Oliver Stone Takes Aim at Government Surveillance While the DOJ Plans to Vastly Expand Government Hacking
September 18, 2016
Benjamin Lee / The Guardian & Senator Ron Wyden, Matt Blaze and Susan Landau / WIRED Magazine
At the same time Oscar-winning director Oliver Stone talks about his Edward Snowden biopic at the Toronto film festival, the US Justice Department is planning a vast expansion of government hacking. Under a new set of rules, the FBI would have the authority to secretly use malware to hack into hundreds of thousands of computers that belong to innocent third parties -- and even crime victims. The unintended consequences could be staggering.
Oliver Stone on Snowden Relevance:
'The US Government Lies All the Time'
Benjamin Lee / The Guardian
(September 10, 2016) -- Oliver Stone has taken aim at the US government for deceiving people about the levels of surveillance that exist in the country.
The Oscar-winning director was speaking at the Toronto film festival as his new film Snowden, about the controversial NSA informant Edward Snowden, received its world premiere. The drama, starring Joseph Gordon-Levitt in the lead role, tells of the former CIA employee's discovery that the agency had constructed a system to spy on the public.
"Americans don't know anything about it because the government lies about it all the time," Stone said at a press conference. "What's going on now is pretty shocking. This story not only deals with eavesdropping but mass eavesdropping, drones and cyberwarfare. As Snowden said himself the other day, 'It's out of control, the world is out of control.'"
The film also features a cameo from Snowden himself, who still resides at an undisclosed location in Russia while he searches for asylum elsewhere. Stone hopes that he may return to US ground but is doubtful.
"Obama could pardon him and we hope so," he said. "But he has vigorously prosecuted eight whistleblowers under the espionage act, which is an all-time record for an American president, and he's been one of the most efficient managers of this surveillance world. It is the most extensive and invasive surveillance state that has ever existed and he's built it up."
The film-maker, known for the politically charged dramas Nixon and JFK, finds the current situation, which he likens to a George Orwell novel, to be at odds with the world that he grew up in.
"I grew up in a world where I never thought this could happen," he said. "But from 2001 on, it's very clear that something radical has changed. There's more to it that meets the eye and whatever they tell you, you've got to look beyond."
Gordon-Levitt met with the real Snowden in preparation for the film and believes that it's his love of America that led him to leak classified information.
"I was interested in his patriotism," he said. "He was doing what he did out of a sincere love for his country and the principles that the country is founded on. There are two different types of patriotism: there's the kind when you're allegiant to your country no matter what and you don't ask any questions, but there's another type which I really wanted to show in this character.
"The privilege of being from a free country like the US is that we are allowed to ask those questions and to hold the government accountable."
When asked about Snowden's future, Gordon-Levitt said: "I know he would love to come home and I hope for that."
The film has premiered to mixed reviews at the festival, with Variety's Owen Gleiberman calling it "the most important and galvanising political drama by an American film-maker in years" yet the Hollywood Reporter's Stephen Farber labelled it "a lackluster opus".
THE FEDS WILL SOON BE ABLE TO LEGALLY HACK ALMOST ANYONE
Senator Ron Wyden, Matt Blaze and Susan Landau / WIRED Magazine
(September 14, 2016) – Digital devices and software programs are complicated. Behind the pointing and clicking on screen are thousands of processes and routines that make everything work. So when malicious software -- malware -- invades a system, even seemingly small changes to the system can have unpredictable impacts.
That's why it's so concerning that the Justice Department is planning a vast expansion of government hacking. Under a new set of rules, the FBI would have the authority to secretly use malware to hack into thousands or hundreds of thousands of computers that belong to innocent third parties and even crime victims. The unintended consequences could be staggering.
The new plan to drastically expand the government's hacking and surveillance authorities is known formally as amendments to Rule 41 of the Federal Rules of Criminal Procedure, and the proposal would allow the government to hack a million computers or more with a single warrant.
If Congress doesn't pass legislation blocking this proposal, the new rules go into effect on December 1. With just six work weeks remaining on the Senate schedule and a long Congressional to-do list, time is running out.
The government says it needs this power to investigate a network of devices infected with malware and controlled by a criminal -- what's known as a "botnet." But the Justice Department has given the public far too little information about its hacking tools and how it plans to use them. And the amendments to Rule 41 are woefully short on protections for the security of hospitals, life-saving computer systems, or the phones and electronic devices of innocent Americans.
Without rigorous and periodic evaluation of hacking software by independent experts, it would be nothing short of reckless to allow this massive expansion of government hacking.
If malware crashes your personal computer or phone, it can mean a loss of photos, documents and records -- a major inconvenience. But if a hospital's computer system or other critical infrastructure crashes, it puts lives at risk. Surgical directives are lost. Medical histories are inaccessible. Patients can wait hours for care.
If critical information isn't available to doctors, people could die. Without new safeguards on the government's hacking authority, the FBI could very well be responsible for this kind of tragedy in the future.
No one believes the government is setting out to damage victims' computers. But history shows just how hard it is to get hacking tools right. Indeed, recent experience shows that tools developed by law enforcement have actually been co-opted and used by criminals and miscreants.
For example, the FBI digital wiretapping tool Carnivore, later renamed DCS 3000, had weaknesses (which were eventually publicly identified) that made it vulnerable to spoofing by unauthorized parties, allowing criminals to hijack legitimate government searches. Cisco's Law Enforcement access standards, the guidelines for allowing government wiretaps through Cisco's routers, had similar weaknesses that security researchers discovered.
The government will likely argue that its tools for going after large botnets have yet to cause the kind of unintended damage we describe. But it is impossible to verify that claim without more transparency from the agencies about their operations. Even if the claim is true, today's botnets are simple, and their commands can easily be found online.
So even if the FBI's investigative techniques are effective today, in the future that might not be the case. Damage to devices or files can happen when a software program searches and finds pieces of the botnet hidden on a victim's computer. Indeed, damage happens even when changes are straightforward: recently an anti-virus scan shut down a device in the middle of heart surgery.
Compounding the problem is that the FBI keeps its hacking techniques shrouded in secrecy. The FBI's statements to date do not inspire confidence that it will take the necessary precautions to test malware before deploying them in the field.
One FBI special agent recently testified that a tool was safe because he tested it on his home computer, and it "did not make any changes to the security settings on my computer." This obviously falls far short of the testing needed to vet a complicated hacking tool that could be unleashed on millions of devices.
Why would Congress approve such a short-sighted proposal? It didn't. Congress had no role in writing or approving these changes, which were developed by the US court system through an obscure procedural process. This process was intended for updating minor procedural rules, not for making major policy decisions.
This kind of vast expansion of government mass hacking and surveillance is clearly a policy decision. This is a job for Congress, not a little-known court process.
If Congress had to pass a bill to enact these changes, it almost surely would not pass as written. The Justice Department may need new authorities to identify and search anonymous computers linked to digital crimes. But this package of changes is far too broad, with far too little oversight or protections against collateral damage.
Congress should block these rule changes from going into effect by passing the bipartisan, bicameral Stopping Mass Hacking Act. Americans deserve a real debate about the best way to update our laws to address online threats.
Senator Ron Wyden (@ronwyden) (D-OR) is Oregon's senior senator and serves on the Senate Select Committee on Intelligence.
Matt Blaze @mattblaze is an associate professor of computer and information science at the University of Pennsylvania.
Susan Landau (privacyink.org) is professor of cybersecurity policy at Worcester Polytechnic Institute and author, most recently, of Surveillance or Security? The Risks Posed by New Wiretapping Technologies.
Posted in accordance with Title 17, Section 107, US Code, for noncommercial, educational purposes.