54 Civil Liberties And Public Interest Organizations Oppose The FISA Improvements Act

This post, written by Activism Director Rainey Reitman, was originally published by the Electronic Frontier Foundation on Dec. 18.

Fifty-four civil liberties and public interest groups sent a letter to Congressional leadership today opposing S. 1631, the FISA Improvements Act. The bill, promoted by Senator Dianne Feinstein (D-Calif.), seeks to legalize and extend National Security Agency mass surveillance programs, including the classified phone records surveillance program confirmed by documents released by former NSA contractor Edward Snowden this summer.

On Monday, a Federal judge found the phone records program that Feinstein’s bill supports was likely unconstitutional. In a sharply worded opinion, Judge Richard Leon explained, “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval.”

Feinstein has been promoting the bill as a way to rein in NSA overreach, but legal experts have criticized the bill for attempting to sanction the worst of the surveillance abuses. The letter published today calls on members of Congress to reject the FISA Improvements Act and champion reform that would end mass surveillance by the NSA.

Signers included the American Civil Liberties Union, the Council on American-Islamic Relations, Electronic Frontier Foundation, Greenpeace USA, PEN American Center, Progressive Change Campaign Committee, TechFreedom and others.

The coalition letter highlighted the free speech concerns with continued bulk data collection by the NSA, noting: “The NSA mass surveillance programs already sweep up data about millions of people daily. This shadow of surveillance chills freedom of speech, undermines confidence in US Internet companies, and runs afoul of the Constitution.”

The public at large increasingly opposes dragnet government surveillance. An Associated Press/NORC poll released in September 2013 showed strong opposition to bulk data collection: Close to 60 percent of respondents opposed Internet and telephone record surveillance; 62 percent of respondents opposed collection of the contents of Americans’ emails without warrants.

If the FISA Improvements Act were to pass, the NSA would continue its collection of the telephone records of millions of Americans and could restart the bulk collection of Internet communication records — a program the government attempted under dubious legal grounds but abandoned because it wasn’t effective.

The FISA Improvements Act has already passed out of the Senate Intelligence Committee and could be taken up for a Senate vote. Last week, the Barack Obama Administration testified in support of the bill, and Feinstein has confirmed that she intends to work with the House on pushing her bill in January.

Read the opposition letter in full below. Help defeat this bill by emailing your member of Congress today.

December 18, 2013

Dear Members of Congress,

As civil liberties groups and other organizations advancing the public interest, we write this letter today to strongly urge you to oppose S. 1631, the FISA Improvements Act. The FISA Improvements Act does not offer real reform to stop the NSA’s mass collection of our communications and communications records. Instead, S. 1631 seeks to entrench some of the worst forms of NSA surveillance into US law and to extend the NSA surveillance programs in unprecedented ways.

If the FISA Improvements Act were to pass, the NSA would continue to collect telephone records of hundreds of millions of Americans not suspected of any crime. This is a violation of Americans’ privacy and Constitutional rights. Multiple polls, including a September 2013 Associated Press poll, consistently show a strong majority of the American people opposing such programs.

Furthermore, the bill seeks to permit the NSA to restart the bulk collection of Internet communication records—an extremely invasive, secret program the government attempted under dubious legal ground but abandoned because it wasn’t effective.

The NSA mass surveillance programs already sweep up data about millions of people daily. This shadow of surveillance chills freedom of speech, undermines confidence in US Internet companies, and runs afoul of the Constitution.

Please champion real reform to end these programs and oppose S. 1631, which would codify and expand them.

Sincerely,

Access
Advocacy for Principled Action in Government
AIDS Policy Project
American Civil Liberties Union
American Library Association
Amicus
Arab American Institute
Bill of Rights Defense Committee
Brennan Center for Justice at NYU Law School
Campaign for Liberty
Center for Democracy and Technology
Center for Rights
Charity & Security Network
Citizens for Responsibility and Ethics in Washington (CREW)
The Constitution Project
Council on American-Islamic Relations
CREDO Mobile
Cyber Privacy Project
Defending Dissent Foundation
Demand Progress
DownsizeDC.org
Electronic Frontier Foundation
F2C: Freedom to Connect
Fight for the Future
Firedoglake
Floor64
Free Press Action Fund
Free Software Foundation
Freedom of the Press Foundation
Government Accountability Project
Greenpeace USA
Human Rights Watch
InFo – The Foundation for Innovation and Internet Freedom
Liberty Coalition
Media Alliance
Media Mobilizing Project
Montgomery County Civil Rights Coalition
National Association of Criminal Defense Lawyers
National Coalition Against Censorship
New America Foundation’s Open Technology Institute
OpenMedia International
OpenTheGovernment.org
Participatory Politics Foundation
PEN American Center
PolitiHacks
Privacy Rights Clearinghouse
Progressive Change Campaign Committee
Project On Government Oversight
Public Knowledge
reddit
RootsAction.org
TechFreedom
The Rutherford Institute
ThoughtWorks

cc: Members of the House and Senate Judiciary and Intelligence Committees


A Plan For Broader Anti-Surveillance Action

This post, written by Cindy Cohn, Katitza Rodriguez and Parker Higgins, was originally published by the Electronic Frontier Foundation on Dec. 17.

Last Monday, eight of the largest Internet companies took the unprecedented step of publicly calling for an end to bulk collection of communications data. Then on Tuesday, a coalition of over 550 of the world’s leading authors (including 5 Nobel prize winners) issued a statement calling for a reassertion of our digital privacy. In the next few days, the United Nations General Assembly is expected to pass a key privacy resolution.

While all of these are heartening steps, the time is coming to fill in the details of the more general international calls for reform. Luckily, EFF and several other NGOs and legal scholars around the world have already developed a set of robust principles, called the 13 International Principles for the Application of Human Rights to Communications Surveillance—or more commonly, the Necessary and Proportionate Principles. These can be used by people around the world to push for stronger local legal protections, as well as by the United Nations and other international bodies. The Principles have so far been endorsed by over 329 organizations, 43 experts and elected officials, and thousands of individuals from around the world. They are also open for signature by companies. If you haven’t already signed them, you can do so today.

The Principles look beyond the current set of revelations to take a broad look at how modern communications surveillance technologies can be addressed consistent with human rights and the rule of law. Some of the key factors are:

Protect Critical Internet Infrastructure: No law should impose security holes in our technology in order to facilitate surveillance. Dumbing down the security of hundreds of millions of innocent people who rely on secure technologies in order to ensure surveillance capabilities against the very few bad guys is both overbroad and short-sighted. Yet one of the most significant revelations this year has been the extent to which NSA, GCHQ and others have done just that—they have secretly undermined the global communications infrastructure and services. They have obtained private encryption keys for commercial services relied on by individuals and companies alike and have put backdoors into and generally undermined security tools and even key cryptographic standards relied upon by millions around the world. The assumption underlying such efforts—that no communication can be truly secure—is inherently dangerous, leaving people at the mercy of good guys and bad guys alike. It must be rejected.

Protect Metadata: It’s time to move beyond the fallacy that information about communications is not as privacy invasive as communications themselves. Information about communications, also called metadata or non-content, can include the location of your cell phone, clickstream data, and search logs, and is just as invasive as reading your email or listening to your phone calls—if not more so. What is important is not the kind of data that is collected, but its effect on the privacy of the individual. Thus, the law must require high standards for government access — for criminal prosecutions this means the equivalent of a probable cause warrant issued by a court (or other impartial judicial authority)—whenever that access reveals previously nonpublic information about individual communications. This includes revealing a speaker’s identity if it is not public; the websites or social media one has encountered; the people one has communicated with; and when, from where, and for how long. In the pre-Internet age, the much more limited amount and kind of “metadata” available to law enforcement was treated as less sensitive than content, but given current communications surveillance capabilities, this can no longer be the case. Our metadata needs to be treated with the same level of privacy as our content.

Monitoring Equals Surveillance: Much of the expansive state surveillance revealed in the past year depends on confusion over whether actual “surveillance” has occurred and thus whether human rights obligations apply. Some have suggested that if information is merely collected and kept but not looked at by humans, no privacy invasion has occurred. Others argue that computers analyzing all communications in real-time for key words and other selectors is not “surveillance” for purposes of triggering legal protections. These differences in interpretation can mean the difference between targeted and mass surveillance of communications.

Definitions matter. This is why one of the crucial points in our principles is the definition of “Communications surveillance”, which encompasses the monitoring, interception, collection, analysis, use, preservation and retention of, interference with, or access to information that includes, reflects, or arises from a person’s communications in the past, present or future. States should not be able to bypass privacy protections on the basis of arbitrary definitions.

Mission Creep: Contrary to many official statements, the modern reality is that state intelligence agencies are involved in a much broader scope of activities than simply those related to national security or counterterrorism. The NSA and its partners, for example, have used the expansive powers granted to them for political and even economic spying—things that have little to do with the safety of the state and its citizens. Worse, the information collected by foreign intelligence agencies, it turns out, is routinely (and secretly!) re-used by domestic agencies such as the Drug Enforcement Agency, effectively bypassing the checks and balances imposed on such domestic agencies.

The Necessary and Proportionate Principles state that communications surveillance (including the collection of information or any interference with access to our data) must be proportionate to the objective they are intended to address. And equally importantly, even where surveillance is justified by one agency for one purpose, the Principles prohibit the unrestricted reuse of this information by other agencies for other purposes.

No Voluntary Cooperation: As we’ve learned about extralegal and voluntary deals between tech companies and intelligence agencies, it’s become increasingly clear that the terms of cooperation between governments and private entities must be made public. The Necessary and Proportionate principles clarify that there is no scope for voluntary cooperation from companies unless a warrant has met the proportionality test.

Combat a Culture of Secret Law: The basis and interpretation of surveillance powers must be on the public record, and rigorous reporting and individual notification (with proper safeguards) must be required. The absence of transparency in surveillance laws and practices reflects a lack of compliance with human rights and the rule of law. Secret laws—whether about surveillance or anything else—are unacceptable. The state must not adopt or implement a surveillance practice without public law defining its limits. Moreover, the law must meet a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of, and can foresee, its application. When citizens are unaware of a law, its interpretation, or its application, it is effectively secret. A secret law is not a legal law.

Notification: Notification must be the norm, not the exception. Individuals should be notified of authorization of communications surveillance with enough time and information to enable them to appeal the decision, except when doing so would endanger the investigation at issue. Individuals should also have access to the materials presented in support of the application for authorization. The notification principle has become essential in fighting illegal or overreaching surveillance. Before the Internet, the police would knock on a suspect’s door, show their warrant, and provide the individual a reason for entering the suspect’s home. The person searched could watch the search occur and see whether the information gathered went beyond the scope of the warrant.

Electronic surveillance, however, is much more surreptitious. Data can be intercepted or acquired directly from a third party such as Facebook or Twitter without the individual knowing. Therefore, it is often impossible to know that one has been under surveillance, unless the evidence leads to criminal charges. As a result the innocent are the least likely to discover their privacy has been invaded. Indeed, new technologies have even enabled covert remote searches of personal computers. Any delay in notification has to be based upon a showing to a court, and tied to an actual danger to the investigation at issue or harm to a person.

Restore Proportionality: Authorities must have prior authorization by an independent and impartial judicial entity in order to determine that a certain act of surveillance has a sufficiently high likelihood to provide evidence that will address a serious harm. Any decisions about surveillance must weigh the benefits against the costs of violating an individual’s privacy and freedom of expression. Respect for due process also requires that any interference with fundamental rights must be properly enumerated in law that is consistently practiced and available to the public. A judge must ensure that freedoms are respected and limitations are appropriately applied.

Cross-Border Access Protection: Privacy protections must be consistent across borders at home and abroad. Governments should not bypass national privacy protections by relying on secretive informal data sharing agreements with foreign states or private international companies. Individuals should not be denied privacy rights simply because they live in another country from the one that is surveilling them. Where data is flowing across borders, the law of the jurisdiction with the greatest privacy protections should apply.

More To Be Done: The Necessary and Proportionate Principles provide a basic framework for governments to ensure the rule of law, oversight and safeguards. They also call for accountability, with penalties for unlawful access and strong and effective protections for whistleblowers. They are starting to serve as a model for reform around the world and we urge governments, companies, NGOs and activists around the world to use them to structure necessary change. The technology companies’ statement last week is a welcome addition and a good start. It also highlights the conspicuous silence of the telecommunications companies, which appear to have a much bigger and deeper role in mass surveillance.

But while the Principles are aimed at governments, government action isn’t the only way to combat surveillance overreach. All of the communications companies, Internet and telecommunications alike, can help by securing their networks and limiting the information they collect. EFF has long recommended that online service providers collect the minimum amount of information for the minimum time that is necessary to perform their operations, and to effectively obfuscate, aggregate and delete unneeded user information. This helps them in their compliance burdens as well: if they collect less data, there is less data to hand over to the government.

Working together, legal efforts like the Necessary and Proportionate Principles serving as a basis for international and national reforms, plus technical efforts like deploying encryption and limiting information collected, can serve as a foundation for a new era of private and secure digital communications.

The FAA Creates Thin Privacy Guidelines For The Nation’s First Domestic Drone ‘Test Sites’

This article, compiled by activist April Glaser and senior staff attorney Jennifer Lynch, was originally published by the Electronic Frontier Foundation.

Commercial unmanned aerial systems are set to start flying over U.S. airspace in 2015. In November, the Federal Aviation Administration released its final privacy rules for the six drone “test sites” that the agency will use to evaluate how drones will be integrated into domestic air traffic. These new privacy requirements were issued just days after Senator Ed Markey (D-Mass.) introduced a new bill, the Drone Aircraft Privacy and Transparency Act (DAPTA), intended to codify essential privacy and transparency requirements within the FAA’s regulatory framework for domestic drones and drone test sites.

In 2012, Obama signed the Federal Aviation Administration Modernization and Reform Act, which mandated that the FAA implement “test sites” to fly domestic drones before opening the door to nationwide regulations and licensing for commercial drone flying. Twenty-four States have applied to be FAA drone test sites. While the FAA’s rules do establish minimal transparency guidelines for the new drone test sites, the new rules apply only to the test sites and do not apply to the drones that are already authorized to fly.

The new transparency rules require each test site operator to create, post and enforce its own privacy policy, as well as set up “a mechanism to receive and consider comments from the public.” The FAA rules further state that test sites must require all drone operators to establish “a written plan for the operator’s use and retention of data collected by the UAS.” Although the FAA’s rules require the test site privacy policies to be made available to the public, there seems to be no similar requirement for the UAS operators’ “written plans.” There also appears to be no FAA oversight for these transparency rules; the rules basically call for the test sites to police themselves.

While the Electronic Frontier Foundation appreciates the steps the FAA has taken so far, the agency could and should go further to require similar transparency from all drone operators. The FAA has already authorized almost 1,500 permits for domestic drones since 2007; but, despite EFF’s two Freedom of Information Act lawsuits for drone data, EFF still doesn’t know much about where these drones are flying and what data they are collecting.

EFF submitted comments in the FAA’s rule-making process about what a good privacy policy for the drone test sites would look like, and only a few of its proposals were adopted into the new rules. The FAA did not, as EFF recommended, develop and provide a model privacy policy for all test site operators — something that would have been relatively easy to produce, considering the Federal reach of the agency. The FAA also could have gone further to ensure that data collected at drone test sites does not exceed Constitutional and other legal limitations. Nine States have passed laws that restrict the use of drones by either law enforcement or private citizens. Some of these States have also applied to be drone test sites, which would then test those existing State policies.

It is especially important for the FAA to define basic data collection procedures for domestic drones, because the technology enables a kind of surveillance not achievable by manned aerial or ground-based law enforcement or commercial entities. Some drones are capable of staying in the air for 16 to 24 hours at a time, much longer than a manned aircraft ever could. Drones can fly at altitudes above 20,000 feet with super-high-resolution cameras and can monitor and track many people at once or intercept phone calls and text messages. Drones also cost far less to purchase, operate and maintain than helicopters and planes.

A number of drone bills have been introduced in Congress over the past two years, but Markey’s proposed legislation is demanding of both the FAA and drone operators when it comes to protecting the Constitutional rights of Americans. DAPTA calls for the FAA to institute and enforce guidelines for all licensed domestic drone flights — not just test sites — that include clear data minimization procedures, as well as transparency rules that require drone test site operators to disclose their data collection practices and how drone operators use, retain and share all collected data.

Markey’s bill requires the FAA to create a publicly searchable database of all awarded drone operator licenses, the logistical details of their operation, and each drone operator’s data collection and minimization statement. Creating a database like this is within the FAA’s purview. The agency already runs other databases about aircraft in national airspace, listing who is in the air, accident reports and safety information.

Law enforcement agencies across the country are already flying drones without set national privacy guidelines in place. But at this point, EFF’s most successful tactic for learning more about drones has been to sue for access to information. The American public shouldn’t have to submit a Freedom of Information Act request just to know if drones are overhead. Markey’s bill is a strong start to what needs to be an ongoing conversation about the future of American privacy standards in light of the coming age of domestic drones. We need more lawmakers to speak up for greater transparency and accountability of both government and commercial operation of drones in our national airspace.

Until there are laws in place that mandate transparency, EFF encourages you to submit requests to your local law enforcement agency and city council to learn more about drone flights in your area. EFF has partnered with MuckRock, an open government organization dedicated to helping people send requests for public records, to campaign for greater transparency about drones that are already flying in the United States. If you’re wondering what your own police agency may be doing with drones, go here and fill out this simple form so MuckRock can send in a public records request for you.

Electronic Frontier Foundation Issues Legal Challenge To Warrantless Cell Phone Tracking

Alarming information about just how frequently law enforcement officials across the country (not to mention the NSA) are trying to get cell phone data, including your location, seems to be published in the news media every day. With these privacy concerns in mind, last week we filed an amicus brief in the Connecticut Appellate Court in State v. Smith, urging it to find the state police violated the Fourth Amendment when it obtained cell tower records without a search warrant.

In this case, police were investigating a bank robbery and wanted to get cell phone records to tie the defendant to the crime. Officers obtained an ex parte order from the court that allowed them to obtain six months’ worth of Smith’s cell phone records, including subscriber information and cell tower connection records. Even though the government went to a judge to get authorization to get the records, they didn’t get a search warrant. Instead, both Federal and Connecticut State law authorize police to obtain cell phone location records with a showing less than the probable cause required to obtain a warrant. The trial court found the records were obtained properly and Smith was convicted and sentenced to 55 years in prison.

On appeal, Smith argues that the 4th Amendment’s prohibition against unreasonable searches and seizures means the police must obtain a search warrant supported by probable cause to get cell site records. Our brief agrees, explaining how cell site records can reveal a person’s location with increasing precision, triggering an expectation of privacy and requiring police to obtain a probable cause search warrant in order to access this information. The warrant requirement is a minimal additional burden, since police have to go to a judge anyway to get the records under current law. Our new amicus brief follows on the heels of other briefs we’ve filed on the topic in State and Federal courts across the country, arguing that police must obtain a search warrant to get access to a cell phone company’s records about which towers a cell phone connects to.

This is a pervasive problem, with warrantless searches going on across the country. Senator Edward Markey (D-MA) recently published responses he received to a number of questions he sent to seven different cell phone providers about their interactions with law enforcement. The responses detailed how many law enforcement requests they obtained in 2012, what type of judicial or administrative orders they require before they produce records, and how much money they were reimbursed by the government. We hope to have more about these responses soon, but the quick takeaway is that there are lots of government requests being made by law enforcement to the police, including over 9,000 requests for “tower dumps,” a 21st century general warrant that asks a cell phone provider to disclose the records of all the phones that connect to a cell phone tower at a particular time.

Senator Markey has indicated he hopes to introduce a bill to require police to obtain a search warrant before accessing these records, a legislative fix that has been proposed in Congress before but gone nowhere. But this time, with growing concern over the government’s surveillance capabilities and the lead of states like Maine, Montana and New Jersey, which have all adopted a warrant requirement for cell tracking by legislation or court decision, we’re hopeful that lawmakers will understand the privacy interests at stake and safeguard our locations with a search warrant.

EFF’s Updated List Of Who Protects Your Online Information

This article, compiled by senior staff attorney Kurt Opsahl, staff attorney Nate Cardozo and activist Parker Higgins, was originally published by the Electronic Frontier Foundation on Dec. 5.

The Electronic Frontier Foundation has asked the companies in its Who Has Your Back Program what they are doing to bolster encryption in light of the National Security Agency’s unlawful surveillance of your communications. EFF is pleased to see that four companies — Dropbox, Google, SpiderOak and Sonic.net — are implementing five out of five of EFF’s best practices for encryption. In addition, EFF appreciates that Yahoo! just announced several measures it plans to take to increase encryption, including the very critical encryption of data center links, and that Twitter has confirmed that it has encryption of data center links in progress. See the infographic.

By adopting these practices, described below, these service providers have taken a critical step toward protecting their users from warrantless seizure of their information off of fiber-optic cables. By enabling encryption across their networks, service providers can make backdoor surveillance more challenging, requiring the government to go to courts and use legal process. While Lavabit’s travails have shown how difficult that can be for service providers, at least there was the opportunity to fight back in court.

While not every company in EFF’s survey has implemented every recommendation, each step taken helps; and EFF appreciates those who have worked to strengthen their security. EFF hopes that every online service provider adopts these best practices and continues to work to protect their networks and their users.

Crypto Survey Results

UPDATE, Nov. 20: Facebook and Tumblr have provided further information to supplement the Encrypt the Web Report. EFF is pleased to report that Tumblr is planning to upgrade its Web connections to HTTPS this year and implement HSTS by 2014, and Facebook is working on encrypting data center links and implementing STARTTLS.

UPDATE, Nov. 22: Google has provided further information to supplement the report on its use of HSTS. See the updated chart below and the notes for more information.

UPDATE, Dec. 5: Microsoft has provided further information, announcing a plan to expand encryption across all its services, including encrypting links between data centers and implementing forward secrecy by the end of 2014.

[Infographic: Crypto Survey Results]

Why Crypto Is So Important

The NSA’s MUSCULAR program, which tapped into the fiber-optic lines connecting the data centers of Internet giants like Google and Yahoo, exposed the tremendous vulnerabilities companies can face when up against as powerful an agency as the NSA. Bypassing the companies’ legal departments, the program grabbed extralegal access to your communications, without even the courtesy of an order from the secret rubber-stamp Foreign Intelligence Surveillance Court. The program is not right, and it’s not just.

With that in mind, EFF has asked service providers to implement strong encryption. EFF would like to see encryption on every step of the way for a communication on its way to, or within, a service provider’s systems.

For starters, EFF has asked companies to encrypt their websites with Hypertext Transfer Protocol Secure (HTTPS) by default. This means that when a user connects to a website, it will automatically use a channel that encrypts the communications from the user’s computer to the website.

EFF has also asked them to flag all authentication cookies as secure. This means cookie communications are limited to encrypted transmission, which directs Web browsers to use these cookies only through an encrypted connection. That stops network operators from stealing (or even logging) users’ identities by sniffing authentication cookies going over insecure connections.

To ensure that the communication remains secure, EFF has asked companies to enable HTTP Strict Transport Security (HSTS). HSTS essentially insists on using secure communications, preventing certain attacks where a network pretends that the site has asked to communicate insecurely.
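The three web practices above (HTTPS by default, secure authentication cookies, HSTS) can be checked from response headers alone. The following audit is an added example, not code from EFF or from any surveyed company; the cookie names in `AUTH_COOKIE_NAMES`, the finding labels and the sample responses are constructed for illustration.

```python
# Added example: audit one HTTP(S) response for HTTPS-by-default,
# Secure-flagged authentication cookies and HSTS.

AUTH_COOKIE_NAMES = {"session", "auth_token"}  # hypothetical; set per site
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            if val.isdigit():
                return int(val)
    return None


def audit_response(scheme, status, headers):
    """Return a list of findings for one response.

    scheme  -- "http" or "https", the scheme the request was made over
    status  -- numeric status code
    headers -- list of (name, value) pairs; names are case-insensitive
    """
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]

    if scheme == "http":
        # HTTPS by default: a plain-HTTP request should only ever be
        # answered with a redirect to the https:// site.
        location = next((v for k, v in hdrs if k == "location"), "")
        redirected = status in REDIRECT_CODES and location.lower().startswith("https://")
        if not redirected:
            findings.append("no-https-redirect")
        # Browsers ignore an HSTS header received over plain HTTP
        # (RFC 6797), so it is not evaluated here.
    else:
        sts = [v for k, v in hdrs if k == "strict-transport-security"]
        # Only the first HSTS header is processed by browsers.
        age = hsts_max_age(sts[0]) if sts else None
        if age is None:
            findings.append("hsts-missing")
        elif age == 0:
            findings.append("hsts-disabled")  # max-age=0 switches HSTS off

    # Authentication cookies must carry the Secure attribute, otherwise the
    # browser will also send them over unencrypted connections.
    for k, v in hdrs:
        if k == "set-cookie":
            name, attrs = parse_set_cookie(v)
            if name in AUTH_COOKIE_NAMES and "secure" not in attrs:
                findings.append("cookie-not-secure:" + name)
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = ("http", 200, [("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
WEAK_HTTPS = ("https", 200, [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
])
GOOD_HTTP = ("http", 301, [("Location", "https://www.example.org/")])
GOOD_HTTPS = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    samples = [("weak http", WEAK_HTTP), ("weak https", WEAK_HTTPS),
               ("good http", GOOD_HTTP), ("good https", GOOD_HTTPS)]
    for label, sample in samples:
        print(label, audit_response(*sample))
```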

All of these technologies are now industry-standard best practices. While they encrypt the communications from the end user to the server and back, the MUSCULAR revelations have shown this is not enough. Accordingly, EFF has asked service providers to encrypt communications between company cloud servers and data centers. Anytime a user’s data transits a network, it should be strongly encrypted, in case an attacker has access to the physical data links or has compromised the network equipment.

In addition, we have asked email service providers to implement STARTTLS for email transfer. STARTTLS is an opportunistic encryption system, which encrypts communications between email servers that use the Simple Mail Transfer Protocol (SMTP) standard. When a user emails someone on a different provider (say, a Hotmail user writing to a Gmail user), the mail message will have to be delivered over the Internet. If both email servers understand STARTTLS, then the communications will be encrypted in transit. If only Gmail does but Hotmail does not (the current situation), the messages will be in the clear and exposed to eavesdropping, so it’s critical to get as many email service providers as possible to implement the system.

Finally, EFF has asked companies to use forward secrecy for their encryption keys. Forward secrecy, sometimes called “perfect forward secrecy,” is designed to protect previously encrypted communications, even if one of the service providers’ keys is later compromised. Without forward secrecy, an attacker who learns a service provider’s secret key can use it to go back and read previously incomprehensible encrypted communications — perhaps ones that were recorded months or years in the past.
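Most of the practices above can be verified from outside a provider's network. The following is an added example, not EFF's code and not part of the original article, that audits constructed server observations for HTTPS redirects, secure authentication cookies, HSTS, STARTTLS and forward secrecy. The hostnames, cookie names and sample responses are assumptions; encryption of links between data centers cannot be observed this way and is left out.

```python
import re

# Constructed sample observations (not captured traffic). Hostnames, cookie
# names and the AUTH_COOKIES set are assumptions made for this example.
AUTH_COOKIES = {"SID"}

GOOD = {
    "http_response": (301, [("Location", "https://mail.example.test/")]),
    "https_headers": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),  # not an auth cookie, ignored
    ],
    "ehlo_reply": "250-mx.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
    "cipher": ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
}
WEAK = {
    "http_response": (200, []),  # serves content over plain HTTP
    "https_headers": [
        ("Strict-Transport-Security", "max-age=0"),
        ("Set-Cookie", "SID=abc123; Path=/; HttpOnly"),  # Secure flag missing
    ],
    "ehlo_reply": "250-mx.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n",
    "cipher": ("AES128-SHA", "TLSv1.2"),  # static RSA key exchange
}


def header_values(headers, name):
    """All values of a header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def redirects_to_https(status, headers):
    """HTTPS by default: a plain-HTTP request is answered with a redirect to https://."""
    if status not in (301, 302, 303, 307, 308):
        return False
    return any(v.lower().startswith("https://") for v in header_values(headers, "Location"))


def auth_cookies_secure(headers):
    """Every authentication cookie set by the site carries the Secure attribute."""
    for raw in header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        if name in AUTH_COOKIES and "secure" not in attrs:
            return False
    return True


def hsts_enabled(headers):
    """HSTS counts only with a positive max-age; max-age=0 tells browsers to drop the policy."""
    values = header_values(headers, "Strict-Transport-Security")
    if not values:
        return False
    # Browsers process only the first Strict-Transport-Security header.
    m = re.search(r'max-age\s*=\s*"?(\d+)', values[0], re.IGNORECASE)
    return bool(m) and int(m.group(1)) > 0


def advertises_starttls(ehlo_reply):
    """The mail server lists STARTTLS among its EHLO extensions."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ](\S+)", line)
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def forward_secret(cipher_name, protocol):
    """Ephemeral (EC)DHE key exchange protects recorded sessions if the server key leaks later."""
    if protocol == "TLSv1.3":
        return True  # TLS 1.3 full handshakes always use ephemeral (EC)DHE
    prefixes = ("ECDHE-", "DHE-", "EDH-", "TLS_ECDHE_", "TLS_DHE_")
    return cipher_name.upper().startswith(prefixes)


def audit(obs):
    """Map each practice to True (in place) or False (missing) for one provider."""
    status, http_headers = obs["http_response"]
    return {
        "https_by_default": redirects_to_https(status, http_headers),
        "secure_auth_cookies": auth_cookies_secure(obs["https_headers"]),
        "hsts": hsts_enabled(obs["https_headers"]),
        "starttls": advertises_starttls(obs["ehlo_reply"]),
        "forward_secrecy": forward_secret(*obs["cipher"]),
    }


if __name__ == "__main__":
    for label, obs in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit(obs))
```
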

  • 1. The HSTS domains are wallet.google.com; checkout.google.com; chrome.google.com; docs.google.com; sites.google.com; spreadsheets.google.com; appengine.google.com; encrypted.google.com; accounts.google.com; profiles.google.com; mail.google.com; talkgadget.google.com; talk.google.com; hostedtalkgadget.google.com; plus.google.com; plus.sandbox.google.com; script.google.com; history.google.com; security.google.com; goto.google.com; market.android.com; ssl.google-analytics.com; drive.google.com; googleplex.com; groups.google.com; apis.google.com; chromiumcodereview.appspot.com; chrome-devtools-frontend.appspot.com; codereview.appspot.com; codereview.chromium.org; code.google.com; dl.google.com; translate.googleapis.com; oraprodsso.corp.google.com; oraprodmv.corp.google.com; gmail.com; googlemail.com; www.gmail.com; www.googlemail.com; google-analytics.com; and googlegroups.com.

 

Electronic Frontier Foundation Calls For Update To Archaic Email Privacy Law

This article, compiled by activist April Glaser and attorney Nate Cardozo, was originally published by the Electronic Frontier Foundation.

The Electronic Frontier Foundation is calling for reform of the Electronic Communications Privacy Act (ECPA), the 1986 law used by the government to access your online documents, messages, and emails stored in the cloud without a warrant.

ECPA is sorely outdated. It was enacted before web-based email became ubiquitous and “the cloud” meant only airborne water vapor. The law purports to allow for any opened emails or unopened emails left on a server for more than 180 days to be treated like abandoned property. Although the courts disagree, some agencies believe that ECPA allows law enforcement to access stored content with a mere subpoena. That interpretation created a senseless distinction—law enforcement was required to meet a much lower standard to access your saved webmail than the warrant standard that would be required if the same emails were printed and stored in your file cabinet. ECPA should not be used to bypass 4th Amendment protections that cover our personal email accounts, our social media messages, or anything else using cloud storage.

In the midst of the global outrage sparked by the 2013 revelations of warrantless NSA surveillance, we’ve also learned that the National Security Agency actively collaborates with the FBI and other government agencies to access private emails and Internet data stored by U.S. companies. Even if we are successful in reining in the NSA’s overly broad and unconstitutional surveillance, without ECPA reform other government agencies could still claim the legal authority to continue the massive collection of millions of innocent people’s personal communications and data without due process.

Bills to reform ECPA have gained huge bipartisan support. Earlier in the year, the Senate Judiciary Committee voted unanimously to update our outdated electronic privacy law. And now, a similar bill is being debated in the House. The problem is that government agencies like the Securities and Exchange Commission are asking for a special carve-out permitting the agency to access email and data stored by Internet service providers without a warrant. This exception, if granted, would completely undermine meaningful, and much needed, ECPA reform.

EFF is a member of the Digital Due Process coalition, a collection of tech companies, start-ups, privacy advocates, and think tanks working to update ECPA to ensure that laws continue to protect the rights of users as technologies advance and usage patterns evolve. Today, please join us in demanding long-overdue updates to our archaic electronic privacy laws.

Speak out:

1. You can sign the White House Petition calling on the Obama Administration to reject agency demands for unjustified surveillance authority that would undermine critically needed ECPA reform. Check out the privacy policy of the White House site here.

2. You can send an email to your representatives in Congress using the EFF action center: Don’t Let Privacy Law Get Stuck in 1986: Demand a Digital Upgrade to the Electronic Communications Privacy Act

Does Video Surveillance Of A Home For A Month Violate The 4th Amendment

This article, originally published by the Electronic Frontier Foundation, was written by attorney Hanni Fakhoury.

Just because a jogger can see the outside of your home on a public street doesn’t mean you’ve surrendered all your privacy expectations in the home. However, that seemingly obvious concept is being put to the test in a federal criminal case in Washington state, which involves the constitutionality of using a camera mounted on a pole outside a house to allow the police to watch the home for almost a month. Senior District Court Judge Edward Shea invited EFF to submit an amicus brief in the case and Monday we filed our brief, arguing prolonged warrantless video surveillance violates the 4th Amendment.

In United States v. Vargas, local police in Franklin County, Washington suspected Leonel Vargas of drug trafficking and in April 2013, installed a pole camera on a public road overlooking Vargas’ rural home. They did not get a search warrant to install or use the camera, which was pointed squarely at the front door and driveway of the home. Officers had the ability to pan the camera around and zoom in and out all from the comfort of the police station. They watched the outside of Vargas’ home for more than a month, taking notice of who visited him and what cars they were driving. They observed no criminal activity until a month after they began snooping, when officers saw him shooting a gun at beer bottles in what appeared to be target practice. Because the officer had learned earlier that Vargas was undocumented, they had probable cause to believe he had committed a Federal crime by possessing a firearm. They used this surveillance to get a search warrant to enter Vargas’ home, and the search turned up drugs and guns, which form the criminal charges against Vargas.

Vargas moved to suppress the video surveillance, arguing the use of the pole camera violated the 4th Amendment, which prohibits unreasonable searches. Since the front yard and door of Vargas’ home are considered “curtilage,” they are entitled to the same 4th Amendment protection as the home, where warrantless searches are considered per se unreasonable.

In defending the surveillance, the government argued that Vargas had no expectation of privacy since he exposed the front of his house to the public. But no one expects their house to be placed under invasive 24/7 video surveillance for a month. Although the U.S. Supreme Court in the 1980s previously authorized warrantless aerial surveillance in California v. Ciraolo, Dow Chemical Co. v. United States and Florida v. Riley, all of those cases involved one-time fly-overs, not continuous surveillance. Like GPS and cell phone tracking, prolonged video surveillance of a person’s home raises much more significant 4th Amendment problems than a one-time observation. Non-stop video surveillance — especially of a person’s home — allows the police to determine a person’s associations and patterns of movements, information that can be extremely revealing.

The invasiveness of video surveillance has led courts to require the police to do more than just get a search warrant to engage in this kind of snooping. Law enforcement must make additional showings to the court — similar to those necessary to obtain authorization to wiretap a phone call — before engaging in covert video surveillance. Any other rule would allow the police free rein to silently watch and record those they dislike, waiting for someone to inevitably commit one of the myriad federal crimes. Since the police had no warrant or judicial authorization whatsoever to video record Vargas’ home for a month, the surveillance violated the 4th Amendment and all the evidence the police seized as a result of the surveillance can’t be used against Vargas in his criminal case.

These arguments touch upon more than pole cameras. As police departments around the country get their hands on new technologies like drones and mesh networks, the ability to move around anonymously and privately will be significantly impaired. It’s crucial for courts to play a role in policing the police and their new toys by overseeing the use of these technologies.

Judge Shea will hear oral argument on the motion on February 11, 2014 at 10am at the federal courthouse in Richland, Washington.

An Open Letter Urging Universities To Encourage Conversation About Online Privacy

This article, written by EFF activist April Glaser, was originally published on the foundation’s website on Dec. 2.

When a group of students from Iowa State University (ISU) contacted the Electronic Frontier Foundation about forming an ISU Digital Freedom group, they were facing an unexpected problem: Despite their simple goal of fostering a healthy conversation around freedom-enhancing software, the university administration denied them official recognition. The university has since granted the Digital Freedom group the green light to meet on campus, but under unduly restrictive conditions. These students’ story is instructive to students around the country and the world who are concerned about online privacy.

The administration initially denied the Digital Freedom Group’s proposal because it did not want ISU students either to advocate for or participate in the “secrecy network” Tor, and would not permit the student group to use any “free software designed to enable online anonymity.” The students had not proposed that a Tor node be established on campus. Rather they asked that they be able to provide a forum to “discuss, learn and practice techniques to anonymize and protect digital communication.”

The students were told they had to gain clearance from the Iowa State University attorneys and security clearance from the university’s Chief Information Officer. They were ultimately successful, and Iowa State University is now home to its very own Digital Freedom Group.

EFF strongly supports the formation of student groups like the Digital Freedom Group that aim to discuss and learn about methods for secure and private use of the Internet. We submit this open letter to campus activity review boards across the world that may feel a similar hesitation on the topic of online anonymity and privacy. Students, professors, and staff from other universities are invited to contact us [students@eff.org] with stories of misguided, speech-chilling policies.

University administrations around the world,

A healthy conversation about online privacy should never be stifled. Yet we’ve heard too many stories of students whose efforts to initiate these conversations have faced roadblocks from university administrators fearful of encryption and anonymity software.

But the time has come now to embrace these technologies, not blindly reject them. There is nothing to fear about online privacy and the various tools available to achieve it.

The demonization of technology because of a few bad actors is a dangerous path. Think about it: the classification of a computer as a machine designed for cybercrime makes no more sense than maligning cell phones because drug dealers use them to make illegal sales. Instead, we should encourage ethical and responsible use of technologies. The best way to do this is through meaningful conversation that explains how technologies function and the myriad ways technology is and can be utilized.

Tor, in particular, was originally developed by the U.S. Naval Research Laboratory for the purposes of protecting government communications. But today it is used to serve a variety of needs. Journalists use Tor to protect the anonymity of their sources; Internet users in countries where information is censored use Tor to circumvent oppressive firewalls; lawyers use Tor to exchange sensitive information relating to a case; corporations use Tor to protect trade secrets; and people use Tor every day to have conversations about topics they might feel uncomfortable discussing without the protection anonymity provides. The technology is popular among survivors of rape or gang violence and medical patients who want to take part in online communities, but may only wish to do so anonymously.

Anonymous speech has a long history in democratic societies, particularly when used by those whose politically contentious views might have put them ill-at-ease amongst their contemporaries (like Mark Twain, Voltaire, and George Orwell—all pen names). The Federalist Papers were written under the collective pen name Publius to protect the identities of the individual authors. In a similar fashion, Tor gives people the opportunity to discuss anything, freely and without fear of being tracked or chastised for their opinions.

There are other free software tools that we consider to be good hygiene for a privacy-conscious user, like GPG email encryption, which is used to keep email communication private from malicious hackers or unconstitutional government surveillance. There is also our HTTPS Everywhere browser extension, designed to encrypt data that travels between a user’s computer and a website. These practices are not designed to cloak criminals from the view of law-enforcement. Rather, they are intended to make experiences online as trustworthy as possible, despite the fact that the interactions occur across great distances between people and organizations that may never meet in the physical sense.

Conversations about online privacy and security should be encouraged, and never silenced. The more that students understand how security threats function and the myriad ways they can protect their communications and identity, the less vulnerable they are to cybercrime or unwanted surveillance. Privacy technologies can be introduced as a framework grounded in ethical applications and First Amendment principles.

Please never hesitate to contact the Electronic Frontier Foundation with questions about online privacy or anonymity tools, and more importantly, think twice before ever limiting what students can and cannot discuss openly, especially when it comes to the use of technology. Healthy and open dialogue about how students can, should, and do use existing technologies is far better than forcing secrecy, which may only serve to promote notions of criminality about Internet practices that, if used properly, serve to enhance and protect our basic rights online.

Securely and sincerely,

The Electronic Frontier Foundation

PS: Please see and share our “Myths and Facts About Tor” document for a deeper discussion about the oft-misunderstood software.

EFF Calls Out Wall Street Journal For Getting Facts Wrong About NSA Surveillance

Wall Street Journal columnist L. Gordon Crovitz wrote a misleading and error-filled column about NSA surveillance on Monday, based on documents obtained by EFF through our Freedom of Information Act lawsuit. Since we’ve been poring over the documents for the last week, we felt it was important to set the record straight about what they actually reveal.

Crovitz:

Edward Snowden thought he was exposing the National Security Agency’s lawless spying on Americans. But the more information emerges about how the NSA conducts surveillance, the clearer it becomes that this is an agency obsessed with complying with the complex rules limiting its authority.

That’s an interesting interpretation of the recently released documents, given that one of the two main FISA court opinions released says the NSA was engaged in “systemic overcollection” of American Internet data for years, and committed “longstanding and pervasive violations of the prior orders in this matter.” The court summarized what it called the government’s “frequent failures to comply with the [surveillance program’s] terms” and their “apparent widespread disregard of [FISA court imposed] restrictions.”

Crovitz:

[The documents] portray an agency acting under the watchful eye of hundreds of lawyers and compliance officers.

Again, this is not what the actual FISA court opinions portray. “NSA’s record of compliance with these rules has been poor,” and “those responsible for conducting oversight failed to do so effectively,” FISA court Judge Bates wrote in the key opinion released last week. In another FISA court opinion from 2009, released two months ago, the NSA admitted that not a single person in the entire agency accurately understood or could describe the NSA’s whole surveillance system to the court.

It’s true that the number of compliance officers at the NSA has increased in recent years, but as the Washington Post reported, so has the number of privacy violations.

Crovitz:

These documents disprove one of Mr. Snowden’s central claims: “I, sitting at my desk, certainly had the authority to wiretap anyone, from you or your accountant, to a federal judge, to even the president if I had a personal email,” he told the Guardian, a British newspaper.

Here, Crovitz is setting up a strawman. Snowden wasn’t talking about the NSA’s legal authority, but their technical authority to conduct such searches. Snowden was likely referring to XKeyScore, which the Guardian reported allowed NSA analysts to “search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals.”

We actually have a specific example that proves Snowden’s point. As the New York Times reported in 2009, an NSA analyst “improperly accessed” former President Bill Clinton’s personal email. More recently, we’ve learned that NSA analysts abused the agency’s vast surveillance powers to spy on ex-spouses or former lovers.

Crovitz:

The NSA also released the legal arguments the Justice Department used in 2006 to justify collection of phone metadata-the telephone number of the calling and called parties and the date, time and duration of the call.

Metadata collection is about connecting the dots linking potential terrorist accomplices. The Clinton administration created barriers to the use of metadata, which the 9/11 Commission concluded let the terrorists avoid detection. Since then, metadata has helped stop dozens of plots, including an Islamist plan to blow up the New York Stock Exchange in 2008.

Again, not true. As Intelligence Committee members Sen. Ron Wyden and Sen. Mark Udall have continually emphasized, there is “no evidence” that the phone metadata program is effective at stopping terrorists. Independent analyses have come to the same conclusion. When called out on that number in a Congressional hearing, even NSA Director Keith Alexander admitted the number was exaggerated.

The only “disrupted plot” the NSA can point to that was solely the work of the phone metadata program was a case where a man from San Diego sent a few thousand dollars to the al-Shabaab organization in Africa in 2008. In other words, the metadata did not disrupt an active terrorist plot inside the US at all.

Crovitz:

The declassified brief from 2006 made clear that such metadata “would never even be seen by any human being unless a terrorist connection were first established,” estimating that “0.000025% or one in four million” of the call records “actually would be seen by a trained analyst.”

The major 2009 FISA court opinion released in September, which Mr. Crovitz apparently either didn’t read or conveniently left out of his piece, showed that the NSA had been systematically querying part of this phone records database for years for numbers that the agency did not have a “reasonable articulable suspicion” were involved in terrorism—as they were required to have by the FISA court. Of the more than 17,000 numbers that the NSA was querying every day, the agency only had “reasonable articulable suspicion” for approximately 1,800 of them.

The FISA court concluded, five years after the metadata program was brought under a legal framework, that it had been “so frequently and systematically violated that it can fairly be said that this critical element of the overall…regime has never functioned effectively.”

These documents clearly do not paint a picture of an agency with a clean privacy record and a reputation for following court rules, as Mr. Crovitz claims, and in fact, they show why it is vital Congress passes substantive NSA reform immediately. You can go here to take action.

NSA Mass Surveillance Puts Major Stress On U.S. Economy

This article, written by EFF activist Trevor Timm, was originally published on the foundation’s website on Nov. 25.

Privacy may not be the only casualty of the National Security Agency’s massive surveillance program. Major sectors of the U.S. economy are reporting financial damage as the recent revelations shake consumer confidence and U.S. trade partners distance themselves from companies that may have been compromised by the NSA or, worse, are secretly collaborating with the spy agency. Members of Congress, especially those who champion America’s competitiveness in the global marketplace, should take note and rein in the NSA now if they want to stem the damage.

The Wall Street Journal recently reported that AT&T’s desired acquisition of the European company Vodafone is in danger due to the company’s well-documented involvement in the NSA’s data-collection programs. European officials said the telecommunications giant would face “intense scrutiny” in its bid to purchase a major cell phone carrier.  The Journal went on to say:

“Resistance to such a deal, voiced by officials in interviews across Europe, suggests the impact of the NSA affair could extend beyond the diplomatic sphere and damage US economic interests in key markets.”

In September, analysts at Cisco Systems reported that the fallout “reached another level,” when the National Institute of Standards and Technology (NIST) told companies not to use cryptographic standards that may have been undermined by the NSA’s BULLRUN program. The Cisco analysts said that if cryptography was compromised “it would be a critical blow to trust required across the Internet and the security community.”

This forecast was proven true in mid-November, when Cisco reported a 12 percent slump in its sales in the developing world due to the NSA revelations. As the Financial Times reported, new orders fell by 25 percent in Brazil and 30 percent in Russia and Cisco predicts its overall sales could drop by as much as 10 percent this quarter. Cisco executives were quoted saying the NSA’s activities have created “a level of uncertainty or concern” that will have a deleterious impact on a wide range of tech companies.

It is hard for civil libertarians to shed tears over AT&T losing business because of NSA spying, considering the company allowed the NSA to directly tap into its fiber optic cables to copy vast amounts of innocent Americans’ Internet traffic.  AT&T was also recently revealed as having partnered with both the DEA and the CIA on separate mass surveillance programs. It is also hard to feel sorry for Cisco, which stands accused of helping China spy on dissidents and religious minorities. But the fact that the spying is hurting these major companies is indicative of the size of the problem.

This summer, European Parliament’s civil liberties committee was presented with a proposal to require every American website to place surveillance notices to EU citizens in order to force the US government to reverse course:

“The users should be made aware that the data may be subject to surveillance (under FISA 702) by the US government for any purpose which furthers US foreign policy. A consent requirement will raise EU citizen awareness and favour growth of services solely within EU jurisdiction. This will thus have economic impact on US business and increase pressure on the US government to reach a settlement.” [emphasis ours]

Meanwhile, Telenor, Norway’s largest telecom provider has reportedly halted its plans to move its customers to a U.S.-based cloud provider. Brazil seems to be moving ahead to create its own email service and require US companies locate an office there if they wish to do business with Brazilian customers.

Laws like this mean that companies like Google “could be barred from doing business in one of the world’s most significant markets,” according to Google’s director for law enforcement and information security, Richard Salgado. Google has been warning of this as far back as July, when in FISA court documents it argued that the continued secrecy surrounding government surveillance demands would harm its business.

Many commentators have been warning about the economic ramifications for months. Princeton technologist Ed Felten, who was previously at the Federal Trade Commission, best explained why the NSA revelations could end up hurting US businesses:

“This is going to put US companies at a competitive disadvantage, because people will believe that U.S. companies lack the ability to protect their customers—and people will suspect that U.S. companies may feel compelled to lie to their customers about security.”

The fallout may worsen. One study released shortly after the first Edward Snowden leaks said the economy would lose $22 to $35 billion in the next three years. Another study by Forrester said the $35 billion estimate was too low and pegged the real loss figure around $180 billion for the US tech industry by 2016.

Much of the economic problem stems from the US government’s view that it’s open season when it comes to spying on non-U.S. persons. As Mark Zuckerberg said in September, the government’s position is “don’t worry, we’re not spying on any Americans. Wonderful, that’s really helpful for companies trying to work with people around the world.” Google’s Chief Legal Officer David Drummond echoed this sentiment last week, saying:

“The justification has been couched as ‘Don’t worry. We’re only snooping on foreigners.’ For a company like ours, where most of our business and most of our users are non-American, that’s not very helpful.”

Members of Congress who care about the US economy should take note: the companies losing their competitive edge due to NSA surveillance are mainstream economic drivers. Just as their constituents are paying attention, so are the customers who vote with their dollars. As Sen. Ron Wyden remarked last month, “If a foreign enemy was doing this much damage to the economy, people would be in the streets with pitchforks.”

Electronic Frontier Foundation: Same Mass Surveillance Story, Different Chapter

This post, written by EFF staff attorney Mark Rumold, originally appeared on the foundation’s website on Nov. 20.

Documents released Monday by the Director of National Intelligence tell a story we’ve heard before: The government, through one-sided argument in a secret court, obtained unConstitutional orders to collect vast amounts of information about millions of innocent Americans.

Before, it was Americans’ call records; the opinions released today describe the National Security Agency’s program collecting Americans’ Internet communications. And, just as we saw with the government’s bulk collection of calling records, what the Foreign Intelligence Surveillance Act court envisioned to be a closely controlled Internet metadata program quickly resulted in violations of its orders and restrictions, the search and collection of more information than the government was authorized to acquire, and repeated violations of the privacy of millions of Americans.

Here are some snippets, taken from the opinions and orders of the FISA court, describing the government’s repeated operation of the programs in violation of its orders:

Opinion of the FISC (pages 21-22)

Notwithstanding this and many similar prior representations, there in fact had been systemic overcollection since [redacted]. On [redacted] the government provided written notice of yet another form of substantial non-compliance discovered by NSA OGC. . . This overcollection, which had occurred continuously since the initial authorization . . . , included the acquisition of [redacted]. . . The government later advised that this continuous overcollection acquired many other types of data and that “[v]irtually every PR/TT record” generated by this program included some data that had not been authorized for collection.

Opinion of the FISC (page 4)

The current application relies on this prior framework, but also seeks to expand authorization in ways that tests the limits of what the applicable FISA provisions will bear. It also raises issues that are closely related to serious compliance problems that have characterized the government’s implementation of prior FISC orders. It is therefore helpful at the outset to summarize both the underlying rationale of the prior authorizations and the government’s frequent failures to comply with their terms.

Order and Supplemental Order of the FISC (page 6) (emphasis in original)

Given the apparent widespread disregard of [FISC imposed] restrictions, it seems clear that NSA’s Office of General Counsel has failed to satisfy its obligation to ensure that all analysts with access to information derived from the PR/TT metadata ‘receive appropriate training and guidance regarding the querying standard set out in paragraph c. above, as well as other procedures and restrictions regarding the retrieval, storage, and dissemination, of such information.’

Order and Supplemental Order of the FISC (pages 6-7)

The Court is also seriously concerned regarding NSA’s placement of unminimized metadata from both the above-captioned matters into databases accessible by outside agencies, which, as the government has acknowledged, violates not only the Court’s orders, but also NSA’s minimization and dissemination procedures set forth in USSID 18.

The Electronic Frontier Foundation has just begun digesting the documents released Monday and will provide more analysis in the coming days. But EFF hopes these disclosures will provide more evidence, if any more was needed, of the need for serious and comprehensive FISA reform.

Electronic Frontier Foundation: Senators, Writers, Reporters, Defense Attorneys And Surveillance Experts Back Suit Against The NSA

This post, written by EFF legal fellow Andrew Crocker, originally appeared on the foundation’s website on Nov. 19.

EFF’s case challenging the government’s mass telephone records collection program, First Unitarian Church of Los Angeles v. NSA, has received some new firepower in the form of five amicus briefs, including one from U.S. senators charged with overseeing the NSA’s activities. The briefs are all in support of our claim that the NSA’s mass surveillance of ordinary Americans’ telephone records is illegal and unconstitutional.

The friend-of-the-court brief filed by the ACLU on behalf of Senators Ron Wyden, Mark Udall, and Martin Heinrich takes issue with the government’s argument that mass collection is necessary because it is the only effective technique for using phone records: The government has repeatedly suggested that it first must assemble the haystack, then find the needle. The senators, all members of the committee tasked with oversight of the NSA, write that they “have seen no evidence that the bulk collection of Americans’ phone records has provided any intelligence of value that could not have been gathered through less intrusive means.” As the senators’ brief points out, the government has other, more targeted means of surveillance at its disposal which can yield intelligence without invading the privacy of millions of innocent Americans.

The problems with unchecked surveillance and the need for oversight are also discussed in a brief filed on behalf of three experts in the history of intelligence agency surveillance: NSA historian James Bamford and two Church Committee staff members, Loch Johnson and Peter Fenn. Relying on the findings of the 1975 Church Committee, the brief draws parallels between the NSA’s current dragnet collection of phone records and previous mass surveillance programs. When left unchecked, the experts assert, initially narrow surveillance programs “expand beyond their original purposes, often into illegal conduct.”

Several other briefs shed light on the destructive effects that the phone records program has on fundamental constitutional rights, such as free speech, free association, and the right to counsel.

The PEN American Center, whose members include some of the most celebrated writers in the world, undertook a survey that shows that the revelation of NSA surveillance has caused American writers to self-censor, avoiding writing and communicating about topics that might draw government scrutiny. As PEN explains in its brief, these chilling effects undermine the First Amendment’s fundamental protection of the right to advocate unpopular or controversial viewpoints.

Meanwhile, the Reporters Committee for Freedom of the Press focuses on the “corrosive effect that mass call tracking has on the ability of the media to report on matters of public interest.” For some of the most important reporting in American history, including the Watergate scandal and the first revelations of the NSA’s warrantless wiretapping in 2005, reporters have relied on confidential sources and government leaks. In the past, when the government has sought to identify these sources, it has had to obey First Amendment protections and negotiate with journalists. Yet, as the Reporters Committee argues, these protections are “rendered pointless when cast against the backdrop of total surveillance of domestic telephone calls.” As a result, reporters’ sources dry up, restricting the ability of the press to play its crucial role in providing information to the public.

Finally, the National Association of Criminal Defense Lawyers highlights how the phone records program infringes the Sixth Amendment’s guarantee of a right to counsel in criminal cases.  Interlocking doctrines of confidentiality protect several aspects of the lawyer-client relationship, but just as the mass collection of phone records can reveal many intimate details of individuals’ daily lives, it can also strip away this confidentiality. Because “the very act of consulting with the counsel of one’s choice places the fact and details of that consultation, and all subsequent communications by both attorney and client, in the hands of the Government,” clients are chilled from seeking legal help and the Sixth Amendment guarantee is undermined.

Combined with the plaintiffs’ first-hand accounts of how their associational rights are chilled by the phone records program, these amicus briefs show the wide-ranging effects of the government’s unconstitutional phone records program.

The amicus briefs:

Senators Wyden, Udall and Heinrich

Surveillance Experts

PEN American Center

Reporters Committee for Freedom of the Press et al.

NACDL

Electronic Frontier Foundation: DRM In Cars Will Drive Consumers Crazy

This article, written by Parker Higgins, was originally published by the Electronic Frontier Foundation on Nov. 13.

Forget extra cupholders or power windows: the new Renault Zoe comes with a “feature” that absolutely nobody wants. Instead of selling consumers a complete car that they can use, repair, and upgrade as they see fit, Renault has opted to lock purchasers into a rental contract with a battery manufacturer and enforce that contract with digital rights management (DRM) restrictions that can remotely prevent the battery from charging at all.

We’ve long joined makers and tinkerers in warning that, as software becomes a part of more and more everyday devices, DRM and the legal restrictions on circumventing it will create hurdles to standard repairs and even operation. In the U.S., a car manufacturer who had wrapped its onboard software in technical restrictions could argue that attempts to get around those are in violation of the Digital Millennium Copyright Act (DMCA)—specifically section 1201, the notorious “anti-circumvention” provisions. These provisions make it illegal for users to circumvent DRM or help others do so, even if the purpose is perfectly legal otherwise.  Similar laws exist around the world, and are even written into some international trade agreements—including, according to a recently leaked draft, the Trans-Pacific Partnership Agreement.

Since the DMCA became law in 1998, Section 1201 has resulted in countless unintended consequences. It has chilled innovation, stifled the speech of legitimate security researchers, and interfered with consumer rights. Section 1201 came under particular fire this year because it may prevent consumers from unlocking their own phones to use with different carriers. After a broadly popular petition raised the issue, the White House acknowledged that the restriction is out of line with common sense.

The problem extends beyond inconvenience. In plenty of cases, DRM has led to users losing altogether the ability to watch, listen to, read, or play media that can’t be “authenticated.” Video games with online components now routinely reach an end-of-life period where the company providing the authentication decides it’s no longer worth it to operate the servers. That raises the frightening possibility of a company like Renault deciding that it’s not cost-effective anymore to verify new batteries—and leaving car owners high and dry.

And these are all just the problems with the DRM running as expected. Unfortunately, the intentional restrictions created by DRM can also create security vulnerabilities that can be exploited by other bad actors. The most prominent example may be the “rootkit” that Sony included on music CDs and which led in some cases to further malware infection. The stakes may be even higher when it comes to cars. Security researchers uncovering security problems in cars already face restrictions on publishing; that stands to get worse as DRM enters the picture.

As our friends at iFixit say, if you can’t fix it, you don’t own it. Users need the right to repair the things they buy, and that is incompatible with blanket restrictions on circumventing DRM.

Copyright maximalists like to point to the 1201 safety valve—a rulemaking procedure to identify narrow exemptions. But the process happens every three years in the Copyright Office, and it’s pretty dysfunctional: the exemptions require extensive work, must be justified from scratch each time, and have no established appeal process. Permission to “jailbreak” cars can’t even be considered until 2015, and even if it is granted, consumers may be wary to invest in a new car if their right to repair it could be revoked three years later.

There’s a better way, but it requires legislation. Representative Zoe Lofgren and a group of bipartisan sponsors have proposed the Unlocking Technology Act, to limit the anti-circumvention provisions to cases where there is actual infringement. That’s a common sense change that is long overdue.

More fundamentally, though, users must push back on the creeping imposition of DRM in more and more places. As EFF Fellow and former staff member Cory Doctorow has noted, computers are increasingly devices that we depend on for our own health and safety. It’s critically important, then, that consumers actually own our stuff. Stay tuned: We’ll be pushing hard on this issue on many fronts in the coming year, and we’ll need your help.

NSA’s Vast Surveillance Powers Extend Far Beyond Counterterrorism, Despite Misleading Government Claims

Writing Nov. 11 for the Electronic Frontier Foundation, Trevor Timm explains how the NSA has everything to lose if it can’t continue to control its fear-mongering script – a script that calls for broad surveillance powers in order to keep Americans safe from the familiar horrors they’ve seen, over and over, on TV.

By Trevor Timm

Time and again we’ve seen the National Security Agency (NSA) defend its vast surveillance apparatus by invoking the spectre of terrorism, discussing its spying powers as a method to keep America safe.  Yet, the truth is that counterterrorism is only a fraction of their far broader authority to seek “foreign intelligence information,” a menacing sounding term that actually encapsulates all sorts of innocuous, everyday conversation.

The New York Times demonstrated this disconnect last week, reporting, “the [leaked NSA] documents make clear, the focus on counterterrorism is a misleadingly narrow sales pitch for an agency with an almost unlimited agenda. Its scale and aggressiveness are breathtaking.”

Under the Foreign Intelligence Surveillance Act, NSA is given a mandate for collecting “foreign intelligence information” but this is not a very substantive limitation, and certainly does not restrict the NSA to counterterrorism — rather, it is defined to include “information with respect to a foreign power … that relates to … the conduct of the foreign affairs of the United States.”

Read that carefully for a minute. Anything “that relates to the foreign affairs of the United States.” Interpreted broadly, this can be political news, anything about economics, it doesn’t even have to involve a crime — basically anything besides the weather. Indeed, given the government’s penchant for warping and distorting the definitions of words in secret, we wouldn’t be surprised if the government would argue that weather could fall under the umbrella of “foreign intelligence information” too.

After all, government lawyers have managed to convince the secret FISA court that “relevant to” an investigation is no limitation at all – rather, it can encompass records of every call made in, to or from the United States. It seems unlikely that the government would interpret “relates to … the conduct of foreign affairs” to be any narrower.

This tactic is nothing new. Back in 2008, FISA Amendments Act supporters were invoking terrorism without mentioning this far broader definition, which has since been used to gather information from Internet companies as part of the infamous PRISM program.

Lead sponsor of the bill Senator Kit Bond (R-Mo.) infamously said, “There is nothing to fear in the [new FISA] bill, unless you have al-Qaida on your speed dial.” Yet at the time, Marty Lederman, a legal scholar who would later become a key lawyer in Obama’s Justice Department, explained that in reality, “There is nothing to fear in the new FISA bill unless you make international phone calls or e-mails that arguably implicate the federal government’s national security, foreign affairs or law enforcement interests.”

Yet, government officials consistently refer to terrorism as the reason NSA is conducting this surveillance, while occasionally adding the spice of nuclear proliferation or “cyber”-hackers. For example, Congressman Mike Rogers (R-Mich.) defended the NSA like this two weeks ago, telling CNN’s “State of the Union” that if French citizens knew what terror plots the NSA was protecting them from “they would be applauding and popping Champagne corks.” While Rogers knows full well that there is no terrorism connection to tapping German Chancellor Angela Merkel’s cell phone, he wants the conversation to go to more familiar ground.

Other times, NSA mentions “foreign intelligence information” and says examples of such information include terrorist activities, conveniently omitting the vast authority granted to spy for diplomatic information. After a story in Le Monde last month, the Director of National Intelligence referred reporters to the statement, “The government cannot target anyone under the court-approved procedures for Section 702 collection unless there is an appropriate, and documented foreign intelligence purpose for the acquisition (such as for the prevention of terrorism, hostile cyber activities, or nuclear proliferation)…” (emphasis ours)

It’s in the NSA’s interest to sell their programs playing off the fears of Americans, and they do so with great regularity. In fact, NSA talking points, obtained by reporter Jason Leopold using the Freedom of Information Act, state that NSA should continually invoke 9/11 under the heading “sound bites that resonate.”

Counter-terrorism and WMDs are certainly an important part of the NSA’s mandate, but are not limits on its authority.  As we have seen from the reports about spying on foreign heads of state, foreign businesses, and even the World Bank, the NSA is using its spying superpowers to the full limits of “foreign intelligence information,” while trying to keep the conversation in a narrow band.

So let’s get one thing straight: when the NSA vacuums up millions of innocent people’s communications and metadata, the agency is not limiting itself to counter-terrorism uses. Pretending there is a narrower scope is not an honest way to have a debate.

The Electronic Frontier Foundation Ponders How The New York Times Endorsed an Agreement the Public Isn’t Allowed To Read?

The New York Times’ editorial board has made a disappointing endorsement of the Trans-Pacific Partnership (TPP), even as the actual text of the agreement remains secret. That raises two distressing possibilities: either in an act of extraordinary subservience, the Times has endorsed an agreement that neither the public nor its editors have the ability to read. Or, in an act of extraordinary cowardice, it has obtained a copy of the secret text and hasn’t yet fulfilled its duty to the public interest to publish it.

Without a publicly available agreement, readers are forced into the uncomfortable position of taking official government statements at face value. That’s reflected in the endorsement, which fails to note the myriad ways in which TPP has been negotiated undemocratically, shutting out public oversight while permitting corporate interests to drive the agenda. Given these glaring issues, it is disconcerting that the Times would take such a supportive stance on an agreement that is likely to threaten innovation and users’ digital rights well into the 21st century.

That situation leaves unanswered questions. Does the editorial board, for example, support the TPP provisions that would give private corporations new tools to undermine national sovereignty and democratic processes? Because “investor-state dispute settlement,” slated for inclusion in both the TPP and the EU-US trade agreement, the Transatlantic Trade and Investment Partnership (TTIP), would give multinational companies the power to sue countries over laws that might cut into expected future profits. This could allow corporations to unravel any policy designed to protect users against violations of their right to privacy or free speech online. The paper’s endorsement notes that copyright enforcement could be expanded to suit legacy media companies, but provides no explanation of why a trade agreement is an acceptable venue for deciding such issues.

Does the New York Times also endorse an initiative to scrap democratic oversight of TPP by elected lawmakers? After all, Senate Finance committee leaders, Senator Max Baucus and Senator Orrin Hatch have renewed their call to pass fast-track, which would hand over Congress’ constitutional mandate over US trade policy to the Obama Administration. Fast-track, also known as Trade Promotion Authority, would restrict lawmakers from having any proper hearings on its provisions, limiting them to an up-or-down vote on the entire 29 chapter treaty.

The paper’s statement emphasizes how the Obama Administration strives to make TPP’s policies “an example for the rest of the world to follow.” But if that’s the case, then it’s all the more important that the agreement be published immediately. Such a significant body of international law regulating digital policy must not be negotiated without proper, informed public debate. The secrecy of the process itself ensures that only some private interests will be represented at the expense of others. In addition, the U.S. Trade Representative’s history of pushing forth extreme copyright enforcement policies through other trade agreements gives little assurance that users’ rights will be considered in the TPP.

Trade representatives are working to finalize TPP negotiations by the end of the year. Negotiators are scheduled to meet in Salt Lake City next week to negotiate outstanding issues in this agreement, including provisions on liability for Internet Service Providers and anti-circumvention measures over DRM. Following that, trade delegates are seeking to finalize and sign this agreement in December in a ministerial meeting in Singapore.

It’s unfortunate that news outlets are giving little coverage to TPP, when media attention could have a major impact on how the US and the other 11 nations draft digital policy. But public media coverage is precisely the sort of accountability that official secrecy thwarts. Instead of endorsing an agreement the public can’t read, a responsible paper would condemn the secrecy involved. And if the Times has seen the text and knows what’s contained in the TPP, then they have a responsibility to publish the text immediately and expose the US government’s back room dealings.

In either case, it is deeply disappointing that the New York Times would even support the TPP when the public remains in the dark. An endorsement of TPP at this stage is an endorsement of opaque, corporate-driven policymaking.

You can take action against TPP here.

EFF: Forced Decryption Of Electronic Data Is Self-Incrimination And Prohibited By 5th Amendment

This article, written by Electronic Frontier Foundation staff attorney Hanni Fakhoury, was originally published on the Foundation’s website on Oct. 30.

Encryption is one of the most important ways to safeguard data from prying eyes. But what happens when those prying eyes belong to the government? Can they force you to break your own encryption and provide them with the information they want?

In a new amicus brief, we explain that the Fifth Amendment privilege against self-incrimination prohibits the government from forcing someone to decrypt their computer when they’re suspected of a crime.

Leon Gelfgatt was charged with forgery and the government, with a search warrant, seized a number of his electronic devices. Law enforcement couldn’t break the encryption that protected the devices, so it went to court, asking a judge to order Gelfgatt to decrypt the devices for them. The Fifth Amendment protects a person from being forced to testify against themselves and so the government promised not to look at the encryption key—the “testimony” in their eyes—but nonetheless wanted the ability to use the unencrypted data against Gelfgatt. The judge denied the government’s request, ruling that forcing Gelfgatt to decrypt the devices would violate the Fifth Amendment.

The government appealed that decision and the case is now before the Massachusetts Supreme Judicial Court, where we filed an amicus brief with the ACLU and the ACLU of Massachusetts.

Our brief argues that the lower court got it right. The Fifth Amendment protects a person from being forced to reveal the “contents of his mind” to the government, allowing law enforcement to learn facts it didn’t already know. When it comes to compelled decryption, the Fifth Amendment clearly applies because the government would be learning new facts beyond simply the encryption key. By forcing Gelfgatt to translate the encrypted data it cannot read into a readable format, it would be learning what the unencrypted data was (and whether any data existed). Plus, the government would learn perhaps the most crucial of facts: that Gelfgatt had access to and dominion and control of files on the devices.

It’s not the first time we’ve made this argument in court; we’ve filed amicus briefs in other cases involving forced decryption, and won big last year in the Eleventh Circuit Court of Appeals, which agreed with us that the act of decrypting a computer is protected by the Fifth Amendment.

At a time when the recent public disclosures have suggested the government has been undermining cryptography, we hope the court understands the importance of having strong technological safeguards to protect our privacy and finds that our constitutional protections prohibit what the government is trying to do here.

Oral argument in the case is set for Nov. 5, 2013 in Boston.

New Documents Obtained By Electronic Frontier Foundation Confirm: NSA Collects First, Seeks Authorization Later

This article, written by Electronic Frontier Foundation staff attorney Mark Rumold, was originally published on the Foundation’s website.

The government released a second batch of documents yesterday in response to EFF’s ongoing FOIA lawsuit for information concerning Section 215 of the Patriot Act — the provision of law the government relies on to compel the disclosure of records of millions of Americans’ calls.

One document, in particular, confirms what in recent months has become abundantly clear: the NSA is unwilling to submit to meaningful and effective oversight and seems unwilling to recognize the extraordinarily sensitive nature of the information it collects.

The document, which appears to be a written response to an Intelligence Committee staffer’s question, describes the NSA’s acquisition and testing of Americans’ cell site location data. The document shows that, prior to obtaining and testing samples of location information taken from Americans’ cell phone calls, the NSA didn’t even bother to inform the Foreign Intelligence Surveillance Court (FISC) or the relevant Congressional oversight bodies. In fact, neither NSA nor the National Security Division of the Department of Justice thought the collection of Americans’ location information sufficiently novel or important to even justify an individualized legal analysis. In the view of DOJ, the location information of thousands (or millions) of Americans could just be lumped in with the information the FISC had already approved for collection.

Keep this in mind, too: approximately a year prior, the FISC nearly shut down the call record program after the agency repeatedly misled the court about how and under what circumstances it was accessing Americans’ call records. To then obtain extraordinarily sensitive information about the movements of Americans — without first informing either the FISC or any of NSA’s Congressional oversight bodies — smacks of a fundamental disregard for the NSA’s oversight system and the coordinate branches of government.

It’s time to put an end to the agency’s “collect first, seek authorization later” mentality. The NSA needs to recognize, once and for all, that it is not above the law. When an agency acts without oversight or the authorization of Congress, the judiciary, or even the President, it’s clear that the agency has gone off the rails. We need a full and public investigation of the NSA’s spying activities, and members of the intelligence community should be held accountable.

EFF Offers Ten Steps You Can Take To Fight Internet Surveillance Right Now

One of the trends we’ve seen is how, as the word of the NSA’s spying has spread, more and more ordinary people want to know how (or if) they can defend themselves from surveillance online. But where to start?

The bad news is: if you’re being personally targeted by a powerful intelligence agency like the NSA, it’s very, very difficult to defend yourself. The good news, if you can call it that, is that much of what the NSA is doing is mass surveillance on everybody. With a few small steps, you can make that kind of surveillance a lot more difficult and expensive, both against you individually, and more generally against everyone.

Here are ten steps you can take to make your own devices secure. This isn’t a complete list, and it won’t make you completely safe from spying. But every step you take will make you a little bit safer than average. And it will make your attackers, whether they’re the NSA or a local criminal, have to work that much harder.

  1. Use end-to-end encryption.

    We know the NSA has been working to undermine encryption, but experts like Bruce Schneier who have seen the NSA documents feel that encryption is still “your friend”. And your best friends remain open source systems that don’t share your secret key with others, are open to examination by security experts, and encrypt data all the way from one end of a conversation to the other: from your device to the person you’re chatting with. The easiest tool that achieves this end-to-end encryption is off-the-record (OTR) messaging, which gives instant messaging clients end-to-end encryption capabilities (and you can use it over existing services, such as Google Hangout and Facebook chat). Install it on your own computers, and get your friends to install it too. When you’ve done that, look into PGP–it’s tricky to use, but used well it’ll stop your email from being an open book to snoopers. (OTR isn’t the same as Google Chat’s option to “Go off the record”; you’ll need extra software to get end-to-end encryption.)

  2. Encrypt as much communication as you can.

    Even if you can’t do end-to-end, you can still encrypt a lot of your Internet traffic. If you use EFF’s HTTPS Everywhere browser addon for Chrome or Firefox, you can maximise the amount of web data you protect by forcing websites to encrypt webpages whenever possible. Use a virtual private network (VPN) when you’re on a network you don’t trust, like a cybercafe.

  3. Encrypt your hard drive.

    The latest versions of Windows, Macs, iOS and Android all have ways to encrypt your local storage. Turn it on. Without it, anyone with a few minutes of physical access to your computer, tablet or smartphone can copy its contents, even if they don’t have your password.

  4. Strong passwords, kept safe.

    Passwords these days have to be ridiculously long to be safe against crackers. That includes the password to email accounts, and passwords to unlock devices, and passwords to web services. If it’s bad to re-use passwords, and bad to use short passwords, how can you remember them all? Use a password manager. Even writing down your passwords and keeping them in your wallet is safer than re-using the same short memorable password — at least you’ll know when your wallet is stolen. You can create a memorable strong master password using a random word system like that described at diceware.com.

  5. Use Tor.

    “Tor Stinks”, this slide leaked from GCHQ says. That shows how much the intelligence services are worried about it. Tor is an open source program that protects your anonymity online by shuffling your data through a global network of volunteer servers. If you install and use Tor, you can hide your origins from corporate and mass surveillance. You’ll also be showing that Tor is used by everyone, not just the “terrorists” that GCHQ claims.

  6. Turn on two-factor (or two-step) authentication.

    Google and Gmail have it; Twitter has it; Dropbox has it. Two-factor authentication, where you type a password and a regularly changed confirmation number, helps protect you from attacks on web and cloud services. When available, turn it on for the services you use. If it’s not available, tell the company you want it.

  7. Don’t click on attachments.

    The easiest way to get intrusive malware onto your computer is through your email, or through compromised websites. Browsers are getting better at protecting you from the worst of the web, but files sent by email or downloaded from the Net can still take complete control of your computer. Get your friends to send you information in text; when they send you a file, double-check it’s really from them.

  8. Keep software updated, and use anti-virus software.

    The NSA may be attempting to compromise Internet companies (and we’re still waiting to see whether anti-virus companies deliberately ignore government malware), but on balance, it’s still better to have the companies trying to fix your software than have attackers be able to exploit old bugs.

  9. Keep extra secret information extra secure.

    Think about the data you have, and take extra steps to encrypt and conceal your most private data. You can use TrueCrypt to separately encrypt a USB flash drive. You might even want to keep your most private data on a cheap netbook, kept offline and only used for the purposes of reading or editing documents.

  10. Be an ally.

    If you understand and care enough to have read this far, we need your help. To really challenge the surveillance state, you need to teach others what you’ve learned, and explain to them why it’s important. Install OTR, Tor and other software for worried colleagues, and teach your friends how to use them. Explain to them the impact of the NSA revelations. Ask them to sign up to Stop Watching Us and other campaigns against bulk spying. Run a Tor node, or hold a cryptoparty. They need to stop watching us; and we need to start making it much harder for them to get away with it.
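
Step 4 recommends building a master password with a random word system such as Diceware. The Python sketch below is an added example, not part of the original EFF post: it picks words with dice-style rolls from a cryptographic random source and computes the entropy of the result. The 36-word list and all function names are constructed for illustration; the real Diceware list has 7,776 words chosen with five rolls each.

```python
import itertools
import math
import secrets

# Constructed 36-word demo list (two dice rolls per word). Assumption for
# illustration only; the real Diceware list has 6**5 = 7776 words.
DEMO_WORDS = (
    "anchor basket candle dagger ember falcon garden harbor island "
    "jigsaw kettle ladder marble nectar orchid pepper quartz ribbon "
    "saddle timber umpire velvet walnut xylem yonder zipper acorn "
    "birch cedar delta eagle flint grove heron ivory jolly"
).split()


def build_table(words, rolls_per_word):
    """Map every dice key ("11".."66" for two rolls) to exactly one word."""
    keys = ["".join(k) for k in itertools.product("123456", repeat=rolls_per_word)]
    if len(words) != len(keys):
        raise ValueError(f"need {len(keys)} words, got {len(words)}")
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would make some choices more likely")
    return dict(zip(keys, words))


def roll_die():
    """One fair die roll from the OS CSPRNG (not the predictable `random` module)."""
    return secrets.randbelow(6) + 1


def passphrase(table, n_words, roll=roll_die):
    """Pick n_words by rolling dice; pass `roll` to feed in physical dice results."""
    rolls_per_word = len(next(iter(table)))
    picked = []
    for _ in range(n_words):
        key = "".join(str(roll()) for _ in range(rolls_per_word))
        picked.append(table[key])
    return " ".join(picked)


def entropy_bits(n_words, list_size):
    """Entropy when every word is drawn uniformly and independently.

    This holds even if the attacker knows the word list and the method:
    the strength comes only from the number of equally likely outcomes.
    """
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


TABLE = build_table(DEMO_WORDS, rolls_per_word=2)

if __name__ == "__main__":
    print("demo passphrase:", passphrase(TABLE, 6))
    print("demo list, 6 words: %.1f bits" % entropy_bits(6, len(TABLE)))
    print("7776-word list, 6 words: %.1f bits" % entropy_bits(6, 6 ** 5))
    # For comparison: 8 characters drawn uniformly from 94 printable ASCII symbols.
    print("8 random printable chars: %.1f bits" % entropy_bits(8, 94))
    print("words for 80 bits with 7776-word list:", words_needed(80, 6 ** 5))
```

With the full 7,776-word list, six words give about 77.5 bits, compared with roughly 52 bits for eight truly random printable characters.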

EFF Examines Government Requests For Data To Yahoo, Facebook

Ever since Google issued its first transparency report in early 2010, EFF has called on other companies to follow suit and disclose statistics about the number of government requests for user data, whether the request they receive is an official demand (such as a warrant) or an unofficial request.  After all, users make decisions every day about which companies they trust with their data, therefore companies owe it to their customers to be transparent about when they hand data over to governments and law enforcement.

Since 2010, other companies have risen to the challenge, including Microsoft, Internet service provider Sonic.Net, cloud storage providers SpiderOak and DropBox, as well as social media companies such as LinkedIn and Twitter.

Now, two more companies have joined the movement: In the past couple of months, both Yahoo and Facebook issued their first transparency reports, covering the period of January-June 2013.

While we wish they had not taken this long, the two companies deserve kudos for taking this important step. Companies are under no legal obligation to give their customers aggregate data about government requests for their data—this is a voluntary step. Both companies are members of the Global Network Initiative, however, which counts transparency among its core principles.

User trust

But in light of this summer’s revelations about the NSA’s PRISM—the program under which the NSA gains the ability to access to the private communications of users of many of the most popular Internet services, including those owned by Google, Microsoft, Facebook, and Yahoo—Internet giants are rushing to do what they can to restore user trust.

In September, Google, Facebook, and Yahoo all filed requests to the U.S. Foreign Intelligence Surveillance Court (FISC), asking for permission to publish the specific number of National Security Letters (NSL) that the companies received in the past year as well as the total number of user accounts affected by those requests. Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the NSL power provided by five statutory provisions is one of the most frightening and invasive. These letters—the type served on communications service providers such as phone companies and ISPs and authorized by 18 U.S.C. 2709—allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters’ existence to anyone. A federal judge found NSLs unconstitutional in March, but the order is on hold pending the government’s appeal.

Some companies have published aggregate numbers, ranging from 0-999 or 1000-1999, that give us a broad and blurry view of just how widespread the use of NSLs has been, but more detailed numbers would be much more helpful to the public understanding of the surveillance, without compromising security.

So now that Facebook and Yahoo have issued transparency reports, what do they tell us?

Facebook’s Global Government Requests Report covers January-June 2013 and reveals that 71 countries requested data on a total of 37,954 to 38,954 users. Unsurprisingly, the US demanded the largest amount of user data, making somewhere between 11,000 and 12,000 requests for 20,000 to 21,000 users.

India came in a close second, with 3,245 requests for 4,144 accounts, and the United Kingdom ranked third with 1,975 requests for 2,337 users. Facebook also revealed the number of times the requests produced “some data.” Facebook handed over data to the U.S. 79% of the time, but only 50% and 68% of the time for India and the United Kingdom, respectively.

The vast majority of requests made to Facebook by less democratic countries (including Cote d’Ivoire, Nepal, and Qatar) were refused; however, two nations stood out in the report: Pakistan and Turkey. In the case of Pakistan, 35 requests were made for 47 users, 77% of which Facebook complied with. In the case of Turkey, 96 requests for 170 users were made, and complied with 47% of the time.

What makes this unique is that no other major company has reported compliance with requests from Pakistan.  The South Asian country is nominally a democracy, but censors the Internet heavily and has made a relatively transparent effort of seeking Western companies to enable greater censorship and surveillance, a role that Canadian company Netsweeper has been all too eager to fill.  It is notable that Facebook has no offices in Pakistan (an office in-country could allow Pakistan to directly seek information from a local employee), nor has Pakistan signed a mutual legal assistance treaty (MLAT) with the US, putting Facebook under no legal obligation to comply with requests from the government.

With no offices in Turkey, either, it’s surprising to see such a high rate of compliance.  Complaints of Facebook censoring certain content in Turkey abound, and as a recent blog post by a Kurdish activist demonstrates, some of that censorship seems quite arbitrary.

At the same time, if Facebook doesn’t comply, it undoubtedly risks being blocked in these countries, just as YouTube was for several years, and a tool used by opposition figures and activists might become unavailable. On balance, we think most countries would rightly be hesitant to remove a popular Internet tool, as it may create more unrest than the information sought to be quashed.

While Facebook has been transparent about its law enforcement guidelines, information regarding its processes when it comes to international requests is vague – the data use policy allows disclosure when “consistent with internationally recognized standards,” which are not defined. Facebook could enhance its transparency by clarifying its standards for complying with requests; even if its standards are perfect in every way, users are legitimately concerned when they do not know what standards might apply.

Like Facebook, Yahoo also reported that the United States led the number of requests, with 12,444 data requests that included 40,322 Yahoo accounts. Yahoo handed content-related data, including communications in Yahoo Mail or Messenger, photos on Flickr or Yahoo Address Book entries, over to American agencies in 4,604 cases. The company gave the government non-content related information, which includes a person’s name, location or Internet Protocol address, in 6,798 cases.

Yahoo received fewer requests from the United Kingdom (1,709) and India (1,490) than did Facebook, with similar compliance rates. One nice feature of Yahoo’s report is that it breaks down the type of data disclosure (non-content vs. content) in a pie chart for each country. In the UK, for example, 44% of requests were responded to with disclosures of non-content data, while in 20% of cases, content was disclosed to law enforcement.

Surprisingly, Yahoo received far more requests from Hong Kong than any other company, and complied with 100% of them (content was only disclosed in 1% of those cases).  The South China Morning Post quoted lawmaker Charles Mok as saying that the number was high, and called on Yahoo to disclose which government agencies requested the data.

EFF: The Good And The Bad Of NSA Spying Bills In Congress

This post, written by Electronic Frontier Foundation legal director Cindy Cohn and policy analyst Mark Jaycox, was originally published by the EFF  on Oct. 22.

The Senate is moving quickly on bills to reform many aspects of the NSA spying. Currently, the Judiciary Committee, which has favored privacy in the past, and the chairs of the Intelligence Committees, Senator Dianne Feinstein and Representative Mike Rogers, will be introducing bills tackling the NSA spying.

The Intelligence Committee Bills Must be Stopped

Many of the NSA reform bills going through Congress are encouraging, but the most important priority for those who want to stop the spying is to stop the bill by the Intelligence Committees of the House and Senate. The Chairs of each have confirmed that the (still secret) bill is aimed at continuing collection of every American’s phone records unabated. The bill will likely provide some window dressing of limited transparency, while shoring up the legal basis for the spying.

Since the leaks in June, the committees’ Chairs have defended the program with justifications the press has thoroughly debunked. While we have opinions about what the best way forward is, the only sure way to not go backwards, or seal the status quo into stone, is to stop the bill currently in the works by the Intelligence Committee chairs.

What “Stop the Spying” Looks Like

We have also been encouraged by the various other proposals being introduced. Here are some ways to think about the bills currently introduced or coming down the pike.

The good bills being proposed are omnibus bills—so-called because they change a variety of different laws. They try to stop the mass collection of innocent Americans’ calling records (using Section 215 of the Patriot Act), phone calls and emails (using Section 702 of the Foreign Intelligence Surveillance Act (FISA)), and try to introduce much needed transparency reforms to the court overseeing the spying, the Foreign Intelligence Surveillance Court (FISA Court).

So far, only S. 1551, the Intelligence Oversight and Surveillance Reform Act—sponsored by Senators Ron Wyden, Richard Blumenthal, Mark Udall, and Rand Paul—has been released. The bill is a fantastic start. The other, by Senator Patrick Leahy and Rep. Jim Sensenbrenner, is still being readied, but we’re hopeful based on what we’ve heard so far.

In general, EFF believes that whatever bill goes through Congress must stop the mass spying; either through nullifying the NSA’s interpretation of Section 215, or otherwise. And it should do so in a publicly verifiable way. It goes without saying that this is, among other things, in addition to reforming the FISA Court process, increasing transparency, and fixing National Security Letters.

Direct path: Forbid Mass Collection

There is a direct way to do this. Congress could unequivocally forbid the government from the mass collection of phone records. Congress usually does this with the phrase “notwithstanding any other law.” This is the path EFF strongly recommends. It looks something like below and includes FISA’s exceptions for wartime and other emergencies.

Notwithstanding any other law, no governmental entity shall engage in the mass collection of communications records, unless the collection is authorized pursuant to sections 1802, 1811, 1843 or 1844 of this chapter.

Indirect Path: “Pertains to” Fix

A second, less direct way is also being considered. This requires a bit of legislative analysis to understand, so bear with us. Overall, this approach, if done carefully, may also work, but it has a more complicated story than merely banning mass collection.

The change, which we call the “pertains to” fix, is to provide that, in addition to being “relevant to” an authorized investigation, the information the NSA wants must also “pertain to” a foreign agent or power. Right now the law doesn’t require that—it only requires “relevance to an authorized investigation” and then says that “relevance” is presumed to be met when information “pertains to” a foreign power.

This change would make “pertains to” a foreign agent or power a separate requirement, and was originally proposed in the 2006 debates when the Patriot Act was up for reauthorization by Congress, meaning that it needed to be voted on again. The basis for thinking that this change would stop mass collection is that, in its White Paper defending its interpretation of Section 215, the Administration pointed to the failure of this “pertains to” proposal to pass as a basis for its claim that Congress actually authorized mass spying in 2006.

The risk in this indirect path is that in the past few months we’ve seen incredibly strained legal definitions by the Department of Justice (DOJ) over words like “relevant.” The same may happen with “pertain to.” Indeed, Judge Claire Eagen of the FISA Court recently wrote that information is “relevant” to an investigation if it’s “pertinent” to the investigation. This may mean that adding “pertinent” may not be interpreted as adding any new requirements.

There’s more: in more than one of the released FISA Court opinions there are allusions to the idea that the government’s first application on May 23, 2006 discussed how all Americans’ calling records “pertain to” the activities of foreign agents. And the most recent DOJ filings—which include its motion to dismiss in the ACLU’s case against Section 215 spying and its submission to the Supreme Court in EPIC’s challenge to the spying—may also reveal that the Administration thinks any collection of records en masse “pertains to” the activities of a foreign agent or power, so long as the records can aid in the discovery of “otherwise hidden connections between individuals suspected of engaging in terrorist activity and unknown co-conspirators with whom they maintain contact in the United States.” These are just some of the reasons why Congress must be certain to stop the abuse of Section 215 with clear—and definitive—language.

Spying On Innocent Users Must Stop

Of course it may be that a court will interpret Congress’ actions in adding the “pertain to” requirement as forbidding mass spying. To be sure, the NSA will find it difficult to get around Congressional intent if the legislative history is clear. So the indirect path might work, despite the DOJ’s theories, and may be more politically palatable. Regardless of whether the issue is taken on directly or indirectly, however, EFF believes that Congress must take steps to stop mass spying. And we’ll be there in the courts to enforce it, long after the spotlight in Congress has moved on.

Why Hollywood Should Stop Pushing For More Government Internet Control

This post, written by global policy analyst Maira Sutton and activist Parker Higgins, originally appeared on the Electronic Frontier Foundation’s website on Oct. 18.

The content lobby’s narrative about the Internet’s impact on the creative industry has grown all too familiar. According to this tiresome story, Hollywood is doing everything it can to prevent unauthorized downloading, but people—enabled by peer-to-peer technologies, “rogue” websites, search engines, or whatever the bogeyman of the moment is—keep doing it anyway. As a result, say groups like the Motion Picture Association of America (MPAA), creators are deprived of their hard-earned and well-deserved profits and have little incentive to keep creating.

There’s a lot that’s wrong with this story (like the assumption that most copyright royalties actually end up in the pockets of the artists). But one of the most pernicious aspects is the idea that Hollywood is actually making a sincere effort to meet user demand.

That’s why we’re happy to see that a new website called PiracyData.org is helping to tell another crucial part of the story. As the site shows, the studios aren’t keeping up with the markets that new technologies enable—which is why, in many cases, the most popular films are not even available through preferred legal channels.

The site lists the top 10 most pirated films on BitTorrent and checks whether those films are available to stream, rent, or purchase digitally. In a simple chart, it shows how few options users have for accessing these in-demand movies. Since the site began recording three weeks ago, only 20% have been available for digital rental and none have been available for streaming. The site highlights the underlying problem of unauthorized file sharing: the high demand for legal access to films is not being met, even though we clearly already have the technology to enable this experience.

Of course, this data confirms the long-held suspicions of many who object to Hollywood’s demand for ever more draconian copyright enforcement efforts. Instead of focusing on piracy and spending millions on lobbying for those policy changes, the content industry should be investing its resources into creating better and more accessible platforms for users. Unfortunately, Hollywood refuses to acknowledge that reality. We’ve seen the industry demonstrate that with its continuing efforts to push legislation that runs counter to the public interest, and its stubborn refusal to offer content in the formats people have been shown to prefer.

If the studios were to invest their considerable resources in meeting the market demand, it could lead to a very profitable digital marketplace. We said this before, and we’ll keep saying it until it sinks in: the hard-working men and women in the entertainment industry should stand up and tell their leaders to either embrace the age of the Internet or get out of the way so that new, forward-thinking industry leaders can take their place.