NEW YORK, N.Y. – A lawsuit challenging a law that lets the United States eavesdrop on overseas communications more widely and with less judicial oversight than in the past was reinstated Monday by a federal appeals court that said new rules regarding surveillance had put lawyers, journalists and human rights groups in a “lose-lose situation.”
The 2nd U.S. Circuit Court of Appeals said it took no position on the merits of the lawsuit brought by those in jobs that require them to speak with people overseas, saying only that the plaintiffs had legal standing to bring it against the latest version of the Foreign Intelligence Surveillance Act.
U.S. District Judge John G. Koeltl in Manhattan had sided with the government in a 2009 ruling, saying the plaintiffs lacked standing to sue since none of them could show they were subject to the surveillance. He said Americans’ fears that their conversations would be monitored and their rights violated were “purely subjective.”
Attorneys, journalists and human rights groups whose work might require speaking to possible surveillance targets had brought the lawsuit on constitutional grounds, saying new government procedures for eavesdropping on international communications forced them to take costly and burdensome steps to protect the confidentiality of their overseas communications.
In a lengthy written ruling, the 2nd Circuit said the plaintiffs had standing to sue in part because they had established that they had a reasonable fear of injury from the surveillance and had incurred costs to avoid it.
A three-judge panel of the appeals court wrote that the new regulations had “put the plaintiffs in a lose-lose situation: either they can continue to communicate sensitive information electronically and bear a substantial risk of being monitored under a statute they allege to be unconstitutional, or they can incur financial and professional costs to avoid being monitored.”
The appeals court said its ruling “does not mean that their challenge will succeed; it means only that the plaintiffs are entitled to have a federal court reach the merits of their challenge.”
A spokeswoman for government lawyers who argued the case said they had no comment.
Jameel Jaffer, deputy legal director for the American Civil Liberties Union, called the ruling a “watershed opinion.”
“For too long, the government has used unwarranted secrecy to shield intrusive surveillance programs from constitutional scrutiny,” he said. “The government’s surveillance practices should not be immune from judicial review, and this decision ensures that they won’t be.”
The plaintiffs had argued that the new procedures made it possible for the U.S. to seek to review all telephone and email communications to and from countries of foreign policy interest, including communications made to and from U.S. citizens and residents.
“This is a statute that allows the government to engage in dragnet surveillance of Americans’ international communications. As far as Americans’ international communications are concerned, the statute eliminates the probable cause and warrant requirements altogether,” Jaffer said.
The appeals court noted plaintiffs’ declarations citing individuals whose work might be affected by the eavesdropping procedures. Those individuals included a lawyer for self-professed Sept. 11 mastermind Khalid Sheik Mohammed who regularly communicates with Mohammed’s family members, experts and investigators around the world.
A lawsuit challenging the government's right to eavesdrop on Americans' international communications without warrants under the amended Foreign Intelligence Surveillance Act was reinstated by an appeals court Monday.
Civil liberties advocates welcomed the decision, which allows Amnesty International, Human Rights Watch and other groups to continue challenging the government's ability to listen in on phone calls and to monitor e-mails.
An earlier ruling by District Judge John Koeltl dismissed the lawsuit, saying the plaintiffs didn’t show they would be the subject of surveillance.
The American Civil Liberties Union and others argued they should be allowed to sue because they feared that “their communications will be monitored, and thus force them to undertake costly and burdensome measures to protect the confidentiality of international communication necessary to carrying out their jobs.”
The 2nd U.S. Circuit Court of Appeals ruled in favor of the plaintiffs, finding they have "a reasonable fear of injury."
The three-judge panel’s 63-page decision does not comment on the merits of the lawsuit.
“The government’s surveillance practices should not be immune from judicial review, and this decision ensures that they won’t be,” ACLU deputy legal director Jameel Jaffer said.
“The law we’ve challenged permits the government to conduct dragnet surveillance of Americans’ international communications, and it has none of the safeguards that the Constitution requires.
“Now that the appeals court has recognized that our clients have the right to challenge the law, we look forward to pressing that challenge in the trial court.”
The Internet security firm Comodo Group said it had been the victim of an attack that appeared to be part of a larger scheme, possibly sponsored by Iran, to eavesdrop on encrypted e-mail and chat communications.
Comodo, a digital certificate authority and security software maker, said on Wednesday that it had unwittingly issued fraudulent digital certificates for Web sites operated by Google, Yahoo, Microsoft, Skype and Mozilla. A digital certificate binds a site's domain name to its public key and is signed by an authority that browsers already trust, so a browser can confirm it is talking to the genuine site and set up an encrypted connection with it. Comodo said it revoked all of the certificates immediately upon discovering the incident and notified the site owners, the major browser makers and relevant government authorities.
The firm described the attack as well-planned and deployed with “clinical accuracy” from computers located mainly in Iran, though it pointed out in a company blog post that those computers could have been used to “lay a false trail.” But it said that the characteristics of the attack, and the fact that Iran has sought to penetrate online communication services in the past, led it to “one conclusion only” — that the attack was likely to be “state-driven.”
The Iranian government, like others in the Middle East facing opposition movements leveraging the Internet to organize protests and press for democratic change, has aggressively sought to restrict and monitor Internet access by its citizens.
With the certificates, a hacker could set up servers that browsers would accept as the genuine Web sites, with no certificate warning, because the certificates chain to an authority the browsers already trust. A government that controls Internet traffic inside its country could route users to such a server and use it to read encrypted e-mail and chat conversations and to collect user names and passwords for individuals' accounts, said Mikko H. Hypponen, chief research officer at the security firm F-Secure, in a blog post.
Even without control of the country's Internet traffic, a hacker could lure dissidents or other Web users to the rogue server and then intercept their communications and account details, said Roel Schouwenberg, a senior researcher at the security firm Kaspersky. "You can 'own' a target without having to compromise anything at the target's end," he said. "It might not be easier, but it might be 'cleaner.'"
The fraudulent certificate for Mozilla, which was for its Firefox add-on site, might have allowed the attacker, posing as Mozilla, to install malware on targeted PCs or to block the installation of Firefox extensions that help users bypass government-imposed censorship filters, Mr. Hypponen said.
“Everything points to this being an intelligence operation,” Mr. Schouwenberg said, noting that theft of certificates has become a favored tactic among governments.
The Stuxnet worm that targeted Iranian nuclear installations last year also made use of stolen certificates, though those certificates were stolen from hardware companies who owned and used them to “sign” their products, not the certificate authorities that issued them.
In this attack, Comodo, one of several companies with the authority to issue digital certificates to Web sites, said one of its partners in Southern Europe, a so-called registration authority that acts as an intermediary between Comodo and some Web-site customers, suffered a security breach on March 15. With the partner's access, the hacker set up a bogus account and submitted certificate requests that Comodo's systems quickly fulfilled, generating the nine certificates.
News of the breach led to calls for increased scrutiny of the entire certificate system.
“This should serve as a wake up call to the Internet,” wrote Jacob Appelbaum in a blog post for Tor Project, a nonprofit group that makes free software that dissidents, journalists and other privacy-conscious people use to surf the Web anonymously and defeat online monitoring. “We need to research, build, and share new methods for ensuring trust, identity, authenticity, and confidentiality on the Internet,” he wrote.
Comodo said it has evidence that the hacker tried to use one bogus certificate for Yahoo, but no evidence of use for the other companies singled out. Yahoo said it was aware of the incident and “will continue to monitor this closely.”
Skype also said it was monitoring the situation and had taken steps to mitigate an attack on its service. “We do not expect any issues as a result,” Skype added in a statement.
Google said it had not detected any use of fraudulent Google certificates.
The major browser makers have all issued updates for their software that block the bogus certificates outright, rather than relying on revocation checks, which many clients skip or treat as non-fatal when the check fails. Google pushed out an update to users of its Chrome browser on March 17. Mozilla said in a blog post Tuesday that it had issued an update to its Firefox browser and urged users to download it. Microsoft did the same on Wednesday.
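The two points above, that a mis-issued certificate passes an ordinary chain check and that the browser updates therefore had to block the specific certificates rather than wait for revocation to take effect, can be shown end to end. The following Go program is an added example written for this page; it is not Comodo's, Mozilla's or any browser's code. It builds its own root (standing in for a CA in the client's trust store), issues a leaf for a constructed hostname the way an attacker driving a CA's issuance path would obtain one, verifies the chain with the standard library, and then applies a hard-coded SHA-256 fingerprint block. The hostname, CA name and fingerprint list are all assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TargetHost and the CA name below are constructed for this example, not Comodo's data.
const TargetHost = "mail.example.com"

// ErrBlocklisted is returned when a certificate matches a known-bad fingerprint.
var ErrBlocklisted = errors.New("certificate fingerprint is on the blocklist")

// Fingerprint is the SHA-256 of the DER encoding, the usual key for a hard-coded block.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// check aborts on error; this constructed example panics rather than threading errors through.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign creates and parses a certificate for tmpl, signed with the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// BuildScenario makes a root standing in for a CA already in the client's trust store and a leaf
// for TargetHost signed by it. The leaf is "fraudulent" only in the article's sense: someone who
// does not own the name drove the CA's issuance path, so the certificate itself is valid.
func BuildScenario() (root, leaf *x509.Certificate) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Trusted Root CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: TargetHost},
		DNSNames:     []string{TargetHost},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = sign(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// VerifyChainOnly is the default client check: chain to a trusted root and match the host name.
// It cannot distinguish a mis-issued certificate from a genuine one.
func VerifyChainOnly(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// VerifyWithBlocklist adds what the browser updates shipped: a known-bad fingerprint is rejected
// before the chain check, so it holds even when the client never consults a CRL or OCSP responder.
func VerifyWithBlocklist(leaf, root *x509.Certificate, host string, blocklist map[string]bool) error {
	if blocklist[Fingerprint(leaf)] {
		return ErrBlocklisted
	}
	return VerifyChainOnly(leaf, root, host)
}

func main() {
	root, leaf := BuildScenario()
	fmt.Println("chain only:", VerifyChainOnly(leaf, root, TargetHost)) // <nil>: rogue server accepted
	blocklist := map[string]bool{Fingerprint(leaf): true}               // what a browser update carries
	fmt.Println("with blocklist:", VerifyWithBlocklist(leaf, root, TargetHost, blocklist))
}
```

The order of the two checks in VerifyWithBlocklist is the point: the fingerprint comparison needs no network access and no cooperation from the issuing CA, which is why shipping it in a browser update closes the window that revocation alone leaves open. A blocklist keyed on the leaf's fingerprint only stops the certificates that are already known; it does nothing against a further mis-issued certificate from the same compromised path, which is the gap the calls for rethinking the certificate system, quoted below, are about.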
QUEENSLAND Police have slammed an iPhone app that allows users to tap into police radio frequencies on which officers name victims of domestic violence, sexual assaults and other crimes.
The TuneIn Radio app features a pre-programmed menu from which users can listen in and record police radio frequencies in several large regional centres, including Ipswich and Redcliffe.
“There are obvious privacy concerns for victims of crime, as well as operational safety considerations and potential for impacts on ongoing investigations,” said a police spokeswoman.
The app, which also carries thousands of commercial stations and lets users listen to emergency services radio, only receives unencrypted analog transmissions and does not pick up the Brisbane city police network, which is digitally encrypted.
Queensland Privacy Commissioner Linda Matthews said the app made it easier for people to use the information for the wrong reasons. "The technology to access these broadcasts isn't new; what's really new is the way it broadens the accessibility."
She said the Queensland Government could not demand Apple remove the app from its online store because privacy legislation didn’t cover the private sector.
CEDAR RAPIDS, IA (CNN) – Some employees at a medical clinic in Iowa claimed a supervisor used a baby monitor to eavesdrop on them.
According to a labor representative for the University of Iowa medical clinic employees, workers found the monitor sitting on a shelf near the reception area.
The employees think the monitor was placed there to pick up the conversations of five secretaries and clerical workers.
"If that monitor was there for even one day, that's the potential for 100 HIPAA violations if that thing was being monitored the whole time, and that's pretty egregious," said union rep Jon Stellmach.
Managers of the office say the monitor was used to see if staff members were talking too much.
The supervisors say the monitor was removed after workers complained, and University of Iowa officials say the case is being handled by the human resources department.