EFF: Campus Activism Against NSA Spying is Growing Fast

This piece, written by Electronic Frontier Foundation activist April Glaser, originally appeared on the foundation’s website on April 25.

The Electronic Frontier Foundation has been on the road, traveling to cities and towns across the country to bring our message of digital rights and reform to community and student groups.

And while we had the tremendous opportunity to talk about our work and our two lawsuits against the National Security Agency, the best part of the trip was learning about all of the inspiring and transformative activism happening everyday on the local level to combat government surveillance and defend our digital rights.

We met students and professors in Eugene, Ore., who held a campus-wide digital rights event at the University of Oregon. There, students had the opportunity to unpack their campus privacy policy, download and learn freedom-enhancing software, and explore their library’s open access initiative.

We traveled to Cambridge, Mass., where we met local activists and students ready to join the fight against draconian computer crime laws and raise awareness about the effects of mass surveillance on student innovation and academic freedom. In one particularly inspiring meeting with MIT’s Student Information Processing Board, we talked about how student innovators have long felt rudderless in the face of poorly written and outdated computer crime laws.

Most recently, a student was issued a subpoena for a project developed with fellow MIT classmates at a local hackathon. The students’ project, called TidBit, demonstrates how a client’s computer can mine for Bitcoin as an alternative to website advertising. The project was designed for a hackathon (where it won an award for innovation) and was never actually implemented, but instead explicitly marked as a proof of concept. Yet the State of New Jersey issued a subpoena trying to get info about the project and suggesting the TidBit developers had violated the law. EFF is helping the students fight back by moving to quash the subpoena. The TidBit case is the latest in a string of student confrontation with computer crime laws at MIT over the years.

We remember how Aaron Swartz was charged under the grossly unfair and outdated Computer Fraud and Abuse Act. And we remember when the Massachusetts Bay Transit Authority ordered that MIT students cancel their scheduled presentation at DEFCON about vulnerabilities that they found in Boston’s transit fare payment system, violating their 1st Amendment right to discuss their important research. The facts are clear: Student innovation is chilled by broken computer crime laws, and reform is sorely needed.

While we were in Cambridge, we participated in LibrePlanet, the annual Free Software Foundation conference. And after the conference local activists, technologists and free software enthusiasts joined us for a Free Software Foundation/EFF Speakeasy. We had the opportunity to talk about how the Free Software Foundation is one of the 22 plaintiffs in our First Unitarian Church of Los Angeles  v. NSA case, as well as what technologists can do to combat mass surveillance.

EFF also stopped in New York City to meet with students from the New School and New York University to talk about what students can do on campus to oppose NSA surveillance. And we were delighted to co-host a Students’ Speakeasy, where we chatted about ways to get active on campus with the Student Net Alliance, a growing network of people involved in campus communities that support sound Internet law and policy. Whether it’s writing a letter about how mass surveillance chills academic freedom, learning, and the need to research and discuss controversial topics; holding regular campus cryptoparties; or petitioning for better open access policies on campus, there are plenty of things that students can do join the fight to protect our digital rights.

“The Internet was born on university campuses, and universities have always been at the center of critical fights to keep the Internet free and open,” said Alec Foster, founder of Student Net Alliance. “As students, we believe in advancing policy and technology that support the free and open flow of information, and ensure our private communications are equally protected online and offline.”

It’s been a busy month! Just last week we visited Iowa, where we collaborated with the student-run Iowa State University Digital Freedom Group to put together a giant event for the campus-wide First Amendment week. More than 250 people showed up to hear about EFF’s litigation against the NSA and learn about reforms in Congress that aim to rein the NSA back within the bounds of the Constitution.

When the ISU Digital Freedom Group was trying to form on campus last year, they met serious resistance from the school’s administration who wouldn’t give them the green light because they did not want ISU students to advocate for or participate in the “secrecy network” Tor and would not permit the student group to use any “free software designed to enable online anonymity.”

But the students had not proposed that a Tor node be established on campus. Rather, they simply asked that they be able to provide a forum to “discuss, learn and practice techniques to anonymize and protect digital communication.” EFF wrote an open letter to university administrations across the country about the importance of student groups like the Digital Freedom Group that aim to discuss and learn about methods for secure and private use of the Internet.

After our tremendously successful event, the ISU Digital Student Group hosted their first cryptoparty, where campus based technologists taught about important Internet privacy tools like GPG email encryption, Tor, and Off-the-Record instant messaging. We all had a wonderful time in Ames and look forward to watching the group grow.

At EFF we are thrilled to meet more activists across the country working on the front lines to defend our digital rights. And this fight is now more important than ever. Snowden’s revelations have brought conversations about government surveillance and the right to privacy into the spotlight. Now is the time to organize for real reform. Join us.

EFF’s Suggestions For Government Surveillance Oversight

This piece, written by Electronic Frontier Foundation Legal Director and Legislative Analyst Mark M. Jaycox, originally appeared on the foundation’s website on April 23.

EFF recently filed comments with the Privacy and Civil Liberties Oversight Board (PCLOB) concerning Section 702 of the Foreign Intelligence Surveillance Amendments Act (FAA), one of the key statutes under which the government claims it can conduct mass surveillance of innocent people’s communications and records from inside the US. EFF maintains that the government’s activities under Section 702 that we know about are unconstitutional, not supported by the statutory language, and violate international law.

The PCLOB, created as a result of recommendations by the 9/11 Commission, is an agency charged with ensuring privacy and civil liberties are included in the White House’s counterterrorism activities. After a long delay, the board became operational in February 2012. Their first report, issued in January 2014, reviewed the government’s use of the Patriot Act to collect all Americans’ calling records. The report largely agreed with our concerns about that program, carefully described how it is illegal and recommended the government stop the program. In our recent comments, we urge the PCLOB to take the same careful approach to the government’s activities under Section 702.

Specifically, we urge the PCLOB to work on:

1) Transparency: The PCLOB should push for more disclosures about surveillance conducted under Section 702, especially as it impacts innocent people in the US and around the world. The comments outline what is known about two types of spying the government has said are authorized by Section 702: the PRISM program and “upstream” collection. We also point out key information needed to have a real public debate on these issues, including specifics about the programs that have no reasonable harm to national security such as the number of orders sent and the number of US person communications collected. Throughout the comments, we offer specific suggestions about additional technical and policy information that should be made publicly available. This includes whether any of these programs limit or restrict the architecture or technology of private-sector systems. The information will help innocent people around the world understand whether and how their non-suspect communications are being collected, analyzed, used, and retained by the US government.

2) A Constitutional Analysis: As it did concerning the telephone records collection program, we urge the PCLOB to perform a serious Constitutional analysis of the government’s activities under Section 702. Section 702 is being used to authorize modern-day general warrants inconsistent with the Fourth Amendment. The comments discuss how the founders specifically rejected the so-called “hated writs” on the grounds, among others, that the writs did not require judicial approval, particularity, and a finding or probable cause prior to seizure and search of the “papers and effects.” The comments urge the PCLOB to consider the serious threats to privacy including:

  • Searches done “about” a target of surveillance, which collect the content of Americans and trigger Fourth Amendment requirements;
  • “Backdoor searches,” which are searches of potentially innocent communications sucked into the NSA’s databases containing phone calls and emails collected under Section 702;
  • The mass collection and analysis of millions of Americans’ communications, both domestic and international, which the government claims were merely “incidentally” collected;
  • The court review limited to “procedures” for targeting and minimization rather than the actual seizure and searches. This abstract approval is not a sufficient substitute for the Fourth Amendment’s requirement of a “neutral and detached” magistrate, especially when the NSA is seizing millions of complicated communications, like “multiple communications transactions” and nested messages including those of innocent users.
  • Filtering only by IP address, which is what the government says it does to protect Americans. IP filtering cannot tell what passport a person holds and is grossly insufficient as a way to ensure that only the communications of foreigners abroad are ultimately analyzed. EFF notes specifically that many American websites (including the House of Representatives website) load content from foreign websites with foreign IP addresses and that many Americans use VPNs and other common technological processes which result in Americans having foreign IP addresses.

3) A Statutory Analysis: We also urge the PCLOB to engage in a statutory analysis of Section 702 and note, as it did for Section 215, that the statutory language does not provide for bulk collection. Instead, the statute forbids the government from “intentionally acquiring” fully domestic communications and requires “reasonably designed” procedures. We write: “it strains credulity to think that mass collection from the fiber optic cables located inside the US. is either ‘reasonably designed’ to ensure that acquisition is limited to persons believed to be outside the US,” especially given that the cables carry both international and domestic traffic.

4) An International Analysis: We point out that Section 702 violates international human rights law, as explained in detail in the Necessary and Proportionate Principles. Section 702’s mass surveillance is inherently disproportionate and is improperly discriminatory in ignoring the privacy rights of innocent foreigners.

5) Recommending Fixes: We urge the PCLOB to suggest legislative fixes to, or repeal of, Section 702. This includes narrowing definitions in the statute, like “foreign intelligence information;” ensuring a judge approves specific targets; and ensuring more information is released about the programs.

A full copy of the comments can be found here.

EFF: It’s Hard to Get The Whole Story In The One-Sided Surveillance Court

This article, written by activist Nadia Kayyali  and attorney Kurt Opsahl, was originally published by the Electronic Frontier Foundation on April 16.

While most courts in the United States are adversarial—each party presents its side and a jury, or occasionally a judge, makes a decision—in the Foreign Intelligence Surveillance Court (FISC), only the government presents its case to a judge. While typically two opposing sides work under public review to make sure all the facts are brought to light, in the FISC the system relies on a heightened duty of candor for the government. As is illustrated all too well by recent developments in our First Unitarian v. NSA case, this one-sided court system is fundamentally unfair.

In March, after we learned that the government intended to destroy records of Section 215 bulk collection relevant to our NSA cases, we filed for a temporary restraining order in the Federal court in San Francisco. We also filed a motion to correct the record with the FISC, since it was a FISC order requiring the destruction of bulk metadata after five years that was at issue.

Following the emergency hearing on our motion, the San Francisco federal court ordered the government to preserve the evidence. On the same day that the federal court issued its order, the FISC issued its own strongly worded order in which it granted our motion and mandated the government to make a filing with the FISC explaining exactly why it had failed to notify the Court about relevant information regarding preservation orders in two related cases, Jewel and Shubert. This omission influenced the FISC’s decision on the government’s request for relief, and the FISC was not happy about it.

On April 2, the DOJ made its filing. The government’s statements in this document deserve close attention because they illustrate in high-definition the failures of the FISC’s one-sided system.

The response essentially says that in hindsight, it is clear to the government why the FISC would have wanted to know about the Jewel and Shubert orders. But the government’s filings show that it unilaterally decided it was right about its interpretation of the legal theories in these cases. In so doing, it failed to live up to the heightened duty of candor present in ex parte proceedings by failing to inform the FISC that this was disputed. In essence, the government narrowly interpreted the causes of action in the Jewel complaint, excluding the Section 215 surveillance purportedly authorized by the FISC, and thereby narrowing the evidence it would preserve. By making a decision about what facts were relevant, the DOJ attorneys elevated themselves into the role of a judge.

The government apologized to the FISC for its omission, but it also continues to inaccurately portray the controversy over the legal theories our cases. In fact, the DOJ uses this filing to again present their interpretation of the disagreement over the scope of the cases, failing to mention the various arguments we have made on that issue before Judge White in San Francisco. The DOJ calls our view “recently-expressed,” attempting to create the impression that the DOJ had no idea that there was any controversy until 2014.  They neglect to mention that we wrote in a 2010 brief that the “government defendants’ assertion that ‘plaintiffs do not challenge surveillance authorized by the FISA Court’ … misconceives both plaintiffs’ complaint and the role of the district court ….”

If this had been a normal court proceeding, each side would present their position in the most favorable light, and the judge would decide who is right. In the FISC, however, this balanced system breaks down. This one-sided system allows for no accountability except in the rare circumstance where the affected parties can raise the issue with the court. Indeed, in most cases, the arguments and the decision are kept secret, and no one can second-guess the government.

This is why we continue to urge Congress to change the laws governing how FISC operates. At a minimum, significant court decisions must be made public, and a privacy advocate should be a part of the process. These improvements won’t bring the same kind of balance that can come with an adversarial system, but could at least deliver a semblance of fairness to the process.

EFF: Tea Party, Taxes And Why The Original Patriots Would’ve Revolted Against The Surveillance State

This article was originally published by the Electronic Frontier Foundation on April 15.

Let’s just imagine we could transport an Internet-connected laptop back to the 1790s, when the United States was in its infancy. The technology would no doubt knock the founders out of their buckle-top boots, but once the original patriots got over the initial shock and novelty (and clearing up Wikipedia controversies, hosting an AMA and boggling over Dogecoin), the sense of marvel would give way to alarm as they realized how electronic communications could be exploited by a tyrant, such as the one from which they just freed themselves.

As America’s first unofficial chief technologist, Benjamin Franklin would be the first to recognize the danger and take to trolling the message boards with his famous sentiment: Those who would trade liberty for safety deserve neither. (And he’d probably troll under a fake handle, using Tor, since the patriots understood that some truths are best told with anonymity.)

Today, the Tea Party movement continues the legacy of the founders, championing the rights guaranteed by the Constitution and Bill of Rights. Never afraid of controversy, Tea Party activists and elected leaders are fighting against mass surveillance in the courts and in the halls of state legislatures and Congress.

Each year on April 15, Americans pay taxes that keep the government running. It’s a time for reflecting upon whether that money is funding a government for the people or a government that is undermining the people, supposedly for their own good. After a watershed year of newly disclosed information about the National Security Agency, the Tea Party has plenty to protest about.

How The Founders Fought Mass Surveillance

Mass surveillance was not part of the original social contract — the terms of service, if you will — between Americans and their government. Untargeted surveillance is one reason we have an independent country today.

Under the Crown’s rule, English officials used writs of assistance to indiscriminately “enter and go into any house, shop cellar, warehouse, or room or other place and, in case of resistance, to break open doors, chests, trunks, and other package there” in order to find tax evaders. Early patriot writers, such as James Otis Jr. and John Dickinson, railed against these general warrants; and it was this issue, among other oppressive conditions, that inspired the Declaration of Independence and the Fourth Amendment.

James Madison drafted clear language guaranteeing the rights of Americans, and it bears reading again in full:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Centuries later, the principle still applies, whether we’re talking about emails or your mobile phone. As the Tea Party activists at FreedomWorks told us when we consulted them for this post: The Fourth Amendment does not stop at technology’s door.

(For a more in-depth historical review, check out former EFF legal intern David Snyder’s essay, “The NSA’s ‘General Warrants': How the Founding Fathers Fought an 18th Century Version of the President’s Illegal Domestic Spying.”)

Tea Party Versus Big Brother

The Tea Party movement is closely associated with the right to bear arms, religious rights and tax freedom. But as Brian Brady, a prolific Tea Party activist in San Diego County we also consulted, said: The movement must embrace the Constitution as a whole. Threats to privacy, he says, are also threats to freedom of speech, religion and association. Property rights mean nothing if the government can search your home or computer without probable cause.

In other words, mass surveillance is a manifestation of big government.

Tea Party activists don’t shy away from confrontations that may put them at odds with other groups (particularly on the left); but no one can deny that on the subject of mass surveillance, the movement is on the frontlines protecting every American’s rights.

TechFreedom and gun-rights groups, such as the CalGuns Foundation and the Franklin Armory (named after Ben), have joined unlikely allies such as Greenpeace and People for the American Way to sue the NSA. Represented by the Electronic Frontier Foundation, the plaintiffs argue that collecting phone metadata (your number, who you called, when and for how long you spoke), chills the ability for these groups to associate freely, as guaranteed by the First Amendment as well as the Fourth Amendment. FreedomWorks and Sen. Rand Paul have also filed a class action lawsuit against the NSA on similar grounds.

Conservative attorney and founder of Judicial Watch Larry Klayman was the first plaintiff to challenge the program’s unconstitutionality. So far, his lawsuit in Washington, D.C. has been successful. In December, the federal judge in the case wrote, “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval.”

Tea Party-affiliated lawmakers have also been pushing back against mass surveillance with a variety of bipartisan legislative reforms; Rep. Justin Amash, for example, came within a few votes of cutting the NSA’s telephone metadata program funding with a budget amendment last July. State legislators who align with the Tea Party have also sponsored bills across the country condemning the NSA, from California State Sen. Joel Anderson’s successful resolution calling for an end to the call records program to Michigan Rep. Tom McMillin’s call for the Department of Justice to prosecute Director of National Intelligence James Clapper for misleading Congress.

Tax, Spend And Surveil

Reason magazine has an excellent essay about IRS and privacy, outlining how the IRS obtains, scours and fails to secure personal data collected from taxpayers, while tax-reform advocate Grover Norquist wrote a worthwhile op-ed in The Daily Caller today about how the IRS exploits the outdated Electronic Communications Privacy Act. But it’s also important to consider that the taxes the government collects ultimately fund the surveillance state. “No taxation without representation” was the rallying cry of the American Revolution, and yet here we are today, with the NSA conducting surveillance without adequate checks and balances. Members of Congress complain that they haven’t been properly briefed on the NSA’s programs and judicial approval of these programs is conducted by a secret court that only hears the government’s side of the story. On the local level, law enforcement agencies are adopting new surveillance technologies such as automatic license plate readers, facial recognition and Stingrays with little public input or other oversight.

On the whole, maintaining the mass surveillance state is expensive. There are 17 (that’s right, 17) different federal agencies that are part of the “intelligence community,” each of them involved in various, interconnected forms of surveillance. There’s no concrete evidence of how it has made us safer, but there’s plenty of concrete evidence of how much it has cost. The bottom line? We’re paying the government to unreasonably intrude on our lives. The budget for intelligence in 2013 was $52.6 billion. Of that, $10.8 billion went to the NSA. That’s approximately $167 per person in the United States.

For a prime example of the wasteful spending, one only need to read  Sen. Tom Coburn’s report “Safety at Any Price,” which outlined the inappropriate spending done under the Department of Homeland Security’s grant program (such as paying for “first responders to attend a HALO Counterterrorism Summit at a California island spa resort featuring a simulated zombie apocalypse”). This followed on the heels of a harsh bipartisan Senate report criticizing the extreme waste at fusion centers around the country. Federal funds were used to purchase big screen TVs, decked-out SUVS and miniature cameras. To make matters worse, the report found that fusion centers violated civil liberties and produced little information of any use.

Mass surveillance is a symptom of uncontrolled government overreach. The question is: What’s the cure?

Defending Privacy Is A Patriotic Duty

While every single person has cause to be alarmed by surveillance, those who criticize government policies have particular reason to be concerned. Those who have new, or not yet popular, ideas (or, in the case of the Tea Party, old and popular ideas in resurgence) are often targets of overreaching surveillance. It’s not a partisan issue; it’s a constitutional issue.

Activism is most effective when is happens at the personal, local and national levels. And the Tea Party has proven it knows how make a ruckus, whether it’s on a personal blog or outside the White House. America needs the Tea Party to keep applying that patriotic passion to NSA reform.

We have also just created a new collection of resources for grass-roots activists, including tips on how to organize public events and use the media to spread the word about your issues, as well as a collection of one-page informational sheets that make it easy to explain these issues. And above all, speak out. Help EFF stop bills that attempt to legalize mass surveillance and join EFF in demanding real reform.

Stopping mass surveillance — it’s what the first patriots did, and it’s what today’s patriots are doing right now.

EFF: Digital Technology Can Leave Your Health History Exposed

This article was originally published by the Electronic Frontier Foundation on April 9.

The digitization of medical records is being pitched to the public as a way to revolutionize healthcare. But rapid technological innovation and lagging privacy laws are leaving patients — and their most sensitive information — vulnerable to exposure and abuse, especially in this age of “big data.” The Electronic Frontier Foundation (EFF) is launching a new medical privacy project today to identify the emerging issues and to give advocates the information they need to fight for stronger protections for patients.

“You assume that the decision about when to disclose medical data — like if you’ve had an abortion or have a serious heart condition — is yours and yours alone. But that information may be circulated in the process of paying for and providing treatment, or as part of mandated reporting,” said EFF Senior Staff Attorney Lee Tien. “As the American medical establishment moves towards complete digitization of patient records, it’s important to take a hard look on what that means for everyone’s privacy, and what we should do about it.”

EFF’s project explores the unsettled areas of medical privacy law and technology, including a primer on how law enforcement might get access to your health information or how the government might be able to collect it by claiming that it’s necessary for national security. There’s also a detailed discussion of public health reporting systems and how federal health laws give patients some rights but take others away. EFF will add more topics in the months to come.

“Genetic testing provides a striking example of some of the challenges we face with protecting medical data. Genetic data is uniquely identifiable and can be easily obtained from cells we shed every day,” says EFF Activism Director Rainey Reitman. “But we have weak laws protecting this highly sensitive data.”

EFF’s work on the medical privacy project is supported by a grant from the Consumer Privacy Rights Fund of the Rose Foundation for Communities and the Environment.

For EFF’s full medical privacy project:

FAQ: Privacy Activist’s Guide To Why The Surveillance State’s Fusion Centers Matter

This handy FAQ was compiled by Electronic Frontier Foundation activist Nadia Kayyali and originally published on the foundation’s website on April 7.

While NSA surveillance has been front and center in the news recently, fusion centers are a part of the surveillance state that deserve close scrutiny.

Fusion centers are a local arm of the so-called “intelligence community,” the 17 intelligence agencies coordinated by the National Counterterrorism Center (NCTC). The government documentation around fusion centers is entirely focused on breaking down barriers between the various government agencies that collect and maintain criminal intelligence information.

Barriers between local law enforcement and the NSA are already weak. We know that the Drug Enforcement Agency gets intelligence tips from the NSA which are used in criminal investigations and prosecutions. To make matters worse, the source of these tips is camouflaged using “parallel construction,” meaning that a different source for the intelligence is created to mask its classified source.

This story demonstrates what we called “one of the biggest dangers of the surveillance state: the unquenchable thirst for access to the NSA’s trove of information by other law enforcement agencies.” This is particularly concerning when NSA information is used domestically. Fusion centers are no different.

In fact, in early 2012, the Foreign Intelligence Surveillance Court approved the sharing of raw NSA data with the NCTC. The intelligence community overseen by the NCTC includes the Department of Homeland Security and FBI, the main Federal fusion center partners. Thus, fusion centers—and even local law enforcement—could potentially be receiving unminimized NSA data. This runs counter to the distant image many people have of the NSA, and it’s why focusing on fusion centers as part of the recently invigorated conversation around surveillance is important.

What are fusion centers?

Fusion centers are information centers that enable intelligence sharing between local, State, tribal, territorial, and Federal agencies. They are actual physical locations that house equipment and staff who analyze and share intelligence.

How many are there?

There are 78 recognized fusion centers listed on the Department of Homeland Security (DHS) website.

Who works at fusion centers?

Fusion centers are staffed by local law enforcement and other local government employees as well as Department of Homeland Security personnel. DHS “has deployed over 90 personnel, including Intelligence Officers and Regional Directors, to the field.” Staffing agreements vary from place to place. Fusion centers are often also colocated with FBI Joint Terrorism Task Forces.

What do fusion centers do?

Fusion centers enable unprecedented levels of bi-directional information sharing between State, local, tribal, and territorial agencies and the Federal intelligence community. Bi-directional means that fusion centers allow local law enforcement to share information with the larger Federal intelligence community, while enabling the intelligence community to share information with local law enforcement. Fusion centers allow local cops to get—and act upon—information from agencies like the FBI.

Fusion centers are also key to the National Suspicious Activity Reporting Initiative (NSI), discussed below.

What is suspicious activity reporting?

The government defines suspicious activity reporting (SAR) as “official documentation of observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.” SARs can be initiated by law enforcement, by private sector partners, or by “see something, say something” tips from citizens. They are then investigated by law enforcement.

What is the National Suspicious Activity Reporting Initiative?

NSI is an initiative to standardize suspicious activity reporting. The NSI was conceived in 2008, and started with an evaluation project that culminated in a January 2010 report describing how NSI would encompass all fusion centers. It appears significant progress has been made towards this goal.

The evaluation project included so-called Building Communities of Trust (BCOT) meetings which focused “on developing trust among law enforcement, fusion centers, and the communities they serve to address the challenges of crime and terrorism prevention.”

BCOT “community” events involved representatives from local fusion centers, DHS, and FBI traveling to different areas and speaking to selected community representatives and civil rights advocates about NSI. These were invite only events with the clear purpose of attempting to engender community participation and garner support from potential opponents such as the ACLU.

So what’s wrong with Suspicious Activity Reporting and the NSI?

SARs do no meet legally cognizable standards for search or seizure under the Fourth amendment. Normally, the government must satisfy reasonable suspicion or probable cause standards when searching a person or place or detaining someone. While SARs themselves are not a search or seizure, they are used by law enforcement to initiate investigations, or even more intrusive actions such as detentions, on the basis of evidence that does not necessarily rise to the level of probable cause or reasonable suspicion. In other words, while the standard for SAR sounds like it was written to comport with the constitutional standards for investigation already in place, it does not.

In fact, the specific set of behaviors listed in the National SAR standards include innocuous activities such as:

taking pictures or video of facilities, buildings, or infrastructure in a manner that would arouse suspicion in a reasonable person,” and “demonstrating unusual interest in facilities, buildings, or infrastructure beyond mere casual or professional (e.g. engineers) interest such that a reasonable person would consider the activity suspicious. Examples include observation through binoculars, taking notes, attempting to measure distances, etc.

These standards are clearly ripe for abuse of discretion.

Do fusion centers increase racial and religious profiling?

The weak standards around SAR are particularly concerning because of the way they can lead to racial and religious profiling. SARs can originate from untrained civilians as well as law enforcement, and as one woman pointed out at a BCOT event people who might already be a little racist who are ‘observing’ a white man photographing a bridge are going to view it a little differently than people observing me, a woman with a hijab, photographing a bridge. The bottom line is that bias is not eliminated by so-called observed behavior standards.

Furthermore, once an investigation into a SAR has been initiated, existing law enforcement bias can come into play; SARs give law enforcement a reason to initiate contact that might not otherwise exist.

Unsurprisingly, like most tools of law enforcement, public records act requests have shown that people of color often end up being the target of SARs:

One review of SARs collected through Public Records Act requests in Los Angeles showed that 78% of SARs were filed on non-whites. An audit by the Los Angeles Police Department’s Inspector General puts that number at 74%, still a shockingly high number.

A review of SARs obtained by the ACLU of Northern California also show that most of the reports demonstrate bias and are based on conjecture rather than articulable suspicion of criminal activity. Some of the particularly concerning SARs include titles like “Suspicious ME [Middle Eastern] Males Buy Several Large Pallets of Water” and “Suspicious photography of Folsom Dam by Chinese Nationals.” The latter SAR resulted in police contact: “Sac[ramento] County Sheriff’s Deputy contacted 3 adult Asian males who were taking photos of Folsom Dam. They were evasive when the deputy asked them for identification and said their passports were in their vehicle.” Both of these SARs were entered into FBI’s eGuardian database.

Not only that, there have been disturbing examples of racially biased informational bulletins coming from fusion centers. A 2009 “North Central Texas Fusion Center Prevention Awareness Bulletin” implies that tolerance towards Muslims is dangerous and that Islamic militants are using methods such as “hip-hop boutiques” and “online social networks” to indoctrinate youths in America.

Do fusion centers facilitate political repression?

Fusion centers have been used to record and share information about First Amendment protected activities in a way that aids repressive police activity and chills freedom of association.

A series of public records act requests in Massachusetts showed: “Officers monitor demonstrations, track the beliefs and internal dynamics of activist groups, and document this information with misleading criminal labels in searchable and possibly widely-shared electronic reports.” The documents included intelligence reports addressing issues such internal group discussions and protest planning, and showed evidence of police contact.

For example, one report indicated that “Activists arrested for trespassing at a consulate were interviewed by three surveillance officers ‘in the hopes that these activists may reach out to the officers in the future.’ They were asked about their organizing efforts and for the names of other organizers.”

Who oversees the National Suspicious Activity Reporting Initiative?

The NSI is led by the Program Manager for the Information Sharing Environment (PM-ISE) in collaboration with the DHS and the FBI. The ISE is “the people, projects, systems, and agencies that enable responsible information sharing for National security.” The PM-ISE, currently Kshemendra Paul, oversees the development and implementation of the ISE. The position was created by the Intelligence Reform and Terrorism Prevention Act of 2004.

If this all sounds confusing, that’s because it is: the entire intelligence community is a plethora of duplicative agencies with overlapping areas of responsibility.

What kind of information do fusion centers have?

Staff at fusion centers have access to a variety of databases. Not all staff have the same level of clearances, and the entire extent of what is available to fusion centers is unclear. But we do know certain facts for sure:

Fusion centers have access to the FBI’s eGuardian database, an unclassified companion to the FBI’s Guardian Threat Tracking System. “The Guardian and eGuardian systems . . . have a bi-directional communication ability that facilitates sharing, reporting, collaboration, and deconfliction among all law enforcement agencies.”

Fusion centers also have access to DHS’ Homeland Security Data Network and it’s companion Homeland Security Information Network. These systems provide access to terrorism-related information residing in DoD’s classified network. It is worth noting that HSIN was hacked in 2009 and was considered so problematic that it was briefly decommissioned entirely.

Fusion centers have access to other information portals including the FBI’s Law Enforcement Online portal, Lexis Nexis, the Federal Protective Service portal, and Regional Information Sharing Systems .

Finally, as discussed above, we know that unminimized NSA data can be shared with the National Counterterrorism Center, which means that fusion centers could be in receipt of such data.

What Federal laws apply to fusion centers?

Because they are collaborative, legal authority over fusion centers is blurred, perhaps purposefully. However, there are some Federal laws that apply. The Constitution applies, and fusion centers arguably interfere with the First and Fourth Amendments.

28 Code of Federal Regulations Part 23 governs certain Federal criminal intelligence systems. The “Fusion Center Guidelines . . . call for the adoption of 28 CFR Part 23 as the minimum governing principles for criminal intelligence systems.” 28 CFR 23.20 requires reasonable suspicion to collect and maintain criminal intelligence and prohibits collection and maintenance of information about First Amendment protected activity “unless such information directly relates to criminal conduct or activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.” Finally, it prohibits inclusion of any information collected in violation of local law.

Section 552(a)(e)(7) of the Privacy Act prohibits Federal agencies, in this case DHS personnel who work at fusion centers, from maintaining any “record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity.” A 2012 U.S. Senate Permanent Subcommittee on Investigations report on fusion centers stated: “The apparent indefinite retention of cancelled intelligence reports that were determined to have raised privacy or civil liberties concerns appears contrary to DHS’s own policies and the Privacy Act.”

What State or local laws apply to fusion centers?

Fusion centers are sometimes bound by local and state laws. The law enforcement agencies that feed information into centers may also be restricted in terms of what information they can gather.

The Northern California Regional Intelligence Center, located in San Francisco, CA, serves as a good example of how State and local regulations can apply to a fusion center. NCRIC works with law enforcement partners around the region and stores criminal intelligence information. The California constitution has a right to privacy and California has other laws that address privacy and criminal intelligence. These should cover NCRIC.

The San Francisco Police Department’s relationship with NCRIC also serves as a good example of the applicability of local laws. SFPD participates in suspicious activity reporting, but is also bound by a number of restrictions, including Department General Order 8.10, which heavily restricts intelligence gathering by the SFPD, as well as the sanctuary city ordinance, which prohibits working with immigration enforcement. While the fusion center would not be bound by these regulations on its own, the SFPD is.

Who funds fusion centers?

Fusion centers are funded by Federal and State tax dollars. Estimates of exactly how much funding fusion centers get from these sources are difficult to obtain. However, there are some numbers available.

For 2014, the Homeland Security Grant Program, which is the Federal grant program that funds fusion centers, has $401,346,000 available in grant funds. The grant announcement emphasizes that funding fusion centers and integrating them nationally is a high priority. This is an approximately $50 million increase over last year’s allocation—somewhat shocking in light of the critiques around fusion center funding that have been raised by Congress.

A 2008 Congressional Research Service report states that the average fusion center derives 31% of its budget from the Federal government. Those numbers may have changed now.

Has there been any discussion about fusion centers at the Federal level?

Yes, but not enough. In October of 2012, fusion centers were the subject of an extremely critical report from the U.S. Senate Permanent Subcommittee on Investigations. The bipartisan report focused on the waste, ineptitude, and civil liberties violations at fusion centers. The report revealed that fusion centers spent tax dollars on “gadgets such as ‘shirt button cameras, $6,000 laptops and big-screen televisions. One fusion center spent $45,000 on a decked-out SUV…” Regarding the information produced by fusion centers, the report noted that fusion centers produced “‘intelligence’ of uneven quality – oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protections, occasionally taken from already-published public sources, and more often than not unrelated to terrorism.”

This report recommended a hard look at fusion center funding, but that clearly has not happened. They are still operating across the country with Federal funding. In fact, their funding has even been increased.

What about at the local level?

There are grassroots privacy advocates in multiple cities fighting to get more information about fusion centers and how their local law enforcement participates in them. These efforts have been frustrated by stonewalling of public records act requests and uneducated, or at times dishonest, public officials.

Have any regulations been passed or proposed?

To date, only one place has passed regulations around fusion centers. Berkeley, CA, passed a policy in September 2012 that the Berkeley Police Department can only submit suspicious activity reports after establishing reasonable suspicion of criminal behavior, and put in place an audit of SARs.

Massachusetts is also considering changes to fusion centers. SB 642 would strictly limit collection and dissemination of criminal intelligence information and would require a yearly audit of the Massachusetts Commonwealth Fusion Center.

What can I do?

Fusion centers are an area ripe for grassroots organizing. Groups like the StopLAPD Spying Coalition, which put together a “People’s Audit” of SARs in LA, provide excellent examples of how this can happen. Public records act requests can be leveraged to get information about what your local law enforcement is doing. Grassroots organizing and education can get people and elected officials talking about this issue.

On April 10, activists across the country will be participating in “Stop the Spy Centers: a national day of action against fusion centers.” These activists have three demands: 1. Shut down fusion centers, 2. De-fund fusion centers, and 3. Release all suspicious activity reports and secret files.

While April 10 is one day of action, the conversation around fusion centers must continue hand in hand with our national discourse around NSA, CIA, and FBI surveillance.

Where can I get more information about fusion centers?


EFF: Websites Must Use HSTS In Order To Be Secure

This article, written by Electronic Frontier Foundation technologist Jeremy Gillula, was originally published on the organization’s website on April 4.

You would think that by now the Internet would have grown up enough that things like online banking, email, or government websites would rely on thoroughly engineered security to make sure your data isn’t intercepted by attackers. Unfortunately when it comes to the vast majority of websites on the Internet, that assumption would be dead wrong. That’s because most websites (with a few notable exceptions) don’t yet support a standard called HSTS—HTTPS Strict Transport Security.

Why is lack of HSTS even an issue? To see what could go wrong, imagine the following common scenario. You’re in a coffee shop and you want to check your bank account. You pop open your laptop, connect to the free wifi, load up your web browser, and type in your bank’s URL. No security alerts pop up when you load the page, and there’s even a padlock icon next to the address, so you go ahead and login. Unfortunately, you could very well have just sent your login information to a potential attacker.

The way the attack worked is as follows. When your browser first tried to contact the bank’s server and load its homepage via HTTP, the attacker intercepted the request to connect and prevented it from getting there (perhaps by having his laptop pretend to be that free wifi hot-spot). He then sent your request to the bank’s server himself. When he got the response back (i.e. the webpage to load, the images to display, etc.) he stripped out any links that would initiate a secure HTTPS connection, modified the page so that it would show the padlock icon next to the address (by setting a padlock as the favicon), and sent it back to your laptop. Of course these kinds of attacks have been automated. The result is a page that looks identical in your web browser—the only difference is that it’s not secured, and the attacker can read everything you send to the server and everything that gets sent back.

But why couldn’t your browser detect the attack? The problem is that modern browsers display prominent security alerts only when a website’s security credentials appear suspicious—if a website connects over a secure channel and everything appears OK nothing much happens, and the same is true if the website connects over a normal, insecure channel. Without HSTS, browsers have no way of knowing that a website should be delivered securely, and so cannot alert you when a website that ought to be loaded securely (e.g. your bank’s website) is instead loaded via a normal connection (i.e. the unencrypted version the attacker sends to you instead). HSTS fixes that by allowing servers to send a message to the browser saying “Hey! Connections to me should be encrypted!” and allowing browsers to understand and act on that message.

So why haven’t more websites enabled HSTS? The biggest reason, we fear, is that web developers just don’t know about it.1 Another problem is that support for HSTS in browsers has been incomplete: only Chrome, Firefox, and Opera have had HSTS support for a significant period. This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9. For now, Internet Explorer doesn’t support HSTS—which means that there’s basically no such thing as a secure website in IE.

In response to questions from EFF about this situation, a Microsoft spokesperson told EFF that the company would now commit to supporting HSTS in the next major release of Internet Explorer (we aren’t sure whether we have persuaded Microsoft to implement HSTS sooner, though that seems quite likely, and is great news). This means that with the next major release of IE, every major browser will support properly secured websites.

In the mean time, what can users do to make sure their connections are secure? One option would be to use EFF’s HTTPS Everywhere browser extension. HTTPS Everywhere automatically tells your browser to use secured connections on many (but not all) websites that support them; on many domains it functions like a client-initiated equivalent of the serverside HSTS mechanism.

But what if you’re stuck using a browser that doesn’t support HSTS or HTTPS Everywhere, or a website that doesn’t support HSTS? For now all a savvy user can do is to always carefully examine the address of the site you’ve loaded, and verify that it’s secure by checking to make sure it has “https” in the front and is the precise address you want to visit.2 Unfortunately this assumes that you know ahead of time (and remember) whether or not a site should be secure, and are meticulous with every website you visit. This is obviously a huge burden to place on users—it makes a lot more sense to automate the process via HSTS, and it’s about time website operators the world over picked up the slack and did so.

EFF: An NSA ‘Reform Bill’ of the Intelligence Community, Written by the Intelligence Community, and for the Intelligence Community

This post, written by legislative analyst Mark Jaycox, was originally published by the Electronic Frontier Foundation on April 2.

Representatives Mike Rogers and Dutch Ruppersberger, the leaders of the House Intelligence Committee, introduced HR 4291, the FISA Transparency and Modernization Act (.pdf), to end the collection of all Americans’ calling records using Section 215 of the Patriot Act. Both have vehemently defended the program since June, and it’s reassuring to see two of the strongest proponents of the National Security agency’s actions agreeing with privacy advocates’ (and the larger public’s) demands to end the program. The bill needs only 17 lines to stop the calling records program, but it weighs in at more than 40 pages. Why? Because the “reform” bill tries to create an entirely new government “authority” to collect other electronic data.

Collecting All Americans’ Calling Records Is So 2012

The bill only ends the government collection of all Americans’ calling records using Section 215 of the Patriot Act — a good, albeit very small, first step. It also tries to prohibit the mass collection of other records like firearm sales and tax records. Unfortunately, it may still allow the government to argue for such collection as long as the NSA uses a “specific identifier or selection term.” In short: The government may still try to search these records and potentially other records. The bill leaves almost all of Section 215 as-is, the sole fix being that the section would no longer apply to calling records. The bill also stays mum on the NSA’s ability to mass spy on financial records, credit card records or other purchasing records using Section 215.

Collecting All Americans’ Internet Records Is The Future

The next 20 pages of the bill create a process where the government sends orders directed at electronic communication service providers for the collection of “records created as a result of communications of an individual or facility.”

The words simply switch out one form of unconstitutional mass collection for another. And this latter version is even scarier than the mass collection of Americans’ calling records. A “facility” could include an entire internet service provider (ISP) like Comcast or company like Google. And the bill’s use of “electronic communication” doesn’t use the definition found in the Foreign Intelligence Surveillance Act (FISA), but the one found in criminal law, which includes any transfer of data like uploaded documents to the cloud, calendar entries or address book entries. Under the bill, the government might try to argue that the order can collect any type of record created as the result of any “electronic communication” as long as the communication is of an agent of a foreign power or someone in contact with the agent or foreign power. This is an incredibly broad standard.

What’s worse is that the order doesn’t need prior judicial approval of who is targeted, where the information is supposed to be collected and why the government is searching for the information. The new order could collect the content of the communication or U.S. personal information like credit card numbers, Social Security numbers, names or addresses. That’s because the order must only be “reasonably designed” to not acquire such information. There is no mandate in the bill banning such collection or deleting such information upon collection.

The new order has “civil liberties and privacy protection procedures,” written by the Attorney General and the Director of National Intelligence. But don’t let the name fool you. The procedures only have to “reasonably limit” the collection, retention or searching of records not useful for foreign intelligence information. It’s too bad that “foreign intelligence information” is essentially defined in FISA to mean “everything.” The procedures are reviewed every year by the FISA court; and once accepted, the government sends out orders to companies for records without any additional judicial approval.

The above procedures to minimize certain information (“minimization procedures”) take after ones found in Section 702 of the Foreign Intelligence Surveillance Amendments Act, which is used to unconstitutionally mass collect innocent users’ phone calls and emails. Unfortunately, the procedures in Section 702 fail at even nominally protecting innocent users’ communications. Section 702 requires the procedures to be “reasonably designed” to exclude wholly domestic American communications. Despite the fact that the FISA court found the NSA collecting tens of thousands of such emails, the court thought NSA’s targeting procedures were still “reasonable.” We also know that the procedures fail time after time and are designed to retain and search the very communications the NSA isn’t supposed to be retaining and searching. Both are good reasons to think such procedures won’t work for the bill’s newly devised order. We won’t even know how much they fail (or succeed) because the procedures are filed in secret and stamped classified. Keeping the law secret worked out well in the past, so it should work out well in the future, right?

The bill is what’s expected from the House Intelligence Committee. The committee was created to oversee the intelligence community, but it has been coopted for quite some time. Though it stops the mass collection of all Americans’ calling records, the bill’s creation of a new order to conduct unconstitutional mass spying on any record created by a communication is disturbing. And it’s a bill that will surely fail to pass Congress when real reform bills that would stop all uses of Section 215 to conduct mass spying, like the USA Freedom Act, are already on the table. Tell Congress now to support NSA reform that will stop every government use of Section 215 to mass spy on innocent users.

EFF Statement On Proposals To Overhaul NSA Spying

This article, compiled by legal director Cindy Cohn and legislative analyst Mark M. Jaycox, was originally published by the Electronic Frontier Foundation on March 25.

Today we learned that the Obama Administration and the House Intelligence Committee are both proposing welcome and seemingly significant changes to the mass telephone records collection program. Both the Obama Administration and the Intelligence Committee suggest that mass collection end with no new data retention requirements for telephone companies. This is good news, but we have not seen the details of either. And details, as we have learned, are very important in assessing suggested changes to the National Security Agency’s mass spying.

But comparing what we know, it appears that the Obama Administration’s proposal requires significantly more judicial review — not just reviewing procedures, but reviewing actual search requests — so it’s preferable to the Intelligence Committee’s approach.

Yet a new legislative proposal isn’t necessary here. There is already a bill ending bulk collection. It’s called the USA FREEDOM Act by Judiciary Committee chairs Senator Patrick Leahy and Representative Jim Sensenbrenner. It’s a giant step forward and better than either approach floated today since it offers more comprehensive reform, although some changes are still needed. We urge the Administration and the Intelligence Committees to support the USA FREEDOM.

Or better still, we urge the Administration to simply decide that it will stop misusing section 215 of the Patriot Act and section 702 of the FISA Amendments Act and Executive Order 12333 and whatever else it is secretly relying on to stop mass spying. The executive branch does not need Congressional approval to stop the spying; nothing Congress has done compels it to engage in bulk collection. It could simply issue a new executive order requiring the NSA to stop.

Also, the Obama Administration does not go beyond the telephone records programs, which are important, but are only a relatively small piece of the NSA’s surveillance and, by itself, won’t stop mass surveillance. We continue to believe that comprehensive public review is needed through a new Church Committee to ensure that all of the NSA’s mass surveillance is brought within the rule of law and the Constitution. Given all the various ways that the NSA has overreached, piecemeal change is not enough.

Microsoft Says: Come Back With A Warrant, Unless You’re Microsoft

This article, written by Andrew Crocker, originally appeared March 21, 2014 on the website of the Electronic Frontier Foundation.

EFF has long argued that law enforcement agencies must get a warrant when they ask Internet companies for the content of their users’ communications. In 2013, as part of our annual Who Has Your Back report, we started awarding stars to companies that require warrants for content. It is now unclear whether Microsoft, one of our inaugural “gold star” companies in that category, is willing to live by its own maxim.

This controversy was brought to light by the arrest of an ex-Microsoft employee named Alex Kibkalo. According to a criminal complaint sworn in a Seattle federal court, Kibkalo stole proprietary information from Microsoft, including its Activation Server Software Development Kit (SDK), and passed the code to a French blogger. The complaint alleges that Kibkalo committed criminal trade secret theft. What’s troubling is that the FBI’s basis for the arrest was an open-ended, warrantless search of a Hotmail user’s account, conducted by Microsoft itself.

In September 2012, Microsoft’s internal security team received a tip that an anonymous blogger was in possession of the SDK source code. Conveniently for Microsoft, however, the French blogger, who has not been accused of any crime, communicated with Microsoft’s tipster using Hotmail. Since Microsoft runs Hotmail, it simply searched through the contents of that email account for evidence of the SDK leak. Gallingly, the Kibkalo complaint states that Microsoft’s Office of Legal Compliance signed off on this “content pull.”

At first blush, Microsoft’s unilateral decision to rifle through its user’s emails sounds like a violation of the Electronic Communications Privacy Act, ECPA. We at EFF have called for critical updates to ECPA’s privacy protections, but the law is fundamentally designed to protect email from this kind of snooping, albeit with some narrow exceptions.

Microsoft’s initial statement in response explained, “While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances.” Realizing that this wouldn’t cut it, the company’s deputy general counsel subsequently announced a new policy for conducting these searches in the future:

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed.  So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available.  In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge.  We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.

Unfortunately, this new policy just doubles down on the Microsoft’s indefensible and tone-deaf actions in the Kibkalo case. It begins with a false premise that courts do not issue orders in these circumstances because Microsoft was searching “itself,” rather than the contents of its user’s email on servers it controlled.

To the contrary, if Microsoft’s independent legal team concluded that there was probable cause, it could have passed the tipster’s information to the FBI to obtain a warrant and conduct the search under the auspices of the criminal justice system. The warrant protections enshrined in the Constitution would be preserved, ECPA would be satisfied, and Microsoft could have claimed the high moral ground. Instead, Microsoft has opted for an internal corporate shadow court.

To be sure, the process described in Microsoft’s statement bears more than a passing resemblance to a standard criminal investigation, with a prosecutorial team building a case and then presenting it to an ostensibly neutral third party, a retired federal judge no less. Let’s call it Warrants for Windows!

The monumental problem here is that Microsoft’s process has none of the protections provided by our legal system. No matter how fairly this process operates in any particular situation, approval by an employee paid by Microsoft, no matter how well qualified, is not approval of a “neutral and detached magistrate,” as required by the Fourth Amendment. Similarly, the protections provided to criminal suspects by the Fifth and Sixth Amendments wouldn’t apply to Microsoft’s internal investigation. In short, “Come back with a warrant” is meaningless when the FBI doesn’t get involved until after all the evidence has been collected.

Yet another colossal problem with Microsoft’s policy is its potential for abuse. Microsoft’s initial statement explained that the Microsoft Services Agreement (TOS) granted it “permission” to conduct the searches. But a brief check of these terms shows that Microsoft reserves the right to conduct search in far more scenarios than merely “exceptional circumstances.” That’s because Section 5.2 of the TOS states:

Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content . . . when Microsoft forms a good faith belief that doing so is necessary . . . . (b) to enforce this agreement or protect the rights or property of Microsoft or our customers[.]

And according to Section 3.5, one of the ways users can violate the agreement and thus give Microsoft “permission” to access their content is to email content that violates the company’s Code of Conduct. Spoiler alert: the Code of Conduct is ridiculously broad.

A few examples of things that would violate the Code of Conduct and allow search and disclosure of Hotmail email content:

Emailing “links to external sites that violate this Code of Conduct” such as by “depict[ing] nudity of any sort.” So you’re out of luck if you wanted to send your friend a link to Wikipedia, because the encyclopedia contains a fair number of articles containing nudity. Nor could you link to a Peanuts cartoon, because Snoopy is eternally pantsless, and Microsoft specifically prohibits links to “nudity in non-human forms such as cartoons.”

Similarly, linking to external content that violates the Code by “incit[ing] [or] express[ing] … profanity.” That means no YouTube, because it has, for example, clips of George Carlin’s Seven Dirty Words routine.

“[P]romoting or otherwise facilitate[ing] the purchase and sale of ammunition or firearms.” Best to unsubscribe from that NRA mailing list.

Presumably, Microsoft isn’t using these sorts of violations as an excuse to rifle through its users’ emails. But when it relies on permission from its TOS to do so, it reserves the right to abuse.

The search in the Kibkalo case may have revealed criminal activity, but it was also conducted in Microsoft’s self-interest, which is an exceedingly dangerous precedent. Combined with the kangaroo court potential of the company’s new internal Warrants for Windows policy, Microsoft is playing with fire. It should have followed its own advice and asked the FBI to step in with a warrant.