Mass Interception

Thursday, 21 February 2013

Every day, billions of emails and phone calls flow through communications networks in countries across the world. Now, one American company has built technology capable of spying on them all — and business is booming.

Verint, a leading manufacturer of surveillance technologies, is headquartered in Melville, New York, in a small cluster of nondescript buildings that also includes the office of a multinational cosmetics supplier and some electronics companies.

Among Verint’s products are unremarkable security cameras and systems that enable call center managers to monitor their workers. But it also sells some of the world’s most sophisticated eavesdropping equipment, creating a line of spy tools designed to help governments and intelligence agencies snoop on communications across an entire country.

Verint sells what it calls “monitoring centers” that “enable the interception, monitoring, and analysis of target and mass communications over virtually any network.” These systems are designed to be integrated within a country’s communications infrastructure and, according to Verint’s website, are currently used in more than 75 nations.

The technology Verint designs doesn’t just target specific criminal groups or terrorists. It can be tailored to intercept the phone calls and emails of millions of everyday citizens and store them on vast databases for later analysis.

Verint boasts in its marketing materials that its “Vantage” monitoring center enables “nationwide mass interception” and “efficiently collects, analyzes, and exposes threats from billions of communications.” And if that’s not enough to satisfy spy agencies’ thirst for intelligence, Verint has more to offer. The company says it can also help governments automatically identify people from the sound of their voice using speech identification software, intercept the cellular and satellite mobile phone communications of “mass populations over a wide area” using a covert portable device, and provide data-mining tools to build detailed profiles about criminals and other “negative influencers” in real time.

The National Security Agency in the United States has reportedly purchased Verint snooping equipment, as have authorities in Mexico. However, the use of such technology in the US is a legally contentious issue. Mass monitoring of solely domestic calls and emails would be prohibited under the Fourth Amendment, which protects against unwarranted searches and seizures. But a controversial clause in a 2008 amendment to the Foreign Intelligence and Surveillance Act means mining communications as they pass between the United States and countries of interest like Pakistan and Yemen can be deemed technically permissible.

(Other countries have few regulations in this area, if any at all. Libyan dictator Muammar Gaddafi was able to get his hands on French mass surveillance gear in 2006, which was subsequently used domestically to indiscriminately track dissidents and other regime opponents.)

With revenues of more than an estimated $840 million in 2012 according to public accounts, Verint has at least 16 offices in countries including Japan, China, Russia, Israel, Australia, Canada, Germany, France, the United Kingdom, and the Philippines.

The company’s accounts reveal that its communications intelligence solutions have generated a significant proportion of revenue and have been selling better than ever in recent years. Between 2006 and 2011, for instance, Verint’s annual communications intelligence sales rocketed by almost 70 percent from $108 million to $182 million. And 2012 looks to be another good year, with an increase of about 13 percent looking likely based on the figures published for the first three quarters. Most of the company’s communications surveillance sales in 2012 were made in the Americas (53 percent). EMEA (Europe, the Middle East, and Africa) accounted for approximately 27 percent of its sales, and APAC (the Asia-Pacific region) a further 20 percent.

I contacted Verint to seek more information about its advanced eavesdropping tools. In particular, I wanted to know whether it follows the U.S. government’s "Know Your Customer" guidelines, which are designed to help businesses avoid selling goods to countries or customers where they might have an “inappropriate end-use.” But Verint declined to answer a series of detailed questions for this story and turned down an interview request. A public relations representative acting on behalf of the company told me that “due to the sensitive nature of these solutions, they [Verint] tend not to seek deeper coverage of this area of the business.”

Governments across the world are using Verint’s technology to sift through masses of intercepted communications — that much is certain. The rest, at least for now, remains a tight-lipped secret.

Cyberwar's Secret Trade

Wednesday, 16 January 2013

Behind computer screens from France to Fort Worth, Texas, elite hackers hunt for security vulnerabilities worth thousands of dollars on a secretive unregulated marketplace.

Using sophisticated techniques to detect weaknesses in widely used programs like Google Chrome, Java, and Flash, they spend hours crafting “zero-day exploits” — complex codes custom-made to target a software flaw that has not been publicly disclosed, so they can bypass anti-virus or firewall detection to help infiltrate a computer system.

Like most technologies, the exploits have a dual use. They can be used as part of research efforts to help strengthen computers against intrusion. But they can also be weaponized and deployed aggressively for everything from government spying and corporate espionage to flat-out fraud. Now, as cyberwar escalates across the globe, there are fears that the burgeoning trade in finding and selling exploits is spiralling out of control, prompting calls for new laws to rein in the murky trade.

Some legitimate companies operate in a legal gray zone within the zero-day market, selling exploits to governments and law enforcement agencies in countries across the world. Authorities can use them covertly in surveillance operations or as part of cybersecurity or espionage missions. But because sales are unregulated, there are concerns that some gray market companies are supplying to rogue foreign regimes that may use exploits as part of malicious targeted attacks against other countries or opponents. There is also an anarchic black market that exists on invite-only Web forums, where exploits are sold to a variety of actors — often for criminal purposes.

The importance of zero-day exploits, particularly to governments, has become increasingly apparent in recent years. Undisclosed vulnerabilities in Windows played a crucial role in how Iranian computers were infiltrated for surveillance and sabotage when the country’s nuclear program was attacked by the Stuxnet virus (an assault reportedly launched by the United States and Israel). Last year, at least eight zero days in programs like Flash and Internet Explorer were discovered and linked to a Chinese hacker group dubbed the “Elderwood gang,” which targeted more than 1,000 computers belonging to corporations and human rights groups as part of a shady intelligence-gathering effort allegedly sponsored by China.

The most lucrative zero days can be worth hundreds of thousands of dollars in both the black and gray markets. Documents released by Anonymous in 2011 revealed Atlanta-based security firm Endgame Systems offering to sell 25 exploits for $2.5 million. Emails published alongside the documents showed the firm was trying to keep “a very low profile” due to “feedback we've received from our government clients.” (In keeping with that policy, Endgame didn’t respond to questions for this story.)

But not everyone working in the business of selling software exploits is trying to fly under the radar — and some have decided to blow the whistle on what they see as dangerous and irresponsible behaviour within their secretive profession.

Adriel Desautels, for one, has chosen to speak out. The 36-year-old “exploit broker” from Boston runs a company called Netragard, which buys and sells zero days to organizations in the public and private sectors. (He won’t name names, citing confidentiality agreements.) The lowest-priced exploit that Desautels says he has sold commanded $16,000; the highest, more than $250,000.

Unlike other companies and sole traders operating in the zero-day trade, Desautels has adopted a policy to sell his exploits only domestically within the United States, rigorously vetting all those he deals with. If he didn’t have this principle, he says, he could sell to anyone he wanted — even Iran or China — because the field is unregulated. And that’s exactly why he is concerned.

“As technology advances, the effect that zero-day exploits will have is going to become more physical and more real,” he says. “The software becomes a weapon. And if you don’t have controls and regulations around weapons, you’re really open to introducing chaos and problems.”

Desautels says he knows of “greedy and irresponsible” people who “will sell to anybody,” to the extent that some exploits might be sold by the same hacker or broker to two separate governments not on friendly terms. This can feasibly lead to these countries unwittingly targeting each other’s computer networks with the same exploit, purchased from the same seller. “If I take a gun and ship it overseas to some guy in the Middle East and he uses it to go after American troops — it’s the same concept,” he says.

The position Desautels has taken casts him as something of an outsider within his trade. France’s Vupen, one of the foremost gray-market zero-day sellers, takes a starkly different approach. Vupen develops and sells exploits to law enforcement and intelligence agencies across the world to help them intercept communications and conduct “offensive cyber security missions,” using what it describes as “extremely sophisticated codes” that “bypass all modern security protections and exploit mitigation technologies.”

Vupen’s latest financial accounts show it reported revenue of about $1.2 million in 2011, an overwhelming majority of which (86 percent) was generated from exports outside France. Vupen says it will sell exploits to a list of more than 60 countries that are members or partners of NATO, provided these countries are not subject to any export sanctions. (This means Iran, North Korea, and Zimbabwe are blacklisted — but the likes of Kazakhstan, Bahrain, Morocco, and Russia are, in theory at least, prospective customers, as they are not subject to any sanctions at this time.)

“As a European company, we exclusively work with our allies and partners to help them protect their democracies and citizens against threats and criminals,” says Chaouki Bekrar, Vupen’s CEO, in an email. He adds that even if a given country is not on a sanctions list, it doesn’t mean Vupen will automatically work with it, though he declines to name specific countries or continents where his firm does or does not have customers.

Vupen’s policy of selling to a broad range of countries has attracted much controversy, sparking furious debate around zero-day sales, ethics, and the law. Chris Soghoian of the ACLU — a prominent privacy and security researcher who regularly spars with Vupen CEO Bekrar on Twitter — has accused Vupen of being “modern-day merchants of death” selling “the bullets for cyberwar.”

“Just as the engines on an airplane enable the military to deliver a bomb that kills people, so too can a zero day be used to deliver a cyberweapon that causes physical harm or loss of life,” Soghoian says in an email. He is astounded that governments are “sitting on flaws” by purchasing zero-day exploits and keeping them secret. This ultimately entails “exposing their own citizens to espionage,” he says, because it means that the government knows about software vulnerabilities but is not telling the public about them.

Some claim, however, that the zero-day issue is being overblown and politicized. “You don’t need a zero day to compromise the workstation of an executive, let alone an activist,” says Wim Remes, a security expert who manages information security for Ernst & Young.

Others argue that the U.S. government in particular needs to purchase exploits to keep pace with what adversaries like China and Iran are doing. “If we’re going to have a military to defend ourselves, why would you disarm our military?” says Robert Graham at the Atlanta-based firm Errata Security. “If the government can’t buy exploits on the open market, they will just develop them themselves.” He also fears that regulation of zero-day sales could lead to a crackdown on legitimate coding work. “Plus, digital arms don’t exist — it’s an analogy. They don’t kill people. Bad things really don’t happen with them.”

*****

So are zero days really a danger? The overwhelming majority of compromises of computer systems happen because users failed to update software and patch vulnerabilities that are already known about. However, there are a handful of cases in which undisclosed vulnerabilities — that is, zero days — have been used to target organizations or individuals.

It was a zero day, for instance, that was recently used by malicious hackers to compromise Microsoft’s Hotmail and steal emails and details of the victims' contacts. Last year, it was reported that a zero day was used to target a flaw in Internet Explorer and hijack Gmail accounts. Noted “offensive security” companies such as Italy’s Hacking Team and the England-based Gamma Group are among those to make use of zero-day exploits to help law enforcement agencies install advanced spyware on target computers — and both of these companies have been accused of supplying their technologies to countries with an authoritarian bent. Tracking and communications interception can have serious real-world consequences for dissidents in places like Iran, Syria, or the United Arab Emirates. In the wrong hands, it seems clear, zero days could do damage.

This potential has been recognized in Europe, where Dutch politician Marietje Schaake has been crusading for groundbreaking new laws to curb the trade in what she calls “digital weapons.” Speaking on the phone from Strasbourg, France, Schaake tells me she’s concerned about security exploits, particularly where they are being sold with the intent to help enable access to computers or mobile devices not authorized by the owner. She adds that she is considering pressing for the European Commission, the EU’s executive body, to bring in a whole new regulatory framework that would encompass the trade in zero days, perhaps by looking at incentives for companies or hackers to report vulnerabilities that they find.

Such a move would likely be welcomed by the handful of organizations already working to encourage hackers and security researchers to responsibly disclose vulnerabilities they find instead of selling them on the black or gray markets. The Zero Day Initiative, based in Austin, Texas, has a team of about 2,700 researchers globally who submit vulnerabilities that are then passed on to software developers so they can be fixed. ZDI, operated by Hewlett-Packard, runs competitions in which hackers can compete for a pot of more than $100,000 in prize funds if they expose flaws. “We believe our program is focused on the greater good,” says Brian Gorenc, a senior security researcher who works with the ZDI.

Yet for some hackers, disclosing vulnerabilities directly to developers lacks appeal because greater profits can usually be made elsewhere. When I ask Vupen’s Bekrar what he thinks of responsible disclosure programs, he is critical of “lame” rewards on offer and predicts that for this reason an increasing number of skilled hackers in the future will “keep their research private to sell it to governments.” It may also be the case that, no matter what the financial incentive, for some it will always be more of a thrill to shun the “responsible.” So even if regulators internationally were to somehow curb exploit sales, it’s likely it would only have a tangible impact on legitimate companies like Vupen, Endgame, Netragard, and others. There would remain a burgeoning black market, in which vulnerabilities are sold off to the highest bidder. This market exists in an anarchic pocket of the Internet, a sort of Wild West, where legality is rarely of paramount importance — as former Washington Post reporter Brian Krebs recently found out for himself.

Krebs, who regularly publishes scoops about zero days on his popular blog, has on several occasions been besieged by hackers after writing about vulnerabilities circulating on the black market. Krebs says his website came under attack last year after he exposed a zero day that was being sold on an exclusive, invite-only Web forum. “They don’t like the attention,” he says. The hackers were able to find Krebs’ home IP address. Then, they began targeting his Internet connection and taunting him. Krebs was eventually forced to change his router and has since signed up for a service that helps protect his online identity. But he says he still receives malware by email “all the time.”

It’s difficult to imagine how the aggressive black market that Krebs encountered could ever be efficiently curtailed by laws. That is why the best way for vulnerabilities to be fully eliminated — or at least drastically reduced — would perhaps be to place a greater burden on the software developers to raise standards. If only developers would invest more in protecting user security by designing better, safer software and by swiftly patching security flaws, the zero-day marketplace would likely be hit by a crushing recession.

At present, however, that remains an unlikely prospect. And unfortunately it seems there’s not a great deal you can do about it, other than to be aware of the risk.

“Most organizations are one zero day away from compromise,” Krebs says. “If it’s a widely used piece of software, you’ve just got to assume these days that it’s got vulnerabilities that the software vendors don’t know about — but the bad guys do.”

This article first appeared at Slate.

GPS Tracking, USA

Sunday, 25 November 2012

The tools once reserved for intelligence operatives have become increasingly cheap and available in recent years, and perhaps no one has benefited from this more than private investigators who make their money by monitoring suspected cheaters. No longer do they have to sit outside a seedy motel for hours, trying to take pictures of a philandering husband and his mistress entering a room together. They need only attach a GPS device to the suspected adulterer’s car, and the client’s suspicions can be confirmed.

In a landmark ruling in January, the US Supreme Court held that law enforcement use of GPS trackers to monitor movements constitutes a “search.” That means the technology falls under the Fourth Amendment’s protections against unreasonable searches and seizures, making it difficult for police to put a tracker on a car without first obtaining a warrant. But for private individuals, laws around the use of GPS trackers remain patchy, differing state to state.

Take California, Texas, Virginia, and Minnesota. These states allow private individuals to use tracking devices where the owner of a vehicle consents to it being monitored. Where there is no consent, it is considered a misdemeanor that can result in a fine and a jail sentence of six to 12 months. If a vehicle is jointly owned — say, by a husband and wife — and one owner wants to secretly track the other, it’s a murky area that’s as ethically dubious as it is legally contentious. However, that isn’t stopping private investigators — some of whom appear willing to track any vehicle regardless of its ownership.

In a bid to find out whether private eyes are adhering to the law, earlier this month I decided to dabble in a bit of undercover investigating of my own. Posing as a suspicious wife and using a fake email address, I wrote to a number of PIs in the states with the strictest laws on the use of GPS surveillance trackers. Those I randomly selected were all advertising a GPS service openly on their websites, and I emailed to request a quote for how much it would cost to “GPS monitor movements of my husband's car” over a two-week period.

Of the 20 investigators I contacted, 16 replied, and only one declined to offer me some sort of GPS tracking, citing legal concerns. The majority of the PIs said they would do it on the condition that my name was on the title of the car, with some offering to provide a DVD of its movements and others offering “real-time” surveillance of the vehicle for me to watch live via cellphone or computer.

Two separate investigators in California I approached expressed no immediate concern for the state’s GPS tracking law, which unequivocally outlaws tracking a car without the consent of its owner. Still using the fake name and email address, I asked whether the investigators would be willing and able to monitor more than one vehicle at a time. “There is another person who I believe is involved with my husband and it would be useful for me to check her car's movements at the same time as my husband's,” I wrote.

The response from Irvine, Calif.-based Hudson Investigations was a straight yes. “I could do it for $1200 including install and removal,” company boss Rick Hudson, a former Orange County police officer, told me. I received a similarly affirmative answer from Western Investigations, a firm headquartered near San Diego that claims on its website to be one of the most experienced PI agencies in California. “You are looking at a total of $1,800 for 2 vehicles for 2 weeks of the tracking,” Western Investigations’ general manager wrote. “We will give you access to monitor it yourself during the entire course of the investigation. And if you would like a location history report at the conclusion of the investigation, we can do so as well.”

When I subsequently contacted Western Investigations under my real name about this story, I asked whether it was aware the service I requested is classified as a misdemeanor under California’s penal code. “If I gave you the wrong impression then I was mistaken,” the GM wrote back in an email, insisting that the company would not install a tracking device without the consent of the registered owner. Western Investigations’ owner Patrick Schneemann then told me in a separate message, “I can assure you that our company policy is that we do not use GPS in our investigations unless we have consent from the owner of the vehicle.”

Rick Hudson at Hudson Investigations said he was sure he had mentioned the legal constraints in his emails (he didn’t) and said that he wouldn’t put a tracker on any vehicle without signing a GPS agreement with the customer that says that they have the authorisation. Hudson added that he gets “so many calls regarding these tracking units that it's crazy.”

Other PI companies were reluctant to directly help me track the vehicles but instead offered to sell or rent me GPS tracking equipment. This would mean any unlawful use of the tracker would be on my shoulders and not those of a PI. In one instance, even after I informed Texas-based LP Dynamics that I was looking to track two vehicles, one of which had no ownership connection to me, I was offered "2 passive GPS units" for $125 each. A company representative emailed: "Just place on a vehicle, remove when you want and download to your computer to see where they have been." When I later contacted the company for this story, CEO Michael Morrison emailed that "we are a licensed private investigation corporation and not an attorney." Morrison rightly stated that LP Dynamics follows Texas law "to the letter" because the penal code covers only the installation of tracking systems but not the sale of the devices. This could be considered something of a legal loophole.

The solitary exception was California-based Orange Investigations, run by former military policeman Ryan Garrahy. Of the 16 that responded to me, Garrahy was the only PI to completely stonewall my request. Orange Investigations has previously provided GPS tracking for its clients, but Garrahy said he has stopped doing so “at this particular time” because of concerns about a possible rise in civil suits linked to the Supreme Court decision in January.

*****

Overall, the impression I got was that it was not difficult to find companies willing to help me track any vehicle, which could potentially result in a misdemeanor being committed. Even the investigators who were more cautious, telling me that they would only track a vehicle I had an “ownership interest” in, were on shaky ground. Though a case in Minnesota last year ruled that it was acceptable to use a GPS tracker on your spouse if you co-own the car, there is far from a legal consensus on the matter in other states.

Austin, Texas-based criminal lawyer Ian Inglis told me he thought that the Texas statute on tracking wasn’t constructed with joint ownership in mind. “Even if there’s no criminal liability, there could be some civil liability, and it might look bad in a divorce, too,” Inglis said. “Whether it’s your husband or wife, it’s a bad idea to track anybody’s car without their permission.”

In California, similarly, it’s a gray area. Hanni Fakhoury, staff attorney at the Electronic Frontier Foundation, said he wasn’t aware of any statutory California law that addressed the joint ownership question. Fakhoury referred to Georgia v. Randolph, a Supreme Court case where it was ruled that there needed to be joint agreement for the lawful search of a jointly owned property. According to Fakhoury, the joint consent deemed necessary in Randolph is consistent with other California law and so could feasibly apply to the use of trackers on a jointly owned vehicle. (Californian wiretap law, for instance, requires both parties to a conversation to consent to having the conversation recorded — unlike federal wiretap law, which only requires one party to consent.)

Contentious legal issues aside, what’s clear is that the use of GPS tracking devices is very far from being under control. While law enforcement agencies are now bound to consider the trackers as covered by the Fourth Amendment, in the private domain there’s a lack of clarity when it comes to the regulation. Where there are laws, in some cases they are being ignored, and where there is any ambiguity, it is being exploited — often by individuals who stand to make a profit.

As is frequently the case in the realm of surveillance, the technology is out of step with the law. High-tech tracking tools that would a decade ago have rarely been used outside police and military circles are available today to anyone with a credit card and access to the Internet. The technology is continuing to advance and is simultaneously becoming cheaper. And that’s not going to change any time soon.

SpyBase, a surveillance gadgets retailer based out of Torrance, Calif., has seen in recent years a rapid increase in sales of GPS trackers, a trend that’s continuing. The store’s owner, who didn’t want to be named, told me GPS trackers were his “best-sellers,” and that a sophisticated $299 real-time tracker called the PTX 5 was his customers’ favorite.

“PIs, police, private citizens,” he said. “It’s a very big market.”

This article first appeared at Slate.

Counter Surveillance

Friday, 2 November 2012

Lately, Mike Janke has been getting what he calls the “hairy eyeball” from international government agencies. The 44-year-old former Navy SEAL commando, together with two of the world’s most renowned cryptographers, was always bound to ruffle some high-level feathers with his new project — a surveillance-resistant communications platform that makes complex encryption so simple your grandma can use it.

After more than two years of preparation, last month the finished product hit the market. Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications — text messages, plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus, and Android in the works. An email service is also scheduled to launch soon.

The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user — a bit like how “this tape will self destruct” goes down in Mission: Impossible, but without the smoke or fire.

Silent Circle began as an idea Janke had after spending 12 years working for the US military and later as a security contractor. When traveling overseas, he realised that there was no easy-to-use, trustworthy encrypted communications provider available to keep in touch with family back home. Cellphone calls, text messages, and emails sent over the likes of Hotmail and Gmail can just be “pulled right out of the air,” according to Janke, and he didn’t think the few commercial services offering encryption — like Skype and Hushmail — were secure enough. He was also made uneasy by reports about increased government snooping on communications. “It offended what I thought were my God-given rights — to be able to have a free conversation,” Janke says. “And so I began on this quest to find something to solve it.”

Janke assembled what he calls an “all-star team”: Phil Zimmermann, a recent inductee to the Internet’s Hall of Fame, who in 1991 invented PGP encryption, still considered the standard for email security. Jon Callas, the man behind Apple’s whole-disk encryption (which is used to secure hard drives in Macs across the world), became Silent Circle’s chief technology officer. Other employees were top engineers and ex-special-forces communications experts based in England, Latvia, and Germany. Together, they designed their own software, created a new encryption protocol called SCimp, registered their company offshore and outside US jurisdiction, then built up their own network in Canada. (They eventually plan to expand to Switzerland and Hong Kong.)

Though many encryption options already exist, they are often difficult to use, which is a barrier for those without the skills, patience, or time to learn. Silent Circle helps remove these hurdles. As a result, organisations that have a real need for secure communications but have maybe not understood how to implement them are coming forward and expressing interest in Silent Circle.

Janke says he’s already sold the technology worldwide to nine news outlets, presumably keen to help protect their journalists’ and sources’ safety through encryption. (ProPublica, for one, confirmed it’s had “preliminary discussions” with Silent Circle.) A major multinational company has already ordered 18,000 subscriptions for its staff, and a couple of A-list actors, including one Oscar winner, have been testing the beta version. The basic secure phone service plan will cost $20 a month per person, though Janke says a number of human rights groups and NGOs will be provided with the service for free.

The company has also attracted attention from 23 special operations units, intelligence agencies, and law enforcement departments in nine countries that are interested in using Silent Circle to protect the communications of their own employees — particularly on the personal devices that they use at home or bring to work. Some of these same agencies, perhaps unsurprisingly, have contacted Janke and his team with concerns about how the technology might be used by bad guys. Because Silent Circle is available to just about anyone, Janke accepts there is a real risk that a minority of users could abuse it for criminal purposes. But he argues you could say the same thing about baseball bats and says if the company is ever made aware someone is using the application for “bad illegal things” — he cites an example of a terrorist plotting a bomb attack — it reserves the right to shut off that person’s service and will do so “in seven seconds.”

The very features that make Silent Circle so valuable from a civil liberties and privacy standpoint make law enforcement nervous. Telecom firms in the United States, for instance, have been handing over huge troves of data to authorities under a blanket of secrecy and with very little oversight. Silent Circle is attempting to counter this culture by limiting the data it retains in the first place. It will store only the email address, 10-digit Silent Circle phone number, username, and password of each customer. It won’t retain metadata (such as times and dates calls are made using Silent Circle). Its IP server logs showing who is visiting the Silent Circle website are currently held for seven days, which Janke says the company plans to reduce to just 24 hours once the system is running smoothly.

Almost every base seems to have been covered. Biannually, the company will publish requests it gets from law enforcement in transparency reports, detailing the country of origin and the number of people the request encompassed. And any payment a person makes to Silent Circle will be processed through third-party provider Stripe, so even if authorities could get access to payment records, Janke says, “that in no way gives them access to the data, voice, and video the customer is sending-receiving ... nor does it tie the two together.” If authorities wanted to intercept the communications of a person using Silent Circle, it is likely they’d have to resort to deploying Trojan-style tools — infecting targeted devices with spyware to covertly record communications before they become encrypted.

Among security geeks and privacy advocates, however, there’s still far from a consensus on how secure Silent Circle actually is. Nadim Kobeissi, a Montreal-based security researcher and developer, took to his blog last month to pre-emptively accuse the company of “damaging the state of the cryptography community.” Kobeissi’s criticism was rooted in an assumption that Silent Circle would not be open source, a cornerstone of encrypted communication tools because it allows people to independently audit the code and make their own assessments of its safety (and to check for secret government backdoors). Christopher Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, said he was excited to see a company like Silent Circle visibly competing on privacy and security but that he was waiting for it to go open source and be audited by independent security experts before he would feel comfortable using it for sensitive communications.

When I asked Janke about this, he said he recognised the importance of the open-source principle. He says the company, contrary to Kobeissi’s assertion, will be using a noncommercial open-source license, which will allow developers to “do their own builds” of Silent Circle. “We will put it all out there for scrutiny, inspection, and audit by anyone and everyone,” he added.

Another factor is that a number of countries are pushing for new surveillance laws that will force many communications providers to build in backdoors for wiretapping. The Silent Circle team has been following these developments closely, and it seems to have played into the decision to register offshore and locate its multimillion-dollar network outside US jurisdiction. Janke says he has consulted with Canada’s privacy commissioners and understands that the new effort to upgrade surveillance capabilities in Canada will not affect the company because its technology is encrypted peer-to-peer (making it technically incapable of facilitating a wiretap request even if it receives one).

But what if, one day down the line, things change and Canada or another country where Silent Circle has servers tries to force them to build in a secret backdoor for spying? Janke has already thought about that — and his answer sums up the maverick ethos of his company.

“We won’t be held hostage,” he says, without a quiver of hesitation. “All of us would rather shut Silent Circle down than ever allow a backdoor or be bullied into an ‘or else’ position.”

In an age of ever-increasing surveillance, it’s a gutsy stance to take. Perhaps Big Brother has finally met its match.

This article first appeared at Slate.

England's Far Right

Tuesday, 16 October 2012

In towns and cities across England, there are small pockets of men who are filled with seething rage. Threatening acts of violence, they pose for photographs holding guns and discuss potential targets on Internet forums. Despite what you might think, these men are not Islamic jihadists who sympathise with the terror group al-Qaida. They are “white nationalists” – extreme right-wing neo-Nazis who are growing increasingly bold and volatile.

Since 2010, far-right groups in the UK have become more and more fragmented. The British National Party (BNP) had enjoyed a small growth in popularity in the years prior to 2010. But the birth of the anti-Islamism organisation the English Defence League (EDL) in 2009 gradually drew many away from the BNP and towards grassroots street protest. Today, both the BNP and the EDL are in decline – though not because those on the extreme right have changed their views. The BNP now accepts black and Asian members, and the EDL has formed a “Jewish division.” For many on the hard right, who are devoutly racist and anti-Semitic, that is intolerable. As a result, small factions are choosing to take matters into their own hands.

“They are turning not to a popular Islamophobia so much as to real neo-Nazi extreme right wing,” says Dr Paul Jackson, director of the University of Northampton’s radicalism and new media unit. “Because the main EDL social movement itself has really lost its momentum, it has increasingly created the opportunity for these new groups to develop in localised pockets.”

Calling themselves names like the Infidels and the Combined Ex Forces, the splinter groups frequently exhibit hatred of anyone non-white – particularly Asians. Based across England, with hubs in Liverpool and Greater Manchester, some members have strong ties to the neo-Nazi National Front, which became notorious in the 1970s for demanding that all “coloured immigrants” be shipped out of Britain.

In previous decades other extreme far-right collectives, like the so-called Aryan Strike Force or Combat 18, have perpetrated and plotted acts of violence. However, the Internet has helped the latest incarnations of these far-right groups spread their ideas and build networks in new ways, according to Dr Jackson. “Disaffected people are vulnerable to it,” he says. “It’s so easily available online and can have quite a strong impact.”

One of the most active groups in England is the North West faction of the Infidels. The shadowy group says it is made up of “right-wing patriots, loyalists, and nationalists” who will “stand with anyone willing to fight the enemies of Britain and for the right of its indigenous people.” The Infidels say they are against “the Islamic takeover of parts of the UK,” multiculturalism, immigration and “the militant left.”

A Facebook page created by members of the Liverpool and Wirral branch of the Infidels displays a clear commitment to violence. The page, “liked” by more than 500 people, contains warnings about impending “civil unrest” alongside images of petrol bombs and men wielding rifles. Last month the group posted an image of the Houses of Parliament exploding in flames below the message “one day you lot will pay!” The group has also posted the home addresses of people apparently deemed legitimate targets for future vigilante attacks, such as, in one case, two Asian Rochdale councillors.

Last year, the government helped launch a campaign called Measuring Anti-Muslim Attacks (MAMA), designed to encourage the reporting of hate crimes. Fiyaz Mughal, the campaign’s director, says he has recently witnessed an “unbelievable” increase in anti-Muslim sentiment.

“It’s shocking because what we’ve started to see over the last six months in particular is people being more violent in their threats online,” Mughal says. “It’s moving towards a much more violent and extreme outcome.”

MAMA is receiving anything between ten and 25 reports of anti-Muslim extremism every day, with specific “cluster points” in Glasgow, West Yorkshire, West Midlands, Luton, Greater Manchester, and Derbyshire. The organisation says it has managed to get seven people convicted for spreading hatred online, with other cases involving EDL sympathisers in Luton ongoing. But according to Mughal, the police are still sometimes behind the curve when it comes to the far-right threat – with their resources focused more heavily on looking for potential terrorists among radical Islamist groups.

Despite that criticism, the government insists it is focused on tackling right-wing extremism. “The government condemns extremism in all its forms,” a Home Office spokesperson says. “There is no place for violence, criminality and disorder in our society and police have a range of powers to tackle it.”

The threat of serious far-right violence is certainly genuine. This was affirmed tragically in Norway on 22 July last year, when Anders Breivik launched a rampage that resulted in the deaths of 77 people. Breivik justified his massacre by blaming multiculturalism and politicians who had allowed high levels of immigration. Among some members of the extreme right in England, Breivik is seen as a hero – a soldier who performed an act of war they would like to see repeated elsewhere.

Last month, Walsall-based kickboxer Darren Clifft started a petition to free Breivik from prison, describing the convicted killer’s massacre as “self defence” and “inspirational.” 23-year-old Clifft, who is affiliated with the Infidels, posted pictures of himself doing a Nazi salute while wearing a Ku Klux Klan outfit (see image above). In May he wrote that he had been dreaming about becoming a suicide bomber, in one post on Facebook writing: “I've had these dreams about blowing people up for weeks.”

In other cases, EDL members have posed in photographs wielding guns and threatening bomb attacks. In April, Kenny Holden, a 30-year-old man from South Shields, warned that he was going to set off a “pipe bomb” in an Asian area of the city. He said that if he could obtain a gun, he was ready to go on a shooting spree “Olso style” – an apparent reference to Breivik. Holden was later arrested and charged with two counts of sending offensive or menacing messages.

The controversy, however, is not confined to a fringe element of the far right. Prominent EDL supporter Michael Wood, who last year co-founded the British Freedom Party in a bid to challenge the BNP, caused upset following comments made about Breivik. In the aftermath of the massacre, he wrote on Twitter: “Couldn't care less that #Breivik went radio rental on leftist youths. He knew they would grow up to betray Norway #EDL.”

What did Wood mean exactly? “Breivik was a Frankenstein born out of Scandinavian liberal attitudes towards mass immigration and the integration of Muslim migrants,” he says in an interview conducted by email. “What his attack has done, is forced Norwegians to rethink the course they're taking and to question whether Breivik has a point about immigration and the future that awaits Norway – in my view he is right on several points. So when I say that I don't care, I mean that it is not my responsibility to apologise for Anders Breivik, it is the EU and the Norwegian leftists who should apologise.”

The viewpoint held by Wood is one shared by many of those on the far right. The position is that Breivik was somehow forced into his act of mass violence by the multiculturalism espoused by liberal politicians. On the far-right Internet forum StormFront, UK-based users commented after Breivik’s attacks that his victims, some of whom were as young as 14, were “not innocent” because they were political activists who would eventually go on to “encourage more and more Islamists into their country.” One user, named NickGrifford, wrote: “Many will suffer before the end, but the many have brought it upon themselves.”

Given this level of sympathy for Breivik’s actions, the obvious question is whether a single “lone wolf” attack from a far-right fanatic is possible on British shores. The heightening anti-Muslim sentiment, paired with the growth of a number of factions seemingly willing to perpetrate acts of violence, means it is alarmingly difficult to rule out.

“Although we haven’t seen any major terrorist attacks from the far-right yet, part of the thing about social media is that it enables them to encourage and communicate with each other – to engineer things to happen,” says Matthew Collins, a researcher for Hope Not Hate, a campaign group that monitors far-right extremism. “Some of these groups – they’re little more than racist drug gangs. And that’s exactly what makes them so dangerous.”

Menwith Hill

Friday, 28 September 2012

Situated awkwardly in the heart of rolling green English countryside is the United States’ largest overseas intelligence station. Surrounded by farmland and sheep, hundreds of National Security Agency staff go to work every day at RAF Menwith Hill, where they eavesdrop on communications intercepted by satellite dishes contained in about 30 huge golf ball-like domes.

Used by the NSA since the 1960s, Menwith Hill is an important spy center. But there is growing disquiet in Britain over whether intelligence gathered at the base is being used to help with the CIA’s controversial clandestine drone strikes. And the government is keeping mum.

Earlier this month, Ken Macdonald, former chief prosecutor for England and Wales, spoke out on the subject in an interview with the London Times. He told the newspaper he believed there was compelling evidence that Britain was providing the United States with information subsequently used to help with drone attacks in countries like Pakistan. Because the United Nations says that the CIA’s covert drone campaign possibly violates international law, the allegation was politically explosive. The implication is that the British government could itself be complicit in unlawful drone bombings, which in Pakistan alone since 2004 have killed up to an estimated 3,337 people, among them hundreds of civilians.

Prior to Macdonald thrusting the issue into the spotlight, it had been simmering for some time. In May, a Pakistani student whose father was killed in a suspected U.S. drone attack launched legal action against the British government in a bid to expose whether it hands over intelligence for drone attacks on terrorist suspects. And a study published in March claimed the Menwith Hill base was being expanded to “support 'real-time' U.S. military actions, including drone attacks and those carried out by special operations forces.”

What goes on inside the Menwith station is impossible to know for sure. However, according to a 2001 European Parliament report, it is part of a surveillance network called ECHELON, situated to intercept communications routed over the Indian and Atlantic oceans. Former NSA employee Margaret Newsham, who worked at Menwith Hill 20 years ago, told CBS it monitored Russian and Chinese communications (but on one occasion spied on U.S. Sen. Strom Thurmond). And the Federation of American Scientists has claimed it is capable of intercepting an astonishing two million communications an hour.

If these reported capabilities are correct, it seems highly plausible that the base’s satellites are today intercepting at least some communications from the Middle East — which could help inform how the CIA picks its targets for drone strikes in countries such as Pakistan, Yemen and Somalia.

It’s also plausible that any intercepts gathered at Menwith play a crucial — not just contributory — role. In April, the Washington Post revealed that the White House had approved drone strikes in Yemen based solely on intelligence signatures. These are defined, according to the Post, as patterns of behavior indicative of a plot against U.S. interests “detected through signals intercepts, human sources and aerial surveillance.”

This brand of intelligence-led warfare has already led Germany to limit information it shares with the United States. The British government, however, does not take the same position — and is contributing to the secrecy that surrounds drone operations.

Fabian Hamilton, a member of the British Parliament, asked the government earlier this month whether Menwith Hill plays a role in the planning and deployment of drones in Afghanistan, Pakistan, Yemen, and Somalia. The response? He was not permitted to know. “For operational and security reasons we do not comment on the specific activities carried out at RAF Menwith Hill,” said Andrew Robathan, minister of state for the armed forces.

The secrecy is a problem, for basic democratic reasons if nothing else. It’s obvious that the British government wants to protect Menwith Hill’s activities on national security grounds, which might be justifiable to some extent. But if a foreign military is using a base in the English countryside to help conduct covert wars in far-flung lands, that’s a different matter altogether — and surely the British public has a right to know about it.

This article first appeared at Slate.com

Anniversary of Occupy

Monday, 17 September 2012

It inspired people from Manchester to Moscow, led to thousands of arrests, and continues to generate debate. The Occupy protest movement, founded to oppose corporate greed and inequality, is this week celebrating its first anniversary. For many of those involved it has been an emotional and life-changing journey.

Occupy began in earnest on 17 September last year, when a group of protesters descended on New York’s Wall Street financial district. Angry over the banking industry’s role in the global financial crisis, the protesters wanted to come together to address what they called the “corrosive power of major banks and multinational corporations over the democratic process.”

Inspired by the Arab Spring and a massive Spanish protest movement that had bloomed earlier in 2011, the Occupiers formed a makeshift tent city a stone’s throw from Wall Street, where public assemblies and discussions were held. As the size of the camp quickly grew, international media attention soon followed. Before long, Occupy became a contagious phenomenon, spreading across America and across borders to more than 80 countries on almost every continent.

Ed Needham, 45, remembers the birth of Occupy well. The 45-year-old communications strategist was attending a conference for organisations working for progressive causes in Washington DC. He was approached by an activist who told him about a new protest called Occupy Wall Street in New York, which had begun a few days earlier. He decided to visit, was immediately impressed by what he saw, and joined in with the protest.

“For me Occupy represented a reaction to where we were as a society,” Needham says, recalling his first impressions. “I just thought that this was an extremely historical moment and that instead of some fly by night political party initiative or something, that this was the beginning of a social movement. And everything that has happened since has affirmed that.

“Rather than people coming together under the many different organisations or political entities, people were coming together under a much larger banner. It happened in a way that I think really captured the imagination of where we were – and still are – as a nation in terms of what has happened to us over the last 30 years.”

A crucial aspect of the Occupy movement was its cross-generational appeal. In the first few days it was characterised mainly as a youth movement, but as it grew that changed. Organised labour groups eventually got involved, as did senior citizens, war veterans, high-profile academics, musicians – even people who had worked within the financial sector. “At that point it just took off because people could no longer characterise the people down at the square as a bunch of hippie kids,” Needham says.

To date, there have been more than an estimated 7000 arrests of activists participating in Occupy protests across the US. The main camp in New York was evicted in November, but today the movement continues. The activists are currently collaborating on international actions to mark the one-year anniversary, and they still meet regularly and organise protests outside banks and run “teach-in” educational groups about economic issues.

Though some activists are pessimistic about the level of change they have managed to achieve, most believe that at the very least they have managed to shape mainstream political discussion by putting more focus on problems related to inequality. New splinter groups have also taken shape due to Occupy, with activists using different protest tactics to voice their discontent about the current status quo.

Los Angeles-based artist Alex Schaefer garnered media attention last year for expressing his indignation at the greed of the banking sector in a creative manner – by painting pictures of banks on fire. Schaefer is hugely frustrated at how little has been done in America to hold the financial sector to account for bringing the country’s economy to its knees, and he recently started a new trend that is beginning to catch on in various cities. He calls it “chalking” – a form of civil disobedience that involves drawing information about bank wrongdoing in chalk on pavements outside bank buildings.

“It needs to be a constant reminder,” Schaefer says. “It’s a different protest than a march. This is a way to just casually do it consistently. I wish every bank would wake up to this on this sidewalk every morning.”

So far Schaefer has been arrested once for vandalism, but the charges were eventually dropped. He says the tactic was in part born out of a deep dissatisfaction that nothing was being done to address the issues raised by the Occupy movement.

“Nothing has changed, it’s ridiculous,” he says. “Occupy is an uphill battle. The problem is that Occupy was only a fraction of the population. There are so many more people out there that need to get upset before a change is going to happen.”

In England, activists speak of the same frustration. Occupy spread to London in October last year, with a large encampment established outside St Paul’s Cathedral near the city’s stock exchange. Small campsites eventually formed in a number of cities across Britain – from Glasgow and Edinburgh in Scotland to Liverpool, Manchester, Birmingham, and Sheffield in England. But most of the camps were either evicted or slowly disbanded as the cold bite of winter set in – and some protesters feel that they failed to agree on a coherent message across the different sites.

“Even from London to the regions there was a huge difference in scope and aims,” says Daniel, 34, an activist from Liverpool who spent time at Occupy protests in England and America. “I felt aspects I was experiencing at occupations abroad, particularly in the US, did not translate locally. What we saw regionally was more a kind of nebulous protest, and the camps ended up quite detached from the global movement.”

Daniel says that he found Occupy in London to be “quite brilliant” and well organised. An empty office block that was squatted by the activists in London’s financial district and turned into a giant makeshift community centre called the Bank of Ideas also impressed him. However, in Liverpool he says groups including the Socialist Workers’ Party “appeared intent on co-opting, while not overtly supporting the movement, which was predictable and divisive.” And at some Occupy camps he visited, the initial energy which had catalysed the movement became diluted.

Other protesters had similarly negative experiences of camps outside London. In Birmingham, activist Tom Holness said the camp had included people who believed in “Jewish banking conspiracies” and a member of the far-right English Defence League, which dissuaded new people from joining. “The Facebook pages were a mess of arguments and conspiracy theories and that put a lot of people off,” he says.

Yet despite its flaws, Occupy as a movement is likely to persist in some form at least for the foreseeable future. The issues driving it, such as rising unemployment and a growing disparity between rich and poor, have not been addressed. And many activists, though they are tired and frustrated, are still intent on pushing for change.

In Spain, the movement that preceded Occupy may offer a glimpse of what is to come. Thousands took to the streets across the country last summer to protest against austerity measures, corporate power and political corruption, camping out in public squares and holding lengthy debates in a bid to find solutions to economic problems. Calling themselves the Indignados (the indignant) they continue to organise demonstrations and political actions, weary but energised by groups in other parts of the world.

“It’s been absolutely inspiring to see how some other movements have been out in the States and in London and everywhere,” says Beatriz Pérez, a 31-year-old activist who has been involved with the Indignados movement since it began in May last year. “We share the sense of frustration and rage with a lot of other people.”

As a result of the Indignados movement, locally organised public assemblies are now held regularly in cities including Madrid and Barcelona for anyone to come and address grievances. Though unemployment is soaring in Spain and the protesting has not managed to achieve substantive political changes, it has brought people together in a way that has in itself had a positive and lasting impact.

“Life in Spain, in Madrid, has changed a little bit for everyone that has been in the movement,” says Pérez. “I feel like in my city there is a lot more love out there – it’s a romantic thing to say but that’s how I feel. It’s less individualistic here than it was. And I think that has got to be a very good thing for our lives.”