In a blog post this month, search giant Google revealed that it sounded warnings against being targeted by ‘government-backed attackers’ to at least 500 users in India between July to September 2019.

In a security update put up by its Threat Analysis Group (TAG) which works to counter government-backed hacking against itself and its users, it said that the group tracked more than 270 targeted or government-backed groups from more than 50 countries. Apart from intelligence collection and stealing intellectual property, these groups, TAG says, have goals of targeting dissidents and activists, spreading coordinated disinformation and carrying out destructive cyber-attacks.

Google said that between the periods of July to September this year, it sent out more than 12,000 warnings to users in 149 countries saying that they were targeted by government-backed attackers. The number of warnings, it said was approximately sent out in the same period of 2018 and 2017.

It issued warnings to more than 1000 users in the United States of America (USA) and Pakistan, with other vulnerable regions being Canada, Nigeria, Egypt, Turkey, Saudi Arabia, Iran and the United Kingdom (UK).

Last year, a report by Business Standard revealed that a research by RSA Security had shown that india was among the top four nations targeted by phishing attacks after Canada, USA and the Netherlands.

It moved from the fourth to the second spot this year according to another research by RSA Security.

The statement by Google read, “We’ve had a long-standing policy to send users warnings if we detect that they are the subject of state-sponsored phishing attempts, and have posted periodically about these before.”

The post by Google explained that 90 percent of the users were targeted via ‘credential phishing emails’ that are attempts at obtaining the target’s password and other account information to hack into their account.

To protect itself from the same, Google said it encouraged ‘high-risk’ users like journalists, human rights activists and political campaigns to enroll in the Advanced Protection Program (APP) – designed for the highest-risk accounts – which utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings.

The press release by Google comes close on the heels on the WhatsApp Spyware row, where WhatsApp had revealed that the NSO group’s surveillance spyware Pegasus was used to spy on human rights activists and journalists in India.

Early reports on Pegasus came out when a human rights activist in the UAE, Ahmed Mansoor was targeted with an SMS link on his iPhone. Apple had then responded by pushing out an update to “patch” the issue, The Indian Express reported.

In December 2018, Montreal-based Saudi activist Omar Abdulaziz filed charges against the NSO Group, alleging that his phone had been hacked using Pegasus, and conversations that he had with his friend, the murdered Saudi dissident journalist Jamal Khashoggi, snooped on. Khashoggi was slaughtered by Saudi agents at the kingdom’s consulate in Istanbul on October 2, 2018; Abdulaziz said he believed his phone was hacked in August that year.

Citizen Lab, the University of Toronto’s interdisciplinary laboratory had helped uncover that Indian lawyers, academics, Dalit activists and journalists like Anand Teltumbde, Nihalsing Rathod, Shalini Gera, Degree Prasad Chouhan among others, who were associated with the Bhima Koregaon matter and detained, were being spied upon through Pegasus.

The Wire also earlier this month reported of Yahoo sending out warnings against ‘government-backed actors’ to an associate professor at the Indian Institute of Science Education and Research in Kolkata, a 42-year-old Partho Sarothi Ray.

Ray, is not just a professor, but also a well-known civil rights activist and a founder member of a Leftist Magazine called Sanhati. He had earlier protested against the Trinamool Congress (TMC) over its decision to evict slum dwellers in Kolkata and was jailed for 10 days. He is also part of a collective that provides legal help to incarcerated people suffering from state persecution – mostly Adivasis, Dalits and religious minorities, called the Persecuted Prisoners Solidarity Committee (PPSC). He has also been on the radar of the police and the Union home ministry who had asked the West Bengal government to keep a watch on him.

But the nail in the coffin regarding hisaccount being hacked could be his association with Sudha Bharadwaj, who has been arrested in the Bhima Koregaon case and who helps him out with PPSC work. 

In June this year, announcing new security features in AOL mail and Yahoo mail,Verizon had put out a press release saying it had notified tens of thousands of users – including journalists, activists and officials with sensitive information – since 2015, that they may have been targeted by a ‘government-backed’ actor.

Their release said, “For many of our users, knowledge itself is also a powerful tool in account security and can even have implications for a user’s physical security. A journalist reporting on corruption of an oppressive government regime may learn that they need to take steps to ensure their digital and physical security. The same could be true for a free expression advocate challenging government censorship.We’re committed to protecting the security and safety of our users, and believe this expanded system demonstrates that commitment. As always, stay paranoid!

The TAG team of Google whose daily work involves “detecting and defeating threats, and warning targeted users and customers about the world’s most sophisticated adversaries, spanning the full range of Google products including Gmail, Drive and YouTube” said that going forward it will share more technical details and data about the threats it detects and counters to advance the broader digital security discussion.

The complete blog by Google’s Threat Analysis Group (TAG) can be read here.

Related:
The Daily Fix: If BJP government hasn’t used Pegasus Whatsapp spyware to snoop, why won’t it say so?
Did GOI just admit in Lok Sabha to using Pegasus to spy on activists?
What is Ravishankar Prasad Hiding on WhatsApp Hack?
Who Benefits? The Question Nobody’s Asking in the WhatsApp Hacking Case
Whatsapp Spyware Attack: Bhima-Koregaon activists being spied on by the Centre?
Open Letter to the Government of India from Pegasus Targeted Persons

The post ‘Government-backed attacks’: Google warned 500 Indians against hacking appeared first on SabrangIndia.

As a scholar and lawyer who started researching and writing about the history and meaning of the Fourth Amendment to the Constitution more than 30 years ago, I immediately saw how the FBI versus Apple controversy earlier this year was bringing the founders' fight for liberty into the 21st century. My study of that legal battle caused me to dig into the federal government’s actual practices for getting email from cloud accounts and cellphones, causing me to worry that our basic liberties are threatened.
 

A new type of government search

The federal government is getting access to the contents of entire email accounts by using an ancient procedure – the search warrant – with a new, sinister twist: secret court proceedings.

The earliest search warrants had a very limited purpose – authorizing entry to private premises to find and recover stolen goods. During the era of the American Revolution, British authorities abused this power to conduct dragnet searches of colonial homes and to seize people’s private papers looking for evidence of political resistance.

To prevent the new federal government from engaging in that sort of tyranny, special controls over search warrants were written into the Fourth Amendment to the Constitution. But these constitutional provisions are failing to protect our personal documents if they are stored in the cloud or on our smartphones.

Fortunately, the government’s efforts are finally being made public, thanks to legal battles taken up by Apple, Microsoft and other major companies. But the feds are fighting back, using even more subversive legal tactics.
 

Searching in secret

To get these warrants in the first place, the feds are using the Electronic Communications Privacy Act, passed in 1986 – long before widespread use of cloud-based email and smartphones. That law allows the government to use a warrant to get electronic communications from the company providing the service – rather than the true owner of the email account, the person who uses it.

And the government then usually asks that the warrant be “sealed,” which means it won’t appear in public court records and will be hidden from you. Even worse, the law lets the government get what is called a “gag order,” a court ruling preventing the company from telling you it got a warrant for your email.

You might never know that the government has been reading all of your email – or you might find out when you get charged with a crime based on your messages.
 

Microsoft steps up

Much was written about Apple’s successful fight earlier this year to prevent the FBI from forcing the company to break the iPhone’s security system.
But relatively little notice has come to a similar Microsoft effort on behalf of customers that began in April 2016. The company’s suit argued that search warrants delivered to Microsoft for customers' emails are violating regular people’s constitutional rights. (It also argued that being gagged violates Microsoft’s own First Amendment rights.)

Microsoft’s suit, filed in Seattle, says that over the course of 20 months in 2015 and 2016, it received more than 3,000 gag orders – and that more than two-thirds of the gag orders were effectively permanent, because they did not include end dates. Court documents supporting Microsoft describe thousands more gag orders issued against Google, Yahoo, Twitter and other companies. Remarkably, three former chief federal prosecutors, who collectively had authority for the Seattle region for every year from 1989 to 2009, and the retired head of the FBI’s Seattle office have also joined forces to support Microsoft’s position.
 

The feds get everything

This search warrant clearly spells out who the government thinks controls email accounts – the provider, not the user. U.S. District Court for the Southern District of New York

It’s very difficult to get a copy of one of these search warrants, thanks to orders sealing files and gagging companies. But in another Microsoft lawsuit against the government a redacted warrant was made part of the court record. It shows how the government asks for – and receives – the power to look at all of a person’s email.

On the first page of the warrant, the cloud-based email account is clearly treated as “premises” controlled by Microsoft, not by the email account’s owner:
 

“An application by a federal law enforcement officer or an attorney for the government requests the search of the following … property located in the Western District of Washington, the premises known and described as the email account [REDACTED]@MSN.COM, which is controlled by Microsoft Corporation.”
 

The Fourth Amendment requires that a search warrant must “particularly describe the things to be seized” and there must be “probable cause” based on sworn testimony that those particular things are evidence of a crime. But this warrant orders Microsoft to turn over “the contents of all e-mails stored in the account, including copies of e-mails sent from the account.” From the day the account was opened to the date of the warrant, everything must be handed over to the feds.

The warrant orders Microsoft to turn over every email in an account – including every sent message. U.S. District Court for the Southern District of New York

Reading all of it

In warrants like this, the government is deliberately not limiting itself to the constitutionally required “particular description” of the messages it’s looking for. To get away with this, it tells judges that incriminating emails can be hard to find – maybe even hidden with misleading names, dates and file attachments – so their computer forensic experts need access to the whole data base to work their magic.

If the government were serious about obeying the Constitution, when it asks for an entire email account, at least it would write into the warrant limits on its forensic analysis so only emails that are evidence of a crime could be viewed. But this Microsoft warrant says an unspecified “variety of techniques may be employed to search the seized emails,“ including “email by email review.”

The right to read every email. U.S. District Court for the Southern District of New York

As I explain in a forthcoming paper, there is good reason to suspect this type of warrant is the government’s usual approach, not an exception.
Former federal computer-crimes prosecutor Paul Ohm says almost every federal computer search warrant lacks the required particularity. Another former prosecutor, Orin Kerr, who wrote the first edition of the federal manual on searching computers, agrees: “Everything can be seized. Everything can be searched.” Even some federal judges are calling attention to the problem, putting into print their objections to signing such warrants – but unfortunately most judges seem all too willing to go along.
 

What happens next

If Microsoft wins, then citizens will have the chance to see these search warrants and challenge the ways they violate the Constitution. But the government has come up with a clever – and sinister – argument for throwing the case out of court before it even gets started.

The government has asked the judge in the case to rule that Microsoft has no legal right to raise the Constitutional rights of its customers. Anticipating this move, the American Civil Liberties Union asked to join the lawsuit, saying it uses Outlook and wants notice if Microsoft were served with a warrant for its email.

The government’s response? The ACLU has no right to sue because it can’t prove that there has been or will be a search warrant for its email. Of course the point of the lawsuit is to protect citizens who can’t prove they are subject to a search warrant because of the secrecy of the whole process. The government’s position is that no one in America has the legal right to challenge the way prosecutors are using this law.
 

Far from the only risk

The government is taking a similar approch to smartphone data.

For example, in the case of U.S. v. Ravelo, pending in Newark, New Jersey, the government used a search warrant to download the entire contents of a lawyer’s personal cellphone – more than 90,000 items including text messages, emails, contact lists and photos. When the phone’s owner complained to a judge, the government argued it could look at everything (except for privileged lawyer-client communications) before the court even issued a ruling.

The federal prosecutor for New Jersey, Paul Fishman, has gone even farther, telling the judge that once the government has cloned the cellphone it gets to keep the copies it has of all 90,000 items even if the judge rules that the cellphone search violated the Constitution.

Where does this all leave us now? The judge in Ravelo is expected to issue a preliminary ruling on the feds' arguments sometime in October. The government will be filing a final brief on its motion to dismiss the Microsoft case September 23. All Americans should be watching carefully to what happens next in these cases – the government may be already watching you without your knowledge.

Author is W. Lee Burge Chair in Law & Ethics; Director, National Institute for Teaching Ethics & Professionalism, Georgia State University

This article was first published on The Conversation

The post FBI: We can read all your email, and you’ll never know appeared first on SabrangIndia.