From Internet Uprisings to John McAfee: The Year in Privacy and Security

From gun-toting, on-the-lam tech giants to flying drones and internet uprisings, these are the privacy and security stories that dominated Threat Level in 2012.
Aeryon Labs has submitted a bid to Alameda County, California to sell this 3-pound "Scout" surveillance drone.

  1. It's a Bird! It's a Plane! No, It's a Government Spybot!

It's not enough that the U.S. government uses drones to pick off targets on a death wishlist -- unmanned spybots are being scooped up by municipalities across the country as if they were one-off wedding dresses at a Filene's fire sale.

The Seattle Police Department is already using them, as are the Miami-Dade Police Department and the Texas Department of Public Safety. Alameda County in California is looking to purchase them, too.

This despite the fact that privacy and security issues around the use of drones have yet to be worked out.

Earlier this year, the Government Accountability Office warned that the push to bring drone surveillance into U.S. airspace had failed to take into account either of these concerns.

"[T]here is very little in American privacy law that prohibits drone surveillance within our borders," points out Ryan Calo, the director for Privacy and Robotics at the Stanford Center for Internet and Society.

The GAO report called for the government to set guidelines on drone spying in order to "preclude abuses of the technology." But the report seemed more concerned about the negative public perception that could result from such abuses -- and how that could affect the public's acceptance of drones -- than the actual consequences of the abuse on members of the public.

FAA documents obtained by the Electronic Frontier Foundation indicate that dozens of local law enforcement agencies already fly drones in U.S. airspace. The Seattle Police Department's drone comes with four separate cameras that offer thermal infrared video, low-light "dusk-dawn" video, and a 1080p HD video camera attachment.

Commercial and government drone expenditures are expected to top $89 billion over the next 10 years.

Photo: Patrick Semansky/AP
  1. Bradley Manning Gets His Day in Court

It's been more than two years since former Army intelligence analyst Bradley Manning was arrested and charged with leaking more than a million government documents to WikiLeaks. Military rules require the Army try a suspect within 190 days of being incarcerated, but more than 800 days after his arrest, Manning still hasn't had his trial.

What he did finally get, however, was a chance to put the military's treatment of him on trial in motion hearings held in Nov. and Dec. when his attorney David E. Coombs argued that the government subjected his client to unlawful pretrial punishment during his incarceration at a brig in Virginia.

Between July 29, 2010 and April 20, 2011, Manning was imprisoned at the Marine Corps' brig at Quantico, Virginia, where evidence presented in court showed a pattern of harsh treatment: Manning was placed on suicide and prevention of injury watch for months, despite recommendations from psychiatrists that he be taken off POI status; he was kept in solitary confinement in his cell for more than 23 out of 24 hours a day; he was forced to sleep without a comfortable blanket and had his slumber disrupted repeatedly during the night by guards; and he was improperly forced to stand naked for morning count on a number of occasions.

The government argued that Manning's treatment was justified by odd and disruptive behavior he exhibited -- including lack of communication and indications that he might harm himself -- and that he had multiple opportunities to complain about his treatment at the time if he had wanted to, but didn't.

Coombs countered that Manning was trapped in a Catch-22 where whatever he said or did was interpreted by the military as proof that he was suicidal and disruptive and used to justify their treatment of him.

"Being watched or viewed almost as a zoo animal for that period of time has to weigh on somebody's psyche," Coombs said during the proceedings.

In fact, Manning's attorney filed complaints against the brig's treatment of his client in Dec. 2010 and sent a number of letters in an effort to get Manning's POI status changed. It was in part the noise that Coombs made over his client's treatment, as well as the media attention it brought, that got the military to transfer Manning out of Quantico and to a more suitable prison at Ft. Leavenworth in Kansas, where his treatment dramatically changed for the better.

The defense also showed that some of the signs that the military took that Manning might harm himself were simply cynical statements he made in response to unreasonable treatment he received.

The nearly two-week hearing was held to hear arguments in a motion Coombs filed to get charges against Manning dropped as a result of his unlawful treatment. That's not likely to occur when the presiding military authority rules on the motion sometime in the coming weeks. While Coombs did manage to get the prosecution to concede that some of the military's treatment of Manning was overly harsh, prosecutors argued that if anything, Manning should only be entitled to have seven days shaved from his ultimate sentence if he's found guilty.

Manning will have another day in court in March when his trial is finally expected to take place.

  1. SOPA and PIPA Wake Up a Sleeping Giant

History was made on January 18 when more than 100,000 web sites around the world went dark for a day as part of the internet's first digital uprising.

The coordinated protest against the Protect IP Act and Stop Online Piracy Act didn't occur just online, however; it also sparked a massive congressional letter-writing and lobbying campaign backed by Google and some of the country's other biggest tech firms, and spilled onto the streets of New York, San Francisco and Seattle.

The Wikimedia Foundation reported that its blacked out page received more than 162 million visits, while Google collected more than 7 million signatures on a petition linked to from its homepage.

It was the kind of collective bird flip that only the internet could deliver. And it was something that Capitol Hill just couldn't ignore.

The self-serving bills backed by Hollywood companies and their lobbyists had sought to make core changes to internet infrastructure under the guise of fighting copyright infringement.

But within days after the protest occurred, Senate Majority Leader Harry Reid of Nevada killed PIPA, and SOPA toppled shortly thereafter.

"I think we're going to look back on, and see this as sort of a watershed moment," said Michael McGeary, the co-founder of EngineAdvocacy, a San Francisco-based startup working to get other startups involved in public policy making. "It's a moment in time we can say we grew out of our adolescence a little bit and are thinking about our future and how we can engage in our issues."

Online political protesting wasn't invented by the anti-PIPA/SOPA brigade. The early days of the web saw a lot of political activism with the crypto wars and the cypher-punk movement, which helped launch civil liberties groups like the Electronic Frontier Foundation, the Electronic Privacy Information Center and the Center for Democracy and Technology.

But until SOPA and PIPA became the net's most hated acronyms, there'd been nothing to galvanize the net's new generation.

Now that the sleeping giant has awoken, let's hope it never goes back to sleep.

The second of two GPS trackers found recently on the vehicle of a young man in California.

Photo: Jon Snyder/Wired.com
  1. Supreme Court Takes a Stand Against Warrantless GPS Tracking -- Sort Of

It was no doubt a heady day for law enforcement agents in numerous states around the country when they realized that they could slap GPS trackers on the vehicles of suspects and then follow their movements without ever leaving the squad room. Even better was the fact that they didn't have to show probable cause or get a warrant to do the surveillance. They could just tag a car on nothing more than a flimsy hotline tip.

But that all changed in January of this year when the Supreme Court ruled in one of the biggest electronic privacy decisions in decades that GPS vehicle tracking constituted a search.

The landmark ruling in the case of Antoine Jones, a convicted drug dealer, found that the government's use of a GPS tracker on Jones' vehicle constituted an illegal search, thus overturning Jones' conviction and life sentence.

Until the Supreme Court ruled in Jones' case, the lower courts were mixed on whether the police could secretly affix a GPS device on a suspect’s car without a warrant.

The ruling caused the FBI to immediately put the brakes on more than 3,000 trackers the agency already had out in the field, while lawyers for the Justice Department figured out what the ruling meant in practical terms.

The ruling was only a partial victory for the defenders of civil liberties, however. Left unresolved by the chief justices was the question of whether or not authorities actually needed to obtain a warrant to use GPS trackers. In the absence of a definitive decision on that ground, most agencies have decided to take the cautious route and obtain warrants anyway going forward.

But any ground gained by that GPS ruling was no help earlier this month when U.S. District Judge Ellen Segal Huvelle of the District of Columbia ruled that prosecutors could use warrantless cell-site data that they obtained in the Jones investigation in place of the discarded GPS data that had now been ruled illegal.

After federal prosecutors were served a setback by the Supreme Court's ruling on GPS data, they shifted their focus and moved to introduce new evidence against Jones that had not been introduced at Jones' original trial because prosecutors had used the GPS data instead. The government wanted to use records obtained through warrantless cell-tower locational tracking to chronicle where Jones was when he made and received mobile phone calls in 2005.

The issue came up during pre-trial proceedings in the retrial of Jones in the wake of the Supreme Court ruling that the high court's GPS decision did not apply to cell-site data.

In its argument to use the cell-site data, the Obama administration noted that the high court's ruling was based on the fact that the physical act of affixing a GPS device to a vehicle amounted to a search and therefore should generally require a warrant. "But when the government merely compels a third-party service provider to produce routine business records in its custody," the government wrote with regard to cell-site data, "no physical intrusion occurs, and the rule in Jones is therefore wholly inapplicable."

The Obama administration insisted that the public had no "reasonable expectation of privacy" in cellphone location data, and hence authorities could obtain documents detailing a person's movements from wireless carriers without a probable-cause warrant.

"A customer's Fourth Amendment rights are not violated when the phone company reveals to the government its own records that were never in the possession of the customer," the administration said in a court filing.

Lawyers for Jones maintained that authorities should have obtained a probable-cause warrant for the data, saying the government "seeks to do with cell site data what it cannot do with the suppressed GPS data."

But Huvelle ruled for the government, sidestepping the Fourth Amendment argument entirely in her ruling.

Instead, she focused on a doctrine called the "good-faith exemption," in which evidence is not suppressed if authorities were following the law at the time. The data in Jones' case was obtained in 2005, long before the Supreme Court's ruling on GPS.

With that, prosecutors are legally in the clear to use Jones' phone location records without a warrant.

Despite Huvelle's ruling, lower courts are still divided about whether a probable-cause warrant is required to obtain cell-site data. If history foretells the future, we can expect to see this issue come before the Supreme Court as well sometime soon.

  1. Megaupload Becomes Mega Headache for U.S. Government

It must have seemed like a good idea at the time when New Zealand authorities, in cooperation with the U.S. government, sent in a swarm of 70 heavily armed police officers via helicopter to raid the New Zealand mansion of copyright scofflaw Kim Dotcom in January of this year. But that Hollywood takedown has turned out to be one major headache for both governments as the legal case against Megaupload founder Dotcom has spiraled out of control over the last twelve months.

Dotcom has scored multiple legal victories in the campaign to defend himself against what the U.S. calls the biggest copyright infringement case in history.

A court has already ruled that warrants used to conduct the raid on his residence were unlawful. And a New Zealand judge also declared that the FBI acted illegally when it cloned data on computer hard disks seized from Dotcom's residence in the raid and sent them to the U.S.

Following this, a New Zealand judge assigned to oversee the U.S. extradition proceedings against Dotcom recused himself from the case after making a public remark that the United States was "the enemy."

Auckland District Judge David Harvey was commenting at a copyright conference when he said, "We have met the enemy, and he is (the) U.S."

If all of this wasn't enough, New Zealand's Prime Minister announced more recently that an inquiry had been launched into allegations that a government intelligence service had illegally intercepted the communications of Dotcom and other individuals targeted in the case.

The wiretapping was allegedly done by the Government Communications Security Bureau, or GCSB, as part of the controversial January raid on the Dotcom mansion. The GCSB intercepted communications in an effort to help the New Zealand police locate individuals who were being sought for arrest in the Megaupload case.

Dotcom and co-defendant Bram van der Kolk, as well as their families, are all New Zealand residents and were reportedly targeted in the communications interceptions.

"I expect our intelligence agencies to operate always within the law," Prime Minister John Key said in a statement announcing the investigation. "Their operations depend on public trust."

The Megaupload founder, along with van der Kolk, Mathias Ortmann and Finn Batato, are currently out on bail in New Zealand, awaiting a hearing in March to determine if they should be extradited to the U.S. to face charges of secondary copyright infringement for operating file-sharing websites.

The U.S. claims Megaupload facilitated copyright infringement of movies, music, television programs, electronic books, and business and entertainment software on "a massive scale." The government said Megaupload's "estimated harm" to copyright holders was "well in excess of $500 million."

If found guilty, the four could face up to 20 years in prison and million-dollar fines. But it remains to be seen what, if anything, the authorities who allegedly broke the law in trying to nab the suspects would face for their crimes.

Photo: Newton Grafitti/Flickr
  1. Sabu and the Crackdown on Anonymous

The world of Anonymous and its offshoot LulzSec was rocked earlier this year when authorities revealed that a top LulzSec leader named Hector Xavier Monsegur, a 28-year-old New Yorker who went by the online moniker “Sabu,” had become a turncoat and was working undercover for the feds since the FBI had secretly arrested him in June 2011.

Monsegur provided agents with information that helped them arrest several suspects, including Ryan Ackroyd, aka “Kayla” of Doncaster, United Kingdom; Jake Davis, aka “Topiary” of London; Darren Martyn, aka “pwnsauce” of Ireland; Donncha O’Cearrbhail, aka “palladium” of Ireland; and Jeremy Hammond, aka “Anarchaos” of Chicago.

Hammond, a member of Anonymous, is believed to be the main actor behind the hack of U.S. private intelligence company Stratfor, which resulted in the seizure of more than 5 million company e-mails, customer credit card numbers and other confidential information.

Monsegur, an unemployed father of two, led the loosely organized group of hackers from his apartment in a public housing project in New York before he was arrested and pleaded guilty to various hacking-related charges. The group had rampaged across the internet in 2011, in a 50-day series of attacks on news organizations, government websites and corporations. The hacking spree was accompanied by a lively Twitter feed and taunting public pronouncements.

After Sabu was arrested, he faced a possible maximum 124-year sentence before he started helping authorities arrest fellow members of Anonymous, AntiSec and LulzSec.

In court records, Stephanie Christensen, an assistant U.S. attorney in Los Angeles, said Monsegur was “actively cooperating with the government” and had provided “detailed information concerning the activities of certain individuals who are suspected of being involved in the unauthorized computer intrusions or ‘hacks’ into various computer networks of several well-known corporations.”

Sabu was one of the most outspoken and brazen members of the LulzSec crew that rampaged across the internet for a brief time before several of them were arrested. However, Sabu suddenly fell silent in the summer of 2011 after other anons published his identity online. He left a parting Tweet that quoted The Usual Suspects before reappearing several months later amid rumors that he'd been arrested.

Though Sabu denied the rumors, he couldn't shake them. Some said his behavior had changed after his disappearance, when he became more distant with other members while also encouraging more illegal activity.

According to several anons, Monsegur became interested in a wider range of operations, and some have even accused him of encouraging illegal activity.

But despite the changes and ultimate betrayal, many anons were reluctant to completely condemn him for his cooperation with the feds.

“It was either 124 years for Sabu, or 10 years each for the others,” one former AntiSec member told Wired earlier this year. “I get why he did it, but he damaged the collective because of his own problems. And Anonymous is not your personal army. Nor is antisec.”

Map showing the number and geographical location of Flame infections detected by Kaspersky Lab on customer machines.

Courtesy of Kaspersky
  1. Stuxnet and Flame: The Buddy Film

When a small antivirus firm in Belarus discovered the world's first known cyberweapon lurking on computers in Iran in 2010, a lot of mysteries surrounded the malware -- not just about who was behind the worm that came to be known as Stuxnet, but about how exactly the attackers had pulled off their sophisticated hack.

This year, some of those questions were answered when the New York Times quoted anonymous government sources acknowledging that the U.S. and Israel were behind the malware, and an advanced espionage tool was uncovered that appeared to be related to Stuxnet. The latter spy kit, dubbed Flame by researchers at Moscow-based Kaspersky Lab, which found the malware, dwarfed Stuxnet in size and used a vulnerability in Microsoft's digital certificate infrastructure to spread itself as legitimate code.

The malware was believed to have infected more than 10,000 machines in Iran, Lebanon, Syria, Sudan, and other countries in the Middle East and North Africa for at least two years and may have been used to conduct reconnaissance for the Stuxnet attack.

Although Flame had both a different purpose and composition than Stuxnet, and appeared to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicated strongly that the same nation-states behind Stuxnet were behind Flame.

Then, a few weeks after its discovery, researchers found definitive proof that the two pieces of malware were related, when they uncovered a module in Flame that contained code that was nearly identical to a module that was used in an early version of Stuxnet.

The module allowed Flame to spread via USB sticks using the AutoRun function on Windows machines and contained the same code that was used in a version of Stuxnet that was unleashed on computers in Iran in 2009 to attack Iran's uranium enrichment program. The module, which was known as Resource 207 in Stuxnet, was removed from subsequent versions of Stuxnet, but it served as a platform for what would later develop into the full-fledged Flame malware uncovered this year.

The researchers believe the attackers may have used the Flame module to kickstart their Stuxnet project before taking both pieces of malware into different and separate directions.

Police patrol outside the Ecuadorian Embassy, London, Wednesday June 20, 2012.

Photo: Tim Hales/AP
  1. Assange Seeks Asylum

Just when it seemed the Julian Assange saga couldn't get any weirder, with the WikiLeaks founder facing sex-crimes allegations in Sweden, the controversial figure fled to the Ecuadorean embassy in June to seek asylum and prevent U.K. authorities from extraditing him to the Scandinavian country for questioning.

After a tense standoff with UK authorities who threatened to remove Assange forcibly from the embassy, Ecuador granted asylum to the beleaguered Assange in August.

"The UK government should respect the decision of the Ecuadorean government," Ecuadorean Foreign Minister Ricardo Patino said at a press conference in Quito, "and offer the necessary warranties so that both governments can act adequately and properly representing the international rights and the right of asylum."

Patino said that Ecuador had considered Assange's claims that if extradited to Sweden to face an investigation for sex-crimes he would be further extradited to the U.S. where he would face political persecution and a military court trial for publishing documents that have angered the U.S. government.

"Ecuador requested some guarantees from Sweden that he wouldn't be extradited to the U.S., and they rejected any commitment in this sense," Patino said in explaining Ecuador's decision.

But those "warranties" Ecuador has sought from the UK have yet to materialize.

Following Ecuador's announcement, the UK Foreign Secretary William Hague said that the UK would not allow Assange safe passage out of the UK, nor was there any legal basis requiring it to do so.

"The UK does not accept the principle of diplomatic asylum," Hague said. "It is far from a universally accepted concept: the United Kingdom is not a party to any legal instruments which require us to recognize the grant of diplomatic asylum by a foreign embassy in this country. Moreover, it is well established that, even for those countries which do recognize diplomatic asylum, it should not be used for the purposes of escaping the regular processes of the courts. And in this case that is clearly what is happening."

The two countries remain in a deadlock over what to do with Assange, while the white-haired wonder enters the seventh month of his self-imposed sentence in the Latin American country's small offices.

U.S. Army Gen. David H. Petraeus, commander of U.S. Central Command, presides over a re-enlistment and awards ceremony while visiting soldiers of Task Force Mountain Warrior.

Photo: U.S. Army Spc. Albert L. Kelley, 300th Mobile Public Affairs Detachment
  1. Paula and Petraeus

Every year careless hackers, cyberstalkers and others are undone by the digital trails they leave behind for law enforcement to collect and trace back to them.

But who would have thought the nation's top spy chief would be undone so easily by digital footprints left behind in e-mail? Or that the public would suddenly become concerned about e-mail privacy after digital missives between the spy chief and his paramour were made public.

In the irony of ironies, the distinguished career of CIA Director and former Afghanistan war commander Army Gen. David Petraeus came unhinged after authorities traced the location of the sender of e-mails that were written from an anonymous e-mail account to a woman in Florida.

Authorities say the location data connected to the e-mails and the e-mail account from which they were sent helped them identify the sender as Petraeus' biographer, Paula Broadwell, who sent the e-mails after growing jealous of the Florida woman's close connections to Petraeus and other military leaders. The location data helped investigators search other e-mail accounts owned by Broadwell, including a Gmail account she used, which led them to uncover an affair between Broadwell and Petraeus.

The case showed just how easy it was to discover the personal connections that could unmask anonymous parties after FBI investigators were able to tie the emails to an account used by Broadwell and her husband and were then able to determine what other e-mail accounts had been accessed from the same computer address. Based on these connections, investigators obtained a warrant to monitor other e-mail accounts Broadwell used, including a Gmail account.

The incident caused Petraeus to resign from his position with the CIA, bringing an abrupt end to a long and storied military career. But the case seemed to have one silver lining, since it looked like attention brought to Petraeus' email exchanges might help Sen. Patrick Leahy (D-Vermont) pass an amendment to the Electronic Communications Privacy Act to force authorities to get a warrant to read e-mail or other data stored in the cloud.

In the wake of the Petraeus scandal, Leahy sought to reintroduce the amendment that he had tried unsuccessfully to pass before.

Currently, the government can obtain e-mail or other cloud documents without a warrant as long as the content has been stored on a third-party server for 180 days or more. The authorities only need to demonstrate, often via an administrative subpoena, that they have "reasonable grounds to believe" the information would be useful in an investigation.

Leahy sought to change that by slipping an amendment for ECPA into the Video Privacy Protection Act, which outlaws the disclosure of video rentals unless the consumer gives consent, on a rental-by-rental basis.

The sweeping digital privacy protections Leahy proposed would have required the government, for the first time, to get a probable-cause warrant to obtain e-mail and other content stored in the cloud, but even though the Senate Judiciary Committee had approved the cloud-storage privacy protections as part of the Video package a month ago, lawmakers removed it from the Video bill at the last minute before passing it.

John McAfee.

Photo: Brian Finke
  1. John McAfee Unhinged

It's hard to turn away from a train wreck. Even harder when the train wreck involves a brash-talking 66-year-old former millionaire with a penchant for tattoos, teenage girls, and posing provocatively with guns.

More than a quarter of a century ago, John McAfee founded his namesake antivirus firm, McAfee Associates, that went on to become one of the top-selling security companies before it was acquired by Intel in 2010 for $7.68 billion. McAfee cashed out long before the sale and embarked on a playboy's lifestyle that included homes and an endless stream of women in several countries.

But ever since local commandos raided his compound in Belize on charges that he was involved in drug production and sales, McAfee's life has been a Johnny Depp film-in-the-making as he courted reporters and fame, at one point playing Russian roulette with a journalist, and sunk deeper and deeper into a hyper-reality of his own making.

It was no surprise to anyone then when Belizean police announced in November that McAfee was in more trouble -- this time in connection to the murder of a neighbor who had complained about McAfee's dogs.

A bizarre chase ensued as McAfee went on the run using the press's hunger for a sensational story to fuel his escape. After faking a heart attack in Guatemala to avoid deportation to Belize, the tech pioneer landed in Florida. Now apparently penniless, McAfee says he wants to settle in England if he can't get his young Belizean girlfriends visas to the U.S.

There's no telling how McAfee's story will finally end, but one thing is certain: it won't be quiet.