I have in numerous prior blog entries touched on the issues involved in protecting your intellectual property from unauthorized disclosure. Doing so is critically important to keep your technologies, designs, marketing plans and even your sales figures out of your competitors’ hands where they can damage your business’ future prospects and its competitive edge. But what about keeping your information out of a government’s hands.
In my posting dated April 23, 2012 year entitled “Protecting Your I.P. While Abroad” I pointed out that the Chinese have installed key-logging software on visitors’ laptops which renders password protection useless and quoted a McAfee official as stating that if any employee’s device was inspected at the Chinese border, it can never be plugged into that company’s network again. Although Hong Kong is considered a Special Administrative Region of the People’s Republic of China, has a separate legal system from mainland China which is based on English common law, its defense and foreign affairs policies are set by Beijing, so it is highly possible that whatever secrets Edward Snowden had with him when he arrived in Hong Kong are now known to the People’s Republic of China. As for Snowden’s visit to Russia, in that same post I quoted a former counterintelligence official as stating, “If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated.” Maybe Snowden had sufficient expertise in computer security to outwit the Russians and Chinese, but as he intended to disclose secrets, it doesn’t make sense that he would take extraordinary efforts to protect those secrets from disclosure.
As for his disclosures, I noted just last March 4th that in 2008 Congress amended the Foreign Intelligence Surveillance Act to provide that when the government conducted electronic surveillance of communications between persons located within the U.S. and persons located outside the U.S. the particular targets or facilities to be monitored did not have to be identified and that the Director of national Intelligence could apply for a mass surveillance authorization by merely attesting generally to the Foreign Intelligence Surveillance (FISA) court that a significant purpose of the acquisition is to obtain foreign intelligence information and that that information will be obtained with the assistance of an internet, telephone or wireless provider. While the government was required to attest that its procedures were designed to ensure that the monitoring was limited to targeting persons believed to be located outside the U.S., it only had to reasonably believe they were located outside the U.S. and any acquisition of any communications between individuals located solely within the U.S. must not be intentional. The court order authorizing the government to conduct the surveillance may go on for up to one year and no probable cause determination was required. In the case discussed in that blog, Amnesty International USA v. Clapper, 638 F. 3d 118 (2nd Cir. 2011) the plaintiffs argued “[a]ll telephone and e-mail communications to and from countries of foreign policy interest—for example, Russia, Venezuela, or Israel—including communications made to and from U.S. citizens and residents could be monitored and no specific showing of probable cause nor judicial review was required. The government did not challenge that characterization in those proceedings.” It was also noted in that case that in 2008 the government sought 2,082 surveillance orders from the FISA court and the court approved all but one.
In addition, in 2006 Mark Klein, a retired AT&T Communications Technician revealed that at AT&T’s office in San Francisco his job included connecting Internet circuits to a splitting cabinet that led to a secret room in that office. Klein said the split circuits included traffic from peering links connecting to other internet backbone providers, meaning that AT&T was also diverting traffic routed from its network to or from other domestic and international providers That secret room contained a sophisticated data-analysis system that was off-limits to anyone without NSA clearance. The details of this may be found at http://www.wired.com/science/discoveries/news/2006/05/70944 dated May 22, 2006.
Hence, what Edward Snowden has disclosed should not have been too much of a surprise to anyone paying attention to these issues and reading the mainstream media.
And it is not just the NSA or the Chinese or the Russians who may be watching what you type on your laptop. A British company, Gamma International UK Ltd., makes a number of products. The following may be found on its website, “The scope of Communication Interception contains a vast field of technology where Gamma International provides the appropriate solution depending on the demands and environmental conditions of the client. The field covers the following areas and products; Satellite Monitoring (Thuraya, Inmarsat), GSM, GPRS, and UMTS Tactical Off-air Monitoring, Passive Monitoring of Telephone Lines and Trunk Lines, SMS Interception, Speech Identifying Tools, Data Retention and Link Analysis and Radio Frequency Monitoring.” See http://www.gammagroup.com/communicationsmonitoring.aspx Their product line also includes, “Remote Monitoring and Deployment Solutions … used to access target Systems to give full access to stored information with the ability to take control of target systems’ functions to the point of capturing encrypted data and communications. When used in combination with enhanced remote deployment methods, the Government Agencies will have the capability to remotely deploy software on target systems.” See http://www.finfisher.com/FinFisher/en/portfolio.php
It was reported in the New York Times last March 13th that researchers at the University of Toronto and at the University of California at Berkeley had uncovered evidence that some 25 governments including Australia, Britain, Canada, Germany, India, Indonesia, Japan, Mexico, the Netherlands, the U.A.E., and the U.S. had employed spyware sold by Gamma that could grab images off computer screens, record Skype chats, turn on cameras and microphones and log keystrokes and that this technology was, according to Gamma’s managing director, sold to governments to monitor criminals such as pedophiles, terrorists, drug dealers, kidnappers and human traffickers. However, in the case of Ethiopia, that spyware was disguised in e-mails that were specifically aimed at political dissidents. See http://bits.blogs.nytimes.com/2013/03/13/researchers-find-25-countries-using-surveillance-software/ According to Mozilla, “Gamma’s spyware tries to give users the false impression that, as a program installed on their computer or mobile device, it’s related to Mozilla and Firefox, and is thus trustworthy both technically and in its content. This is accomplished in two ways; (1) When a user examines the installed spyware on his/her machine by viewing its properties, Gamma misrepresents its program as “Firefox.exe” and includes the properties associated with Firefox along with a version number and copyright and trademark claims attributed to “Firefox and Mozilla Developers” and (2) For an expert user who examines the underlying code of the installed spyware, Gamma includes verbatim the assembly manifest from Firefox software. Through these means, that spyware was used against pro-democracy activists in Bahrain.
Obviously, vigilance is required to protect your business’ secrets or, If you’re a democracy activist, your anti-government activities. It may be time to go back to such tried and true methods as disappearing ink, paper that dissolves in water and sealing an envelope with wax. Except see http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html
