EFF: Copyright law as a tool for state censorship of the Internet

This story by global policy analyst Maira Sutton originally appeared on the website of the Electronic Frontier Foundation.

When state officials seek to censor online speech, they’re going to use the quickest and easiest method available. For many, copyright takedown notices do the trick. After years of lobbying and increasing pressure from content industries on policymakers and tech companies, sending copyright notices to take media offline is easier than ever.

The copyright law that state actors most often invoke is the Digital Millennium Copyright Act (DMCA). The DMCA was the first major digital copyright law passed in the United States, creating strict procedural rules for how and when a copyright holder can claim that uploaded content infringes on their copyright. U.S.-based tech companies that receive these infringement notices must comply with these rules to receive their safe harbor — the protection they have from being liable for hosting unlawful user content.

The DMCA has become a global tool for censorship, precisely because it was designed to facilitate the removal of online media. The law carries provisions on intermediary liability, among many other strict copyright enforcement rules, which induce websites, Internet service providers and other such “intermediaries” to remove content that is alleged to be a copyright infringement.

If the DMCA is U.S. law, how can governments around the world use it to censor speech? The DMCA has become the default template for tech companies to respond to copyright infringement notices. Since many major tech companies have offices in the U.S., they must comply with U.S. law. But even if they don’t operate in this jurisdiction, most major companies have implemented a DMCA-style takedown procedure anyway because it has become a de facto legal norm.

It’s a norm that is reinforced and exported abroad by dozens of trade agreements that carry provisions that mirror, and further entrench, restrictive interpretations of the DMCA. The South Korea-U.S. free trade agreement (aka KORUS) and the Australia-U.S. free trade agreement (aka AUSFTA) are just two examples. The language in those agreements was actually a lot like the DMCA. But the negotiators abstracted the language just enough so that U.S. law could still be compliant with it, while the other countries could be pressured to enact even harsher domestic restrictions. Following their trade agreements with the U.S., South Korea enacted a three-strikes takedown regime, and Australia was pushed into enacting policies requiring intermediaries to terminate the accounts of repeat infringers.

Now we’re seeing a disturbing trend where governments and state-friendly agencies are abusing DMCA takedowns to silence political criticism. Here are the cases we know about where governments have misused U.S. copyright law to censor the Internet.

DMCA and State Censorship Around the World: A Timeline of Case Studies

  • United States: YouTube removed a 30-second Air Force recruitment ad after lawyers for the Air Force’s Cyber Command sent a DMCA notice demanding it take it down. The notice was likely invalid, since U.S. government works are in the public domain. (March 2008)
  • Saudi Arabia: A satirical show on YouTube called “Fitnah” was censored when the primary, state-funded Saudi TV channel, Rotana, sent DMCA notices to take down several of their videos. Later, a Lebanese TV show did a report about the takedown, and then another DMCA notice was sent and it was also removed from YouTube. All of the videos were later restored. (September 2014)

There are likely many more notices that state actors have used to censor users. Rightsholders are sending more and more DMCA takedowns by the year, and a telling sign of this is that some companies have begun to quantify this abuse in their transparency reports. As companies are increasingly being forced to be complicit in this censorship, it’s now more important than ever for them to be transparent about the notices they receive, and for them to take advantage of the flexibility they have under the DMCA to do what they can to protect users’ speech.

If you know of any cases of state-mandated Internet censorship carried out through the DMCA or other copyright laws’ takedown procedures, please send them to maira@eff.org. The Electronic Frontier Foundation already tracks general DMCA takedowns with our Takedown Hall of Shame. Now EFF is looking for more cases where governments and their agencies have directly sought to censor the Internet via their own takedown requests.

Censoring the Web isn’t the solution to terrorism or counterfeiting; it’s the problem

This story by Senior Global Policy Analyst Jeremy Malcolm appeared on the website of the Electronic Frontier Foundation.

In politics, as with Internet memes, ideas don’t spread because they are good; they spread because they are good at spreading. One of the most virulent ideas in Internet regulation in recent years has been the idea that if a social problem manifests on the Web, the best thing that you can do to address that problem is to censor the Web.

It’s an attractive idea because if you don’t think too hard, it appears to be a political no-brainer. It allows governments to avoid addressing the underlying social problem — a long and costly process — and instead simply pass the buck to Internet providers, who can quickly make whatever content has raised rankles “go away.” Problem solved! Except, of course, that it isn’t.

Among the difficult social problems that Web censorship is often expected to solve are terrorism, child abuse, and copyright and trademark infringement. In recent weeks, some further cases of this tactic being vainly employed against such problems have emerged from the United Kingdom, France and Australia.

U.K. court orders ISPs to block websites for trademark infringement

In a victory for luxury brands and a loss for Internet users, the British High Court last month ordered five of the country’s largest ISPs to block websites selling counterfeit goods. While alarming enough, this was merely a test case, leading the way for a reported 290,000 websites to be potentially targeted in future legal proceedings.

Do we imagine for a moment that, out of a quarter-million websites, none of them are false positives that actually sell non-infringing products? (If websites blocked for copyright infringement or pornography are any example, we know the answer.) Do we consider it a wise investment to tie up the justice system in blocking websites that could very easily be moved under a different domain within minutes?

The reason this ruling concerns us is not that we support counterfeiting of manufactured goods. It concerns us because it further normalizes the Band-Aid solution of content blocking, and de-emphasises more permanent and effective solutions that would target those who actually produce the counterfeit or illegal products being promoted on the Web.

Britain and France call on ISPs to censor extremist content

Not content with enlisting major British ISPs as copyright and trademark police, the government has also recently called upon them to block extremist content on the Web and to provide a button that users can use to report supposed extremist material. Usual suspects Google, Facebook and Twitter have also been roped in by the government to carry out blocking of their own. Yet to date, no details have been released about how these extrajudicial blocking procedures would work or under what safeguards of transparency and accountability, if any, they would operate.

This fixation on solving terrorism by blocking websites is not limited to the United Kingdom. Across the channel in France, a new “anti-terrorism” law that the Electronic Frontier Foundation reported on earlier was finally passed this month. The law allows websites to be blocked if they “condone terrorism.” “Terrorism” is as slippery a concept in France as anywhere else. Indeed, France’s broad definition of a terrorist act has drawn criticism from Human Rights Watch for its legal imprecision.

Australian plans to block copyright infringing sites

Finally (though, sadly, probably not), reports last week suggest that Australia will be next to follow the example of the U.K. and Spain in blocking websites that host or link to allegedly copyright-infringing material, following on from a July discussion paper that mooted this as a possible measure to combat copyright infringement.

How did this become the new normal? When did politicians around the world lose the will to tackle social problems head-on, and instead decide to sweep them under the rug by blocking evidence of them from the Web? It certainly isn’t due to any evidence that these policies actually work. Anyone who wants to access blocked content can trivially do so, using software like Tor.

Rather, it seems to be that it’s politically better for governments to be seen as doing something to address such problems, no matter how token and ineffectual, than to do nothing — and website blocking is the easiest “something” they can do. But not only is blocking not effective, it is actively harmful — both at its point of application, due to the risk of over-blocking, and for the Internet as a whole, in the legitimization that it offers to repressive regimes to censor and control content online.

Like an overused Internet meme that deserves to fade away, so too it is time that courts and regulators moved on from website blocking as a cure for society’s ills. If we wish to reduce political extremism, cut off the production of counterfeits or prevent children from being abused, then we should be addressing those problems directly — rather than by merely covering up the evidence and pretending they have gone away.

New malware detection tool can expose illegitimate state surveillance

This post, written by Eva Galperin, was originally published on the Electronic Frontier Foundation website.

Recent years have seen a boom in the adoption of surveillance technology by governments around the world, including spyware that provides its purchasers the unchecked ability to target remote Internet users’ computers, to read their personal emails, listen in on private audio calls, record keystrokes and passwords, and remotely activate their computer’s camera or microphone. The Electronic Frontier Foundation, together with Amnesty International, Digitale Gesellschaft, and Privacy International, have all had experience assisting journalists and activists who have faced the illegitimate use of such software in defiance of accepted international human rights law.

Software like this is designed to evade detection by its victims. That’s why we’ve joined together to support Detekt, a new malware detection tool developed by security researcher Claudio Guarnieri. Detekt is an easy-to-use, open source tool that allows users to check their Windows PCs for signs of infection by surveillance malware that we know is being used by governments to spy on activists and journalists.

Some of the software used by states against innocent citizens is widely available on the Internet, while more sophisticated alternatives are made by private companies and sold to governments everywhere from the United States and Europe to Ethiopia and Vietnam.

Detekt makes it easy for at-risk users to check their PCs for possible infection by this spyware, which often goes undetected by existing commercial anti-virus products.

Because Detekt is a best-effort tool and spyware companies make frequent changes to their software to avoid detection, users should keep in mind that Detekt cannot conclusively guarantee that their computer is not compromised by the spyware it aims to detect. However, we hope that the availability of this tool will help us to detect some ongoing infections, provide advice to infected users, and contribute to the debate around curbing the use of government spyware in countries where it is linked to human rights abuses.

EFF: Why metadata matters and the third-party doctrine doesn’t

This piece, written by activist Nadia Kayyali, first appeared on the Electronic Frontier Foundation’s website.

How can the U.S. government possibly claim that its collection of the phone records of millions of innocent Americans is legal? It relies mainly on two arguments: first, that no one can have a reasonable expectation of privacy in their metadata; and second, that the outcome is controlled by the so-called “third-party doctrine,” which says that no one has an expectation of privacy in information they convey to a third party (such as telephone numbers dialed). The Electronic Frontier Foundation expects the government to press both of these arguments on Nov. 4 before the District of Columbia Circuit Court of Appeals. We look forward to responding.

Oral argument will take place at 9:30 a.m. at the District of Columbia Circuit Court at 333 Constitution Ave. NW in Courtroom 20 before Judges David Sentelle, Stephen Williams and Janice Rogers Brown. The public is welcome to attend.

A little context for EFF’s role in this case: EFF and the American Civil Liberties Union filed an amicus brief in Klayman v. Obama on Aug. 20. The case itself was first filed June 6, 2013, just one day after journalists began publishing information from the Edward Snowden leaks; and it was the first challenge to the government’s “telephony metadata” collection. Judge Richard Leon of the District Court for the District of Columbia granted a preliminary injunction. The government appealed, Klayman cross appealed some issues, and now the case is headed to the Court of Appeals.

Leon found that the government’s bulk collection of telephony metadata likely constitutes an unconstitutional search under the 4th Amendment. We agree. And since the issue is so important, we weighed in on the case along with the ACLU and the ACLU of the Nation’s Capital. We asked the court for the right to participate in the oral argument. The court agreed, giving us 10 minutes and also giving 10 minutes to another amicus, the Center for National Security Studies. Cindy Cohn will argue the case for EFF and ACLU.

Here’s what we’ll be saying on those two key points:

Metadata matters

We want to ensure that the court recognizes that “the call records collected by the government are not just metadata — they are intimate portraits of the lives of millions of Americans.”

The argument that the bulk collection of private information from millions of Americans is no big deal because it’s “just metadata” is a tired one. It’s been disproven by research, and it doesn’t stand up to common sense. First, there’s no bright line. What is deemed “metadata” is often murky (such as subject lines and URLs), context-dependent and not clearly distinguishable from content, which everyone agrees is protected by the 4th Amendment.

Second, and more important, even without listening in on a conversation, metadata reveals private information — sometimes more than would be revealed by content.

We offer some examples where metadata is more revealing in our brief: People can “donate to charities by sending a text message…The metadata about these texts reveals that the subscriber has donated to a specific charity or cause, while the content of the message contains at most a donation amount.” Similarly, “an hour-long call at 3 a.m. to a suicide prevention hotline” could be very revealing. In fact, even a single piece of metadata could reflect an individual’s political or religious associations or mental health issues.

Consider a short-term study at Stanford that analyzed only a few months of telephony metadata from just 546 people and focused partly on individual calls. The researchers found many calls that even in isolation could be revealing, such as a call to a political campaign, noting: “Many organizations have a narrow purpose, such that an individual call gives rise to sensitive inferences.” The study found “numerous calls within our dataset that give rise to these sorts of straightforward inferences.”

By contrast, the government is collecting huge amounts of metadata — by conservative estimates, at least billions of call records. And as the Stanford study showed, these records are exponentially revealing in the aggregate: “A pattern of calls will often, of course, reveal more than individual call records. During our analysis, we encountered a number of patterns that were highly indicative of sensitive activities or traits.”

As important as the sensitivity of the information here is the fact that the potential sensitivity is exactly why the government wants the information. The government has emphasized repeatedly in speeches and in legal briefs that it needs to collect so much metadata specifically so that it can analyze complete (or at least very big) datasets. That makes sense since, as we point out in our brief, this aggregation provides context and information to metadata and allows analysts to create “social graphs” that map webs of relationships between individuals and groups. In fact, aggregated metadata could allow an analyst to determine “the membership, structure, or participants in organizations and movements like the NAACP, the Tea Party, or Occupy Wall Street …”

To compound the privacy invasion, metadata is highly structured, making it ideal for the kind of analysis that reveals highly personal information. It’s easier to review than the content of communications. And since the government’s argument is that all metadata is unprotected, it’s important not to consider it in a vacuum. As we note, metadata “is truly ubiquitous, created through the innumerable and near-continuous digital transactions and interactions attendant to modern life.”

The ‘third-party doctrine’ is not controlling

After trying to convince the court that metadata just isn’t that revealing, the government says that the 4th Amendment also doesn’t apply because we “voluntarily” turn over the numbers we dial to telephone companies — as if this weren’t just an artifact of how the phones work and instead was some kind of individual choice we make. Because of this, the government argues, the situation is governed by the “third-party doctrine,” the idea that people have no expectation of privacy in information they entrust to others.

That argument is almost as tired as the metadata claim and ignores the realities of modern life. The third-party doctrine comes from a 1979 Supreme Court case, Smith v. Maryland, which involved the collection of the phone numbers dialed by a criminal suspect over the course of three days using a rudimentary pen register. And as Leon said in his opinion in the lower court:

[T]he Court in Smith was not confronted with the NSA’s Bulk Telephony Metadata Program. Nor could the Court in 1979 ever have imagined how the citizens of 2013 would interact with their phones.

Leon hits the nail on the head. As we point out, the issue in Klayman is not limited to collection of the numbers dialed by one individual suspected of criminal wrongdoing over a very short period of time. The issues here are bulk collection and sophisticated analysis of the detailed telephone records of millions of people suspected of nothing at all.

We emphasize five significant points of difference in our brief:

  • Scale: The program collects data for all or nearly all Americans, rather than one individual suspected of a serious crime.
  • Duration: The current program captures years of data, while the pen register in Smith captured data for only three days.
  • Changes in telephone use: Use of the telephone has changed dramatically since 1979, when telephones were largely stationary devices shared among a number of users, with one number per household or organization. Today, as landline usage dwindles, mobile phones have become personal, not shared, devices that many people carry constantly with them and use dozens, if not hundreds, of times per day.
  • Information collected: The phone records in this case include whether the call was completed, its duration, and other information rather than simply which numbers were being dialed, as in Smith.
  • Individualized suspicion: The program does not collect information based on individualized suspicion of any sort, much less individualized suspicion of a crime.

These differences mean that it’s just not credible to try to cram the government’s gigantic, revealing telephone records collection into the narrow box of the Smith line of cases. As our brief notes, that’s “a result unimaginable when Smith was decided and certainly not considered by the Court.”

In short, both the government’s metadata argument and its third-party doctrine argument are wrongly applied to massive telephone record collection. Moreover, both ask the court to ignore how we live today, with our “papers and effects” stored with third parties and metadata trailing our every move. Yet even with technological changes, we can and do have reasonable expectations that this information will remain private. We look forward to the court’s careful consideration of these and other points on Tuesday.

EFF, ACLU to present oral argument in NSA spying case on Nov. 4

This originally appeared on the website of the Electronic Frontier Foundation.

Washington, D.C. — The Electronic Frontier Foundation (EFF) will appear before a federal appeals court next week to argue the National Security Agency (NSA) should be barred from its mass collection of telephone records of millions of Americans. The hearing in Klayman v. Obama is set for 9:30 a.m. on Tuesday, Nov. 4, in Washington, D.C.

Appearing as an amicus, EFF Legal Director Cindy Cohn will present oral argument at the U.S. Court of Appeals for the District of Columbia Circuit on behalf of EFF and the American Civil Liberties Union (ACLU), which submitted a joint brief in the case.

Conservative activist and lawyer Larry Klayman filed the suit in the aftermath of the first Edward Snowden disclosure, in which The Guardian revealed how the NSA was collecting telephone records on a massive scale from the telecommunications company Verizon. In December, District Court Judge Richard Leon issued a preliminary injunction in the case, declaring that the mass surveillance program was likely unconstitutional.

EFF argues that the call-records collection, which the NSA conducts with claimed authority under Section 215 of the USA PATRIOT Act, violates the 4th Amendment rights of millions of Americans. Separately, EFF is counsel in two other lawsuits against the program — Jewel v. NSA and First Unitarian Church of Los Angeles v. NSA — and is co-counsel with the ACLU in a third, Smith v. Obama.

EFF: Three spooky ways you’re being spied on this Halloween

This piece, written by activist Nadia Kayyali, first appeared on the Electronic Frontier Foundation’s website.

It’s that time of year when people don sinister masks, spray themselves with fake blood and generally go all-out for a good fright. But at the Electronic Frontier Foundation, we think there are plenty of real-world ghouls to last year-round. Fortunately, we won’t let them hide under your bed. Sometimes our work sounds like science fiction, but the surveillance techniques and technology we fight are all too real. Here are some of the beasts hiding in your backyard that we’ve been fighting to expose.

Automated license plate readers

Automated license plate readers (ALPRs) are cameras that can either be mounted on squad cars or be stationary. They read license plates and record the time, date and location a particular car was encountered. And they’re paving the way for wholesale tracking of every driver’s movements. ALPRs can scan up to 1,800 license plates per minute and can collect data on vast numbers of vehicles. In Los Angeles, for example, the Los Angeles Police Department and Sheriff’s Department collect data on 3 million cars per week.

Much like metadata about phone calls, the information obtained from ALPRs reveals sensitive personal information. In fact, the International Association of Chiefs of Police issued a report in 2009 recognizing that “recording driving habits” could raise 1st Amendment concerns because cameras could record “vehicles parked at addiction-counseling meetings, doctors’ offices, health clinics, or even staging areas for political protests.”

Because of this potential for serious invasions of privacy, EFF and the American Civil Liberties Union teamed up to ask the city and county of Los Angeles for a week’s worth of ALPR data. The lower court sided with the government after it denied our request, but we’re appealing the ruling.

Fusion centers

Fusion centers are information clearinghouses that enable unprecedented levels of bidirectional information sharing between state, local, tribal and territorial law enforcement agencies and federal agencies like the FBI and Department of Homeland Security. Bidirectional means that local law enforcement can share information with these agencies while also accessing federal information, through portals like the FBI’s eGuardian database.

Fusion centers are a serious threat to privacy. They magnify the impact of excessive spying by making sure that it gets shared through a vast network of agencies with almost no oversight.

And oversight is clearly needed. Fusion centers coordinate the National Suspicious Activity Reporting Initiative (NSI), an effort to implement suspicious activity reporting (SAR) nationwide. SARs are intelligence reports that, according to the government, document “behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.” And while they do lead to law enforcement contact with innocent people, they do not meet legally cognizable standards for search or seizure under the 4th Amendment. Instead, they lead to racial and religious profiling and political repression. Public records act requests have shown that people of color often end up being the target of SARs.

And that’s not the only way fusion centers threaten privacy and civil liberties. Public records requests have also shown that fusion centers are used to record and share information about 1st Amendment-protected activities in a way that aids repressive police activity and chills freedom of association.

That’s why when the Privacy and Civil Liberties Oversight Board (PCLOB) announced that it was considering looking at the standards for SAR, EFF submitted a comment. We urged PCLOB not only to review SAR standards, but to conduct a thorough assessment of fusion centers in general. We believe that such a review will show what every other review by the government has shown: that fusion centers produce “predominantly useless information,” “a bunch of crap,” while “running afoul of departmental guidelines meant to guard against civil liberties” and are “possibly in violation of the Privacy Act.”

Stingrays

Last but not least, we’re keeping an eye on the spreading use of Stingrays. (Stingray is the brand name of an international mobile subscriber identity locator.) These are devices that are used by law enforcement to electronically search for a particular cellphone’s signal by capturing the international mobile subscriber identity of potentially thousands of people in a particular area. Small enough to fit in a van, they masquerade as a cellphone tower and trick your phone into connecting with them every 7 to 15 seconds. As a result, the government can surreptitiously figure out whom, when and to where you are calling and the precise location of every device within the range. With some devices, it can even capture the content of your conversations.

Part of what’s so concerning about Stingrays is that we know very little about how they are being used. In the first case to consider the constitutional implications of Stingrays, U.S. v. Rigmaiden (in which we filed an amicus brief along with the ACLU), the court denied a motion to throw out evidence obtained using a Stingray. In our brief, we pointed out that the application for a warrant neither made it clear that law enforcement would be using a Stingray nor explained how the device worked. It’s that lack of explanation that we find so concerning.

But what we do know about Stingrays is chilling. They capture data from anybody who happens to be in an area where one is being used, regardless of whether they are suspected of a crime. And some models can even capture contents of communications.

The constitutionality of Stingrays is almost certain to be challenged again, especially after the Supreme Court’s decision requiring a warrant to search arrestees’ cellphones in Riley v. California. We’ll continue to keep an eye out for any cases addressing this technology. In the meantime, we’re doing public records act requests to police departments to learn more about who is using these devices and how.

We think this technology is scarier than any costume you’ll see on the streets this week. But don’t worry; we’re here to turn the lights on.

Where books are banned, the Internet is a game changer

This post, written by EFF director for international freedom of expression Jillian York, was originally published on the foundation’s website.

The censorship or banning of books is a phenomenon that occurs in countries around the world. Books that are considered “scandalous” or inciteful in some way are often targets of censorship by governments, schools, libraries and other entities.

In the United States, as NPR explains, books have historically been banned for violence and sexual content, as well as profanity, and continue to be banned by individual school districts. In Australia, the sale of certain books — such as Bret Easton Ellis’ “American Psycho” — is restricted to readers 18 and over. In Egypt, books challenging the political status quo are often targets of censorship. Amazon maintains a list of countries where particular books cannot be shipped. And the list goes on.

For individuals living in countries with high levels of censorship, the Internet has become a means for circumventing restrictions on book sales. Access to online bookstores and platforms like Kindle has, for example, helped people in China get around the infamous Great Firewall. New platforms like Oyster provide reading materials in English that might not be available for purchase, either due to censorship or lack of demand. And free platforms like Project Gutenberg create access where cost or censorship is an issue.

But for some, these workarounds have restrictions as well. Copyright and related licensing restrictions can curtail access to books in certain places; for example, a new book on atheism in the Arab world by journalist Brian Whitaker is unavailable for purchase in the Middle East and Africa, apparently due to international distribution issues. App stores sometimes restrict access to book platforms out of copyright or liability concerns, as well as when faced with government pressure. And restrictions on international banking — not to mention the cost of e-books — can limit people in many countries from taking advantage of online book platforms.

In Sudan, books can be especially hard to come by. Not only does the government confiscate and ban books and harass authors, but high customs taxes have forced numerous bookstores to close over the past few years.

“Online access to books is so important for the new generation,” says Sudanese activist Dalia Haj Omar, but U.S. sanctions prevent individuals from accessing a number of sites and resources that would allow young Sudanese to circumvent restrictions on reading and learning. Among the sites that are unavailable to Sudanese are Khan Academy and the Google Play Store.

Despite the sanctions, which Haj Omar is working to reform, she says that young Sudanese are finding ways around the various restrictions, and points to an article in the New York Times detailing Khartoum’s literary revival. It describes the work of Abdullah Al-Zain, the man behind a monthly book swap event called Mafroush (“displayed”). “The Internet is not necessarily an enemy of books,” says Al-Zain. Indeed.

EFF: Local use of surveillance equipment deserves same scrutiny as militarized police

 

This piece, written by activist Nadia Kayyali, first appeared on the Electronic Frontier Foundation’s website.

Since the police shooting of Michael Brown and the response in the streets, militarization of the police, especially with surplus military hardware like armored vehicles, has been a hot topic, both in the news and in Congress. And that’s a good thing.

But the equipment we can see on the news isn’t the only thing flowing from our military to local cops. Alongside armored vehicles and guns, local police are getting surveillance technology with help from the federal government. And while we don’t know the full contours of that aid, what we do know is worrisome and should spur further scrutiny, both locally and nationally.

The risks of militarizing the local cops are easy to see — and they’re compounded by folding local law enforcement into homeland security. Military technology, and suspicionless mass surveillance, are based on a military mindset: Everyone is a possible enemy, and no one deserves privacy. While some lawmakers justify this shift by pointing to the “war on drugs” and “the war on terror,” the United States is not technically a war zone. This raises the specter of the Posse Comitatus Act, passed in the late 1800s to prevent use of the military in domestic law enforcement.

Congress is finally taking a look into the transfers of hardware

Fortunately, Congress is starting to take seriously some parts of this transformation of local law enforcement. On Sept. 9, spurred on by the horrifying use of military technology on the streets of Ferguson, the Homeland Security and Governmental Affairs Committee held a hearing on “the effectiveness of federal programs that provide state and local police with surplus military equipment and grant funding for exercises and for training.” The hearing looked at the Department of Defense (DOD) 1033 program, which allows the DOD to give away for free surplus equipment to local law enforcement, the Department of Homeland Security’s (DHS) Homeland Security Grant Programs and the Department of Justice’s Justice Assistance Grant (JAG) program.

Each of these three programs has transferred millions of dollars of equipment and funding to local law enforcement, from bayonets to drones. This includes funding for fusion centers, the state and local criminal intelligence information clearinghouses that allow local law enforcement to access and input information into federal databases like the FBI’s eGuardian without even meeting a “probable cause” standard.

The hearing gave the committee a chance to hear direct testimony from representatives of these three programs, as well as other experts and stakeholders. Written statements from speakers are available here.

Senators closely questioned the representatives of each of the three programs, revealing some startling truths:

The DOD and DHS do not provide any training to departments that get equipment or money from them, including high tech surveillance equipment like drones and mine-resistant ambush-protected vehicles (MRAPs).

None of the agencies look into whether a state or local law enforcement agency is under active investigation or has a history of civil rights or civil liberties violations.

Prior to Ferguson, these three officials had never met, even though they were providing similar equipment and funding for equipment to the same police departments.

The total number of pieces of controlled property, such as weapons, currently in the possession of law enforcement agencies is approximately 460,000.

The questions that were not answered, or partially answered, were also revealing:

“What (is) the difference between a militarized and increasingly federalized police force and a standing army?”

“When was the last time you can recall that equipment from the 1033 program was used for counterterrorism?”

The overall picture that emerged was that the federal officials are willing to fund surveillance and military technologies for local law enforcement but provide little or no training to police officers — and have no policies in place to ensure this equipment isn’t misused. The White House is conducting a review of these programs; and while there is no clear timeline for completion, it’s a step in the right direction.

Surveillance deserves a look, too

Congress and the White House need to include surveillance technologies in their inquiries. The same money that funds MRAPs and night vision goggles also funds intelligence gathering at the local level. DHS’s Homeland Security Grant Program directly funds fusion centers. In fact, its 2014 grant announcement emphasized that funding fusion centers and integrating them nationally is a high priority. And DHS Urban Area Security Initiative money funds events like Urban Shield, a four-day-long event that featured “preparedness” exercises as well as a marketplace of military and surveillance technology.

Another possible avenue for review is the Privacy and Civil Liberties Oversight Board (PCLOB). PCLOB asked for public comments on its proposed mid- and long-term agenda, which includes an examination of the “functional standards” used for Suspicious Activity Reporting (SAR), a program coordinated through fusion centers. EFF, along with others, submitted comments encouraging PCLOB to take a close look more generally at fusion centers. The comments emphasized that accountability for fusion centers, like all the programs reviewed in the Senate hearing, is a major problem:

The bidirectional flow of data in fusion centers, as well as interagency cooperation and jurisdictional blurriness, makes accountability and a clear understanding of the applicability of laws and regulations difficult… In the midst of this ambiguous and opaque environment, fusion centers have access to a staggering amount of data including the FBI’s eGuardian database and a variety of other federal databases. They may even potentially have access to unminimized NSA data. And as data gathered under the problematic SAR standards is entered into these databases, the lines of responsibility for unconstitutional invasions of privacy and civil liberties become ever more unclear.

Local cops, local action

There is a silver lining to all of this, though. Unlike the onerous task of reforming the National Security Agency, the FBI and other federal agencies, addressing militarization of and surveillance by local law enforcement is much easier for grass-roots activists. Groups like the coalition that helped push the Urban Shield exercise out of Oakland, California, the coalition that stopped Berkeley, California from purchasing an armored vehicle, and the coalition that helped to stop the purchase of a drone in Alameda County, California, are springing up all over the country.

For those concerned about the use of military surveillance equipment domestically, it’s a good time to do some research into your own local government to find out not only whether they are obtaining the kinds of military equipment that you can see, but also whether they are obtaining surveillance technologies that you can’t. Public records act requests are a great way to find out whether your town or city has gotten any of these funds and how it has spent, or plans to spend, them. Let us know what you find out, and let your elected officials know what you think.

Senators Tasked With NSA Oversight Urge Appeals Court To End Call Records Collection

This post, written by Electronic Frontier Foundation legal fellow Andrew Crocker, was originally published on the foundation’s website.

Smith v. Obama, a challenge to the NSA’s warrantless collection of phone records, currently before the 9th U.S. Circuit Court of Appeals, has received some high-profile support. In six amicus briefs filed yesterday, a range of groups add depth to the Electronic Frontier Foundation’s argument that the NSA’s activities are an extraordinary invasion of the privacy of innocent Americans.

Powerfully, Senators Ron Wyden, Mark Udall, and Martin Heinrich — members of the committee charged with overseeing the NSA — write that they “have seen no evidence that the bulk collection of Americans’ phone records has provided any intelligence of value that could not have been gathered through means that caused far less harm to the privacy interests of millions of Americans.” This echoes statements made by numerous officials, including President Obama himself, and it is crucial to countering the arguments in this case about the national security importance of the NSA’s program.

Other briefs expand on the problems with the government’s legal arguments in Smith and discuss how bulk surveillance causes specific harms to privacy and other constitutional values. In a brief filed by the Electronic Privacy Information Center (EPIC), a group of leading legal and technical experts discuss the history of information generated by telephone calls and the rise of modern call records, the “metadata” collected by the NSA. The brief thoroughly debunks the government’s claims that 40-year-old legal rules allowing limited collection of records can justify the highly revealing program at issue here. Briefs by the Reporters Committee for the Freedom of the Press, the National Association of Criminal Defense Lawyers and the PEN American Center respectively explore the specific harms to reporter-source relationships, attorney-client communications and the 6th Amendment right to counsel, and the profound chilling effect on freedom of expression. Finally, a brief by the Center for National Security Studies explains that the statute used by the government, Section 215 of the USA PATRIOT Act, also cannot justify this program.

The court will consider these arguments as the briefing in Smith continues. A hearing is expected in November 2014.

Grassroots Groups Fighting Law Enforcement Exercise Designed To Put Cops In Touch With Military Tech Companies

This post, written by activist Nadia Kayyali, was originally published on the EFF website.

While all eyes are on the disturbing evidence of police militarization in Ferguson, are you paying attention to what’s happening with law enforcement in your own back yard?

In the San Francisco Bay Area, the answer is yes. A coalition of community groups has come together to call attention to Urban Shield, a four-day long “preparedness” exercise for law enforcement and other agencies that will take place from September 4-8. They’ve organized a week of education, including a march and demonstration outside of the event on Friday, September 5. To these community groups, Urban Shield represents state violence and political repression, not public safety.

The reasons for protesting Urban Shield are clear. It is one of the ways that local law enforcement gets access to, and romanced by, military and surveillance technologies like the ones we’ve seen turned against protesters in Ferguson, as well as low-level crimes, across the country.

Urban Shield is coordinated by the for-profit company Cytel Group, and in addition to training exercises, it also functions as a marketplace and testing site for new militarized technologies. The accompanying trade show includes exhibitors from armored vehicle manufacturers to a “counter-terrorism magazine.” In 2013, companies were encouraged “to place their products and technology directly into the hands of SWAT, Fire, EOD, and EMS professionals.” Vending at Urban Shield is touted as a way to get “invaluable real-time feedback for vendor product[s]” since “at the end of every scenario the teams are questioned concerning the benefits and drawbacks of each piece of technology used in that scenario.” It’s unsurprising that Urban Shield has a “try it out” component for law enforcement, since there is an incredible amount of profit to be made from such products, often with federal funds (i.e. taxpayer dollars) footing the bill.

The event is part of the federal Urban Areas Security Initiative (UASI). UASI is a grant program administered by the federal Department of Homeland Security’s Homeland Security Grant Program (the same program that funds fusion centers). In the San Francisco Bay Area, the grants are coordinated by the Bay Area UASI, a regional coordinating body. UASI grants are supposed to go to “planning, organization, equipment, training, and exercise needs of high-threat, high-density Urban Areas.” The grants have gone to law enforcement agencies all over the country — but the program has been the subject of scathing critique from grassroots groups and lawmakers.

Much of the criticism around UASI is that the grants enable purchases of equipment that no community should adopt without a public conversation. The obvious examples are armored vehicles and so-called “less-lethal” weapons like tear gas and rubber bullets, like those used to violently suppress demonstrators in Ferguson. But UASI funds can also be used to purchase sophisticated surveillance equipment that, absent safeguards, could allow local law enforcement to spy on activists before demonstrations ever take place, or to racially profile people of color in communities like Oakland. Senator Tom Coburn’s 2012 report “Safety at Any Price” lists some of the equipment that has been purchased with UASI money, and it reads like a laundry list of privacy advocates’ concerns: surveillance cameras, mobile fingerprinting devices, automated license plate readers, armored vehicles, and drones. To make matters worse, as Senator Coburn’s report points out, there is no evidence that these purchases make anyone safer.

It should also be noted that Urban Shield is not limited to the San Francisco area. Boston and Austin also participate in similar trainings, as has Jordan. And Jordan isn’t the only international connection. As the Urban Shield website boasts, “In 2014, teams from Singapore and South Korea will participate.” Teams in the past have included the French National Police and teams from Israel, Brazil, Jordan, and Bahrain. Police departments from across the country participate as well, including SWAT teams from Newark, Dallas, Chicago, and Travis County, Texas.

None of this has escaped the attention of organizers, who have made it clear that Urban Shield is linked to surveillance of activists and violence against communities of color across the country, but also to political repression internationally. In their words: “The line between police and military is blurring as parallel military tactics are being deployed globally to repress dissent and increase state control over people who are calling for freedom and justice.”

Time’s Running Out; Tweet Your Senator

The story “Two Privacy Bills Move As Congress Returns From Vacation,” by legislative analyst Mark Jaycox, was published by the Electronic Frontier Foundation on Sept. 2.

After all its hard work this year, Congress is almost done with its summer recess. Lawmakers are due back Monday and have much to tackle. Two bills are of paramount importance to the Electronic Frontier Foundation. One — the USA FREEDOM Act — must be passed by Congress, while the other — the Cybersecurity Information Sharing Act (CISA) — must be killed.

The USA FREEDOM Act is a good first step to rein in the NSA’s “Business Records” program, which collects Americans’ calling records using Section 215 of the Patriot Act. Since July, EFF has urged people to contact their senators to co-sponsor the bill. EFF even created a scorecard to help you figure out where your member of Congress stands.

On the other side is CISA, a privacy-invasive cybersecurity bill written by the Senate Intelligence Committee to facilitate the sharing of computer threats between companies and the government. The bill grants companies broad legal immunity to spy on users and share their information with government agencies like the NSA. This zombie bill — just like previous cybersecurity bills — must be killed.

One Step Forward And Two Steps Back

The USA FREEDOM Act is an important step forward for privacy. First, it would stop the government from sending court orders to phone companies for all of their customers’ calling records. The bill also introduces much-needed institutional changes to the secretive court, called the Foreign Intelligence Surveillance Court (FISA court), which is overseeing the spying. Lastly, the bill introduces transparency requirements by mandating the government report on the number of orders obtained by the FISA court and by allowing companies to report on the number of orders they receive. There are still problems with the bill, but it’s an important piece of legislation that starts to solve some of the problems revealed by the Edward Snowden disclosures.

Unfortunately, Senator Dianne Feinstein’s Cybersecurity Act, if passed, would take us two steps backward. Every year, “information sharing” bills are introduced in Congress. And every year, they fail due to broad immunity clauses for companies, vague definitions and aggressive spying powers. The current Cybersecurity Act is the fourth time in four years that Congress has tried to pass “information sharing” legislation.

The current version of CISA neglects much of what we’ve learned from Snowden, such as how information obtained using Section 702 of the Foreign Intelligence Surveillance Act is used for cybersecurity. The bill also suffers from some of the same exact faults as previous bills, which include overly broad legal immunity for companies to share personal information with the government and with other private companies.

Congress Must Kill CISA And Pass USA FREEDOM

Both bills deal with important privacy issues, but are on completely opposite sides of the debate. Congress can do the right thing by pushing forward with the USA FREEDOM Act and passing much-needed NSA reform. Tweet your senator to support the USA FREEDOM Act. After that, send him an email asking him to not support CISA.

Aaron Swartz’s Work, Computer Crime Law And ‘The Internet’s Own Boy’

This article by activist April Glaser was published by Electronic Frontier Foundation on Aug. 27.

It’s been more than a year since Aaron Swartz’s tragic death, and now Swartz’s life is the subject of a new documentary, “The Internet’s Own Boy,” directed by Brian Knappenberger. The documentary has received much acclaim and deservedly so. It tells the story of a political activist and innovator who put theory into practice, always experimenting and building new tools and methodologies to animate his theory of change.

Swartz fought for an Internet grounded in community, creativity and human rights. By co-creating platforms like RSS, reddit, Creative Commons and the technology that became SecureDrop, he helped make information accessible. Perhaps more than anything, Swartz helped hundreds of thousands of people participate in the political processes that determine the laws we have to live under every day.

There are so many things that Swartz accomplished by the age of 26 that we thought it may help to make a companion for the film, a guide for those who want to watch with a deeper understanding of the issues behind Aaron’s projects.

We begin with the projects discussed in the film and then examine the Computer Fraud and Abuse Act, the law that was used to indict him on 11 criminal charges before his tragic death.

Creative Commons And The Problem With Copyright

As a teenager, Swartz was a core member on the team of lawyers and copyright wonks that developed Creative Commons, a project that simplifies sharing with easy-to-use copyright licenses. Swartz helped to design the code behind Creative Commons licensing.

Creative Commons was a revolutionary project that remains significant today. It’s a suite of licenses that artists, writers and other creators can use to enable sharing, remixing and collaboration. Online, it’s incredibly easy to copy and paste, to edit, and to share instantaneously. Doing so can sometimes run smack in the face of copyright law, which requires explicit permissions to be granted in advance of sharing or using a creative work in many contexts.

Creative Commons is more compatible with the intensive sharing environment of the Internet. It allows for artists, makers, programmers, writers and everyone in between to only reserve some rights, not all rights. With a Creative Commons license, one can encourage the sharing of her work while still being attributed. One can choose not to allow others to monetize a work, but either invite remixing or block remixing while still encouraging distribution. Knappenberger has made “The Internet’s Own Boy” available under a Creative Commons license, and it can be downloaded and shared for free from the Internet Archive.

Open Access And Open Government

A large part of “The Internet’s Own Boy” traces Swartz’s various projects aimed at furthering the pursuit of information. He wanted to make it easier to learn about the laws that we have to live with every day, as well as ease access to the academic articles that form the building blocks of our knowledge about the world.

“The world’s entire scientific and cultural heritage, published over centuries in books and journals,” reads the Open Access Manifesto, which was written by Swartz and is quoted in the documentary, “is increasingly being digitized and locked up by a handful of private corporations.”

Swartz started projects like The Open Library, which seeks to make one Web page for every book published (imagine a future where we don’t link to Amazon when directing people to a book). And during his brief stint at Stanford, Swartz worked with a law student to download the entire Westlaw database of law review articles and found troubling connections between funders of research and favorable conclusions.

Swartz’s quest led him to the PACER system, the federal judiciary’s pay-walled public court record database. PACER charges per page to view U.S. court documents that are a matter of public record. Journalists, students, litigants, academics and all kinds of people need access to the details of the litigation that defines our laws in order to do their work. We shouldn’t have to pay to see the law.

Information activists like Carl Malamud have long been critical of PACER. And in 2009, when the system launched a project to allow free PACER access at 17 libraries nationwide, Malamud encouraged patrons to download PACER records and share them on an online repository. Swartz accepted the invitation and wrote a computer program that downloaded 20 million pages of federal court documents. In the process, scores of privacy violations were found in the PACER documents, which revealed Social Security numbers, Secret Service agents’ identities and the like, leading to stricter privacy enforcement in the courts.

For doing that, Swartz became the target of an FBI investigation that was later dropped. But as Malamud remembers in the documentary, “I’ll grant you that downloading 20 million pages had perhaps exceeded the expectations of the people running the pilot access [PACER] project, but surprising a bureaucrat isn’t illegal.”

Stopping SOPA

Swartz played a central role in the fight to stop the censorious Stop Online Piracy Act (SOPA) that snowballed into the largest online campaign in history. SOPA was a poorly worded bill that would have allowed the Department of Justice to shut down entire Internet domains because content posted on a single website might be infringing copyright — and without a trial.

Swartz co-founded Demand Progress, a digital rights organization that the Electronic Frontier Foundation continues to work with closely today. Demand Progress was instrumental in organizing the grass-roots outcry; Demand Progress boiled down the bill into super simple language and asked that people take a quick action to stop it. Most people in Washington were trying to make slight improvements to a terrible bill, but Demand Progress, along with EFF, Fight for the Future, Public Knowledge and others mounted a campaign to stop it completely.

Wikipedia, Mozilla, Google and countless others blacked out websites and displayed banners over their logos, sending people to a petition to oppose the bill. It worked. SOPA didn’t pass, and today it remains one of the most important chapters in the history of the digital rights movement.

The Computer Fraud And Abuse Act

“There’s no justice in following unjust laws,” reads the Open Access Manifesto penned by Swartz. And an unjust law is exactly what prosecutors used against Swartz, who was charged with 13 criminal counts for downloading millions of articles from an academic journal database, on MIT’s network. An unjust system charged Swartz in a way that would have put him in jail for years (the maximum sentence possible added up to 35 years, yet we realize that would have been an unlikely outcome) for violating the Computer Fraud and Abuse Act.

The prosecution of Swartz also reflected profound problems with the criminal justice system far beyond the Computer Fraud and Abuse Act (CFAA), including the incentives for prosecutors to pursue charges as aggressively as possible to try to make a defendant plead guilty.

Eleven of the 13 counts against Swartz were based on the CFAA, a law written in 1984 that makes it a crime to access a computer without “authorization” or in excess of authorized access. But these terms aren’t clear; and the Department of Justice in the past has argued the CFAA makes it a federal crime to violate a website’s terms of service, meaning that something like lying about your age or your height online could be counted as a federal crime.

Framing Aaron’s Law As A Good Start

“The Internet’s Own Boy” points viewers to Aaron’s Law, a bill proposed soon after Swartz’s passing that would partly fix the broken and outdated CFAA. EFF supports Aaron’s Law. If it passed, everyday computer users wouldn’t face criminal liability for violating a terms of service agreement. And Aaron’s Law would protect users who access information in ways that protect their anonymity. But unfortunately, the bill does not go far enough and does not — currently — have widespread support in Congress.

Aaron’s Law, as drafted, wouldn’t have protected Swartz from the excessive penalties mounted against him. The CFAA currently punishes low-level offenses as felonies that, in a saner world, would be classified as misdemeanors. Currently, the CFAA is structured so that the same behavior can often be double-counted as violations of multiple provisions of law, which prosecutors then combine to beef up the potential penalties to an absurd degree. We strongly believe that CFAA reform should eliminate this kind of double-counting.

The Fight Continues

Swartz sought to make the world a better place; he wanted to share access to knowledge and expose corruption. Our movement to defend digital rights is stronger because of him. And we can only imagine how Swartz would have contributed to the fight to protect our rights and expand our freedoms as more people come to depend on an open Internet.

We will continue to fight. Swartz’s story is one worth telling. That’s why we encourage everyone who has seen this documentary to show it to a friend, host a screening at work or on campus and encourage others to watch it.

Supreme Court Tackles Online Threats

This article by Hanni Fakhoury originally appeared August 26 at the website of the Electronic Frontier Foundation.

When Sarah Palin placed crosshairs over political districts her political action committee was targeting in the 2010 midterm election, there was an outcry but she wasn’t arrested. Although some claimed the imagery was violent, no one believed Palin was actually intending to shoot anyone. But when Anthony Elonis posted some ugly speech on his Facebook account, fantasizing about killing his ex-wife and law enforcement agents, he was arrested, indicted for making Internet threats and sentenced to more than three and a half years in prison. Elonis claimed he was venting and that he didn’t mean what he said. The prosecutor explained to the jury that it didn’t matter what Elonis thought, and the Third Circuit Court of Appeals agreed, ruling the government only had to show a reasonable person felt threatened by the posts.

With Elonis’ case now before the Supreme Court, we’ve joined an amicus brief filed by the Student Press Law Center and the PEN American Center to explain why the unique nature of the Internet and the First Amendment require the government prove a person actually meant to make a threat before he can be prosecuted.

This is especially important for youth who communicate through social media. One of the great things about the Internet is its ability to spread speech far and wide. But that also means speech may be misunderstood when it is received by an unintended audience or without the original context in which it was published, creating the risk that fiery rhetoric is transformed into criminal liability. We’ve already seen how one 18-year-old who posted some ugly trash talk on Facebook is now facing ten years in prison. Obviously, there is no room in our society for true threats of violence, whether spoken online or offline. So requiring a subjective intent to threaten is the best way to balance First Amendment values with public safety. Speech that appears threatening but is clearly parody or a joke is protected, while true, violent threats meant to be threatening are punished.

The rapid growth of social media has clearly benefited society, enhancing the ability to connect with other people far and wide and with those both within and outside of our communities. Hopefully, the Court will help preserve this public resource by not unnecessarily extending criminal liability in overbroad ways.

Sean D. Jordan, Kent C. Sullivan, Peter Ligh and Travis Mock of Sutherland LLP, wrote the brief for EFF, SPLC and PEN American Center.

EFF, ACLU Demolish ‘It’s Just Metadata’ Claim In NSA Spying Appeal

This was originally published by the Electronic Frontier Foundation.

Washington, D.C. — The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) on Wednesday filed an amicus brief in Klayman v. Obama, a high-profile lawsuit that challenges mass surveillance, arguing that Americans’ telephone metadata deserves the highest protection of the 4th Amendment.

Larry Klayman, conservative activist and founder of Judicial Watch and Freedom Watch, was among the first plaintiffs to sue the National Security Agency (NSA) over the collection of telephone metadata from Verizon customers that was detailed in documents released by Edward Snowden. In December 2013, Judge Richard Leon issued a preliminary ruling that the program was likely unconstitutional, and the case is currently on appeal before the U.S. Court of Appeals for the District of Columbia Circuit.

In the new amicus brief in Klayman v. Obama, the EFF and ACLU lawyers repudiate arguments by U.S. officials that the records are “just metadata” and, therefore, not as sensitive as the contents of phone calls. Using research and new case law, the civil liberties groups argue that metadata (such as who individuals called, when they called and how long they spoke) can be even more revealing than conversations when collected en masse.

“Metadata isn’t trivial,” EFF legal fellow Andrew Crocker said. “Collected on a massive scale over a broad time period, metadata can reveal your political and religious affiliations, your friends and relationships, even whether you have a health condition or own guns. This is exactly the kind of warrantless search the Fourth Amendment was intended to prevent.”

The brief explains that changes in technology, as well as the government’s move from targeted to mass surveillance, mean that the holding of the 1979 Supreme Court case Smith v. Maryland that the government relies on (often called the “third-party doctrine”) does not apply. Instead, EFF and the ACLU point to a series of recent key decisions — including the Supreme Court decisions in United States v. Jones in 2012 and Riley v. California in 2014 — in which judges ruled in favor of requiring a warrant for electronic search and seizure.

“Dragnet surveillance is and always has been illegal in the United States,” said ACLU staff attorney Alex Abdo. “Our country’s founders rebelled against overbroad searches and seizures, and they would be aghast to see the liberties they fought hard to enshrine into our Constitution sacrificed in the name of security. As even the president himself has recognized, we can keep the nation safe without surrendering our privacy.”

EFF and the ACLU have each litigated numerous 1st and 4th Amendment lawsuits related to NSA surveillance and together represent Idaho nurse Anna Smith in a similar case currently on appeal in the Ninth U.S. Circuit Court of Appeals called Smith v. Obama. The ACLU is a plaintiff in a case currently pending before the Second Circuit Court of Appeals, ACLU v. Clapper, to be heard on Sept. 2. EFF has two cases — Jewel v. NSA and First Unitarian Church of Los Angeles v. NSA — before the U.S. District Court for the Northern District of California.

For the amicus brief:
https://www.eff.org/document/eff-and-aclu-amicus-brief-klayman

Contacts:

Andrew Crocker
Legal Fellow
Electronic Frontier Foundation
andrew@eff.org

One Way To Stand Against Spying: Meet With A Legislator

This story by activist April Glaser was published by the Electronic Frontier Foundation on Aug. 5. 

The National Security Agency pulls no punches when it comes to the surveillance of innocent people in every corner of the world in its attempt to “collect it all.” Those in the U.S. prepared to vigorously oppose mass government spying need to fight back and hold our representatives to account for the routine human rights violations perpetrated by the NSA. And this activism needs to occur on all levels, from lobbying local and State officials to setting up meetings with Congress members.

That’s part of the inspiration behind StandAgainstSpying.org, a tool that grades members of Congress on their track record in the fight against unconstitutional mass surveillance and the protection of the basic human right to privacy. Congress is in recess for the month of August, so right now is an ideal time to schedule a visit in-district.

Yet elected officials rarely hear from the diverse communities of everyday people who live under the shadow of government surveillance — that includes every American. That’s why the Electronic Frontier Foundation is encouraging people to visit their Congressional office and local representatives to make sure they know beyond a shadow of a doubt that their constituents demand meaningful NSA reform. After all, our political leaders are supposed to be working for us.

Senator Patrick Leahy (D-Vt.) introduced the new USA FREEDOM Act S. 2685 in the Senate at the end of July. It’s likely to come up for a vote in September. That means that for the next month activists and concerned citizens need to flood the offices of our Senators and make sure they hear us loud and clear: Now is the time to pass this critically important bill that will work to rein in the NSA’s illegal mass spying and help to restore justice in the secret FISA court.

To help with lobbying visits to local Congressional offices, EFF made a handy one-page guide on the USA FREEDOM Act that you can leave with the staff person you meet with at your elected representative’s office.

Lobby For Digital Rights

Lobbying — whether you’re a concerned citizen or a representative of an interest group — boils down to building relationships. Usually, these relationships are with staff members or, if at the local level, sometimes with elected officials directly.

Citizen lobbying can be a powerful tool for driving a vision for reform, especially when it comes to tech policy and digital rights issues, where elected officials often are non-experts.

What’s more, most expertise on technology issues too often comes from specialists hired by industry interests. So when constituents visit their representative to discuss how hard-to-approach technology issues affect voters back home, you’ll typically find policymakers ready to listen carefully.

Is there an issue that you think your member of Congress should consider more closely or change her stance on? Consider discussing the issue with your elected representative by attending a town-hall meeting or visiting the closest constituent office. Here are some tips for how to contact your representative — either Federal, State or local — to ensure a successful meeting.

Find Your Target Office

The first step is to locate which political office you wish to target. This is easier for Federal issues than State issues. For Federal issues, you may wish to target a particular Senate or House committee or subcommittee, which might take some searching on the Internet.

In local political matters — for example, if you want to investigate the purchase or use of drones by your local police department — you may start by scheduling a meeting with a staff person from your city council member’s office.

Senate: Every State is represented by two Senators. And every Senator has an office in Washington, D.C., and multiple offices in the States they represent.

House of Representatives: States are separated into numbered districts, and each district is represented by one representative in the House of Representatives. The number of districts in a State is adjusted after each census. Similar to Senators, Representatives have an office in Washington, D.C., and at least one office in their home States.

Mayors: You may wish to contact your mayor or city manager about issues in your city, like issues concerning the police department, municipal broadband initiatives or funding for technology education in your city. Find your mayor.

Governors: For statewide issues, contact your Governor’s office to share your views or set up a meeting.

State lawmakers and city council members: Local political arenas are sometimes the best places to achieve tangible political change. Do some Internet searching to find your representative.

City councils have a tremendous effect on populations, as they can pass resolutions, bring issues to mayoral offices and conduct studies to drive policy reform. Consider going to a meeting to raise concerns about a local fusion center, community fiber Internet or the need for more government transparency.

Set Up A Meeting

A phone call in favor of or against a particular action that an elected official can take is a great way to advocate for reform, but nothing beats a face-to-face meeting with a staff person or your representative.

Setting up a meeting is easy. On a Federal level, when Congress is not in session, members work out of their in-district offices; so try to set up meetings there at those times. Members also hold frequent “town-hall” meetings for constituents. Inquire at your local office about when they will be held. You can also track when your representative will be in town by looking at the Congressional calendars for the House and the Senate. Congress often designates “constituent weeks” in order to inform the public when they will be in their district. Elected representatives want to hear from voters back home.

You’ll most likely get a meeting with a staff person, and that’s great. Staffers usually know more about the specific details of issues than the representative does.

When you make the call and set up the meeting, be sure you say which organization you represent or if you’re a solo concerned citizen, where you live and the issue that you want to discuss.

Prepare For Your Meeting

Do your research and be prepared. You have the opportunity to be a local expert and help shape the thinking of your elected official.

  • Who are you representing? Try to bring a petition or a letter that has numerous signatories to the meeting. Show that you’re representing a community of people that will be affected by the change you’re calling for.
  • Bring research. Consider making a folder or an information packet with research, white papers, local stories and contact information. If your issue is a digital rights related issue, visit EFF.org for helpful resources.
  • Prepare stories. A fantastic way to communicate the need for reform is by sharing stories. Politicians often repeat stories to make a case, so be prepared to share yours.
  • Have a website and contact information ready to share. Try to have a website and business card ready in advance of your meeting. This will help the staff person find you, your community and your position in the future.
  • Consider organizing a small delegation. Bring a group of stakeholders that all have diverse stories to share. The more real people and constituent numbers that you can tie to an issue the better.

Following Up

After your meeting, send a thank-you email to the person who met with you. In your email, be sure to include information and one or two links that you want your representative to consider. Try to set up another meeting if you feel that you didn’t get to finish making your case. Always be polite and gracious and don’t overload the staffer with more information than she’ll realistically read.

If your contact responds with questions, this is a good sign — and, by all means, answer them. This is a chance for you to become an expert that your representative contacts on digital rights issues. Remember that lobbying is all about building relationships, so try to keep the conversation going and meet again.

Good luck! Email info@eff.org to let EFF know how it went!

EFF: Record Label Lawsuit Could Jeopardize Online Content Communities

This article originally appeared on the Electronic Frontier Foundation website.

San Francisco — The Electronic Frontier Foundation (EFF) and a coalition of advocacy groups have asked a Federal appeals court to block record labels’ attempt to thwart Federal law in Capitol v. Vimeo — a case that could jeopardize free speech and innovation and the sites that host both.

In this lawsuit, the record labels sued online video site Vimeo, alleging that dozens of sound recordings were infringed in videos posted on the site. A ruling from a district court judge earlier this year found Vimeo could be responsible for copyright infringement, and in doing so imposed new, impossibly high standards for websites hosting user-generated content. In an amicus brief filed Wednesday, EFF argues that the decision undermines the safe harbors created by the Digital Millennium Copyright Act (DMCA), and the innovation and expression those safe harbors make possible.

“The safe harbors give websites a clear set of rules. If they follow the law in their response to complaints from copyright owners, then they can predict and manage their exposure to lawsuits and other legal challenges,” said EFF Intellectual Property Director Corynne McSherry. “The safe harbors are critical to the Internet’s success as a forum for innovative art, discussion, and expression of all kinds, forestalling crippling litigation that would force most websites to close their doors. Yet the district court created new liability, contrary to the law and the intent of Congress.”

At issue in Capitol v. Vimeo are videos that Vimeo employees viewed or interacted with, as well as pre-1972 sound recordings, which receive different copyright protection than post-1972 works. Essentially, the decision would seem to offer service providers an impossible choice: scour the website for any content that anyone could argue might include pre-1972 audio and thereby potentially lose safe harbor protections, or risk expensive copyright litigation.

“This is exactly the result that Congress was trying to avoid with the safe harbors — without them service providers unwilling to risk being sued may decide not to host videos and other works with audio at all,” said EFF Staff Attorney Vera Ranieri. “We hope the appeals court steps in to reinforce the law and protect free speech and innovation online.”

Also joining EFF’s brief are the Center for Democracy and Technology, New Media Rights, the Organization for Transformative Works, and Public Knowledge.

For the full amicus brief:
https://www.eff.org/document/amicus-brief-23

Contacts:

Corynne McSherry
Intellectual Property Director
Electronic Frontier Foundation
corynne@eff.org

Vera Ranieri
Staff Attorney
Electronic Frontier Foundation
vera@eff.org

The New Senate USA FREEDOM Act: A First Step Toward Reforming Mass Surveillance

This article by activist Nadia Kayyali was published by the Electronic Frontier Foundation on July 29.

On Tuesday, Senator Patrick Leahy introduced a revised version of his USA FREEDOM legislation, the USA FREEDOM Act of 2014, which focuses on telephone record collection and FISA court reform. While this bill is not a comprehensive solution to overly broad and unconstitutional surveillance, it is a strong first step. The Electronic Frontier Foundation urges Congress to support passage of the bill without any amendments that will weaken it.

The new legislation contains a number of key changes from the gutted House version of USA FREEDOM.

The USA FREEDOM Act Of 2014 Will End Bulk Collection Of Phone Records Under Section 215

EFF, along with other groups, made it clear that we would not support any legislation that did not effectively end bulk collection of call detail records. The Senate version of USA FREEDOM achieves this goal, by limiting collection to instances where there is reasonable suspicion that a “specific selection term” is associated with international terrorism.  

The House version of USA FREEDOM used murky language around the phrase “specific selection term,” in particular, raising concerns that a “specific selection term” could include an entire ZIP code or other similarly broad terms. For purposes of collection of call detail records where there is reasonable suspicion, the Senate version continues to use the definition that a specific selection term is an “individual, account, or personal device.” However, for any other purpose, the term must narrowly limit the scope of a request for information and cannot include a broad geographic region or an entire electronic communications service provider.

The USA FREEDOM Act Of 2014 Makes Significant Improvements To The FISA Court

The new USA FREEDOM makes two key changes to the secretive FISA Court process. First, we were pleased to see that it creates a special advocate position that will serve as an amicus in the court and is intended to advocate for civil liberties and privacy.

Second, it directs the Office of the Director of National Intelligence, in consultation with the Attorney General, to declassify “significant” FISA Court opinions. EFF would have preferred that this process be overseen directly by the Attorney General, with input from the FISA Court itself.  On the other hand, the new USA FREEDOM bill actually defines “significant” (the original USA FREEDOM bill did not), and this definition includes any novel interpretation of “specific selection term.”

The legislation also makes several other improvements.  When USA FREEDOM was originally introduced, EFF was concerned that it would codify “about” searches — the practice of searching for any communication that references a target, in addition to communications to and from a target. EFF was deeply concerned that this controversial practice would be written into law, and glad that the Senate version removes any reference to that form of searching.

The new legislation also has some small improvements to the initiation and judicial review procedure for national security letters — secretive FBI orders for data that are accompanied by gag orders — as well as pen register and trap-and-trace devices. The bill creates new reporting requirements for the government — including a requirement that the government estimate how many citizens have been affected by backdoor warrantless searches of information collected under the authority of Section 702 of the FISA Amendments Act. And finally, the bill creates a new option for companies to report on national security requests.

What The USA FREEDOM Act Of 2014 Doesn’t Do

First and foremost, the USA FREEDOM Act of 2014 does not adequately address Section 702 of the FISA Amendments Act, the problematic 2008 law that the government argues gives it the right to engage in mass Internet surveillance. EFF remains committed to reform of Section 702. EFF intends to pursue further reforms to end the National Security Agency’s abuse of this authority.

The legislation also does not affect Executive Order 12333, which has been interpreted by the NSA to allow extensive spying both on foreigners and U.S. citizens abroad. Strictly speaking, we don’t need Congress to fix this — the President could do it himself — but legislation would ensure that a later President couldn’t reinstate 12333 on her own.

The legislation may not completely end suspicionless surveillance. With respect to call detail records, it allows the NSA to get a second set of records (a second “hop”) with an undefined “direct connection” to the first specific selection term. Because the “direct connection” standard is vague, the government may seek to construe that phrase to mean less than reasonable suspicion.

Finally, as with all legislation up to this point, the new USA FREEDOM continues to exclude meaningful protections for the rights of non-citizens.

A Meaningful First Step

The USA FREEDOM Act of 2014 is a real first step because it creates meaningful change to NSA surveillance right now, while paving the way for the public to get more information about what the NSA is doing. We believe that this legislation will help ensure that the NSA reform conversation in Congress continues, rather than shutting it down. That’s why we urge Congress to support the Senate version of USA FREEDOM and pass it without any changes that will weaken its provisions.

Please help us pass this bill. Speak out today.

EFF, ACLU Join Idaho Mom’s Legal Challenge to NSA Surveillance

This story originally appeared Wednesday, July 16, 2014 at the website of the Electronic Frontier Foundation.

Court of Appeals Agrees to Expedite Case Over Telephone Records Collection

Coeur d’Alene, Idaho – The Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU) and the American Civil Liberties Union of Idaho have announced they will join Anna Smith’s legal team in her challenge of the government’s bulk collection of the telephone records of millions of innocent Americans.

Smith, an emergency neonatal nurse and pregnant mother of two, filed her suit against President Obama and several U.S. intelligence agencies shortly after the government confirmed revelations that the National Security Agency (NSA) was conducting bulk collection of telephone records under Section 215 of the Patriot Act. Smith, a customer of Verizon Wireless, one of the companies that was ordered to disclose records to the NSA, argued the program violated her First and Fourth Amendment rights by collecting a wealth of detail about her familial, political, professional, religious and intimate associations.

“When I found out that the NSA was collecting records of my phone calls, I was shocked,” said Smith, who is also represented by her husband, Peter J Smith IV, and Idaho State Rep. Luke Malek. “I have heard of other governments spying indiscriminately on their own citizens, but I naively thought it did not happen in America. I believe who I call, when I call them, and how long we talk is not something the government should be able to get without a warrant. I sued because I believe the Constitution protects my calls from government searches. I am thrilled that the American Civil Liberties Union and Electronic Frontier Foundation agreed to assist us in this case. What Americans can reasonably expect to remain private is an issue of monumental importance.”

When U.S. District Judge Lynn Winmill dismissed Smith’s case, he expressed grave concerns about the privacy implications of the NSA’s surveillance but said that he believed that a 1979 Supreme Court case about targeted surveillance tied his hands. Smith is now appealing to the Ninth Circuit Court of Appeals.

EFF and the ACLU have each litigated numerous First and Fourth Amendment lawsuits, including ongoing cases over this very NSA program. The ACLU is a plaintiff in a case currently pending before the Second Circuit Court of Appeals to be heard in early September. EFF has two cases before the Northern California Federal court. Smith v. Obama represents another opportunity to halt this mass surveillance.

“Anna Smith proves that a single citizen has the power to stand up for her rights and challenge the government when it tramples them,” EFF Legal Director Cindy Cohn said. “EFF is proud to lend our expertise in pursuing her appeal, which could very well be one of the cases that makes it to the Supreme Court.”

The court has granted Smith’s motion to expedite the case, with the opening brief due on Sept. 2, 2014.

“The call records program needlessly invades the privacy of millions of people,” said ACLU Deputy Legal Director Jameel Jaffer. “Even the President has acknowledged that the NSA does not need to collect information about every phone call in order to track the associations of suspected terrorists. Dragnet surveillance on this scale is both unconstitutional and unnecessary.”

NSA Spying: Now It’s Personal

This article first appeared July 11 on the website of the Electronic Frontier Foundation.

By Eva Galperin and Nadia Kayyali

Imagine that you watched a police officer in your neighborhood stop ten completely ordinary people every day just to take a look inside their vehicle or backpack. Now imagine that nine of those people are never even accused of a crime. They just happened to be in the wrong place at the wrong time. Even the most law-abiding person would eventually protest this treatment. In fact—they have.

Now replace police officers with the NSA. The scenario above is what the NSA is doing with our communications, under cover of its twisted interpretation of Section 702 of the FISA Amendments Act. The Washington Post has revealed that “Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets.” Additionally, “[n]early half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents.”

The thousands of pages of documents that provide the basis for the article are not raw content. Rather, as Barton Gellman, one of the authors of the article, states in a follow-up published several days later: “Everything in the sample we analyzed had been evaluated by NSA analysts in Hawaii, pulled from the agency’s central repositories and minimized by hand after automated efforts to screen out U.S. identities.”

What that means is that if you’re on the Internet, you’re in the NSA’s neighborhood—whether you are in the U.S. or not. And like those who protest unjust policies like stop and frisk in their cities, you should be protesting this treatment.

This revelation is significant because it proves the point privacy and civil liberties advocates have been making for years: NSA surveillance is not narrowly targeted. EFF’s legal fight against the NSA’s warrantless mass surveillance program has been ongoing since 2006, but The Washington Post’s statistics about 160,000 intercepts they have analyzed from the Snowden files indicate that even what the NSA calls “targeted” surveillance is far from narrow in scope.  In fact, it is so bloated that we should all be questioning its necessity and efficacy at this point. Taken hand in hand with The Intercept’s article outlining the targeting of five civil rights and political leaders from the Muslim-American community, our outrage should be palpable.

What’s more, the report comes on the heels of a debate specifically about Section 702 that has been brewing in Congress for months, as civil liberties champions like Senator Ron Wyden and Representative Zoe Lofgren question and work to address how the NSA uses this authority. This revelation should make it clear to the Senate when it considers the USA FREEDOM Act: Section 702 needs to be reformed. Cosmetic changes to NSA spying, or even substantive changes to Section 215 bulk telephone records collection, are insufficient. Unbridled, unconstitutional collection of the contents of communications needs to end.

The Washington Post article is based on a comprehensive review of thousands of pages of documents. In fact, as the article points out: “No government oversight body, including the Justice Department, the Foreign Intelligence Surveillance Court, intelligence committees in Congress or the president’s Privacy and Civil Liberties Oversight Board, has delved into a comparably large sample of what the NSA actually collects.” What’s more, these are documents that government officials have repeatedly insisted Edward Snowden would never have been able to access.

Regardless of the government’s denials, Snowden did have these documents, and now we know at least some of what they contained. So does Congress. So there’s no excuse anymore for the type of maneuvering that led to the gutting of USA FREEDOM in the House.  More importantly, there’s no excuse for the Senate to ignore Section 702 when it considers USA FREEDOM.

Real NSA reform from Congress will, among other things, shut the backdoor that allows the NSA to access Americans’ communications. It will also end collection of communications “about” a target.

Of course, none of this solves the problem of how NSA surveillance affects non-U.S. persons. One of the shocking things about The Washington Post’s article is its description of the communications intercepted:

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

We are no longer talking about statistics. We are talking about real people going about their daily lives. It is not surprising to learn that in the course of its investigations, the NSA gathers up a considerable number of communications that prove to be insignificant, irrelevant, or (as is the case with communications between US persons) outside the scope of their work. What is shocking is that the NSA keeps this enormous trove of personal data about people it should not be watching in the first place. It appears that the unspoken coda to General Alexander’s “collect it all” motto is “and never throw it away.”

The bottom line is this: The Internet is a global neighborhood. We shouldn’t feel unsafe there. But the NSA doesn’t seem to care.

The good news is, we can do something. Take action now. Go to https://www.standagainstspying.org and see how your elected representative stacks up when it comes to reforming the NSA, tweet at them, and send a letter to President Obama urging him to use his executive authority to reform the NSA now. You can also take action by contacting lawmakers here. If you are overseas, you can sign the letter to President Obama. You can also endorse the Necessary and Proportionate principles. Take back the Internet.

International Treaty Negotiations Go Further Underground with Unprecedented Secrecy Around Meetings in Canada

This post, written by EFF Global Policy Analyst Maira Sutton, was originally published on the foundation’s website July 8.

EFF is in Ottawa this week for the Trans-Pacific Partnership (TPP) negotiations, to influence the course of discussions over regressive digital policy provisions in this trade agreement that could lead to an increasingly restrictive Internet. But this round is different from the others—the secrecy around the talks is wholly unprecedented. The Canadian trade ministry, which is hosting this round of talks, has likely heightened the confidentiality due to the mass public opposition that is growing against this undemocratic, corporate-driven trade deal.

The trade offices from the 12 countries negotiating this deal no longer pre-announce details about the time and location of these negotiations. They don’t bother releasing official statements about the negotiations because they no longer call these “negotiation rounds” but “officials’ meetings.” But the seeming informality of these talks is misleading—negotiators are going to these so-called meetings to secretly pull together a deal. As far as we know, they’re still discussing whether they could expand the international norm of copyright terms to make it even longer. They are negotiating provisions that could lead to users getting censored and filtered over copyright, with no judicial oversight or consideration for fair use. And trade delegates are deliberating how much of a crime they should make it if users break the DRM on their devices and content, even if users don’t know it’s illegal and the content they’re unlocking isn’t even restricted by copyright in the first place.

So for this negotiation, we had to rely on rumors and press reports to know when and where it was even happening. At first, there were confirmed reports that the next TPP meeting would take place at a certain luxury hotel in downtown Vancouver. So civil society began to mobilize, planning events in the area to engage users and members of the public about the dangers of TPP. Then seemingly out of the blue, the entire negotiating round was moved across the country to Ottawa. There’s no way to confirm whether this was a deliberate misdirection, but either way it felt very fishy.

Given this level of secrecy, it goes without saying that there will be no room for members of civil society or the public to engage directly with TPP negotiators. Towards the beginning of TPP talks, we were given 15 minutes to present to stakeholders, in addition to a stakeholder event that allowed us to hang around a big room to meet and pass information to negotiators who walked by. Then it was cut down to ten minutes (after we made some noise that it was going to be cut down to a mere eight minutes). In the following rounds, the stakeholder event was completely removed from the schedules of the official rounds. These didn’t provide sufficient time to convey to negotiators the major threats we saw in this agreement, so those events already seemed to be a superficial nod to public participation. But now, they don’t even pretend to give us their ear.

Of course, corporate lobbyists continue to have easy access to the text. Advisors to major content industries can comment and read the text of the agreement on their private computers. But those of us who represent the public interest are left to chase negotiators down the halls of hotels to let our concerns be heard and known to them.

As we watch TPP crawl its way towards getting finalized, signed, and eventually taint our laws with its one-sided corporate agenda, we need to continue to remember this fact: laws made in secret, with no public oversight or input, are illegitimate. That is not how law is made in democracies. If we’re to defend the fundamental democratic rule that law is based on transparent, popular consensus, we need to fight back against an agreement that engages in such a secretive, corporate-captured process.

Additional Resources:

Michael Geist: Why The Secrecy on the TPP Talks in Ottawa This Week? Because There is Something to Hide

Council of Canadians: Secretive critical talks on the Trans Pacific Partnership happening in Ottawa

EFF: Is Your Android Device Telling the World Where You’ve Been?

This post, written by technology projects director Peter Eckersley and staff technologist Jeremy Gillula, was originally published on the EFF website.

Do you own an Android device? Is it less than three years old? If so, then when your phone’s screen is off and it’s not connected to a Wi-Fi network, there’s a high risk that it is broadcasting your location history to anyone within Wi-Fi range who wants to listen.

This location history comes in the form of the names of wireless networks your phone has previously connected to. These frequently identify places you’ve been, including homes (“Tom’s Wi-Fi”), workplaces (“Company XYZ office net”), churches and political offices (“County Party HQ”), small businesses (“Toulouse Lautrec’s house of ill-repute”), and travel destinations (“Tehran Airport wifi”). This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes, in human language, places where you’ve spent enough time to use the Wi-Fi. Normally, eavesdroppers would need to spend some effort extracting this sort of information from the latitude/longitude history typically discussed in location privacy analysis. But even when networks seem less identifiable, there are ways to look them up.

The Electronic Frontier Foundation briefly mentioned this problem during our recent post about Apple deciding to randomize MAC addresses in iOS 8. As EFF pointed out there, Wi-Fi devices that are not actively connected to a network can send out messages that contain the names of networks they’ve joined in the past in an effort to speed up the connection process. But after writing that post, EFF became curious just how many phones actually exhibited that behavior, and if so, how much information they leaked. To our dismay, we discovered that many of the modern Android phones EFF tested leaked the names of the networks stored in their settings (up to a limit of 15). And when EFF looked at these network lists, we realized that they were, in fact, dangerously precise location histories.

Aside from Android, some other platforms also suffer from this problem and will need to be fixed, although for various reasons, Android devices appear to pose the greatest privacy risk at the moment.

In Android, EFF traced this behavior to a feature introduced in Honeycomb (Android 3.1) called Preferred Network Offload (PNO). PNO is supposed to allow phones and tablets to establish and maintain Wi-Fi connections even when they’re in low-power mode (i.e. when the screen is turned off). The goal is to extend battery life and reduce mobile data usage, since Wi-Fi uses less power than cellular data. But for some reason, even though none of the Android phones EFF tested broadcast the names of networks they knew about when their screens were on, many of the phones running Honeycomb or later (and even one running Gingerbread) broadcast the names of networks they knew about when their screens were turned off.
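To see what a device you own is announcing, the network names can be read out of its probe request frames. The following is an added example, not EFF's or Google's code: it assumes each frame starts at the 802.11 header (capture header and FCS already stripped), the function names are hypothetical, and the sample frames are constructed by hand using the network names quoted above.

```python
import struct

MGMT_HEADER_LEN = 24      # frame control, duration, three addresses, sequence control
PROBE_REQUEST_FC0 = 0x40  # version 0, type 0 (management), subtype 4 (probe request)
TAG_SSID = 0              # information element ID that carries the network name

def build_probe_request(src_mac, ssid):
    """Build a minimal probe request (no capture header, no FCS) as test input."""
    bcast = b"\xff" * 6
    header = struct.pack("<BBH6s6s6sH", PROBE_REQUEST_FC0, 0, 0, bcast, src_mac, bcast, 0)
    rates = b"\x01\x04\x02\x04\x0b\x16"  # supported-rates element
    return header + bytes([TAG_SSID, len(ssid)]) + ssid + rates

def probed_ssid(frame):
    """Return the SSID a probe request names, "" for a wildcard probe,
    or None when the frame is not a well-formed probe request."""
    if len(frame) < MGMT_HEADER_LEN or frame[0] != PROBE_REQUEST_FC0:
        return None
    pos = MGMT_HEADER_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None  # element runs past the end of the frame
        if tag == TAG_SSID:
            if length > 32:  # an SSID is at most 32 bytes
                return None
            return value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None

def leaked_networks(frames, device_mac):
    """Distinct network names that device_mac announced in directed probes."""
    names = []
    for frame in frames:
        ssid = probed_ssid(frame)
        # Bytes 10..15 of the header hold the transmitter (source) address.
        if ssid and frame[10:16] == device_mac and ssid not in names:
            names.append(ssid)
    return names

# Constructed sample frames (not captured traffic).
MY_PHONE = bytes.fromhex("020000000001")
OTHER = bytes.fromhex("020000000002")
SAMPLE = [build_probe_request(MY_PHONE, b""),  # wildcard probe: names no network
          build_probe_request(MY_PHONE, b"Tom's Wi-Fi"),
          build_probe_request(MY_PHONE, b"County Party HQ"),
          build_probe_request(MY_PHONE, b"Tom's Wi-Fi"),
          build_probe_request(OTHER, b"Company XYZ office net")]
print(leaked_networks(SAMPLE, MY_PHONE))
```

A device that sends only wildcard probes yields an empty list; any name that appears is one the device is announcing to everyone in range.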

Response From Google

When EFF brought this issue to Google’s attention, it responded:

We take the security of our users’ location data very seriously and we’re always happy to be made aware of potential issues ahead of time. Since changes to this behavior would potentially affect user connectivity to hidden access points, we are still investigating what changes are appropriate for a future release.

Additionally, yesterday a Google employee submitted a patch to wpa_supplicant that fixes this issue. While we are glad this problem is being addressed so quickly, it will still be some time before that fix gets integrated into the downstream Android code. And even then, Android fragmentation and the broken update process for non-Google Android devices could delay or even prevent many users from receiving the fix. (We hope Google can make progress on this problem, too.)

Protective Steps You Can Take Today

With that said, a workaround is available (for most devices) for users who want to protect their privacy right now: Go into your phone’s “Advanced Wi-Fi” settings and set the “Keep Wi-Fi on during sleep” option to “Never.” Unfortunately, this will cause a moderate increase in data usage and power consumption — something users shouldn’t have to do in order to keep their phone from telling everyone everywhere they’ve been.

Unfortunately, on at least one device we tested — a Motorola Droid 4 running Android 4.1.2 — even this wasn’t sufficient. On the Droid 4, and perhaps on other phones, the only practical way to prevent the phone from leaking location is to manually forget the networks you don’t want broadcast, or disable Wi-Fi entirely whenever you aren’t actively connecting to a known Wi-Fi network. You can also find apps that will do this automatically for you.

Location history is extremely sensitive information. We urge Google to ship their fix as soon as possible, and other Android distributors to offer prompt updates containing it.