1) More Systems Compromised in #OPMHack, 2) A Love Letter to Hackers, and 3) What’s a Credit Freeze?

Posted: 3:29 am  EDT

 

On June 4, OPM released a statement on “a cybersecurity incident” that potentially affected personnel data of current and former federal employees, including personally identifiable information (PII) (see OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info).  The initial estimate was that the OPM hack affected potentially 4 million employees. On June 12, fedscoop reported that the American Federation of Government Employees (AFGE) believed that the breach may have compromised personal data of as high as 14 million employees.

We understand that the State Department issued a notice to employees concerning the OPM breach on June 4. A second notice dated June 12 (am told this was actually a June 11 notice) was shared with BuzzFeed (see below). Several unnamed State Department employees were quoted in that BuzzFeed article, a tell-tale sign of growing frustration that we can also see from our inbox.


Excerpt from email sent by Under Secretary of Management Pat Kennedy on June 12 (via BuzzFeed)

This is an update to my previous e-mail of June 4th [repeated at the very end of this message.]

As was communicated last week, the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the Personally Identifiable Information (PII) of some current and former Federal employees. This email provides additional information regarding next steps for those affected State Department employees. But, every employee should read this email.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from [DELETED] and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks. To protect yourself, we encourage you to check the following:

1. Make sure the sender email address is [DELETED]

2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.

3. The email subject should be exactly [DELETED]

4. Do not click on the included link. Instead, record the provided PIN code, open a web browser then manually type the URL [DELETED]. You can then use the provided instructions to enroll [DELETED].

5. The email should not contain any attachments. If it does, do not open them.

6. The email should not contain any requests for additional personal information.

7. The official email should look like the sample screenshot below.

Additional information has also been made available beginning on June 8, 2015 on the company’s website [DELETED].

Regardless of whether or not you receive this notification, employees should take extra care to ensure that they are following recommended cyber and personal security procedures. If you suspect that you have received a phishing attack, contact your agency’s security office.

In general, government employees are often frequent targets of “phishing” attacks, which are surreptitious approaches to stealing your identity, accessing official computer systems, running up bills in your name, or even committing crimes using your identity. Phishing schemes use e-mail or websites to trick you into disclosing personal and sensitive information.

Oh, man.

Hopefully no one will copy this “recipe” to send folks a fake notification to enroll somewhere else.

On May 28, just days before the OPM breach was reported, OPM issued a solicitation for OPM Privacy Act Incident Services. The services required include 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services. According to the solicitation, these services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII).  The $20,760,741.63 contract for Call 1 was awarded to Winvale Group, LLC on June 2 but was published on fedbiz on June 5, the day after the breach was reported. Call 1 contract includes services to no more than 4 million units/employees.

Note that the State Department notice dated June 12 says that the “email should not contain any attachments” (#5). The OPM services contract awarded on June 2 includes the following:

3.1.1.2 Contractor email Notification: The Contractor will prepare and send email notifications to affected individuals using read receipts. Emails (or attachments) will appear on Government letterhead, will contain Government-approved language, and will contain the signature of the Government official(s). Emails may contain one or more attachments. Email notification proof(s) will be provided to the Government for approval not later than 48 hours after award of a Call against the BPA. The Government will approve the email notification within 24 hours to enable the Contractor to begin preparation for distribution. The Contractor will require, receipt, track, and manage read receipts for email notifications.

Get that?
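The checklist from the June 12 notice, written as a mail-filter check and run against three constructed messages (an added example, not part of the original post and not State Department or OPM tooling). The sender, subject, enrollment host and all sample messages are placeholders, because the real values are [DELETED] above; the DMARC test is an added assumption, since a matching From address on its own proves nothing about who sent a message.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses
from urllib.parse import urlsplit

# Constructed placeholders: the real sender, subject and URL are [DELETED] on the page.
EXPECTED_SENDER = "notice@vendor.example"
EXPECTED_SUBJECT = "Placeholder notification subject"
EXPECTED_HOST = "enroll.vendor.example"
PII_ASK = re.compile(r"\b(ssn|social security number|date of birth|password)\b", re.I)


def _addrs(msg, name):
    """Lower-cased addresses found in every header called `name`."""
    return [a.lower() for _, a in getaddresses([str(h) for h in msg.get_all(name, [])])]


def check_notification(raw, work_address):
    """Return the checklist items the message fails (empty list means it passes)."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    failed = []

    # Item 1: exact sender address.
    if _addrs(msg, "From") != [EXPECTED_SENDER]:
        failed.append("1: sender address")
    # Added assumption: the receiving gateway stamps Authentication-Results and
    # strips any copy supplied by the sender, so dmarc=pass can be trusted here.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    if "dmarc=pass" not in auth.lower():
        failed.append("1a: sender not authenticated")
    # Item 2: addressed only to the employee's work address.
    if _addrs(msg, "To") != [work_address.lower()] or _addrs(msg, "Cc") or _addrs(msg, "Bcc"):
        failed.append("2: recipients")
    # Item 3: subject must match exactly.
    if str(msg.get("Subject", "")) != EXPECTED_SUBJECT:
        failed.append("3: subject")
    # Item 4: the user types the URL by hand; flag links to any other host.
    hosts = {urlsplit(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)}
    if hosts - {EXPECTED_HOST}:
        failed.append("4: link to unexpected host")
    # Item 5: no attachments.
    if any(True for _ in msg.iter_attachments()):
        failed.append("5: attachment")
    # Item 6: no requests for more personal information (keyword heuristic).
    if PII_ASK.search(body):
        failed.append("6: asks for personal information")
    # Item 7 (compare with the sample screenshot) is a visual check, not automated.
    return failed


def build(sender, to, subject, text, cc=None, attachment=None, dmarc="pass"):
    """Build one constructed sample message as raw RFC 5322 text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    if cc:
        m["Cc"] = cc
    m["Authentication-Results"] = f"mx.agency.example; dmarc={dmarc}"
    m.set_content(text)
    if attachment:
        m.add_attachment(attachment, maintype="application",
                         subtype="pdf", filename="letter.pdf")
    return m.as_string()


WORK = "employee@agency.example"  # constructed
LEGIT = build(EXPECTED_SENDER, WORK, EXPECTED_SUBJECT,
              "Your PIN is 0000. Type the enrollment address into your browser.")
SUSPECT = build("notice@vendor-alerts.example", WORK, "URGENT: " + EXPECTED_SUBJECT,
                "Confirm your Social Security Number at http://login.example/verify",
                cc="colleague@agency.example", dmarc="fail")
# A genuine contractor message that carries an attachment, which section
# 3.1.1.2 of the contract allows but item 5 of the notice tells staff to distrust.
CONTRACTOR = build(EXPECTED_SENDER, WORK, EXPECTED_SUBJECT,
                   "See the attached letter.", attachment=b"%PDF-1.4 constructed")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspect", SUSPECT), ("contractor", CONTRACTOR)):
        print(name, check_notification(raw, WORK))
```

The third sample is the mismatch pointed out above: a contract-compliant notification with an attachment fails item 5 of the notice.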

Now this. Somebody from State sent us a love letter for the hackers:

Dear Hackers: While you’re in there, please get my travel voucher for $291.46 approved, permanently cripple Carlson Wagonlit so we can stop wasting money on a useless product, and figure out how many special political hires there really are roaming our halls.  Oh and please don’t use my SF-86 info against my parents, it isn’t their fault I was an idiot and gave the government every last bit of info on my entire life.  I’m sure there’s more but it’s the weekend, let’s chat Monday. #LetsActLikeNothingHappened #SeriouslyThoughWTF .

And because the initial report is often understated per abrakadabra playbook hoping the bad news will go away, we’re now hearing this:

Oops, wait, what’s this?

Well, here is part of that email sent from “M” on  June 15, 5:35 pm ET:

“OPM has recently discovered that additional systems were compromised. These systems include those that contain info related to background investigations of current, former, and prospective Federal government employees, as well as other individuals from whom a Federal background investigation was conducted. This separate incident…was discovered as a result of OPM’s aggressive efforts to update its cybersecurity posture… OPM will notify those individuals whose info may have been compromised as soon as practical. You will be updated when we have more info on how and when these notifications will occur.”

So that original OPM estimate of 4 million affected employees is now OBE. That original $20 million contract will potentially go up.

Brian Krebs’ piece on credit monitoring, the default response these days when a breach happens, is worth a read. Basically, he’s saying that credit monitoring services aren’t really built to prevent ID theft (read Are Credit Monitoring Services Worth It?).

What can you do besides the suggestions provided by the State Department and OPM? Brian Krebs suggests a “credit freeze” or a “security freeze” not discussed or offered by OPM. Check out the very informative Q&A here.

 

We  know what else is on our to-do list today.

#

Former Secretary Clinton talks about her state.gov private emails

Posted: 01:11 am  EDT

 

Excerpt from the transcript of Hillary Clinton’s remarks on the email controversy swirling about via Time’s @ZekeJMiller:

There are four things I want the public to know.

First, when I got to work as secretary of state, I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.

Looking back, it would’ve been better if I’d simply used a second email account and carried a second phone, but at the time, this didn’t seem like an issue.

Second, the vast majority of my work emails went to government employees at their government addresses, which meant they were captured and preserved immediately on the system at the State Department.

Third, after I left office, the State Department asked former secretaries of state for our assistance in providing copies of work-related emails from our personal accounts. I responded right away and provided all my emails that could possibly be work-related, which totalled roughly 55,000 printed pages, even though I knew that the State Department already had the vast majority of them. We went through a thorough process to identify all of my work-related emails and deliver them to the State Department. At the end, I chose not to keep my private personal emails — emails about planning Chelsea’s wedding or my mother’s funeral arrangements, condolence notes to friends as well as yoga routines, family vacations, the other things you typically find in inboxes.

No one wants their personal emails made public, and I think most people understand that and respect that privacy.

Fourth, I took the unprecedented step of asking that the State Department make all my work-related emails public for everyone to see.

I am very proud of the work that I and my colleagues and our public servants at the department did during my four years as secretary of state, and I look forward to people being able to see that for themselves.

Again, looking back, it would’ve been better for me to use two separate phones and two email accounts. I thought using one device would be simpler, and obviously, it hasn’t worked out that way.

 

The Clinton folks have also released a Q&A on her email use:

 


So if we tell over 70,000 employees that they should secure their email accounts and “avoid conducting official Department business from your personal email accounts,” then we go off and use our own private non-government email, what leadership message are we sending out to the troops?  Follow what I say not what I do?


The secretary of state is the highest classifying authority at the State Department. Since she did not have a state.gov account, does this mean she never sent/received any classified material via email in the entirety of her tenure at the State Department? If so, was there a specific person who routinely checked classified email and cable traffic intended for the secretary of state?


The podium heads insist that there is no restriction in use of private emails. Never mind that this is exclusive use of private emails. If a junior diplomat or IT specialist sets up his/her own email server to conduct government business at the home backyard shed in Northern Virginia, do you think Diplomatic Security would not be after him or her? Would he/she even get tenured by the Tenuring Board despite systems management practices contrary to published guidelines?  If the answer is “yes,” we’d really like to know how this works. For ordinary people.

And then there’s this — if there were a hundred people at State that the then secretary of state regularly sent emails to, was there not a single one who said, “wait a minute, this might not be such a great idea”?


Bottom line despite this brouhaha? Her personal email server will remain private. She has full control over what the public gets to see. End of story. Or maybe not.


Oops, what’s this? Oh, dear.

#

 

State Dept refused to name its SGEs because of reasons #1, #2, #3, #4 and … oh right, the Privacy Act of 1974

— Domani Spero

Last week, ProPublica posted this: Who Are State Dept’s 100 “Special Government Employees”? It Won’t Say.  We blogged about it here: Who Are State Dept’s 100 “Special Government Employees”? Dunno But Is Non-Disclosure For Public Good? Today, the Project On Government Oversight (POGO) has more on the subject. And after months of giving one reason or another to the reporters pursuing this case, the State Department is down to its Captain America shield  — the Privacy Act of 1974.

Below excerpted from POGO: State Dept. Won’t Name Advisers Already in Government’s Public Database:

They’ve all been selected to advise the State Department on foreign policy issues. Their names are listed on the State Department’s website.

So why won’t the Department disclose that these individuals are special government employees (SGEs)?

For four months, State has refused to name its SGEs, ProPublica reported last week, leaving the public to guess which outside experts are advising the Department on matters that affect the public’s interest.

Yet, the Project On Government Oversight was able to find more than 100 of the advisers identified as SGEs in an online government database. In other words, some of the information that State has been refusing to provide is hiding in plain sight.
[…]
State has refused to identify any of its special employees, even though most agencies contacted by ProPublica were easily able to provide a list of their SGEs.

First, a State spokeswoman told ProPublica her agency “does not disclose employee information of this nature.”

When ProPublica filed a request seeking the list of names under the Freedom of Information Act (FOIA), it was told the agency doesn’t keep such a list, and State’s FOIA office refused to track down the information because it would require “extensive research.”

In September, ProPublica told State it planned to report that the Department was refusing to provide a list of names. In response, State said the FOIA request “was being reopened” and that the records would be provided “in a few weeks,” according to ProPublica.

“The State Department has since pushed back the delivery date three times and still hasn’t provided any list,” ProPublica reported last week. “It has been four months since we filed the original request.”

On Friday, a State official told The Washington Post that the Department is “diligently working to resolve” the FOIA request. The official cited concerns about “maintaining employee protections of privacy.”

State’s posture over the past several months is at odds with POGO’s finding: why can’t the Department give the press the same information it already supplied to a public database?

“Disclosure of certain employee information is subject to the Privacy Act of 1974,” Alec Gerlach, a State spokesperson, told POGO. “That some information may already be publicly available does not absolve the Department of Privacy Act requirements. Whether someone is an SGE is Privacy Act-protected information that we would not release except through the FOIA process.”

However, one of the authors of ProPublica’s story questioned why State hasn’t turned over the requested records. “I think anytime a government agency won’t reveal information, it raises questions about why they aren’t,” Liz Day, ProPublica’s Director of Research, told POGO.

Holy mother of god of distraught spoxes!  Okay, please, try not to laugh. It is disturbing to watch this type of contortion, and it seems to be coming regularly these days from Foggy Bottom.

Seriously.  If this is about the Privacy Act of 1974, why wasn’t ProPublica told of this restriction four months ago? And does that mean that all other agencies who released their SGE names were in violation of the Privacy Act of 1974?

Also, State/OIG was told that “The number of special government employee filers was given as 100.”  A State Department spokeswoman told ProPublica that there are “about 100” such employees.  But what do you know?  The Project On Government Oversight was able to find more than 100 of the advisers (excel download file) identified as SGEs in an online government database. Are there more? How many more?

The list does not include the more famous SGEs of the State Department previously identified in news reports.

New message from Mission Command:  “Good morning, Mr. Hunt (or whoever is available). Your mission, should you choose to accept it, involves the retrieval of very Special Government Employee (SGE) names. There are more than a hundred names but no one knows how many more.  They are padlocked in the Privacy Act of 1974 vault, guarded by a monstrous fire-breathing creature from Asia Minor. PA1974 vault location is currently in Foggy Bottom.  As always, should you or any member of your team be caught or killed, everybody with a badge will disavow all knowledge of your actions. This message will self-destruct in five seconds.  If not, well, find a match and burn.”

* * *

 

 

 

 

Take Time Today to Tell Your Senators to #StopCISPA

Via the Electronic Frontier Foundation.  Click on the image below to use EFF’s automated system to email your senators.  Sunlight Foundation shows that backers of the Cyber Intelligence Sharing and Protection Act had $605 million in lobbying expenditures from 2011 through the third quarter of last year compared to $4.3 million spent by opponents of the bill. Lopsided resources in action.


EFF: U.S. House of Representatives Shamefully Passes CISPA; Internet Freedom Advocates Prepare for a Battle in the Senate

ACLU:  CISPA Explainer #1: What Information Can Be Shared?

ACLU: CISPA Explainer #2: With Whom Can Information Be Shared?

ACLU:  CISPA Explainer #3: What Can Be Done With Information After It Is Shared?

The Security Skeptic:  What you (still) need to know about CISPA

— DS

 

 

 

 

 

US Embassies Cyprus & Greece: Federal Benefits Recipients at Risk of Identity Theft

You’ve heard about the financial crisis roiling the tiny Mediterranean island of Cyprus.  The €10 billion bailout announced recently is not going to be the end of it.  According to The Telegraph, Cyprus central bank official Yiangos Dimitriou has confirmed that the cashing of cheques will be banned as part of the introduction of capital controls. Dimitriou also announced that bank withdrawals will be limited to €300 a day.  Reuters reported that people leaving Cyprus may take only €1,000 with them. Apparently, there are also notices at the airport warning travelers of the new restrictions and that officers had orders to confiscate cash above the €1,000 euro limit.

Given that the 2010 OIG report of US Embassy Nicosia made no mention of American Citizen Services, we presume that there are not too many American residents in the island.  American retirees have flocked to Greece and their number in Cyprus is significantly lower than the UK pensioners, of which there are reportedly about 18,000 in the island. We understand that the Athens consular district is home to approximately 110,000 American citizens and there is a federal benefits attaché at the US Embassy in Greece who reports to the consul general.

Still, there are potentially enough Americans residing and banking in Cyprus that the Federal Benefits Unit at the US Embassy in Athens released the following statement:

We have arranged the following contingencies for customers who receive their federal benefits through Cyprus banks. Under any of these options, direct deposit changes usually occur 2 months after the month we receive the request, so do not close your old account until you receive the first payment in your new account.

Send an email to FBU.Athens@ssa.gov to change how you receive direct deposits.

Use a Subject Line in this format: SUBJECT: CYPRUS – Your name and last 4 digits of your social security number

In the message, provide the following:

1. Last name and first name

2. Street Address

3. Phone Number

4. Social Security Number (9 Digits), and

5. Direct deposit information, depending on the option you request.

Options include designating a bank in the United States to receive direct deposits, designating a bank in Greece to receive direct deposits (though the account must be in euros), and requesting a Chase Direct Benefit Card from JP Morgan Chase Bank.

Read in full here.

Similarly, the contact info for the Federal Benefits Unit in Nicosia requires beneficiaries to provide their SSN via email to consularnicosia@state.gov .

The intention to help as expeditiously as possible is commendable, but did anyone stop and consider how this might put retirees and recipients at risk of identity theft?

Did anyone stop and think how Social Security information is an identity thief’s dream?

With your Social Security number in hand, an opportunistic hacker or other online criminal can do just about anything — create phony bank accounts using your name; charge unlimited amounts of goods and services to credit accounts you never meant to open; steal your identity and recreate it multiple times and in multiple locations.

What security provisions are there to minimize potential misuse of SSNs transmitted via unencrypted email?

Where is the disclosure statement required under the Privacy Act?

The Privacy Act states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well. Read the Code of Federal Regulations section here: http://edocket.access.gpo.gov/cfr_2008/julqtr/28cfr16.53.htm.

If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. You can also contact your Congressional representative and U.S. Senators with your complaint. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.

Asking the federal benefits beneficiaries to send their social security numbers via email is like asking them to write it on a postcard.  C’mon folks,  would you write and mail yours on a postcard? No? Well then ….


 

 

US Embassy Manila: George Anikow, Diplomatic Spouse Killed in Early Morning Altercation

Citing the Information Officer of the US Embassy in Manila Tina Malone, Rappler.com reported that the husband of an American Embassy employee was killed in Makati City, in the Philippines on Saturday, November 24.  Ms. Malone declined to disclose more details about the incident but did say that the Philippine National Police (PNP) have suspects in custody and that “The US Embassy appreciates the cooperation of the Philippine authorities, and will work closely with the PNP in their investigation.”

An ABS-CBN report identified the victim as George Anikow, who was allegedly killed by 4 suspects at around 4 am, Saturday, in front of the gate of Bel-Air Subdivision.  Elsewhere local reports also indicate that US embassy press attache Tina Malone confirmed the incident but refused to give out the name of the victim for “privacy reasons.” Various news reports spelled the victim’s name as Anico.

The alleged attackers, young men who reportedly come from well-off Filipino families, ranged in age from 22 to 28 and are publicly named by the news report here.

The Philippine Daily Inquirer also reported this incident:

George Anikow, 41, an inactive US marine officer, died on Saturday morning after he was mauled and fatally stabbed at the back and left shoulder in an event so random he and the other men hardly knew each other, Senior Supt. Manuel Lukban, Makati police chief, said in an interview.
[…]
The victim, a dependent of one of the officers of the US Embassy, was awaiting order from the US Marine to be called to duty, the police said.

Lukban said the Makati police opted to file murder, a non-bailable offense, instead of homicide since the attackers chased the victim “with the intent to kill.”

We emailed the US Embassy Manila last night but have yet to receive a response (which may or may not come).  We’ve also seen the public affairs arms of embassies do this often enough citing “privacy reasons” for the deceased in refusing to release or confirm the identity of victims.  They ought to know better than that since the privacy rules no longer cover the dead. Would be a lot more understandable if they decline to provide details due to sensitivity to the next of kin rather than privacy rules.

While we have been unable to confirm this, it looks like the FSO in this case is a first tour officer on a consular assignment to the US Embassy in Manila.  Public records also indicate that the US Embassy in Manila back in August solicited a quotation for a service apartment for this FSO and her family (spouse,  three children 12, 10 and 6 and a 50 lb Labrador) for 40 nights ending on September 24, 2012. Which seems to indicate they were in temporary housing until late September.  And if that’s the case, then they have just moved in to Bel-Air within the last two months, a private subdivision and gated community in Makati where the victim was reportedly a resident.

The latest Crime and Security Report issued by the Regional Security Office of the US Embassy says that crime is a significant concern in urban areas of the Philippines. Typical criminal acts include pick pocketing, confidence schemes, acquaintance scams, and, in some cases, credit card fraud. It also says that carjacking, kidnappings, robberies, and violent assaults sporadically occur throughout metro Manila and elsewhere in the Philippines.

 

 

 

 

In which politicians lament over our dead diplomats — also fund-raises over them before they are even buried

Perhaps Mitt really is a nice, rich guy who shops at Costco. That does not offend me; but this one does.  There are way too many “wonderfuls” here to make it sound authentic.  I do not/not like it.  He sounds as if he did not think through what he was going to say besides calling them, wonderful, that is.  It sounds to me as if our diplomats killed in Benghazi have become convenient props for the political campaign. Brrr…. that is cold, man.

Here is a coverage of that Virginia speech:

“I know that we’ve had heavy hearts across America today, and I want you to know things are going to get a lot better. But I also recognize that right now we’re in mourning. We’ve lost four of our diplomats across the world. We’re thinking about their families and those that they’ve left behind,” Romney said, at the beginning of a rally with roughly 2,700 supporters here in Northern Virginia.

Then, as Romney continued to lament the loss of U.S. Ambassador J. Christopher Stevens, and the three others killed in Benghazi, a heckler distracted him.

“What a tragedy, to lose such a wonderful, wonderful, uh,” Romney said, as the heckler began to yell, “Why are you politicizing Libya?”

Romney continued, “wonderful people that have been so wonderful and appreciate their service to the country.”

They are …”wonderful, wonderful, uh (heckler interuptus) wonderful people that have been so wonderful …”

That’s the best he can do?

You can hear the crowd chant the heckler down with USA! USA! USA!  Then Mr. Romney said, “And so I would, I would offer a moment of silence but one gentleman doesn’t want to be silent so we’re going to keep on going,” Romney said.

If he wins in November, he would need a good thesaurus.

So then here comes a top contender for the Crassest Award of the Year.

Former senator and former GOP presidentiable Rick Santorum apparently is using the rising violence in the Middle East (and his expression of condolences on the deaths of our diplomats) as the basis for a fundraising e-mail sent out by his political advocacy organization according to The Cable:

“The news coming out of the Middle East is deeply saddening and concerning. Karen and I first want to express our condolences to the families of Ambassador Stevens and the three other American officials who were killed in the recent terrorist attacks. Their service to our country was heroic and this senseless act of violence is horrifying,” begins the e-mail signed by Santorum and sent out by Patriot Voices, the nonprofit 501(c)4 advocacy group he co-founded after he lost his primary bid.
[…]
The organization has two missions: to help Mitt Romney defeat Barack Obama and to promote conservative policies and values, according to Santorum’s statements in June when it launched.

“Please continue to stand with me as we advocate for policies that properly defend Americans and their principles abroad. President Obama’s approach of apologizing to our enemies, turning our backs on our allies, and leading from behind weakens America and empowers our enemies. If American ideals are to remain prosperous here and abroad, the appeasement policies of this president must stop,” Santorum wrote.

The Cable reports that the end of the e-mail contains the pitch with a link to the Patriot Voices donation page.

Wow, what a crass act. Announcing an expression of condolence to the dead diplomats’ families via a fund-raising email with a pitch for donation before our diplomats are even back on U.S. soil. Before we can properly bury them or mourn their passing.  What?  They couldn’t wait even until after the return of remains today?

Holy mother of goat and her crazy nephews! How shockingly opportunistic!

Meanwhile in related news, in yesterday’s Politico op-ed, Newt Gingrich, former Speaker and another former GOP presidentiable took issue with the Obama administration calling this a “senseless act of violence” (he probably did not get Rick’s email) and writes:

This concept of “senseless violence” is at the heart of the left’s refusal to confront the reality of radical Islamists.

These are not acts of senseless violence.

These are acts of war.

Our ambassador to Libya and three other Americans were not killed by a senseless mob. They were killed by a purposeful group of men armed with sophisticated weapons.

I recall, of course, Newt Gingrich telling CBS News in 2011, “The correct thing in an act of war is to kill people who are trying to kill you.” He was talking about Al-Awlaki, a U.S.-born cleric linked to al Qaeda, who was killed by a CIA drone.

Haven’t we seen this movie with war drums before, after 9/11? It started slow, then swooshed over and we ended up in Iraq and got stuck there for years and years.

How many dots would it take before the warmongers can connect “this purposeful group of men” to say …. Iran and the bomb, bomb, bomb Iran chorus?  The pencils are out and the dots are out there …

I think we must be vigilant and not get swooshed over a second time around even when our hearts are broken.

Google Buzz: Think Before You Click

A lot of virtual ink has been spilled on Google Buzz since its rollout last week especially relating to privacy issues. Here is the Google team’s recent take:  Millions of Buzz users, and improvements based on your feedback and A new Buzz start-up experience based on your feedback:  On Saturday, Google announced some forthcoming changes via its Gmail blog:

For the tens of millions of you who have already started using Buzz, over the next couple weeks we’ll be showing you a similar version of this new start-up experience to give you a second chance to review and confirm the people you’re following.
[…]
Second, Buzz will no longer connect your public Picasa Web Albums and Google Reader shared items automatically. Just to be clear: Buzz only automatically connected content that was already public, so if you had previously shared photos in an “Unlisted” album or set your Google Reader shared items as “Protected,” no one except the people you’d explicitly allowed to see your stuff has been able to see it. But due to your feedback Buzz will no longer connect these sites automatically.

Third, we’re adding a Buzz tab to Gmail Settings. From there, you’ll be able to hide Buzz from Gmail or disable it completely. In addition, there will be a link to these settings from the initial start-up page so you can easily decide from the get go that you don’t want to use Buzz at all.

This may be a great idea for some, but it’s not for me. If you want to skip this hassle after the Buzz splash screen (the one that says “Check out Buzz” and “Nah, go directly to Gmail”), select “Nah …” and go to your Gmail account. Scroll down to the bottom of your Gmail page and click on “turn off Buzz.” Buzz should disappear from the left-hand side bar of your Gmail. For good measure, check that your Google profile is also configured to your desired privacy setting.


Horn v. Huddle: A Cable, A Table, and Something in the Middle?

I did not make up that title — just tweaked it from the Court of Appeals decision on the Horn v. Huddle case heard before ROGERS, BROWN and GRIFFITH, Circuit Judges in the U.S. Court of Appeals for the District of Columbia Circuit. I am reprinting excerpts from the decision below. This seems like a convoluted way to get somebody’s assignment involuntarily curtailed, don’t you think?


Concurring and dissenting opinion filed by Circuit Judge BROWN (excerpt):


Once the privileged material is removed, Horn is essentially left with three pieces of circumstantial evidence — a cable, a table, and Huddle’s apparent lie. I question whether a reasonable person would seriously entertain the possibility, based on that evidence alone, that Huddle learned of Horn’s statement via a wiretap. One wonders if the atmosphere of government intrigue in this case — an atmosphere carefully cultivated by Horn and unfortunately only exacerbated by the government’s invocation of the state secrets privilege — is in fact doing much of the work in the majority’s determination that Horn has established a prima facie case on such skimpy evidence. Would a reasonable person really think Horn had established a prima facie case with the same circumstantial evidence if he was an OSHA inspector in Hoboken?

Opinion for the Court filed by Circuit Judge ROGERS (excerpt).

[…] Horn’s basic claim is straightforward: Late at night on August 12, 1993, he placed a phone call from his personal residence to a DEA subordinate, David Sikorra. He expressed concern that Huddle was trying to expel him from Burma and that DEA might respond by closing its Burma office. Soon thereafter, Horn learned of a cable, since declassified in part, that Huddle sent to State Department officials in Washington, D.C. This cable, which is dated August 13, 1993, contains an unclassified paragraph that reads:

Finally, Horn shows increasing signs of evident strain. Late last night, for example, he telephoned his junior agent to say that “I am bringing the whole DEA operation down here.” “You will be leaving with me . . . We’ll all leave together.” In this context, he then went on to note talks with [DEA officials] Greene and Maher without explicitly drawing a connection.


Cable from Franklin Huddle, American Embassy, Rangoon, Burma, to Secretary of State, Washington, D.C. ¶ 6 (Aug. 13, 1993) (“Huddle Cable”) (ellipses in original). On the basis of this cable, which Horn claims quotes him verbatim, Horn concluded that someone was eavesdropping on his personal conversation with Sikorra.


In an unclassified and unprivileged affidavit submitted to the district court, Huddle insisted instead that Horn’s conversation had spread by word of mouth. Huddle averred that he told the IG investigators that the information in the cable was provided to him by DEA Special Agent Bruce Stubbs. Special Agent Stubbs, for his part, denied, in the declassified portion of the IG report, telling anything to Huddle about Horn’s conversation with Sikorra. According to unclassified and unprivileged information, Stubbs was on official travel during the relevant time period and told IG investigators that he neither saw Huddle in person nor contacted him by telephone. Stubbs insisted that he did not learn of Horn’s conversation with Sikorra until he returned to Rangoon on August 26, 1993, almost two weeks after Huddle sent the cable to the State Department.


Further, Stubbs swore in an unclassified and unprivileged affidavit that Huddle had contacted him while the IG investigation was pending to discuss how Stubbs had told Huddle about Horn’s statement. Stubbs averred that he had no such recollection and that Huddle’s telephone call was improper, to which Huddle responded that he was merely “prescreening [Stubbs] to determine [his] recollections of Horn’s allegations.” Stubbs Aff. para. 8. This aspect of Stubbs’ affidavit is supported by a file memorandum that he wrote on September 22, 1994, the day after he was contacted by Huddle. When confronted with Stubbs’ affidavit, Huddle told investigators in writing that he “stand[s] by [his] statement.” Huddle Stmt. (Nov. 7, 1995).


Horn thus contends, in view of the unclassified and unprivileged materials, that he has demonstrated a prima facie case because the district court found that the redacted cable showed eavesdropping as the source of information, and the declassified interviews with personnel then stationed at the Embassy in Rangoon establish that Huddle did not learn of Horn’s conversation, either verbatim or otherwise, from Stubbs or anybody else, leaving unconstitutional surveillance as the only remaining option. Although Horn has no direct evidence that Huddle participated in an unlawful surveillance, he relies on the following circumstantial evidence:


First, in November 1992 there was a suspicious entry into his apartment in Burma when, unsolicited, his government issued rectangular coffee table was swapped for an oval replacement while he was out of town. He was advised that his “original coffee table was needed to complete a sofa set at another residence.” Memorandum from Richard A. Horn on Questionable Furniture Movement para. 3 (Feb. 27, 1995). Horn characterized this conduct as “peculiar” and notes that “[a] telephone was located in this room within close proximity to the aforementioned coffee table.” Id. para. 4.

Second, Horn traces the limited spread among Embassy personnel of his conversation with Sikorra, emphasizing that Huddle’s source was specific enough to allow Huddle to use quotation marks and ellipses in the cable. In declassified statements, Sikorra explained that he told only a secretary, Mary Weinhold, about the disturbing telephone call; Mrs. Weinhold explained that no one could have overheard her conversation with Sikorra and that she does not recall having told her husband, who also worked at the Embassy, about Horn’s conversation; Mr. Weinhold corroborated his wife’s recollection; and Huddle’s deputy at the Embassy stated his belief that Huddle was aware of the conversation between Horn and Sikorra before he was.


The district court “verified that indeed, [the Huddle cable] is a verbatim reproduction of parts of Horn’s conversation with Sikorra, using quotation marks and ellipses, and a paraphrasing of other parts — evidence that Horn’s conversation had been wiretapped.” Mem. Op. of Feb. 10, 1997, at 4. Nonetheless, the district court found Horn’s allegations insufficient to establish a prima facie case. Mem. Op. of July 28, 2004, at 10. The district court reasoned that Defendant II’s identity is protected and that there is no unprivileged evidence connecting him to Horn’s allegations.


Related Item:

No. 04-5313 IN RE: SEALED CASE | Appeal from the United States District Court for the District of Columbia (No. 94cv01756)
Argued December 14, 2006 | Decided June 29, 2007 | Unsealed July 20, 2007


Big Brother with Big Ears, In China

Listening Ears near Greatstone-on-Sea, Kent, Great Britain. These are concrete listening ears built for the war. Aeroplanes flying across the channel could be heard by observers positioned near these “ears”.

Photo by Paul Russon. Licensed under the Creative Commons Attribution-Share Alike 2.0 license.

The Overseas Security Advisory Council had just released its 2009 China Crime and Safety Report. The Regional Security Office (RSO) there continues to rate the overall crime threat in China as low; that’s the good news. The bad news is if you talk about it or even about your laundry, or that one with the hot abs next door, chances are somebody is listening. And for a while there, some bloggers could not even read their own posts from China, or post comments in their own blog. I understand that the restrictions have been relaxed since around the Olympics but one can’t tell when that door closes down again. Excerpt below on privacy from the 2009 report:

All visitors should be aware that they have no reasonable expectation of privacy in public or private locations. The U.S. Mission regularly receives reports of human and technical monitoring of U.S. private businessmen and visiting U.S. citizens. The areas around U.S. and other foreign diplomatic facilities and residences are under overt physical and video surveillance – dozens of security personnel are posted outside of facilities and around residences, while video cameras are visible throughout diplomatic quarters (offices and residential neighborhoods) of Beijing. Thousands of additional video cameras were added throughout Beijing in advance of the Olympics to aid law enforcement authorities.

All hotel rooms and offices are considered to be subject to on-site or remote technical monitoring at all times. Hotel rooms, residences and offices may be accessed at any time without the occupant’s consent or knowledge. Elevators and public areas of housing compounds are also under continuous surveillance. In one instance, the management company of a residential compound informed its tenants (to include official Americans) that their apartments were subject to search.

Embassy employees are warned not to discuss classified or sensitive information in their homes, vehicles or offices. Post strongly encourages members of the private sector to take similar precautions to safeguard sensitive, personal and/or proprietary information.

All means of communication – telephones, cellular telephones, faxes, e-mail, text messages, etc., – are likely monitored. The government has access to the infrastructure operated by the limited number of Internet service providers and wireless providers operating in China. Wireless access to the Internet in major metropolitan areas is becoming more and more common. As such, the Chinese can more easily access official and personal computers.

The Chinese Government has publicly declared that they regularly monitor private e-mail and Internet browsing through cooperation with local Internet service providers. The government also employs several thousand individuals to police the Internet. Bloggers are subject to particular scrutiny in China where such activity is usually not permitted and blog sites are, as a general rule, blocked.

Sounds so — totally crappy, right? I wonder if anyone makes up stories just to keep the listeners occupied. If you read all 864 pages of Anna Karenina aloud, what might the big ears do with that? Record it… translate it … pursue dead ender trails ???