Two statements that jumped out at me.

1. "I was in contact with the EFF this month regarding the issue. They referred me to some lawyers, but basically, the advice to me in general has been that no digital information is protected from snooping unless it is stored in your home and encrypted. But even then, I am told that silent "black bag" jobs (tampering with your home electronic devices) are a possibility if you are labeled a threat to national security."

2. "These people don't understand technology and don't understand what they are asking for many times. They also don't understand even the most basic concepts of how the Internet works. I presume the non-field agents (the people that are in operations centers and don't talk to people) are the ones that penetrate the end-user electronically, as necessary."

https://www.noisebridge.net/pipermail/noisebridge-discuss/2013-March/035200.html

==========

NSLs were still alive and kicking up until a week or so ago, when the EFF's successful ruling was announced. The EFF has let me know that the ruling only stands for 90 days and that there is a possibility the ruling will be rescinded after that upon appeal. So, we are not safe yet.

I was in contact with the EFF this month regarding the issue. They referred me to some lawyers, but basically, the advice to me in general has been that no digital information is protected from snooping unless it is stored in your home and encrypted. But even then, I am told that silent "black bag" jobs (tampering with your home electronic devices) are a possibility if you are labeled a threat to national security.

Here is some feedback I can share, since I am a rare person to have realized the snooping was in effect while it was occurring. I also got confirmation of this due to lack of a confidentiality requirement when multiple agents attempted to visit me in person and called me on the phone.
They wanted to follow up after their many months of snooping revealed that I was not in fact a "terrorist" -- simply a security researcher that had identified vulnerabilities of a North American utility company. After half a year of working with the utility company, they did nothing to protect my own data, so I went online to blow the whistle about the company being breached and all user data (including home addresses and names) being compromised. With this vulnerability, someone could effectively find your home address / phone / name on account no matter where you lived in North America, since you are required to provide this when receiving utility service. To my knowledge, the companies involved have still not gone public with this information.

Some things the Secret Service did to snoop on me that you should also be aware of, and some feedback follow:

* SS served Google with an NSL to obtain my account information.

* Around January, upon logging into the Google account, Google showed a strange NOTICE message asking me to accept the terms of usage of my account. This was odd, because in a decade of being a Google user, I had never seen this. I am told that this is Google's way of "telling you without telling you" that you have been served an NSL. Google, by law, is not allowed to tell you about the NSL, but they definitely are within their right to ask you to accept their TOS upon login. This is the "tell" that everyone here should be aware of. If you see this, you are likely being monitored.

* My Google account was being operated by someone else, despite utilizing 2-step and very strong passwords. This may have been limited to a Google Chat 0day, unpublished vulnerability, or a Google backdoor. My chat contacts said I was online when I was not online or had messaged them, when I had not.

* I received multiple emails from shady individuals asking me to provide / sell 0day. Some were in poor English.
I presume this may have been a baiting tactic to get me on some technicality. I did not sell any 0day nor did I accept their request to "help them" with whatever they were seeking in terms of shady deals.

* One of my encrypted Desktop home Linux computers was mysteriously wiped upon my return from a trip. The RAID array was 'corrupted'.

* People I know started getting strange calls from random numbers at odd hours. I wonder if this was some attempt to exploit remote listening flaws in some phones, but I am justly paranoid.

* Someone opened mail / packages at my physical residence to reveal the contents inside. This was very odd and not something that ever happens. It occurred at least twice to my knowledge.

* Local police were posted outside my residence the morning I received numerous calls from SS agents.

* SS confirmed over the phone that they monitored my Google account, after I told them I knew they were. At first, they would not tell me they did and denied it. The agent actually said "Google should not have told you that". When I asked how many other online accounts they monitored, the agent refused to let me know the details. When asked if they monitored my financial / banking / health records, they said the surveillance was limited to electronic records. I presume this includes my ISP, Google, phone, any accounts signed up via Google (third-party registration / account emails give it away), etc.

* I was told that my security research activities are a "legal grey area", but that the investigation was being closed. The SS said that the data they have on me "is safe" and "will be destroyed" after some "expiration period". I vehemently expressed my distrust that it would be held securely or destroyed.

For your background, I have been on the other side of such requests, as the person providing data to the Secret Service field agents before. These people don't understand technology and don't understand what they are asking for many times.
They also don't understand even the most basic concepts of how the Internet works. I presume the non-field agents (the people that are in operations centers and don't talk to people) are the ones that penetrate the end-user electronically, as necessary.

Unfortunately, I have no evidence to support the above other than the strange activity on my account. An entirely separate and more likely scenario is that the Secret Service communications are hacked by Nation States that used that surveillance to target me directly. A scary assumption, but not out of the question. Mitnick was reading GOV emails long ago and I would have to presume that adversaries are snooping GOV emails still to this day.

If you have any other insights, I would be glad to hear them. I would love to speak with anyone else that can come forward as an NSL victim.

On Wed, Mar 20, 2013 at 5:10 PM, Andy Isaacson wrote:
> Did you receive one of the few NSLs without a confidentiality
> requirement, or did you manage to get it set aside, or are you relying
> on Judge Illston's decision in this disclosure? (Just curious.)

It did not have a confidentiality requirement, to my knowledge. I am attempting to get the FOIA data on myself, but it has been rejected thus far.