Phones Leave a Telltale Trail
By EVAN PEREZ and SIOBHAN GORMAN
The April robbery at the Cartier store in Chevy Chase, Md., was brazen and quick. After grabbing 13 watches valued at $131,000, the suspects fled in a waiting car and melted into traffic. It was one of more than a dozen similar capers that had stumped police and the Federal Bureau of Investigation.
But, in recent weeks, the FBI was able to arrest two men. Cellphone records from Deutsche Telekom AG's T-Mobile USA and Sprint Nextel Corp. placed the suspects near the Cartier store at the time of the robbery, as well as near other heists, the FBI alleged in court filings. The T-Mobile records also allegedly showed the phone moving along the same path traveled by the suspects as police chased them.
Paula Broadwell's affair with former CIA Director David Petraeus was uncovered last year as a result of phone metadata in a stalking inquiry.
This kind of information is at the center of the debate unleashed after a contractor leaked the details of the National Security Agency's phone-data collection program. The NSA program wasn't used in the ongoing robbery investigation, but the concept is the same. The so-called metadata represents one element of the voluminous digital trail left by most Americans in their daily lives. Each individual crumb might seem insignificant, but combined and analyzed, this data gives police and spies alike one of the most powerful investigative tools ever devised.
The data doesn't include the speech in a phone call or words in an email, but includes almost everything else, including the model of the phone and the "to" and "from" lines in emails. By tracing metadata, investigators can pinpoint a suspect's location to specific floors of buildings. They can electronically map a person's contacts, and their contacts' contacts.
The NSA, through secret court orders served to U.S. telecommunications firms, scoops up metadata relating to almost all calls made into and within the U.S., which it can later query as part of a terror investigation. U.S. officials say that kind of work, in concert with other techniques, has helped thwart "dozens" of terrorist plots in the U.S. and overseas. Critics charge it represents an invasion of privacy.
The typical smartphone user can give off a total of nearly 100 pieces of highly technical data through calls, texts and other activities, according to research by Tracy Ann Kosa, a digital-privacy expert at the University of Ontario. This information includes the time that phones make contact with cellphone towers, the direction of the tower with respect to the phone and the signal strength at the time.
Ms. Kosa said much of the data is "insignificant on its own." But "every little piece counts," she said. "Think of it like footsteps—or calories."
One of the most dramatic examples of how metadata can be used came in the criminal investigation that separately uncovered retired Gen. David Petraeus's extramarital affair and ended his tenure as Central Intelligence Agency director.
An FBI investigation into a stalking complaint led agents to obtain location data from email addresses used to send the alleged threats, according to U.S. law-enforcement officials. FBI agents discovered the sender had used computers at several hotels. Agents asked the hotels to provide lists of guests who'd used business centers around that time. That led them to Paula Broadwell, Mr. Petraeus's biographer. The data was used as probable cause to obtain a court order to monitor Ms. Broadwell's email accounts. Agents soon realized from her emails that the two were having an affair.
The woman who received the allegedly harassing emails, Tampa socialite Jill Kelley, said in a lawsuit filed later against the FBI that the bureau's investigation took off after agents took a single IP address from an email sent to her last June. The FBI said it closed the stalking investigation without filing any charges.
A U.S. law-enforcement official said the Petraeus case should not lead to privacy worries. The official said law enforcement is required to have a specific investigative purpose to collect and look at metadata.
Intelligence and law-enforcement agencies have been using metadata in their investigations for decades. Central Intelligence Agency officers routinely rifle through so-called pocket litter found on captured terrorist suspects and give information such as phone numbers to the NSA.
A cat-and-mouse game has evolved, with terror suspects frequently swapping SIM cards, or phone identification cards, to confuse intelligence agencies, former officials said. The U.S. has countered by devising how to monitor the phone and the SIM card separately.
"You keep pulling the thread. It's critical stuff," one former senior intelligence official said. "In every major terrorist operation or capture operation, metadata has played a huge role."
Some of the most important metadata, cellphone location information, varies depending on the area covered by a cell tower. In rural areas, one tower may serve wide swaths of territory, but in urban areas, towers are more targeted.
The number of cellular base stations that serve a single floor of an office building equaled or surpassed the number of standard cell towers in 2010 and continues to grow, University of Pennsylvania engineering professor Matt Blaze told Congress last year.
The increase in metadata has transformed the way intelligence agencies conduct investigations with domestic data. Traditionally, investigators had to meet various legal standards to collect any data, such as connecting the data they wanted to seize with a specific suspect.
Under the NSA phone program, the government collects domestic phone metadata without a specific investigative lead. Trained analysts only search the database in conjunction with a terrorism investigation, authorities say.
Intelligence agencies "basically reimpose at the level of analysis the standards you might ideally have for collection," said Timothy Edgar, a former top national-security privacy lawyer in the Bush and Obama administrations.
Mr. Edgar said the increasingly specific location data raises concerns about potential violations of Fourth Amendment protections against unreasonable searches and seizures. Once a person can be located within a building, the monitoring more closely resembles a search that would traditionally require a warrant.
The NSA program is accompanied by privacy restrictions, Obama administration officials say. To search the database, the government must have "reasonable suspicion" that the basis for the query is "associated with a foreign terrorist organization," they say. Search warrants approved by the secret Foreign Intelligence Surveillance Court are required before the contents of the calls may be monitored.
Some useful metadata isn't retained very long by phone companies, according to people familiar with the evidence-gathering. That could explain why in court orders phone companies have been instructed to turn over information daily.
The program's supporters note the Supreme Court has ruled the public has no reasonable expectation of privacy for information it turns over to a third party, such as a phone company. That 1979 ruling, however, predated cellphones. Moreover, cellphone technology has changed dramatically since the inception of the NSA data program in the early 2000s.
"On one hand, this could equip the government to electronically follow you around in public," said Jeremy Bash, until recently Pentagon chief of staff. "But even if they were to physically follow you around, you would not need a warrant for that," he said.
Mr. Bash added it is nonetheless "a fair question" whether metadata should trigger heightened Fourth Amendment scrutiny, because communications technology has changed so much.
"It's possible that 'dataveillance' could come under higher judicial scrutiny," he said, using a new term of art that means the ability to surveil people through their data trail.
A Call to Arms for Banks
By MICHAEL R. CRITTENDEN
WASHINGTON—U.S. regulators are stepping up calls for banks to better-arm themselves against the growing online threat hackers and criminal organizations pose to individual institutions and the financial system as a whole.
The push comes as government officials grow increasingly concerned about the ability of a cyber attack to cause significant disruptions to the financial system. Banks such as J.P. Morgan Chase & Co., Bank of America Corp. and Capital One Financial Corp. have been targeted by cyber assaults in recent years, including potent "denial-of-service" strikes that took down some bank websites off-and-on for days, frustrating customers. Banks have spent millions of dollars responding to or protecting against such attacks, including a wave of attempted online assaults targeting major banks beginning last year that U.S. defense officials say had the backing of the Iranian government.
The warnings reinforce the message from Washington that the private sector has primary responsibility for fending off attacks, even from groups the U.S. believes are tied to a foreign government. Some banks have bristled at the suggestion they can fend off a foreign nation and have asked the U.S. to intervene to mitigate such attacks, either by blocking the attacks or moving against those mounting them.
A banking industry official said the onus can't just be on banks to combat cyber attacks. "It needs to be collaborative; the industry can't take on foreign countries alone," the official said.
The U.S. has increasingly adopted a hard line toward firms whose systems are violated, holding companies more accountable for protecting themselves. Last year, the Federal Trade Commission filed a lawsuit against Wyndham Worldwide Corp. alleging the hotel chain failed to protect the credit-card information of its consumers. In 2011, the Securities and Exchange Commission issued guidance requiring companies to disclose to investors more details when their computer systems have come under attack by hackers.
Regulators and the banking industry are coordinating efforts to respond to the growing threat, including a major cyber "war game" exercise slated for later this month involving top regulators, the Department of Homeland Security and major banks. Organized by the Securities Industry and Financial Management Association and titled "Quantum Dawn 2," the exercise is supposed to replicate a large, coordinated cyber attack to test the industry's response.
Officials from the Treasury Department and other financial regulators have been conducting regular classified and non-classified briefings with bank officers about the increased likelihood banks of all sizes could come under attack. Treasury Secretary Jacob Lew last week met with roughly 40 executives in New York to discuss concerns, one in a series of meetings Mr. Lew has had on the topic with government and business leaders, according to the Treasury Department.
Last week, the Federal Reserve and other banking regulators formed a new "cyber security" working group to highlight the issue and better coordinate government responses. And earlier this week, the Office of the Comptroller of the Currency hosted a call with more than 1,000 community bankers, warning that cyber attacks are on the rise—particularly among small banks—as the number of potential targets expands.
"You have to think of cyber-risk as part of the other overall risks at your bank," said Valerie Abend, the OCC's senior critical infrastructure officer.
Regulators are counseling bank executives to change the way they think about cyber attacks, she said, and consider them as they do more traditional risks, such as lending and interest-rate risk, when making strategic decisions. As with regulators' recent push to step up enforcement of anti-money-laundering rules, banks are being told that they'll be judged on their preparation against cyber attacks when examiners gauge a bank's operational risk. Executives are being told to train workers on potential risks posed by hackers, and to be proactive in communicating risks to customers and employees.
The Financial Stability Oversight Council, which Mr. Lew leads, cited cyber security as one of its key "emerging threats" this year. Mr. Lew raised the issue of cyber theft of trade secrets with his Chinese counterparts on a recent visit to Beijing.
While no specific incident is behind the focus on cyber security, regulators are concerned that the number of cyber attacks spawned by increasingly sophisticated hackers, criminal organizations, hacktivist groups and nation-states is going to rise. The OCC said in its presentation to bankers that cyber attacks overall, including on banks, increased 42% in 2012, ranging from malicious software or phishing attacks, to well-publicized denial-of-service attacks.
The threat became apparent late last year when Iranian hackers conducted a wave of cyber attacks targeting major U.S. banks. The attacks disrupted banks' websites, flooding them with high volumes of traffic in order to render them unavailable, and leading to warnings from U.S. officials to halt.
Karl Schimmeck, SIFMA's vice president of financial-services operations, said the industry needs to gird itself for the reality of cyber incursions.
"We're a big target…. People don't go out and physically rob banks anymore. This is the best way to get access to what banks have" including money and critical information, Mr. Schimmeck said.
Hong Kong (CNN) -- When U.S. citizen Edward Snowden decided to flee to Hong Kong because of its "spirited commitment to free speech and the right of political dissent," he may not have anticipated that some in the city would launch a protest backing him.
Several hundred demonstrators took to Hong Kong's streets in the rain Saturday voicing support for Snowden a week after the 29-year-old computer technician, who is believed to be hiding out somewhere in the city, revealed himself as the source of leaked documents exposing an international surveillance program of internet and telephone communications operated by the U.S. National Security Agency (NSA).
The revelation of his presence -- as well as his claims that Hong Kong had been subject to the surveillance -- has sparked heated speculation whether Hong Kong, a special administrative region -- one that is semi-autonomous -- of the People's Republic of China, would prove to be a safe haven for him. Snowden said his intention was to "ask the courts and people of Hong Kong to decide my fate."
"We're rallying in order not to disappoint him and to ask Hong Kong to protect his well-being, not to extradite him, and to uphold Hong Kong law," said blogger, activist and protest organizer Tom Grundy.
Amid the blowing of whistles and chants of "Protect Snowden!" and "NSA has no say!" the protest brought together representatives from 27 civil rights, labor rights, and left-wing democratic groups, as well as many ordinary members of the public and the media. Under the drizzling sky, protesters determined to show their support held laminated placards and umbrellas painted with slogans.
Adi Koul and Jesus Meza, students from the University of Texas at Austin who are studying abroad in Hong Kong, said they found the protest "really refreshing."
"As Americans, it's kind of disheartening to know [the surveillance program] is going on behind our backs and we don't have a say in it," said Koul. "It's empowering to see people who aren't necessarily American fighting for something they feel is a universal human right."
Ruth Jopling brought her daughters, Amber, aged eight, and three-year-old Jade, along to the protest; the children held cut-out masks on sticks bearing Snowden's image. "It's not just about our generation, but the next generation as well," Jopling said. Amber echoed her mother's sentiment: "When I grow up, I can tell my children about this."
Organizers claimed an overall turnout of 900 protesters; police said the demonstration had a peak turnout of 300 -- a relatively small showing compared to major protests in Hong Kong, which have attracted hundreds of thousands of people. Grundy said plans for the protest only began on Monday, and that he would be pleased if 1,000 people turned out in the end.
The three-hour protest, which kicked off in a garden in the city's business district and went on to the U.S. consulate and the Hong Kong government headquarters, failed to gain a strong sense of momentum, hampered in part by the narrow looping route allocated by the city's authorities. At each rallying point, only a small group was able to gather around to hear the keynote speakers; most protesters were relegated to standing single or double file some distance away. By the time the protest moved outside the government headquarters to deliver an open letter to the city's leader, Chief Executive C.Y. Leung, the crowd had dropped to about 100 people.
Snowden's arrival in the city has heightened simmering fears about the ever-encroaching hand of Beijing in the city's affairs and freedoms.
While Hong Kong has its own de facto constitution, judiciary, and legal system under the "one country two systems" policy, a deep mistrust runs in the city toward the government under Leung, who is widely viewed as being under the thumb of the Chinese central government.
In a televised interview with Bloomberg Wednesday, Leung repeatedly insisted he "does not comment on individual cases," when asked how Hong Kong would handle Snowden's case. His stonewalling infuriated many Hong Kongers.
"Judging from [this interview], I think he's waiting for instructions from Beijing," said Oiwan Lam, a blogger and activist with in-media, the civil advocacy group that organized the protest with Grundy.
According to Hong Kong law, if the U.S. was to request the city to surrender Snowden, Beijing could step in only if its defence or foreign affairs would be significantly affected by Hong Kong's actions. Beijing is not allowed to interfere with any asylum proceedings.
Nevertheless, many have expressed fears that Beijing will quietly influence Hong Kong's handling of Snowden's case.
"Hong Kong's decisions are all based on the Chinese government," said Sherry Hung, 24, a graduate student at Hong Kong Baptist University. "I don't think Hong Kong can help Snowden," she added, although she said it was important to show her support at the protest.
Others also note that Hong Kong has a track record of cooperating with the United States. In particular, they fear Hong Kong will not respect due process in the Snowden case, instead enabling him to be quietly whisked away. Local media in Hong Kong last year reported on the case of a Libyan dissident who launched legal action against the city's government, accusing them of aiding in his "extraordinary rendition" and subsequent torture in prison.
"The biggest Western government -- the U.S government -- is his enemy. Now he can only count on us, the power of Hong Kong civil society and our legal system," Ip Lam Chong of in-media told protesters. "I see this incident as a stress test for Hong Kong society and its legal system."
Claudia Mo, a member of the Hong Kong legislature who addressed the protesters, said the city of Hong Kong "owes Snowden at least some response."
"The U.S is supposed to be the champion of democracy, but it's been conducting blanket surveillance on a global scale," she said. "If the guy at the top has access to all our lines of communication, how is... anyone ever going to start a revolution?"
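When users used the Download Your Information tool, they would receive other users' email addresses and phone numbers. Facebook discovered the flaw yesterday and fixed it within 24 hours. Affected users have been notified by email, and it is believed the data did not fall into the hands of criminals. One Hong Kong internet user said she received an email from Facebook at 9 a.m. yesterday saying it believed her personal contact information had been accidentally accessed by a Facebook user.
This Facebook privacy flaw was uncovered by an ethical hacker taking part in the company's White Hat hacker program; each successful finder can receive at least US$500 (HK$3,900).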