FAQ: Privacy Activist’s Guide To Why The Surveillance State’s Fusion Centers Matter

This handy FAQ was compiled by Electronic Frontier Foundation activist Nadia Kayyali and originally published on the foundation’s website on April 7.

While NSA surveillance has been front and center in the news recently, fusion centers are a part of the surveillance state that deserve close scrutiny.

Fusion centers are a local arm of the so-called “intelligence community,” the 17 intelligence agencies coordinated by the National Counterterrorism Center (NCTC). The government documentation around fusion centers is entirely focused on breaking down barriers between the various government agencies that collect and maintain criminal intelligence information.

Barriers between local law enforcement and the NSA are already weak. We know that the Drug Enforcement Agency gets intelligence tips from the NSA which are used in criminal investigations and prosecutions. To make matters worse, the source of these tips is camouflaged using “parallel construction,” meaning that a different source for the intelligence is created to mask its classified source.

This story demonstrates what we called “one of the biggest dangers of the surveillance state: the unquenchable thirst for access to the NSA’s trove of information by other law enforcement agencies.” This is particularly concerning when NSA information is used domestically. Fusion centers are no different.

In fact, in early 2012, the Foreign Intelligence Surveillance Court approved the sharing of raw NSA data with the NCTC. The intelligence community overseen by the NCTC includes the Department of Homeland Security and FBI, the main Federal fusion center partners. Thus, fusion centers—and even local law enforcement—could potentially be receiving unminimized NSA data. This runs counter to the distant image many people have of the NSA, and it’s why focusing on fusion centers as part of the recently invigorated conversation around surveillance is important.

What are fusion centers?

Fusion centers are information centers that enable intelligence sharing between local, State, tribal, territorial, and Federal agencies. They are actual physical locations that house equipment and staff who analyze and share intelligence.

How many are there?

There are 78 recognized fusion centers listed on the Department of Homeland Security (DHS) website.

Who works at fusion centers?

Fusion centers are staffed by local law enforcement and other local government employees as well as Department of Homeland Security personnel. DHS “has deployed over 90 personnel, including Intelligence Officers and Regional Directors, to the field.” Staffing agreements vary from place to place. Fusion centers are often also colocated with FBI Joint Terrorism Task Forces.

What do fusion centers do?

Fusion centers enable unprecedented levels of bi-directional information sharing between State, local, tribal, and territorial agencies and the Federal intelligence community. Bi-directional means that fusion centers allow local law enforcement to share information with the larger Federal intelligence community, while enabling the intelligence community to share information with local law enforcement. Fusion centers allow local cops to get—and act upon—information from agencies like the FBI.

Fusion centers are also key to the National Suspicious Activity Reporting Initiative (NSI), discussed below.

What is suspicious activity reporting?

The government defines suspicious activity reporting (SAR) as “official documentation of observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.” SARs can be initiated by law enforcement, by private sector partners, or by “see something, say something” tips from citizens. They are then investigated by law enforcement.

What is the National Suspicious Activity Reporting Initiative?

NSI is an initiative to standardize suspicious activity reporting. The NSI was conceived in 2008, and started with an evaluation project that culminated in a January 2010 report describing how NSI would encompass all fusion centers. It appears significant progress has been made towards this goal.

The evaluation project included so-called Building Communities of Trust (BCOT) meetings which focused “on developing trust among law enforcement, fusion centers, and the communities they serve to address the challenges of crime and terrorism prevention.”

BCOT “community” events involved representatives from local fusion centers, DHS, and FBI traveling to different areas and speaking to selected community representatives and civil rights advocates about NSI. These were invite-only events with the clear purpose of attempting to engender community participation and garner support from potential opponents such as the ACLU.

So what’s wrong with Suspicious Activity Reporting and the NSI?

SARs do not meet legally cognizable standards for search or seizure under the Fourth Amendment. Normally, the government must satisfy reasonable suspicion or probable cause standards when searching a person or place or detaining someone. While SARs themselves are not a search or seizure, they are used by law enforcement to initiate investigations, or even more intrusive actions such as detentions, on the basis of evidence that does not necessarily rise to the level of probable cause or reasonable suspicion. In other words, while the standard for SAR sounds like it was written to comport with the constitutional standards for investigation already in place, it does not.

In fact, the specific set of behaviors listed in the National SAR standards include innocuous activities such as:

“taking pictures or video of facilities, buildings, or infrastructure in a manner that would arouse suspicion in a reasonable person,” and “demonstrating unusual interest in facilities, buildings, or infrastructure beyond mere casual or professional (e.g. engineers) interest such that a reasonable person would consider the activity suspicious. Examples include observation through binoculars, taking notes, attempting to measure distances, etc.”

These standards are clearly ripe for abuse of discretion.

Do fusion centers increase racial and religious profiling?

The weak standards around SAR are particularly concerning because of the way they can lead to racial and religious profiling. SARs can originate from untrained civilians as well as law enforcement, and as one woman pointed out at a BCOT event, “people who might already be a little racist who are ‘observing’ a white man photographing a bridge are going to view it a little differently than people observing me, a woman with a hijab, photographing a bridge.” The bottom line is that bias is not eliminated by so-called observed behavior standards.

Furthermore, once an investigation into a SAR has been initiated, existing law enforcement bias can come into play; SARs give law enforcement a reason to initiate contact that might not otherwise exist.

Unsurprisingly, as with most tools of law enforcement, public records act requests have shown that people of color often end up being the target of SARs:

One review of SARs collected through Public Records Act requests in Los Angeles showed that 78% of SARs were filed on non-whites. An audit by the Los Angeles Police Department’s Inspector General puts that number at 74%, still a shockingly high number.

A review of SARs obtained by the ACLU of Northern California also shows that most of the reports demonstrate bias and are based on conjecture rather than articulable suspicion of criminal activity. Some of the particularly concerning SARs include titles like “Suspicious ME [Middle Eastern] Males Buy Several Large Pallets of Water” and “Suspicious photography of Folsom Dam by Chinese Nationals.” The latter SAR resulted in police contact: “Sac[ramento] County Sheriff’s Deputy contacted 3 adult Asian males who were taking photos of Folsom Dam. They were evasive when the deputy asked them for identification and said their passports were in their vehicle.” Both of these SARs were entered into FBI’s eGuardian database.

Not only that, there have been disturbing examples of racially biased informational bulletins coming from fusion centers. A 2009 “North Central Texas Fusion Center Prevention Awareness Bulletin” implies that tolerance towards Muslims is dangerous and that Islamic militants are using methods such as “hip-hop boutiques” and “online social networks” to indoctrinate youths in America.

Do fusion centers facilitate political repression?

Fusion centers have been used to record and share information about First Amendment protected activities in a way that aids repressive police activity and chills freedom of association.

A series of public records act requests in Massachusetts showed: “Officers monitor demonstrations, track the beliefs and internal dynamics of activist groups, and document this information with misleading criminal labels in searchable and possibly widely-shared electronic reports.” The documents included intelligence reports addressing issues such as internal group discussions and protest planning, and showed evidence of police contact.

For example, one report indicated that “Activists arrested for trespassing at a consulate were interviewed by three surveillance officers ‘in the hopes that these activists may reach out to the officers in the future.’ They were asked about their organizing efforts and for the names of other organizers.”

Who oversees the National Suspicious Activity Reporting Initiative?

The NSI is led by the Program Manager for the Information Sharing Environment (PM-ISE) in collaboration with the DHS and the FBI. The ISE is “the people, projects, systems, and agencies that enable responsible information sharing for National security.” The PM-ISE, currently Kshemendra Paul, oversees the development and implementation of the ISE. The position was created by the Intelligence Reform and Terrorism Prevention Act of 2004.

If this all sounds confusing, that’s because it is: the entire intelligence community is a plethora of duplicative agencies with overlapping areas of responsibility.

What kind of information do fusion centers have?

Staff at fusion centers have access to a variety of databases. Not all staff have the same level of clearances, and the entire extent of what is available to fusion centers is unclear. But we do know certain facts for sure:

Fusion centers have access to the FBI’s eGuardian database, an unclassified companion to the FBI’s Guardian Threat Tracking System. “The Guardian and eGuardian systems . . . have a bi-directional communication ability that facilitates sharing, reporting, collaboration, and deconfliction among all law enforcement agencies.”

Fusion centers also have access to DHS’ Homeland Security Data Network and its companion, the Homeland Security Information Network (HSIN). These systems provide access to terrorism-related information residing in DoD’s classified network. It is worth noting that HSIN was hacked in 2009 and was considered so problematic that it was briefly decommissioned entirely.

Fusion centers have access to other information portals including the FBI’s Law Enforcement Online portal, Lexis Nexis, the Federal Protective Service portal, and Regional Information Sharing Systems.

Finally, as discussed above, we know that unminimized NSA data can be shared with the National Counterterrorism Center, which means that fusion centers could be in receipt of such data.

What Federal laws apply to fusion centers?

Because they are collaborative, legal authority over fusion centers is blurred, perhaps purposefully. However, there are some Federal laws that apply. The Constitution applies, and fusion centers arguably interfere with the First and Fourth Amendments.

28 Code of Federal Regulations Part 23 governs certain Federal criminal intelligence systems. The “Fusion Center Guidelines . . . call for the adoption of 28 CFR Part 23 as the minimum governing principles for criminal intelligence systems.” 28 CFR 23.20 requires reasonable suspicion to collect and maintain criminal intelligence and prohibits collection and maintenance of information about First Amendment protected activity “unless such information directly relates to criminal conduct or activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.” Finally, it prohibits inclusion of any information collected in violation of local law.

Section 552(a)(e)(7) of the Privacy Act prohibits Federal agencies, in this case DHS personnel who work at fusion centers, from maintaining any “record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity.” A 2012 U.S. Senate Permanent Subcommittee on Investigations report on fusion centers stated: “The apparent indefinite retention of cancelled intelligence reports that were determined to have raised privacy or civil liberties concerns appears contrary to DHS’s own policies and the Privacy Act.”

What State or local laws apply to fusion centers?

Fusion centers are sometimes bound by local and state laws. The law enforcement agencies that feed information into centers may also be restricted in terms of what information they can gather.

The Northern California Regional Intelligence Center, located in San Francisco, CA, serves as a good example of how State and local regulations can apply to a fusion center. NCRIC works with law enforcement partners around the region and stores criminal intelligence information. The California constitution has a right to privacy and California has other laws that address privacy and criminal intelligence. These should cover NCRIC.

The San Francisco Police Department’s relationship with NCRIC also serves as a good example of the applicability of local laws. SFPD participates in suspicious activity reporting, but is also bound by a number of restrictions, including Department General Order 8.10, which heavily restricts intelligence gathering by the SFPD, as well as the sanctuary city ordinance, which prohibits working with immigration enforcement. While the fusion center would not be bound by these regulations on its own, the SFPD is.

Who funds fusion centers?

Fusion centers are funded by Federal and State tax dollars. Estimates of exactly how much funding fusion centers get from these sources are difficult to obtain. However, there are some numbers available.

For 2014, the Homeland Security Grant Program, which is the Federal grant program that funds fusion centers, has $401,346,000 available in grant funds. The grant announcement emphasizes that funding fusion centers and integrating them nationally is a high priority. This is an approximately $50 million increase over last year’s allocation—somewhat shocking in light of the critiques around fusion center funding that have been raised by Congress.

A 2008 Congressional Research Service report states that the average fusion center derives 31% of its budget from the Federal government. Those numbers may have changed now.

Has there been any discussion about fusion centers at the Federal level?

Yes, but not enough. In October of 2012, fusion centers were the subject of an extremely critical report from the U.S. Senate Permanent Subcommittee on Investigations. The bipartisan report focused on the waste, ineptitude, and civil liberties violations at fusion centers. The report revealed that fusion centers spent tax dollars on “gadgets such as ‘shirt button’ cameras, $6,000 laptops and big-screen televisions. One fusion center spent $45,000 on a decked-out SUV…” Regarding the information produced by fusion centers, the report noted that fusion centers produced “‘intelligence’ of uneven quality – oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protections, occasionally taken from already-published public sources, and more often than not unrelated to terrorism.”

This report recommended a hard look at fusion center funding, but that clearly has not happened. They are still operating across the country with Federal funding. In fact, their funding has even been increased.

What about at the local level?

There are grassroots privacy advocates in multiple cities fighting to get more information about fusion centers and how their local law enforcement participates in them. These efforts have been frustrated by stonewalling of public records act requests and uneducated, or at times dishonest, public officials.

Have any regulations been passed or proposed?

To date, only one place has passed regulations around fusion centers. Berkeley, CA, passed a policy in September 2012 that the Berkeley Police Department can only submit suspicious activity reports after establishing reasonable suspicion of criminal behavior, and put in place an audit of SARs.

Massachusetts is also considering changes to fusion centers. SB 642 would strictly limit collection and dissemination of criminal intelligence information and would require a yearly audit of the Massachusetts Commonwealth Fusion Center.

What can I do?

Fusion centers are an area ripe for grassroots organizing. Groups like the StopLAPD Spying Coalition, which put together a “People’s Audit” of SARs in LA, provide excellent examples of how this can happen. Public records act requests can be leveraged to get information about what your local law enforcement is doing. Grassroots organizing and education can get people and elected officials talking about this issue.

On April 10, activists across the country will be participating in “Stop the Spy Centers: a national day of action against fusion centers.” These activists have three demands: 1. Shut down fusion centers, 2. De-fund fusion centers, and 3. Release all suspicious activity reports and secret files.

While April 10 is one day of action, the conversation around fusion centers must continue hand in hand with our national discourse around NSA, CIA, and FBI surveillance.

Where can I get more information about fusion centers?


EFF: Websites Must Use HSTS In Order To Be Secure

This article, written by Electronic Frontier Foundation technologist Jeremy Gillula, was originally published on the organization’s website on April 4.

You would think that by now the Internet would have grown up enough that things like online banking, email, or government websites would rely on thoroughly engineered security to make sure your data isn’t intercepted by attackers. Unfortunately when it comes to the vast majority of websites on the Internet, that assumption would be dead wrong. That’s because most websites (with a few notable exceptions) don’t yet support a standard called HSTS—HTTP Strict Transport Security.

Why is lack of HSTS even an issue? To see what could go wrong, imagine the following common scenario. You’re in a coffee shop and you want to check your bank account. You pop open your laptop, connect to the free wifi, load up your web browser, and type in your bank’s URL. No security alerts pop up when you load the page, and there’s even a padlock icon next to the address, so you go ahead and log in. Unfortunately, you could very well have just sent your login information to a potential attacker.

The way the attack worked is as follows. When your browser first tried to contact the bank’s server and load its homepage via HTTP, the attacker intercepted the request to connect and prevented it from getting there (perhaps by having his laptop pretend to be that free wifi hot-spot). He then sent your request to the bank’s server himself. When he got the response back (i.e. the webpage to load, the images to display, etc.) he stripped out any links that would initiate a secure HTTPS connection, modified the page so that it would show the padlock icon next to the address (by setting a padlock as the favicon), and sent it back to your laptop. Of course these kinds of attacks have been automated. The result is a page that looks identical in your web browser—the only difference is that it’s not secured, and the attacker can read everything you send to the server and everything that gets sent back.

But why couldn’t your browser detect the attack? The problem is that modern browsers display prominent security alerts only when a website’s security credentials appear suspicious—if a website connects over a secure channel and everything appears OK nothing much happens, and the same is true if the website connects over a normal, insecure channel. Without HSTS, browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank’s website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead). HSTS fixes that by allowing servers to send a message to the browser saying “Hey! Connections to me should be encrypted!” and allowing browsers to understand and act on that message.
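The two paragraphs above describe the downgrade attack and the browser-side rule that defeats it: once a site has said “connections to me should be encrypted,” the browser must remember that and refuse to fetch the site over plain HTTP. The following is an added example written for this article, not code from EFF or from any browser: a small model of a browser’s HSTS policy store. It parses the `Strict-Transport-Security` response header (the `max-age` and `includeSubDomains` directives from RFC 6797), records the policy only when the header arrived over HTTPS (a header seen over plaintext could itself have been injected by the attacker in the coffee shop), honours expiry and `max-age=0` withdrawal, and rewrites `http://` URLs to `https://` for remembered hosts. The host names and header values are constructed for illustration.

```python
"""Minimal model of a browser's HSTS policy store (RFC 6797).

Added illustration, not code from the EFF article or any browser.
Host names and header values in the tests are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the
    header is unusable (no valid max-age directive). Unknown
    directives are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, param = directive.partition("=")
        name = name.strip().lower()
        param = param.strip().strip('"')
        if name == "max-age":
            if not param.isdigit():
                return None
            max_age = int(param)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Remembers which hosts have asked to be contacted only over HTTPS."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._policies = {}          # host -> (expiry_timestamp, include_subdomains)

    def observe_response(self, url, headers):
        """Record an HSTS policy from a response. Returns True if recorded.

        `headers` is assumed to be a dict with lower-cased header names.
        A policy is honoured only when the response itself came over
        HTTPS; over plain HTTP an on-path attacker could have set it.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        value = headers.get("strict-transport-security")
        if value is None:
            return False
        parsed = parse_hsts_header(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 withdraws the policy
            return True
        self._policies[host] = (self._clock() + max_age, include_subdomains)
        return True

    def is_known_host(self, host):
        """True if `host`, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry <= now:
                continue                     # expired; treat as absent
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade http:// to https:// for hosts with an active policy.

        This is the step that defeats the coffee-shop downgrade: the
        plaintext request never leaves the browser.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

On the server side the whole mechanism is one response header sent over HTTPS; in nginx, for instance, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. Note that the first visit to a site the browser has never seen is still unprotected, which is why browsers also ship a preloaded list of HSTS hosts; the store above does not model preloading.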

So why haven’t more websites enabled HSTS? The biggest reason, we fear, is that web developers just don’t know about it. Another problem is that support for HSTS in browsers has been incomplete: only Chrome, Firefox, and Opera have had HSTS support for a significant period. This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9. For now, Internet Explorer doesn’t support HSTS—which means that there’s basically no such thing as a secure website in IE.

In response to questions from EFF about this situation, a Microsoft spokesperson told EFF that the company would now commit to supporting HSTS in the next major release of Internet Explorer (we aren’t sure whether we have persuaded Microsoft to implement HSTS sooner, though that seems quite likely, and is great news). This means that with the next major release of IE, every major browser will support properly secured websites.

In the meantime, what can users do to make sure their connections are secure? One option would be to use EFF’s HTTPS Everywhere browser extension. HTTPS Everywhere automatically tells your browser to use secured connections on many (but not all) websites that support them; on many domains it functions like a client-initiated equivalent of the server-side HSTS mechanism.

But what if you’re stuck using a browser that doesn’t support HSTS or HTTPS Everywhere, or a website that doesn’t support HSTS? For now all a savvy user can do is to always carefully examine the address of the site you’ve loaded, and verify that it’s secure by checking to make sure it has “https” in the front and is the precise address you want to visit. Unfortunately this assumes that you know ahead of time (and remember) whether or not a site should be secure, and are meticulous with every website you visit. This is obviously a huge burden to place on users—it makes a lot more sense to automate the process via HSTS, and it’s about time website operators the world over picked up the slack and did so.

EFF: An NSA ‘Reform Bill’ of the Intelligence Community, Written by the Intelligence Community, and for the Intelligence Community

This post, written by legislative analyst Mark Jaycox, was originally published by the Electronic Frontier Foundation on April 2.

Representatives Mike Rogers and Dutch Ruppersberger, the leaders of the House Intelligence Committee, introduced HR 4291, the FISA Transparency and Modernization Act, to end the collection of all Americans’ calling records using Section 215 of the Patriot Act. Both have vehemently defended the program since June, and it’s reassuring to see two of the strongest proponents of the National Security Agency’s actions agreeing with privacy advocates’ (and the larger public’s) demands to end the program. The bill needs only 17 lines to stop the calling records program, but it weighs in at more than 40 pages. Why? Because the “reform” bill tries to create an entirely new government “authority” to collect other electronic data.

Collecting All Americans’ Calling Records Is So 2012

The bill only ends the government collection of all Americans’ calling records using Section 215 of the Patriot Act — a good, albeit very small, first step. It also tries to prohibit the mass collection of other records like firearm sales and tax records. Unfortunately, it may still allow the government to argue for such collection as long as the NSA uses a “specific identifier or selection term.” In short: The government may still try to search these records and potentially other records. The bill leaves almost all of Section 215 as-is, the sole fix being that the section would no longer apply to calling records. The bill also stays mum on the NSA’s ability to mass spy on financial records, credit card records or other purchasing records using Section 215.

Collecting All Americans’ Internet Records Is The Future

The next 20 pages of the bill create a process where the government sends orders directed at electronic communication service providers for the collection of “records created as a result of communications of an individual or facility.”

The words simply switch out one form of unconstitutional mass collection for another. And this latter version is even scarier than the mass collection of Americans’ calling records. A “facility” could include an entire internet service provider (ISP) like Comcast or company like Google. And the bill’s use of “electronic communication” doesn’t use the definition found in the Foreign Intelligence Surveillance Act (FISA), but the one found in criminal law, which includes any transfer of data like uploaded documents to the cloud, calendar entries or address book entries. Under the bill, the government might try to argue that the order can collect any type of record created as the result of any “electronic communication” as long as the communication is of an agent of a foreign power or someone in contact with the agent or foreign power. This is an incredibly broad standard.

What’s worse is that the order doesn’t need prior judicial approval of who is targeted, where the information is supposed to be collected and why the government is searching for the information. The new order could collect the content of the communication or U.S. personal information like credit card numbers, Social Security numbers, names or addresses. That’s because the order must only be “reasonably designed” to not acquire such information. There is no mandate in the bill banning such collection or deleting such information upon collection.

The new order has “civil liberties and privacy protection procedures,” written by the Attorney General and the Director of National Intelligence. But don’t let the name fool you. The procedures only have to “reasonably limit” the collection, retention or searching of records not useful for foreign intelligence information. It’s too bad that “foreign intelligence information” is essentially defined in FISA to mean “everything.” The procedures are reviewed every year by the FISA court; and once accepted, the government sends out orders to companies for records without any additional judicial approval.

The above procedures to minimize certain information (“minimization procedures”) take after ones found in Section 702 of the Foreign Intelligence Surveillance Amendments Act, which is used to unconstitutionally mass collect innocent users’ phone calls and emails. Unfortunately, the procedures in Section 702 fail at even nominally protecting innocent users’ communications. Section 702 requires the procedures to be “reasonably designed” to exclude wholly domestic American communications. Despite the fact that the FISA court found the NSA collecting tens of thousands of such emails, the court thought NSA’s targeting procedures were still “reasonable.” We also know that the procedures fail time after time and are designed to retain and search the very communications the NSA isn’t supposed to be retaining and searching. Both are good reasons to think such procedures won’t work for the bill’s newly devised order. We won’t even know how much they fail (or succeed) because the procedures are filed in secret and stamped classified. Keeping the law secret worked out well in the past, so it should work out well in the future, right?

The bill is what’s expected from the House Intelligence Committee. The committee was created to oversee the intelligence community, but it has been co-opted for quite some time. Though it stops the mass collection of all Americans’ calling records, the bill’s creation of a new order to conduct unconstitutional mass spying on any record created by a communication is disturbing. And it’s a bill that will surely fail to pass Congress when real reform bills that would stop all uses of Section 215 to conduct mass spying, like the USA Freedom Act, are already on the table. Tell Congress now to support NSA reform that will stop every government use of Section 215 to mass spy on innocent users.

EFF Statement On Proposals To Overhaul NSA Spying

This article, compiled by legal director Cindy Cohn and legislative analyst Mark M. Jaycox, was originally published by the Electronic Frontier Foundation on March 25.

Today we learned that the Obama Administration and the House Intelligence Committee are both proposing welcome and seemingly significant changes to the mass telephone records collection program. Both the Obama Administration and the Intelligence Committee suggest that mass collection end with no new data retention requirements for telephone companies. This is good news, but we have not seen the details of either. And details, as we have learned, are very important in assessing suggested changes to the National Security Agency’s mass spying.

But comparing what we know, it appears that the Obama Administration’s proposal requires significantly more judicial review — not just reviewing procedures, but reviewing actual search requests — so it’s preferable to the Intelligence Committee’s approach.

Yet a new legislative proposal isn’t necessary here. There is already a bill ending bulk collection. It’s called the USA FREEDOM Act, by Judiciary Committee chairs Senator Patrick Leahy and Representative Jim Sensenbrenner. It’s a giant step forward and better than either approach floated today since it offers more comprehensive reform, although some changes are still needed. We urge the Administration and the Intelligence Committees to support the USA FREEDOM Act.

Or better still, we urge the Administration to simply decide that it will stop misusing section 215 of the Patriot Act and section 702 of the FISA Amendments Act and Executive Order 12333 and whatever else it is secretly relying on to stop mass spying. The executive branch does not need Congressional approval to stop the spying; nothing Congress has done compels it to engage in bulk collection. It could simply issue a new executive order requiring the NSA to stop.

Also, the Obama Administration does not go beyond the telephone records programs, which are important, but are only a relatively small piece of the NSA’s surveillance and, by itself, won’t stop mass surveillance. We continue to believe that comprehensive public review is needed through a new Church Committee to ensure that all of the NSA’s mass surveillance is brought within the rule of law and the Constitution. Given all the various ways that the NSA has overreached, piecemeal change is not enough.

Microsoft Says: Come Back With A Warrant, Unless You’re Microsoft

This article, written by Andrew Crocker, originally appeared March 21, 2014 on the website of the Electronic Frontier Foundation.

EFF has long argued that law enforcement agencies must get a warrant when they ask Internet companies for the content of their users’ communications. In 2013, as part of our annual Who Has Your Back report, we started awarding stars to companies that require warrants for content. It is now unclear whether Microsoft, one of our inaugural “gold star” companies in that category, is willing to live by its own maxim.

This controversy was brought to light by the arrest of an ex-Microsoft employee named Alex Kibkalo. According to a criminal complaint sworn in a Seattle federal court, Kibkalo stole proprietary information from Microsoft, including its Activation Server Software Development Kit (SDK), and passed the code to a French blogger. The complaint alleges that Kibkalo committed criminal trade secret theft. What’s troubling is that the FBI’s basis for the arrest was an open-ended, warrantless search of a Hotmail user’s account, conducted by Microsoft itself.

In September 2012, Microsoft’s internal security team received a tip that an anonymous blogger was in possession of the SDK source code. Conveniently for Microsoft, however, the French blogger, who has not been accused of any crime, communicated with Microsoft’s tipster using Hotmail. Since Microsoft runs Hotmail, it simply searched through the contents of that email account for evidence of the SDK leak. Gallingly, the Kibkalo complaint states that Microsoft’s Office of Legal Compliance signed off on this “content pull.”

At first blush, Microsoft’s unilateral decision to rifle through its user’s emails sounds like a violation of the Electronic Communications Privacy Act, ECPA. We at EFF have called for critical updates to ECPA’s privacy protections, but the law is fundamentally designed to protect email from this kind of snooping, albeit with some narrow exceptions.

Microsoft’s initial statement in response explained, “While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances.” Realizing that this wouldn’t cut it, the company’s deputy general counsel subsequently announced a new policy for conducting these searches in the future:

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.

Unfortunately, this new policy just doubles down on Microsoft’s indefensible and tone-deaf actions in the Kibkalo case. It begins with a false premise: that courts do not issue orders in these circumstances because Microsoft was searching “itself,” rather than the contents of its user’s email on servers it controlled.

To the contrary, if Microsoft’s independent legal team concluded that there was probable cause, it could have passed the tipster’s information to the FBI to obtain a warrant and conduct the search under the auspices of the criminal justice system. The warrant protections enshrined in the Constitution would be preserved, ECPA would be satisfied, and Microsoft could have claimed the high moral ground. Instead, Microsoft has opted for an internal corporate shadow court.

To be sure, the process described in Microsoft’s statement bears more than a passing resemblance to a standard criminal investigation, with a prosecutorial team building a case and then presenting it to an ostensibly neutral third party, a retired federal judge no less. Let’s call it Warrants for Windows!

The monumental problem here is that Microsoft’s process has none of the protections provided by our legal system. No matter how fairly this process operates in any particular situation, approval by an employee paid by Microsoft, no matter how well qualified, is not approval of a “neutral and detached magistrate,” as required by the Fourth Amendment. Similarly, the protections provided to criminal suspects by the Fifth and Sixth Amendments wouldn’t apply to Microsoft’s internal investigation. In short, “Come back with a warrant” is meaningless when the FBI doesn’t get involved until after all the evidence has been collected.

Yet another colossal problem with Microsoft’s policy is its potential for abuse. Microsoft’s initial statement explained that the Microsoft Services Agreement (TOS) granted it “permission” to conduct the searches. But a brief check of these terms shows that Microsoft reserves the right to conduct searches in far more scenarios than merely “exceptional circumstances.” That’s because Section 5.2 of the TOS states:

Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content . . . when Microsoft forms a good faith belief that doing so is necessary . . . . (b) to enforce this agreement or protect the rights or property of Microsoft or our customers[.]

And according to Section 3.5, one of the ways users can violate the agreement and thus give Microsoft “permission” to access their content is to email content that violates the company’s Code of Conduct. Spoiler alert: the Code of Conduct is ridiculously broad.

A few examples of things that would violate the Code of Conduct and allow search and disclosure of Hotmail email content:

Emailing “links to external sites that violate this Code of Conduct” such as by “depict[ing] nudity of any sort.” So you’re out of luck if you wanted to send your friend a link to Wikipedia, because the encyclopedia contains a fair number of articles containing nudity. Nor could you link to a Peanuts cartoon, because Snoopy is eternally pantsless, and Microsoft specifically prohibits links to “nudity in non-human forms such as cartoons.”

Similarly, linking to external content that violates the Code by “incit[ing] [or] express[ing] … profanity.” That means no YouTube, because it has, for example, clips of George Carlin’s Seven Dirty Words routine.

“[P]romoting or otherwise facilitate[ing] the purchase and sale of ammunition or firearms.” Best to unsubscribe from that NRA mailing list.

Presumably, Microsoft isn’t using these sorts of violations as an excuse to rifle through its users’ emails. But when it relies on permission from its TOS to do so, it reserves the right to abuse.

The search in the Kibkalo case may have revealed criminal activity, but it was also conducted in Microsoft’s self-interest, which is an exceedingly dangerous precedent. Combined with the kangaroo court potential of the company’s new internal Warrants for Windows policy, Microsoft is playing with fire. It should have followed its own advice and asked the FBI to step in with a warrant.

EFF: Los Angeles Cops Argue All Cars In LA Are Under Investigation

This article, written by senior staff attorney Jennifer Lynch, was originally published by the Electronic Frontier Foundation.

The Freedom of Information Act is not the only law the public can use to obtain records from the government. Most States have similar laws for accessing documents on the State and local levels. In California, the Electronic Frontier Foundation is using the California Public Records Act to learn what new technologies local law enforcement agencies are using and whether these technologies violate our rights.

Do you drive a car in the greater Los Angeles Metropolitan area? According to the L.A. Police Department and L.A. Sheriff’s Department, your car is part of a vast criminal investigation.

The agencies took a novel approach in the briefs they filed in EFF and the ACLU of Southern California’s California Public Records Act lawsuit seeking a week’s worth of Automatic License Plate Reader (ALPR) data. They have argued that “All [license plate] data is investigatory.” The fact that it may never be associated with a specific crime doesn’t matter.

This argument is completely counter to our criminal justice system, in which we assume law enforcement will not conduct an investigation unless there are some indicia of criminal activity. In fact, the 4th Amendment was added to the U.S. Constitution exactly to prevent law enforcement from conducting mass, suspicionless investigations under “general warrants” that targeted no specific person or place and never expired.

ALPR systems operate in just this way. The cameras are not triggered by any suspicion of criminal wrongdoing; instead, they automatically and indiscriminately photograph all license plates (and cars) that come into view. This happens without an officer targeting a specific vehicle and without any level of criminal suspicion. The ALPR system immediately extracts the key data from the image — the plate number and time, date and location where it was captured — and runs that data against various hotlists. At the instant the plate is photographed not even the computer system itself — let alone the officer in the squad car — knows whether the plate is linked to criminal activity.

Taken to an extreme, the agencies’ arguments would allow law enforcement to conduct around-the-clock surveillance on every aspect of our lives and store those records indefinitely on the off-chance they may aid in solving a crime at some previously undetermined date in the future. If the court accepts their arguments, the agencies would then be able to hide all this data from the public.

However, as EFF argued in the Reply brief filed in the case last Friday, the accumulation of information merely because it might be useful in some unspecified case in the future certainly is not an “investigation” within any reasonable meaning of the word.

LAPD And LASD Recognize Privacy Interest In License Plate Data

In another interesting turn in the case, both agencies fully acknowledged the privacy issues implicated by the collection of license plate data.

LAPD stated in its brief:

[T]he privacy implications of disclosure [of license plate data] are substantial. Members of the public would be justifiably concerned about LAPD releasing information regarding the specific locations of their vehicles on specific dates and times. . . . LAPD is not only asserting vehicle owners’ privacy interests. It is recognizing that those interests are grounded in federal and state law, particularly the California Constitution. Maintaining the confidentiality of ALPR data is critical . . . in relation to protecting individual citizens’ privacy interests

The sheriff’s department recognized that ALPR data tracked “individuals’ movement over time” and that, with only a license plate number, someone could learn “personal identifying information” about the vehicle owner (such as the owner’s home address) by looking up the license plate number in a database with “reverse lookup capabilities such as LexisNexis and Westlaw.”

The agencies use the fact that ALPR data collection impacts privacy to argue that — although they should still be allowed to collect this information and store it for years — they should not have to disclose any of it to the public. However, the fact that the technology can be so privacy invasive suggests that we need more information on where and how it is being collected, not less. This sales video from Vigilant Solutions shows just how much the government can learn about where you’ve been and how many times you’ve been there when Vigilant runs their analytics tools on historical ALPR data. We can only understand how LA police are really using their ALPR systems through access to the narrow slice of the data we’ve requested in this case.

EFF will be arguing these points and others at the hearing on its petition for writ of mandate in Los Angeles Superior Court, Stanley Mosk Courthouse, this coming Friday at 9:30 a.m.

EFF Victories In 2 FOIA Cases: Court Rules Government’s Arguments ‘Clearly Inadequate’ To Support Claims

This article, written by senior staff attorney Jennifer Lynch, was originally published by the Electronic Frontier Foundation.

Sunshine Week is often a time for transparency advocates to collectively lament about government secrecy and institutional resistance to accountability. But the week of advocacy is also an opportunity to highlight how, through patience and a lot of court motions, organizations such as the Electronic Frontier Foundation can pry important documents from agencies that would rather operate in the shadows.

The Electronic Frontier Foundation recently won favorable rulings in two hard-fought Freedom of Information Act cases involving reports of intelligence agency misconduct and agency attempts to mandate backdoors into Internet communications. In light of recent revelations about illegal National Security Agency and FBI surveillance, the records produced in these cases could not be more timely.

EFF V. CIA: Reports Of Intelligence Agency Misconduct

In EFF v. CIA, first filed in 2009, EFF sought reports of illegal intelligence activities submitted to the Intelligence Oversight Board. A judge has since ordered the government to release previously withheld documents about agency misconduct or come up with new arguments to justify the secrecy. Because of the government’s requests for deadline extensions, the records are now due March 21.

These reports were prepared by the FBI, the Department of Defense, the Office of the Director of National Intelligence and the Department of Homeland Security. This latest ruling may result in the further disclosure of significant government misconduct. The reports EFF obtained so far under FOIA have revealed:

These records have helped Congress and the courts to understand the scope of Federal intelligence agency misconduct. However, the agencies continue to withhold hundreds of documents from the public.

The court agreed with EFF that the agencies failed to justify their withholdings. The court said the government’s arguments were “clearly inadequate” and that the agencies’ “generalized assertions and boilerplate fall far short of the detail required to demonstrate that information was properly withheld under FOIA.”

By their nature, these reports detail illegal activities that, according to executive order and statute, may not be classified or withheld under FOIA. Given this, and given the fact that EFF requested these records more than five years ago, it is hoping the government will do the right thing and release them.

EFF v. DOJ: Expansion Of Electronic Surveillance Laws

A court has also ordered the Department of Justice to hand over documents in EFF’s FOIA lawsuit to obtain information that the government may be using to justify an expansion of a law that aids Federal wiretapping.

In EFF v. DOJ, filed in 2010, EFF sued the DOJ, the FBI and the Drug Enforcement Administration to get information on problems that hamper electronic surveillance and could justify or undermine the Barack Obama Administration’s calls for expanded surveillance powers.

Over the past few years, Federal agencies have been pushing Congress to expand the Communications Assistance for Law Enforcement Act (CALEA) to require communications service providers from Google to Skype to Facebook to Sony to build surveillance-ready “backdoors” into their systems. However, other than a couple of extremely vague anecdotes, the agencies have failed to provide any evidence that their investigations have been thwarted without such a fix. In EFF’s FOIA requests, it sought this very information.

As discussed in detail here, the government withheld a significant amount of material, claiming it was “outside the scope” of EFF’s FOIA request. The government also argued it was entitled to withhold names of Internet service providers that had helped it conduct surveillance, because it would hurt these companies’ bottom line if their customers knew they were working with the government. The court agreed with EFF that both of these arguments lacked merit and ordered the government to release records. It’s a great win and reinforces important case law for FOIA requesters in the 9th Circuit.

These Opinions Are Good For The Public, But They Aren’t Enough

The opinions in these cases show that courts continue to be concerned that the government is withholding more information from the public than it is entitled to. And they both reinforce important precedent for FOIA requesters.

However, the cases also reinforce the belief that the current system of government transparency is broken. In EFF v. CIA, EFF submitted its first requests for records in 2008. Once EFF filed its motion for summary judgment in the case, it took the court more than a year and a half to rule on the motion. It has now been more than five years since EFF filed that request, and the government continues to withhold a majority of the records.

The second case, EFF v. DOJ, isn’t much better. In that case, EFF filed its requests in 2010 and then waited nearly a year for the government to finish processing records that were then either withheld in full or produced but almost completely blacked out. EFF went through two rounds of summary judgment briefing — a year apart — on the same documents and issues before the court finally ruled in its favor — a full six months after EFF argued the motion. And EFF is still waiting for records.

As EFF has stated before, given the failings of the standard transparency process, there has to be room and support for whistle-blowers to act alongside the FOIA process. These insiders can expose government hypocrisy and illegal activities without the public having to rely on tenacious lawyers — and wait many years — to learn about these activities.

EFF is currently negotiating with the government about the release of final records in these cases and will post those records on its site when it receives them.

EFF: Former Members Call On Congress To Create A New Church Committee

This article, written by legislative analyst Mark Jaycox, was originally published by the Electronic Frontier Foundation:

Monday marks the second day of “Sunshine Week”—a week to focus on the importance of open government and how to ensure accountability of our leaders at the federal, state, and local levels.

When US intelligence agencies were caught spying on Americans 40 years ago, Congress answered the public outcry by creating an investigative task force to bring these covert, and potentially illegal, practices into the light. The Church Committee, as it was commonly known because of its chairman, Sen. Frank Church, interviewed 800 people, held 271 hearings and published volumes upon volumes of reports, all of which paved the way for reform.

Today, we are publishing a letter signed by 16 former counsel, advisers, and professional staff members of the Church Committee, calling on Congress to create a new special committee to investigate the NSA and other intelligence agencies. This new “Church Committee for the 21st Century” would conduct a thorough examination of the oversight system currently in place (including the House and Senate Intelligence Committees) and the intelligence community’s actions (such as the CIA spying on Senate staff and the NSA spying on all Americans).

They write:

As former members and staff of the Church Committee we can authoritatively say: the erosion of public trust currently facing our intelligence community is not novel, nor is its solution. A Church Committee for the 21st Century—a special congressional investigatory committee that undertakes a significant and public reexamination of intelligence community practices that affect the rights of Americans and the laws governing those actions—is urgently needed. Nothing less than the confidence of the American public in our intelligence agencies and, indeed, the federal government, is at stake.

Read the full letter here, or download it here. Last week, Frederick A.O. Schwarz Jr., who served as chief counsel to the Church Committee, also published an editorial in The Nation, titled “Why We Need a New Church Committee to Fix Our Broken Intelligence System.”

For some heavy reading that will leave you with a sense of surveillance déjà vu, you can also peruse the Church Committee’s historic reports here.

Guess Who Just Made The List: A Guide To The Internet’s Biggest Enemies

The Electronic Frontier Foundation’s Director for International Freedom of Expression Jillian York wrote this post, which originally appeared on the foundation’s website on Thursday.

Reporters Without Borders (RSF) released its annual “Enemies of the Internet” index this week—a ranking first launched in 2006 intended to track countries that repress online speech, intimidate and arrest bloggers, and conduct surveillance of their citizens.  Some countries have been mainstays on the annual index, while others have been able to work their way off the list.  Two countries particularly deserving of praise in this area are Tunisia and Myanmar (Burma), both of which have stopped censoring the Internet in recent years and are headed in the right direction toward Internet freedom.

In the former category are some of the world’s worst offenders: Cuba, North Korea, China, Iran, Saudi Arabia, Vietnam, Belarus, Bahrain, Turkmenistan, Syria.  Nearly every one of these countries has amped up their online repression in recent years, from implementing sophisticated surveillance (Syria) to utilizing targeted surveillance tools (Vietnam) to increasing crackdowns on online speech (Saudi Arabia).  These are countries where, despite advocacy efforts by local and international groups, no progress has been made.

The newcomers

A third, perhaps even more disheartening category, is the list of countries new to this year’s index.  A motley crew, these nations have all taken new, harsh approaches to restricting speech or monitoring citizens:

Russia: As RSF writes, Russia has been on a downward slope for more than a decade.  Until fairly recently, however, the Russian government did not directly censor the Internet, preferring instead to employ subtle strategies to control online discourse.  In 2012, that changed, when the Russian Duma overwhelmingly passed a bill allowing the creation of a national blacklist of websites.  Today, that blacklist continues to grow, while the government continues to seek new ways of limiting online speech.

Pakistan: We’ve expressed concerns about Pakistan many times before, so we’re glad to see the country called out for its repressive behavior.  Despite significant opposition from inside the country, the Pakistan Telecommunications Authority continues to add sites to its opaque blacklist, most notably YouTube following the ‘Innocence of Muslims’ debacle in 2012.  Efforts from local activists have also demonstrated the willingness of foreign companies—in particular Canadian company Netsweeper—to aid in Pakistan’s repression of speech.

United States: This is the first time the US has made it onto RSF’s list.  While the US government doesn’t censor online content, and pours money into promoting Internet freedom worldwide, the National Security Agency’s unapologetic dragnet surveillance and the government’s treatment of whistleblowers have earned it a spot on the index.

United Kingdom: The European nation has been dubbed by RSF as the “world champion of surveillance” for its recently-revealed depraved strategies for spying on individuals worldwide.  The UK also joins countries like Ethiopia and Morocco in using terrorism laws to go after journalists.  Not noted by RSF, but also important, is the fact that the UK is also cracking down on legal pornography, forcing Internet users to opt-in with their ISP if they wish to view it and creating a slippery slope toward overblocking.  This is in addition to the government’s use of an opaque, shadowy NGO to identify child sexual abuse images, sometimes resulting instead in censorship of legitimate speech.

India: A country that has long censored certain types of speech, it’s surprising that India has never made it to RSF’s list before.  Still, in the past two years, things have gotten significantly worse as the Indian government has enacted new laws to limit online speech and has slouched toward the NSA at a time when its neighbors have spoken out against surveillance.

Ethiopia: The African country has been on a downward spiral for the past few years, blocking VoIP services, sentencing bloggers to long prison sentences, and enacting laws to block online content.  Most recently, EFF filed a lawsuit accusing the Ethiopian government of installing spyware on the device of an American citizen of Ethiopian origin.  In a similar case, Privacy International filed a criminal complaint alleging the use of FinSpy on the device of a UK resident.

Missing from the list

There are a few countries that were left out of this year’s index that we think should have been included.  These nations have all taken a turn for the worse in recent years:

Turkey: Although Turkey has shown up on RSF’s watchlist before, and despite a spate of arrests of social media users during last summer’s protests, Turkey managed to stay off this year’s index.  The country has come under fire from human rights advocates for its online repression, and in 2012, the European Court of Human Rights found that Turkey had violated its citizens’ right to free expression by blocking Google sites.  Turkey is definitely an enemy of the Internet.

Jordan: Despite local protests and international opposition, in June 2013, Jordan initiated a ban on more than 300 news sites that refused or failed to register with the Press and Publications Department.  Those sites remain blocked.

Morocco: The North African nation’s approach to the Internet had improved somewhat in recent years, with the government unblocking sites that were formerly censored.  The arrest of journalist Ali Anouzla in September 2013 and subsequent blocking of Lakome, the publication he co-founded, however, seems to signal a new era.  Activists have expressed concern that bad legislation is just around the corner.

We urge the countries that find themselves on RSF’s “Enemies of the Internet” list this year—as well as those that are glaringly missing from the list—to take note of countries, such as Tunisia and Myanmar (Burma), which have taken steps to ameliorate violations of Internet freedom and remove themselves from RSF’s annual index.

EFF: Supreme Court Must Set Limits On Cellphone Searches

This article was originally published by the Electronic Frontier Foundation.

Changing Technology Demands New Rules for Police

San Francisco — The Electronic Frontier Foundation (EFF) asked the U.S. Supreme Court Monday to set limits on warrantless searches of cellphones, arguing in two cases before the court that changing technology demands new guidelines for when the data on someone’s phone can be accessed and reviewed by investigators.

The amicus briefs were filed in Riley v. California and U.S. v. Wurie. In both cases, after arresting a suspect, law enforcement officers searched the arrestee’s cellphone without obtaining a warrant from a judge. Historically, police have been allowed some searches “incident to arrest” in order to protect officers’ safety and to preserve evidence. However, in the briefs filed Monday, EFF argues that once a cellphone has been seized, the police should be required to get a search warrant to look through the data on the phone.

“Allowing investigators to search a phone at this point — after the device has been secured by law enforcement but before going to a judge and showing probable cause — is leaving 21st Century technology outside the protections of the Fourth Amendment,” said EFF Staff Attorney Hanni Fakhoury. “If we’re going to truly have privacy in the digital age, we need clear, common-sense guidelines for searches of digital devices, with meaningful court oversight of when and how these searches can be conducted.”

In the not-so-distant past, our pockets and purses carried only limited information about our lives. But in the age of the smartphone, we are walking around with a complete, detailed history of our work schedules, our medical concerns, our political beliefs and our financial situations. Our phones include pictures of family gatherings, videos of friends, apps that help manage our health and our money, and email and text messages from both our personal and professional lives.

“Our phones include an extraordinary amount of sensitive information — our past, our present, our plans for the future,” said Fakhoury. “We can’t let investigators rummage through this data on a whim. It’s time for the Supreme Court to recognize the important role that judicial oversight must play in searches of cell phones incident to arrest.”

Today’s brief was filed in conjunction with the Center for Democracy and Technology. The brief was authored with the assistance of Andrew Pincus of Mayer Brown LLP and the Yale Law School Supreme Court Clinic.

For the full brief filed in Riley and Wurie:
https://www.eff.org/document/amicus-brief-supreme-court

For more on search incident to arrest:
https://www.eff.org/issues/search-incident-arrest

Contact:

Hanni Fakhoury
Staff Attorney
Electronic Frontier Foundation
hanni@eff.org

Related Cases

Supreme Court cases on cellphone searches

EFF Tech Experts: Tech Companies Must Defend Against Surveillance

This open letter to tech companies was originally published by the Electronic Frontier Foundation. It includes 10 principles to protect users from National Security Agency sabotage.

In the past nine months, our trust in technology companies has been badly shaken. Today, in collaboration with prominent security researchers and technologists, EFF presents an open letter to technology companies, urging them to protect users from NSA backdoors and earn back the trust that has been lost.

From the Snowden revelations emerge stories of collusion between government spy agencies and the companies whose services are integral to our everyday lives. There have been disturbing allegations published by Reuters indicating that RSA, an influential information security firm, accepted a $10 million contract from NSA that included, among other items, an agreement to use what we now know to be an intentionally compromised random number generator as the default for its BSAFE cryptographic library.

A future where we cannot trust the very technologies meant to secure our communications is fundamentally unsustainable. It’s time for technology companies to start helping users regain trust, with transparency and active opposition to illegal surveillance. Implementing the requisite changes in technical infrastructure and business practices may have short-term costs; however, the long-term cost of keeping users in perpetual fear of NSA sabotage is far greater.

How to Protect Your Users from NSA Backdoors: An Open Letter to Technology Companies

As security researchers, technologists, and digital rights advocates, we are deeply concerned about collaboration between government agencies and technology companies in undermining users’ security. Among other examples, we are alarmed by recent allegations that RSA, Inc. accepted $10 million from NSA to keep a compromised algorithm in the default setting of a security product long after its faults were revealed. We believe that covert collusion with spy agencies poses a grave threat to users and must be mitigated with commitment to the following best practices to protect users from illegal surveillance:

  1. Provide public access to source code whenever possible, and adopt a reproducible build process so that others can verify the integrity of pre-compiled binaries. Both open and closed source software should be distributed with verifiable signatures from a trusted party and a path for users to verify that their copy of the software is functionally identical to every other copy (a property known as “binary transparency”).
  2. Explain choices of cryptographic algorithms and parameters. Make best efforts to fix or discontinue the use of cryptographic libraries, algorithms, or primitives with known vulnerabilities and disclose to customers immediately when a vulnerability is discovered.
  3. Hold an open and productive dialogue with the security and privacy communities. This includes facilitating review and responding to productive criticism from researchers.
  4. Provide a clear and secure pathway for security researchers to report vulnerabilities. Fix security bugs promptly.
  5. Publish government request reports regularly (often these are called “Transparency Reports”). Include the most granular reporting allowed by law.
  6. Invest in secure UX engineering to make it as easy as possible for users to use the system securely and as hard as possible for users to use the system unsafely.
  7. Publicly oppose mass surveillance and all efforts to mandate the insertion of backdoors or intentional weaknesses into security tools.
  8. Fight in court any attempt by the government or any third party to compromise users’ security.
  9. Adopt a principle of discarding user data after it is no longer necessary for the operation of the business.
  10. Always protect data-in-transit with strong encryption in order to prevent dragnet surveillance. Follow best practices for setting up SSL/TLS on servers whenever applicable.
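Item 1 above asks for signed, verifiable artifacts and reproducible builds. The following is an added example of what the user-side check looks like; it is not EFF's code nor any project's release tooling. It assumes the common `sha256sum`-style manifest format (`<hex digest>  <filename>`), constructs its own sample release bytes, and assumes the manifest's own signature from the trusted party has already been verified with the project's signing tool before this check runs.

```python
"""Added example: checking a downloaded build against a published SHA-256
manifest, and checking that independent rebuilds are byte-identical.

Not EFF's code and not any project's release tooling.  The manifest format
(sha256sum-style "<hex>  <name>" lines) is a common convention, and the sample
artifacts below are constructed for the example.  Verifying the signature on
the manifest itself is assumed to be done separately, before this check runs.
"""
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a complete artifact held in memory."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ("<64 hex chars>  <filename>") into {name: hex}.

    Malformed lines raise rather than being skipped: a silently ignored entry
    would turn a tampered manifest into a "nothing to verify" result.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        digest, name = parts
        # sha256sum prefixes names with '*' for binary mode; strip it.
        entries[name.lstrip("*")] = digest.lower()
    return entries


def make_manifest(files: dict) -> str:
    """Produce a sha256sum-style manifest for {name: bytes}, as a release
    process would publish (and then sign) alongside the binaries."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


def verify_artifacts(files: dict, manifest_text: str) -> dict:
    """Compare {name: bytes} against a manifest.

    Returns {name: status} with status one of "ok", "mismatch" (hash differs),
    "unlisted" (file not in manifest) or "missing" (manifest entry not supplied),
    so the caller sees every discrepancy, not just the first.
    """
    expected = parse_manifest(manifest_text)
    report = {}
    for name, data in files.items():
        if name not in expected:
            report[name] = "unlisted"
            continue
        actual = sha256_hex(data)
        # compare_digest avoids timing leaks; cheap insurance even for public hashes.
        report[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"
    for name in expected:
        if name not in files:
            report[name] = "missing"
    return report


def is_reproducible(builds: list) -> bool:
    """True when every independently produced build is byte-identical, which is
    what lets a third party vouch that a shipped binary matches the source."""
    return len({sha256_hex(b) for b in builds}) == 1


if __name__ == "__main__":
    # Constructed sample release: two "binaries" and the manifest that ships with them.
    release = {
        "app-1.0-linux-amd64": b"\x7fELF" + b"constructed sample binary",
        "app-1.0.tar.gz": b"\x1f\x8b" + b"constructed sample source tarball",
    }
    manifest = make_manifest(release)
    print(verify_artifacts(release, manifest))
    # A build from a second, independent machine must hash identically.
    print(is_reproducible([release["app-1.0-linux-amd64"],
                           b"\x7fELF" + b"constructed sample binary"]))
```

The report distinguishes a hash mismatch from a file the manifest never listed and from a listed file that was not supplied, because each points to a different failure (tampering or corruption, an unsigned extra download, or an incomplete release). `is_reproducible` is the consumer-side half of a reproducible build: a second party rebuilds from source and compares digests rather than trusting the vendor's binary.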

Sincerely,
The Electronic Frontier Foundation in collaboration with*:

  • Roger Dingledine, Project Leader, Tor Project
  • Brendan Eich, CTO, Mozilla Corporation
  • Matthew Green, Assistant Research Professor, Department of Computer Science, Johns Hopkins University
  • Nadia Heninger, Assistant Professor, Department of Computer and Information Science, University of Pennsylvania
  • Tanja Lange, Professor, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven
  • Nick Mathewson, Chief Architect, Tor Project
  • Eleanor Saitta, OpenITP / IMMI
  • Bruce Schneier, Security Technologist
  • Christopher Soghoian, Principal Technologist, Speech, Privacy and Technology Project, American Civil Liberties Union
  • Ashkan Soltani, Independent Researcher and Consultant
  • Brian Warner, Tahoe-LAFS Project
  • Zooko Wilcox-O’Hearn, Founder and CEO, LeastAuthority.com

*Affiliations listed for identification purposes only.

EFF: Support The Right To Repair The Goods You Purchase

This article, written by Electronic Frontier Foundation Intellectual Property Director Corynne McSherry, was originally published on the organization’s website on Feb. 18.

South Dakota has put forth new legislation to support a simple principle: if you own something, you ought to be allowed to fix it. The new bill, SB 136, would require manufacturers of electronics and appliances that contain embedded software to make available to consumers and independent repair shops the information and parts they need to repair those devices, and fully disclose any contract provision standing in the way of full repair and reuse.

That seems like a pretty uncontroversial goal, but lots of major manufacturers that purport to “sell” you all kinds of products are doing their level best to make sure that if your product breaks, only they (or someone they authorize) can repair it. They do this in all kinds of ways—by tying your purchase (or update) to an expensive repair contract; burying sneaky clauses into license agreements (remember, you might buy a device, but if it contains software to make it more functional you probably only “rent” that software); treating repair information (like diagnostic codes) as proprietary; or refusing to sell repair parts to “unauthorized” independent shops (and then calling in the feds to prosecute shops that sell those parts anyway).

That’s bad for consumers and for the environment—how often have many of us tossed a device into the trash, or recycled it, because repairing it was too expensive? If that device contains electronics, that casual decision added to the e-waste that is slowly poisoning the planet.

South Dakota isn’t the first state to step in to defend its residents’ right to repair. In Massachusetts, legislators and voters passed legislation requiring automakers to provide affordable access to all tools, software and information used to repair late model cars and heavy duty vehicles. That legislation will go into effect in 2015.

SB 136 in South Dakota isn’t perfect—we’d love to see an additional requirement that the information be freely accessible and online, for example—but it’s an important step in the right direction.

The bill was debated in the Commerce committee today, and will move on to a larger vote later this week. If you live in South Dakota, contact your state senator today and tell him or her to support SB 136.

EFF Explains The History Of Surveillance And The Black Community

February is Black History Month and that history is intimately linked with surveillance by the Federal government in the name of “national security.” Indeed, the history of surveillance in the African-American community plays an important role in the debate around spying today and in the calls for a Congressional investigation into that surveillance. Days after the first NSA leaks emerged last June, EFF called for a new Church Committee. We mentioned that Dr. Martin Luther King, Jr., was one of the targets of the very surveillance that eventually led to the formation of the first Church Committee. This Black History Month, we should remember the many African-American activists who were targeted by intelligence agencies. Their stories serve as cautionary tales for the expanding surveillance state.

The latest revelations about surveillance are only the most recent in a string of periodic public debates around domestic spying perpetrated by the NSA, FBI, and CIA. This spying has often targeted politically unpopular groups or vulnerable communities, including anarchists, anti-war activists, communists, and civil rights leaders.

Government surveillance programs, most infamously the FBI’s “COINTELPRO”, targeted Black Americans fighting against segregation and structural racism in the 1950s and 60s. COINTELPRO, short for Counter Intelligence Program, was started in 1956 by the FBI and continued until 1971. The program was a systemic attempt to infiltrate, spy on, and disrupt activists in the name of “national security.” While it initially focused on the Communist Party, in the 1960s its focus expanded to include a wide swathe of activists, with a strong focus on the Black Panther Party and civil rights leaders such as Dr. Martin Luther King, Jr.

FBI papers show that in 1962 “the FBI started and rapidly continued to gravitate toward Dr. King.” This was ostensibly because the FBI believed black organizing was being influenced by communism. In 1963 FBI Assistant Director William Sullivan recommended “increased coverage of communist influence on the Negro.” However, the FBI’s goal in targeting Dr. King was clear: to find “avenues of approach aimed at neutralizing King as an effective Negro leader,” because the FBI was concerned that he might become a “messiah.”

The FBI subjected Dr. King to a variety of tactics, including bugging his hotel rooms, photographic surveillance, and physical observation of King’s movements by FBI agents. The FBI’s actions went beyond spying on Dr. King, however. Using information gained from that surveillance, the FBI sent him anonymous letters attempting to “blackmail him into suicide.” The agency also attempted to break up his marriage by sending selectively edited “personal moments he shared with friends and women” to his wife.

The FBI also specifically targeted the Black Panther Party with the intention of destroying it. They infiltrated the Party with informants and subjected members to repeated interviews. Agents sent anonymous letters encouraging violence between street gangs and the Panthers in various cities, which resulted in “the killings of four BPP members and numerous beatings and shootings,” as well as letters sowing internal dissension in the Panther Party. The agency also worked with police departments to harass local branches of the Party through raids and vehicle stops. In one of the most disturbing examples of this, the FBI provided information to the Chicago Police Department that aided in a raid on BPP leader Fred Hampton’s apartment. The raid ended with the Chicago Police shooting Hampton dead.

The FBI was not alone in targeting civil rights leaders. The NSA also engaged in domestic spying that included Dr. King. In an eerily prescient statement, Senator Walter Mondale said he was concerned that the NSA “could be used by President ‘A’ in the future to spy upon the American people, to chill and interrupt political dissent.”

The Church Committee was created in response to these and other public scandals, and was charged with getting to the bottom of the government’s surveillance overreach. In response to its findings, Congress passed new laws to provide privacy safeguards, including the Foreign Intelligence Surveillance Act. But ever since these safeguards were put in place, the intelligence community has tried to weaken or operate around them. The NSA revelations show the urgent need to reform the laws governing surveillance and to rein in the intelligence community.

Today we’re responding to those domestic surveillance abuses by an unrestrained intelligence branch. The overreach we’ve seen in the past underscores the need for reform. Especially during Black History Month, let’s not forget the speech-stifling history of US government spying that has targeted communities of color.

EFF: What Pete Seeger Can Teach Us About The NSA

This article, written by EFF Legal Director Cindy Cohn, was originally published by the organization on Feb. 1. Editor’s Note: Many of Personal Liberty’s readers likely disagree with the late Pete Seeger’s political positions. But as Americans are increasingly confronted with government intrusions on privacy, Seeger’s reaction to government prying in his personal life is worth noting.

“I am not going to answer any questions as to my association, my philosophical beliefs, or how I voted in any election, or any of these private affairs. I think these are very improper questions for any American to be asked, especially under such compulsion as this.”

Pete Seeger, 1955, testimony pursuant to subpoena before the House Un-American Activities Committee.

The world lost a clear, strong voice for peace, justice, and community with the death of singer and activist Pete Seeger last week. While Seeger was known as an outspoken musician not shy about airing his political opinions, it’s also important to remember he was once persecuted for those opinions, despite breaking no law. And the telling of this story should give pause to those who claim to be unconcerned about the government’s metadata seizure and search programs that reveal our associations to the government today.

In 1955, Seeger was called before the House Un-American Activities Committee, where he defiantly refused to answer questions about others who he associated with and who shared his political beliefs and associations, believing Congress was violating his First Amendment rights. He was especially concerned about revealing his associations:

I will be glad to tell what songs I have ever sung, because singing is my business. . . . But I decline to say who has ever listened to them, who has written them, or other people who have sung them.

But if the same thing were to happen today, a Congressional subpoena and a public hearing wouldn’t be necessary for the government to learn all of our associations and other “private affairs.” Since the NSA has been collecting and keeping them, they could just get that same information from their own storehouses of our records.

According to the Constitution, the government is supposed to meet a high standard before collecting this private information about our associations, especially the political ones that the Congressmen were demanding of Seeger. For instance, under the First Amendment, it must “serve compelling state interests, unrelated to the suppression of ideas, that cannot be achieved through means significantly less restrictive of associational freedoms.”

It doesn’t matter whether the government wants associations to look for possibly “illegal” activities of civil rights activists, Communist sympathizers, anarchists, trade unionists, war resisters, gun rights activists, environmental activists, drug legalization advocates, or wants to go after legitimate criminals and potential terrorists, if the government can’t justify the collection of this “metadata” on this “strict scrutiny” standard, they’re not allowed to collect any of it. Yet right now, they collect all of it.

We’re still learning of all the ways the government is able to track our associations without anything like the due process and standards required by the First and Fourth Amendments, but it is the centerpiece of the NSA’s mass telephone records collection program under Patriot Act section 215, which EFF is fighting with our First Unitarian Church v. NSA case that focuses on the right of association. Our lead client, the First Unitarian Church of Los Angeles, had its own role in resisting the House Un-American Activities Committee. It’s also part and parcel of the mass collection of content and metadata of people all around the world under section 702 of the FISA Amendments Act. And it’s a real concern even if the companies hold the data, as we’ve seen with the FBI’s self-certified National Security Letters and the Hemisphere program, where AT&T employees are embedded in government investigations so that they can more readily search through our phone records for the FBI, the DEA and others.

Each of these programs effectively allows the government to do to you what Pete Seeger refused to let them do to him—track your associations, beliefs and other private affairs without proper legal protections. And they can do this at a scale that was unimaginable in 1955, thanks to the digital nature of our communications, the digital tools that allow them to search automatically rather than by hand, and the fact that so much more about these private affairs is in the hands of third parties like our phone and internet companies.

While Seeger escaped jail, he was convicted of contempt for his failure to answer these questions. Thankfully Joseph McCarthy and the Un-American Activities Committees were later widely condemned, and Americans understandably look back sadly and with embarrassment on the time when the Committee forced Americans to reveal their own associations, along with the associations and beliefs of others. With the passing of moral and artistic heroes like Seeger, we should redouble our efforts to make sure that our “private affairs” remain safe and the government’s ability to access them remains subject to careful controls.

Join EFF on February 11 to fight back against mass surveillance.

Free Sgt. Star: Army Ignores FOIA Request for Artificial Intelligence Records

This article, written by media relations coordinator and investigative researcher Dave Maass, was originally published by the Electronic Frontier Foundation.

Sgt. Star is a 6-foot-1, clean-shaven, strong-jawed white male, with eyes that match the camouflage pattern on his combat uniform. His voice is deep, authoritative and carefully enunciative. He seems to be in his 30s, but he is actually only about 7 years old.

Sgt. Star is not a real person, or at least not a corporeal one. He is a chatbot — an artificial intelligence program designed to hold conversations — that was commissioned by the U.S. Army to help with recruitment efforts. He can recognize questions and dispense answers, verbally and in text, and also help the user surf the GoArmy.com website. According to marketing materials, he has answered more than 11 million questions so far.

Last year, the Electronic Frontier Foundation filed a request with the Army to see if EFF could obtain him, or elements of him, through the Freedom of Information Act. More than 75 calendar days have passed, and the Army still hasn’t responded — not even to say it’s withholding the records.

Contemplation of military service is one of the most personal and life-altering decisions an American can undertake, with lasting consequences. EFF is interested in learning how Sgt. Star works, what questions he was programmed to answer and whether the Army has found the project effective. As electronic privacy advocates, EFF also hopes to determine what happens to the records of conversations Sgt. Star has with potential recruits.

As chatbots grow in popularity, particularly in a commercial setting (a reporter from TIME even discovered a chatbot posing as a telemarketer), Sgt. Star is often pointed to as a successful model of how this technology can be used as a replacement for humans in providing customer service. The SGT STAR project (officially, it’s all-caps) began in 2007 with a partnership between U.S. Army Accession Command and the Spokane, Wash.-based company Next IT, which sells “intelligent virtual assistants” to businesses. In the years since Sgt. Star’s inception, he has expanded beyond his GoArmy interface and potential recruits can now interact with him through Facebook or download him to their mobile phones via an app launched by the Army last year. Sgt. Star also makes appearances at public events, such as NASCAR races and Future Farmers of America gatherings, where users can talk to a full-size projection developed by the Institute for Creative Technologies at University of Southern California.

EFF contacted programmer Bruce Wilcox, two-time winner of the Loebner Prize for Artificial Intelligence (aka “The First Turing Test”) for advice on what to ask for in a FOIA request. Wilcox suggested EFF seek Sgt. Star’s input patterns (all the phrases and keywords Sgt. Star is pre-programmed to recognize) and the scripted output answers (all the possible things Sgt. Star could say). In the FOIA letter, EFF requested these files as they existed for each year between 2007 and 2013, in order to compare how Sgt. Star’s answers evolved to reflect developments in global conflicts, changes to military benefit packages and new policies, such as the repeal of “Don’t Ask, Don’t Tell.”

To cover its bases, EFF widened the FOIA request to include all contracts regarding Sgt. Star, all annual and quarterly reports that reference Sgt. Star, any audits, and any privacy policies associated with the program. EFF also asked for whatever analytical data might be available, such as the number of conversations Sgt. Star has had, the duration of those conversations, the general geolocation of the users (broadly), the number of conversations that resulted in direct communication with a human recruiter and any estimate of manpower saved by using the AI.

Once EFF crafted the request, the next challenge was to determine which agency was responsible for Sgt. Star. With the disestablishment of the Accession Command in September 2012, it was unclear which division had inherited Sgt. Star. EFF started with the public affairs office of the U.S. Army Recruiting Command (USAREC) in Fort Knox, Ky. From there, EFF’s request bounced to the Army Marketing and Research Group, a new division created in October 2012. A representative initially said he would follow up in a week and get EFF whatever he could. That was last November, and EFF has yet to receive any further response, despite a follow-up letter filed shortly after the Army missed the 20-day FOIA response deadline. EFF even sent the Army a note that it was writing this blog post.

The Army can’t argue that none of the records EFF requested can be released. Sgt. Star’s individual responses are already publicly available on the Internet, provided a user enters all of the possible questions into the chat interface, so there’s no reason the script should not be available in aggregate. Next IT uses basic Sgt. Star statistics in its marketing materials. For example, the program has a 94 percent accuracy rate in answering questions and the average user interacted with the program for 10.4 minutes. The fact that a private company can access this data, but the public cannot, raises questions about both privacy and government transparency.

When filing a FOIA request like this, it’s important to anticipate how the release of information would serve the public interest. Military recruitment practices have long been a subject of public controversy, whether it’s regarding protests over recruiters on school campuses or the use of video games to spur combat interest in youths. Everyone from veteran advocates to peace activists to budget watchdogs could review how the Army uses emerging technology to inform and persuade potential recruits. Social commentators could create satire through an augmented version of Sgt. Star by plugging his input and output scripts into a publicly available chatbot engine. EFF is especially concerned with how personal data is collected, stored and shared beyond what is disclosed in the online privacy policy for chatting with human recruiters. As government transparency activists, EFF also wants to ensure that digital records stored in unconventional databases are in the public domain.

When the Army Marketing and Research Group was founded, the division’s director, Mark S. Davis, said its mission was to “make the Army more transparent to the American public; explained in a way that is accessible and shows how truly extraordinary the U.S. Army and the American Soldier are.” If he still believes that, his office should let the American people see how truly extraordinary the Army’s virtual recruiter is by responding to EFF’s FOIA request.

Free Sgt. Star.

EFF: Government Views On Fair Use Troubling For Small Content Creators

This article, written by electronic freedom activist Parker Higgins and attorney Mitch Stoltz, was originally published by the Electronic Frontier Foundation.

Copyright reform hearings continue to lumber along in the House of Representatives, with Tuesday’s in the Judiciary Committee marking the seventh in as many months. This hearing was dedicated to “The Scope of Fair Use,” and though the panel of witnesses was more diverse than in some of the earlier hearings, there were still some disappointing trends in the conversation.

One area that got significant attention was the topic of mass digitization, which has been repeatedly determined by courts to be a fair and transformative use. Not only is it fair, but as Professor Peter Jaszi noted during the hearing it is also tremendously beneficial, enabling the indexing and searching of huge sets of works.

Several panelists, however, pointed to the legal status of mass digitization as evidence of “fair use creep,” stressing its supposed lack of “transformative” quality over the other fair use considerations. That’s a mistake. Mass digitization is absolutely the sort of thing fair use is supposed to enable. Fair use is a flexible doctrine, not a rigid list of exceptions, so that it can accommodate changes in practices or technology.

Even more troublingly, some panelists seemed fixated on the commercial character of a use in determining whether it could be considered fair. On the one hand, the Supreme Court is abundantly clear that commercial use does not preclude a finding of fair use. But to listen to some of the panelists Tuesday, the notion seemed to be that if anybody is making money, rightsholders want a cut—or worse, the power to veto the use in the first place. The definition of commercial use, too, was stretched to its breaking point: according to one panelist, an otherwise non-commercial video remix can be tainted with the label of commercial as soon as it is posted to an ad-supported platform like YouTube.

That same panelist—the songwriter and copyright expansion activist David Lowery—also repeatedly raised hip hop as an example of copyright working effectively without fair use because the genre has managed to achieve popularity despite often requiring licenses for musical samples. Of course, this characterization overlooks how licensing schemes limit what sorts of creativity are sanctioned under the law, and that seminal works in the genre simply could not be made under today’s understanding of sampling.

Taken together, these two themes represent a pernicious misconception that there are “legitimate” works—the ones presented by companies that belong to lobbying organizations with multi-million dollar budgets—and “illegitimate” ones that require permission to be created or commercially exploited.

In terms of the law, the Supreme Court rejected that argument over 100 years ago, and that rejection has been reaffirmed numerous times in cases like Campbell v. Acuff-Rose Music (“Whether … parody is in good taste or bad does not and should not matter to fair use”) and Yankee Publishing Inc. v. News America Publishing (“First Amendment protections do not apply only to those who speak clearly, whose jokes are funny, and whose parodies succeed”). Any understanding of fair use has to reflect that legal tradition.

Although it didn’t get much attention during Tuesday’s hearing, issues of fair use are complicated by the incredibly high penalties that can await those accused of infringement. These punitive fees discourage artists from actually exercising fair use rights as they create.

One panelist, Professor June Besek, recently suggested that statutory damages don’t need to be addressed, but her record on this issue is troubling. Writing to the Department of Commerce this month, Besek pointed to a $6,000 court judgment won by notorious copyright troll Prenda Law—a judgment that was almost certainly achieved by fraud—as an example of the current copyright law working well.

Professor Besek said that copyright penalties for individual file-sharers don’t need fixing at this time because cases like Prenda’s (brought using the law firm’s alter ego, AF Holdings, as plaintiff) result in damages “under $10,000.” It’s widely known that Prenda has coerced millions of dollars in “settlement” payments from Internet subscribers by building false copyright cases on a framework of shell companies, forged documents, lies to the courts, and threats of $150,000 penalties. Using an AF Holdings case to show that the copyright system is working well—because the fraud victim lost $6,000 instead of a possible $150,000—is bizarre, and casts doubt on Professor Besek’s testimony.

Tuesday’s hearing was cut short by other legislative action on the floor, but as Committee Chairman Goodlatte noted, it was “perhaps the most important copyright hearing” yet. Congress should continue to get the opinions of witnesses like Professor Jaszi and Naomi Novik from the Organization for Transformative Works—people that have experience with art and media that depends on fair use.

Scorecard: Will Obama Hit The Mark On Real NSA Reform?

The Electronic Frontier Foundation is planning to grade the President’s forthcoming National Security Agency “reform” package, and they’re asking Americans to make their wishes known before Obama unveils his plan on Friday.

By The Electronic Frontier Foundation    

On Friday, President Barack Obama will announce changes and potential reforms he will make to the National Security Agency (NSA). What can we expect? Many people are skeptical that the president will create meaningful limits to the NSA’s practice of sweeping up the digital communications of millions of people worldwide. Instead of actually stopping the spying, Obama could just make pronouncements calling for more transparency or additional layers of bureaucratic oversight. Basically, he could duck the most important thing he could do to show leadership: rein in government surveillance.

We’ve compiled a list of common-sense fixes that the President could—and should—announce at his briefing on Friday. Many of these are similar to measures proposed by the president’s own Review Group on Intelligence and Communications Technologies, which produced a report with over 40 recommendations last month. The list below is not comprehensive, but it addresses the central problems with NSA surveillance. Fixing all of them will go a long way toward restoring America’s trust in its government and resolving some of the most egregious civil liberties abuses of the NSA.

We’ll be scoring Obama’s presentation on Friday and we’ll let you know which, if any, of these reforms he supports. You can help us pressure Obama in the coming days by tweeting these reforms at him.

1. Stop mass surveillance of digital communications and communication records.

It doesn’t matter what legal authority is being cited—whether it’s the Patriot Act, the FISA Amendments Act, or an executive order—the government should not be sweeping up massive amounts of information by and about innocent people first, then sorting out whether any of its targets are included later. The NSA has disingenuously argued that simply acquiring this data isn’t actually “collecting” and that no privacy violation can take place unless the information it stores is actually seen by a human or comes up through an automated search of what it has collected. That’s nonsense. The government’s current practices of global dragnet surveillance constitute general warrants that violate the First and Fourth Amendments, and fly in the face of accepted international human rights laws. Obama needs to direct the NSA to engage only in targeted surveillance and stop its programs of mass surveillance, something he can do with a simple executive order.


2. Protect the privacy rights of foreigners.

The NSA’s surveillance is based upon the presumption that foreigners are fair game, whether their information is collected inside the US or outside the US. But non-suspect foreigners shouldn’t have their communications surveilled any more than non-suspect Americans. The review group recommended limited protections for non-US persons and while that is a good start, the president should do more to ensure that actual suspicion is required before either targeted or untargeted surveillance of non-US persons.


3. Don’t turn communications companies into the new Big Brother: no data retention mandate.

Obama’s review group recommended ending the NSA’s telephone records program, which we strongly agree with, but then indicated that a reasonable substitute would be to force American communications companies to store the data themselves and make it available to the government. The group ultimately recommended a data retention mandate if companies won’t comply voluntarily. But companies shouldn’t be pressed into becoming the NSA’s agents by keeping more data than they need or keeping it longer than they need to. To the contrary, companies should be working on ways to store less user data for less time—decreasing the risks from data breaches and intrusions like the one that just happened to Target. Data retention heads in the wrong direction for our security regardless of whether the government or private parties store the information.


4. National Security Letters need prior judicial review and should never be accompanied by a perpetual gag order.

One recommendation of the review group we heartily endorse is reining in National Security Letters. The FBI uses these letters to demand user data from communications service providers with no judicial review. Providers are forbidden from talking about receiving NSLs, which means the letters also serve as perpetual gag orders. EFF was successful in convincing a federal judge to strike down these NSLs last year. The case is on appeal but Obama can remedy the situation more quickly by instructing the FBI not to issue NSLs without prior judicial review, and to limit its use of gag orders.

5. Stop undermining Internet security, weakening encryption, and infiltrating companies.

Recent revelations show that the NSA is undermining Internet encryption, making us all less secure when we use technology. These practices include weakening standards, attacking technology companies, and preventing security holes from being fixed. As the president’s review group recognized, this has serious consequences for any industry that relies on digital security—finance, medicine, transportation, and countless others, along with anyone in the world who relies on safe, private communication. Obama should follow the recommendations of his review group and immediately stop the NSA’s efforts to undermine or weaken the security of our technologies.

6. Oppose the FISA Improvements Act.

The FISA Improvements Act, promoted by Sen. Dianne Feinstein, a stalwart defender of the NSA, would codify mass surveillance by the NSA and potentially extend the spying. Obama should make clear that he opposes the bill and would veto it if it came to his desk.

7. Reject the third party doctrine.

Obama should announce that it will be the policy of the Justice Department that data held by a third party (such as a telecom company or an Internet service provider) has the same constitutional protections as data stored at home. This will help correct deeply flawed Supreme Court rulings from the 1970s, which found that people who allowed companies to store their data had no expectation of privacy in it, and will support efforts to update the Electronic Communications Privacy Act to reflect current realities of how we use technology.

8. Provide a full public accounting of our surveillance apparatus.

Obama is fond of saying that the public misunderstands the government’s surveillance programs because they are being brought to light in “dribs and drabs” based on whistleblower evidence. To remedy this, Obama should appoint an independent committee to give a full public accounting of surveillance programs that impact non-suspects around the world. This does not mean revealing specific methods for tracking terrorists, but it does mean providing a comprehensive review of the legal authorities relied upon and the surveillance programs that affect non-suspect members of the public. The appointed committee should directly engage whistleblowers like Thomas Drake, William Binney, Edward Snowden and others, and include independent technological experts.

9. Reform the state secrets privilege and stop overclassifying.

For years, the government has fought accountability in the courts by claiming that all of the information related to surveillance programs is a “state secret.” The government should commit to continuing the work started by Sen. Ted Kennedy to reform the state secrets privilege, to ensure it is no longer used to shield abuses from public accountability. In a similar vein, the government routinely classifies documents that would pose no danger to our security if they were made public. In fact, the classification system is often abused to hide information about government abuses of power. We need to embrace transparency, not secrecy, as the default in our courts and our public discourse, both to better protect actual secrets and to better hold the government accountable for its actions.

10. Reform the FISA court: provide a public advocate and stop secret law.

There are myriad problems with the Foreign Intelligence Surveillance Court, the secretive court system that signs off on national security surveillance requests. Two of the biggest are: 1. One-sidedness: Government lawyers argue for surveillance authority in front of judges without any adversary in the room to argue for due process, privacy and civil liberties; 2. Secret law: The FISA court has created a huge body of secret law that impacts the communications of millions of Americans but is unknown to them. Obama should take preliminary steps to reform the FISA court by supporting calls for a public advocate to ensure an adversarial process in the courtroom. Further, the president should forbid the DOJ from blocking the publication of FISA court legal interpretations and only allow the redaction of true operational details.

11. Protect national security whistleblowers working for the public good.

Whistleblowers like Mark Klein, Kirk Wiebe, Thomas Drake, William Binney, Edward Snowden and others have provided the public with critical information about national security abuses that helped spark a much needed public debate about transparency, privacy, and the public’s relationship with its government. Yet some of these whistleblowers face decades in prison for their actions under outdated or misapplied laws. The president should not only instruct the DOJ to stop prosecuting whistleblowers who publicize information for the public good, but champion affirmative legislation to protect them.

12. Criminal defendants should know if national security surveillance is being used against them.

Recently released documents confirm that the NSA is sharing surveillance data with other US agencies, and that the FBI is running its own mass surveillance programs. Information gathered through these programs is being fed as “tips” into regular criminal investigations, with instructions to hide the origin of the information. This practice of intelligence laundering runs afoul of protections enshrined in the Fifth and Sixth Amendments, which guarantee a criminal defendant a meaningful opportunity to present a defense and challenge the government’s case. The president should make clear that criminal defendants have a right to be given notice of all surveillance information used to investigate or prosecute them as soon as risk to the investigation has passed and never later than when the accused faces trial.

We will publish a filled-out scorecard right after Obama’s speech on Friday. In the meantime, we have just days left before the announcement. Let’s use every moment we have to pressure Obama to really stop mass spying.

Customs And Border Protection Lent Predator Drones To Other Agencies 700 Times In 3 Years, According To ‘Newly Discovered’ Records

This post, written by senior staff attorney Jennifer Lynch, was originally published by the Electronic Frontier Foundation on Jan. 14.

U.S. Customs and Border Protection recently “discovered” additional daily flight logs that show the agency has flown its drones on behalf of local, State and Federal law enforcement agencies on 200 more occasions than previously released records indicated.

Last July, the Electronic Frontier Foundation reported, based on daily flight log records CBP made available to EFF in response to its Freedom of Information Act lawsuit, that CBP logged an eightfold increase in the drone surveillance it conducts for other agencies. These agencies included a diverse group of local, State and Federal law enforcement — ranging from the FBI, U.S. Immigration and Customs Enforcement, the U.S. Marshals Service and the Coast Guard to the Minnesota Bureau of Criminal Investigation, the North Dakota Bureau of Criminal Investigation, the North Dakota Army National Guard and the Texas Department of Public Safety.

CBP stated that these flight logs and a list of agencies it later prepared based on those logs represented all the missions the agency flew on behalf of non-CBP agencies. Yet after EFF and CBP briefed the remaining issues in the case in EFF’s Cross Motions for Summary Judgment and on the eve of the pivotal court hearing on those motions in December, CBP announced it “discovered that it did not release all entries from the daily reports for 2010-2012” responsive to EFF’s Freedom of Information Act request.

Not only do these new flight logs and the accompanying new list of agencies show a striking increase in the overall number of flights (700 versus 500), they also reveal a sharp increase in the number of flights for certain Federal agencies like ICE (53 more flights than previously revealed) and the Drug Enforcement Administration (20 more flights). And they also reveal CBP flew 32 additional times on behalf of State and local agencies — including previously undisclosed law enforcement like the Arizona Department of Public Safety and the Minnesota Drug Task Force. Unfortunately, CBP continues to withhold the names of many of these State and local agencies, arguing that revealing them would somehow impede ongoing investigations. However, as EFF pointed out in its summary judgment brief, disclosing that CBP was working with, for example, the Pima County, Ariz., Sheriff’s Department would not be specific enough to affect any particular criminal operation. It would hardly be surprising that CBP was working with Pima County because it shares a border with Mexico. It is also — at 9,200 square miles — one of the larger counties in Arizona and has one of the highest crime rates of any county in the country: a rate of 4,983 crimes per 100,000 people. Given the large geographic size of and crime rate in this county and others like it, it is hard to imagine that releasing information about which county sheriff’s department CBP is working with would enable suspected criminals in the area to link CBP’s drone surveillance to their particular criminal activity.

The newly released records reveal other surprising facts, including that CBP was using its sophisticated VADER surveillance system much more frequently than previously thought and was using it for other agencies. This sensor, also known as Vehicle and Dismount Exploitation Radar, was initially developed for use in the Afghanistan war and can detect the presence of people from as high as 25,000 feet. CBP has used this sensor in its surveillance operations since 2011 and used it at least 30 times for other agencies in 2012. The records CBP previously released to EFF contained no specific mention of VADER technology. As noted by the Center for Investigative Reporting, the system has several limitations — not the least of which is that “it can’t tell the difference between a U.S. citizen and noncitizen.”

The records also indicate that CBP’s drones appear plagued with problems; many of the logs indicate missions were terminated or canceled due to undisclosed issues affecting both the aircraft (General Atomics was often called in to address issues with the Predators) and the surveillance equipment on board (Raytheon, which supplies the radar equipment for CBP’s drones, was also called in). The VADER system had its own undisclosed problems.

CBP noted in a recent Privacy Impact Assessment (PIA) that it generally flies its drones in support of its primary mission: “border security.” Yet these records indicate just how blurred that mission has become. This is problematic because, as CBP also notes, drones like Predators enable “the monitoring of large areas of land more efficiently and with fewer personnel than other aviation assets.”

As the use of Predators moves from maintaining security at the Nation’s borders to general law enforcement elsewhere within the country, more and more people in the United States will be subject to drone surveillance. CBP states in its PIA that it stores data unassociated with a particular investigation for no more than 30 days; but much, if not most, of this data will be associated with an investigation and may, therefore, be stored indefinitely — even if it includes footage of property, vehicles and people unassociated with the investigation.

CBP also states in the PIA that we shouldn’t be concerned about the privacy implications of its drones because their sensors cannot yet identify individual people. However, these sensors are becoming more sophisticated every day, and it won’t be long before surveillance capabilities like “facial recognition or soft biometric recognition, which can recognize and track individuals based on attributes such as height, age, gender, and skin color” are added to CBP’s arsenal. We need to address these issues before that happens.

Senator Dianne Feinstein was concerned enough about drone surveillance to amend last term’s Senate Immigration Bill to restrict CBP’s flights in California to within three miles of the border. We should be similarly concerned about CBP’s flights throughout the country — especially when CBP still refuses to reveal exactly which State and local agencies it’s working with. EFF will be arguing just that point in the hearing on its Cross Motion for Summary Judgment in the case this coming Wednesday.

Documents:

In order to be comprehensive, EFF presents the documents CBP previously provided alongside the supplemental disclosures referred to in this report. The updates are marked “NEW.”

Agency Lists

2010 Flight Logs

2011 Flight Logs

2012 Flight Logs

Feb. 11: The Day We Fight Back Against NSA Surveillance

This post, written by Activism Director Rainey Reitman, was originally published by the Electronic Frontier Foundation on Jan. 10.

In January 2006, the Electronic Frontier Foundation filed its first lawsuit challenging the Constitutionality of National Security Agency mass surveillance.

In January 2012, the Internet rose up to protest and defeat the Stop Online Piracy Act (SOPA), legislation that sought to censor the Internet in the name of copyright enforcement.

And in January of last year, EFF lost a dear friend and fierce digital rights advocate, Aaron Swartz. EFF vowed to defend the rights of Internet users everywhere in his memory.

Now EFF has a new challenge: ending mass surveillance by the NSA.

The Edward Snowden revelations have provided disturbing details and confirmation of some of EFF’s worst fears about NSA spying. The NSA is undermining basic encryption standards, the very backbone of the Internet. It has collected the phone records of hundreds of millions of people not suspected of any crime. It has swept up the electronic communications of millions of people indiscriminately, exploiting the digital technologies we use to connect and inform.

But EFF isn’t going to let the NSA ruin the Internet. Inspired by the memory of Swartz and fueled by its victory against SOPA, EFF is joining forces with a coalition of liberty-defending organizations to fight back against NSA spying.

Today, on the eve of the anniversary of Swartz’s death, EFF asks you to join them in stepping up to the plate once again. Bring your creativity, your networks, your art and your dedication; and join EFF in a month of action, culminating in an Internet-wide protest on Feb. 11.

Join EFF. Fight back.

Three Hearings, Nine Hours, and One Accurate Statement: Why Congress Must Begin a Full Investigation into NSA Spying

This post, written by Legislative Analyst Mark M. Jaycox and Senior Staff Attorney Lee Tien, was originally published by the Electronic Frontier Foundation on Jan. 7.

Last week, press reports revealed more about the National Security Agency’s (NSA) elite hacking unit, the Office of Tailored Access Operations (TAO). The press also helped the public grasp other NSA activities, like how it’s weakening encryption. All of this is on top of the NSA’s collection of users’ phone calls, emails, address books, buddy lists, calling records, online video game chats, financial documents, browsing history and calendar data we’ve learned about since June.

By contrast, thus far Congress as a whole has done little to help the public understand what the NSA and the larger intelligence community are doing. Even members of Congress seem to learn more from newspaper reports than from “official” sources.

Regaining Congressional Oversight

Something is very wrong when Congress and the public learn more about the NSA’s activities from newspaper leaks than from the Senate and House intelligence committees. The committees are supposed to oversee the intelligence community activities on behalf of the public, but more often — as the New Yorker describes it — “treat senior intelligence officials like matinée idols.”

It’s time for Congress to reassert its oversight role and begin a full-scale investigation into the NSA’s surveillance and analytic activities. The current investigations — which aren’t led by Congress — are unable to fully investigate the revelations, Congressional committees’ hearings have added little, and Congress cannot rely solely on mandating more reports from the NSA as a solution.

Hearings Inside Congress

So far, Senate Judiciary Committee Chairman Patrick Leahy is valiantly attempting to shine more light on the NSA’s activities, but the hearings have only served as venues for Administration officials to parrot talking points and provide non-answers to important questions. This is very similar to what happened after The New York Times released the first reports of warrantless wiretapping in December 2005.

The hearings’ ineffectiveness is shown by the fact that it took three hearings — nine hours — for Leahy to clarify just how many terrorist attacks the collection of all Americans’ calling records stopped. In the first hearing (July), government witnesses said the program stopped “54 terrorist attacks.” By the third hearing (October) — and after much pressure by Leahy — Gen. Keith Alexander corrected his statement: It turns out the program had only stopped “one, perhaps two” terror plots, one of which involved “material support.” Aside from this, there are still two sets of questions from the hearings, by Senator Richard Blumenthal and Senator Ron Wyden, that the intelligence community has left unanswered.

It shouldn’t take three hearings over several months for a member of Congress to obtain accurate and understandable information from the director of the NSA.

A Congressional Investigation Is Needed

Congress must initiate a full-scale, targeted investigation outside of its regular committees. Such an investigation would normally fall under Congress’ intelligence or other oversight committees. But any investigation into the NSA’s activities must include a review of the current Congressional oversight regime. Since the creation of the intelligence committees in 1978, there has been no external audit or examination of how the system has performed.

A review is needed when the Senate intelligence committee’s own chairwoman, Senator Dianne Feinstein, admits how extraordinarily difficult it is to obtain information from the intelligence community. Members of Congress have complained that briefings are like “playing a game of 20 questions,” and other members have even noted how the House intelligence committee may have neglected to pass information to members before a key vote.

Current members of Congress aren’t the only ones complaining: former Vice President Walter Mondale and Senator Gary Hart — two former members of Congress who were instrumental in creating the Senate intelligence committee — have also said that the intelligence committees are not operating as they were originally intended.

Increasing Reports Is A Start

So far, Congress favors increasing reporting requirements or asking for an investigation by an Inspector General (IG). Transparency bills — like bills brought by both Senator Al Franken and Representative Zoe Lofgren — are a fantastic start. But such reports won’t uncover the secret law the NSA is using or the secret collection of ordinary people’s information. It also won’t tell us about the use of Executive Order 12333. The bills will only provide a numerical range regarding the orders the government sends, companies receive, and the number of users or accounts the orders impact.

What’s worse, the Inspector General of the Intelligence Community — who reports directly to the very officials who authorized the spying — told Senators he is unable to carry out a review of the programs due to a lack of resources. And even if such an investigation were to occur, the IG is unable to even request documents without the approval of the Director of National Intelligence.

Time For A New Investigation

The NSA leaks are ushering in a new day regarding Congressional oversight of the intelligence community. And it’s why Congress must dedicate the resources to a full-scale investigation by a special committee. Such a committee will allow Congress to delve into what other data the NSA may be collecting en masse about Americans, to learn about how the surveillance laws it passed are being used, and to inform the American public — all while protecting national security. It’s a tough balancing act, but Congress was able to do it in the 1970s with the Church and Pike Committees. And it should have the courage to do it again today.

EFF Looks Back On 2013: States, Not Congress, Stepped Up To Protect Individuals’ Privacy

The Electronic Frontier Foundation is releasing a series of year-in-review posts that focus on different aspects of the highly-publicized clash between government surveillance and individual freedoms in 2013. This one, by EFF’s Hanni Fakhoury, shows that the political will to protect Americans’ Constitutional rights against illegal searches and seizures has largely resided with State governments and the State-level courts – while members of Congress continue to posture and twiddle their thumbs.

January 2, 2014 | By Hanni Fakhoury

As the outcry against NSA spying and electronic surveillance has grown, the need to protect privacy through legislation has never been greater. With law enforcement itching to use aggressive new surveillance techniques, from drones to facial recognition, to fight crime, privacy is often cast by the wayside as collateral damage. Ideally it would be Congress that would take the lead in passing privacy legislation, creating uniform standards that protect privacy across the country. And while there were a number of Congressional proposals, none went anywhere in 2013. So while Congress continues to drag its feet, State courts and Legislatures have stepped up to protect their citizens’ electronic privacy.

This summer, the Massachusetts Supreme Judicial Court ruled, in a case in which we filed an amicus brief, that passengers in a car have an expectation of privacy to be free from persistent GPS location monitoring. Montana and Maine passed legislation that requires police to obtain a search warrant before tracking any electronic device. And Texas passed a bill that requires state law enforcement to obtain a search warrant before accessing electronic communications like emails from a service provider.

As States placed an emphasis on protecting privacy, we stepped up our efforts to get involved at the State level. We filed numerous amicus briefs in state courts across the country on a whole host of privacy issues. We argued to the Supreme Courts of Rhode Island and Washington that your text messages stored on someone else’s cell phone are protected by the Fourth Amendment. We urged courts in Connecticut and Massachusetts to follow New Jersey’s lead and require police to obtain a search warrant before getting cell phone tower information. We explained to the Texas high court that, unlike a pair of pants, an arrestee’s cell phone can’t be searched by police without a warrant. And again before the Massachusetts high court, we explained why the Fifth Amendment prohibits a suspect from being forced to decrypt a computer. We got involved in State legislation too, sponsoring an email privacy bill in California that passed the legislature but was vetoed by Governor Jerry Brown. We also opposed a Massachusetts bill that aimed to expand the State’s wiretapping statute.

Early indication suggests 2014 will see more States getting involved to pass privacy legislation. Wisconsin is considering a location privacy bill that would prohibit police tracking a cell phone without a search warrant. Lawmakers in Montana are planning to introduce an initiative to amend the State constitution to protect digital privacy. And we’ll be there too, working to convince State courts and Legislatures to make privacy conscious decisions, in addition to our Federal work. Hopefully 2014 will be the year Congress catches up to the States.