All posts by Lawrence Christopher Skufca, J.D.

My name is Lawrence Christopher Skufca. I am currently a civil rights activist and pro bono legal advocate in the Camden, New Jersey area. I hold a Juris Doctor in Law from Rutgers School of Law – Camden; a Bachelor of Arts in Political Science from Furman University; and an Associate of Arts in Social Sciences from Tri-County Technical College.

EFF Joins ACLU in Amicus Brief Supporting Warrant Requirement for Cell-Site Simulators


DECEMBER 29, 2015 | BY JENNIFER LYNCH

EFF, ACLU, and ACLU of Maryland filed an amicus brief today in the Maryland Court of Special Appeals in the first case in the country (that we know of) where a judge has thrown out evidence obtained as a result of using a cell-site simulator without a warrant.

In the case, Baltimore Police used a Hailstorm—a cell-site simulator from the same company that makes Stingrays—to locate Kerron Andrews, the defendant. The police not only failed to get a warrant to use the device, they also failed to disclose it to the judge in their application for a pen register order. And it appears they even failed to tell the State’s attorney prosecuting Mr. Andrews’ case.

Luckily Mr. Andrews’ intrepid defense attorney suspected the police might have used a stingray and sent a discovery request asking specifically if they had. The prosecution stalled for months on answering that request, but, on the eve of trial, one of the investigators responsible for Baltimore PD’s stingrays finally testified in court not only that he’d used the device to find Mr. Andrews, but that he’d specifically not disclosed it in any report filed about Andrews’ arrest. The judge concluded the police had intentionally withheld information from Mr. Andrews—a clear violation of his constitutional rights.

This August, another Baltimore judge granted the defense’s request to suppress all evidence the police were able to get as a direct result of using the stingray. The judge held the use of the device without a warrant violated Andrews’ Fourth Amendment right to be free from unlawful searches and seizures. Unsurprisingly, the government appealed.

Cell-site simulators, also commonly known as IMSI catchers or stingrays, masquerade as legitimate cell phone towers, tricking phones nearby into connecting to the device instead of the tower operated by the phone company. This allows police to log the identifying numbers of mobile phones in the area and to pinpoint their locations. Police often use cell-site simulators when they are trying to find a suspect and know his phone’s identifying information.

As we learned from USA Today, the Baltimore PD has been using cell-site simulators extensively (and secretly) for at least the last eight years. A detective testified that Baltimore officers had used cell-site simulators more than 4,300 times since 2007. Like other law enforcement agencies around the country, Baltimore has used its devices for major and minor crimes—everything from trying to locate a man who had kidnapped two small children to trying to find another man who took his wife’s cellphone during an argument (and later returned it). And, like other law enforcement agencies, the Baltimore PD has regularly withheld information about Stingrays from defense attorneys, judges, and the public.

Stingrays are especially pernicious surveillance tools because they collect information on every single phone in a given area—not just the suspect’s phone—this means they allow the police to conduct indiscriminate, dragnet searches. They are also able to locate people inside traditionally-protected private spaces like homes, doctors’ offices, or places of worship—in Mr. Andrews’ case the investigators used the Stingray to pinpoint his location to within a specific apartment. Stingrays can also be configured to capture the content of communications.

This is why it’s imperative that police not only obtain a warrant based on probable cause before using a cell-site simulator but also commit to minimization procedures, including immediately deleting information about all phones not covered by the warrant and limiting the time period during which the device is used. These are not novel or onerous requirements—the Wiretap Act requires similar procedures. And in fact, both the Department of Justice and the Department of Homeland Security recently committed to following similar procedures whenever their agents use stingrays.

We hope the Maryland Court of Special Appeals will agree that the warrantless use of a stingray is unconstitutional and uphold the lower court ruling suppressing the evidence.

How Secure Are You Online: The Checklist

Think you do enough to secure your passwords, browsing, and networking? Prove it.

Not all computer security is about tin foil hats and anonymous browsing. Everyone who uses a computer has a horse in the security race. For the purpose of this post, we’re breaking down online security into four essential parts: passwords, browsers, at-home Wi-Fi and networking, and browsing on public Wi-Fi. Within those categories we’ll give you a checklist of everything you should do, from the bare minimum to the tin-foil-hat best.

Think you’ve done your due diligence with your security? Jump to any of the four sections below to see how you stack up (and boost your security where you may be lacking):

Password Security Checklist


Password security has been popping up a lot in the news recently, but how much you should care is entirely dependent on what you do online.

The Bare Minimum of Password Security

Just because you don’t use a lot of online services doesn’t mean you can neglect basic password security. Sure, you don’t need to take any complicated measures, but everyone should at least do a couple things.

  • Pick strong passwords: Regardless of what your password is for, it’s always good to pick a strong, random password. Don’t use your child’s name, or a birthday.
  • Use unique passwords for every site: Don’t ever reuse the same email and password combo on multiple services. It might seem like it doesn’t matter, but if a hacker gets your account information on one site, that means they can use that login information on every other site you’re registered at. Keep all your passwords different.
  • Use Should I Change My Password? to track security breaches: If you don’t keep up with tech news you probably don’t see most minor security breaches. To help out, the webapp Should I Change My Password? notifies you when a major service is hacked.

That’s the minimum you should do if you want to play it safe and secure with your passwords. But you can do better than that. Let’s step up your game.

Level Up: You’re a Password Pro

If you’re the type to conduct a lot of work online, then you need more complicated security measures. With that in mind, you should do the steps mentioned above, and a few other things.

  • Use two-factor authentication whenever possible: Two-factor authentication asks for a second proof of identity (a code from an app or text message, or a hardware token) along with your password, usually when you sign in from a new device, so a stolen password alone isn’t enough to get in. Not all services have it, but Google, LastPass, Facebook, Dropbox, and more all do. Use it.
  • Use a password manager: We get it, you have a lot of passwords and you don’t want to remember them all. Instead of reusing the same junky password, a password manager is a simple way to save them all securely. We like LastPass, but KeePass, and 1Password are equally solid solutions.
  • Shut down and unlink services you don’t use: If you’re the type to try out a lot of different webapps or mobile apps then you probably have a ton of passwords scattered around everywhere. When you decide you don’t want to use a service anymore, remember to delete your account. This way, if the service is hacked you don’t have to fumble around trying to remember your login information. For added protection, make sure you clean up your app permissions on Facebook and Twitter.
  • Use misleading password hints: Finally, don’t answer security questions (the password-reset hints like your mother’s maiden name or your first school) truthfully; the real answers are often easy to look up. Instead, use word association, or just pick a random response (that you’ll remember, or that you store in your password manager).

If you’re doing all of the above, your passwords are about as safe as they can get. Nice work, and stay vigilant!

Browser Security Checklist

With all your passwords in check it’s time to ensure your browsing is both secure and private. Of course, many people don’t care about privacy, but security—even after your passwords are in order—is still important.

The Bare Minimum of Browser Security

Password security is just part of the battle. You also want to make sure your browser is secure. This is what everyone should be doing:

  • HTTPS Everywhere: You likely know by now that you should never hand over personal info unless you’re doing so over a secure connection (HTTPS in the browser URL). The HTTPS Everywhere browser extension highlights secure sites, and ensures you’re always on HTTPS whenever it’s available (including on social networks, shopping sites, and more).
  • Log out of your accounts: If you’re sharing a computer in a house full of people, or you do most of your browsing on a public computer, always remember to logout of any account you use. It’s a simple, obvious step, but it’s worth repeating to yourself until you remember. When you don’t log out of an account, you’re giving authorization to snoop.
  • Understand the basics of online fraud: Phishing scams, malware, and other nasty things are all easy to detect if you keep a cautious eye on what your browser is doing at all times. Be skeptical of odd emails, brush up on the FTC’s guide to identity theft, and don’t trust your personal information to any website that doesn’t use HTTPS.

The basics of browser security are great for most people, but if you want to keep advertisers and The Man off your back, you need to take a few more measures.

Level Up: Keep Everyone from Tracking You

We know that pretty much everyone is tracking your every move on the web. The data collected from your browsing is used for ads, targeted coupons, and plenty more. Let’s put a stop to that.

  • Adblock Plus: Adblock Plus isn’t just an ad blocking extension, it also helps keep the likes of Twitter, Facebook, and Google+ from transmitting data about you.
  • Ghostery: Ghostery is an extension that blocks the tracking cookies and plug-ins used by ad networks. With Ghostery installed, the trackers on its block list can no longer follow what you’re doing online (it only catches trackers it knows about, so keep it updated).
  • Do Not Track Plus: Do Not Track Plus is an extension that stops sites with Facebook and Google+ buttons from tracking you. By default, a data exchange happens when you visit a site with one of these buttons, even if you don’t click on them. Do Not Track Plus stops that from happening.

The above extensions and measures can ensure you have a private and secure browsing experience. But if you really want to keep your browsing away from prying eyes, you have to go anonymous.

Next Level: Go Anonymous

Completely anonymous browsing isn’t for everyone, nor is it for every situation. However, it can come in handy when you’re torrenting, when you don’t want to give away your location, and if you just plain don’t like somebody watching over your shoulder. Here’s what you’ll need.

  • Tor Browser: Tor is the easiest to use anonymous browser. When you use Tor for browsing, plugins are disabled, your traffic is encrypted between your computer and the Tor exit relay, and websites see the exit relay’s address instead of yours. The hop from the exit relay to the website is only encrypted if the site uses HTTPS, so keep using HTTPS inside Tor.
  • Use VPN services to secure everything you do: VPN services are a great way to create secure connections across the internet. Using a VPN means you’re encrypting all the data transferred between your computer and the VPN provider; it protects you from the local network, not from the provider, which can still see your traffic. We like Hamachi because it’s incredibly easy to use, but any of these five will do the trick.
  • Use BTGuard for anonymous torrenting: Peer-to-peer file sharing is great, but since it’s often used for piracy you might want to keep your downloads private. BTGuard does just that through a proxy server (which helps keep you anonymous). The service is $59.95 a year, but it’s worth it to avoid throttling from your Internet Service Provider.

Home Network Security Checklist


Once your internet data is secure it’s time to secure your data on your home computer. This means backing everything up, and keeping your network safe from prying eyes.

The Bare Minimum of Network Security

If you don’t use your computer for much more than browsing the web, creating a couple documents, and storing family photos, then you don’t need to do much to keep everything safe.

  • Keep your software up to date: Software updates aren’t just about adding new features, they’re often about patching security holes. Thankfully, the update process is very simple. On Windows, click the Start Menu > All Programs > Windows Update. On Mac, click the Apple menu, and choose Software Update. Both update programs run periodically on their own, but it’s always good to check for a new update if you hear about a security issue.
  • Change your router’s security settings: If you’re still running your router’s default settings, then pretty much anyone can get into your home network and peek in on your computers. WEP can be cracked in minutes and WPA with a short passphrase falls to offline guessing, so use WPA2 with a long random passphrase, and at the very least change the default admin password and network name on your router.
  • Backup your photos and documents: Perhaps you’re not all that worried about what would happen if your $200 computer dies because you don’t do that much with it. Still, chances are you have a resume or some vacation photos on the hard drive. Backing up those few important files is easy. Cloud storage like Dropbox, Box, and Skydrive take very little time to set up. Once you do, your few important documents will be saved online.
  • Prevent downloaded software from installing automatically: Malware often comes in the form of a download you don’t notice happening, but it’s easy to stop. On Windows, disabling AutoRun can stop around 50% of malware threats, and all you need is the free software Disable Autorun. On Mac, downloads shouldn’t run automatically, but if you’re using OS X Mountain Lion you can set up Gatekeeper (System Preferences > Security & Privacy > General) to only allow applications from the Mac App Store for added security.

These are just the basics. If your computer is your livelihood, you need to do a few more things to keep your data secure.

Level Up: You’re a Network Security Pro

Whether you work from home, or you’re simply on a work computer all day long, keeping your data secure and safe is important. On top of everything above, you also want to add a few more security measures.

  • Create automated backups with Crashplan: If your computer contains everything you need to work, then you need a solid full system backup solution. We like Crashplan because it’s cheap, automated, and works on every operating system.
  • Set folder specific permissions: If you’re sharing your computer with a household of people, but need to ensure your work documents are safe, then setting up permissions is the easiest way to do it. In Windows, right-click the folder, go to Properties, and open the Security settings. Then click the edit setting and select your user name to lock the folder to you. On Mac, right-click a folder, click Get Info, and change the settings under Sharing & Permissions. For extra security, you can easily set up encryption with Truecrypt.
  • Know how someone would break into your computer (and keep it from happening to you): It’s surprisingly easy to break into a Mac. Once you know how someone could get into your system, it’s relatively easy to prevent. On Windows, you can usually get away with a long password (a login password alone does not protect the disk if someone boots from other media; use disk encryption for that), and on Mac you can set up FileVault to encrypt your data (System Preferences > Security).
  • Upgrade your router’s security: As we mentioned above, hacking into a wireless network is incredibly easy. One way to secure your router is to upgrade its firmware with DD-WRT or Tomato. Upgrading your router can keep you safe from at least one type of hack.

The above is more than enough for most people on their home network, but what about when you need to leave the house?

Public Wi-Fi Security Checklist


Using public Wi-Fi exposes everything you do online (and your computer itself) to anyone else on the network. We’ve shown you how people sniff out your passwords on public Wi-Fi before, and it’s surprisingly simple. Let’s stop that from happening to you.

Bare Minimum of Public Wi-Fi Security

Let’s say you occasionally check email on public Wi-Fi when your internet is down or you’re on vacation. You’re always tempting fate when you don’t completely lock down your computer, but here’s the minimum amount of effort you should always do.

  • Always use HTTPS: We mentioned HTTPS Everywhere above, but it’s worth repeating here. If you’re checking your email, or doing anything else with a password on a public network, always use HTTPS.
  • Turn off sharing: When you’re at home you might share your files with other people on your network. That’s great, but you don’t want that on public Wi-Fi. Disable it before you even connect. In Windows, open Control Panel, then head to Network and Internet > Network and Sharing Center. Then click Choose Homegroup and Sharing Options > Change Advanced Settings. Turn off file sharing, print sharing, network discovery, and the public folder. On Mac, open System Preferences > Sharing, and make sure all the boxes are unchecked.
  • Don’t connect to Wi-Fi unless you need it: This might seem like common sense, but if you’re not actually using the internet connection, turn it off. In Windows, right-click the wireless icon in the taskbar and turn it off. On a Mac, click the Wi-Fi button in the menu bar, and turn off Wi-Fi.

Doing these three things will keep most of your data secure when you’re just popping in to quickly check your email. If you’re using free Wi-Fi in a dorm or apartment building, you need a stronger solution.

Level Up: You’re a Public Wi-Fi Pro

If you’re on public Wi-Fi a lot, it’s best to really lock down and encrypt your data. In addition to the steps above (particularly turning off file sharing and HTTPS), you can lock out anyone pretty easily.

  • Encrypt everything with Hamachi and Privoxy: The easiest way to cut off outsiders from peeking into your private data when you’re on a public network is with the free VPN Hamachi, and the web proxy Privoxy. Setup isn’t much more complicated than a few clicks, and the end result is secure connections for all your browsing.
  • Encrypt it further with an SSH SOCKS proxy: If you don’t want to use a VPN, another option is to roll your own SSH SOCKS proxy. This encrypts all your web browsing between you and a trusted computer and redirects it through that computer.
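Here is a way to verify that the proxy from the SSH SOCKS step above is actually doing its job, as an added example that is not part of the original post. Running `ssh -D 1080 -N user@trusted-host` (user and trusted-host are placeholders) opens a SOCKS5 listener on 127.0.0.1:1080; this Python script builds the SOCKS5 greeting and a CONNECT request that passes the destination as a hostname rather than a locally resolved IP, so DNS lookups happen on the trusted computer instead of leaking to the coffee shop’s resolver (the same thing curl does with --socks5-hostname), then parses the proxy’s reply. The target example.com and the port numbers are just defaults chosen here.

```python
import socket
import struct

# SOCKS5 constants from RFC 1928.
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_REJECTED = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting():
    """Client greeting offering only 'no authentication', which is what ssh -D expects."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect(hostname, port):
    """CONNECT request that names the target by hostname (ATYP 0x03).

    Passing the name instead of a locally resolved IP is what makes the SSH
    server do the DNS lookup; resolving locally would leak every site you
    visit to the public Wi-Fi's resolver.
    """
    name = hostname.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit in one byte")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_method_reply(data):
    """Return the authentication method the proxy selected, or raise."""
    version, method = data[0], data[1]
    if version != SOCKS_VERSION:
        raise ValueError("listener is not a SOCKS5 proxy (version byte %d)" % version)
    if method == METHOD_REJECTED:
        raise ValueError("proxy refused the 'no authentication' method")
    return method


def parse_connect_reply(data):
    """Return (code, description, bound_address, bound_port) from a CONNECT reply."""
    version, code, _reserved, atyp = data[0], data[1], data[2], data[3]
    if version != SOCKS_VERSION:
        raise ValueError("bad version in CONNECT reply")
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown address type %d" % atyp)
    port = struct.unpack("!H", data[end:end + 2])[0]
    return code, REPLY_TEXT.get(code, "unknown reply code"), addr, port


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf


def check_proxy(proxy_host="127.0.0.1", proxy_port=1080,
                target="example.com", target_port=443, timeout=5.0):
    """Handshake with a live SOCKS5 listener (e.g. the one opened by ssh -D 1080)
    and ask it to CONNECT to `target` by name. Returns the parsed CONNECT reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        parse_method_reply(_recv_exact(s, 2))
        s.sendall(build_connect(target, target_port))
        head = _recv_exact(s, 4)
        atyp = head[3]
        if atyp == ATYP_IPV4:
            rest = _recv_exact(s, 4 + 2)
        elif atyp == ATYP_DOMAIN:
            n = _recv_exact(s, 1)
            rest = n + _recv_exact(s, n[0] + 2)
        elif atyp == ATYP_IPV6:
            rest = _recv_exact(s, 16 + 2)
        else:
            raise ValueError("unknown address type %d" % atyp)
        return parse_connect_reply(head + rest)


if __name__ == "__main__":
    # Assumes `ssh -D 1080 -N user@trusted-host` is already running in another terminal.
    print(check_proxy())
```

If the first reply’s version byte isn’t 5 you are talking to something other than a SOCKS5 proxy. A CONNECT reply code of 0x05 (“connection refused”) means the SSH server resolved and reached the name but the port was closed; 0x04 means it could not reach it at all. Your browser also has to be told to send hostnames to the proxy (in Firefox, “Proxy DNS when using SOCKS v5”), otherwise the DNS-leak protection this check exercises never comes into play.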

That’s all you really need to do when you’re on public Wi-Fi to keep your browsing encrypted and safe. However, you can take it another step and go completely anonymous.

Next Level: Grab Your Tin Foil Hat, We’re Going Untraceable

Perhaps you really don’t want anyone tracking what you’re doing on a public Wi-Fi network or worse, public computer. This sounds nefarious, but it’s handy for things like checking your bank account on a public computer.

The simplest way to go completely anonymous is with a custom build of Linux called Tails installed on a USB or CD. We’ve walked you through the setup process before and it’s very easy. With Tails you get a custom operating system with built-in anonymous browsing, encryption for email and chat, file encryption, and a ton of software. You can load Tails up on your own computer, or a public one. With Tails, you not only browse without leaving a trace, you also secure everything you do.

Security is important to everyone from the tech illiterate to the tech savvy. The precautions you decide to take are your own choice, but always keep in mind that your security online is just as important (if not more) than the security in your own home.

 

 


The Pros and Cons of Using Tor

Camden Civil Rights Project

Researched, compiled and edited by L. Christopher Skufca

With the numerous methods incorporated by malicious hackers, the NSA, the FBI and even local law enforcement agencies to access your private data, Tor is the best alternative for anonymously surfing the internet. Fundamentally, Tor is secure; however, Tor itself can’t guarantee your privacy and security. Additional security measures must be taken to protect your anonymity. The experts at Information Security Stack Exchange provide guidance on best practices for preserving your online anonymity while using Tor.

What is Tor and How Does it Work?

Tor is free software for enabling anonymous online communication. Tor is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication, by keeping their Internet activities from being monitored. Tor protects anonymity by directing Internet traffic through a free, worldwide, volunteer network consisting of more than six thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. It is legally used by millions worldwide to circumvent censorship and to stay safe from online snooping.

What Is Tor and Should I Use It?

Tor is an acronym for The Onion Router, an onion-routing technology developed in the mid-1990s by the United States Naval Research Laboratory to protect U.S. intelligence communications online. In 2004, the Naval Research Laboratory released the code for Tor under a free license, and in 2006 a Massachusetts-based 501(c)(3) research-education nonprofit organization called The Tor Project was founded. Its stated purpose is the research and development of online privacy tools.

The routing method utilized by the Tor network disguises your identity by moving traffic across different Tor servers, and encrypting that traffic, making it difficult to trace communications back to the original source. In an onion network, like that used by Tor, electronic data, including the destination IP address, is encapsulated in layers of encryption, analogous to layers of an onion. The encrypted data is then transmitted through a series of network nodes called onion routers, each of which “peels” away a single layer, uncovering the data’s next destination. Each relay decrypts a layer of encryption to reveal only the next relay in the circuit in order to pass the remaining encrypted data on to it. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing, or even knowing, the source IP address.

Anyone who tries to identify the user would see traffic coming from random nodes on the Tor network, rather than the source computer. Because the routing of the communication is partly concealed at every hop in the Tor circuit, this method eliminates any single point at which the communicating peers can be determined through network surveillance that relies upon knowing its source and destination.
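The layering described above, as an added example that is not part of the original article or of Tor’s own code: a three-hop circuit built in Python with a toy stream cipher standing in for Tor’s per-hop AES layer (the relay keys are pre-shared here as an assumption; real Tor negotiates a fresh key with each relay during circuit setup). Each relay can peel exactly one layer, learns only the previous and next hop, and only the exit sees the destination and the payload.

```python
import hashlib
import os


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.

    It stands in for the per-hop AES-CTR layer that Tor negotiates with each
    relay; it illustrates the layering and is not a cipher to reuse.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def wrap_layer(key, next_hop, inner):
    """Add one onion layer: [len][next_hop][inner], encrypted under this relay's key."""
    nonce = os.urandom(12)
    hop = next_hop.encode()
    return nonce + keystream_xor(key, nonce, bytes([len(hop)]) + hop + inner)


def peel_layer(key, cell):
    """Strip one layer; returns (next_hop, remaining_bytes)."""
    nonce, body = cell[:12], cell[12:]
    plain = keystream_xor(key, nonce, body)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def build_onion(relays, destination, payload):
    """relays: [(name, key), ...] in path order, e.g. [guard, middle, exit].

    The innermost layer (exit key) carries the destination and the payload;
    each outer layer carries only the name of the next relay.
    """
    cell = wrap_layer(relays[-1][1], destination, payload)
    for i in range(len(relays) - 2, -1, -1):
        cell = wrap_layer(relays[i][1], relays[i + 1][0], cell)
    return cell


def route(relays, cell, client="client"):
    """Forward the cell hop by hop and record what each relay can observe.

    Returns (observations, payload_delivered_to_destination).
    """
    observations = []
    previous = client
    for index, (name, key) in enumerate(relays):
        next_hop, cell = peel_layer(key, cell)
        observations.append({
            "relay": name,
            "from": previous,           # who handed us the cell
            "to": next_hop,             # the only forward address we learn
            "forwarded": cell,          # still ciphertext for every relay but the exit
            "sees_plaintext": index == len(relays) - 1,
        })
        previous = name
    return observations, cell


def links_between(observations):
    """The (from, to) pairs a relay-level observer could collect."""
    return [(o["from"], o["to"]) for o in observations]


if __name__ == "__main__":
    # Constructed circuit with pre-shared keys; real Tor derives a key per hop.
    circuit = [("guard", b"g" * 32), ("middle", b"m" * 32), ("exit", b"x" * 32)]
    onion = build_onion(circuit, "example.com:80", b"GET / HTTP/1.1\r\n")
    seen, delivered = route(circuit, onion)
    for o in seen:
        print(o["relay"], "knows", o["from"], "->", o["to"],
              "(plaintext)" if o["sees_plaintext"] else "(ciphertext)")
    print("destination receives:", delivered)
```

No single entry in the observation log pairs the client with the destination: the guard sees client→middle, the middle sees guard→exit, and the exit sees middle→destination. The bytes each relay forwards are still ciphertext under the next relay’s key, which is why a relay cannot read past its own layer. The exit’s plaintext view is the weakness discussed later under End Node Decryption.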

To access the Tor network, you simply need to download the Tor browser. Everything you do in the browser goes through the Tor network and doesn’t need any setup or configuration from you. One drawback of using Tor is that users experience a much more sluggish internet experience since their data is being transferred through multiple relays.

What Tor Is Good For

Tor is most useful for concealing internet browsing habits. Used in conjunction with additional security measures Tor can also be useful in protecting the anonymity of your communications with a third party. Tor has been utilized by researchers, journalists, whistleblowers, attorneys and even law enforcement officers hoping to conceal their IP address from detection.

There are several legitimate purposes for wanting to protect your online anonymity. Much of the Tor Project’s funding comes from federal grants issued by agencies, such as the U.S. State Department, that claim a vested interest in supporting safe, anonymous speech for dissidents living under oppressive regimes. It is used by human rights workers, activists, journalists and whistleblowers worldwide. Tor is also a useful tool for legal practitioners seeking to protect privileged attorney client communications and has been used as an effective tool for protecting the anonymity of undercover law enforcement officers and police informants.

However, in the wrong hands, Tor has also been used for more nefarious purposes. Tor’s technology can be utilized to provide anonymity to websites and other servers configured to receive inbound connections which are only accessible by other Tor users. These are called hidden services. Rather than revealing a server’s IP address (and thus its network location), a hidden service is accessed through its onion address. The Tor network understands these addresses and can route data to and from hidden services, even those hosted behind firewalls or network address translators (NAT), while preserving the anonymity of both parties. These hidden service sites create an opening for criminal activity, as happened with the Silk Road marketplace, which was shut down for trafficking illicit drugs. Tor’s hosting capabilities have also served as platforms for child pornography and illegal arms trading.

The Limitations of Tor

Anonymity is not the same as security. While it is difficult to hack the encryption of the Tor network, a network is only as secure as the technology used to access the network.

Exploiting Applications

In a 2012 child pornography sting, the FBI utilized a hacking tool from the Metasploit project called the “Decloaking Engine” to infect the servers of three different hidden Tor sites, which would then target anyone who happened to access them. The network investigative technique (NIT) used a Flash application that would send a user’s real IP address back to an FBI-controlled server, bypassing the Tor network and thereby exposing their identity.

Again, in June 2013, network security analyst Professor Alan Woodward of the University of Surrey highlighted the danger of using JavaScript and other add-in applications:

“Be aware, a browser’s JavaScript engine, plug-ins like Adobe Flash, external applications like Adobe Reader or even a video player could all potentially “leak” your real IP address to a website that tries to acquire it. The Tor browser bundle has JavaScript disabled by default and plug-ins can’t run. If you try to download and open a file on another application the browser will warn you.  However, anyone who has spent any time browsing the web knows that there is a great temptation to install add-ins or enable JavaScript in order to access content. Don’t succumb to the temptation if you are serious about remaining anonymous.”

Woodward’s warning proved to be timely; in August 2013, the FBI was able to exploit a security flaw in the modified Firefox 17 browser included with the Tor Browser Bundle, a collection of programs designed to make it easy for people to install and use the software. Representatives of Tor responded to the breach with the following statement:

“From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the Web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR [extended support release], on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.”

The good news is that they went for a browser exploit, meaning there’s no indication they can break the Tor protocol or do traffic analysis on the Tor network. Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard.

Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody’s going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on.

Two months later, in October 2013, The Guardian released an NSA presentation, provided by whistleblower Edward Snowden, revealing an NSA program targeting Tor users by exploiting the Tor browser bundle. The NSA attacks were designed to identify Tor users and the hidden sites they visited.

As The Guardian reported, this type of “man-on-the-side” attack on Tor users cannot be pulled off by just anyone because it requires a privileged position on the internet backbone, which in practice means the cooperation of internet service providers (ISPs):

“(man-on-the-side attacks) are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a “race condition” between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack…

According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual, are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.

These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer; called Personal Security Products or PSP, in the manual.”

Motherboard points to a 2013 FBI sting which utilized this method:

The FBI’s big child porn bust this summer also raised some suspicion from privacy advocates over how easy it is for the Feds to infiltrate Tor. The FBI managed to crack the anonymous network by injecting malware into the browser, in order to identify what it called “the largest child porn facilitator on the planet.” In the process, the malware revealed the IP addresses of hundreds of users.

On January 5, 2016, Motherboard reported that the FBI conducted a network attack which targeted over a thousand computers and was able to deanonymize visitors to a Tor hidden site called Playpen, allegedly one of the largest sites hosting child pornography on the Darkweb. According to the article, “the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4,” during which time, “the FBI deployed what is known as a network investigative technique (NIT), the agency’s term for a hacking tool.” According to the complaint filed by the FBI, “approximately 1300 true internet protocol (IP) addresses were identified during this time.”

Tor explicitly warns against installing or enabling browser plugins. The Tor Browser is configured to block browser plugins such as Flash, RealPlayer, and QuickTime, because they can be manipulated into revealing your IP address. Therefore, Tor does not recommend installing additional add-ons or plugins into its Browser, as these may harm your anonymity and privacy by making network connections that bypass Tor entirely.

End Node Decryption

Tor has a known weakness: The last node through which traffic passes in the network has to decrypt the communication before delivering it to its final destination. Someone operating that node can see the communication passing through this server.

In 2007, Swedish security researcher, Dan Egerstad was able to intercept passwords and email messages from government agencies by running Tor exit nodes. According to Egerstad, many who use Tor mistakenly believe it is an end-to-end encryption tool. As a result, they aren’t taking the precautions they need to take to protect their web activity. University of Surrey professor, Alan Woodward, cautions that Tor volunteers are anonymous and therefore, users “do not choose which exit node you use so you cannot guarantee who it is that is actually running that node.”  Woodward also remarked that Tor’s random routing between nodes makes it unlikely that anyone could target a specific individual in this way, unless they run a large proportion of the Tor nodes that are out there. Taking additional steps to encrypt data could also mitigate this risk.
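To make the exit-node weakness concrete, here is an added example (not from the original article, from Egerstad’s work or from Tor) of what an exit operator can read off a stream it decrypts: a cleartext HTTP login yields the host, the Basic-auth credentials and the posted form, whereas the opening record of an HTTPS connection yields only the server name in the TLS ClientHello’s SNI extension. The sample traffic, the hostname mail.example.gov and the credentials are constructed for the demonstration, and the ClientHello builder is a minimal one that carries only the SNI extension.

```python
import base64
import urllib.parse


def sni_from_client_hello(record):
    """Return the server_name from a TLS ClientHello record, or None."""
    if record[0] != 0x16:                 # not a handshake record
        return None
    body = record[5:]                      # skip the 5-byte record header
    if body[0] != 0x01:                    # not a ClientHello
        return None
    p = 4                                  # handshake type (1) + length (3)
    p += 2 + 32                            # client_version + random
    p += 1 + body[p]                       # session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")   # cipher_suites
    p += 1 + body[p]                       # compression_methods
    if p >= len(body):
        return None                        # no extensions at all
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        ext_type = int.from_bytes(body[p:p + 2], "big")
        ext_len = int.from_bytes(body[p + 2:p + 4], "big")
        p += 4
        if ext_type == 0x0000:             # server_name extension
            q = p + 2                      # skip server_name_list length
            if body[q] == 0x00:            # name_type host_name
                n = int.from_bytes(body[q + 1:q + 3], "big")
                return body[q + 3:q + 3 + n].decode("ascii")
        p += ext_len
    return None


def build_client_hello(hostname):
    """Minimal ClientHello carrying only an SNI extension (constructed for the demo)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    extension = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    hello = (b"\x03\x03" + bytes(32)       # version + a zeroed "random" for the demo
             + b"\x00"                     # empty session id
             + b"\x00\x02\xc0\x2f"         # one cipher suite
             + b"\x01\x00"                 # null compression only
             + len(extension).to_bytes(2, "big") + extension)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def credentials_from_http(stream):
    """Pull request line, Host, Basic-auth credentials and form fields from cleartext HTTP."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    found = {"request": lines[0].decode(), "host": headers.get("host")}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        found["basic"] = base64.b64decode(auth[6:]).decode()
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        found["form"] = dict(urllib.parse.parse_qsl(body.decode()))
    return found


def exit_relay_view(stream):
    """What the exit relay's operator learns from the first bytes of one stream."""
    if stream[:1] == b"\x16":
        return {"protocol": "tls", "sni": sni_from_client_hello(stream)}
    return {"protocol": "http", **credentials_from_http(stream)}


# Constructed sample traffic: the same login, once over plain HTTP and once as the
# opening TLS record of an HTTPS connection.
SAMPLE_HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    + b"Host: mail.example.gov\r\n"
    + b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: 23\r\n"
    + b"\r\n"
    + b"user=alice&pass=hunter2"
)
SAMPLE_TLS_LOGIN = build_client_hello("mail.example.gov")

if __name__ == "__main__":
    print(exit_relay_view(SAMPLE_HTTP_LOGIN))
    print(exit_relay_view(SAMPLE_TLS_LOGIN))
```

The HTTP case hands the exit everything Egerstad collected; the HTTPS case leaks only the hostname, which is exactly the “additional step to encrypt data” Woodward refers to. End-to-end encryption inside Tor (HTTPS, or encrypted mail and chat) is what shrinks a malicious exit’s view to metadata.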

Study on Traffic Correlation Attacks

In August 2013, the number of Tor users more than doubled, leading many to suspect that Edward Snowden’s June 2013 revelations of the vast NSA surveillance program had led more internet users to protect their privacy. However, the sudden uptick in Tor users may be better explained by a joint research project designed to measure the effectiveness of these types of end node relay attacks.

In November 2013, the US Naval Research Laboratory and Georgetown University in Washington, D.C. issued a joint report entitled “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries.” The report focuses on traffic correlation attacks against Tor users by network adversaries such as corporations, intelligence and law enforcement agencies, or governments.

A network adversary is a network operator with enough resources to observe a large portion of the underlying network over which Tor traffic is transported, by controlling one or more autonomous systems or Internet exchange points. Within the Internet, an autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the Internet. An Internet exchange point (IXP) is a physical infrastructure through which Internet service providers (ISPs) and content delivery networks (CDNs) exchange Internet traffic between their networks (autonomous systems, or ASes).

In layman’s terms, the study found that the more entrance and exit points a network adversary can observe, whether through Tor exit relays or the destination servers themselves, the greater the probability that the targeted communications will pass through a resource controlled by the attacker, exposing the Tor user (and their communications) to identification.

According to the report, “A network adversary leverages their position as a carrier of network traffic to correlate Tor traffic streams that cross their network at some point between the client and guard and exit and destination pairs.” As the researchers remark, “Tor does not currently implement any protection against adversaries who operate ASes or IXPs.”

In traffic correlation attacks, an adversary has enough bandwidth to run numerous high-capacity relays in the Tor network in order to deanonymize an individual user. The researchers report:

“Onion routing is vulnerable to an adversary who can monitor a user’s traffic as it enters and leaves the anonymity network; correlating that traffic using traffic analysis links the observed sender and receiver of the communication. Øverlier and Syverson first demonstrated the practicality of the attack in the context of discovering Tor Hidden Servers. Later work by Murdoch and Danezis show that traffic correlation attacks can be done quite efficiently against Tor.”

Since network adversaries can monitor entrance and exit traffic on any of the routers they control, the more points within their control, the greater their ability to expose a Tor user’s identity. The researchers found that “sending many streams over Tor induces higher rates of circuit creation, increasing the number of chances the adversary has to compromise one. Alternatively, the specific destination addresses and ports that users connect to affect the probability a malicious exit is chosen because allowed exit policies differ from relay to relay.”

This is important because information travels through the encrypted layers of the Tor network via Internet exchange points (IXPs) or autonomous systems (ASes) that control multiple routers, such as ISPs. Since attackers can theoretically see exit or entrance traffic on any of the routers they control, logically, the more points of control, the faster and easier it is to expose a Tor user’s identity. As Meghan Neal at Motherboard points out, “Hypothetically, a state-sponsored cyberattacker could control all of the routers in the country.” Therefore, US intelligence agencies, which have innumerable routers at their disposal, would have a tremendous advantage in deanonymizing users and tracking their communications across the Tor network.
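The quantities the report reasons about (the adversary’s share of guard and exit bandwidth, the number of circuits a user builds, and the way exit policies shrink the exit pool for some ports) can be worked through on a small constructed consensus. The following Python model is an added example, not code from the report or the Tor Project; its relays, bandwidth weights and ASNs are made up (the ASNs are from the documentation range), and path selection is simplified to independent bandwidth-weighted picks of a guard and of an exit whose policy allows the destination port.

```python
"""Bandwidth-weighted model of how much of a Tor user's traffic a network
adversary can correlate, following the threat model of "Users Get Routed".

Constructed example: relays, bandwidths and ASNs below are made up (ASNs
64496-64511 are reserved for documentation), and path selection is reduced to
independent bandwidth-weighted picks of a guard and a port-compatible exit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    name: str
    asn: int                     # autonomous system that carries this relay's traffic
    bandwidth: float             # consensus bandwidth weight (constructed units)
    guard: bool = False          # relay has the Guard flag
    exit_ports: frozenset = frozenset()  # ports its exit policy allows; empty = not an exit


# Constructed consensus: AS 64500 and AS 64501 are the adversary's networks.
RELAYS = (
    Relay("guard-a", 64500, 900.0, guard=True),
    Relay("guard-b", 64496, 600.0, guard=True),
    Relay("guard-c", 64497, 500.0, guard=True),
    Relay("middle-a", 64499, 400.0),
    Relay("exit-a", 64501, 800.0, exit_ports=frozenset({80, 443})),
    Relay("exit-b", 64498, 700.0, exit_ports=frozenset({22, 80, 443, 6667})),
    Relay("exit-c", 64499, 500.0, exit_ports=frozenset({80, 443})),
    # Few relays exit to IRC (6667), so the adversary's exit is half of that pool.
    Relay("exit-d", 64501, 700.0, exit_ports=frozenset({22, 6667})),
)
ADVERSARY_ASES = frozenset({64500, 64501})


def adversary_share(pool, adversary_ases):
    """Fraction of the pool's bandwidth that sits inside adversary-controlled ASes.

    Tor weights relay selection by bandwidth, so this is the probability that
    one bandwidth-weighted pick from the pool is observable by the adversary.
    """
    total = sum(r.bandwidth for r in pool)
    if total <= 0:
        raise ValueError("no relay can serve this role")
    return sum(r.bandwidth for r in pool if r.asn in adversary_ases) / total


def guard_pool(relays):
    return [r for r in relays if r.guard]


def exit_pool(relays, port):
    """Relays whose exit policy allows the destination port."""
    return [r for r in relays if port in r.exit_ports]


def circuit_compromise_probability(relays, port, adversary_ases):
    """P(adversary observes both ends of one circuit) = P(guard) * P(exit).

    Guard and exit are treated as independent picks; Tor's same-family and
    same-/16 exclusions are ignored in this model.
    """
    p_guard = adversary_share(guard_pool(relays), adversary_ases)
    p_exit = adversary_share(exit_pool(relays, port), adversary_ases)
    return p_guard * p_exit


def compromise_over_circuits(relays, port, adversary_ases, n_circuits, fixed_guard=True):
    """Probability that at least one of n_circuits is end-to-end observable.

    More streams and longer sessions mean more circuits, so n_circuits grows
    with use. With fixed_guard=True the same entry guard serves every circuit
    (Tor's guard design): the adversary needs that guard plus any one exit, so
    the result can never exceed P(guard). With fixed_guard=False the guard is
    re-drawn for every circuit and repeated use drives the probability toward 1.
    """
    p_guard = adversary_share(guard_pool(relays), adversary_ases)
    p_exit = adversary_share(exit_pool(relays, port), adversary_ases)
    if fixed_guard:
        return p_guard * (1.0 - (1.0 - p_exit) ** n_circuits)
    return 1.0 - (1.0 - p_guard * p_exit) ** n_circuits


if __name__ == "__main__":
    for port in (443, 6667):
        single = circuit_compromise_probability(RELAYS, port, ADVERSARY_ASES)
        print(f"port {port}: one circuit compromised with probability {single:.3f}")
        for n in (1, 10, 100):
            fixed = compromise_over_circuits(RELAYS, port, ADVERSARY_ASES, n)
            rotating = compromise_over_circuits(RELAYS, port, ADVERSARY_ASES, n, fixed_guard=False)
            print(f"  {n:>3} circuits: fixed guard {fixed:.3f}, guard per circuit {rotating:.3f}")
```

Changing the port shows the exit-policy effect the researchers describe, and comparing the two guard modes shows why a user who builds many circuits is exposed far more quickly without a persistent guard.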

The Tor Project, itself, openly acknowledges:

“Just using Tor isn’t enough to keep you safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other internet-facing applications.”

Therefore, it is highly recommended that Tor users always take additional security precautions, such as using an anonymous proxy tool like a virtual private network (VPN) and HTTPS encryption whenever possible, as added layers of protection.

If you are not already using a VPN or HTTPS, you should be. If a site offers HTTPS, just go to https://www.thewebsite.com instead of just plain old http. To help ensure private encryption to websites, the Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website.

Using Tor Could Increase the Possibility that You are Targeted

In October 2013, documents leaked by Edward Snowden revealed that the Tor anonymity network is a high-priority target for the National Security Agency. In support, The Guardian released “Tor Stinks,” an NSA presentation (vintage June 2012) outlining current and proposed strategies for exploiting the network. According to The Guardian, “The work of attacking Tor is done by the NSA’s application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world.” Therefore, an agency like the NSA or FBI can tell that you are a Tor user, which makes you more likely to be targeted.

Furthermore, an NSA document obtained by the Guardian in June 2013, titled Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence, reveals that using online anonymity services such as Tor, or sending encrypted e-mail and instant messages, is grounds for US-based communications to be retained by the National Security Agency even when they are inadvertently collected.

Of concern, the NSA Minimization Procedures provide no ascertainable guidelines for protecting against warrantless domestic surveillance. Section 5 clearly reveals domestic communications are being monitored en masse and allows for the collection and dissemination of information relating to “evidence of a crime” to law enforcement agencies, whether or not a warrant has been obtained or an individual is the target of a current investigation. The procedures make no distinction between suspected terrorist or non-terrorist activity, or violent and non-violent offenses.

In August 2013, Reuters reported that law enforcement officers have been instructed to mislead judges and prosecutors by recreating the investigative trail to effectively cover up where the information obtained through NSA surveillance originated. An internal Special Operations Division (SOD) document obtained by Reuters reads: “Remember that the utilization of SOD cannot be revealed or discussed in any investigative function.” The document specifically directs agents to omit the SOD’s involvement from investigative reports, affidavits, discussions with prosecutors and courtroom testimony. Agents are also instructed to use a deceptive technique known as parallel construction to misrepresent that the evidence provided by SOD was collected through “normal investigative techniques.”

Likewise, Section 4, which deals with attorney-client communications, provides scarce safeguards for protecting attorney-client privilege. Section 4 specifies that an analyst must cease monitoring communications between a person “known to be indicted in the United States” and their legal representative. However, there is no such protection for suspects who have not yet been indicted, or for privileged communications in civil or commercial proceedings.

Finally, a 2014 report published by German security researchers revealed that the NSA internet surveillance database program XKeyscore contains a piece of source code with rules for automatically capturing information about people who use Tor and the privacy-focused operating system Tails. One rule seems to “fingerprint” people who visit the Tor website, as well as people who search for information about Tails or visit places known to have information on it, including the Linux Journal, where anything in the “Linux” category of articles is flagged. Fingerprints are flags that allow NSA agents to identify and track users across the web.

Tor As a Tool for Journalists and Whistleblowers

In 2014, The Guardian launched a secure platform for whistleblowers to confidentially submit sensitive documents to the newspaper’s reporters. According to The Guardian:

The SecureDrop open-source whistleblowing platform provides a way for sources, who can choose to remain anonymous, to submit documents and data while avoiding virtually all of the most common forms of online tracking.

It makes use of well-known anonymising technology such as the Tor network and the Tails operating system, which was used by journalists working on the Snowden files.

The SecureDrop platform was initially developed by the US developer and open-source activist Aaron Swartz, who committed suicide in 2013 after facing criminal prosecution under the Computer Fraud and Abuse Act for downloading mass quantities of academic research articles. To date, the SecureDrop directory includes such familiar media sources as The Guardian, The Intercept, The New Yorker, The Sun and the Washington Post.

Is Tor Simply a Honeypot Run by U.S. Intelligence and Law Enforcement?

There is a legitimate concern among privacy advocates that Tor may simply be a honeypot for identifying illicit activities, due to its historical and financial ties with the U.S. intelligence and law enforcement communities. Onion routing was originally developed in the mid-1990s by the United States Naval Research Laboratory for the purpose of protecting U.S. intelligence communications online. Yasha Levine of Pando points out:

“Tor’s original — and current — purpose is to cloak the online identity of government agents and informants while they are in the field: gathering intelligence, setting up sting operations, giving human intelligence assets a way to report back to their handlers — that kind of thing. This information is out there, but it’s not very well known, and it’s certainly not emphasized by those who promote it.”

In addition, Tor’s own website states, “A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently.” The site adds, “Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.”

Furthermore, Tor’s onion routing technology was originally funded by the Office of Naval Research and DARPA. Early development was spearheaded by Paul Syverson, Michael Reed and David Goldschlag — all military mathematicians and computer systems researchers working for the Naval Research Laboratory, located within the Anacostia-Bolling military base in Washington, D.C.

In 2004, the Naval Research Laboratory released the code for onion routing under a free license, and in 2006 a Massachusetts-based 501(c)(3) research-education nonprofit organization called The Tor Project was founded. Since its inception, the vast majority of Tor Project funding has been provided by the Department of Defense and the US State Department:

  • In 2006, Tor was funded through a no-bid federal contract awarded to Roger Dingledine’s consulting firm, Moria Labs;
  • In 2007, all of Tor’s funding came from the federal government via two grants. $250,000 came from the International Broadcasting Bureau (IBB), a CIA spinoff that now operates under the Broadcasting Board of Governors, and just under $100,000 came from Internews, an NGO aimed at funding and training dissidents and activists abroad. Tor’s subsequent tax filings show that grants from Internews were conduits for “pass-through” grants from the US State Department;
  • In 2008, Tor received $527,000 from IBB and Internews, which represented 90% of its funding;
  • In 2009, approximately 90% of Tor’s funding came from the State Department, through a $632,189 grant described in tax filings as a “Pass-Through from Internews Network International.” Another $270,000 came via the CIA-spinoff IBB. In addition, the Swedish government contributed $38,000, while Google provided another $29,000;
  • In 2010, Tor received $913,000 from the State Department and $180,000 from IBB, representing 84% of Tor’s $1.3 million in total funds listed on tax filings;
  • In 2011, Tor received $730,000 via Pentagon and State Department grants, $150,000 came from IBB, and the Swedish International Development Cooperation Agency (SIDA), Sweden’s version of USAID, gave Tor $279,000;
  • In 2012, Tor’s funding nearly doubled, as it received $876,099 from the DoD, $353,000 from the State Department, $387,800 from the IBB, $318,000 from SIDA and $150,000 from an RFA grant for Tor’s OONI Project.

The question is whether you can trust that a program which originated within the U.S. intelligence community, for use by US intelligence and law enforcement agencies, and which receives the majority of its funding from the Department of Defense and the State Department, is sufficiently independent from these agencies to reasonably protect the privacy and anonymity of dissident journalists, activists and government whistleblowers. Your level of trust is most likely commensurate with the severity of the penalty that exposure would bring about.

For those of you not involved in criminal activity, exposing high level corruption or seeking to disclose state secrets, the following recommendations submitted on an Answers forum for network analysts should suffice in protecting your privacy.


A Guide for Safe Tor Use

by Michael Hampton

As a very long time Tor user, the most surprising part of the NSA documents for me was how little progress they have made against Tor. Despite its known weaknesses, it’s still the best thing we have, provided it’s used properly and you make no mistakes.

Since you want security of “the greatest degree technically feasible”, I’m going to assume that your threat is a well-funded government with significant visibility or control of the Internet, as it is for many Tor users (despite the warnings that Tor is not sufficient to protect you from such an actor).

Consider whether you truly need this level of protection. If having your activity discovered does not put your life or liberty at risk, then you probably do not need to go to all of this trouble. But if it does, then you absolutely must be vigilant if you wish to remain alive and free.

I won’t repeat Tor Project’s own warnings here, but I will note that they are only a beginning, and are not adequate to protect you from such threats.

Your Computer

To date, the NSA’s and FBI’s primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user’s computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.

  1. Don’t use Windows. Just don’t. This also means don’t use the Tor Browser Bundle on Windows. Vulnerabilities in the software in TBB figure prominently in both the NSA slides and FBI’s recent takedown of Freedom Hosting.
  2. If you can’t construct your own workstation capable of running Linux and carefully configured to run the latest available versions of Tor, a proxy such as Privoxy, and a web browser (with all outgoing clearnet access firewalled), consider using Tails or Whonix instead, where most of this work is done for you. It’s absolutely critical that outgoing access be firewalled so that third party applications cannot accidentally leak data about your location.
  3. If you are using persistent storage of any kind, ensure that it is encrypted. Current versions of LUKS are reasonably safe, and major Linux distributions will offer to set it up for you during their installation. TrueCrypt might be safe, though it’s not nearly as well integrated into the OS. BitLocker might be safe as well, though you still shouldn’t be running Windows. Even if you are in a country where rubber hosing is legal, such as the UK, encrypting your data protects you from a variety of other threats.
  4. Remember that your computer must be kept up to date. Whether you use Tails or build your own workstation from scratch or with Whonix, update frequently to ensure you are protected from the latest security vulnerabilities. Ideally you should update each time you begin a session, or at least daily. Tails will notify you at startup if an update is available.
  5. Be very reluctant to compromise on JavaScript, Flash and Java. Disable them all by default. If a site requires any of these, visit somewhere else. Enable scripting only as a last resort, only temporarily, and only to the minimum extent necessary to gain functionality of a web site that you have no alternative for.
  6. Viciously drop cookies and local data that sites send you. Neither TBB nor Tails do this well enough for my tastes; consider using an addon such as Self-Destructing Cookies to keep your cookies to a minimum. Of zero.
  7. Your workstation must be a laptop; it must be portable enough to be carried with you and quickly disposed of or destroyed.
  8. Don’t use Google to search the internet. A good alternative is Startpage; this is the default search engine for TBB, Tails, and Whonix. Plus it won’t call you malicious or ask you to fill out CAPTCHAs.

Your Environment

Tor contains weaknesses which can only be mitigated through actions in the physical world. An attacker who can view both your local Internet connection, and the connection of the site you are visiting, can use statistical analysis to correlate them.

  1. Never use Tor from home, or near home. Never work on anything sensitive enough to require Tor from home, even if you remain offline. Computers have a funny habit of liking to be connected. This also applies to anywhere you are staying temporarily, such as a hotel. Never performing these activities at home helps to ensure that they cannot be tied to those locations. (Note that this applies to people facing advanced persistent threats. Running Tor from home is reasonable and useful for others, especially people who aren’t doing anything themselves but wish to help by running an exit node, relay, or bridge.)
  2. Limit the amount of time you spend using Tor at any single location. While these correlation attacks do take some time, they can in theory be completed in as little as a day. And while the jackboots are very unlikely to show up the same day you fire up Tor at Starbucks, they might show up the next day. I recommend for the truly concerned to never use Tor more than 24 hours at any single physical location; after that, consider it burned and go elsewhere. This will help you even if the jackboots show up six months later; it’s much easier to remember a regular customer than someone who showed up one day and never came back. This does mean you will have to travel farther afield, especially if you don’t live in a large city, but it will help to preserve your ability to travel freely.
  3. When you go out to perform these activities, leave your cell phone turned on and at home.

Your Mindset

Many Tor users get caught because they made a mistake, such as posting their real email address in association with their activities. You must avoid this as much as possible, and the only way to do so is with careful mental discipline.

  1. Think of your Tor activity as pseudonymous, and create in your mind a virtual identity to correspond with the activity. This virtual person does not know you and will never meet you, and wouldn’t even like you if he knew you. He must be kept strictly mentally separated.
  2. If you must use public internet services, create completely new accounts for this pseudonym. Never mix them; for instance do not browse Facebook with your real email address after having used Twitter with your pseudonym’s email on the same computer. Wait until you get home.
  3. By the same token, never perform actions related to your pseudonymous activity via the clearnet, unless you have no other choice (e.g. to sign up for a provider who blocks Tor), and take extra precautions regarding your location when doing so.
  4. If you need to make and receive phone calls, purchase an anonymous prepaid phone for the purpose. This is difficult in some countries, but it can be done if you are creative enough. Pay cash; never use a debit or credit card to buy the phone or top-ups. Never insert its battery or turn it on if you are within 10 miles (16 km) of your home, nor use a phone from which the battery cannot be removed. Never place a SIM card previously used in one phone into another phone. Never give its number or even admit its existence to anyone who knows you by your real identity. This may need to include your family members.

Hidden Services

These are big in the news lately, with the recent takedown of at least two high-profile hidden services, Silk Road and Freedom Hosting. The bad news is, hidden services are much weaker than they could or should be. The good news is, the NSA doesn’t seem to have done much with them (though the NSA slides mention a GCHQ program named ONIONBREATH which focuses on hidden services, nothing else is yet known about it).

In addition, since hidden services must often run under someone else’s physical control, they are vulnerable to being compromised via that other party. Thus it’s even more important to protect the anonymity of the service, as once it is compromised in this manner, it’s pretty much game over.

The advice given above is sufficient if you are merely visiting a hidden service. If you need to run a hidden service, do all of the above, and in addition do the following. Note that these tasks require an experienced system administrator; performing them without the relevant experience will be difficult or impossible.

  1. Do not run a hidden service in a virtual machine unless you also control the physical host. Designs in which Tor and a service run in firewalled virtual machines on a firewalled physical host are OK, provided it is the physical host which you are in control of, and you are not merely leasing cloud space.
  2. A better design for a Tor hidden service consists of two physical hosts, leased from two different providers though they may be in the same data center. On the first physical host, a single virtual machine runs with Tor. Both the host and VM are firewalled to prevent outgoing traffic other than Tor traffic and traffic to the second physical host. The second physical host will then contain a VM with the actual hidden service. Again, these will be firewalled in both directions. The connection between them should be secured with IPSec, OpenVPN, etc. If it is suspected that the host running Tor may be compromised, the service on the second server may be immediately moved (by copying the virtual machine image) and both servers decommissioned. Both of these designs can be implemented fairly easily with Whonix.
  3. Hosts leased from third parties are convenient but especially vulnerable to attacks where the service provider takes a copy of the hard drives. If the server is virtual, or it is physical but uses RAID storage, this can be done without taking the server offline. Again, do not lease cloud space, and carefully monitor the hardware of the physical host. If the RAID array shows as degraded, or if the server is inexplicably down for more than a few moments, the server should be considered compromised, since there is no way to distinguish between a simple hardware failure and a compromise of this nature.
  4. Ensure that your hosting provider offers 24×7 access to a remote console (in the hosting industry this is often called a KVM though it’s usually implemented via IPMI) which can also install the operating system. Use temporary passwords/passphrases during the installation, and change them all after you have Tor up and running (see below). The remote console also allows you to run a fully encrypted physical host, reducing the risk of data loss through physical compromise; however, in this case the passphrase must be changed every time the system is booted (even this does not mitigate all possible attacks, but it does buy you time).
  5. Your initial setup of the hosts which will run the service must be over clearnet, albeit via ssh; however, to reiterate, they must not be done from home or from a location you have ever visited before. As we have seen, it is not sufficient to simply use a VPN. This may cause you issues with actually signing up for the service due to fraud protection that such providers may use. How to deal with this is outside the scope of this answer, though.
  6. Once you have Tor up and running, never connect to any of the servers or virtual machines via clearnet again. Configure hidden services which connect via ssh to each host and each of the virtual machines, and always use them. If you must connect via clearnet to resolve a problem, again, do so from a location you will never visit again.
  7. Hidden services must be moved regularly, even if compromise is not suspected. A 2013 paper described an attack which can locate a hidden service in just a few months for around $10,000 in cloud compute charges, which is well within the budget of even some individuals. It is safer, though not at all convenient, to move the hidden service at least monthly. Ideally it should be moved as frequently as possible, though this quickly veers into the impractical. Note that it will take approximately an hour for the Tor network to recognize the new location of a moved hidden service.

Conclusion

Anonymity is hard. Technology alone, no matter how good it is, will never be enough. It requires a clear mind and careful attention to detail, as well as real-world actions to mitigate weaknesses that cannot be addressed through technology alone. As has been so frequently mentioned, the attackers can be bumbling fools who only have sheer luck to rely on, but you only have to make one mistake to be ruined. We call them “advanced persistent threats” because, in part, they are persistent. They won’t give up, and you must not.


The Hunted and the Hated: An Inside Look at the NYPD’s Stop-and-Frisk Policy

An exclusive audio recording obtained by The Nation of a stop-and-frisk carried out by the New York City Police Department reveals the humiliation and degradation caused by broken windows policing strategies which are being implemented in urban areas throughout America.

The day after The Nation published this video, it sparked a heated debate during a meeting of the City Council’s public safety committee. Since then, the New York Police Department’s stop, question and frisk tactic gained national notoriety and became a major factor in the city’s 2013 mayoral race. Footage and audio from this video were incorporated into a PSA video by the artist Yasiin Bey, and, perhaps most significantly, the video was mentioned in the August 2013 decision of the landmark federal case Floyd v. City of New York, which found stop and frisk to be unconstitutional and racially discriminatory.

On June 3, 2011, three plainclothes New York City Police officers stopped a Harlem teenager named Alvin and two of the officers questioned and frisked him while the third remained in their unmarked car. Alvin secretly captured the interaction on his cell phone, and the resulting audio is one of the only known recordings of stop-and-frisk in action.

In the course of the two-minute recording, the officers give no legally valid reason for the stop, use racially charged language and threaten Alvin with violence. Early in the stop, one of the officers asks, “You want me to smack you?” When Alvin asks why he is being threatened with arrest, the other officer responds, “For being a fucking mutt.”

Later in the stop, while holding Alvin’s arm behind his back, the first officer says, “Dude, I’m gonna break your fuckin’ arm, then I’m gonna punch you in the fuckin’ face.”

“He grabbed me by my bookbag and he started pushing me down. So I’m going backwards like down the hill and he just kept pushing me, pushing me, it looked like he was going to hit me,” Alvin recounts. “I felt like they was trying to make me resist or fight back.”

Alvin’s treatment at the hands of the officers may be disturbing but it is not uncommon. According to their own stop-and-frisk data, the NYPD stops more than 1,800 New Yorkers a day. A New York Times analysis recently determined that more than 20 percent of those stops involve the use of force. And these are only the numbers that the Department records. Anecdotal evidence suggests both figures are much higher.

In this video, exclusive to TheNation.com, Alvin describes his experience of the stop, and working NYPD officers come forward to explain the damage stop-and-frisk has done to their profession and their relationship to the communities they serve. The emphasis on racking up stops has also hindered what many officers consider to be the real work they should be doing on the streets. The video sheds unprecedented light on a practice, cheered on by Mayor Michael Bloomberg and Police Commissioner Ray Kelly, that has put the city’s young people of color in the department’s crosshairs.

Those who haven’t experienced the policy first-hand “have likened Stops to being stuck in an elevator, or in traffic,” says Darius Charney, senior staff attorney at the Center for Constitutional Rights. “This is not merely an inconvenience, as the Department likes to describe it. This is men with guns surrounding you in the street late at night when you’re by yourself. You ask why and they curse you out and rough you up.”

“The tape brings to light what so many New Yorkers have experienced in the shadows at the hands of the NYPD,” says Ben Jealous, President of the NAACP. “It is time for Mayor Bloomberg to come to grips with the scale of the damage his policies have inflicted on our children and their families. No child should have to grow up fearing both the cops and the robbers.”

“This audio confirms what we’ve been hearing from communities of color, again and again,” says Donna Lieberman, executive director of the NYCLU. “They are repeatedly subjected to abusive and disrespectful treatment at the hands of the NYPD. This explains why so many young people don’t trust the police and won’t help the police,” she adds. “It’s not good for law enforcement and not good for the individuals who face this harassment.”

The audio also betrays the seeming arbitrariness of stops and the failure of some police officers to fully comprehend or be able to articulate a clear motivation for carrying out a practice they’re asked to repeat on a regular basis.

And, according to Charney, the only thing the police officers do with clarity during this stop is announce its unconstitutionality.

“We’ve long been claiming that, under this department’s administration, if you’re a young black or Latino kid, walking the street at night you’re automatically a suspicious person,” says Charney, who is leading a class-action lawsuit challenging the NYPD’s stop-and-frisk practices. “The police deny those claims, when asked. ‘No, that’s not the reason we’re stopping them.’ But they’re actually admitting it here [on the audio recording]. The only reason they give is: ‘You were looking back at us…’ That does not rise to the level of reasonable suspicion, and there’s a clear racial animus when they call him a ‘mutt.’”

The audio was recently played at a meeting of The Morris Justice Project, a group of Bronx residents who have organized around the issue of stop-and-frisk and have been compiling data on people’s interactions with police. Jackie Robinson, mother of two boys, expected not to be surprised when told about the contents of the recording. “It’s stuff we’ve all heard before,” she said at the gathering. Yet Robinson visibly shuddered at one of the audio’s most violent passages. She had heard plenty about these encounters, but had never actually listened to one in action.

“As a mother, it bothers you,” says Robinson. “The police are the ones we’re supposed to turn to when something bad happens. Of all the things I have to worry about when my kids walk out the door, I don’t want to have to worry about them being harmed by the police. It makes you feel like you can’t protect your children. Something has to be done.”

Officers who carry out such belligerent stops face little accountability under the NYPD’s current structure. The department is one of New York City’s last agencies to operate without independent oversight, leaving officers with no safe place to file complaints about police practice and systemic problems.

“An independent inspector general would be in a position to review NYPD policies and practices—like the recorded stop-and-frisk shown here—to see whether the police are violating New Yorkers’ rights and whether the program is in fact yielding benefits,” says the Brennan Center’s Faiza Patel. “An inspector general would not hinder the NYPD’s ability to fight crime, but would help build a stronger, more effective force.”

NYPD spokespeople have said that stop-and-frisk is necessary to keep crime down and guns off the street. But those assertions are increasingly being contradicted by the department’s own officers, who are beginning to speak out about a pervasive culture of number-chasing.

Two officers from two different precincts in two separate boroughs spoke to The Nation about the same types of pressures put on officers to meet numerical goals or face disciplinary action and retaliation. Most chillingly, both officers use the word “hunt” when describing the relentless quest for summonses, stops and arrests.

“The civilian population, they’re being hunted by us,” says an officer with more than ten years on the job. “Instead of being protected by us, they’re being hunted and we’re being hated.”

The focus on numbers, and the rewards for those who meet quotas has created an atmosphere, another veteran officer says, in which cops compete to see who can get the highest numbers, and it can lead to the kind of arbitrary stop that quickly became violent in this recording.

“It’s really bad,” says the officer after listening to the audio recording. “It’s not a good thing at all. But it’s really common, I’m sorry to say. It doesn’t have to be like that.”

Lieberman from the NYCLU agrees: “It’s time for the Mayor and the Police Commissioner to stop trying to scare New Yorkers into accepting this kind of abuse, and to recognize that there is a problem.”

Additional reporting by Erin Schneider. To see this and other related media, go to: facebook.com/stopandfriskmedia or e-mail stopandfriskmedia at gmail dot com

 

The Target: Stop-and-Frisk’s Damaging Toll on Families and Communities

On August 12, a federal judge ruled the New York Police Department’s policy of “stop, question and frisk” unconstitutional and racially discriminatory. In her decision in the case of Floyd v. City of New York, Judge Shira A. Scheindlin validated many of the complaints coming from civil rights organizations, grassroots groups and politicians who have rallied against the policy and its destructive effects on low-income communities of color.

But more than a year before opening arguments began in the Floyd lawsuit, New York City Council members and community advocates were discussing their own policy ideas to address years of corruption in the department.

The result was two pieces of legislation, collectively known as the Community Safety Act, that the City Council began debating last year seeking to curb a range of abuses and address other NYPD policy problems before they escalate to the point of federal intervention.

The first piece would establish an independent inspector general to investigate and review police policy and practice and make non-binding recommendations to the mayor and police commissioner. The second would expand the categories of individuals protected from profiling and make enforceable an anti-profiling law that is already on the books.

Though the federal monitor imposed by Judge Scheindlin’s decision will seek to fix how the NYPD currently employs stop-and-frisk, it is these bills, councilmembers believe, that could have more impact on the long-term health of the department, and make it more accountable to the public.

The City Council voted on the two bills in June. And despite receiving the full endorsement of only one of the top New York City mayoral candidates (Bill de Blasio), and being denounced by Mayor Michael Bloomberg as “dangerous and irresponsible,” the council passed the bills by wide margins.

Their passage into law, however, is by no means assured. Mayor Bloomberg vetoed the legislation in July. And he, along with the city’s largest police union, the Patrolmen’s Benevolent Association, has announced his determination to sway the outcome of a veto override vote scheduled in the City Council this Thursday.

“This is a fight to defend your life and your kids’ lives. You can rest assured that I will not give up for one minute,” Bloomberg said at a June press conference.

Though the margin of the council’s June vote on the bills was wide enough to beat a veto, they could go down to defeat if the anti-profiling bill loses just one vote, or if the inspector-general bill loses eight. But if the current majorities hold, the bills will be signed into law, and it would be the second rebuke in as many weeks of the policing tactics of an administration that prides itself on its crime-fighting prowess.

Despite the life-and-death rhetoric from the mayor, it is these personal stakes that the bills’ backers see as the main reason for the mayor’s increasingly acerbic public comments and outright misinformation on the subject in recent weeks.

“He’s afraid of someone saying ‘not everything you did in policing worked,’” says Councilmember Jumaane Williams, a co-sponsor of the legislation. “A real leader can say, ‘Look, we tried a couple things. They didn’t all work out. And the ones that didn’t work out we tried to fix and work with the community on how to fix it.’ But he just didn’t do that, which caused us to be where we are now.”

Indeed, at a post-verdict press conference last week, the mayor became angry and agitated when asked about the pending legislation. The mayor’s message is clear: any extra departmental oversight will prohibit officers from doing their jobs and innocent civilians and officers will die.

“It’s disappointing the amount of fear-mongering that I’ve seen among the mayor and [Police Commissioner Ray Kelly],” says Williams. “ ’The sky is going to fall. Everything bad is going to happen.’ What they’re saying is that we have to profile in order to continue to do police work, and that’s just not acceptable. Otherwise, why are you worried about a profiling bill that just says you can’t profile?”

Though the anti-profiling bill is most vulnerable to the veto, it’s the one seen as most important by many lawyers because of the allowance that civilians can bring claims of profiling before a state court, and a judge can order binding remedies. It is also the one being most misrepresented by opponents.

A PBA delegate reached by The Nation, who spoke on the condition of anonymity because he was not authorized to speak on behalf of the union, said that though he is against profiling, he’s also against the anti-profiling bill because he believes it would penalize individual officers.

Yet according to the bill’s language, officers will not be liable for monetary damages or subject to punishment by the judge.

For his part, Mayor Bloomberg has erroneously stated that the bill would bar officers from using descriptions of age or race when identifying a suspect.

“His staff had to tell him to stop saying that, because it isn’t true,” says Councilmember Brad Lander, a co-sponsor of the legislation. “It’s one thing for the New York Post, or the PBA to be saying this, but the mayor?”

The profiling bill is also one that gives hope to people who’ve been stopped and frisked wrongfully and regularly, like Keeshan Harley, an 18-year-old from Brooklyn who says he’s been stopped by the NYPD nearly 150 times.

“If they stop me without proper cause or without fair reasoning, if it’s just because I’m a young black male in Brooklyn, that’s the reason they stop me, then I have the right to bring them to court,” says the teen.

The fact that the mayor and the commissioner are not even open to a dialogue on the subject or attentive to citizens like Harley has frustrated Lander, who says the two have shown contempt for the City Council for merely doing its job of representing constituents’ concerns.

“And not only has the mayor been dismissive of the council, he’s shown a disregard for common sense,” exemplified, Lander said, when he made comments on a recent radio talk show that whites (not blacks and Latinos) are the ones who are stopped too much.

Mayor Bloomberg also recently argued that the addition of an inspector general would result in too many layers of oversight. But according to Lander, “Inspectors general are present in every other major police department around the country and every federal law enforcement and intelligence agency. There is no example of an officer being confused about whose orders to follow.” The monitor will be focusing narrowly on stop-and-frisk, Lander said, while the inspector general would be “looking at the full array of programs and policies on the NYPD, including Muslim surveillance, quotas, statistics fixing, etc.”

“The history of law enforcement shows that a longer term legal framework for strong oversight and civil rights protection are what’s needed for effective and constitutional policing,” and that’s what these bills are intended to achieve, he says.

The big vote that will determine many upcoming issues revolving around the NYPD will come next month during the primaries for the next mayor—he or she will choose the next police commissioner, and decide whether to pursue Mayor Bloomberg’s appeal of the federal court’s decision in the Floyd case. And positions on public safety appear to be a priority for prospective voters, as the candidate who has distanced himself most from Mayor Bloomberg’s policies is now a serious contender to be the mayor’s successor: Public Advocate Bill de Blasio.

But in the meantime, this Thursday’s City Council vote on whether to override Bloomberg’s veto of the Community Safety Act bills is the one to watch, because the new mayor, whoever they may be, would be bound by this new legislation.

 

DNA Evidence Can Be Fabricated, Scientists Show

By ANDREW POLLACK

AUG. 17, 2009

Scientists in Israel have demonstrated that it is possible to fabricate DNA evidence, undermining the credibility of what has been considered the gold standard of proof in criminal cases.

The scientists fabricated blood and saliva samples containing DNA from a person other than the donor of the blood and saliva. They also showed that if they had access to a DNA profile in a database, they could construct a sample of DNA to match that profile without obtaining any tissue from that person.

“You can just engineer a crime scene,” said Dan Frumkin, lead author of the paper, which has been published online by the journal Forensic Science International: Genetics. “Any biology undergraduate could perform this.”

Dr. Frumkin is a founder of Nucleix, a company based in Tel Aviv that has developed a test to distinguish real DNA samples from fake ones that it hopes to sell to forensics laboratories.

The planting of fabricated DNA evidence at a crime scene is only one implication of the findings. A potential invasion of personal privacy is another.

Using some of the same techniques, it may be possible to scavenge anyone’s DNA from a discarded drinking cup or cigarette butt and turn it into a saliva sample that could be submitted to a genetic testing company that measures ancestry or the risk of getting various diseases. Celebrities might have to fear “genetic paparazzi,” said Gail H. Javitt of the Genetics and Public Policy Center at Johns Hopkins University.

Tania Simoncelli, science adviser to the American Civil Liberties Union, said the findings were worrisome.

“DNA is a lot easier to plant at a crime scene than fingerprints,” she said. “We’re creating a criminal justice system that is increasingly relying on this technology.”

John M. Butler, leader of the human identity testing project at the National Institute of Standards and Technology, said he was “impressed at how well they were able to fabricate the fake DNA profiles.” However, he added, “I think your average criminal wouldn’t be able to do something like that.”

The scientists fabricated DNA samples two ways. One required a real, if tiny, DNA sample, perhaps from a strand of hair or drinking cup. They amplified the tiny sample into a large quantity of DNA using a standard technique called whole genome amplification.

Of course, a drinking cup or piece of hair might itself be left at a crime scene to frame someone, but blood or saliva may be more believable.

The authors of the paper took blood from a woman and centrifuged it to remove the white cells, which contain DNA. To the remaining red cells they added DNA that had been amplified from a man’s hair.

Since red cells do not contain DNA, all of the genetic material in the blood sample was from the man. The authors sent it to a leading American forensics laboratory, which analyzed it as if it were a normal sample of a man’s blood.

The other technique relied on DNA profiles, stored in law enforcement databases as a series of numbers and letters corresponding to variations at 13 spots in a person’s genome.

From a pooled sample of many people’s DNA, the scientists cloned tiny DNA snippets representing the common variants at each spot, creating a library of such snippets. To prepare a DNA sample matching any profile, they just mixed the proper snippets together. They said that a library of 425 different DNA snippets would be enough to cover every conceivable profile.

Nucleix’s test to tell if a sample has been fabricated relies on the fact that amplified DNA — which would be used in either deception — is not methylated, meaning it lacks certain molecules that are attached to the DNA at specific points, usually to inactivate genes.

A version of this article appears in print on page D3 of the National edition with the headline: Scientists Show That It’s Possible to Create Fake DNA Evidence.

How (and why) to set up a VPN today

Marissa Mayer made Yahoo’s VPN famous by using it to check on the work habits of her employees. Lost amid today’s VPN conversation, however, is the fact that virtual private networks are much more than just pipelines for connecting remote employees to central work servers.

And that’s a damn shame, because VPNs can be helpful tools for protecting online privacy, and you need not be an office drone to enjoy their benefits.

A VPN, as its name suggests, is just a virtual version of a secure, physical network—a web of computers linked together to share files and other resources. But VPNs connect to the outside world over the Internet, and they can serve to secure general Internet traffic in addition to corporate assets. In fact, the lion’s share of modern VPNs are encrypted, so computers, devices, and other networks that connect to them do so via encrypted tunnels.

Why you want a VPN

You have at least four great reasons to start using a VPN. First, you can use it to connect securely to a remote network via the Internet. Most companies maintain VPNs so that employees can access files, applications, printers, and other resources on the office network without compromising security, but you can also set up your own VPN to safely access your secure home network while you’re on the road.

Second, VPNs are particularly useful for connecting multiple networks together securely. For this reason, most businesses big and small rely on a VPN to share servers and other networked resources among multiple offices or stores across the globe. Even if you don’t have a chain of offices to worry about, you can use the same trick to connect multiple home networks or other networks for personal use.

This diagram illustrates the difference between using an unencrypted connection and using a VPN-secured Internet connection at your average coffee shop.

Third, if you’re concerned about your online privacy, connecting to an encrypted VPN while you’re on a public or untrusted network—such as a Wi-Fi hotspot in a hotel or coffee shop—is a smart, simple security practice. Because the VPN encrypts your Internet traffic, it helps to stymie other people on the same Wi-Fi who may be trying to snoop on your browsing and capture your passwords. Keep the scope in mind, though: the tunnel is encrypted only between your device and the VPN server. The VPN operator, and anyone between that server and the site you visit, still sees whatever leaves the tunnel, so sites you log in to should still be using HTTPS.

Fourth and finally, one of the best reasons to use a VPN is to circumvent regional restrictions—known as geoblocking—on certain websites. Journalists and political dissidents use VPNs to get around state-sponsored censorship all the time, but you can also use a VPN for recreational purposes, such as connecting to a British VPN to watch the BBC iPlayer outside the UK. Because your Internet traffic routes through the VPN, it looks as if you’re just another British visitor.

Pick your protocol

When choosing a networking protocol for your VPN, you need worry only about the four most popular ones. Here’s a quick rundown, including the strengths and weaknesses of each.

Point-to-Point Tunneling Protocol (PPTP) is the least secure VPN method: its MS-CHAPv2 authentication, and the MPPE (RC4) encryption keyed from it, have been publicly broken for years, so a captured PPTP handshake can be cracked offline and the session decrypted. Its one remaining virtue is that almost every operating system supports it natively, including Windows, Mac OS, and mobile OSs. Treat it as a last resort for traffic you don’t mind being read, not as a starting point.

Layer 2 Tunneling Protocol (L2TP) combined with Internet Protocol Security (IPsec) is more secure than PPTP and almost as widely supported, but it is more complicated to set up (both ends need a matching pre-shared key or certificate) and is susceptible to the same connection problems as PPTP: it needs UDP ports 500 and 4500 plus ESP (IP protocol 50) to pass through firewalls and NAT, and some routers and hotspot networks block one or more of those.

Secure Sockets Layer (SSL) VPN systems rely on the same TLS encryption that protects banking sites and other sensitive domains. Most SSL VPNs are referred to as “clientless,” since you don’t need to be running a dedicated VPN client to connect to one of them: the connection happens via a Web browser over port 443, which passes through almost any network that allows Web browsing at all. That is why they’re my favorite kind of VPN, easier and more reliable to use than PPTP or L2TP/IPsec. One caveat: a clientless SSL VPN typically tunnels only what you reach through the browser portal, not every application on the machine.

An SSL VPN server is designed to be accessed via Web browser and creates encrypted channels so that you can safely access the server from anywhere.

OpenVPN is exactly what it sounds like: an open-source VPN system that uses OpenSSL’s TLS for its key exchange. It’s free and secure, and because it can run over UDP (port 1194 by default) or over TCP, typically on port 443, it doesn’t suffer from the NAT and firewall issues of PPTP and L2TP/IPsec. Using OpenVPN does require you to install a client, since Windows, Mac OS X, and mobile devices don’t natively support it.

In short: When in doubt, use SSL or OpenVPN. Keep in mind that some of the services highlighted in the next section don’t use these protocols. Instead, they use their own proprietary VPN technology, which means you are trusting the vendor’s claims rather than a protocol that has been publicly reviewed.

Now, let’s talk about how to create and connect to your own VPN. If you want simple remote access to a single computer, consider using the VPN software built into Windows. If you’d like to network multiple computers together quickly through a VPN, consider installing stand-alone VPN server software.

If you need a more reliable and robust arrangement (one that also supports site-to-site connections), consider using a dedicated VPN router. And if you just want to use a VPN to secure your Internet traffic while you’re on public Wi-Fi hotspots and other untrusted networks—or to access regionally restricted sites—consider subscribing to a third-party hosted VPN provider.

Set up a simple VPN with Windows

Windows comes loaded with a VPN client that supports the PPTP and L2TP/IPsec protocols. The setup process is simple: If you’re using Windows 8, just bring up the Search charm, type VPN, and then launch the VPN wizard by clicking Set up a virtual private network (VPN) connection.

You can use this client to connect securely to other Windows computers or to other VPN servers that support the PPTP and L2TP/IPsec protocols—you just need to provide the IP address or domain name of the VPN server to which you want to connect. If you’re connecting to a corporate or commercial VPN, you can contact the administrator to learn the proper address. If you’re running your own VPN server via Windows, you can find the server’s address on the local network by typing CMD in the Search charm, launching the Command Prompt, and typing ipconfig. Note that ipconfig shows the computer’s private LAN address (for example 192.168.x.x), which is the address the router forwards to; clients out on the Internet must instead dial the public address of your router (shown on the router’s status page) or a DNS name that points to it. This comes in handy when you’re setting up your Windows PC as a VPN server and then connecting to it so that you can securely, remotely access your files from anywhere.

Windows has a built-in VPN client, but you’ll need to provide the connection information (namely, the IP address) for the VPN server you want to use.

Quick note: When setting up incoming PPTP VPN connections in Windows, you must configure your network router to forward VPN traffic to the Windows computer you want to access remotely. You can do this by logging in to the router’s control panel—consult the manufacturer’s instructions on how to do this—and configuring the port-forwarding or virtual-server settings to forward TCP port 1723 to the IP address of the computer you wish to access. PPTP also carries the tunnel itself over GRE (IP protocol 47), which has no port number to forward; that is what the “PPTP pass-through” or “VPN pass-through” option in the router’s firewall settings handles, so make sure it is enabled (it usually is by default).

If you’re using Windows 7 and you need to connect to a VPN or to accept incoming VPN connections in that OS, check out our guide to setting up a VPN in Windows 7.
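As an added example, not code from the article, here is the same client setup done from PowerShell on Windows 8 or later, dialling L2TP/IPsec rather than PPTP, followed by the firewall rules the machine that accepts incoming connections needs. The server name vpn.example.net, the pre-shared key, the user name alice and the connection name are placeholders you would replace with your own.

```powershell
# Added example: Windows VPN client setup from PowerShell (Windows 8 / Server 2012
# or later; VpnClient and NetSecurity modules). Not code from the original article.
# Hypothetical values: vpn.example.net, the pre-shared key, the user 'alice'.

$ConnName   = 'Home-L2TP'
$ServerName = 'vpn.example.net'   # public address or DNS name of the VPN server

# PPTP is the weakest protocol the article lists, so dial L2TP/IPsec instead.
# EncryptionLevel 'Required' makes the client refuse an unencrypted session;
# MS-CHAPv2 here runs inside the IPsec tunnel, which is exactly what PPTP lacks.
$params = @{
    Name                 = $ConnName
    ServerAddress        = $ServerName
    TunnelType           = 'L2tp'
    L2tpPsk              = 'replace-with-the-real-pre-shared-key'   # hypothetical
    AuthenticationMethod = 'MSChapv2'
    EncryptionLevel      = 'Required'
    Force                = $true      # overwrite an existing entry of the same name
}
Add-VpnConnection @params

# Verify what was stored before dialling.
Get-VpnConnection -Name $ConnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Dial. The '*' makes rasdial prompt for the password instead of taking it on the
# command line, so it does not land in the shell history.
rasdial $ConnName alice *

# Confirm the tunnel interface came up with an address and which routes use it.
Get-NetIPAddress -InterfaceAlias $ConnName -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress
Get-NetRoute -InterfaceAlias $ConnName -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop

# --- On the machine that ACCEPTS incoming connections ------------------------
# ipconfig / Get-NetIPAddress report only the LAN address that the router should
# forward to; remote clients dial the router's public address. Windows Firewall
# must also admit whatever the router forwards. Open the set that matches the
# protocol your server speaks:
#   L2TP/IPsec: UDP 500 (IKE), UDP 4500 (NAT-T) and ESP (IP protocol 50)
#   PPTP (only if nothing else is possible): TCP 1723 and GRE (IP protocol 47)
New-NetFirewallRule -DisplayName 'VPN in: IKE and NAT-T' -Direction Inbound `
    -Protocol UDP -LocalPort 500, 4500 -Action Allow
New-NetFirewallRule -DisplayName 'VPN in: ESP' -Direction Inbound `
    -Protocol 50 -Action Allow
```

Run the firewall lines in an elevated prompt; the client lines run as the user who will dial the connection. If rasdial reports that the connection cannot be established, check the router's port forwarding and pass-through settings before suspecting the credentials.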

 

Use third-party software to create a VPN server

If you’d like to create a VPN between multiple computers to share files and network resources without having to configure your router or to dedicate a PC to act as the VPN server, consider using third-party VPN software. Comodo Unite, Gbridge, and TeamViewer are all decent, reliable, and (most important) free.

LogMeIn Hamachi is a simple, elegant, and secure VPN client that’s free for up to five users.

You can also use LogMeIn Hamachi for free with five or fewer users, but it’s good enough that if you have more than five PCs you want to link up securely—say, as part of your small-but-growing business—you should consider paying for the full service.

Go whole hog with your own VPN router

If you want to get your hands dirty while providing robust remote access to an entire network, or if you wish to create site-to-site connections, try setting up a router on your network with a VPN server and client. If you’re working on a budget, the cheapest way to set up your own dedicated VPN router is to upload aftermarket firmware that enables VPN functionality, such as DD-WRT or Tomato, to an inexpensive consumer-level router.

The ZyXel USG20W VPN router is a smart investment if you want to set up your own dedicated VPN at home or in the office.

You can also purchase a specially designed router (commonly called a VPN router) with a VPN server built in, such as the ZyXel ZyWall 802.11n Wireless Internet Security Gigabit Firewall (USG20W), Cisco Wireless Network Security Firewall Router (RV220W), or Netgear ProSecure UTM Firewall with Wireless N (UTM9S).

When you’re choosing a VPN router and third-party router firmware, make sure they support the VPN networking protocol you need for your devices. In addition, check the VPN router to verify how many simultaneous VPN users it supports.

Let a third-party VPN provider worry about it

If you merely want VPN access to cloak your Internet traffic while you’re using public Wi-Fi or another untrusted network, or to access regionally restricted sites, the simplest solution is to use a hosted VPN provider. Hotspot Shield is my favorite, as it offers both free and paid VPN services for Windows, Mac, iOS, and Android. HotSpotVPN, StrongVPN, and WiTopia are other paid services we’ve reviewed in the past.

Tor (The Onion Router) is an excellent, free utility that anonymizes your Internet activity through a series of relays scattered around the world.

If you want to keep your browsing activity anonymous but can’t spare the cash for a paid VPN, check out Tor (The Onion Router), a network of volunteer-run relays that can anonymize your Internet traffic for free. Visit the Tor website, download the latest Tor Browser Bundle, and browse from the bundled browser rather than your usual one. The software encrypts your connection and routes it through a series of relays across the globe, slowing your browsing but hiding your address from the sites you visit and your activity from the local network. Note that Tor is not a VPN: the last relay (the exit) hands your traffic to the destination as-is, so anything not protected by HTTPS is readable there.

No matter how you choose to go about it, start using a VPN today. It takes a bit of work up front, but spending the time to get on a VPN is one of the smartest, simplest steps you can take toward making your online activities more secure.

 

Eric Geier Contributor


Eric Geier is a freelance tech writer as well as the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site computer services company.


FBI Taps Hacker Tactics to Spy on Suspects

Law-Enforcement Officials Expand Use of Tools Such as Spyware as People Under Investigation ‘Go Dark,’ Evading Wiretaps

Updated Aug. 3, 2013 3:17 p.m. ET

Law-enforcement officials in the U.S. are expanding the use of tools routinely used by computer hackers to gather information on suspects, bringing the criminal wiretap into the cyber age.

Federal agencies have largely kept quiet about these capabilities, but court documents and interviews with people involved in the programs provide new details about the hacking tools, including spyware delivered to computers and phones through email or Web links—techniques more commonly associated with attacks by criminals.

People familiar with the Federal Bureau of Investigation’s programs say that the use of hacking tools under court orders has grown as agents seek to keep up with suspects who use new communications technology, including some types of online chat and encryption tools. The use of such communications, which can’t be wiretapped like a phone, is called “going dark” among law enforcement.

The FBI develops some hacking tools internally and purchases others from the private sector. With such technology, the bureau can remotely activate the microphones in phones running Google Inc.’s Android software to record conversations, one former U.S. official said. It can do the same to microphones in laptops without the user knowing, the person said. Google declined to comment.

The bureau typically uses hacking in cases involving organized crime, child pornography or counterterrorism, a former U.S. official said. It is loath to use these tools when investigating hackers, out of fear the suspect will discover and publicize the technique, the person said.

The FBI has been developing hacking tools for more than a decade, but rarely discloses its techniques publicly in legal cases.

Earlier this year, a federal warrant application in a Texas identity-theft case sought to use software to extract files and covertly take photos using a computer’s camera, according to court documents. The judge denied the application, saying, among other things, that he wanted more information on how data collected from the computer would be minimized to remove information on innocent people.

Since at least 2005, the FBI has been using “web bugs” that can gather a computer’s Internet address, lists of programs running and other data, according to documents disclosed in 2011. The FBI used that type of tool in 2007 to trace a person who was eventually convicted of emailing bomb threats in Washington state, for example.

The FBI “hires people who have hacking skill, and they purchase tools that are capable of doing these things,” said a former official in the agency’s cyber division. The tools are used when other surveillance methods won’t work: “When you do, it’s because you don’t have any other choice,” the official said.

Surveillance technologies are coming under increased scrutiny after disclosures about data collection by the National Security Agency. The NSA gathers bulk data on millions of Americans, but former U.S. officials say law-enforcement hacking is targeted at very specific cases and used sparingly.

Still, civil-liberties advocates say there should be clear legal guidelines to ensure hacking tools aren’t misused. “People should understand that local cops are going to be hacking into surveillance targets,” said Christopher Soghoian, principal technologist at the American Civil Liberties Union. “We should have a debate about that.”

Mr. Soghoian, who is presenting on the topic Friday at the DefCon hacking conference in Las Vegas, said information about the practice is slipping out as a small industry has emerged to sell hacking tools to law enforcement. He has found posts and resumes on social networks in which people discuss their work at private companies helping the FBI with surveillance.

A search warrant would be required to get content such as files from a suspect’s computer, said Mark Eckenwiler, a senior counsel at Perkins Coie LLP who until December was the Justice Department’s primary authority on federal criminal surveillance law. Continuing surveillance would necessitate an even stricter standard, the kind used to grant wiretaps.

But if the software gathers only communications-routing “metadata”—like Internet protocol addresses or the “to” and “from” lines in emails—a court order under a lower standard might suffice if the program is delivered remotely, such as through an Internet link, he said. That is because nobody is physically touching the suspect’s property, he added.

An official at the Justice Department said it determines what legal authority to seek for such surveillance “on a case-by-case basis.” But the official added that the department’s approach is exemplified by the 2007 Washington bomb-threat case, in which the government sought a warrant even though no agents touched the computer and the spyware gathered only metadata.

In 2001, the FBI faced criticism from civil-liberties advocates for declining to disclose how it installed a program to record the keystrokes on the computer of mobster Nicodemo Scarfo Jr. to capture a password he was using to encrypt a document. He was eventually convicted.

A group at the FBI called the Remote Operations Unit takes a leading role in the bureau’s hacking efforts, according to former officials.

Officers often install surveillance tools on computers remotely, using a document or link that loads software when the person clicks or views it. In some cases, the government has secretly gained physical access to suspects’ machines and installed malicious software using a thumb drive, a former U.S. official said.

The bureau has controls to ensure only “relevant data” are scooped up, the person said. A screening team goes through all of the data pulled from the hack to determine what is relevant, then hands off that material to the case team and stops working on the case.

The FBI employs a number of hackers who write custom surveillance software, and also buys software from the private sector, former U.S. officials said.

Italian company HackingTeam SRL opened a sales office in Annapolis, Md., more than a year ago to target North and South America. HackingTeam provides software that can extract information from phones and computers and send it back to a monitoring system. The company declined to disclose its clients or say whether any are in the U.S.

U.K.-based Gamma International offers computer exploits, which take advantage of holes in software to deliver spying tools, according to people familiar with the company. Gamma has marketed “0 day exploits”—meaning that the software maker doesn’t yet know about the security hole—for software including Microsoft Corp.’s Internet Explorer, those people said. Gamma, which has marketed its products in the U.S., didn’t respond to requests for comment, nor did Microsoft.

Write to Jennifer Valentino-DeVries at Jennifer.Valentino-DeVries@wsj.com and Danny Yadron at danny.yadron@wsj.com

“If we desire respect for the law, we must first make the law respectable.” – U.S. Supreme Court Justice Louis D. Brandeis