French central bank chief urges insurers to step up cyber risk coverage


PARIS (Reuters) – France’s central bank governor called on French insurers to enhance cyber risk coverage for their clients, as hack attacks and data privacy laws in Europe spur rising demand.

“With the help of reinsurers, insurers should be able to meet demands of cyber risk coverage, a concern that affects all businesses,” Francois Villeroy de Galhau said during a conference in Paris.

Though growing fast, the European cyber insurance market remains dwarfed by that in the United States, but is likely to expand in the coming years as new EU regulations come into force requiring firms to disclose when they have been the victim of an attack.

Around 28 percent of companies in Europe have been subject to a cyber attack over the past 12 months, but only 13 percent of companies have purchased cyber insurance, Marsh & McLennan Co’s (MMC.N) Marsh broker unit said in a survey, published in October 2016.

The value of global cyber insurance premiums outstanding is estimated by Marsh & McLennan Co’s (MMC.N) Marsh broker unit to be around $3.5 billion, with $3 billion coming from the United States and around $300 million coming from Europe.

“Insurance companies should learn from their own experience … in order to create a more mature market in France and Europe for insurance against cyber risks,” Villeroy added.

(Reporting by Maya Nikolaeva and Myriam Rivet; Editing by Leigh Thomas)

Saudi Arabia warns on cyber defense as Shamoon resurfaces


KHOBAR, Saudi Arabia (Reuters) – Saudi Arabia on Monday warned organizations in the kingdom to be on the alert for the Shamoon virus, which cripples computers by wiping their disks, as the labor ministry said it had been attacked and a chemicals firm reported a network disruption.

An alert from the telecoms authority seen by Reuters advised all parties to be vigilant for attacks from the Shamoon 2 variant of the virus that in 2012 crippled tens of thousands of computers at oil giant Saudi Aramco.

Shamoon disrupts computers by overwriting the master boot record, making it impossible for them to start up. Former U.S. Defense Secretary Leon Panetta said the 2012 Shamoon attack on Saudi Aramco was probably the most destructive cyber attack on a private business.

In the 2012 hacks, images of a burning U.S. flag were used to overwrite the drives of victims including Saudi Aramco and RasGas Co Ltd. In the recent attacks, an image of the body of 3-year-old drowned Syrian refugee Alan Kurdi was used, according to U.S. security researchers.

The Shamoon hackers were likely working on behalf of the Iranian government in the 2012 campaign and the more-recent attacks, said Adam Meyers, vice president with cyber security firm CrowdStrike. “It’s likely they will continue,” he said.

State-controlled Al Ekhbariya TV said on Twitter, using the hash tag #Shamoon, that several Saudi organizations had been targeted in recent cyber attacks.

The state news agency, meanwhile, said the labor ministry had been hit by a cyber attack, but that it did not impact its data.

Jubail-based Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and U.S. company Dow Chemical, said it had experienced a network disruption on Monday morning and was working to resolve the issue.

The company made the disclosure on its official Twitter account after the warning by Al Ekhbariya TV, which cited the telecoms authority.

It did not say whether the disruption was due to a cyber attack but said as a precautionary measure it had stopped all services related to the network.

Other companies in Jubail, the hub of the Saudi petrochemicals industry, also experienced network disruptions, according to sources who were not authorized to publicly discuss the matter.

Those companies sought to protect themselves from the virus by shutting down their networks, said the sources, who declined to identify specific firms.

(Reporting by Reem Shamseddine; Additional reporting by Jim Finkle; Writing by Maha El Dahan; Editing by Mark Potter and Andrew Hay)

As attacks grow, EU mulls banking stress tests for cyber risks


By Francesco Guarascio

BRUSSELS (Reuters) – The European Union is considering testing banks’ defenses against cyber attacks, EU officials and sources said, as concerns grow about the industry’s vulnerability to hacking.

Cyber attacks against banks have increased in numbers and sophistication in recent years, with criminals finding new ways to target banks beyond trying to illicitly obtain details of their customers’ online accounts. Last February $81 million was taken from the Bangladesh central bank when hackers broke into its system and gained access to the SWIFT international transactions network.

Global regulators have tightened security requirements for banks after that giant cyber fraud, one of the biggest in history, and in some countries have carried out checks on lenders’ security systems.

But complex cyber attacks have kept rising, as revealed in November by SWIFT in a letter to client banks and by the theft of 2.5 million pounds ($3 million) from Tesco Plc’s banking arm in the first mass hacking of accounts at a Western lender.

Banks “are struggling to demonstrate their ability to cope with the rising threat of intruders gaining unauthorized access to their critical systems and data,” a report of the European Banking Authority (EBA) warned in December.

The next step from European regulators to boost security could be an EU-wide stress test.

The European executive commission is assessing additional initiatives to counter cyber attacks, a commission official told Reuters. “These include cyber-threat information sharing or penetration and resilience testing of systems.”

The European Central Bank announced last year it would set up a database to register incidents of cyber crime at commercial banks in the 19-country euro zone. But exchanges of information among national authorities on cyber incidents remain scant.

The Commission is studying whether EU-wide tests would help step up security, a source at the EU executive said. This would be in addition to controls already carried out by national authorities.

EBA, which is in charge of stress-testing the bloc’s banks, is expected to detail in summer the checks it intends to conduct in the next exercise planned in mid-2018.

EBA tests banks’ capital cushions and can conduct checks on specific issues. Last year it monitored risks caused by fines, as EU lenders faced sanctions from U.S. regulators.

An EBA official said cyber security was on the agency’s radar but no decision had been made on a possible stress test. The body’s chairman, Andrea Enria, has urged EU states to stress-test their financial institutions for cyber risks.

Lloyds Banking Group is working with law enforcement agencies to trace who was behind a cyber attack that caused intermittent outages for customers of its personal banking websites almost two weeks ago, according to a source familiar with the incident. Lloyds said it would not speculate on the cause of the attack. No customers suffered any losses.

BLOCKCHAIN

As European banks keep relying on digital infrastructure that is “rigid and outdated”, according to EBA, regulators are considering new technologies that could boost security.

Blockchain, the technology behind the most successful virtual currency, Bitcoin, is being closely monitored in Brussels “to establish the advantages and possible risks” but also to weigh possible moves to enable blockchain where it is hindered, the Commission source said.

More than 1 billion euros have been invested in blockchain startups, a World Economic Forum report said.

The EU agency for network and information security (ENISA) said in a report last week the technology offered new opportunities and could cut costs, but may also pose new cyber security challenges, mostly caused by its decentralized network.

Ukraine’s power outage was a cyber attack: Ukrenergo


By Pavel Polityuk, Oleg Vukmanovic and Stephen Jewkes

KIEV/MILAN (Reuters) – A power blackout in Ukraine’s capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday.

When the lights went out in northern Kiev on Dec. 17-18, power supplier Ukrenergo suspected a cyber attack and hired investigators to help it determine the cause following a series of breaches across Ukraine.

Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station “North”, were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters.

“The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion,” Ukrenergo said.

Law enforcement officials and cyber experts are still working to compile a chronology of events, draw up a list of compromised accounts, and determine the penetration point, while tracing computers potentially infected with malware in sleep mode, it said.

The comments make no mention of which individual, group or country may have been behind the attack.

“It was an intentional cyber incident not meant to be on a large scale… they actually attacked more but couldn’t achieve all their goals,” said Marina Krotofil, lead cyber-security researcher at Honeywell, who assisted in the investigation.

In December 2015, a first-of-its-kind cyber attack cut the lights to 225,000 people in western Ukraine, with hackers also sabotaging power distribution equipment, complicating attempts to restore power.

Ukrainian security services blamed that attack on Russia.

In the latest attack, hackers are thought to have hidden in Ukrenergo’s IT network undetected for six months, acquiring privileges to access systems and figure out their workings, before taking methodical steps to take the power offline, Krotofil said.

“The team involved had quite a few people working in it, with very serious tools and an engineer who understands the power infrastructure,” she said.

The attacks against Ukraine’s power grid are widely seen by experts as the first examples of hackers shutting off critical energy systems supplying heat and light to millions of homes.

(Writing by Oleg Vukmanovic; reporting by Pavel Polityuk in Kiev, Oleg Vukmanovic and Stephen Jewkes in Milan; editing by Susan Fenton/Ruth Pitchford)

Russia says facing increased cyber attacks from abroad


MOSCOW (Reuters) – Russia is facing increased cyber attacks from abroad, a senior security official was quoted on Sunday as saying, responding to Western accusations that Moscow is aggressively targeting information networks in the United States and Europe.

U.S. intelligence agencies say Russian President Vladimir Putin ordered a cyber campaign aimed at boosting Donald Trump’s electoral chances by discrediting his Democrat rival Hillary Clinton in the 2016 presidential campaign.

Russia has dismissed the accusations as a “witch-hunt”.

“Recently we have noted a significant increase in attempts to inflict harm on Russia’s informational systems from external forces,” Nikolai Patrushev, secretary of Russia’s Security Council, told the Rossiiskaya Gazeta daily, according to excerpts of an interview to be published in full on Monday.

“The global (Internet) operators and providers are widely used, while the methods they use constantly evolve,” said Patrushev, a former head of the FSB secret service and a close ally of Putin.

Patrushev accused the outgoing U.S. administration of President Barack Obama of “deliberately ignoring the fact that the main Internet servers are based on the territory of the United States and are used by Washington for intelligence and other purposes aimed at retaining its global domination”.

But he added that Moscow hoped to establish “constructive contacts” with the Trump administration. Trump, who praised Putin during the election campaign and has called for better ties with Moscow, will be inaugurated as president on Jan. 20.

(Reporting by Vladimir Soldatkin; Editing by Gareth Jones)

Trump’s CIA nominee includes Russia in list of global challenges


By David Alexander and Jonathan Landay

WASHINGTON (Reuters) – U.S. President-elect Donald Trump’s nominee to head the CIA portrayed multiple challenges facing the United States on Thursday, from an aggressive Russia to a “disruptive” Iran to a China that he said is creating “real tensions.”

Diverging from Trump’s stated aim of seeking closer ties with Russia, Pompeo said that Russia is “asserting itself aggressively” by invading and occupying Ukraine, threatening Europe, and “doing nearly nothing” to destroy Islamic State.

Mike Pompeo, a Republican member of the House of Representatives and a former U.S. Army officer, was speaking at the start of his confirmation hearing in the U.S. Senate.

In his prepared opening statement, Pompeo noted that the CIA does not make policy on any country, adding, “it is a policy decision as to what to do with Russia, but it will be essential that the Agency provide policymakers with accurate intelligence and clear-eyed analysis of Russian activities.”

His testimony came at a time when Trump, a Republican who takes office on Jan. 20, has openly feuded with U.S. intelligence agencies.

For weeks, the president-elect questioned the intelligence agencies’ conclusion that Russia used hacking and other tactics to try to tilt the 2016 presidential election in his favor. Trump said on Wednesday that Russia was behind the hacking but that other countries were hacking the United States as well.

This week, Trump furiously denounced intelligence officials for what he said were leaks to the media by intelligence agencies of a dossier that makes unverified, salacious allegations about his contacts in Russia.

Pompeo, a conservative lawmaker from Kansas who is on the House Intelligence Committee, listed challenges facing the United States, saying “this is the most complicated threat environment the United States has faced in recent memory.”

This included what he called a “resilient” Islamic State and the fallout from Syria’s long civil war.

Pompeo also included North Korea, which he said had “dangerously accelerated its nuclear and ballistic missile capabilities.” He said China was creating “real tensions” with its activities in the South China Sea and in cyberspace as it flexed its muscles and expanded its military and economic reach.

He called Iran an “emboldened, disruptive player in the Middle East, fueling tensions” with Sunni Muslim allies of the United States.

(Writing by Frances Kerry; Editing by Howard Goller)

Democrats want 9/11-style special commission to probe Russia


WASHINGTON (Reuters) – Democratic members of the U.S. Congress called on Monday for the creation of an independent commission to investigate Russia’s attempts to intervene in the 2016 election, similar to the Sept. 11 panel that probed the 2001 attacks on the United States.

Their “Protecting our Democracy Act” would create a 12-member, bipartisan independent panel to interview witnesses, obtain documents, issue subpoenas and receive public testimony to examine attempts by Moscow and any other entities to influence the election.

The panel members would not be members of Congress.

The legislation is one of many calls by lawmakers to look into Russian involvement in the contest, in which Republican Donald Trump defeated Democrat Hillary Clinton in the White House race, confounding opinion polls. Republicans also kept control of the Senate and House of Representatives by larger-than-expected margins.

U.S. intelligence agencies on Friday released a report saying that Russian President Vladimir Putin ordered an effort to help Trump’s electoral chances by discrediting Clinton.

Russia has denied the hacking allegations. A Kremlin spokesman said Monday they were “reminiscent of a witch-hunt.”

“There is no question that Russia attacked us,” Senator Ben Cardin, the top Democrat on the Senate Foreign Relations Committee, told a news conference.

Versions of the bill were introduced in both the Senate and House. In the Senate it has 10 sponsors. In the House it is backed by every member of the Democratic caucus, said Representative Elijah Cummings, the top Democrat on the House Oversight Committee.

However, no Republicans currently back the bill, so its prospects are dim, given Republican control of both houses of Congress.

While a few Republicans, notably Senators Lindsey Graham and John McCain, have supported calls for an independent probe, party leaders have resisted the idea, saying that investigations by Republican-led congressional committees are sufficient.

Senator Amy Klobuchar, who just returned from a trip to the Baltic states, Ukraine and Georgia with Graham and McCain, said Russia’s actions justified a probe by an independent panel of national experts.

“This is not just about one political party. It’s not even about one election. It’s not even about one country, our country. It is a repeated attempt… around the world, to influence elections,” Klobuchar said.

After Sept. 11, 2001, Congress established an independent commission to look into the attacks and make recommendations about how to prevent similar actions in the future. Many of the recommendations were adopted into law.

“The American people felt good about what they did,” Cummings said.

(Reporting by Patricia Zengerle; editing by Grant McCool)

After U.S. intel report on Putin, British government launches cyber security review


LONDON (Reuters) – The British government said on Monday it is launching a national inquiry into cyber security to assess the extent to which the UK is protected from an ever-increasing tide of attacks worldwide.

The inquiry comes only two days after U.S. intelligence agencies said Russian president Vladimir Putin ordered an effort to help U.S. president-elect Donald Trump’s electoral chances by discrediting Hillary Clinton in the 2016 U.S. presidential campaign.

“Attention has recently focused on the potential exploitation of the cyber domain by other states and associated actors for political purposes,” said Margaret Beckett, chair of parliament’s joint committee on national security strategy.

“But this is just one source of threat that the government must address,” she added, in a statement.

Cyber attacks in the UK have been on the rise, with businesses such as banks and retailers increasingly becoming targets for hackers.

Reported attacks on financial institutions in Britain rose from just five in 2014 to 75 in the year to October 2016, data from Britain’s Financial Conduct Authority (FCA) show. Last year, retailer Tesco’s banking arm suffered an attack which saw some 2.5 million pounds stolen from 9,000 current accounts.

The inquiry will look at issues including the types of cyber threats faced by the UK, the extent of human, financial and technical capital committed to address threats, and the development of offensive cyber capabilities.

The inquiry forms part of the second National Cyber Security Strategy launched in November last year, which has a total budget of 1.9 billion pounds running from 2016 to 2021.

(Reporting by Ritvik Carvalho; editing by Stephen Addison)

Congress begins Russia hacking probe, Trump still skeptical of U.S. intelligence


By Dustin Volz

WASHINGTON (Reuters) – Senior U.S. intelligence officials will testify in Congress on Thursday on Russia’s alleged cyber attacks during the 2016 election campaign, even as President-elect Donald Trump casts doubt on intelligence agencies’ findings that Moscow orchestrated the hacks.

The hearings come a day before Trump is due to be briefed by intelligence agency chiefs on hacks that targeted the Democratic Party.

Trump is heading for a conflict over the issue with Democrats and fellow Republicans in Congress, many of whom are wary of Moscow and distrust the New York businessman’s praise of Russian President Vladimir Putin and efforts to heal the rift between the United States and Russia.

Director of National Intelligence James Clapper, National Security Agency Director Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are expected to appear before the Senate Armed Services Committee, which is chaired by Republican John McCain, a vocal critic of Putin.

Their testimony on cyber threats facing the United States will come a week after President Barack Obama ordered the expulsion of 35 Russian suspected spies and imposed sanctions on two Russian intelligence agencies over their alleged involvement in hacking U.S. political groups in the 2016 election.

U.S. intelligence agencies say Russia was behind hacks into Democratic Party organizations and operatives before the presidential election, a conclusion supported by several private cybersecurity firms. Moscow denies the hacking allegations.

U.S. intelligence officials have also said the Russian cyber attacks aimed to help Trump defeat Democrat Hillary Clinton in the Nov. 8 election. Several Republicans acknowledge Russian hacking during the election but have not linked it to an effort to help Trump win.

Documents stolen from the Democratic National Committee and John Podesta, Clinton’s campaign manager, were leaked to the media in advance of the election, embarrassing the Clinton campaign.

In a tweet on Wednesday, Trump said: “(WikiLeaks founder) Julian Assange said ‘a 14 year old could have hacked Podesta’ – why was DNC so careless? Also said the Russians did not give him the info!”

Trump also quoted Assange as telling Fox News that U.S. media coverage of the matter was “very dishonest.”

He and top advisers believe Democrats are trying to delegitimize his election victory by accusing Russian authorities of helping him.

FIRMER RESPONSE URGED

Some lawmakers, including McCain, said a firmer response was needed to check Russian aggression in cyberspace and elsewhere. He is among a handful of Republicans to join Democrats in pushing for a special committee to investigate Russia’s political hacking, although that effort has lost traction in the face of opposition from Republican leaders in Congress.

Obama instructed U.S. intelligence agencies last month to conduct a full review of the election hacks. That review could be completed and delivered to Obama as soon as Thursday, said sources familiar with the matter.

Five Democratic senators introduced legislation on Wednesday calling for the creation of an independent, nonpartisan commission to investigate Russian interference in the election.

Trump has also nominated people seen as friendly toward Moscow to senior administration posts, including secretary of state nominee Rex Tillerson, who while Exxon Mobil chief executive, was awarded the Order of Friendship, a Russian state honor, by Putin in 2013.

Rogers, the NSA chief, visited the president-elect in New York in November and is among a handful of people being considered by Trump to succeed the retiring Clapper as U.S. spy chief, in addition to former Republican Senator Dan Coats, according to sources familiar with the matter.

The Senate Foreign Relations Committee will also hold a closed-door hearing on Thursday to examine Russia’s alleged hacking and harassment of U.S. diplomats.

(Additional reporting by Patricia Zengerle and Mark Hosenball in Washington; Editing by Yara Bayoumy and Peter Cooney)

Yahoo email scan shows U.S. spy push to recast constitutional privacy


By Joseph Menn

(Reuters) – Yahoo Inc’s secret scanning of customer emails at the behest of a U.S. spy agency is part of a growing push by officials to loosen constitutional protections Americans have against arbitrary governmental searches, according to legal documents and people briefed on closed court hearings.

The order on Yahoo from the secret Foreign Intelligence Surveillance Court (FISC) last year resulted from the government’s drive to change decades of interpretation of the U.S. Constitution’s Fourth Amendment right of people to be secure against “unreasonable searches and seizures,” intelligence officials and others familiar with the strategy told Reuters.

The unifying idea, they said, is to move the focus of U.S. courts away from what makes something a distinct search and toward what is “reasonable” overall.

The basis of the argument for change is that people are making much more digital data available about themselves to businesses, and that data can contain clues that would lead to authorities disrupting attacks in the United States or on U.S. interests abroad.

While it might technically count as a search if an automated program trawls through all the data, the thinking goes, there is no unreasonable harm unless a human being looks at the result of that search and orders more intrusive measures or an arrest, which even then could be reasonable.

Civil liberties groups and some other legal experts said the attempt to expand the ability of law enforcement agencies and intelligence services to sift through vast amounts of online data, in some cases without a court order, was in conflict with the Fourth Amendment because many innocent messages are included in the initial sweep.

“A lot of it is unrecognizable from a Fourth Amendment perspective,” said Orin Kerr, a former federal prosecutor and Georgetown University Law School expert on surveillance. “It’s not where the traditional Fourth Amendment law is.”

But the general counsel of the Office of the Director of National Intelligence (ODNI), Robert Litt, said in an interview with Reuters on Tuesday that the legal interpretation needed to be adjusted because of technological changes.

“Computerized scanning of communications in the same way that your email service provider scans looking for viruses – that should not be considered a search requiring a warrant for Fourth Amendment purposes,” said Litt. He said he is leaving his post on Dec. 31 as the end of President Barack Obama’s administration nears.

DIGITAL SIGNATURE

Reuters was unable to determine what data, if any, was handed over by Yahoo after its live email search. The search was first reported by Reuters on Oct. 4. Yahoo and the National Security Agency (NSA) declined to explain the basis for the order.

The surveillance court, whose members are appointed by U.S. Supreme Court Chief Justice John Roberts, oversees and approves the domestic pursuit of intelligence about foreign powers. While details of the Yahoo search are classified, people familiar with the matter have told Reuters it was aimed at isolating a digital signature for a single person or small team working for a foreign government frequently at odds with America.

The ODNI is expected to disclose as soon as next month an estimated number of Americans whose electronic communications have been caught up in online surveillance programs intended for foreigners, U.S. lawmakers said.

The ODNI’s expected disclosure is unlikely to cover such orders as the one to Yahoo but would encompass those under a different surveillance authority called section 702. That section allows the operation of two internet search programs, Prism and “upstream” collection, that were revealed by former NSA contractor Edward Snowden more than three years ago. Prism gathers the messaging data of targets from Alphabet Inc’s Google, Facebook, Microsoft and Apple, among others.

Upstream surveillance allows the NSA to copy web traffic to search data for certain terms called “selectors,” such as email addresses, that are contained in the body of messages. ODNI’s Litt said ordinary words are not used as selectors.

The Fourth Amendment applies to the search and seizure of electronic devices as much as ordinary papers. Wiretaps and other surveillance in the internet age are now subject to litigation across the United States. But in the FISC, with rare exceptions, the judges hear only from the executive branch.

Their rulings have been appealed only three times, each time going to a review board. Only the government is permitted to appeal from there, and so far it has never felt the need.

PUBLIC LEGAL CHALLENGES

The FISC’s reasoning, though, is heading into public courts. The 9th U.S. Circuit Court of Appeals on Dec. 5 cited FISC precedents in rejecting an appeal of an Oregon man who was convicted of plotting to bomb a Christmas tree lighting ceremony after his emails were collected in another investigation.

Groups such as the American Civil Liberties Union and the Electronic Frontier Foundation are fighting the expansion of legalized surveillance in Congress and in courts.

On Dec. 8, the ACLU argued in the 4th U.S. Circuit Court of Appeals that a lawsuit by Wikipedia’s parent group against the NSA should not have been dismissed by a lower court, which ruled that the nonprofit could not show it had been snooped on and that the government could keep details of the program secret.

The concerns of civil libertarians and others have been heightened by President-elect Donald Trump’s nomination of conservative Representative Mike Pompeo of Kansas to be director of the CIA. Pompeo, writing in the Wall Street Journal in January, advocated expanding bulk collection of telephone calling records in pursuit of Islamic State and its sympathizers who could plan attacks on Americans. Pompeo said the records could be combined with “publicly available financial and lifestyle information into a comprehensive, searchable database.”

Yahoo’s search went far beyond what would be required to monitor a single email account. The company agreed to create and then conceal a special program on its email servers that would check all correspondence for a specific string of bits.

Trawling for selectors is known as “about” searching, when content is collected because it is about something of interest rather than because it was sent or received by an established target. It is frequently used by the NSA in its bulk upstream collection of international telecom traffic.

The Privacy and Civil Liberties Oversight Board, an appointed panel established by Congress as part of its post-9/11 expansion of intelligence authority, reported in 2014 that “about” searches “push the program close to the line of constitutional reasonableness.”

A glimpse of the new legal arguments came in a FISC proceeding last year held to review NSA and FBI annual surveillance targets and four sets of procedures for limiting the spread of information about Americans.

Judge Thomas Hogan appointed Amy Jeffress, an attorney at Arnold and Porter and a former national security prosecutor, to weigh in, the first time that court had asked an outside privacy expert for advice before making a decision.

Jeffress argued each search aimed at an American should be tested against the Fourth Amendment, while prosecutors said that only overall searching practice had to be evaluated for “reasonableness.” Hogan agreed with the government, ruling that even though the Fourth Amendment was all but waived in the initial data gathering because foreigners were the targets, the voluminous data incidentally gathered on Americans could also be used to investigate drug deals or robberies.

“While they are targeting foreign intelligence information, they are collecting broader information, and there needs to be strong protections for how that information is used apart from national security,” Jeffress told Reuters.

ODNI’s Litt wrote in a February Yale Law Review article that the new approach was appropriate, in part because so much personal data is willingly shared by consumers with technology companies. Litt advocated for courts to evaluate “reasonableness” by looking at the entirety of the government’s activity, including the degree of transparency.

Litt told Reuters that he did not mean, however, that the same techniques in “about” searches should be pushed toward the more targeted searches at email providers such as Yahoo.

Although speaking generally, he said: “My own personal approach to this is you should trade off broader collection authority for stricter use authority,” so that more is taken in but less is acted upon.

This position strikes some academics and participants in the process as a remarkable departure from what the highest legal authority in the land was thinking just two years ago.

That was when the Supreme Court’s Roberts wrote for a majority in declaring that mobile phones usually could not be searched without warrants.

After prosecutors said they had protocols in place to protect phone privacy, Roberts wrote: “Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.”

With little evidence that the Supreme Court agrees with the surveillance court, it remains possible it would reverse the trend. But a case would first need to make its way up there.

(Reporting by Joseph Menn in San Francisco; additional reporting by Dustin Volz, Mark Hosenball and John Walcott in Washington; Editing by Jonathan Weber and Grant McCool)