s ability to gather information in a more focused way, as was the original intent of the PATRIOT Act. Our bill also ensures that this program will not simply be restarted under other legal authorities, and includes new oversight, auditing and public reporting requirements. No longer will the government be able to employ a carte-blanche approach to records collection or enact secret laws by covertly reinterpreting congressional intent. And to further promote privacy interests, our legislation establishes a special advocate to provide a counterweight to the surveillance interests in the FISA Court’s closed-door proceedings.”

The USA Freedom Act: pdf

See also:

The White House on Spying: New York Times Editorial Board

Spycraft: how do we fix a broken NSA? – Reformers are still struggling to imagine an NSA that doesn’t overstep the constitution: Russell Brandon at The Verge.

Counterpoint: We Need an Invasive NSA by Harvard Law Professor Jack Goldsmith


Sounds About Right:

Amateur Hour in Intelligence Gathering

“The NSA spied on other people too much, and it bungled the protection of its own secrets. Imprudence matched with incompetence doesn’t lead to anything good. We need a thorough airing out of this mess, with personnel changes where appropriate, so that the NSA can stop doing things it ought not to be doing and instead spend its energy making sure that it does a good job on what we really need it to do . . . . It’s time to call in some grown ups to clean up the mess: we would suggest a series of congressional hearings combined with a blue ribbon, bipartisan commission to review what’s happened, to consult with our key allies, and to make recommendations. We need to do this not because intelligence gathering is bad and NSA surveillance is unnecessary. We need to do it because intelligence gathering and surveillance are so important, but so dangerous, that they must be done right.”

— Walter Russell Mead at Via Meadia