Reporter covering cybersecurity

THE KEY

President Trump’s pick to replace Justice Anthony M. Kennedy on the Supreme Court is drawing fire from privacy advocates and civil libertarians who object to his strong endorsements of warrantless government surveillance as a federal judge.

During Brett Kavanaugh’s time on the U.S. Court of Appeals for the District of Columbia Circuit, he sided with the National Security Agency and law enforcement in a pair of major cases that respectively challenged the government’s ability to collect Americans' communications and location data. His detractors — from both parties in Congress — worry his confirmation could mean a powerful voice on the bench against expanding privacy protections at a time when data collection tools are becoming more sophisticated.

“Kavanaugh has shown again and again that he will side with Big Brother and big business ahead of the liberty of individual Americans,” Sen. Ron Wyden (D-Ore.), one of the Senate’s loudest critics of government surveillance, told me. “His decisions on mass surveillance and warrantless tracking of Americans’ every move are out of step with both the Fourth Amendment and the Court’s recognition that digital devices are different.”

Rep. Justin Amash (R-Mich.) also blasted Kavanaugh’s track record in Fourth Amendment cases, calling him a “disappointing pick.”

“Future decisions on the constitutionality of government surveillance of Americans will be huge,” Amash said in a Twitter thread that quoted directly Kavanaugh’s opinion on NSA surveillance. “We can’t afford a rubber stamp for the executive branch.”

The criticisms add another dimension to the all-out blitz Senate Democrats and progressive groups launched this week to derail Kavanaugh’s nomination. While the national debate has focused largely on the judge’s views on abortion rights and executive power, his stances on digital privacy and government surveillance powers are arousing controversy that could also stretch into his confirmation hearings. 

“Judge Kavanaugh’s nomination comes at a critical moment for digital rights,” said Corynne McSherry, legal director for the Electronic Frontier Foundation, a digital rights organization. “We hope the Senate will press him to articulate his views on these crucial issues.”

Privacy advocates are particularly concerned with Kavanaugh’s defense of the NSA’s bulk collection of phone records in the case Klayman v. Obama, which arose from Edward Snowden’s disclosures about the agency’s warrantless surveillance of Americans. In a concurring opinion in 2015, Kavanaugh wrote that the program was “entirely consistent with the Fourth Amendment.” He added that the Constitution “allows governmental searches and seizures without individualized suspicion when the Government demonstrates a sufficient ‘special need’ — that is, a need beyond the normal need for law enforcement — that outweighs the intrusion on individual liberty.” In this instance, he concluded, the special need was preventing terrorist attacks.

The other case in question came several years earlier in United States v. Jones, which centered on whether law enforcement needed a warrant to track people using GPS devices. Kavanaugh dissented when the D.C. Circuit declined to revisit its ruling that police had violated a suspect’s Fourth Amendment rights by tracking his car’s location without a warrant. The majority’s decision, he said, broke with precedent saying people didn’t have a “reasonable expectation of privacy” on the highway.

Those opinions could put Kavanaugh at odds with a majority on the court that has recognized broader Fourth Amendment protections as surveillance tools have advanced. When the Jones case landed at the Supreme Court in 2012, the justices ruled unanimously that law enforcement officers typically need a warrant to track people using GPS devices. In another landmark opinion two years later, the court again ruled unanimously that warrantless cellphone searches were unconstitutional in most cases. And just last month, the court ruled 5 to 4 that law enforcement generally must get a warrant to access the troves of location records from cell towers.

Kavanaugh could be a “potential vote for retrenchment on privacy and the Fourth Amendment,” said Albert Gidari, director of privacy at the Stanford Center for Internet and Society. As Kavanaugh moves through the confirmation process, he added, “I don't think there will be any surprises, as his unabashed view that national security trumps privacy is pretty clearly articulated in Klayman.”

“In short,” Gidari said, “the privacy community isn't having cocktails over this one.”

PINGED, PATCHED, PWNED

PINGED: The Justice Department is walking back a statement from prosecutors in Virginia linking a criminal identity fraud scheme to the massive hack of Office of Personnel Management records, my colleague Rachel Weiner reports.

In an unusual letter to Sen. Mark R. Warner (D-Va.), Assistant Attorney General Stephen Boyd said a press release issued last month by the U.S. Attorney's Office for the Eastern District of Virginia “implied a premature conclusion that the exclusive and known source of the stolen identities used in the . . . fraud case was the OPM data breach.” Boyd added: “Because the victims in this case had other things in common in terms of employment and location, it is possible that their data came from another source.”

This is the first time the Justice Department has explicitly said the original version of the statement was misleading or wrong, my colleague notes. Initially, the statement read that a Virginia woman had admitted she was “Guilty of Fraud Using Stolen Info from OPM Data Breach.” An updated release scrubbed that wording, noting only that some of the victims of the fraud scheme had identified themselves as victims of the OPM breach. 

PATCHED: Three Republican senators want Google's parent company Alphabet to answer questions about Gmail's privacy policy after the Wall Street Journal reported last week that third-party apps read users' emails. Republican Sens. John Thune (S.D.), chairman of the Senate Commerce Committee, Roger Wicker (Miss.) and Jerry Moran (Kan.) told Alphabet chief executive Larry Page in a letter released Tuesday that “the reported lack of oversight from Google to ensure that Gmail data is properly safeguarded is cause for concern.”

Google does little to police those developers, who train their computers — and, in some cases, employees — to read their users’ emails, a Wall Street Journal examination has found,” the Journal's Douglas MacMillan wrote on July 2. Third-party apps that pair with Gmail may scan users' email to provide shopping or travel services, according to MacMillan. Thune, Wicker and Moran said that in the wake of the Cambridge Analytica controversy, “the potential misuse of personal data held by large internet platforms and shared with third party developers is a matter of particular concern” to the Senate panel. The senators asked the company to describe the steps it takes to protect Gmail users' privacy as part of its partnerships with third-party app developers and requested answers by July 24.

PWNED: Britain's data privacy watchdog said it plans to hand the maximum possible fine to Facebook for its role in the Cambridge Analytica scandal, The Washington Post's Tony Romm and Elizabeth Dwoskin reported Tuesday. “On Tuesday, U.K. watchdogs announced a $664,000 preliminary fine — the maximum amount allowed — after finding Facebook lacked strong privacy protections and overlooked critical warning signs that might have prevented Cambridge Analytica from trying to manipulate public opinion on behalf of clients around the world, including those who sought to withdraw Britain from the European Union in 2016,” my colleagues wrote. “The penalty from the U.K. data watchdog, called the Information Commissioner’s Office, could change as the agency discusses the matter further with Facebook.”

The social network “should have done more to investigate claims about Cambridge Analytica and take action in 2015,” Facebook's chief privacy officer Erin Egan said, as quoted by Romm and Dwoskin. The British agency blamed Facebook for allowing Aleksandr Kogan, a researcher at Cambridge University, to harvest information about Facebook users's and users' friends as well for Cambridge Analytica. "The British agency said it is still weighing potential penalties against Kogan as well as Alexander Nix, the former chief executive of Cambridge Analytica," Romm and Dwoskin wrote.

PUBLIC KEY

— Cybersecurity researchers said a hacker last month sought to sell stolen documents about U.S. military MQ-9 Reaper drones for $150 on the dark web, the Wall Street Journal’s Dustin Volz reports. “There was no evidence that the hacker who acquired the Reaper drone documents was affiliated with a foreign country, or that he was intentionally seeking to obtain military documents, said Andrei Barysevich, a senior threat researcher at Recorded Future, the U.S.-based cybersecurity firm that spotted the attempted sale,” Volz wrote. “Instead, the hacker scanned large parts of the internet for misconfigured Netgear routers and exploited a two-year-old known vulnerability, involving default login credentials, to steal files from compromised machines.” The documents were allegedly stolen from the computer of an Air Force captain at Creech Air Force Base, Volz reported.

— Four Democrats on the House Science Committee asked the Government Accountability Office in a letter released Tuesday to assess cyberthreats to the U.S. electricity grid. “The ability of cyber-criminals or foreign state actors to damage or degrade public utilities and critical infrastructure networks through cybersecurity vulnerabilities and digital infiltrations is a rising and justified concern,” the lawmakers wrote. For instance, they asked the GAO to review cybersecurity threats to local utility companies. The letter was signed by Rep. Eddie Bernice Johnson (Tex.), the ranking Democrat on the House Science Committee, and Reps. Don Beyer (Va.), Marc Veasey (Tex.) and Daniel Lipinski (Ill.)

The lawmakers also requested that the GAO determine whether electricity companies use Kaspersky Lab products, a Russian company facing a government ban on federal agencies' systems. The Department of Homeland Security in September 2017 said in a statement that it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies.”

— Irvine Company Retail Properties, which runs malls in California, uses automated license plate readers to collect information about customers but some groups worry that U.S. Immigration and Customs Enforcement could also access the data, the Verge's Russell Brandom reported Tuesday, citing a report from the Electronic Frontier Foundation. Irvine Company transmits the information to Vigilant Solutions, a company that also contracts with ICE, according to the EFF report. “Reached by The Verge, Irvine Company confirmed that license-plate data was being collected from three Orange County-area malls, but insisted that data was only shared with local agencies,” Brandom wrote. “'Vigilant is required by contract, and have assured us, that ALPR data collected at these locations is only shared with local police departments as part of their efforts to keep the local community safe,' the company said in a statement.”

— A former employee for LBI Inc., a defense contractor, was found guilty by a federal jury in Hartford, Conn., in a case of intellectual property theft, the Justice Department announced in a statement on Tuesday. Jared Dylan Sparks “surreptitiously uploaded thousands of LBI files to his personal account with Dropbox” before he left the company to work for another firm that was exploring similar business projects, according to the statement. “Jared Sparks stole thousands of documents — including proprietary designs and renderings — from his former employer when he left to work for a competitor,” John P. Cronan, acting assistant attorney general for the Justice Department's Criminal Division, said in a statement. “Yesterday’s verdict sends a clear message that the Department of Justice is committed to protecting American intellectual property and will aggressively prosecute those who steal it.”

— More cybersecurity news about the public sector:

A key Republican came back from the Kremlin seemingly shrugging off Russian aggression. His colleagues are confused as hell by his talk. Inside a controversial mission to Moscow.
The Daily Beast
Would integrate with Microsoft Office, email and prevent sharing of sensitive documents.
Ars Technica
As the U.S. looks to go on the offense in the cyber domain, critical questions remain unanswered around who will take the lead and how clearly to draw the rules of engagement.
FCW
PRIVATE KEY

— Facebook allowed a Russian tech giant with Kremlin links to keep collecting user data through apps it developed after a policy change was supposed to have stopped such activity, CNN reports. Per CNN's Donie O'Sullivan, Drew Griffin and Curt Devine: “Facebook told CNN that the Mail.Ru Group “developed hundreds of Facebook apps, some of which were test apps that were not made public. Only two apps were granted an extension, lasting two weeks, that would have allowed them to collect friend data beyond the cut-off date, Facebook said.” Sen. Mark R. Warner (D-Va.), the top Democrat on the Senate Intelligence Committee, says he wants to know more. “We need to determine what user information was shared with mail.ru and what may have been done with the captured data,” he told CNN.

— More news from the private sector: 

Multiple agencies have set Monday, July 16, as the deadline for the ban to be implemented in new procurements.
Nextgov
Chuck Robbins’s strategy is giving a Silicon Valley giant — one that used to benefit from technological complexity — momentum despite the growth of cloud computing.
New York Times
Facebook has faced a wave of misinformation and scam campaigns. Users may soon have more information about that unsolicited direct message, judging by a new feature Facebook is currently trying out.
Motherboard
SECURITY FAILS

— “Cryptocurrency conversion platform Bancor has suffered a ‘security breach’ that saw $13.5 million worth of digital tokens stolen,” CNBC’s Ryan Browne reported. “The Israeli start-up said Monday that a cryptocurrency wallet on its network had been compromised, leading to the theft of $12.5 million worth of ethereum and $1 million worth of the lesser-known token Pundi X.” The company tweeted on Tuesday that it was “close to reactivating” its network.

— More news about cyberthreats:

THE NEW WILD WEST

— As Trump takes part in a NATO meeting today in Brussels, it remains unclear how the organization would react in the event of a cyberattack, Fifth Domain's Justin Lynch reported Tuesday. “Questions over how NATO will respond to a cyberattack come as the alliance takes steps to bolster its digital protocols,” Lynch wrote. “In its joint air power strategy, unveiled in late June, NATO added cyberwarfare to its joint operations programs.”

—  A Chinese hacker group carried out a cyberattack campaign against Cambodia as the country gets ready to hold general elections at the end of the month, researchers at FireEye said in a report released on Tuesday. The group, identified as TEMP.Periscope, compromised systems at Cambodian institutions such as the National Election Commission, several ministries including the interior ministry and the Senate. Other targets included human rights advocates, diplomats and media organizations. The Chinese hacker group “maintains an extensive intrusion architecture and wide array of malicious tools, and targets a large victim set,” the FireEye researchers wrote. “We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations,” they added.

— More cybersecurity news from abroad:

Australia is preparing to ban Huawei Technologies Co Ltd from supplying equipment for its planned 5G broadband network after its intelligence agencies raised concerns that Beijing could force the Chinese telco to hand over sensitive data, two sources said.
Reuters
An ex-employee of Israel's NSO Group was indicted last week for stealing the company's code.
CNBC
ZERO DAYBOOK

Today

Coming soon

EASTER EGGS

U.S. Army creates “third arm” for soldiers:

Watch a “haboob” sweep through Arizona:

1,300-pound 'monster' crocodile caught after eight-year hunt: