Tech companies and privacy advocates to Congress: End mass spying now

This post, written by Electronic Frontier Foundation legislative analyst Mark Jaycox, originally appeared on the foundation’s website.

A letter sent from major tech companies and civil society groups demanded Congress end the mass collection of calling records under Section 215 of the Patriot Act before an upcoming June 1 expiration date. The letter was signed by the Reform Government Surveillance coalition, which represents major tech companies like Google, Microsoft, and Yahoo, and by privacy groups like the ACLU and EFF.

Specifically, the letter urges:

a clear, strong, and effective end to bulk collection practices under the USA PATRIOT Act, including under the Section 215 records authority and the Section 214 authority regarding pen registers and trap & trace devices. Any collection that does occur under those authorities should have appropriate safeguards in place to protect privacy and users’ rights.

Even though the Attorney General and Director of National Intelligence have said the USA Freedom Act retains operational capabilities, the commitment by companies to end bulk collection is an important step in a Republican-led Congress that has increasingly used national security threats to stave off Section 215 reform.

The letter sends Congress a clear message: any bill to reform Section 215 must end mass collection, provide transparency requirements, and avoid adding any data retention or technology mandates. In the past we’ve defined ending bulk collection as a simple ban on mass spying. Similarly, groups like the Center for Democracy and Technology have noted that ending bulk collection means prohibiting the large-scale government collection and retention of non-public records about persons who are not connected to national security threats. Other groups, like the Open Technology Institute, have included the use of “an exclusive list of ‘unique’ identifiers” as a way to successfully end mass collection under Section 215.

EFF: Congress Must Pass FOIA Reform Legislation

This post by staff attorney Sophia Cope originally appeared on the website of the Electronic Frontier Foundation.

This week is Sunshine Week, an annual celebration to promote government transparency and access to information. As a public interest organization dedicated to these ideals, the Electronic Frontier Foundation continues to call on Congress to update the Freedom of Information Act, a key tool for citizens to obtain federal government records and to hold federal agencies accountable.

Two FOIA reform bills are pending in Congress. The Senate bill is the FOIA Improvement Act of 2015 (S. 337), which the Senate Judiciary Committee passed in February. The House bill, the FOIA Oversight and Implementation Act of 2015 (H.R. 653), has yet to be considered by the House Committee on Oversight and Government Reform.

An important aspect of both bills is that they narrow Exemption 5, which permits an agency to withhold inter-agency or intra-agency “pre-decisional” memos and other documents that reflect the agency’s “deliberative process” in reaching a final decision. Congress’ legitimate policy goal in enacting Exemption 5 was to permit some level of confidentiality in order to promote candor among agency employees.

Both bills create a time limit for documents withheld under Exemption 5, meaning that even if Exemption 5 technically applies to records, if the records are older than 25 years from the date of the FOIA request, the agency cannot withhold them from disclosure. The House bill goes a step further and requires disclosure of “records that embody the working law, effective policy, or the final decision of the agency.”

These reforms are important, particularly the language in the House bill, because Exemption 5 has been inappropriately used by many federal agencies to withhold documents that are arguably final decisions. The exemption has been used by the Justice Department, in particular, to withhold opinions by the Office of Legal Counsel (OLC), which is considered the authoritative source on how the executive branch interprets the law.

EFF lost a FOIA lawsuit last year that sought to obtain an OLC opinion that authorized the FBI’s use of “National Security Letters” to obtain citizens’ call logs without legal process and contrary to existing law. The ACLU and The New York Times won a similar lawsuit to obtain the OLC opinion authorizing the “targeted killing” of Americans only because the government had voided its ability to invoke Exemption 5 when it made various public statements about the targeted killing program.

One disappointing aspect of the FOIA reform bills is that they do not include a public interest balancing test for Exemption 5. Such language was originally included in the Senate bill last Congress, but it was stripped out at the last minute and not included in either bill this Congress. A public interest balancing test would require the disclosure of records if the public interest in doing so outweighs the agency’s interest in withholding the documents. This would give federal judges the power to order disclosure even if the agency appropriately invokes Exemption 5. The House bill does include language that directs the agencies to generally consider “whether the release of the records would be in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the government.”

If FOIA made clear that agencies cannot withhold documents that reflect the “working law, effective policy, or the final decision of the agency” and agencies and judges must consider the public interest in disclosure even if Exemption 5 technically applies, perhaps EFF would have won its lawsuit and the ACLU and New York Times would not have had to rely on unique facts to win their case. Without public access to OLC opinions, which have also authorized torture and warrantless wiretapping, the federal government creates a body of secret law, which is antithetical to a democratic society.

Notwithstanding the importance of narrowing the scope of Exemption 5, it is important to note that FOIA exemptions are generally discretionary, meaning that even if an exemption technically applies to a request, an agency has the discretion to disclose the records anyway. The FOIA reform bills would force greater transparency by codifying the Obama administration’s policy that agencies should implement FOIA under a presumption of openness and that records should only be withheld if the agencies can “reasonably foresee” harm from disclosure, not merely because an exemption technically applies. This would prohibit future administrations from shifting to a less transparent FOIA policy, which was the case with the last Bush administration.

The FOIA reform bills also strengthen the Office of Government Information Services (OGIS), also known as the FOIA ombudsman, which works with requesters and agencies to resolve FOIA disputes in order to avoid costly litigation. Both bills clarify that OGIS can issue its annual report (with recommendations for how agencies can improve FOIA implementation) without obtaining prior approval from any other Executive Branch agency or office, which has been a problem in the past. The Senate bill also provides that OGIS can issue advisory opinions on disputes between requesters and agencies at any time, either pursuant to its own discretion or a request from a party (current law only authorizes advisory opinions pursuant to OGIS’s discretion and after mediation fails).

Finally, both bills mandate the creation of a “consolidated online request portal” to provide the public with a “one-stop shop” for submitting FOIA requests to federal agencies, which is already underway by a few select agencies at FOIAonline.

While the FOIA reform bills could go further in improving FOIA implementation, they both offer meaningful changes that would enhance government transparency and advance the public’s right to know. EFF urges Congress to be true to the spirit of Sunshine Week and pass FOIA reform legislation as soon as possible.

Guess who wasn’t invited to the CIA’s Hacker Jamboree?


This post, written by Electronic Frontier Foundation staff attorney Nate Cardozo and legal fellow Andrew Crocker, originally appeared on the foundation’s website.

Apple, that’s who. Or Microsoft, or any of the other vendors whose products U.S. government contractors have successfully exploited according to a recent report in the Intercept. While we’re not surprised that the Intelligence Community is actively attempting to develop new spycraft tools and capabilities — that’s their job — we expect them to follow the administration’s rules of engagement. Those rules require an evaluation under what’s known as the “Vulnerabilities Equities Process.” In the White House’s own words, the process should usually result in disclosing software vulnerabilities to vendors, because “in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.”

Nevertheless, the Intercept article describes an annual CIA conference known as the Trusted Computing Base (TCB) Jamboree at which members of the intelligence community present extensively on software vulnerabilities and exploits to be used in spying operations. At the 2012 TCB Jamboree, presenters from Sandia National Laboratories, which is a contractor for the Department of Energy, described an attack on Xcode, the Apple software used to compile applications in Mac OS X and iOS. The “whacked” Xcode exploit, called Strawhorse, enables intelligence agents to implant a version of Xcode on developers’ computers which, unbeknownst to the developers, would cause software they compile to include a backdoor or other compromise. If successful, the attack could enable a range of surveillance-friendly applications to be covertly made available to the public. The report suggests that the Sandia team discovered and employed a number of additional vulnerabilities in Apple’s hardware and software, including a vulnerability in Apple’s secure element that enabled them to extract a secret key, and one that allowed modification of the OS X updater to install a keylogger. Finally, the report describes similar presentations on Microsoft’s BitLocker software and others.

The vulnerabilities involved in these exploits were almost certainly unknown to Apple itself, and the documents released by the Intercept do not indicate that the CIA or its contractors ever considered disclosing them to the company. Yet this is what the administration’s Vulnerabilities Equities Process requires—a balancing test that weighs the risk to average users of leaving unpatched vulnerabilities against the needs of the intelligence community.

EFF has sued under the Freedom of Information Act (FOIA) to uncover more about the Vulnerabilities Equities Process, which the White House characterized as a set of principles that inform “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.” Naturally, the Office of the Director of National Intelligence and the NSA have been less than forthcoming in response to our FOIA suit, producing only a handful of highly redacted documents to date. Given the scanty information we’ve received, and the freedom with which the Jamboree attendees seem to stockpile vulnerabilities, we have doubts that the Equities Process is really as “disciplined and rigorous” as the administration claims.

When asked for comment, an unnamed intelligence official told CNBC: “There’s a whole world of devices out there, and that’s what we’re going to do…It is what it is.”

EFF: The 4th Amendment covers DNA collection

This was originally published on the website of the Electronic Frontier Foundation.

San Francisco — People have a 4th Amendment right to privacy when it comes to their genetic material, the Electronic Frontier Foundation (EFF) argued in an amicus brief filed last week with the U.S. Supreme Court.

EFF is asking the Supreme Court to hear arguments in Raynor v. State of Maryland, a case that examines whether police should be allowed to collect and analyze “inadvertently shed” DNA without a warrant or consent, such as swabbing cells from a drinking glass or a chair. EFF argues that genetic material contains a vast amount of personal information that should receive the full protection of the Constitution against unreasonable searches and seizures.

“As human beings, we shed hundreds of thousands of skin and hair cells daily, with each cell containing information about who we are, where we come from, and who we will be,” EFF Senior Staff Attorney Jennifer Lynch said. “The court must recognize that allowing police the limitless ability to collect and search genetic material will usher in a future where DNA may be collected from any person at any time, entered into and checked against DNA databases, and used to conduct pervasive surveillance.”

Glenn Raynor’s genetic material was collected and tested without his knowledge or consent after he agreed to an interview at a police station as part of a criminal investigation. The police didn’t have probable cause to arrest Raynor, and he refused to provide a DNA sample. After he left the station, police swabbed the armrest of the chair where he had been sitting to collect his skin cells without his knowledge. The police then extracted a DNA profile from the cells and used it to connect him to the crime. The Maryland Court of Appeals ruled that this collection was lawful, and Raynor petitioned the Supreme Court for review. EFF’s brief supports Raynor’s petition.

The sophistication and speed of DNA analysis technology are advancing exponentially as the costs of the technology drop. These advances, EFF argues, raise significant questions for privacy and civil liberties. DNA can reveal sensitive personal health information and can allow police to identify a person’s relatives, turning family members into inadvertent “genetic informants” on each other. Some researchers have also postulated that DNA can determine race, sexual orientation, intelligence and even political predispositions.

“Law enforcement should not be able to amass giant databases of genetic material they find lying around,” EFF Senior Staff Attorney Hanni Fakhoury said. “The Supreme Court should review this case and consider it within the context of emerging technologies that could significantly affect the privacy rights of every American.”

For EFF’s amicus brief:

EFF: Making sense of a disappointing decision on mass surveillance

This article by senior staff attorney David Greene appeared on the website of the Electronic Frontier Foundation.

Feb. 10 marked a frustrating juncture in the Electronic Frontier Foundation’s long-running lawsuit against mass surveillance, Jewel v. NSA, filed on behalf of AT&T customers whose communications and telephone records are being vacuumed by the National Security Agency.

A federal court in San Francisco sided with the U.S. Department of Justice, ruling that the plaintiffs could not win a significant portion of the case — a 4th Amendment challenge to the NSA’s tapping of the Internet backbone — without disclosure of classified information that would harm national security. In other words, Judge Jeffrey White found that “state secrets” can trump the judicial process and held that EFF’s clients could not prove they have standing.

To be perfectly clear: This decision does not end EFF’s case. The judge did not find that it is legal for the NSA to tap into the Internet backbone. Nor does the ruling apply to the portion of the case that covers the NSA’s capture of telephone records on a massive scale. EFF will continue to fight in court, both in Jewel, as well as our two other ongoing lawsuits challenging NSA surveillance.

We disagree with the court’s decision, and it will not be the last word on the constitutionality of the government’s mass surveillance of the communications of ordinary Americans.

The Jewel backstory

Jewel was filed in 2008 on behalf of ordinary Americans. The case is based on a wide range of NSA mass surveillance disclosed to the public in a series of newspaper articles starting in 2005 and bolstered by a former AT&T technician whistle-blower who revealed a tap on AT&T’s fiber-optic “Internet backbone.” The public learned that the NSA was copying Internet traffic as it traversed the backbone, also known as Upstream collection, as well as that it was collecting telephone call detail records in bulk. EFF’s clients alleged that these practices violate the 1st and 4th Amendments to the Constitution and several other laws related to electronic surveillance.

Over the past seven years, both the district court and the 9th U.S. Circuit Court of Appeals have considered a variety of legal issues in the case. Last year, EFF appeared before the court during an emergency hearing over the NSA’s continual destruction of evidence.

This most recent ruling was in response to the motion for partial summary judgment EFF filed in July 2014 arguing that the NSA’s backbone surveillance violates the 4th Amendment. The government responded with its own motion for partial summary judgment, asserting several defenses, including the “state secrets” privilege, which permits judges to disregard evidence that would endanger national security if publicly released. In support of its motion, the government filed secret declarations by NSA officials that were available to White, but not to us or the public; and the judge relied on this evidence in his order.

Standing and state secrets

White did not rule on the legality or constitutionality of the NSA mass Internet surveillance we challenged. Rather, the court explained that the publicly available information did not paint a complete picture of how the NSA collects Internet traffic, so the court could not rule on the program without looking at information that could constitute “state secrets.”

“Because a fair and full adjudication of the Government Defendants’ defenses would require harmful disclosures of national security information that is protected by the state secrets privilege, the Court must exclude such evidence from the case,” White writes in the decision. “Addressing any defenses involves a significant risk of potentially harmful effects any disclosures could have on national security.”

Agreeing with the government, the court found that the plaintiffs lacked “standing” to challenge the constitutionality of the program because they could not prove that the surveillance occurred as plaintiffs alleged. Despite the judge’s finding that he could not adjudicate the standing issue without “risking exceptionally grave damage to national security,” he expressed frustration that he could not fully explain his analysis and reasoning because of the state secrets issue.

“The Court is frustrated by the prospect of deciding the current motions without full public disclosure of the Court’s analysis and reasoning,” he writes. “However, it is a necessary by-product of the types of concerns raised by this case. Although partially not accessible to the Plaintiffs or the public, the record contains the full materials reviewed by the Court. The Court is persuaded that its decision is correct both legally and factually and furthermore is required by the interests of national security.”

We disagree. Notably, White did not mention the statutory procedure available for considering classified information. The Foreign Intelligence Surveillance Act (FISA) allows courts to examine secret evidence that is necessary to determine whether surveillance conducted by the government was done legally. In a decision in 2013, White correctly ruled that this FISA procedure preempts the state secrets privilege; and we believe that the government’s use of the privilege here was improper.

The decision does not fully resolve the case. Again, the court considered only a part of our case — the NSA’s copying of Internet traffic from the Internet backbone — based on the publicly available evidence, primarily the report published by the president’s Civil Liberties Oversight Board and information provided by whistle-blower Mark Klein. Our motion did not place at issue any of the other surveillance programs that are part of the lawsuit, such as the mass surveillance of telephone call records.

Those other claims remain, and we intend to pursue them.

EFF: Secure Our Borders First Act would ensure proliferation of drones at the border

This article by activist Nadia Kayyali originally appeared on the website of the Electronic Frontier Foundation.

Security shouldn’t be a synonym for giving up civil liberties. But bills like HR 399 show that lawmakers think it is. The Secure Our Borders First Act is an ugly piece of legislation that’s clearly intended to strong-arm the Department of Homeland Security into dealing with the border in a very particular way: with drones and other surveillance technology.

The bill appears to have stalled in the House. It was on the calendar for last week but wasn’t voted on, and it’s not on the schedule for this week. But it’s not dead yet. And even if it does die, this isn’t the first time Congress has tried to increase the use of drones at the border. In 2013, the Senate passed S.744, the Border Security, Economic Opportunity and Immigration Modernization Act. The bill called for the use of drones “24 hours per day and for 7 days per week.” The House of Representatives did not pass the legislation, but the drone mandate in HR 399 is eerily similar. And it demonstrates that the idea that drones should be used at the border is persistent.

The 72-page piece of legislation, authored by Rep. Michael McCaul (R-Texas), gives the Department of Homeland Security (DHS) an incredibly specific mandate. It requires DHS to gain “operational control” of high traffic areas within 2 years, and the entire southern border within 5 years. Operational control means “the prevention of all unlawful entries into the United States.” It prescribes exactly how that should be done and even includes penalties for failure to do so, including pay freezes for government officials.

The bill also prescribes how operational control should be obtained. It does this by prescribing what equipment 11 specific border points should use. At several of the points, that equipment includes drones. Additionally, the bill includes the following mandate:

The Office of Air and Marine of U.S. Customs and Border Protection [CBP] shall operate unmanned aerial systems not less than 16 hours per day, seven days per week.

As the ACLU notes, it’s a little shocking that the bill includes such mandates only “weeks after a damning DHS Inspector General (DHS IG) report titled ‘CBP Drones are Dubious Achievers.’” And that’s just the most recent report. In June 2012, the Electronic Frontier Foundation called attention to another DHS IG report that faulted the DHS for wasting time, money and resources using drones that were ineffective and lacked oversight. To put it in perspective, Predator drones cost $3,000 per hour to fly. That’s certainly part of the reason that HR 399 authorizes $1 billion in appropriations.

Of course, the waste of money in this bill pales in comparison to its potential negative impact on civil liberties. Drones pose a multitude of privacy concerns. Drones can be equipped with, among other capabilities, facial-recognition technology; live-feed video cameras; thermal imaging; fake cellphone towers to intercept phone calls, texts and GPS locations; as well as back-end software tools like license-plate recognition, GPS tracking and facial recognition. They are capable of highly advanced and near-constant surveillance and can amass large amounts of data on private citizens, which can then be linked to data collected by the government and private companies in other contexts.

Lest it seem that this will affect only communities directly adjacent to the border, or individuals being investigated or pursued by CBP, it’s important to note that the government considers the border to extend 100 miles in, and CBP has certain powers to conduct activities like searches that would be unconstitutional elsewhere. Furthermore, according to documents obtained by the EFF as part of a Freedom of Information Act lawsuit against the agency, CBP appears to be flying drones well within the Southern and Northern U.S. borders for a wide variety of non-border patrol reasons. In fact, the documents showed that between 2010 and 2012, the number of missions CBP flew for state, local and non-CBP federal agencies increased eightfold.

The silver lining? The legislation hasn’t passed yet. There’s still time to contact your elected representatives and tell them to vote no.

EFF: New report on bulk collection shows that there’s no magical solution to bad policy

This article by activist Nadia Kayyali originally appeared on the website of the Electronic Frontier Foundation.

The National Academy of Sciences has released “Bulk Collection of Signals Intelligence: Technical Options,” a report on technical solutions to the problem of bulk collection. The report, which was made public on Jan. 15, was the result of Barack Obama’s Presidential Policy Directive 28 (PPD 28). PPD 28 mandated an assessment of “the feasibility of creating software that would allow the Intelligence Community more easily to conduct targeted information acquisition rather than bulk collection.”

PPD 28 asked for a limited technical assessment. And that’s the substance of the report. Some analyses of the report from the media seem to misunderstand this, emphasizing that the report finds “no effective alternative to the government’s ‘bulk collection.’” But the report makes it clear that it does not address “policy questions and tried to avoid making judgments about them.” In fact, as the report aptly (and repeatedly) points out:

Other groups, such as the President’s Review Group on Intelligence and Communications Technologies and the Privacy and Civil Liberties Oversight Board (in its Section 215 report) have said that bulk collection of telephone metadata is not justified. These were policy and legal judgments that are not in conflict with the committee’s conclusion that there is no software technique that will fully substitute for bulk collection; there is no technological magic.

That’s right. There’s no software magic that can recreate the past in the same way that bulk collection of the phone records of millions of innocent people can. That’s all the report (unsurprisingly) concludes about bulk collection.

While our current lack of a software time-machine may be a disappointment, it does not mean there is no alternative to bulk collection. Alternatives abound. Indeed, in the context of Section 215 and the bulk collection of Americans’ phone records, after just six months of public debate and deliberation, an alternative was proposed that would ensure that the intelligence community has the “necessary and appropriate tools to help keep us safe,” while “end[ing] the dragnet collection of phone records under Section 215 of the PATRIOT Act.”

But the government hasn’t made it easy to have an honest debate about bulk surveillance, since, as the report notes, “Very little has been made public about actual cases where U.S. SIGINT has contributed to counterterrorism… The selection of the cases that were made public, the details of the accounts, and their significance have all been controversial.” Compounding these shortcomings, officials have made trumped-up claims about the effectiveness of bulk collection — claims that have been criticized by the President’s Review Board and the Privacy and Civil Liberties Oversight Board, among others. It’s impossible to have an honest debate without access to facts.

Ultimately, as the report points out, “whether the gain in privacy is worth the loss [of bulk collection] is a policy question that the committee does not address” — and it’s one we might not even need to answer. We’re confident that alternatives to bulk collection exist — alternatives that can be created through honest and full public debate, alternatives that preserve important national security functions without compromising the privacy of millions.

So there may be no technological magic bullet. And there may not even be a political magic bullet. But that doesn’t mean there aren’t solutions.

EFF: In wake of Charlie Hebdo attack, let’s not sacrifice even more rights

This article by Sophia Cope and Jillian York originally appeared on the website of the Electronic Frontier Foundation.

The Electronic Frontier Foundation is stunned and deeply saddened by the attack on Charlie Hebdo, a French satirical newspaper. As free speech advocates, we mourn the use of violence against individuals who used creativity and free expression to engage in cultural and political criticism. Murder is the ultimate form of censorship.

The journalists and cartoonists at Charlie Hebdo have long used satire to engage in cultural critique, a form of expression strongly protected by international norms and with deep historical roots in prompting societal change and igniting discussions on controversial issues (see, for example, Jonathan Swift’s Modest Proposal and Voltaire’s Candide). In the age of the Internet, satire is finding fecund ground on video-sharing sites, social media and across the blogosphere as a way of engaging in discussion on political issues, social ideas, economic theory and even poking fun at celebrities. While satire has a long history in France, it has become commonplace in many countries, including in the Middle East, where satirists such as Bassem Youssef (“Egypt’s Jon Stewart”) have faced pressure to go silent. In the face of tragedy and extremism, humor can be a way of reclaiming power.

Often in the wake of a terrorist attack, we see governments move swiftly to adopt new laws without consideration of the privacy rights being sacrificed in the process. Even as we mourn the losses at Charlie Hebdo, we must be wary of any attempt to rush through new surveillance and law enforcement powers, which are likely to disproportionately affect Muslims and other minorities.

The attack on Charlie Hebdo was an attack on individuals exercising their free expression rights. But we must not sacrifice some rights in a rush to protect others.

There are numerous instances in which countries enacted sweeping new laws in the wake of an attack or in response to a threat, when grief and fear outweighed commitments to freedom of expression and privacy. The consequences can be far reaching. In the United Kingdom, the government swiftly revised police powers with the Terrorist Act of 2006 in the wake of bombings in London. In Australia, new legislative measures were introduced in response to a foiled terrorism plot. In 2012, Iraq tried to quickly push through a set of strict “cybercrime” laws in the wake of the Arab Spring uprisings. And in the U.S., the 9/11 attacks were used to justify poorly considered legislation that significantly broadened surveillance authorities. Already, U.S. senators are using the Paris attacks to justify mass surveillance programs by the National Security Agency.

Let us defend freedom of expression by committing to uphold all rights.

EFF: What we learned about NSA spying in 2014 and what we’re fighting to expose in 2015

This story by activist Nadia Kayyali and staff attorney Mark Rumold originally appeared on the website of the Electronic Frontier Foundation.

After a banner year for shedding light on the NSA’s secret surveillance programs in 2013, the pace of disclosures in 2014 — both from whistleblowers and through Freedom of Information Act (FOIA) lawsuits — slowed significantly.

But that’s not because all the secrets of NSA surveillance have been revealed.

In fact, some of the most significant information about the NSA’s surveillance programs still remains secret. Despite one of the most significant leaks in American history and despite a promise to declassify as much information as possible about the programs, nearly two years later the government still refuses to provide the public with the information it needs. For example, government officials still have not answered a simple, yet vitally important, question: What type of information does the NSA collect about millions, or hundreds of millions, of Americans (or the citizens of any other country, for that matter)? And the government still refuses to release some of the most significant decisions of the Foreign Intelligence Surveillance Court — the secret court tasked with monitoring the government’s surveillance programs.

Despite the slowdown, in 2014, we learned still more about the NSA’s surveillance programs than we knew before. We learned that:

  • Through the NSA’s Mystic program, the agency records every single cellphone conversation in the Bahamas and Afghanistan, storing those conversations for up to 30 days.
  • The NSA specifically targets systems administrators — the people who are often charged with keeping networks safe and secure.
  • The NSA and its partners exploit mobile apps, such as the popular Angry Birds game, to access users’ private information such as location, home address, gender and more.
  • The NSA sought to develop capabilities to infect millions of computers with malware implants as part of its TURBINE program.
  • The NSA’s Dishfire operation collects 200 million text messages daily from users around the globe.
  • The NSA “intercepts ‘millions of images per day’ — including about 55,000 ‘facial recognition quality images’” and processes them with powerful facial recognition software.
  • The NSA spies on civic leaders and model citizens. The Intercept put a face to NSA spying, publishing a profile of five American Muslim leaders who have been targeted for surveillance. They include an attorney, two professors, a former member of the Bush administration and the founder of the Council on American-Islamic Relations.

Despite all this additional information, too much still remains secret.

But there’s reason to hope for 2015. For one, in response to an EFF FOIA lawsuit, a federal court has ordered the government to release some of the remaining, significant, and still-secret FISC opinions in the early part of 2015. We also launched a campaign to reform Executive Order 12333, and as part of that campaign, we’re urging the government to come clean about the types of information it collects on millions of people around the world. Whether it’s in federal court or the court of public opinion, in 2015, we’ll keep fighting for the public’s right to know.

This article is part of our Year In Review series; read other articles about the fight for digital rights in 2014.

EFF’s 2014 holiday wish list

This article, by global policy analyst Eva Galperin, was published on the website of the Electronic Frontier Foundation on Dec. 18.

For the past three years, the Electronic Frontier Foundation has greeted the holiday season by publishing a list of things we’d like to see happen in the coming year. Sometimes these are actions we’d like to see taken by companies, and sometimes our wishes are aimed at governments, but we also include actions everyday people can take to advance our digital civil liberties. This year has seen great progress in areas such as transparency reports and encrypting digital communications. We want to build on that progress in 2015.

Here are some of the things we’re wishing for this holiday:

  • News organizations and individual journalists should make it easy to securely accept documents from anonymous sources by setting up their own instances of SecureDrop.
  • President Obama should stand up for the privacy rights of people all over the world and amend Executive Order 12333 to prohibit mass surveillance. Most people have never heard of it, but Executive Order 12333 is “the primary authority under which the country’s intelligence agencies conduct the majority of their operations.” So while the U.S. Congress is considering bills to curtail mass telephone surveillance, the NSA’s primary surveillance authority will be left unchallenged. Let’s change that in 2015.
  • Congress should pass meaningful reform to the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.
  • Companies that provide digital communications services should enable real end-to-end encryption for users, without backdoors for law enforcement (We’re looking at you, Verizon!). There have been some great steps in this direction already, but we want to see a race to the top.
  • Websites should honor Do Not Track.
  • Facebook should follow the lead of Google+ and drop its harmful “real names” policy.
  • Congress should defend users and refuse to put secret trade agreements like the Trans-Pacific Partnership (TPP) agreement on the fast track to ratification. Deals like TPP include provisions that threaten digital rights for Internet users everywhere in the name of intellectual property protection.
  • U.S. policymakers should strongly advocate for the benefits of a flexible fair use system. When they are involved in international policymaking, they should propose safeguards for users to counteract extreme copyright restrictions. They should start by supporting a legally binding treaty for copyright exceptions and limitations for libraries and archives.
  • All Internet sites should adopt cryptographic best practices for every connection, every time, including PFS, STARTTLS, HSTS and encrypted traffic between data centers.
  • Companies should offer clear guidelines and a path for the disclosure of vulnerabilities that will not get security researchers sued.
  • The NSA and the Office of the Director of National Intelligence should disclose their Vulnerability Equities Process. All that they’ve told us so far is that this process is used to determine whether to disclose software security flaws known as “zero days” or to keep them secret for their own use, but we’ve had to file a FOIA lawsuit to get the details.

EFF: Copyright law as a tool for state censorship of the Internet

This story by global policy analyst Maira Sutton originally appeared on the website of the Electronic Frontier Foundation.

When state officials seek to censor online speech, they’re going to use the quickest and easiest method available. For many, copyright takedown notices do the trick. After years of lobbying and increasing pressure from content industries on policymakers and tech companies, sending copyright notices to take media offline is easier than ever.

The copyright law that state actors most often invoke is the Digital Millennium Copyright Act (DMCA). The DMCA was the first major digital copyright law passed in the United States, creating strict procedural rules for how and when a copyright holder can claim that uploaded content infringes on their copyright. U.S.-based tech companies that receive these infringement notices must comply with these rules to receive their safe harbor — the protection they have from being liable for hosting unlawful user content.

The DMCA has become a global tool for censorship, precisely because it was designed to facilitate the removal of online media. The law carries provisions on intermediary liability, among many other strict copyright enforcement rules, which induce websites, Internet service providers and other such “intermediaries” to remove content that is alleged to be a copyright infringement.

If the DMCA is U.S. law, how can governments around the world use it to censor speech? The DMCA has become the default template for tech companies to respond to copyright infringement notices. Since many major tech companies have offices in the U.S., they must comply with U.S. law. But even if they don’t operate in this jurisdiction, most major companies have implemented a DMCA-style takedown procedure anyway because it has become a de facto legal norm.

It’s a norm that is reinforced and exported abroad by dozens of trade agreements that carry provisions that mirror, and further entrench, restrictive interpretations of the DMCA. The South Korea-U.S. free trade agreement (aka KORUS) and the Australia-U.S. free trade agreement (aka AUSFTA) are just two examples. The language in those agreements was actually a lot like the DMCA. But the negotiators abstracted the language just enough so that U.S. law could still be compliant with it, while the other countries could be pressured to enact even harsher domestic restrictions. Following their trade agreements with the U.S., South Korea enacted a three-strikes takedown regime, and Australia was pushed into enacting policies requiring intermediaries to terminate the accounts of repeat infringers.

Now we’re seeing a disturbing trend where governments and state-friendly agencies are abusing DMCA takedowns to silence political criticism. Here are the cases we know about where governments have misused U.S. copyright law to censor the Internet.

DMCA and State Censorship Around the World: A Timeline of Case Studies

  • United States: YouTube removed a 30-second Air Force recruitment ad after lawyers for the Air Force’s Cyber Command sent a DMCA notice demanding it take it down. The notice was likely invalid, since U.S. government works are in the public domain. (March 2008)
  • Saudi Arabia: A satirical show on YouTube called “Fitnah” was censored when the primary, state-funded Saudi TV channel, Rotana, sent DMCA notices to take down several of their videos. Later, a Lebanese TV show did a report about the takedown, and then another DMCA notice was sent and it was also removed from YouTube. All of the videos were later restored. (September 2014)

There are likely many more notices that state actors have used to censor users. Rightsholders are sending more and more DMCA takedowns by the year, and a telling sign of this is that some companies have begun to quantify this abuse in their transparency reports. As companies are increasingly being forced to be complicit in this censorship, it’s now more important than ever for them to be transparent about the notices they receive, and for them to take advantage of the flexibility they have under the DMCA to do what they can to protect users’ speech.

If you know of any cases of state-mandated Internet censorship carried out through the DMCA or other copyright laws’ takedown procedures, please send them to The Electronic Frontier Foundation already tracks general DMCA takedowns with our Takedown Hall of Shame. Now EFF is looking for more cases where governments and their agencies have directly sought to censor the Internet via their own takedown requests.

Censoring the Web isn’t the solution to terrorism or counterfeiting; it’s the problem

This story by Senior Global Policy Analyst Jeremy Malcolm appeared on the website of the Electronic Frontier Foundation.

In politics, as with Internet memes, ideas don’t spread because they are good; they spread because they are good at spreading. One of the most virulent ideas in Internet regulation in recent years has been the idea that if a social problem manifests on the Web, the best thing that you can do to address that problem is to censor the Web.

It’s an attractive idea because if you don’t think too hard, it appears to be a political no-brainer. It allows governments to avoid addressing the underlying social problem — a long and costly process — and instead simply pass the buck to Internet providers, who can quickly make whatever content has raised rankles “go away.” Problem solved! Except, of course, that it isn’t.

Among the difficult social problems that Web censorship is often expected to solve are terrorism, child abuse, and copyright and trademark infringement. In recent weeks, some further cases of this tactic being vainly employed against such problems have emerged from the United Kingdom, France and Australia.

U.K. court orders ISPs to block websites for trademark infringement

In a victory for luxury brands and a loss for Internet users, the British High Court last month ordered five of the country’s largest ISPs to block websites selling counterfeit goods. While alarming enough, this was merely a test case, leading the way for a reported 290,000 websites to be potentially targeted in future legal proceedings.

Do we imagine for a moment that, out of a quarter-million websites, none of them are false positives that actually sell non-infringing products? (If websites blocked for copyright infringement or pornography are any example, we know the answer.) Do we consider it a wise investment to tie up the justice system in blocking websites that could very easily be moved under a different domain within minutes?

The reason this ruling concerns us is not that we support counterfeiting of manufactured goods. It concerns us because it further normalizes the Band-Aid solution of content blocking, and de-emphasises more permanent and effective solutions that would target those who actually produce the counterfeit or illegal products being promoted on the Web.

Britain and France call on ISPs to censor extremist content

Not content with enlisting major British ISPs as copyright and trademark police, the government has also recently called upon them to block extremist content on the Web and to provide a button that users can use to report supposed extremist material. Usual suspects Google, Facebook and Twitter have also been roped in by the government to carry out blocking of their own. Yet to date, no details have been released about how these extrajudicial blocking procedures would work or under what safeguards of transparency and accountability, if any, they would operate.

This fixation on solving terrorism by blocking websites is not limited to the United Kingdom. Across the channel in France, a new “anti-terrorism” law that the Electronic Frontier Foundation reported on earlier was finally passed this month. The law allows websites to be blocked if they “condone terrorism.” “Terrorism” is as slippery a concept in France as anywhere else. Indeed, France’s broad definition of a terrorist act has drawn criticism from Human Rights Watch for its legal imprecision.

Australian plans to block copyright infringing sites

Finally (though, sadly, probably not), reports last week suggest that Australia will be next to follow the example of the U.K. and Spain in blocking websites that host or link to allegedly copyright-infringing material, following on from a July discussion paper that mooted this as a possible measure to combat copyright infringement.

How did this become the new normal? When did politicians around the world lose the will to tackle social problems head-on, and instead decide to sweep them under the rug by blocking evidence of them from the Web? It certainly isn’t due to any evidence that these policies actually work. Anyone who wants to access blocked content can trivially do so, using software like Tor.

Rather, it seems to be that it’s politically better for governments to be seen as doing something to address such problems, no matter how token and ineffectual, than to do nothing — and website blocking is the easiest “something” they can do. But not only is blocking not effective, it is actively harmful — both at its point of application, due to the risk of over-blocking, and for the Internet as a whole, in the legitimization that it offers to repressive regimes to censor and control content online.

Like an overused Internet meme that deserves to fade away, so too it is time that courts and regulators moved on from website blocking as a cure for society’s ills. If we wish to reduce political extremism, cut off the production of counterfeits or prevent children from being abused, then we should be addressing those problems directly — rather than by merely covering up the evidence and pretending they have gone away.

New malware detection tool can expose illegitimate state surveillance

This post, written by Eva Galperin, was originally published on the Electronic Frontier Foundation website.

Recent years have seen a boom in the adoption of surveillance technology by governments around the world, including spyware that provides its purchasers the unchecked ability to target remote Internet users’ computers, to read their personal emails, listen in on private audio calls, record keystrokes and passwords, and remotely activate their computer’s camera or microphone. The Electronic Frontier Foundation, together with Amnesty International, Digitale Gesellschaft, and Privacy International, have all had experience assisting journalists and activists who have faced the illegitimate use of such software in defiance of accepted international human rights law.

Software like this is designed to evade detection by its victims. That’s why we’ve joined together to support Detekt, a new malware detection tool developed by security researcher Claudio Guarnieri. Detekt is an easy-to-use, open source tool that allows users to check their Windows PCs for signs of infection by surveillance malware that we know is being used by governments to spy on activists and journalists.

Some of the software used by states against innocent citizens is widely available on the Internet, while more sophisticated alternatives are made by private companies and sold to governments everywhere from the United States and Europe to Ethiopia and Vietnam.

Detekt makes it easy for at-risk users to check their PCs for possible infection by this spyware, which often goes undetected by existing commercial anti-virus products.

Because Detekt is a best-effort tool and spyware companies make frequent changes to their software to avoid detection, users should keep in mind that Detekt cannot conclusively guarantee that their computer is not compromised by the spyware it aims to detect. However, we hope that the availability of this tool will help us to detect some ongoing infections, provide advice to infected users, and contribute to the debate around curbing the use of government spyware in countries where it is linked to human rights abuses.

EFF: Why metadata matters and the third-party doctrine doesn’t

This piece, written by activist Nadia Kayyali, first appeared on the Electronic Frontier Foundation’s website.

How can the U.S. government possibly claim that its collection of the phone records of millions of innocent Americans is legal? It relies mainly on two arguments: first, that no one can have a reasonable expectation of privacy in their metadata; and second, that the outcome is controlled by the so-called “third-party doctrine,” which says that no one has an expectation of privacy in information they convey to a third party (such as telephone numbers dialed). The Electronic Frontier Foundation expects the government to press both of these arguments on Nov. 4 before the District of Columbia Circuit Court of Appeals. We look forward to responding.

Oral argument will take place at 9:30 a.m. at the District of Columbia Circuit Court at 333 Constitution Ave. NW in Courtroom 20 before Judges David Sentelle, Stephen Williams and Janice Rogers Brown. The public is welcome to attend.

A little context for EFF’s role in this case: EFF and the American Civil Liberties Union filed an amicus brief in Klayman v. Obama on Aug. 20. The case itself was first filed June 6, 2013, just one day after journalists began publishing information from the Edward Snowden leaks; and it was the first challenge to the government’s “telephony metadata” collection. Judge Richard Leon of the District Court for the District of Columbia granted a preliminary injunction. The government appealed, Klayman cross appealed some issues, and now the case is headed to the Court of Appeals.

Leon found that the government’s bulk collection of telephony metadata likely constitutes an unconstitutional search under the 4th Amendment. We agree. And since the issue is so important, we weighed in on the case along with the ACLU and the ACLU of the Nation’s Capital. We asked the court for the right to participate in the oral argument. The court agreed, giving us 10 minutes and also giving 10 minutes to another amicus, the Center for National Security Studies. Cindy Cohn will argue the case for EFF and ACLU.

Here’s what we’ll be saying on those two key points:

Metadata matters

We want to ensure that the court recognizes that “the call records collected by the government are not just metadata — they are intimate portraits of the lives of millions of Americans.”

The argument that the bulk collection of private information from millions of Americans is no big deal because it’s “just metadata” is a tired one. It’s been disproven by research, and it doesn’t stand up to common sense. First, there’s no bright line. What is deemed “metadata” is often murky (such as subject lines and URLs), context-dependent and not clearly distinguishable from content, which everyone agrees is protected by the 4th Amendment.

Second, and more important, even without listening in on a conversation, metadata reveals private information — sometimes more than would be revealed by content.

We offer some examples where metadata is more revealing in our brief: People can “donate to charities by sending a text message…The metadata about these texts reveals that the subscriber has donated to a specific charity or cause, while the content of the message contains at most a donation amount.” Similarly, “an hour-long call at 3 a.m. to a suicide prevention hotline” could be very revealing. In fact, even a single piece of metadata could reflect an individual’s political or religious associations or mental health issues.

Consider a short-term study at Stanford that analyzed only a few months of telephony metadata from just 546 people and focused partly on individual calls. The researchers found many calls that even in isolation could be revealing, such as a call to a political campaign, noting: “Many organizations have a narrow purpose, such that an individual call gives rise to sensitive inferences.” The study found “numerous calls within our dataset that give rise to these sorts of straightforward inferences.”

By contrast, the government is collecting huge amounts of metadata — by conservative estimates, at least billions of call records. And as the Stanford study showed, these records are exponentially revealing in the aggregate: “A pattern of calls will often, of course, reveal more than individual call records. During our analysis, we encountered a number of patterns that were highly indicative of sensitive activities or traits.”

As important as the sensitivity of the information here is the fact that the potential sensitivity is exactly why the government wants the information. The government has emphasized repeatedly in speeches and in legal briefs that it needs to collect so much metadata specifically so that it can analyze complete (or at least very big) datasets. That makes sense since, as we point out in our brief, this aggregation provides context and information to metadata and allows analysts to create “social graphs” that map webs of relationships between individuals and groups. In fact, aggregated metadata could allow an analyst to determine “the membership, structure, or participants in organizations and movements like the NAACP, the Tea Party, or Occupy Wall Street …”

To compound the privacy invasion, metadata is highly structured, making it ideal for the kind of analysis that reveals highly personal information. It’s easier to review than the content of communications. And since the government’s argument is that all metadata is unprotected, it’s important not to consider it in a vacuum. As we note, metadata “is truly ubiquitous, created through the innumerable and near-continuous digital transactions and interactions attendant to modern life.”

The ‘third-party doctrine’ is not controlling

After trying to convince the court that metadata just isn’t that revealing, the government says that the 4th Amendment also doesn’t apply because we “voluntarily” turn over the numbers we dial to telephone companies — as if this weren’t just an artifact of how the phones work and instead was some kind of individual choice we make. Because of this, the government argues, the situation is governed by the “third-party doctrine,” the idea that people have no expectation of privacy in information they entrust to others.

That argument is almost as tired as the metadata claim and ignores the realities of modern life. The third-party doctrine comes from a 1979 Supreme Court case, Smith v. Maryland, which involved the collection of the phone numbers dialed by a criminal suspect over the course of three days using a rudimentary pen register. And as Leon said in his opinion in the lower court:

[T]he Court in Smith was not confronted with the NSA’s Bulk Telephony Metadata Program. Nor could the Court in 1979 ever have imagined how the citizens of 2013 would interact with their phones.

Leon hits the nail on the head. As we point out, the issue in Klayman is not limited to collection of the numbers dialed by one individual suspected of criminal wrongdoing over a very short period of time. The issues here are bulk collection and sophisticated analysis of the detailed telephone records of millions of people suspected of nothing at all.

We emphasize five significant points of difference in our brief:

  • Scale: The program collects data for all or nearly all Americans, rather than one individual suspected of a serious crime.
  • Duration: The current program captures years of data, while the pen register in Smith captured data for only three days.
  • Changes in telephone use: Use of the telephone has changed dramatically since 1979, when telephones were largely stationary devices shared among a number of users, with one number per household or organization. Today, as landline usage dwindles, mobile phones have become personal, not shared, devices that many people carry constantly with them and use dozens, if not hundreds, of times per day.
  • Information collected: The phone records in this case include whether the call was completed, its duration, and other information rather than simply which numbers were being dialed, as in Smith.
  • Individualized suspicion: The program does not collect information based on individualized suspicion of any sort, much less individualized suspicion of a crime.

These differences mean that it’s just not credible to try to cram the government’s gigantic, revealing telephone records collection into the narrow box of the Smith line of cases. As our brief notes, that’s “a result unimaginable when Smith was decided and certainly not considered by the Court.”

In short, both the government’s metadata argument and its third-party doctrine argument are wrongly applied to massive telephone record collection. Moreover, both ask the court to ignore how we live today, with our “papers and effects” stored with third parties and metadata trailing our every move. Yet even with technological changes, we can and do have reasonable expectations that this information will remain private. We look forward to the court’s careful consideration of these and other points on Tuesday.

EFF, ACLU to present oral argument in NSA spying case on Nov. 4

This originally appeared on the website of the Electronic Frontier Foundation.

Washington, D.C. — The Electronic Frontier Foundation (EFF) will appear before a federal appeals court next week to argue the National Security Agency (NSA) should be barred from its mass collection of telephone records of millions of Americans. The hearing in Klayman v. Obama is set for 9:30 a.m. on Tuesday, Nov. 4, in Washington, D.C.

Appearing as an amicus, EFF Legal Director Cindy Cohn will present oral argument at the U.S. Court of Appeals for the District of Columbia Circuit on behalf of EFF and the American Civil Liberties Union (ACLU), which submitted a joint brief in the case.

Conservative activist and lawyer Larry Klayman filed the suit in the aftermath of the first Edward Snowden disclosure, in which The Guardian revealed how the NSA was collecting telephone records on a massive scale from the telecommunications company Verizon. In December, District Court Judge Richard Leon issued a preliminary injunction in the case, declaring that the mass surveillance program was likely unconstitutional.

EFF argues that the call-records collection, which the NSA conducts with claimed authority under Section 215 of the USA PATRIOT Act, violates the 4th Amendment rights of millions of Americans. Separately, EFF is counsel in two other lawsuits against the program — Jewel v. NSA and First Unitarian Church of Los Angeles v. NSA — and is co-counsel with the ACLU in a third, Smith v. Obama.

EFF: Three spooky ways you’re being spied on this Halloween

This piece, written by activist Nadia Kayyali, first appeared on the Electronic Frontier Foundation’s website.

It’s that time of year when people don sinister masks, spray themselves with fake blood and generally go all-out for a good fright. But at the Electronic Frontier Foundation, we think there are plenty of real-world ghouls to last year-round. Fortunately, we won’t let them hide under your bed. Sometimes our work sounds like science fiction, but the surveillance techniques and technology we fight are all too real. Here are some of the beasts hiding in your backyard that we’ve been fighting to expose.

Automated license plate readers

Automated license plate readers (ALPRs) are cameras that can either be mounted on squad cars or be stationary. They read license plates and record the time, date and location a particular car was encountered. And they’re paving the way for wholesale tracking of every driver’s movements. ALPRs can scan up to 1,800 license plates per minute and can collect data on vast numbers of vehicles. In Los Angeles, for example, the Los Angeles Police Department and Sheriff’s Department collect data on 3 million cars per week.

Much like metadata about phone calls, the information obtained from ALPRs reveals sensitive personal information. In fact, the International Association of Chiefs of Police issued a report in 2009 recognizing that “recording driving habits” could raise 1st Amendment concerns because cameras could record “vehicles parked at addiction-counseling meetings, doctors’ offices, health clinics, or even staging areas for political protests.”

Because of this potential for serious invasions of privacy, EFF and the American Civil Liberties Union teamed up to ask the city and county of Los Angeles for a week’s worth of ALPR data. The lower court sided with the government after it denied our request, but we’re appealing the ruling.

Fusion centers

Fusion centers are information clearinghouses that enable unprecedented levels of bidirectional information sharing between state, local, tribal and territorial law enforcement agencies and federal agencies like the FBI and Department of Homeland Security. Bidirectional means that local law enforcement can share information with these agencies while also accessing federal information, through portals like the FBI’s eGuardian database.

Fusion centers are a serious threat to privacy. They magnify the impact of excessive spying by making sure that it gets shared through a vast network of agencies with almost no oversight.

And oversight is clearly needed. Fusion centers coordinate the National Suspicious Activity Reporting Initiative (NSI), an effort to implement suspicious activity reporting (SAR) nationwide. SAR are intelligence reports that, according to the government, document “behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.” And while they do lead to law enforcement contact with innocent people, they do not meet legally cognizable standards for search or seizure under the 4th Amendment. Instead, they lead to racial and religious profiling and political repression. Public records act requests have shown that people of color often end up being the target of SARs.

And that’s not the only way fusion centers threaten privacy and civil liberties. Public records requests have also shown that fusion centers are used to record and share information about 1st Amendment-protected activities in a way that aids repressive police activity and chills freedom of association.

That’s why when the Privacy and Civil Liberties Oversight Board (PCLOB) announced that it was considering looking at the standards for SAR, EFF submitted a comment. We urged PCLOB not only to review SAR standards, but to conduct a thorough assessment of fusion centers in general. We believe that such a review will show what every other review by the government has shown: that fusion centers produce “predominantly useless information,” “a bunch of crap,” while “running afoul of departmental guidelines meant to guard against civil liberties” and are “possibly in violation of the Privacy Act.”


Last but not least, we’re keeping an eye on the spreading use of Stingrays. (Stingray is the brand name of an international mobile subscriber identity locator.) These are devices that are used by law enforcement to electronically search for a particular cellphone’s signal by capturing the international mobile subscriber identity of potentially thousands of people in a particular area. Small enough to fit in a van, they masquerade as a cellphone tower and trick your phone into connecting with them every 7 to 15 seconds. As a result, the government can surreptitiously figure out whom, when and to where you are calling and the precise location of every device within the range. With some devices, it can even capture the content of your conversations.

Part of what’s so concerning about Stingrays is that we know very little about how they are being used. In the first case to consider the constitutional implications of Stingrays, U.S. v. Rigmaiden (in which we filed an amicus brief along with the ACLU), the court denied a motion to throw out evidence obtained using a Stingray. In our brief, we pointed out that the application for a warrant neither made it clear that law enforcement would be using a Stingray nor explained how the device worked. It’s that lack of explanation that we find so concerning.

But what we do know about Stingrays is chilling. They capture data from anybody who happens to be in an area where one is being used, regardless of whether they are suspected of a crime. And some models can even capture contents of communications.

The constitutionality of Stingrays is almost certain to be challenged again, especially after the Supreme Court’s decision requiring a warrant to search arrestees’ cellphones in Riley v. California. We’ll continue to keep an eye out for any cases addressing this technology. In the meantime, we’re doing public records act requests to police departments to learn more about who is using these devices and how.

We think this technology is scarier than any costume you’ll see on the streets this week. But don’t worry; we’re here to turn the lights on.

Where books are banned, the Internet is a game changer

This post, written by EFF director for international freedom of expression Jillian York, was originally published on the foundation’s website.

The censorship or banning of books is a phenomenon that occurs in countries around the world. Books that are considered “scandalous” or inciteful in some way are often targets of censorship by governments, schools, libraries and other entities.

In the United States, as NPR explains, books have historically been banned for violence and sexual content, as well as profanity, and continue to be banned by individual school districts. In Australia, the sale of certain books — such as Bret Easton Ellis’ “American Psycho” — is restricted to readers 18 and over. In Egypt, books challenging the political status quo are often targets of censorship. Amazon maintains a list of countries where particular books cannot be shipped. And the list goes on.

For individuals living in countries with high levels of censorship, the Internet has become a means for circumventing restrictions on book sales. Access to online bookstores and platforms like Kindle has, for example, helped people in China get around the infamous Great Firewall. New platforms like Oyster provide reading materials in English that might not be available for purchase, either due to censorship or lack of demand. And free platforms like Project Gutenberg create access where cost or censorship is an issue.

But for some, these workarounds have restrictions as well. Copyright and related licensing restrictions can curtail access to books in certain places; for example, a new book on atheism in the Arab world by journalist Brian Whitaker is unavailable for purchase in the Middle East and Africa, apparently due to international distribution issues. App stores sometimes restrict access to book platforms out of copyright or liability concerns, as well as when faced by government pressure. And restrictions on international banking — not to mention the cost of e-books — can limit people in many countries from taking advantage of online book platforms.

In Sudan, books can be especially hard to come by. Not only does the government confiscate and ban books and harass authors, but high customs taxes have forced numerous bookstores to close over the past few years.

“Online access to books is so important for the new generation,” says Sudanese activist Dalia Haj Omar, but U.S. sanctions prevent individuals from accessing a number of sites and resources that would allow young Sudanese to circumvent restrictions on reading and learning. Among the sites that are unavailable to Sudanese are Khan Academy and the Google Play Store.

Despite the sanctions, which Haj Omar is working to reform, she says that young Sudanese are finding ways around the various restrictions, and points to an article in the New York Times detailing Khartoum’s literary revival. It describes the work of Abdullah Al-Zain, the man behind a monthly book swap event called Mafroush (“displayed”). “The Internet is not necessarily an enemy of books,” says Al-Zain. Indeed.

EFF: Local use of surveillance equipment deserves same scrutiny as militarized police


This piece, written by activist Nadia Kayyali, first appeared on the Electronic Frontier Foundation’s website.

Since the police shooting of Michael Brown and the response in the streets, militarization of the police, especially with surplus military hardware like armored vehicles, has been a hot topic, both in the news and in Congress. And that’s a good thing.

But the equipment we can see on the news isn’t the only thing flowing from our military to local cops. Alongside armored vehicles and guns, local police are getting surveillance technology with help from the federal government. And while we don’t know the full contours of that aid, what we do know is worrisome and should spur further scrutiny, both locally and nationally.

The risks of militarizing the local cops are easy to see — and they’re compounded by folding local law enforcement into homeland security. Military technology, and suspicionless mass surveillance, are based on a military mindset: Everyone is a possible enemy, and no one deserves privacy. While some lawmakers justify this shift by pointing to the “war on drugs” and “the war on terror,” the United States is not technically a war zone. This raises the specter of the Posse Comitatus Act, passed in the late 1800s to prevent use of the military in domestic law enforcement.

Congress is finally taking a look into the transfers of hardware

Fortunately, Congress is starting to take seriously some parts of this transformation of local law enforcement. On Sept. 9, spurred on by the horrifying use of military technology on the streets of Ferguson, the Homeland Security and Governmental Affairs Committee held a hearing on “the effectiveness of federal programs that provide state and local police with surplus military equipment and grant funding for exercises and for training.” The hearing looked at the Department of Defense (DOD) 1033 program, which allows the DOD to give surplus equipment to local law enforcement for free, the Department of Homeland Security’s (DHS) Homeland Security Grant Programs and the Department of Justice’s Justice Assistance Grant (JAG) program.

Each of these three programs has transferred millions of dollars of equipment and funding to local law enforcement, from bayonets to drones. This includes funding for fusion centers, the state and local criminal intelligence information clearinghouses that allow local law enforcement to access and input information into federal databases like the FBI’s eGuardian without even meeting a “probable cause” standard.

The hearing gave the committee a chance to hear direct testimony from representatives of these three programs, as well as other experts and stakeholders. Written statements from speakers are available here.

Senators closely questioned the representatives of each of the three programs, revealing some startling truths:

The DOD and DHS do not provide any training to departments that get equipment or money from them, including high-tech surveillance equipment like drones and mine-resistant ambush-protected vehicles (MRAPs).

None of the agencies look into whether a state or local law enforcement agency is under active investigation or has a history of civil rights or civil liberties violations.

Prior to Ferguson, these three officials had never met, even though they were providing similar equipment and funding for equipment to the same police departments.

The total number of pieces of controlled property, such as weapons, currently in the possession of law enforcement agencies is approximately 460,000.

The questions that were not answered, or partially answered, were also revealing:

“What (is) the difference between a militarized and increasingly federalized police force and a standing army?”

“When was the last time you can recall that equipment from the 1033 program was used for counterterrorism?”

The overall picture that emerged was that the federal officials are willing to fund surveillance and military technologies to local law enforcement but provide little or no training to police officers — and have no policies in place to ensure this equipment isn’t misused. The White House is conducting a review of these programs; and while there is no clear timeline for completion, it’s a step in the right direction.

Surveillance deserves a look, too

Congress and the White House need to include surveillance technologies in their inquiries. The same money that funds MRAPs and night vision goggles also funds intelligence gathering at the local level. DHS’s Homeland Security Grant Program directly funds fusion centers. In fact, its 2014 grant announcement emphasized that funding fusion centers and integrating them nationally is a high priority. And DHS Urban Area Security Initiative money funds events like Urban Shield, a four-day-long event that featured “preparedness” exercises as well as a marketplace of military and surveillance technology.

Another possible avenue for review is the Privacy and Civil Liberties Oversight Board (PCLOB). PCLOB asked for public comments on its proposed mid- and long-term agenda, which includes an examination of the “functional standards” used for Suspicious Activity Reporting (SAR), a program coordinated through fusion centers. EFF, along with others, submitted comments encouraging PCLOB to take a close look more generally at fusion centers. The comments emphasized that accountability for fusion centers, like all the programs reviewed in the Senate hearing, is a major problem:

The bidirectional flow of data in fusion centers, as well as interagency cooperation and jurisdictional blurriness, makes accountability and a clear understanding of the applicability of laws and regulations difficult… In the midst of this ambiguous and opaque environment, fusion centers have access to a staggering amount of data including the FBI’s eGuardian database and a variety of other federal databases. They may even potentially have access to unminimized NSA data. And as data gathered under the problematic SAR standards is entered into these databases, the lines of responsibility for unconstitutional invasions of privacy and civil liberties become ever more unclear.

Local cops, local action

There is a silver lining to all of this, though. Unlike the onerous task of reforming the National Security Agency, the FBI and other federal agencies, addressing militarization of and surveillance by local law enforcement is much easier for grass-roots activists. Groups like the coalition that helped push the Urban Shield exercise out of Oakland, California, the coalition that stopped Berkeley, California from purchasing an armored vehicle, and the coalition that helped to stop the purchase of a drone in Alameda County, California, are springing up all over the country.

For those concerned about the use of military surveillance equipment domestically, it’s a good time to do some research into your own local government to find out not only whether they are obtaining the kinds of military equipment that you can see, but also whether they are obtaining surveillance technologies that you can’t. Public records act requests are a great way to find out whether your town or city has gotten any of these funds and how it has, or plans to, spend them. Let us know what you find out, and let your elected officials know what you think.

Senators Tasked With NSA Oversight Urge Appeals Court To End Call Records Collection

This post, written by Electronic Frontier Foundation legal fellow Andrew Crocker, was originally published on the foundation’s website.

Smith v. Obama, a challenge to the NSA’s warrantless collection of phone records, currently before the 9th U.S. Circuit Court of Appeals, has received some high-profile support. In six amicus briefs filed yesterday, a range of groups add depth to the Electronic Frontier Foundation’s argument that the NSA’s activities are an extraordinary invasion of the privacy of innocent Americans.

Powerfully, Senators Ron Wyden, Mark Udall, and Martin Heinrich — members of the committee charged with overseeing the NSA — write that they “have seen no evidence that the bulk collection of Americans’ phone records has provided any intelligence of value that could not have been gathered through means that caused far less harm to the privacy interests of millions of Americans.” This echoes statements made by numerous officials, including President Obama himself, and it is crucial to countering the arguments in this case about the national security importance of the NSA’s program.

Other briefs expand on the problems with the government’s legal arguments in Smith and discuss how bulk surveillance causes specific harms to privacy and other constitutional values. In a brief filed by the Electronic Privacy Information Center (EPIC), a group of leading legal and technical experts discuss the history of information generated by telephone calls and the rise of modern call records, the “metadata” collected by the NSA. The brief thoroughly debunks the government’s claims that 40-year-old legal rules allowing limited collection of records can justify the highly revealing program at issue here. Briefs by the Reporters Committee for the Freedom of the Press, the National Association of Criminal Defense Lawyers and the PEN American Center respectively explore the specific harms to reporter-source relationships, attorney-client communications and the 6th Amendment right to counsel, and the profound chilling effect on freedom of expression. Finally, a brief by the Center for National Security Studies explains that the statute used by the government, Section 215 of the USA PATRIOT Act, also cannot justify this program.

The court will consider these arguments as the briefing in Smith continues. A hearing is expected in November 2014.

Grassroots Groups Fighting Law Enforcement Exercise Designed To Put Cops In Touch With Military Tech Companies

This post, written by activist Nadia Kayyali, was originally published on the EFF website.

While all eyes are on the disturbing evidence of police militarization in Ferguson, are you paying attention to what’s happening with law enforcement in your own back yard?

In the San Francisco Bay Area, the answer is yes. A coalition of community groups has come together to call attention to Urban Shield, a four-day-long “preparedness” exercise for law enforcement and other agencies that will take place from September 4-8. They’ve organized a week of education, including a march and demonstration outside of the event on Friday, September 5. To these community groups, Urban Shield represents state violence and political repression, not public safety.

The reasons for protesting Urban Shield are clear. It is one of the ways that local law enforcement gets access to, and romanced by, military and surveillance technologies like the ones we’ve seen turned against protesters in Ferguson, as well as against low-level crimes across the country.

Urban Shield is coordinated by the for-profit company Cytel Group, and in addition to training exercises, it also functions as a marketplace and testing site for new militarized technologies. The accompanying trade show includes exhibitors from armored vehicle manufacturers to a “counter-terrorism magazine.” In 2013, companies were encouraged “to place their products and technology directly into the hands of SWAT, Fire, EOD, and EMS professionals.” Vending at Urban Shield is touted as a way to get “invaluable real-time feedback for vendor product[s]” since “at the end of every scenario the teams are questioned concerning the benefits and drawbacks of each piece of technology used in that scenario.” It’s unsurprising that Urban Shield has a “try it out” component for law enforcement, since there is an incredible amount of profit to be made from such products, often with federal funds (i.e. taxpayer dollars) footing the bill.

The event is part of the federal Urban Areas Security Initiative (UASI). UASI is a grant program administered by the federal Department of Homeland Security’s Homeland Security Grant Program (the same program that funds fusion centers). In the San Francisco Bay Area, the grants are coordinated by the Bay Area UASI, a regional coordinating body. UASI grants are supposed to go to “planning, organization, equipment, training, and exercise needs of high-threat, high-density Urban Areas.” The grants have gone to law enforcement agencies all over the country — but the program has been the subject of scathing critique from grassroots groups and lawmakers.

Much of the criticism around UASI is that the grants enable purchases of equipment that no community should adopt without a public conversation. The obvious examples are armored vehicles and so-called “less-lethal” weapons like tear gas and rubber bullets, like those used to violently suppress demonstrators in Ferguson. But UASI funds can also be used to purchase sophisticated surveillance equipment that, absent safeguards, could allow local law enforcement to spy on activists before demonstrations ever take place, or to racially profile people of color in communities like Oakland. Senator Tom Coburn’s 2012 report “Safety at Any Price” lists some of the equipment that has been purchased with UASI money, and it reads like a laundry list of privacy advocates’ concerns: surveillance cameras, mobile fingerprinting devices, automated license plate readers, armored vehicles, and drones. To make matters worse, as Senator Coburn’s report points out, there is no evidence that these purchases make anyone safer.

It should also be noted that Urban Shield is not limited to the San Francisco area. Boston and Austin also participate in similar trainings, as has Jordan. And Jordan isn’t the only international connection. As the Urban Shield website boasts, “In 2014, teams from Singapore and South Korea will participate.” Teams in the past have included the French National Police and teams from Israel, Brazil, Jordan, and Bahrain. Police departments from across the country participate as well, including SWAT teams from Newark, Dallas, Chicago, and Travis County, Texas.

None of this has escaped the attention of organizers, who have made it clear that Urban Shield is linked to surveillance of activists and violence against communities of color across the country, but also to political repression internationally. In their words: “The line between police and military is blurring as parallel military tactics are being deployed globally to repress dissent and increase state control over people who are calling for freedom and justice.”

Time’s Running Out; Tweet Your Senator

The story “Two Privacy Bills Move As Congress Returns From Vacation,” by legislative analyst Mark Jaycox, was published by the Electronic Frontier Foundation on Sept. 2.

After all its hard work this year, Congress is almost done with its summer recess. Lawmakers are due back Monday and have much to tackle. Two bills are of paramount importance to the Electronic Frontier Foundation. One — the USA FREEDOM Act — must be passed by Congress, while the other — the Cybersecurity Information Sharing Act (CISA) — must be killed.

The USA FREEDOM Act is a good first step to rein in the NSA’s “Business Records” program, which collects Americans’ calling records using Section 215 of the Patriot Act. Since July, EFF has urged people to contact their senators to co-sponsor the bill. EFF even created a scorecard to help you figure out where your member of Congress stands.

On the other side is CISA, a privacy-invasive cybersecurity bill written by the Senate Intelligence Committee to facilitate the sharing of computer threats between companies and the government. The bill grants companies broad legal immunity to spy on users and share their information with government agencies like the NSA. This zombie bill — just like previous cybersecurity bills — must be killed.

One Step Forward And Two Steps Back

The USA FREEDOM Act is an important step forward for privacy. First, it would stop the government from sending court orders to phone companies for all of their customers’ calling records. The bill also introduces much-needed institutional changes to the secretive court, called the Foreign Intelligence Surveillance Court (FISA court), which is overseeing the spying. Lastly, the bill introduces transparency requirements by mandating the government report on the number of orders obtained by the FISA court and by allowing companies to report on the number of orders they receive. There are still problems with the bill, but it’s an important piece of legislation that starts to solve some of the problems revealed by the Edward Snowden disclosures.

Unfortunately, Senator Dianne Feinstein’s Cybersecurity Act, if passed, would take us two steps backward. Every year, “information sharing” bills are introduced in Congress. And every year, they fail due to broad immunity clauses for companies, vague definitions and aggressive spying powers. The current Cybersecurity Act is the fourth time in four years that Congress has tried to pass “information sharing” legislation.

The current version of CISA neglects much of what we’ve learned from Snowden, such as how information obtained using Section 702 of the Foreign Intelligence Surveillance Act is used for cybersecurity. The bill also suffers from some of the same exact faults as previous bills, which include overly broad legal immunity for companies to share personal information with the government and with other private companies.

Congress Must Kill CISA And Pass USA FREEDOM

Both bills deal with important privacy issues, but are on completely opposite sides of the debate. Congress can do the right thing by pushing forward with the USA FREEDOM Act and passing much-needed NSA reform. Tweet your senator to support the USA FREEDOM Act. After that, send him an email asking him to not support CISA.


Aaron Swartz’s Work, Computer Crime Law And ‘The Internet’s Own Boy’

This article by activist April Glaser was published by Electronic Frontier Foundation on Aug. 27.

It’s been more than a year since Aaron Swartz’s tragic death, and now Swartz’s life is the subject of a new documentary, “The Internet’s Own Boy,” directed by Brian Knappenberger. The documentary has received much acclaim and deservedly so. It tells the story of a political activist and innovator who put theory into practice, always experimenting and building new tools and methodologies to animate his theory of change.

Swartz fought for an Internet grounded in community, creativity and human rights. By co-creating platforms like RSS, reddit, Creative Commons and the technology that became SecureDrop, he helped make information accessible. Perhaps more than anything, Swartz helped hundreds of thousands of people participate in the political processes that determine the laws we have to live under every day.

There are so many things that Swartz accomplished by the age of 26 that we thought it may help to make a companion for the film, a guide for those who want to watch with a deeper understanding of the issues behind Aaron’s projects.

We begin with the projects discussed in the film and then examine the Computer Fraud and Abuse Act, the law that was used to indict him on 11 criminal charges before his tragic death.

Creative Commons And The Problem With Copyright

As a teenager, Swartz was a core member on the team of lawyers and copyright wonks that developed Creative Commons, a project that simplifies sharing with easy-to-use copyright licenses. Swartz helped to design the code behind Creative Commons licensing.

Creative Commons was a revolutionary project that remains significant today. It’s a suite of licenses that artists, writers and other creators can use to enable sharing, remixing and collaboration. Online, it’s incredibly easy to copy and paste, to edit, and to share instantaneously. Doing so can sometimes run smack in the face of copyright law, which requires explicit permissions to be granted in advance of sharing or using a creative work in many contexts.

Creative Commons is more compatible with the intensive sharing environment of the Internet. It allows for artists, makers, programmers, writers and everyone in between to only reserve some rights, not all rights. With a Creative Commons license, one can encourage the sharing of her work while still being attributed. One can choose not to allow others to monetize a work, but either invite remixing or block remixing while still encouraging distribution. Knappenberger has made “The Internet’s Own Boy” available under a Creative Commons license, and it can be downloaded and shared for free from the Internet Archive.

Open Access And Open Government

A large part of “The Internet’s Own Boy” traces Swartz’s various projects aimed at furthering the pursuit of information. He wanted to make it easier to learn about the laws that we have to live with every day, as well as ease access to the academic articles that form the building blocks of our knowledge about the world.

“The world’s entire scientific and cultural heritage, published over centuries in books and journals,” reads the Open Access Manifesto, which was written by Swartz and is quoted in the documentary, “is increasingly being digitized and locked up by a handful of private corporations.”

Swartz started projects like The Open Library, which seeks to make one Web page for every book published (imagine a future where we don’t link to Amazon when directing people to a book). And during his brief stint at Stanford, Swartz worked with a law student to download the entire Westlaw database of law review articles and found troubling connections between funders of research and favorable conclusions.

Swartz’s quest led him to the PACER system, the federal judiciary’s pay-walled public court record database. PACER charges per page to view U.S. court documents that are a matter of public record. Journalists, students, litigants, academics and all kinds of people need access to the details of the litigation that defines our laws in order to do their work. We shouldn’t have to pay to see the law.

Information activists like Carl Malamud have long been critical of PACER. And in 2009, when the system launched a project to allow free PACER access at 17 libraries nationwide, Malamud encouraged patrons to download PACER records and share them on an online repository. Swartz accepted the invitation and wrote a computer program that downloaded 20 million pages of federal court documents. In the process, scores of privacy violations were found in the PACER documents, which revealed Social Security numbers, Secret Service agents’ identities and the like, leading to stricter privacy enforcement in the courts.

For doing that, Swartz became the target of an FBI investigation that was later dropped. But as Malamud remembers in the documentary, “I’ll grant you that downloading 20 million pages had perhaps exceeded the expectations of the people running the pilot access [PACER] project, but surprising a bureaucrat isn’t illegal.”

Stopping SOPA

Swartz played a central role in the fight to stop the censorious Stop Online Piracy Act (SOPA) that snowballed into the largest online campaign in history. SOPA was a poorly worded bill that would have allowed the Department of Justice to shut down entire Internet domains because content posted on a single website might be infringing copyright — and without a trial.

Swartz co-founded Demand Progress, a digital rights organization that the Electronic Frontier Foundation continues to work with closely today. Demand Progress was instrumental in organizing the grass-roots outcry; Demand Progress boiled down the bill into super simple language and asked that people take a quick action to stop it. Most people in Washington were trying to make slight improvements to a terrible bill, but Demand Progress, along with EFF, Fight for the Future, Public Knowledge and others mounted a campaign to stop it completely.

Wikipedia, Mozilla, Google and countless others blacked out websites and displayed banners over their logos, sending people to a petition to oppose the bill. It worked. SOPA didn’t pass, and today it remains one of the most important chapters in the history of the digital rights movement.

The Computer Fraud And Abuse Act

“There’s no justice in following unjust laws,” reads the Open Access Manifesto penned by Swartz. And an unjust law is exactly what prosecutors used against Swartz, who was charged with 13 criminal counts for downloading millions of articles from an academic journal database, on MIT’s network. An unjust system charged Swartz in a way that would have put him in jail for years (the maximum sentence possible added up to 35 years, yet we realize that would have been an unlikely outcome) for violating the Computer Fraud and Abuse Act.

The prosecution of Swartz also reflected profound problems with the criminal justice system far beyond the Computer Fraud and Abuse Act (CFAA), including the incentives for prosecutors to pursue charges as aggressively as possible to try to make a defendant plead guilty.

Eleven of the 13 counts against Swartz were based on the CFAA, a law written in 1984 that makes it a crime to access a computer without “authorization” or in excess of authorized access. But these terms aren’t clear; and the Department of Justice in the past has argued the CFAA makes it a federal crime to violate a website’s terms of service, meaning that something like lying about your age or your height online could be counted as a federal crime.

Framing Aaron’s Law As A Good Start

“The Internet’s Own Boy” points viewers to Aaron’s Law, a bill proposed soon after Swartz’s passing that would partly fix the broken and outdated CFAA. EFF supports Aaron’s Law. If it passed, everyday computer users wouldn’t face criminal liability for violating a terms of service agreement. And Aaron’s Law would protect users who access information in ways that protect their anonymity. But unfortunately, the bill does not go far enough and does not — currently — have widespread support in Congress.

Aaron’s Law, as drafted, wouldn’t have protected Swartz from the excessive penalties mounted against him. The CFAA currently punishes low-level offenses as felonies that, in a saner world, would be classified as misdemeanors. Currently, the CFAA is structured so that the same behavior can often be double-counted as violations of multiple provisions of law, which prosecutors then combine to beef up the potential penalties to an absurd degree. We strongly believe that CFAA reform should eliminate this kind of double-counting.

The Fight Continues

Swartz sought to make the world a better place; he wanted to share access to knowledge and expose corruption. Our movement to defend digital rights is stronger because of him. And we can only imagine how Swartz would have contributed to the fight to protect our rights and expand our freedoms as more people come to depend on an open Internet.

We will continue to fight. Swartz’s story is one worth telling. That’s why we encourage everyone who has seen this documentary to show it to a friend, host a screening at work or on campus and encourage others to watch it.

Supreme Court Tackles Online Threats

This article by Hanni Fakhoury originally appeared August 26 at the website of the Electronic Frontier Foundation.

When Sarah Palin placed crosshairs over political districts her political action committee was targeting in the 2010 midterm election, there was an outcry but she wasn’t arrested. Although some claimed the imagery was violent, no one believed Palin was actually intending to shoot anyone. But when Anthony Elonis posted some ugly speech on his Facebook account, fantasizing about killing his ex-wife and law enforcement agents, he was arrested, indicted for making Internet threats and sentenced to more than three and a half years in prison. Elonis claimed he was venting and that he didn’t mean what he said. The prosecutor explained to the jury that it didn’t matter what Elonis thought, and the Third Circuit Court of Appeals agreed, ruling the government only had to show a reasonable person felt threatened by the posts.

With Elonis’ case now before the Supreme Court, we’ve joined an amicus brief filed by the Student Press Law Center and the PEN American Center to explain why the unique nature of the Internet and the First Amendment require the government prove a person actually meant to make a threat before he can be prosecuted.

This is especially important for youth who communicate through social media. One of the great things about the Internet is its ability to spread speech far and wide. But that also means speech may be misunderstood when it is received by an unintended audience or without the original context in which it was published, creating the risk that fiery rhetoric is transformed into criminal liability. We’ve already seen how one 18-year-old who posted some ugly trash talk on Facebook is now facing ten years in prison. Obviously, there is no room in our society for true threats of violence, whether spoken online or offline. So requiring a subjective intent to threaten is the best way to balance First Amendment values with public safety. Speech that appears threatening but is clearly parody or a joke is protected, while true, violent threats meant to be threatening are punished.

The rapid growth of social media has clearly benefited society, enhancing the ability to connect with other people far and wide and with those both within and outside of our communities. Hopefully, the Court will help preserve this public resource by not unnecessarily extending criminal liability in overbroad ways.

Sean D. Jordan, Kent C. Sullivan, Peter Ligh and Travis Mock of Sutherland LLP wrote the brief for EFF, SPLC and PEN American Center.