16 Aug 2018 8:54 AM AEST – Human Rights Law Centre to speak on Identity-matching Services Bills

The Parliamentary Joint Committee on Intelligence and Security will hold a second public hearing in Canberra tomorrow as part of its review of the Identity-matching Services Bill 2018 and the Australian Passports Amendment (Identity-matching Services) Bill 2018.

The Committee will hear from the Human Rights Law Centre, the Australian Strategic Policy Institute and the Department of Home Affairs.

Committee Chair Mr Andrew Hastie MP said that the Committee looks forward to hearing from the Human Rights Law Centre and the Australian Strategic Policy Institute.

“It is important that the Committee hear from these organisations. The Committee is especially interested in the privacy implications of biometric identity-matching and their evidence will greatly assist the Committee in preparing its report on the Identity-matching Bills before it,” Mr Hastie said.

The Committee intends to report on both bills by mid-September.

Public hearing details: 8.30am to 12.00pm, 17 August 2018, Committee Room 1R4, Parliament House, Canberra.

8.30am                 Human Rights Law Centre

9.15am                 Break

9.30am                 Australian Strategic Policy Institute

10.15am               Break

10.40am               Department of Home Affairs

12.00pm               Close

The hearing will be broadcast live at

Further information about the Committee’s reviews and the submissions received to date can be obtained from the Committee’s website.

Media enquiries:
Chair, Mr Andrew Hastie MP (Canning, WA) on 08 9534 8044 (Electorate office) or (02) 6277 4223 (Parliament House)

For background information:
Committee Secretariat – Parliamentary Joint Committee on Intelligence and Security – (02) 6277 2360 or email

Interested members of the public may wish to track the committee via the website. Click on the blue ‘Track Committee’ button in the bottom right hand corner and use the forms to login to My Parliament or to register for a My Parliament account.

Henry Sapiecha

How Google has kept 85,000 of its employees from getting phished since 2017

Physical security keys in place of passwords have proven effective for Google and other large sites.

Google has successfully kept more than 85,000 employees from getting phished on their work-related accounts since 2017. According to reporting from KrebsOnSecurity, physical security keys are to thank for this.

Security keys are small USB devices that supply the second factor in place of the one-time codes (SMS or authenticator app) used in the standard two-factor authentication (2FA) process.


A 2FA process is meant to ensure that if a thief steals a user’s password, they still cannot access the account, because they lack the additional factor (e.g., the user’s mobile device) needed to complete the login. A one-time code, however, can itself be phished: a convincing look-alike page asks the victim for the code and relays it to the real site within its validity window.

The security key process is more resistant to that. According to the report, security keys implement a multi-factor standard known as Universal 2nd Factor (U2F). The user logs in by inserting the USB device and pressing its button, so without the physical key an attacker cannot log in as the employee. More importantly, the browser (not the web page) passes the site’s origin to the key, and the key’s signature covers that origin together with the server’s challenge, so a button press on a look-alike phishing domain produces a response the real site rejects. This does not mean that Google employees never clicked a malicious link in an email, only that no such phishing attempt led to an account takeover or exfiltration of company data.
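The origin binding just described is the whole point, so here is an added example of it in working code. This is not Google’s, KrebsOnSecurity’s or any U2F library’s code: it simulates the exchange with the Python standard library only. The token’s ECDSA P-256 signature is modelled as an HMAC-SHA256 over a per-credential secret shared with the relying party (an assumption made so the example runs offline; the real token keeps a private key and the server holds only the public key), while the signed message keeps the U2F raw authentication layout: SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(clientData). The origins, the user name and the key-handle format are constructed.

```python
"""Simulated U2F registration and authentication with origin binding."""
import hashlib
import hmac
import json
import os
import struct

PRESENCE = b"\x01"  # user-presence flag: the button was pressed


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Stand-in for the USB token. It signs over whatever origin the browser reports."""

    def __init__(self) -> None:
        self._creds: dict[bytes, dict] = {}

    def register(self, app_id: str) -> tuple[bytes, bytes]:
        handle, secret = os.urandom(16), os.urandom(32)
        self._creds[handle] = {"app": sha256(app_id.encode()), "secret": secret, "counter": 0}
        return handle, secret  # `secret` plays the role of the public key here (assumption)

    def authenticate(self, app_id: str, handle: bytes, client_data: bytes) -> bytes:
        # A conforming token would also refuse when `app_id` does not match the handle;
        # this one signs anyway so that the relying party's checks are what get exercised.
        cred = self._creds[handle]
        cred["counter"] += 1
        ctr = struct.pack(">I", cred["counter"])
        signed = sha256(app_id.encode()) + PRESENCE + ctr + sha256(client_data)
        return PRESENCE + ctr + hmac.new(cred["secret"], signed, hashlib.sha256).digest()


def browser_client_data(origin: str, challenge: str) -> bytes:
    # The browser, not the page's JavaScript, writes the origin into client data.
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()


class RelyingParty:
    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self._users: dict[str, dict] = {}

    def enroll(self, user: str, key: SecurityKey) -> None:
        handle, secret = key.register(self.app_id)
        self._users[user] = {"handle": handle, "secret": secret, "counter": 0}

    def handle_for(self, user: str) -> bytes:
        return self._users[user]["handle"]

    def challenge(self) -> str:
        return os.urandom(32).hex()

    def verify(self, user: str, challenge: str, client_data: bytes, response: bytes) -> bool:
        u = self._users[user]
        cd = json.loads(client_data)
        if cd.get("challenge") != challenge or cd.get("origin") != self.app_id:
            return False  # check 1: client data must carry our challenge and *our* origin
        presence, ctr, sig = response[:1], response[1:5], response[5:]
        counter = struct.unpack(">I", ctr)[0]
        if presence != PRESENCE or counter <= u["counter"]:
            return False  # check 2: button pressed, counter strictly increasing (no replay, cloned-key hint)
        expected = hmac.new(u["secret"], sha256(self.app_id.encode()) + presence + ctr
                            + sha256(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False  # check 3: signature bound to our appId hash and to this exact client data
        u["counter"] = counter
        return True


def scenario() -> dict[str, bool]:
    real, evil = "https://accounts.example", "https://accounts-example.evil"  # constructed
    key, rp = SecurityKey(), RelyingParty(real)
    rp.enroll("alice", key)
    handle = rp.handle_for("alice")
    results = {}

    # Legitimate login from the real origin.
    ch = rp.challenge()
    cd = browser_client_data(real, ch)
    resp = key.authenticate(real, handle, cd)
    results["legitimate"] = rp.verify("alice", ch, cd, resp)

    # Replay of the very same response: the counter check rejects it.
    results["replay"] = rp.verify("alice", ch, cd, resp)

    # Real-time phishing relay: the attacker fetches a fresh challenge from the real site,
    # feeds it to the victim's browser on the look-alike origin, and the victim presses the button.
    ch = rp.challenge()
    cd_evil = browser_client_data(evil, ch)
    resp = key.authenticate(evil, handle, cd_evil)
    results["relay_honest_clientdata"] = rp.verify("alice", ch, cd_evil, resp)
    # The attacker rewrites client data to claim the real origin: the signature no longer matches.
    forged = browser_client_data(real, ch)
    results["relay_forged_clientdata"] = rp.verify("alice", ch, forged, resp)
    return results
```

Calling `scenario()` gives a legitimate login that passes, while the replay and both relay variants fail: the relayed response either names the wrong origin in client data or carries a signature computed over the phishing origin’s hash, and the attacker cannot produce one over the real origin without the token being used on the real origin.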

In addition to Google, many other high-profile sites including Facebook, GitHub, and Dropbox are supporting similar U2F processes, according to the report. U2F is currently supported by Google Chrome, Mozilla Firefox, and Opera. However, the report noted that U2F is not enabled by default in Firefox.


Software giants Microsoft and Apple have yet to ship U2F support in their browsers, but Microsoft said its Edge browser will support U2F later this year, according to the KrebsOnSecurity report. Apple has not announced whether Safari will support U2F.

Until a U2F system is commonplace and supported by all sites, users can protect themselves from phishing attacks by following these 10 tips from TechRepublic’s Brien Posey.

The big takeaways for tech leaders:

  • Google protected its 85,000 employees from being phished on their work accounts by using physical security keys as the second factor in its 2FA strategy.
  • U2F could become commonplace within the next few years as large companies adopt it.

Henry Sapiecha

Five Eyes, Nine Eyes & 14-Eyes Countries and VPNs Important to know when using (or planning to use) a VPN

The content here is part of an article published on a VPN site; at the end of this short introduction there is a link to many more viewpoints and further information. ENJOY.

This article will discuss available VPNs in relation to the 5 Eyes, the 9 Eyes and the 14 Eyes government surveillance alliances.

Encryption is the main technical protection for private communications. Encrypted messaging systems cover direct correspondence; a virtual private network (VPN, also built on encryption) hides internet activity, such as which websites are visited, from the local network and the ISP. Note that a VPN does this by moving that visibility to the VPN provider, which is why the provider’s jurisdiction, and the surveillance alliances that jurisdiction belongs to, matter. There are valid reasons to want this protection: religion, sexual orientation and sensitive medical conditions can all be inferred from visited websites.


During the second world war, US and UK intelligence agencies worked closely on code-breaking. After the war, the UK center at Bletchley Park evolved into the Government Communications Headquarters (GCHQ). The American service evolved into the National Security Agency (NSA). In 1946, the working relationship between the two countries was formalized in the UKUSA agreement. It worked on signals intelligence (SIGINT); that is, the interception and analysis of adversarial telecommunications.

In order to provide global coverage for communications interception, Canada, Australia and New Zealand joined the UK and the USA, and the grouping became known as the Five Eyes.

However, such is the NSA’s global dominance of intelligence gathering, other countries have sought to cooperate in return for specific ‘threat’ information from the NSA. This has led to other SIGINT groupings: the 9 Eyes and the 14 Eyes.

The operation of these intelligence agencies was long kept secret. As global communications have increased – and as perceived threats have grown (first in the Cold War between east and west and more recently in the ‘war on terror’), the 5 Eyes in particular began to secretly use technology to gather everything for later analysis. GCHQ, for example, had a secret project called Mastering the Internet. None of this was publicly known.

In 2013, NSA whistleblower Edward Snowden leaked thousands of top secret NSA and GCHQ documents showing, for the first time, the extent to which national governments spy on everybody. It is always done in the name of ‘national security’, and both the relevant agencies and their governments insist on their right to do so.


Henry Sapiecha

Census: The ABS has been quietly holding on to our names for years

The Bureau of Statistics has been quietly hanging on to the names it collects with the census to conduct studies, despite a public commitment to destroy them.


Australian statistician David Kalisch told Fairfax Media the Bureau had been keeping the names it collected for up to 18 months.

“They’ve done it under the guise of: ‘this is while we are processing the data’,” he said.


David Kalisch says: ‘We are now being more transparent about it’. Photo: Rohan Thomson

“They’ve done linkages, they’ve done other things. What’s happening now is we are being more transparent about it.”

The studies have been conducted despite a commitment on the ABS website that “name and address information will be destroyed once statistical processing has been completed“.

They used the names and addresses on census forms to link the census answers to department of immigration records, to school enrolment records and to the Australian Early Development Index.

The names were destroyed only after the records were linked.

Separately, and without asking for consent, the Bureau has been tracking five per cent of the population (more than one million people) through what it calls the Australian Census Longitudinal Dataset.

It has been using the names on the forms to create “linkage keys”, which enable it to follow respondents over time. Each census, the same name produces the same linkage key, enabling movements to be tracked. Once each key has been created, the name itself has been destroyed. A key cannot be reversed to derive the name, provided the derivation depends on a secret kept apart from the data; a plain, unkeyed hash of a name could be recovered simply by hashing a list of candidate names.
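To make the linkage-key idea and its one real caveat concrete, here is an added example; it is not the ABS’s code and the page does not describe the ABS’s actual method. The field layout (first name, surname, date of birth), the normalisation rules, the use of HMAC-SHA256 as the keyed derivation, the secret and the sample records are all this example’s own assumptions, and the candidate list is constructed. It shows the same person linked across two differently spelled census returns, then the dictionary attack that recovers the “destroyed” name from an unkeyed hash, and why the secret must not sit next to the data.

```python
"""Census-style linkage keys: keyed versus unkeyed derivation, and the dictionary attack."""
import hashlib
import hmac
import itertools
import unicodedata
from typing import Iterable, Optional

# Constructed secret. In a real deployment it lives with a separate custodian,
# never alongside the linked dataset.
LINKAGE_SECRET = b"constructed-example-secret-do-not-reuse"


def normalise(value: str) -> str:
    """Fold case and strip accents, spaces and punctuation so that the same person,
    spelled differently on two census forms, yields the same key."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.upper() if ch.isalnum())


def record_string(first: str, last: str, dob: str) -> bytes:
    return "|".join((normalise(first), normalise(last), dob)).encode()


def unkeyed_key(first: str, last: str, dob: str) -> str:
    """Plain hash: deterministic, but reversible by guessing the input."""
    return hashlib.sha256(record_string(first, last, dob)).hexdigest()


def keyed_key(first: str, last: str, dob: str, secret: bytes = LINKAGE_SECRET) -> str:
    """HMAC: still deterministic for a given secret, but guessing also needs the secret."""
    return hmac.new(secret, record_string(first, last, dob), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, names: Iterable[tuple[str, str]], dobs: Iterable[str],
                      secret: Optional[bytes] = None) -> Optional[tuple[str, str, str]]:
    """Re-derive a key for every (name, date of birth) candidate; return the one that matches.
    With a phone-book-sized name list and every date in a century (about 36,500 dates)
    this is a few billion hashes, i.e. minutes to hours on one machine."""
    for (first, last), dob in itertools.product(list(names), list(dobs)):
        guess = (keyed_key(first, last, dob, secret) if secret is not None
                 else unkeyed_key(first, last, dob))
        if hmac.compare_digest(guess, target):
            return first, last, dob
    return None


# Constructed sample data: two census returns for one person, plus a small candidate
# list of the kind an attacker would assemble from public sources.
CENSUS_2011 = ("Mary-Anne", "O'Brien", "1970-05-14")
CENSUS_2016 = ("MARY ANNE", "OBRIEN", "1970-05-14")
CANDIDATE_NAMES = [("John", "Smith"), ("Mary Anne", "OBrien"), ("Wei", "Zhang")]
CANDIDATE_DOBS = ["1970-05-13", "1970-05-14", "1970-05-15"]


def demo() -> dict:
    results = {}
    # Same person, two forms, one key: this is what makes longitudinal linkage work.
    results["links_across_censuses"] = keyed_key(*CENSUS_2011) == keyed_key(*CENSUS_2016)
    # Unkeyed: the destroyed name comes straight back out of the candidate list.
    results["unkeyed_recovered"] = dictionary_attack(
        unkeyed_key(*CENSUS_2011), CANDIDATE_NAMES, CANDIDATE_DOBS)
    # Keyed, attacker without the secret: no candidate matches.
    results["keyed_without_secret"] = dictionary_attack(
        keyed_key(*CENSUS_2011), CANDIDATE_NAMES, CANDIDATE_DOBS)
    # Keyed, but the secret leaked together with the data: protection collapses again.
    results["keyed_with_leaked_secret"] = dictionary_attack(
        keyed_key(*CENSUS_2011), CANDIDATE_NAMES, CANDIDATE_DOBS, LINKAGE_SECRET)
    return results
```

The design point is that determinism (needed for linkage) and irreversibility (needed for privacy) are only compatible when the derivation takes a secret input; the normalisation step is what keeps the key stable across spelling variants, and it is also what makes the candidate space small enough to enumerate.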

“In 2016, I have decided to keep names and addresses for longer,” Mr Kalisch writes in today’s Sydney Morning Herald and Age. “This will enable the ABS to produce statistics on important economic and social areas such as educational outcomes, and measuring outcomes for migrants.”

Labelled by former Australian Statistician Bill McLennan “the most significant invasion of privacy ever perpetrated on Australians by the ABS,” the decision will formalise what was happening informally before Mr Kalisch joined the ABS in 2014. It will extend the period for research using names from 18 months to four years. All names collected will be deleted by August 2020 or when studies have been completed, whichever is sooner.


The decision is a retreat from an announcement in December that names and addresses on census forms would be retained indefinitely.

“There are extremely robust safeguards in place to protect the privacy and confidentiality of the information collected in the census, including names and addresses,” Mr Kalisch writes in today’s Fairfax Media publications. “The ABS never has and never will release identifiable census data.”

Kat Lane, vice-chair of the Australian Privacy Foundation, said the real issue wasn’t the ABS security system. It was that there was no justification for tracking or personally identifying Australians.


Henry Sapiecha

Revealing the shadowy tech brokers that deliver your data to the NSA

These so-called “trusted third-parties” may be the most important tech companies you’ve never heard of. ZDNet reveals how these companies work as middlemen or “brokers” of customer data between ISPs and phone companies, and the U.S. government.


NEW YORK — Picture two federal agents knocking at your door, ready to serve you a top secret order from the U.S. government, demanding that you hand over every shred of data you own — from usernames and passwords, phone records, emails, and social networking and credit card data.

You can’t tell anyone, and your only viable option is to comply.

For some U.S. Internet service providers (ISP) and phone companies, this scenario happens — and often. Just one ISP hit by a broad-ranging warrant has the potential to affect the privacy of millions of Americans.

But when one Atlanta, Georgia-based Internet provider was served a top-secret data request, there wasn’t a suited-and-booted federal agent in sight.

Why? Because the order was served on a so-called “trusted third-party,” which handles the request, served fresh from the secretive Washington D.C.-based Foreign Intelligence Surveillance Court (FISA Court). With the permission of their ISP customers, these third-parties discreetly wiretap those customers’ networks at the behest of law enforcement agencies such as the Federal Bureau of Investigation (FBI), and even intelligence agencies such as the National Security Agency (NSA).

By implementing these government data requests with precision and accuracy, trusted third-parties — like Neustar, Subsentio, and Yaana — can turn reasonable profits for their services.

Little is known about these types of companies, which act as outsourced data brokers between small and major U.S. ISPs and phone companies, and the federal government. Under the 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), any company considered a “communications provider” has to allow government agencies access when a valid court order is served. No matter how big or small, even companies whose legal and financial resources are limited do not escape federal wiretapping laws.

On a typical day, these trusted third-parties can handle anything from subpoenas to search warrants and court orders, demanding the transfer of a person’s data to law enforcement. They are also cleared to work with classified and highly secretive FISA warrants. A single FISA order can be wide enough to force a company to turn over its entire store of customer data.

For Cbeyond, a Nasdaq stock exchange-listed ISP based in Atlanta, Georgia, data requests can be put almost entirely out of mind. The company generates more than $450 million in revenue each year and serves more than 50,000 business customers — primarily small to medium-sized companies — in more than a dozen U.S. states.

The ISP’s legal resources are razor thin, according to an executive at the company, who did not want to be named for the story. As a result, the company does not always directly handle government data requests.

The company outsources a good portion of its legal and compliance responsibilities to Neustar, which bought its way into the wiretapping business following its 2005 acquisition of compliance firm, Fiducianet.

Cbeyond can receive as many as five to ten subpoenas per week. These data requests are regularly forwarded to Neustar, which acts as the ISP’s “custodian of records.” They are validated, and — more often than not — data is handed over to the requesting law enforcement agency.

But on the rare occasions Cbeyond receives a top-secret FISA warrant (two per year on average, according to a senior staffer with direct knowledge of the matter), Neustar pulls the data from the ISP’s network and hands it to the requesting government agency.

These warrants can allow the FBI or the NSA to collect an unknown but potentially limitless amount of data on millions of Americans and foreigners.

“Not hidden, but not visible”

Created by its namesake law, the Foreign Intelligence Surveillance Act in 1978, the FISA Court issues more than a thousand classified warrants a year for Americans’ data. One former NSA analyst likened it to a “kangaroo court with a rubber stamp,” as it keeps very few records, of which many are kept in the utmost secrecy and away from public scrutiny.

Only documents leaked by former U.S. intelligence contractor Edward Snowden have helped lift the lid on the shadowy world of these secret so-called FISA warrants. Signed off by the court, these warrants give the FBI and the NSA wide-ranging access to American data, in spite of Fourth Amendment protections designed to protect against overreaching domestic government surveillance.

The first classified document leaked by the former U.S. government contractor showed how the Obama administration forced Verizon to turn over its entire store of metadata on a rolling basis to the NSA.

FISA warrants are designed to be issued on individuals, or customers who store data belonging to those people who, according to the Office of the Director of National Intelligence, “are or may be” engaged in espionage, sabotage, terrorism (or aiding a terrorist), or take orders from a foreign government.


FISA warrants issued by year since 2001 (Source: Justice Dept., via Electronic Privacy Information Center)

When these secretive FISA orders are issued, there is little indication to Cbeyond, or any other local or major ISP or phone company, what the requested data may be used for. It could be for a terrorism case, or it could be a small part of an undisclosed NSA program. That also poses a problem for the companies wanting to fight back — and some companies have found the process notoriously difficult — not least because it requires an attorney with top-secret security clearance.

One of those attorneys, who declined to be named for the story because the person holds top-secret security clearance, explained that although hundreds of lawyers have the same clearance — including those serving terror suspects in Guantanamo Bay — very few have been in front of the FISA Court to defend their clients. These clearance-holding lawyers have been in high demand over the past year representing major Silicon Valley companies implicated in the NSA’s surveillance programs.

For the majority of smaller companies (as well as larger ones, which have refused to comment on whether they challenge such warrants), complying with data demands may be their only option; most do not have the resources to handle such requests any other way.

“If they don’t have an internal lawyer [reviewing FISA warrants], they could use a third-party service. That third-party can’t provide legal advice, but it can create a system for reviewing the data, pulling, and processing the data,” the security clearance-holding attorney said.

Enter the trusted third-party, which facilitates the data request between the two.

Neustar’s business is wide-ranging. Many industry insiders know it as a phone number portability company and the owner of top-level domain names. But its dedicated — and widely-unknown — legal and compliance division, dubbed “fiduciary” services, handles subpoenas and warrants on behalf of their customers, provides technical assistance in the lawful interception of data, and the services to carry out the surveillance demanded by the court or law enforcement agency.

“It’s not hidden, but not visible,” according to a former Neustar executive who worked in the division and who declined to be named, because the customers whose activities the division supports are ones that customers “don’t publicize very much.” These services are stigmatized particularly in the wake of the Snowden disclosures. The person said that ordinary people do not want to know that their data is up for grabs.

BuzzFeed in 2012 profiled Neustar in some depth, disclosing the scope of its legal intercept unit. The piece led the company to disclose for the first time transparency figures (more on that later).

Neustar works primarily for small to medium-sized businesses. The company said two years ago that it serves about 400 of the “thousands” of U.S. phone companies — including smaller firms like Cbeyond and Grande Communications, but also larger firms like Bright House Networks, and also Cricket, which disclosed its relationship with Neustar to Congress in May 2012 — to handle and respond to the court orders they receive. Neustar does not always act as the first go-to point for its customers.

The fiduciary division can also be held in reserve as an “overflow” for larger corporate customers inundated with more demands for data than usual, the former Neustar executive said.

To the degree that the company performs overflow functions for companies such as Verizon, Neustar chief privacy officer and deputy general counsel Becky Burr explained, it handles “only non-criminal information,” such as civil subpoenas, often generated in bitter divorce and custody disputes.

Neustar data request figures

Neustar transparency report (August 28, 2014)

Order type                               2012         2013         2014*
Administrative subpoena                19,236       28,941       16,315
Other subpoenas                        10,615        9,274        3,956
Total subpoenas                        29,851       38,215       20,271
Exigent circumstances                   2,793        3,131        1,164
PSAP** emergency (911)                 11,368       11,041        4,638
Total emergency                        14,161       14,172        5,802
Tower search                                1          114          132
Court order                             7,778        8,375        3,609
Search warrant                          1,538        1,956          971
Total court order                       9,317       10,445        4,712
Criminal: full contents                   307          332          163
Criminal: pen register / trap-trace     1,971        2,596        1,249
Total intercepts                        2,278        2,928        1,412
NSL orders / FISA demands-targets***  0-249/0-249  0-249/0-249  n/a****

*    through August 15, 2014
**   public-safety answering point, such as a 911 emergency call centre
***  per Justice Dept. requirements, NSL and FISA figures may be disclosed only as a range
**** the most recent six months are not available under the Justice Dept.’s delayed-publication rule
Source: Neustar

Neustar came under fire in 2012 for withholding from the public any details on wiretap or data requests it receives on behalf of its clients.

The company disclosed, for the second time, its latest transparency figures. Burr said the company has seen a spike in lawful intercept requests since the five-year period ending 2011, thanks to the new business of a larger customer in 2011, which is not named as it was divulged off the record.

These lawful requests are authorized by a court. A full-content order can mandate that a company hand over the contents of emails and phone calls; a pen register or trap-and-trace order yields only metadata, including the time, date, and duration of calls and the phone numbers involved, but not the contents of the calls themselves.

Out of the 2,278 intercept requests Neustar processed in 2012, about 77 percent came from that one unnamed customer, which also accounted for about 76 percent of the intercepts Neustar processed in 2013.

While the division also processes civil requests, and in rare cases handles emergency responses from law enforcement agencies — such as the immediate threat to property or life — it nonetheless handles a significant portion of its customers’ criminal requests.


Neustar’s figures show a spike in warrants since its first transparency report. The figures show that civil requests make up the bulk of Neustar’s fiduciary business, but criminal requests — including court orders and search warrants — make up about one-third of the overall requests.

As per reporting rules set out by the U.S. Department of Justice on disclosing FISA requests and National Security Letters (NSLs), which can be used to compel an ISP or phone company while gagging it from disclosing the fact, the most recent six months’ worth of data is not available. Requests older than that six-month reporting window are disclosed only as a numerical range.

Although the range spans from zero, we know from Cbeyond’s case that at least one FISA warrant has been served.

The scope of other existing FISA orders are also shrouded in secrecy, along with the process by which these secret court orders are served on companies. Although U.S. residents are afforded legal protections to limit domestic government surveillance, the Obama administration has come under intense scrutiny for using secret interpretations of surveillance law to acquire Americans’ data.

The process by which FISA warrants are served on companies or individuals isn’t widely known, because of the restrictions on whom recipients can talk to.

In reality, it may not involve federal agents showing up at your door at all. It may be as routine as a phone call from an ISP’s third-party provider. That’s when the wiretapping can begin.

“Of what worth is our permission?”

Neustar will typically inform the ISP by phone that a warrant has been received. According to the former Neustar executive, the smaller the carrier, the greater chance Neustar’s staff will see such orders first — though, not in every case.

Despite their secrecy, what is known is that FISA warrants are generally targeted and individualized, but they can also be broad and wide-ranging. While the contents of the FISA warrant are classified, it will state the legal authority under which a wiretap can be placed.

When it’s the latter case, the law says multiple warrants can be served each year on a rolling basis to maintain fresh oversight by judges, or to form a new legal basis to acquire more data.

Companies like Neustar, Subsentio, and Yaana have staff with security clearance, allowing them to see, review, and execute the warrant.

If an order is not valid, or it has deficiencies such as inappropriate language, the third-party’s legal experts may outright reject the order — regardless of the type of order issued by the law enforcement agency.

“Every action Neustar took as an outsourced partner was really governed by the carriers’ policies and procedures,” the former Neustar executive explained. If an ISP or phone company was particularly conscious of its customers’ civil liberties, Neustar could adopt strict guidelines to meet those criteria. That said, if a customer was less willing to uphold those rights, or unable to pay to have an order challenged in court, Neustar might near-automatically accept each government data request.


The ISP remains informed along the way, and will be the final arbiter on whether or not a data request will be accepted or rejected — regardless of its policies in directing Neustar how to act.

Neustar, like other trusted third-parties, is granted full technical access to the network of its ISP customer, either by way of the company’s own wiretap equipment or technology provided by the trusted third-party. Neustar will then formally request permission from the ISP’s general counsel to execute the warrant. As is often the case, no information about the FISA request is given to the company.

“Of what worth is our permission when we don’t even know what we’re being asked to give access to?” a senior staffer at Cbeyond admitted.

Neustar can in many cases execute the warrant from anywhere within the U.S., keeping within the bounds of the country’s surveillance law. When a wiretap device is needed, they are not hard to come by. Most networking equipment makers sell devices that can be used to collect or inspect traffic, the so-called deep-packet inspection devices that, at the Internet-provider level, are also used to block piracy, the spread of malware, and access to particular websites.

Once a FISA warrant is issued, so-called “tasking” orders, which contain selectors — like a phone number or an email address — are often sent electronically to the ISP. These tell the ISP or phone company, or third-parties like Neustar, exactly where to wiretap and what data to collect to hand back to the requesting authority.

By acting as middlemen, companies like Neustar, Subsentio, and Yaana often liaise with the targeted ISP or phone company, and the law enforcement agency to act as a channel in which intercepted data can flow.

For Cbeyond, the process is relatively straightforward — it’s out of sight and (almost) out of mind. But, that’s not the case for every ISP or phone company. Each company’s infrastructure has unique requirements.

FISA requests also come at a cost on two fronts for the ISP. Neustar’s services are held on retainer, with additional costs for each warrant.

Although financial arrangements were not disclosed between Cbeyond and Neustar, the ISP’s limited annual revenue and legal resources are a driving factor behind why it has not so far challenged a FISA warrant. But, Neustar will also work with U.S. law enforcement agencies to recover costs, which they are entitled to do under the law, for data requests.

Other companies work on a case-by-case basis, or charge a little more each year instead of taking on a retainer fee.

“Maybe we should be thinking about civil liberties more”

Data requests can be refused — it’s not often that it happens, but it does. For the third-party companies, their obligations are with their client and not the law enforcement agency.

But there are limits. If the ISP or phone company decides to fight a warrant, the third-party can stand back and wash its hands of it.


Burr said Neustar “has and will” reject subpoenas that are inadequate for one reason or another. But should its clients choose to fight a FISA warrant or court order they believe to be overbroad, Neustar will not join the battle in court.

Other trusted third-parties take a similar approach.

“We’re out of the picture,” said Marcus Thomas, chief technology officer at Subsentio, another trusted third-party company, founded in 2004, and based out of Littleton, Colorado.

The company has “well over 100 customers” and is mostly focused on wireless carriers and cloud providers, Thomas said by phone. Thomas is no stranger to this field. As a former FBI assistant director, he was responsible for the bureau’s lawful interception operations. He retired in 2011.

Thomas said that Subsentio, unlike Neustar, is not a formal “custodian of records,” but it interacts with both parties to ensure the correct records and the right amount of data is transferred from the company to the law enforcement agency. The company typically handles pen registers for real-time recording of phone numbers made from a particular line, full-content wiretap orders, and FISA warrants.

Subsentio provides more than simply the legal vetting procedures for determining whether a lawful intercept can go ahead. It’s not unusual for Subsentio to provide the actual wiretap device itself, should its customer need one.

“If they choose not to implement it, they don’t authorize us to implement it,” Thomas said.

Yaana operates under a similar regime. Founded in 2007 and based in the heart of Silicon Valley, it serves “dozens” of companies out of the thousands of U.S.-based ISPs and phone companies. The firm also serves companies with a foreign presence, and supports warrants from a number of European states. Yaana’s focus is compliance in the cloud, towards which, according to executive vice president for regulatory affairs and standards Tony Rutkowski, the vast majority of technology companies were “slowly but surely” moving.

Like Neustar, Yaana acts as legal agent to its corporate customers, Rutkowski said. Thanks to its in-house “rules-based reasoning engine,” law enforcement requests can be triaged and cleared, which are then accepted or rejected by on-call staff. For subpoenas, the system is straightforward and near-autonomous. For court orders under seal — of which many are — these require the direct approval from the ISP or phone provider.

“If they haven’t seen it, we won’t approve it,” Yaana’s chief technology officer David Grootwassink explained on the phone.

However, when handling FISA warrants, there “isn’t a lot of wiggle room” except to ensure that they are valid, Grootwassink said. The FISA warrant requires the approval of the ISP or phone provider, which decides whether it will comply or not. Should a client wish to fight the order, Yaana will not step in to fight on behalf of or alongside that ISP or phone provider.

“It’s the provider’s problem,” Rutkowski said. “The nice part about the trusted third-party business is that just from a liability standpoint, we don’t want to be left holding the bag here.” Grootwassink agreed. “We provide the gears. We don’t get involved in fights between the governments and our clients.”

Except, according to the numerous people spoken to for this article, many of the customers to these trusted third-party firms may not have the legal expertise or resources in the first place to develop policies that are fitting for the Internet and phone customers they serve.

Because Neustar, Subsentio, and Yaana act on their clients’ instructions, the clients themselves may be the weakest link in the privacy chain. Many of the companies outsourcing this work to a trusted third-party may not have strong policies designed first and foremost to protect the civil liberties of their customers.

These policies dictate how the trusted third-party will respond to requests ahead of time, without having to face getting dragged into the minutia of each case.

Although some ISPs have wanted to fight tooth and nail, they have not had the money to hire a top-secret-cleared attorney to argue their case. Instead, they have invoked their interpretation of the First Amendment, the right to free speech, to disclose that they have received a FISA warrant, despite the secrecy and gagging clauses that come with them.


Others, like Cbeyond, “haven’t examined simply saying ‘no’ and challenging them,” said the person with direct knowledge of the warrants served on the ISP.

“What we’re doing is what the rest of the American public is doing,” the person said. “We’re trusting in some way that these [warrants] are being handled in a responsible fashion.”

Because of its business clientele, higher management was “not thinking about civil liberties issues,” the person said, noting that the company near-automatically approved all requests.

“We don’t have a department designed to resist unwarranted government intrusions or to even figure out if they’re unwarranted or not,” the person said.

Cbeyond believes the onus of responsibility lies with the business customers it serves, though the people argued that those customers likely do not have the resources to deal with such warrants themselves either. The ISP is instead focused on fighting “incessant and unrelenting regulatory attacks” from its larger corporate rivals, one of the people said.

End customers of ISPs and phone companies are not made aware that their data is being collected. In many cases, a company’s chief executive is kept out of the loop.

U.S. surveillance law restricts who can be told about classified data requests. Although the law does not preclude a company’s chief executive from knowing, Cbeyond’s chief executive Jim Geiger said on the phone he would not be informed of the receipt of any FISA warrants, nor would he know about all of the subpoenas the company gets.

“It’s a wide burden for a chief executive’s involvement of things that would suck time and energy that aren’t necessary,” he said.


“We are not a regulated industry”

Cbeyond’s approach means Neustar will accept almost every government data request it receives on behalf of the ISP — so long as they pass Neustar’s own internal legal review.

In the relationship between ISPs and phone companies and these trusted third-parties, there are few — if any — sticking points. The ISPs devolve a portion of their responsibilities to the third-party, which generates a tidy sum for their services, and the law enforcement agencies receive the data they request.

But despite this data handover process, there remains little regulation or oversight of the trusted third-party industry.

Staff members at these companies hold U.S. security clearance and are therefore legally allowed to handle and remotely execute FISA warrants and directives. They fall within the realm of rules, protocols and laws that the U.S. intelligence community abides by.

But the vast majority of their work goes unsupervised by the government.

“Even though it sounds like [trusted third-parties] are regulated or licensed… the [legal] functions weren’t fully outsourced,” the former Neustar executive said. “You didn’t as a carrier turn over your responsibilities to someone who’s licensed to do those responsibilities. You hired competent staff on an outsourced basis to do your work, and it’s all governed by the policies of the carrier.”

“Everything was just an extension of the [carrier’s] work center,” they said. “Neustar wasn’t doing anything other than work for [its] carriers.”

Neustar says it reviews, validates, and keeps audit trails for its customers. Subsentio and Yaana also audit their activities for their customers’ benefit in order to make sure the companies are not conducting activities beyond their purview.

Thomas said trusted third-parties are “not a regulated industry” and that there is no external party reviewing such work. He said that the company does not undergo any audits that would examine how they do their jobs.

“We sort-of determine our own communication and security requirements,” Thomas said. The only exception is classified work, which he said is “reviewed” periodically by the company.

The only oversight, per se, is from the public. In the wake of the Snowden leaks, many companies have bowed to public pressure and released government data request figures. Cbeyond does not currently have a transparency report, and Geiger said the company has no plans to publish one any time soon. But for some, a company’s size is no excuse. Utah-based ISP XMission, for example, which has a staff just shy of 50 employees and a single attorney, regularly updates its transparency pages, and on one occasion disclosed that it had received and fulfilled a FISA warrant for one individual’s data.

Cbeyond’s business clientele were a driving reason behind Birch Communications’ bid to acquire the ISP for $323 million, which closed on July 21. Birch is now said to comply with subpoenas and warrants in-house, ending the long-standing relationship with Neustar.

In June, one month before the deal closed, not knowing what changes the new regime would bring, the senior staffer at the ISP ended the conversation to go back to work.

“We’re not thinking about civil liberties issues. Maybe we should have been thinking about it more.”


Henry Sapiecha

Cybercrime kingpins are winning the online security arms race

Cybercrime is getting larger and more team driven. It’s time to cast away the idea of the lone-wolf attacker.

[Image: hooded hacker at a computer] Online attackers do not look like this anymore.

The cliché of the hacker-in-a-hoodie lone wolf is out of date. Cybercrime gangs are now almost as sophisticated as the big businesses they are trying to steal from, leading to a new security arms race that companies are losing.

The increasing threat from organized cyber-criminals and state-sponsored cyber espionage means companies need to forget about the idea of a lone hacker, think through the credible threats to their systems, and deal with them in order to disrupt their attackers’ business models.

“It’s time to think differently about cyber risk, ditching the talk of hackers, and recognising that our businesses are being targeted by ruthless criminal entrepreneurs with business plans and extensive resources — intent on fraud, extortion, or theft of hard-won intellectual property,” said Paul Taylor, UK head of cyber security at KPMG.

According to research by KPMG and BT, 97 percent of companies surveyed said they had been the victims of digital attacks, but only 22 percent were fully prepared to deal with future attacks.

Executives said they were hampered by regulation (49 percent), legacy IT systems (46 percent) and a lack of the right skills and people (45 percent).

“The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft. The 21st century cyber criminal is a ruthless and efficient entrepreneur,” said Mark Hughes, CEO of BT’s security division.

“We’re up against quite sophisticated organized criminality. Well structured, real businesses, very efficient, very effective,” said David Ferbrache, technical director of cyber security at KPMG.

According to Ferbrache, the last two years have seen some shifts in the patterns of organized cyber criminality, with fraudsters targeting top executives and trying to trick them into making bogus transfers that can cost companies millions.

“CEO frauds now have become a massive issue across many of our clients,” he said.


“Organized crime is spending more time looking at targeting information available on social media. The phishing lures are much better crafted and tailored now, and they can pretend to be senior officers of the company when they know the chief executive is overseas at a conference,” Ferbrache warned.

According to the research, over 90 percent of companies said staff could be open to blackmail and bribery — but less than half have a strategy in place to deal with the threat.

“When you start moving into the big cash-outs, the longer-term operations — that’s the point you see insiders coming into the picture, because you want information on the fraud control measures. Sometimes the way the systems are configured helps the operation along,” said Ferbrache.

IT staff, as well as those with knowledge of finance, could be targeted: “Systems administrators, privileged users — anybody with access credentials, anybody able to initiate financial transactions, anyone who might have an understanding of the fraud control systems and the way they are configured too — they’re all useful,” he warned.

“We have traditionally thought of insiders and outsiders as two separate categories as you move up the tiers in organized crime. That’s not the case. It blurs.”

Crime groups tend to have a loose, federated business model. At the heart of each gang is the kingpin with the idea and the targets, but the organization around them is a loose collection of different skills. That might include people developing exploits for vulnerabilities, or selling attack services such as DDoS by the hour. Others will be experts in recruiting money mules to launder the cash, or will specialize in selling stolen information on the black market.

“The way you have to look at these organised crime groups is that most are running a portfolio of operations,” said Ferbrache.


Henry Sapiecha