404 — The Hague issues clarion call for consumer protections online via Global Commission on Internet Governance

Here's an interesting piece about the struggle for influence amongst the Net's various stakeholders, from consumers and businesses to academia and government. Each competes for a voice, muscling others out of the way. In the EU, consumers have the upper hand, closely followed by business interests. In this country it's government, closely followed by by business interests. Then come consumers and academia . . . helas. I deal with these very issues in my latest novel, 4o4 - A John Decker Thriller, about the surveillance state, just out from Cornucopia Press. Pick up your copy from Amazon. And check out this excellent story from The Guardian.

 Activists of Indian Youth Congress and National Students Union of India shout anti-government slogans during a protest in support of net neutrality in New Delhi. Photograph: Money Sharma/AFP/Getty Images

Can the internet be saved without harming democracy?

A new report wants to foster a digital age underpinned by human rights and calls for greater transparency from global giants. But will we ever trust the internet?

Julia Powles

Citizens of the internet: here is some welcome news. Your downtrodden digital rights might be getting a well-overdue booster shot. But it comes with some warnings.

This week in the Hague, a high-level group of 29 internet policymakers and influencers – including prominent ex-US and UK security and intelligence officials Michael Chertoff, Joseph Nye, Melissa Hathaway and David Omand – issued a clarion call for the protection and promotion of human rights online. Self-styled the Global Commission on Internet Governance, the group made this call as part of the broader objective of restoring trust and confidence in the internet.

Championing our fundamental human rights to privacy and personal data protection, the commission affirmed the need for strong encryption and other privacy-enhancing technologies, while completely rejecting government“backdoors” on communications platforms – on the basis that digital communications “should be inherently considered private between the intended parties”.

This clear and unambiguous statement is a mature recognition of both the environmental and legal reality: if we weaken security, even for the ostensibly “good” guys, we leave communications wide open for the bad guys, too. And while the UK Intelligence and Security Committee would prefer it otherwise, generic intrusion on our private communications, thoughts and papers has no precedent in the law of this land – and so it must stay.

The commission didn’t stop with just proposing measures to rein in unjust government surveillance that lacks necessity and proportionality, backed up by robust, independent oversight and the stick of appropriate redress and effective remedies for breach.

They insisted that companies, too, must be much more transparent and restrained in their use of data, offering users full and detailed information and real and informed choices, particularly in relation to the trade-offs inherent in “free” services – “often a guise for a kind of private surveillance in the service of ‘big data’,” the report states. This dual focus, on the dangers of both government and corporate surveillance, is refreshing and essential.

A new normative framework underpinned by human rights

The commission’s 18-page report is the first coordinated output from this group that was established 15 months ago by British and Canadian think-tanks, Chatham House and the Centre for International Governance Innovation, and chaired by ex-Swedish foreign minister, Carl Bildt. It precedes a final report anticipated for early 2016, and accompanies some 14 independent papers of varying quality, commissioned on different related topics over the past year.

The report is an important advance because it considers and balances the need for citizen confidence in digital communications and services, while at the same recognising our shared interest in law enforcement and targeted surveillance.

As a result of this, it comes out firmly on the side of transparency, accountability, restraint, and the primacy of human rights.

“The obligation of states to protect and promote rights to privacy and freedom of expression are not optional,” the report states. “Even if they are not absolute rights, limitations to these rights, even those based on national security concerns, must be prescribed by law, guaranteeing that exceptions are both necessary and proportionate. Governments should guarantee the same human rights protection to all individuals within their borders.”

The report is also attuned to the more insidious aspects of private commercial surveillance, recognising, for example, that the evolving internet of things poses unprecedented challenges for privacy and security and must proceed with transparency, accountability, and clear legal bases for data collection and use.

“Personal data protection regulations are mostly not yet suited to the complexity of the digital age,” the authors write, “for example, by not adequately regulating the extensive secondary use of personal data or ensuring the transparency of exceptions to privacy for sovereignty and national security purposes.”

Social compacts, multistakeholderism and other illusions

The group’s overall ambition is to articulate and advance a strategic vision on the polarising and widely-misunderstood topic of internet governance.

Narrowly conceived, internet governance concerns internet-native bodies, such as ICANN (the private company with a monopoly on domain name distribution and regulation) and IETF (an internet standards body).

But more broadly, internet governance is the biggest geoeconomic and geopolitical battlefield you’ve never heard about â€“ dictating the rules, emperors, winners and losers of our online lives, fortunes and destinies. And it is politically fraught, because both in its narrow and broad incarnations, internet governance is undeniably dominated by one state’s security and economic interests: the United States.

The subtext of the report – and where some hazards may lie – is a general push for what is termed the multistakeholder model of internet governance. This is a neoliberal concept that has taken hold in this peculiar, captured domain of international relations, and which brings corporations to the table with the governments that are supposed to regulate them.

The report pushes what it calls a “social compact” – an invented term, not the philosophical concept of old. It reflects the frightening prospect that the new age bonds of society are not between citizens and states, but between citizens (likely, in the imagining of its proponents, to be self-employed cheap workers of the “sharing economy” and other fabricated markets) and a nebulous “community” of “stakeholders”.

In plain English: between us, and near-stateless global giants like Google, untethered from terrestrial law and infrastructure, and running the ultimate monopoly machine.

While the stakeholders of such compacts vary (in this report, bizarrely, the judiciary is included, despite independence being a judge’s first and most important hallmark), the constant is business, propped up by civil society, the “technical community” and academics – with governments always in a subordinate role (because of the constant spectre, whether justified or fantastical, of dictatorial and repressive regimes somehow overreaching their boundaries).

Some of the props in these communities are fiercely independent, tireless voices for good and great causes. But many others, whether knowingly or naively, are just another front for business interests. And the 150-odd countries that probably have some interests, between China/Russia on the one hand, and the US and its allies on the other? They are forgotten.

Will “trust” save the internet?

The commission’s report is excellent in many respects. It advances what it terms a normative framework for privacy and security, and provides sensible details and strong baselines. The report is supported by some very informative and originalsurvey work, showing the extent of public concern about government and corporate surveillance. But to make the content meaningful, there needs to be more consideration given to the premise and proposed mechanisms for action and reform.

Trust and confidence are an odd premise on which to advance this report. Think about these traits. They are fickle and human. Hard to gain and easy to lose, they are attributes of people, acquired by lifetimes of experience and the manifold clues embedded in our social fabric.

But machines, entities, infrastructure and artefacts – these are not things we trust. They are things we use, tolerate or begrudgingly accept, with varied levelsof reflection and knowledge.

We don’t want our corporations and security agencies fickle and fallible. Trust and confidence take hard work, time and evidence. They must be earned. And they will be earned by obeying laws, respecting and promoting human rights, and cracking down and remedying profligate corporate and government behaviour without fear or favour.

The concerns expressed here with multistakeholderism are sounded as a general warning about the neoliberal directions in which it takes us, rather than a dismissal of the promising and important content of the commission’s report.

The report is at least sensitive to the need to keep all players – whether corporate or state – accountable, within the law, and responsive to a greatly enhanced set of tech norms and ethics, a point championed in particular by the group’s tech-savvy Dutch Liberal MEP Marietje Schaake.

However, it is a worry that the report does not even consider the mechanisms by which an international and social consensus might be achieved on the issues being addressed. The social compact may be advanced pragmatically, becausebetter alternatives are not considered feasible or reachable. But the concern is that, by appealing to what is, in effect, self-regulation, the compact will become a diluted pacifier, and a ceiling, rather than a floor.

The document should be seen as a challenge: by whatever mechanism it is achieved, it outlines exactly the sorts of major behavioural changes we require, both from state intelligence agencies and from multinational companies, if we are really going to save the internet.

Crime, hacking and being monetised – what worries citizens

The CIGI-Ipsos Global Survey on Internet Security and Trust is based on 23,326 internet users, drawn from 24 countries and polled over 36 days in October-November 2014. It found that:

• 74% were concerned about companies monitoring online activities and then selling that information for commercial purposes
• 77% were concerned about hacking of personal accounts
• 78% were concerned about personal financial cybercrime
• 61% were concerned about domestic government surveillance
• 62% were concerned about foreign government surveillance
• 72% want their online data and personal information to be physically stored on a secure server in their own country
• 64% had an enhanced degree of concern about their online privacy in the year following the Snowden revelations

404 — SONY warns media outlets and Wikileaks: Don't publish my shit!

Sony Pictures Entertainment is warning news media outlets that WikiLeaks’s posting of emails and documents stolen from Sony does not make them fair game. â€œWikiLeaks is incorrect that this Stolen Information belongs in the public domain, and it is, in many jurisdictions, unlawful to place it there or otherwise access or distribute it,” David Boies, a SONY legal representative said. On Thursday, WikiLeaks renewed interest in last November’s cyberattack on Sony by posting an indexed, searchable archive of material taken in the hack. WikiLeaks said it was justified in posting the material because it chronicles the inner workings of an international corporation with extensive business and government connections but Mr. Boies warned news organizations about possessing or reproducing the stolen material. So far, he has not filed any lawsuits. The hack by North Korea strangely mirrors the cyber-attacks from North Korea that I dramatize in my latest novel, 4o4 - A John Decker Thriller, about the surveillance state, just out from Cornucopia Press. Pick up your copy from Amazon today! And check out this news story from The New York Times.

Sony Studio Renews Warning After WikiLeaks Posts Stolen Data

By MICHAEL CIEPLY

LOS ANGELES — David Boies, a lawyer for Sony Pictures Entertainment, began warning news media outlets on Friday that WikiLeaks’s posting of emails and documents stolen from Sony does not, in the media giant’s view, make them fair game.

“WikiLeaks is incorrect that this Stolen Information belongs in the public domain, and it is, in many jurisdictions, unlawful to place it there or otherwise access or distribute it,” Mr. Boies wrote in a letter that was prepared for distribution to outlets that post or publish the material.

On Thursday, WikiLeaks renewed interest in last November’s cyberattack on Sony by posting an indexed, searchable archive of material taken in the hack. WikiLeaks said it was justified in posting the material because it chronicles the inner workings of an international corporation with extensive business and government connections.

Mr. Boies had warned news organizations about possessing or reproducing the stolen material; but he appears so far not to have filed lawsuits against those who ignored his warnings.

In his new letter, Mr. Boies cited federal copyright and computer fraud laws in warning against use of the material, now posted by WikiLeaks. “Many other countries have similar, if not more stringent, laws applicable to this situation,” the letter added.

Since the WikiLeaks post, Gawker, The Wrap and others have posted accounts of material freshly culled from the Sony files.

404 — Conservative think tank American Enterprise and Norse think Iran is ramping up cyber-attacks while Cylance says the opposite

While Norse and the right-wing American Enterprise Institute believe Iran has been ramping up its online attacks of U.S. systems, others like Cylance believe the Iranians have actually been toning them down during recent nuclear negotiations with the U.S. The Cylance analysis makes more sense to me. And, frankly, I'm glad the Iranians took down Sheldon Adelson's casinos for a time. I can't stand that interfering billionaire who has made his fortune by exploiting the gambling addictions of millions. The Iranians appear to be behind several cyber-attacks in my most recent novel, 4o4 - A John Decker Thriller, about the surveillance state, just out from Cornucopia Press. Pick up your copy from Amazon today! Meantime, check out this piece from The New York Times.

The Las Vegas Sands and billionaire Zionist Sheldon Adelson were "owned" by Iranian hackers when they took down his casino's servers last year.

Iran Is Raising Sophistication and Frequency of Cyberattacks, Study Says

By DAVID E. SANGER and NICOLE PERLROTH

WASHINGTON — In February, a year after the Las Vegas Sands was hit by a devastating cyberattack that ruined many of the computers running its casino and hotel operations, the director of national intelligence, James R. Clapper Jr., publicly told Congress what seemed obvious: Iranian hackers were behind the attack.

Sheldon G. Adelson, the billionaire chief executive of Sands, who is a major supporter of Israel and an ardent opponent of negotiating with Tehran, had suggested an approach to the Iran problem a few months before the attack that no public figure had ever uttered in front of cameras.

“What I would say is: ‘Listen. You see that desert out there? I want to show you something,’ â€ Mr. Adelson said at Yeshiva University in Manhattan in October 2013. He then argued for detonating an American nuclear weapon where it would not “hurt a soul,” except “rattlesnakes and scorpions or whatever,” before adding, “Then you say, ‘See, the next one is in the middle of Tehran.’ â€

Instead, Tehran directed an attack at the desert of Nevada. Now a new study of Iran’s cyberactivities, to be released by Norse, a cybersecurity firm, and the American Enterprise Institute, concludes that beyond the Sands attack, Iran has greatly increased the frequency and skill of its cyberattacks, even while negotiating with world powers over limits on its nuclear capabilities. [NOTE: Please consider the source. The American Enterprise Institute (like the Cato) is a very conservative, right-wing think tank. They have a horse in this race, clearly. ED]

“Cyber gives them a usable weapon, in ways nuclear technology does not,” said Frederick W. Kagan, who directs the institute’s Critical Threats Project and is beginning a larger effort to track Iranian cyberactivity. “And it has a degree of plausible deniability that is attractive to many countries.”  [NOTE: This is exactly the logic used by George W. Bush when he authorized the development of Stuxnet by the NSA (with Israel's Unit 8200), the computer virus that disabled many Iranian centrifuges at Natanz. ED]

Mr. Kagan argues that if sanctions against Iran are suspended under the proposed nuclear accord, Iran will be able to devote the revenue from improved oil exports to cyberweapons. But it is far from clear that that is what Iran would do.

When Mr. Clapper named Iran in the Sands attack [NOTE: General Clapper is the NSA head who lied to Congress about the government's mass domestic surveillance program. ED], it was one of the few instances in which American intelligence agencies had identified a specific country that it believed was using such attacks for political purposes. The first came in December, when President Obama accused North Korea of launching a cyberattack on Sony Pictures. Other United States officials have said that Iran attacked American banks in retaliation for sanctions and that it destroyed computers at the oil giant Saudi Aramco in retaliation for the close Saudi ties with the United States.

The evidence from the Norse report, along with analyses by American intelligence agencies, strongly suggests that Iran has made much greater use of cyberweapons over the past year, despite international sanctions. The attacks have mostly involved espionage, but a few, like the Sands attack, have been for destructive purposes.

In the report, to be released Friday, Norse — which, like other cybersecurity firms, has an interest in portraying a world of cyberthreats but presumably little incentive in linking them to any particular country — traced thousands of attacks against American targets to hackers inside Iran.

The report, and a similar one from Cylance, another cybersecurity firm, make clear that Iranian hackers are moving from ostentatious cyberattacks in which they deface websites or simply knock them offline to much quieter reconnaissance. In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks.

But Norse and Cylance differ on the question of whether the Iranian attacks have accelerated in recent months, or whether Tehran may be pulling back during a critical point in the nuclear negotiations.

Norse, which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods, insists that Iranian hackers have shown no signs of letting up. Between January 2014 and last month, the Norse report said, its sensors picked up a 115 percent increase in attacks launched from Iranian Internet protocol, or I.P., addresses. Norse said that its sensors had detected more than 900 attacks, on average, every day in the first half of March.

Cylance came to a different conclusion, at least for Iran’s activities in the past few months, as negotiations have come to a head. Stuart McClure, the chief executive and founder of Cylance, which has been tracking Iranian hacking groups, said that there had been a notable drop in activity over the past few months, and that the groups were now largely quiet. [NOTE: This makes more sense to me. Why rock the boat when you're negotiating? ED]

American intelligence agencies also monitor the groups, but they do not publicly publish assessments of the activity. Classified National Intelligence Estimates over the past five years have identified Russia and China as the United States’ most sophisticated, and prolific, adversaries in cyberspace.

However, American officials have said that Iran and North Korea concern them the most, not for their sophistication, but because their attacks are aimed more at destruction, as was the case with the attack on Sony Pictures. In addition to the Sands attack last year — about which Mr. Clapper gave no detail in public — Iran has been identified as the source of the 2012 attack on Saudi Aramco, in which hackers wiped out data on 30,000 computers, replacing it with an image of a burning American flag.

American intelligence officials say Iran’s most sophisticated hackers are limited in number, but work for both front companies and the government. The officials are concerned that as destructive attacks become more frequent, the temptation will rise to launch attacks on what the government calls “critical infrastructure,” like railways, power grids or water supplies.

Cylance researchers, for example, noted that Iranian hackers were using tools to spy on and potentially shut down critical control systems and computer networks in the United States, as well as in Canada, Israel, Saudi Arabia, the United Arab Emirates and a handful of other countries. Their targets have included a network that connects Marines and civilians across the United States, as well as networks of oil companies and major airlines and airports.

Norse’s researchers also noted attacks from Iran that were directed at so-called Scada systems — short for supervisory control and data acquisition systems — like the kind that the United States and Israel attacked at Iran’s nuclear enrichment center in Natanz, using code that caused about 1,000 centrifuges to self-destruct.

That strike, often referred to as the Stuxnet attack, may have inspired the Iranians to begin a cycle of retaliation, a recently disclosed memo from Edward J. Snowden’s trove of National Security Agency documents indicates. Norse says it saw evidence that Iranian hackers probed the network of Telvent, a company now owned by Schneider Electric that designs software to allow energy companies and power grid operators to control their valves and switches from afar.

The company’s systems were breached by Chinese military hackers in 2012. Two years later, Norse said, it witnessed 62 attacks, in a span of 10 minutes, from an I.P. address in Iran on a Telvent system that provides the foundation for all of the company’s Scada infrastructure.

“This activity,” Norse researchers wrote, “might be interpreted as an Iranian effort to establish cyberbeachheads in crucial U.S. infrastructure systems — malware that is dormant for now but would allow Iran to damage and destroy those systems if it chose to do so later.”

David E. Sanger reported from Washington, and Nicole Perlroth from San Francisco.

404 & dEATH in dAVOS — Wi-Fi on planes opens door to in-flight hacking of avionics that could bring down plane

Airplane cockpit electronics are indirectly connected to the passenger cabin through shared IP networks. The connection between passenger-accessible systems and the avionics of the plane is heavily moderated by firewalls, but information security experts have pointed out that firewalls, like all software, can never be assumed to be totally infallible. In all likelihood, you would have to be on the plane to make this happen but suicide bombers can be trained. (And, I can think of a number of ways where you wouldn't even have to be aboard . . . but I won't air my ideas here for obvious reason.) In dEATH in dAVOS, my protagonist hacks a number of government and banking servers while traveling at 30,000 feet across the Atlantic, thereby "forgiving" or wiping out billions in student loans. And using this kind of WiFi penetration is something I also cover in my latest thriller, 4o4 - A John Decker Thriller, about the surveillance state, just out from Cornucopia Press. Pick up your copy from Amazon today! Meantime, check out this piece from The Guardian.

 Is in-flight internet as secure as it should be?

Wi-Fi on planes opens door to in-flight hacking, warns US watchdog

Modern aircraft increasingly connected to internet, which could potentially lead to hackers seizing control of a plane mid-flight, says GAO

Alex Hern and agencies

Hackers on commercial flights could now bring down the plane they are on by using the on board Wi-Fi, a US government watchdog has warned.

The US Government Accountability Office (GAO) does not suggest it would be easy to do but it points out that as airlines and the Federal Aviation Administration attempt to modernise planes and flight tracking with internet-based technology, attackers have a new vulnerability they could exploit.

The GAO says: “Modern aircraft are increasingly connected to the internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.”

The report highlights the fact that cockpit electronics are indirectly connected to the passenger cabin through shared IP networks. The connection between passenger-accessible systems and the avionics of the plane is heavily moderated by firewalls, but information security experts have pointed out that firewalls, like all software, can never be assumed to be totally infallible.

“Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented,” explains the office.

“According to cybersecurity experts we interviewed, internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” the report adds.

The Federal Aviation Administration does not currently verify the cybersecurity of a new airliner before certifying it for scope, although it “currently issues rules with limited scope, called Special Conditions, to aircraft manufacturers when aircraft employ new technologies where IP interconnectivity could present cybersecurity risks”.

The report praises the FAA for the steps it has taken to get its cybersecurity policies in order, but says that “opportunity exists for further action”, and particularly highlights as a cause for concern the fact that cybersecurity responsibility is split over multiple FAA offices.

A worst case scenario is that a terrorist with a laptop would sit among the passengers and take control of the airplane using its passenger Wi-Fi, said Rep. Peter DeFazio, an Oregon Democrat on the House Transportation and Infrastructure Committee who requested the investigation. [NOTE: No, the worst case is someone does this from the ground or an adjacent plane without putting themselves in jeopardy but they won't tell you that. ED]

“That’s a serious vulnerability, and FAA should work quickly” to fix the problem, DeFazio said.

The GAO released a separate report last March that determined the FAA’s system for guiding planes and other aircraft also was at “increased and unnecessary risk” of being hacked.

One area of weakness is the ability to prevent and detect unauthorised access to the vast network of computer and communications systems the FAA uses to process and track flights around the world, the report said. The FAA relies on more than 100 of these air traffic systems to direct planes.

In January 2015, the GAO praised the FAA for taking steps to protect air-traffic controllers, but warned that “significant security control weaknesses remain that threaten the [FAA’s] ability to ensure the safe and uninterrupted operation of the national airspace system”.

404 — NSA and FBI fight to retain spy powers as surveillance law nears expiration

On June 1, key provisions of the Patriot Act will expire, including the dreaded Section 215 that enables the NSA and other government agencies to perform warrantless mass surveillance on 300,000,000 Americans. DON'T LET THIS HAPPEN! Please contact your members of Congress and the President today and pen an online note telling them to let Section 215 expire. It's not just the 4th Amendment at stake here. It is the Constitution itself that's at risk. The balance of our Constitutional right to protect ourselves against unreasonable search and seizure and our cyber-security is at the heart of my latest novel, 4o4 - A John Decker Thriller, about the surveillance state, just out from Cornucopia Press. Pick up your copy from Amazon today! Meantime, check out this piece from The Guardian.

 National Security Agency Director Michael Rogers speaks in Washington DC.

NSA and FBI fight to retain spy powers as surveillance law nears expiration

• Debate reignites on Capitol Hill with Patriot Act section set to expire
• Agency representatives secretly meet with members of Congress

Spencer Ackerman

With about 45 days remaining before a major post-9/11 surveillance authorization expires, representatives of the National Security Agency and the FBI are taking to Capitol Hill to convince legislators to preserve their sweeping spy powers.

That effort effectively re-inaugurates a surveillance debate in Congress that has spent much of 2015 behind closed doors. Within days, congressional sources tell the Guardian, the premiere NSA reform bill of the last Congress, known as the USA Freedom Act, is set for reintroduction – and this time, some former supporters fear the latest version of the bill will squander an opportunity for even broader surveillance reform.

Republican leaders of the House intelligence committee arranged for NSA and FBI representatives to hold secret briefings for members of Congress on Tuesday and Wednesday. Staff did not name the officials addressing legislators.

The classified briefings come amid an unsettled surveillance debate in Congress that rushes up against an unforgiving deadline. On 1 June, Section 215 of the Patriot Act, which permits US law enforcement and surveillance agencies to collect business records, expires.

Section 215 is the authority claimed by the NSA since 2006 for its ongoing daily bulk collection of US phone records revealed by the Guardian in 2013 thanks to leaks from whistleblower Edward Snowden. While the Obama administration and US intelligence agencies last year supported divesting the NSA of its domestic phone metadata collection, a bill to do so failed in November.

But the FBI and its supporters fear that the expiration of Section 215 will cut deeper than the loss of bulk collection. The FBI is warning that it will lose access to investigative leads for domestic terrorism and espionage, such as credit card information, hotel records and more, outside normal warrant or subpoena channels.

While the briefings were not described as a platform for defending the controversial Section 215, they “offer an important opportunity to hear directly from analysts and operators who use Section 215 as part of their daily mission to protect the Nation from terrorist attacks,” according to an announcement for legislators sent by intelligence committee chairman Devin Nunes and Georgia Republican Lynn Westmoreland and obtained by the Guardian.

Civil-libertarian members who attended left unsatisfied.

“Our questions about constitutionality and legality were answered with statements of efficacy. We said, ‘How can this possibly be legal?’ and they would say, ‘this program works great, here’s how it’s helping us catch terrorists,’” Representative Thomas Massie, a Kentucky Republican, told the Guardian.

Yet with Section 215’s lifespan now stretching to a matter of weeks, supporters of broad surveillance powers have yet to put forth a bill for their preservation – evidence, opponents believe, that the votes for reauthorization do not exist, particularly not in the House of Representatives.

Members of the intelligence and judiciary committees in both chambers are still negotiating behind closed doors to determine the shape of a vehicle to reauthorize 215. A spokeswoman for Senator Richard Burr, the North Carolina Republican who leads the Senate intelligence committee, had no information to offer on Tuesday. Senator Dan Coats, an Indiana Republican, left an afternoon intelligence committee meeting saying the shape of a reauthorization was under “ongoing discussion”.

A different congressional source said Senate GOP leadership was “clinging to the pipe dream” of a straight reauthorization.

More likely, according to a multiple Hill sources, is a different option under consideration: making the major NSA reform bill of the last Congress the point of departure for reauthorizing 215 in the current one.

That bill, the USA Freedom Act, passed the House in May 2014 before narrowly failing in November in the Senate. Belatedly, the White House endorsed it, after seeing it had a greater chance of passage than any pro-NSA alternative. Yet the House version lost substantial civil-libertarian support after the intelligence agencies and House leadership weakened its surveillance restrictions, including its central prohibition on the bulk collection of domestic phone records.

Advocates of the bill in both congressional chambers, including its original architects, have been laboring for eight weeks in marathon negotiations to revive the USA Freedom Act. The revived bill would extend the expiring provisions of the Patriot Act for a still-undetermined number of years – essentially staking out the center of the 2015-era surveillance debate for a bill that would take NSA out of the domestic bulk-collection business.

Advocates believe they are close enough to agreement that reintroduction could come as early as Thursday and would move through the judiciary committees.

But several privacy activists inside and outside Congress consider the USA Freedom Act insufficient.

The bill would not abridge NSA collection of Americans’ international communications, nor prevent the NSA or the FBI from warrantlessly searching through its troves of them for Americans’ identifying information. Nor would it restrict a constellation of surveillance efforts authorized by a Reagan-era executive order. Even a recently disclosed bulk domestic phone records collection dragnet by the Drug Enforcement Agency would be untouched.

“We should be demanding more reforms than the intelligence agencies are gladly willing to offer us,” said David Segal of the activist group Demand Progress.

Last month, Massie co-sponsored a bill introduced by Wisconsin Democrat Mark Pocan going much further. The Surveillance State Repeal Act would repeal the entire Patriot Act and a landmark 2008 expansion of the Foreign IntelligenceSurveillance Act. As well, the bill carries protections for national-security whistleblowers against retaliation and makes probable cause the basis for foreign-intelligence surveillance of an American or someone on US soil.

But the bill, with only ten current co-sponsors, faces questions about its viability, which even Massie concedes.

“It’s very long odds, but it’s a statement about what needs to happen. It’s a stronger Freedom Act that’s not going to get watered down,” Massie said.

After the NSA briefing on Tuesday, Massie said he sees a “tremendous opportunity” for surveillance reform, and said he thinks the newest members of Congress are likely to determine the fate of the expiring Patriot Act provisions.

“A lot of it is going to hinge on the freshmen. Right now, as far as I can tell, the select intelligence committee is making a real strong play to persuade the freshmen that all of these public concerns are overblown,” Massie said.

Ben Jacobs in Washington contributed reporting.

dEATH in dAVOS — Private jets and cushy dorms: colleges indulge the 1% as inequality deepens

Here's a mind-boggling piece about the services of which the offspring of the 1% can avail themselves when they go to college. None of this was available in my day (back in the 1970s, when Amherst College cost around $7K-$10K/year; now it's $63K). The level of income disparity is shocking today, which is why I feature this debate in the novel I just finished writing, dEATH in dAVOS.

 Colleges have not been immune to deepening inequality.

Private jets and cushy dorms: colleges indulge the 1% as inequality deepens

Forget your father’s station wagon – some students spend $14,000 on ‘application boot camp’ before flying between luxurious campuses

Suzanne McGee

For college seniors, spring brings college acceptance letters – and financial aid packages, full of forms to fill out. For college juniors, it’s the season to visit those institutions they dream of attending 18 months from now, to talk to admissions officials and tour the campuses.

Of course, for those lucky enough to be in the top 1% of wealthy Americans, the whole process will be infinitely easier.

Even the endless process of visiting one campus after another – an arduous ritual in many families – is turned into a smooth process for those able to write a check for the equivalent of a year’s tuition at some top-notch colleges. Magellan Jets is offering “1%” families a special college tour package: 10 Hour Jet Cards for $43,500, entitling buyers not only to 10 hours of private jet time but to the help of the company’s logistics team to organize a customized itinerary and arrange car service at your destinations. (Those car trips will include guided tours of the local town, if you’ve got the time.)

Once you’ve finished a visit, the company will leave notepads at your seat for you to jot down your thoughts – and then condense the fruits of all those notations in a summarized overview of your visits for you. Oh, and if you’re interested in athletics, Magellan promises to arrange a meet and greet “with high profile alumni”.

It’s not quite your father’s station wagon.

We’ve become accustomed to the idea that we need to find ways to improve primary and secondary education, giving very smart and highly motivated kids like the young Sonia Sotomayor (today, a supreme court justice; in the 1960s, the daughter of a single mother living in the housing projects in the Bronx) a way to move from the economic and social margins of American society to the mainstream.

But as the wealth gap has widened steadily, to the point where the median net worth of upper-income families is nearly seven times that of a middle-class household, and 70 times what a family like Sotomayor’s might earn today, according to a report from the Pew Research Center, the college experience is mirroring that. The 1% may fly on private jets to check out prospective campuses – including some where their parents may have made substantial donations to build computer labs, athletic facilities or other facilities, turning them into so-called “development applicants” and giving them a leg up. For some members of the bottom 1%, whose family budget may not even stretch to a bus ticket, the first time they visit a college campus may be the day they arrive to register and move into their dorms, long after they have been accepted.

Naturally enough, the money race starts with the application process itself. A member of the 1% can pay $14,000 or so to participate in a four-day “application boot camp” sponsored by an admissions counseling firm whose charges run up to the equivalent of a year’s tuition.

It’s true that most top-tier universities want diversity, and will actively seek out members of – well, let’s call them the bottom 1% – to balance their student body and to ensure that the best and the brightest have access to a great education. We may well applaud moves by colleges with big endowments, like Stanford, to make their education more affordable by offering full tuition. Indeed, Stanford just announced that anyone whose family income or assets fall below $125,000 won’t have to pay a dime in tuition; those making less than $65,000 will get free room and board as well.

After taking a few moments to ponder the irony that $125,000 – a decidedly middle-class income – is now “poor” enough to get you a free ride at Stanford, while Princeton doesn’t charge tuition if your family makes less than $140,000, let’s consider what the university experience is like for members of the two extremes – both the upper and lower 1%.

Many universities have rushed to install amenities for the top tier, knowing that it’s one way to compensate for the lack of an Ivy League name. Princeton can get away with its ho-hum dorm rooms – they were never designed to be luxurious. Woodrow Wilson, when he was president of the university, tried to combat the “us versus them” mindset that he saw luxurious off-campus eating clubs as fostering, and deliberately built modest, basic dormitories. But elsewhere? These days, it seems, the sky is the limit when trying to appeal to the top 1%.

You can see the arms race most clearly in dorm rooms, rather than in academics. Imagine a cafeteria that dishes up tortellini with walnut pesto sauce, a climbing wall and a “bouldering cave”, a fireside lounge, tanning facilities, an Olympic-sized lap pool and, ahem, “spherical nap pods”.

Some of the new amenities aren’t even necessary. Wichita State built a new $65m residence hall, complete with all kinds of technology, at the heart of the campus. It costs nearly twice as much to live there as it does to live in older dorms – which have vacancies. So why build it? Because students want more, and they and/or their parents will pay more to get it.

It isn’t just the universities that are catering to this top 1% demographic. Private developers have woken up to the fact that parents sending their children away to college want them to live with the comforts of home, and in smaller communities, like Columbia, Missouri (home to three separate universities), they are racing to build luxury apartments – and offering video game rooms, theater rooms, golf simulators and “the most over the top amenities”. Some students actually figure they probably won’t bother going to classes, and just treat their college experience as a vacation, even as the community itself worries about the lack of affordable housing for year-round citizens and working families.

And if you’re the upper 1%, of course, you can have access to a personal concierge, just as if you lived at the Pierre or the Ritz. The same demographic who tour their prospective colleges by personal jet can have their concierges decorate their dorm rooms, get hold of tickets to concerts or sporting events, or arrange parties – a phenomenon that didn’t even exist a few years ago.

Meanwhile, the bottom 1%, too, is starting to be heard, at last. For this group, college has never been easy. Not being able to afford textbooks meant that some freshmen or sophomores always were behind their peers – however hard they studied. Juggling jobs and a heavy course load reduce the odds that they’ll do well in school – and even if they aren’t paying tuition, they still have to find a way to live in costly cities. And few colleges are as generous in offering full tuition packages as Stanford and Princeton are.

For the bottom 1%, a college diploma is supposed to be their ticket to the top 1% – or at least, to the top 10%. But in a recent op-ed in the Columbia Spectator, a first-year Columbia University student bluntly laid out the reality of being a member of the bottom 1%, living in an environment dominated by the top 1%, with their casual assumptions.

“What was once a straightforward concept of upward mobility is no more,” the author writes. It has been replaced by “upward friction”, as “the answer many low-income students get when discussing their struggles is ‘work harder’.”

While their affluent peers enjoy the rock-climbing walls and personal butlers, some members of the bottom 1% literally wonder where they’ll be sleeping at night, or where their next meal is coming from. One student posted on the Columbia University Class Confessions Facebook page about tradeoffs like losing an hour’s pay to meet with a professor – only to have the professor forget to show up.

The big tuition checks that the top 1% are writing may be helping to subsidize the ability of the bottom 1% to attend college at all, but telling the latter group “just be glad you’re here; now, figure it out”, doesn’t seem like the right approach, even as colleges and private companies bend over backwards to accommodate their wealthier peers. Just offering families more ways to save for college expenses, and suggesting that they save more, isn’t enough: college costs are rising too rapidly and total student debt now has topped $1.3tn.

Maybe we should look at what is happening in Europe, where colleges in Germany, Denmark and Sweden offer free college tuition. Of course, it comes without frills. There are no lavish dorms, no lap pools. And there’s no bottom 1%, worrying about where they’ll sleep.

404 — Another fine piece about Stingrays and other tech the feds are using to spy without warrants

Here's another fine piece by Trevor Timm of The Guardian about Stingrays and other techniques and technologies the feds are using to spy on us without warrants or probable cause. This kind of surveillance is at the heart of my latest novel, 4o4 - A John Decker Thriller, about the surveillance state, just out from Cornucopia Press. Pick up your copy from Amazon today. 

 When will the government stop listening in to our conversations?

The government hides surveillance programs just because people would freak out

Government agencies will go to great lengths to keep their data collection a secret, strictly to avoid the bad press they know would be coming

Trevor Timm

Want to see how secrecy is corrosive to democracy? Look no further than a series of explosive investigations by various news organizations this week that show the government hiding surveillance programs purely to prevent a giant public backlash. 

USA Today’s Brad Heath published a blockbuster story on Monday about the Drug Enforcement Administration (DEA) running a massive domestic spying operation parallel to the NSA’s that was tracking billions of international calls made by Americans. They kept it secret for more than two decades. According to the USA Today report, the spying program was not only used against alleged terrorist activity, but countless supposed drug crimes, as well as “to identify US suspects in a wide range of other investigations”. And they collected information on millions of completely innocent Americans along the way.

Heath’s story is awash with incredible detail and should be read in full, but one of the most interesting parts was buried near the end: the program was shut down by the Justice Department after the Snowden leaks, not because Snowden exposed the program, but because they knew that when the program eventually would leak, the government would have no arguments to defend it.

The justification they were using for the NSA’s program - that it was only being used against dangerous terrorists, not ordinary criminals - just wasn’t true with the DEA. The public would clearly be outraged by the twisted legal justification that radically re-interpreted US law in complete secrecy. “They couldn’t defend both programs”, a former Justice Department official told Heath. The piece also reveals that Attorney General Eric Holder “didn’t think we should have that information” in the first place, which is interesting because Holder was one of the first Justice Department officials to approve the program during the Clinton administration. It’s nice he came to his senses, but if the program never risked going public, would he have felt the same?

There are many other surveillance programs the government is desperate to keep hidden. Consider Stingray devices, the mini fake cell phone towers that can vacuum up cell phone data of entire neighborhoods at the same time and which are increasingly being used by local cops all around the country. The Associated Press reported this week that the Baltimore police have used these controversial devices thousands of times in the course of ordinary investigations and have tried to hide how the devices are used from judges.

The lengths to which the FBI will go to keep these devices secret from the public is alarming. As a Guardian investigation detailed on Friday, the FBI makes local police that use them sign non-disclosure agreements, and goes as far as to direct them to dismiss charges against potential criminals if the phone surveillance will be exposed at trial (as is required by due process rights in the Fifth Amendment).

The AP recounted this extraordinary courtroom exchange about the non-disclosure agreements that took place between a defense attorney and a Baltimore detective:

“Does it instruct you to withhold evidence from the state’s attorney and the circuit court of Baltimore city, even if upon order to produce?” asked defense attorney Joshua Insley.

“Yes,” Cabreja replied, saying he spoke with the FBI last week about the case.

Why is the FBI going so far as to ignore judges’ court orders and basically obstruct justice? The government has claimed in the past that it doesn’t want what director Jim Comey refers to as “bad people” finding out how this technology works. But the details are widely available online, and have been reported on in detail by virtually every major news organization. It’s more likely that the FBI is trying to prevent the inevitable fallout when they have to admit that they are sucking up the cell phone information of thousands of innocent people - and the fourth amendment challenges that would follow.

If the government wants to use mass surveillance techniques against the public, that should be up to the public, not a decision made in secret knowing ordinary Americans would freak out if they found out.

404 — FBI forces local cops to keep Stingray phone listening devices secret even if it means flouting judges

Check out this interesting piece from Al Jazeera about how the feds are fighting tooth and nail to keep certain surveillance techniques and technologies secret, even if it means local courts/judges must drop cases and let criminals walk. What you don't know WILL hurt you, if you give a fig about privacy and your 4th Amendment protections against unreasonable search and seizure. These are exactly the issues I cover in my latest novel, 4o4 - A John Decker Thriller, about the surveillance state, just out from Cornucopia Press. Pick up your copy from Amazon today.

Police want to keep surveillance tech secret

Time for law enforcement to come clean on how stingrays spy on Americans’ cellphones

by Joshua Kopstein   @zenalbatross

If you use a cellphone and live in one of these 20 states, there’s a decent chance police have spied on you using a secretive mass surveillance tool called a stingray. But good luck finding out. Because if there’s one thing we know for sure about these devices, it’s that the federal government is fighting tooth and nail to stop you from ever learning anything about them.

Stingrays (also known as cell-site simulators, IMSI catchers and dirtboxes) are devices that identify and track cellphones en masse by acting like fake cell towers, fooling all nearby phones into connecting to them. Last year documents obtained through the Freedom of Information Act revealed that the Federal Bureau of Investigation is requiring state and local police departments to sign nondisclosure agreements before obtaining the devices. But the details of those secret agreements were always completely redacted.

That is until earlier this week, when the ACLU released new stingray documents, including an agreement between the FBI and police in Erie County, New York. It confirms what privacy advocates have suspected: The federal government is intervening at the state and local level to hide information about stingrays at any cost — even when it means withholding evidence or dropping criminal cases.

The agreement bars the Erie County Sheriff’s Office from making any public statements about stingrays and says it must call the FBI to intervene whenever a public records request or court order compels the county to reveal any information about the technology. The accord even says the department must be willing to drop cases, explicitly directing police to “seek dismissal of the case in lieu of using or providing or allowing others to use or provide any information concerning [stingrays]” at the FBI’s request.

That’s right: The FBI is commanding local cops to ignore court orders and sabotage criminal cases rather than reveal information about stingrays.

Other police departments are apparently under the same mandate. In incredible testimony on Wednesday, a Baltimore police detective admitted in court that the FBI has instructed the city’s police to disobey court orders that seek information about stingrays, which he said the department has used 4,300 times since 2007. In a previous case, Baltimore prosecutors threw out evidence after a judge threatened to hold an officer in contempt for refusing to explain how a stingray was used to catch the defendant. And in Florida, a defendant was let off with six months of probation for armed robbery — an offense normally carrying a minimum sentence of four years — again so that police wouldn’t have to tell the court how they used a stingray in the bust.

These are just a few Kafkaesque examples of the extreme measures police have taken to prevent the public from finding out about stingrays. Last year documents requested by the ACLU of Florida were seized by U.S. marshals at the FBI’s behest just hours before they were scheduled to be released under a court order.

If telling the public how a technology works makes that technology useless, maybe it’s not worth sinking millions of taxpayer dollars into it in the first place. 

The underhanded tactics are chilling, given that police rarely seek court approval for using this technology. In Erie County, police obtained a court order (which has a lower standard of proof than a warrant) only once out of the 47 times a stingray was used from May 2010 to October 2014. Even then, cops have knowingly deceived courts about their use of stingrays at the direction of federal agencies, misleadingly calling the device a “confidential source.” This is a widespread tactic known as parallel construction, in which police use secret and legally dubious means to spy on suspects, then create false narratives about how the evidence was obtained.

What could be so important that it excuses withholding evidence, lying to judges and dropping criminal charges?

According to the FBI’s agreement with the Erie County Sheriff’s Office, revealing any information about stingrays would be catastrophic. “Disclosure could result in the FBI’s inability to protect the public from terrorism and other criminal activity,” the bureau claims, “because through public disclosures, this technology has been rendered essentially useless for future investigations.”

First, if using a stingray means letting suspects off the hook to protect its secrets, the technology is already useless. Second, if telling the public how a technology works causes that technology to be “rendered essentially useless,” maybe it’s not something worth sinking millions of taxpayer dollars into in the first place.

It’s not as if we don’t already have a general idea of how these devices work. The Florida-based Harris Corp., which based them on devices it originally produced for the U.S. Navy, sells its trademarked StingRay and its successors, the Hailstorm and StingRay II, for up to $400,000 per unit. Similar equipment can be built for only a few hundred dollars and has been shown off at hacker conferences for years; researchers have even created a way to detect stingrays and similar devices using an app.

Any other countermeasures that might be used against stingrays (for instance, using burner phones or paying with cash) have long been known to criminals and haven’t stopped cops from catching them. Nor has it stopped police from spying on countless innocent bystanders inevitably caught in the devices’ dragnets.

Allowing cops to flout the rule of law to conceal technology that has such dire privacy implications only undermines the police’s credibility. The public deserves to know which police departments and agencies have stingrays, when and how often they’re used and why.

Hopefully, more judges will begin realizing that the government’s desperate efforts to hide stingrays are about shielding them from public ire, not from criminals and terrorists. In stubbornly guarding this information, the only thing police are protecting stingrays from is the legal and constitutional scrutiny they have long and urgently needed. 

404 — Amnesty International, Liberty and Privacy International challenge Britain's GCHQ over surveillance

Amnesty International, Liberty and Privacy International filed a legal complaint with the court today. These are exactly the issues I wrestle with in my latest novel, 4o4 - A John Decker Thriller, about the surveillance state, just out from Cornucopia Press. Pick up your copy from Amazon today! Meantime, check out this piece from the BBC.

The human rights groups claim Britons' human rights have been broken by GCHQ's surveillance

European court challenge to UK surveillance

Rights groups have asked the European Court of Human Rights to rule on the legality of the UK's large-scale surveillance regime.

BBC

Amnesty International, Liberty and Privacy International filed a legal complaint with the court today.

The scale of the surveillance carried out by GCHQ has been revealed by US whistleblower Edward Snowden.

A similar legal challenge mounted in the UK last year saw judges rule that the spying did not breach human rights.

Secret court

"The UK government's surveillance practices have been allowed to continue unabated and on an unprecedented scale, with major consequences for people's privacy and freedom of expression," said Nick Williams, legal counsel for Amnesty in a statement.

The three organisations claim that the surveillance carried out by GCHQ breaches the European Convention on Human Rights that enshrines certain freedoms in law.

The surveillance carried out by GCHQ has been subject to a series of legal challenges since National Security Agency documents provided by Edward Snowden started to appear in the media.

In December, the Investigatory Powers Tribunal that oversees the work of the intelligence services ruled that GCHQ's spying did not violate Britons' human rights and was a legitimate way to gather intelligence.

In February, a separate ruling by the IPT found that the spy agency's surveillance programme was unlawful because the processes governing how GCHQ gathered and shared information were not public enough.

Amnesty acknowledged these rulings in its statement but said the "secretive" nature of IPT hearings meant there was little transparency about the way GCHQ was being policed. This, it said, undermined the faith people had in official oversight of the agency.

Information that had come to light in the last 12 months showed, said Amnesty, that there were flaws in the oversight system. One revelation concerned arrangements GCHQ has with its US counterparts to get at data it would be difficult for the UK agency to get permission to acquire.

There were also loopholes in UK laws governing surveillance being exploited by GCHQ to expand its spying abilities, it said.

In a statement, a GCHQ spokesperson said: "We completely reject the assertions made in the press release from Amnesty International and others, which do not reflect the judgments of the Investigatory Powers Tribunal.

"The IPT was clear in its December judgment that the legal regime is lawful, and that GCHQ does not seek to carry out mass surveillance, "added the spokesperson. "The government will be vigorously defending this case at the European Court of Human Rights."

404 & dEATH in dAVOS — Europol kills off shape-shifting 'Mystique' malware

Shapeshifting malware that changes its identity up to 19 times a day to avoid detection has been deactivated by Europe's Cybercrime Centre and the FBI. At its height in September 2014 the malware, called Beebone, was controlling 100,000 computers a day. This is the kind of malware leveraged by Robin Beauvais, protagonist in the novel I've just completed, dEATH IN dAVOS, about a teen hacker who gets herself invited to the World Economic Forum in Davos, Switzerland, ostensibly to give a lecture about an app she's developed but, in reality, to kill off nefarious billionaires who use their great wealth to avoid prosecution for their evil deeds. The shape-shifting nature of the malware is also something I cover in my latest novel, 4o4 - A John Decker Thriller, about the surveillance state, just out from Cornucopia Press. Pick up your copy from Amazon today! Meantime, check out this piece from the BBC.

Like the Beebone malware, X-Men's Mystique - played by Jennifer Lawrence - morphs to take on other identities

Europol kills off shape-shifting 'Mystique' malware

By Dan Simmons

Shapeshifting malware that changes its identity up to 19 times a day to avoid detection has been deactivated by Europe's Cybercrime Centre and the FBI.

At its height in September 2014 the malware, called Beebone, was controlling 100,000 computers a day.

Criminals used it to help steal passwords and download other programs to the infected computers.

Around 12,000 victims are being asked to use new online clean-up tools to remove it.

'Mystique-like' morphing

Beebone downloaded other malware which could steal passwords and banking details

Once on a victim's computer, Beebone operates like a downloader application that can be controlled by the suspected criminal gangs behind the program.

It was used to force victims' PCs to fetch other malware from the internet including password stealers, ransomware, rootkits, and programs designed to take down legitimate websites.

Computer security firm Intel Security, which helped law enforcement agencies to stop the malware, said it had seen Beebone change its identity up to 19 times per day to avoid more traditional "signature detection" anti-virus methods.

Intel Security's chief technology officer Raj Samani told the BBC: "Beebone is highly sophisticated. It regularly changes its unique identifier, downloading a new version of itself, and can detect when it is being isolated, studied, or attacked.

"It can successfully block attempts to kill it."

Operation Beebone

Operation Beebone was carried out by the Joint Cybercrime Action Taskforce set up by the European Union to tackle cross-border internet crime. The team finally managed to tackle the malware by stopping it from connecting to servers on the net used to control and send it instructions.

Nearly 100 .com, .net, and .org domains have been "sinkholed" - the process by which traffic meant for specific IP addresses is redirected from suspected criminal-controlled sites to the investigating authorities. This allows detectives to "see" how the application behaves and to intercept requests for further instructions by the malicious software.

The FBI assisted in redirecting traffic from most of the sites being used by the gangs because they were operated from the United States and are under US jurisdiction.

The operation also involved private security firms Intel Security, Kaspersky Labs and Shadowserver. The taskforce now believes it has isolated the morphing malware so criminals can no longer make use of it.

Sustained threat

Head of operations at the European Cybercrime Centre, Paul Gillen told the BBC the agency would now look at whether those behind the attacks could be identified and brought to justice. He admitted the solution the taskforce had found was not a permanent one: "We can't sinkhole these domains forever. We need those infected to clean up their computers as soon as possible."

Several security vendors have created a free tool to remove the Beebone malware including F-Secure, TrendMicro, Symantec and Intel Security.

Symantec is one of several private security firms signed up to help EC3

But victims need to first realise they have the malware on their systems before they can download the removal tool.

Raj Samani said those who have the malware "will be notified by their internet service provider".

ISPs in each affected country will be handed a list of suspected victims to contact by the taskforce.

Dangerous threat

The Beebone malware was described by the Europol taskforce as "very sophisticated". Some security experts believe the consequences of the attack could have been much worse.

Portcullis Security in the UK advises various British government departments on cybersecurity issues. Its director, Paul Docherty, told the BBC:

"The fact that it [the malware] is complicated suggests that it could be used for more targeted attacks. If those responsible were able to harness similar difficult-to-detect code they could potentially move the point of attack from home users to corporate users or other entities which typically hold large amounts of sensitive, valuable data."

Mr Docherty said computer users should have anti-virus software installed and that it was essential that they kept it up-to-date. He warned against members of the public underestimating how valuable their computer might be to criminal hackers.

"There is still a general consensus that, It won't happen to me, I have nothing anyone could want. However, when you discuss with people what they actually use their technology for this changes very quickly."

Future challenge

The total number of computers infected by Beebone is relatively modest compared with some recent malware take-downs like GameOver Zeus. Security experts believe this is because the malware was not spread by mass emailing potential victims with poisoned internet links, an approach known as spearphishing. Intel Security said Beebone was more commonly spread through hardware like USB drives, or data discs.

Now remaining victims are being asked to clean up their computers as soon as possible.

Mr Samani said it is likely those who have Beebone on their computers "were likely to have a lot of other malware too because of the nature of Beebone as a malware downloader itself".

But there is another good reason why victims will want to move on quickly, says Mr Docherty: "Clean-up after infection could be complicated, as this [criminal] campaign has used a constantly changing (polymorphic) dropper to implant malware, it is possible that it has also installed code of a similar nature to re-enable access to the systems following clean-up."