Freedom of the Press Foundation
Show Navigation

Bill expands US spying powers

Martin Shelton
Dr. Martin Shelton

Principal Researcher

Aerial photograph of the National Security Agency. (CC BY-SA 2.0/Trevor Paglen)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Welp, after months of debate, Congress finally reauthorized a controversial surveillance authority, Section 702 of the Foreign Intelligence Surveillance Act. While legislators considered reforms to FISA that would restrain the federal intelligence and law enforcement community’s abilities to spy on American communications without a warrant, they in fact expanded these surveillance powers to subject more electronic communications service providers, such as U.S. cloud computing data centers, to data collection. According to Wired, “Legal experts—including a rare few attorneys who’ve argued cases before the FISA court in the past—say the new ECSP text ensnares owners of facilities housing equipment used to store and carry data, as well as commercial landlords and virtually anyone with access to communications equipment in those spaces.” Read more here.

What you can do

  • We often speak to journalists about using end-to-end encrypted communications software like Signal. If confidential communications are a concern for you or your organization — and they should be — this FISA development really underscores the need to opt for encrypted services when possible. Read our guides to learn more.
  • The same applies to how we think about cloud service providers. If the cloud computing service needs to process your data (e.g., transcription services), these surveillance programs would make it possible for a service provider to hand over personal data, so think about whether it’s acceptable to use a given cloud service provider before uploading. This will depend on what kind of data you want to protect, and when.
  • It’s not yet clear how these capabilities will be used in the wild, but given the FBI’s history of abusing surveillance authorities to monitor Americans who have even a tangential connection to foreign communications, this doesn’t look good. You need to assume that when you connect to a U.S. cloud service provider that can decrypt your data, it is subject to domestic surveillance. Likewise, some of the authorities here could arguably expand into the physical realm, with commercial entities such as landlords or maintenance people with access to communications equipment possibly compelled to provide assistance to law enforcement. For media organizations that are concerned about federal authorities monitoring their reporting materials or processes, this could mean introducing additional security for their communications equipment and infrastructure in a much more deliberate way into their threat model. Our digital security training team is always ready to talk to journalists about your specific needs and concerns. Reach out here.

Updates from our team

Whether someone gives you one at a conference or you find one in a parking lot, chances are you’ve at some point wondered about the safety of an unfamiliar USB device. My colleague Davis wrote a primer on what to do with dodgy USB devices. Check it out.

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin

Martin Shelton
Principal Researcher
Freedom of the Press Foundation

Donate to support press freedom

Your support is more important than ever.
Donate now

Read more about Digital Security Digest

Google details app violations

According to its security blog, Google prevented 2.28 million — yes, million — Android apps from being published on its Play Store in 2023. The company says it also removed 333,000 accounts for attempting to deliver malware through the Play Store, as well as for “repeated severe policy violations.” These numbers have grown substantially since 2022, when the company disclosed it prevented 1.43 million apps from being published on the Play Store.

3414dff9-26c5-b870-35f2-aeefe3836d2c

Apple warns iPhone users of targeted malware

On April 10, Apple sent users in 92 countries warning of mercenary malware attacks targeting the iPhone. The notification did not provide details about the identities of the attackers. According to TechCrunch, Apple warned, “This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.”

Reporting from a presidential election

Preparing for election-related security issues

Throughout this year, our digital security training team will share our thoughts on navigating security issues during the 2024 election season. Elections around the world experience distinct security issues that may change from year to year, but in the U.S. we look to 2020 for lessons on how to get ahead of likely issues, from surveillance of our sensitive communications to perennial phishing attacks and harassment for political reporting.

More posts