EFF: Former Members Call On Congress To Create A New Church Committee

This article, written by legislative analyst Mark Jaycox, was originally published by the Electronic Frontier Foundation:

Monday marks the second day of “Sunshine Week”—a week to focus on the importance of open government and how to ensure accountability of our leaders at the federal, state, and local levels.

When US intelligence agencies were caught spying on Americans 40 years ago, Congress answered the public outcry by creating an investigative task force to bring these covert, and potentially illegal, practices into the light. The Church Committee, as it was commonly known because of its chairman, Sen. Frank Church, interviewed 800 people, held 271 hearings and published volumes upon volumes of reports, all of which paved the way for reform.

Today, we are publishing a letter signed by 16 former counsel, advisers, and professional staff members of the Church Committee, calling on Congress to create a new special committee to investigate the NSA and other intelligence agencies. This new “Church Committee for the 21st Century” would conduct a thorough examination into the oversight system currently in place (including the House and Senate Intelligence Committees) and the intelligence community’s actions (such as the CIA spying on Senate staff and the NSA spying on all Americans).

They write:

As former members and staff of the Church Committee we can authoritatively say: the erosion of public trust currently facing our intelligence community is not novel, nor is its solution. A Church Committee for the 21st Century—a special congressional investigatory committee that undertakes a significant and public reexamination of intelligence community practices that affect the rights of Americans and the laws governing those actions—is urgently needed. Nothing less than the confidence of the American public in our intelligence agencies and, indeed, the federal government, is at stake.

Read the full letter here, or download it here. Last week, Frederick A.O. Schwarz Jr., who served as chief counsel to the Church Committee, also published an editorial in The Nation, titled “Why We Need a New Church Committee to Fix Our Broken Intelligence System.”

For some heavy reading that will leave you with a sense of surveillance déjà vu, you can also peruse the Church Committee’s historic reports here.

Guess Who Just Made The List: A Guide To The Internet’s Biggest Enemies

The Electronic Frontier Foundation’s Director for International Freedom of Expression Jillian York wrote this post, which originally appeared on the foundation’s website on Thursday.

Reporters Without Borders (RSF) released its annual “Enemies of the Internet” index this week—a ranking first launched in 2006 intended to track countries that repress online speech, intimidate and arrest bloggers, and conduct surveillance of their citizens.  Some countries have been mainstays on the annual index, while others have been able to work their way off the list.  Two countries particularly deserving of praise in this area are Tunisia and Myanmar (Burma), both of which have stopped censoring the Internet in recent years and are headed in the right direction toward Internet freedom.

In the former category are some of the world’s worst offenders: Cuba, North Korea, China, Iran, Saudi Arabia, Vietnam, Belarus, Bahrain, Turkmenistan, Syria.  Nearly every one of these countries has amped up their online repression in recent years, from implementing sophisticated surveillance (Syria) to utilizing targeted surveillance tools (Vietnam) to increasing crackdowns on online speech (Saudi Arabia).  These are countries where, despite advocacy efforts by local and international groups, no progress has been made.

The newcomers

A third, perhaps even more disheartening category, is the list of countries new to this year’s index.  A motley crew, these nations have all taken new, harsh approaches to restricting speech or monitoring citizens:

Russia: As RSF writes, Russia has been on a downward slope for more than a decade.  Until fairly recently, however, the Russian government did not directly censor the Internet, preferring instead to employ subtle strategies to control online discourse.  In 2012, that changed, when the Russian Duma overwhelmingly passed a bill allowing the creation of a national blacklist of websites.  Today, that blacklist continues to grow, while the government continues to seek new ways of limiting online speech.

Pakistan: We’ve expressed concerns about Pakistan many times before, so we’re glad to see the country called out for its repressive behavior.  Despite significant opposition from inside the country, the Pakistan Telecommunications Authority continues to add sites to its opaque blacklist, most notably YouTube following the ‘Innocence of Muslims’ debacle in 2012.  Efforts from local activists have also demonstrated the willingness of foreign companies—in particular Canadian company Netsweeper—to aid in Pakistan’s repression of speech.

United States: This is the first time the US has made it onto RSF’s list.  While the US government doesn’t censor online content, and pours money into promoting Internet freedom worldwide, the National Security Agency’s unapologetic dragnet surveillance and the government’s treatment of whistleblowers have earned it a spot on the index.

United Kingdom: The European nation has been dubbed by RSF as the “world champion of surveillance” for its recently-revealed depraved strategies for spying on individuals worldwide.  The UK also joins countries like Ethiopia and Morocco in using terrorism laws to go after journalists.  Not noted by RSF, but also important, is the fact that the UK is also cracking down on legal pornography, forcing Internet users to opt-in with their ISP if they wish to view it and creating a slippery slope toward overblocking.  This is in addition to the government’s use of an opaque, shadowy NGO to identify child sexual abuse images, sometimes resulting instead in censorship of legitimate speech.

India: A country that has long censored certain types of speech, it’s surprising that India has never made it to RSF’s list before.  Still, in the past two years, things have gotten significantly worse as the Indian government has enacted new laws to limit online speech and has slouched toward the NSA at a time when its neighbors have spoken out against surveillance.

Ethiopia: The African country has been on a downward spiral for the past few years, blocking VoIP services, sentencing bloggers to long prison sentences, and enacting laws to block online content.  Most recently, EFF filed a lawsuit accusing the Ethiopian government of installing spyware on the device of an American citizen of Ethiopian origin.  In a similar case, Privacy International filed a criminal complaint alleging the use of FinSpy on the device of a UK resident.

Missing from the list

There are a few countries that were left out of this year’s index that we think should have been included.  These nations have all taken a turn for the worse in recent years:

Turkey: Although Turkey has shown up on RSF’s watchlist before, and despite a spate of arrests of social media users during last summer’s protests, Turkey managed to stay off this year’s index.  The country has come under fire from human rights advocates for its online repression, and in 2012, the European Court of Human Rights found that Turkey had violated its citizens’ right to free expression by blocking Google sites.  Turkey is definitely an enemy of the Internet.

Jordan: Despite local protests and international opposition, in June 2013, Jordan initiated a ban on more than 300 news sites that refused or failed to register with the Press and Publications Department.  Those sites remain blocked.

Morocco: The North African nation’s approach to the Internet had improved somewhat in recent years, with the government unblocking sites that were formerly censored.  The arrest of journalist Ali Anouzla in September 2013 and subsequent blocking of Lakome, the publication he co-founded, however, seems to signal a new era.  Activists have expressed concern that bad legislation is just around the corner.

We urge the countries that find themselves on RSF’s “Enemies of the Internet” list this year—as well as those that are glaringly missing from the list—to take note of countries, such as Tunisia and Myanmar (Burma), who have taken steps to ameliorate violations of Internet freedom and remove themselves from RSF’s annual index.

EFF: Supreme Court Must Set Limits On Cellphone Searches

This article was originally published by the Electronic Frontier Foundation.

Changing Technology Demands New Rules for Police

San Francisco — The Electronic Frontier Foundation (EFF) asked the U.S. Supreme Court Monday to set limits on warrantless searches of cellphones, arguing in two cases before the court that changing technology demands new guidelines for when the data on someone’s phone can be accessed and reviewed by investigators.

The amicus briefs were filed in Riley v. California and U.S. v. Wurie. In both cases, after arresting a suspect, law enforcement officers searched the arrestee’s cellphone without obtaining a warrant from a judge. Historically, police have been allowed some searches “incident to arrest” in order to protect officers’ safety and to preserve evidence. However, in the briefs filed Monday, EFF argues that once a cellphone has been seized, the police should be required to get a search warrant to look through the data on the phone.

“Allowing investigators to search a phone at this point — after the device has been secured by law enforcement but before going to a judge and showing probable cause — is leaving 21st Century technology outside the protections of the Fourth Amendment,” said EFF Staff Attorney Hanni Fakhoury. “If we’re going to truly have privacy in the digital age, we need clear, common-sense guidelines for searches of digital devices, with meaningful court oversight of when and how these searches can be conducted.”

In the not-so-distant past, our pockets and purses carried only limited information about our lives. But in the age of the smartphone, we are walking around with a complete, detailed history of our work schedules, our medical concerns, our political beliefs and our financial situations. Our phones include pictures of family gatherings, videos of friends, apps that help manage our health and our money, and email and text messages from both our personal and professional lives.

“Our phones include an extraordinary amount of sensitive information — our past, our present, our plans for the future,” said Fakhoury. “We can’t let investigators rummage through this data on a whim. It’s time for the Supreme Court to recognize the important role that judicial oversight must play in searches of cell phones incident to arrest.”

Today’s brief was filed in conjunction with the Center for Democracy and Technology. The brief was authored with the assistance of Andrew Pincus of Mayer Brown LLP and the Yale Law School Supreme Court Clinic.

For the full brief filed in Riley and Wurie:
https://www.eff.org/document/amicus-brief-supreme-court

For more on search incident to arrest:
https://www.eff.org/issues/search-incident-arrest

Contact:

Hanni Fakhoury
Staff Attorney
Electronic Frontier Foundation
hanni@eff.org

Related Cases

Supreme Court cases on cellphone searches

EFF Tech Experts: Tech Companies Must Defend Against Surveillance

This open letter to tech companies was originally published by the Electronic Frontier Foundation. It includes 10 principles to protect users from National Security Agency sabotage.

In the past nine months, our trust in technology companies has been badly shaken. Today, in collaboration with prominent security researchers and technologists, EFF presents an open letter to technology companies, urging them to protect users from NSA backdoors and earn back the trust that has been lost.

From the Snowden revelations emerge stories of collusion between government spy agencies and the companies whose services are integral to our everyday lives. There have been disturbing allegations published by Reuters indicating that RSA, an influential information security firm, accepted a $10 million contract from NSA that included, among other items, an agreement to use what we now know to be an intentionally compromised random number generator as the default for its BSAFE cryptographic library.

A future where we cannot trust the very technologies meant to secure our communications is fundamentally unsustainable. It’s time for technology companies to start helping users regain trust, with transparency and active opposition to illegal surveillance. Implementing the requisite changes in technical infrastructure and business practices may have short-term costs; however, the long-term cost of keeping users in perpetual fear of NSA sabotage is far greater.

How to Protect Your Users from NSA Backdoors: An Open Letter to Technology Companies

As security researchers, technologists, and digital rights advocates, we are deeply concerned about collaboration between government agencies and technology companies in undermining users’ security. Among other examples, we are alarmed by recent allegations that RSA, Inc. accepted $10 million from NSA to keep a compromised algorithm in the default setting of a security product long after its faults were revealed. We believe that covert collusion with spy agencies poses a grave threat to users and must be mitigated with commitment to the following best practices to protect users from illegal surveillance:

  1. Provide public access to source code whenever possible, and adopt a reproducible build process so that others can verify the integrity of pre-compiled binaries. Both open and closed source software should be distributed with verifiable signatures from a trusted party and a path for users to verify that their copy of the software is functionally identical to every other copy (a property known as “binary transparency”).
  2. Explain choices of cryptographic algorithms and parameters. Make best efforts to fix or discontinue the use of cryptographic libraries, algorithms, or primitives with known vulnerabilities and disclose to customers immediately when a vulnerability is discovered.
  3. Hold an open and productive dialogue with the security and privacy communities. This includes facilitating review and responding to productive criticism from researchers.
  4. Provide a clear and secure pathway for security researchers to report vulnerabilities. Fix security bugs promptly.
  5. Publish government request reports regularly (often these are called “Transparency Reports”). Include the most granular reporting allowed by law.
  6. Invest in secure UX engineering to make it as easy as possible for users to use the system securely and as hard as possible for users to use the system unsafely.
  7. Publicly oppose mass surveillance and all efforts to mandate the insertion of backdoors or intentional weaknesses into security tools.
  8. Fight in court any attempt by the government or any third party to compromise users’ security.
  9. Adopt a principle of discarding user data after it is no longer necessary for the operation of the business.
  10. Always protect data-in-transit with strong encryption in order to prevent dragnet surveillance. Follow best practices for setting up SSL/TLS on servers whenever applicable.

Sincerely,
The Electronic Frontier Foundation in collaboration with*:

  • Roger Dingledine, Project Leader, Tor Project
  • Brendan Eich, CTO, Mozilla Corporation
  • Matthew Green, Assistant Research Professor, Department of Computer Science, Johns Hopkins University
  • Nadia Heninger, Assistant Professor, Department of Computer and Information Science, University of Pennsylvania
  • Tanja Lange, Professor, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven
  • Nick Mathewson, Chief Architect, Tor Project
  • Eleanor Saitta, OpenITP / IMMI
  • Bruce Schneier, Security Technologist
  • Christopher Soghoian, Principal Technologist, Speech, Privacy and Technology Project, American Civil Liberties Union
  • Ashkan Soltani, Independent Researcher and Consultant
  • Brian Warner, Tahoe-LAFS Project
  • Zooko Wilcox-O’Hearn, Founder and CEO, LeastAuthority.com

*Affiliations listed for identification purposes only.

EFF: Support The Right To Repair The Goods You Purchase

This article, written by Electronic Frontier Foundation Intellectual Property Director Corynne McSherry, was originally published on the organization’s website on Feb. 18.

South Dakota has put forth new legislation to support a simple principle: if you own something, you ought to be allowed to fix it. The new bill, SB 136, would require manufacturers of electronics and appliances that contain embedded software to make available to consumers and independent repair shops the information and parts they need to repair those devices, and to fully disclose any contract provision standing in the way of full repair and reuse.

That seems like a pretty uncontroversial goal, but lots of major manufacturers that purport to “sell” you all kinds of products are doing their level best to make sure that if your product breaks, only they (or someone they authorize) can repair it. They do this in all kinds of ways—by tying your purchase (or update) to an expensive repair contract; burying sneaky clauses into license agreements (remember, you might buy a device, but if it contains software to make it more functional you probably only “rent” that software); treating repair information (like diagnostic codes) as proprietary; or refusing to sell repair parts to “unauthorized” independent shops (and then calling in the feds to prosecute shops that sell those parts anyway).

That’s bad for consumers and for the environment—how often have many of us tossed a device into the trash, or recycled it, because repairing it was too expensive? If that device contains electronics, that casual decision added to the e-waste that is slowly poisoning the planet.

South Dakota isn’t the first state to step in to defend its residents’ right to repair. In Massachusetts, legislators and voters passed legislation requiring automakers to provide affordable access to all tools, software and information used to repair late model cars and heavy duty vehicles. That legislation will go into effect in 2015.

SB 136 in South Dakota isn’t perfect—we’d love to see an additional requirement that the information be freely accessible and online, for example—but it’s an important step in the right direction.

The bill was debated in the Commerce committee today, and will move on to a larger vote later this week. If you live in South Dakota, contact your state senator today and tell him or her to support SB 136.

EFF Explains The History Of Surveillance And The Black Community

February is Black History Month and that history is intimately linked with surveillance by the Federal government in the name of “national security.”  Indeed, the history of surveillance in the African-American community plays an important role in the debate around spying today and in the calls for a Congressional investigation into that surveillance. Days after the first NSA leaks emerged last June, EFF called for a new Church Committee. We mentioned that Dr. Martin Luther King, Jr., was one of the targets of the very surveillance that eventually led to the formation of the first Church Committee. This Black History Month, we should remember the many African-American activists who were targeted by intelligence agencies. Their stories serve as cautionary tales for the expanding surveillance state.

The latest revelations about surveillance are only the most recent in a string of periodic public debates around domestic spying perpetrated by the NSA, FBI, and CIA. This spying has often targeted politically unpopular groups or vulnerable communities, including anarchists, anti-war activists, communists, and civil rights leaders.

Government surveillance programs, most infamously the FBI’s “COINTELPRO”, targeted Black Americans fighting against segregation and structural racism in the 1950s and 60s. COINTELPRO, short for Counter Intelligence Program, was started in 1956 by the FBI and continued until 1971. The program was a systemic attempt to infiltrate, spy on, and disrupt activists in the name of “national security.” While it initially focused on the Communist Party, in the 1960s its focus expanded to include a wide swathe of activists, with a strong focus on the Black Panther Party and civil rights leaders such as Dr. Martin Luther King, Jr.

FBI papers show that in 1962 “the FBI started and rapidly continued to gravitate toward Dr. King.” This was ostensibly because the FBI believed black organizing was being influenced by communism. In 1963 FBI Assistant Director William Sullivan recommended “increased coverage of communist influence on the Negro.” However, the FBI’s goal in targeting Dr. King was clear: to find “avenues of approach aimed at neutralizing King as an effective Negro leader,” because the FBI was concerned that he might become a “messiah.”

The FBI subjected Dr. King to a variety of tactics, including bugging his hotel rooms, photographic surveillance, and physical observation of King’s movements by FBI agents. The FBI’s actions went beyond spying on Dr. King, however. Using information gained from that surveillance, the FBI sent him anonymous letters attempting to “blackmail him into suicide.” The agency also attempted to break up his marriage by sending selectively edited “personal moments he shared with friends and women” to his wife.

The FBI also specifically targeted the Black Panther Party with the intention of destroying it. They infiltrated the Party with informants and subjected members to repeated interviews. Agents sent anonymous letters encouraging violence between street gangs and the Panthers in various cities, which resulted in “the killings of four BPP members and numerous beatings and shootings,” as well as letters sowing internal dissension in the Panther Party. The agency also worked with police departments to harass local branches of the Party through raids and vehicle stops. In one of the most disturbing examples of this, the FBI provided information to the Chicago Police Department that aided in a raid on BPP leader Fred Hampton’s apartment. The raid ended with the Chicago Police shooting Hampton dead.

The FBI was not alone in targeting civil rights leaders. The NSA also engaged in domestic spying that included Dr. King. In an eerily prescient statement, Senator Walter Mondale said he was concerned that the NSA “could be used by President ‘A’ in the future to spy upon the American people, to chill and interrupt political dissent.”

The Church Committee was created in response to these and other public scandals, and was charged with getting to the bottom of the government’s surveillance overreach. In response to its findings, Congress passed new laws to provide privacy safeguards, including the Foreign Intelligence Surveillance Act. But ever since these safeguards were put in place, the intelligence community has tried to weaken or operate around them. The NSA revelations show the urgent need to reform the laws governing surveillance and to rein in the intelligence community.

Today we’re responding to those domestic surveillance abuses by an unrestrained intelligence branch. The overreach we’ve seen in the past underscores the need for reform. Especially during Black History Month, let’s not forget the speech-stifling history of US government spying that has targeted communities of color.

EFF: What Pete Seeger Can Teach Us About The NSA

This article, written by EFF Legal Director Cindy Cohn, was originally published by the organization on Feb. 1. Editor’s Note: Many of Personal Liberty’s readers likely disagree with the late Pete Seeger’s political positions. But as Americans are increasingly confronted with government intrusions on privacy, Seeger’s reaction to government prying in his personal life is worth noting.

“I am not going to answer any questions as to my association, my philosophical beliefs, or how I voted in any election, or any of these private affairs. I think these are very improper questions for any American to be asked, especially under such compulsion as this.”

Pete Seeger, 1955, testimony pursuant to subpoena before the House Un-American Activities Committee.

The world lost a clear, strong voice for peace, justice, and community with the death of singer and activist Pete Seeger last week. While Seeger was known as an outspoken musician not shy about airing his political opinions, it’s also important to remember he was once persecuted for those opinions, despite breaking no law. And the telling of this story should give pause to those who claim to be unconcerned about the government’s metadata seizure and search programs that reveal our associations to the government today.

In 1955, Seeger was called before the House Un-American Activities Committee, where he defiantly refused to answer questions about others who he associated with and who shared his political beliefs and associations, believing Congress was violating his First Amendment rights. He was especially concerned about revealing his associations:

I will be glad to tell what songs I have ever sung, because singing is my business. . . .  But I decline to say who has ever listened to them, who has written them, or other people who have sung them.

But if the same thing were to happen today, a Congressional subpoena and a public hearing wouldn’t be necessary for the government to learn all of our associations and other “private affairs.” Since the NSA has been collecting and keeping them, they could just get that same information from their own storehouses of our records.

According to the Constitution, the government is supposed to meet a high standard before collecting this private information about our associations, especially the political ones that the Congressmen were demanding of Seeger. For instance, under the First Amendment, it must “serve compelling state interests, unrelated to the suppression of ideas, that cannot be achieved through means significantly less restrictive of associational freedoms.”

It doesn’t matter whether the government wants associations to look for possibly “illegal” activities of civil rights activists, Communist sympathizers, anarchists, trade unionists, war resisters, gun rights activists, environmental activists, drug legalization advocates, or wants to go after legitimate criminals and potential terrorists, if the government can’t justify the collection of this “metadata” on this “strict scrutiny” standard, they’re not allowed to collect any of it. Yet right now, they collect all of it.

We’re still learning of all the ways the government is able to track our associations without anything like the due process and standards required by the First and Fourth Amendments, but it is the centerpiece of the NSA’s mass telephone records collection program under Patriot Act section 215, which EFF is fighting with our First Unitarian Church v. NSA case that focuses on the right of association.  Our lead client, the First Unitarian Church of Los Angeles, had its own role in resisting the House Un-American Activities Committee. It’s also part and parcel of the mass collection of content and metadata of people all around the world under section 702 of the FISA Amendments Act. And it’s a real concern even if the companies hold the data, as we’ve seen with the FBI’s self-certified National Security Letters and the Hemisphere program, where AT&T employees are embedded in government investigations so that they can more readily search through our phone records for the FBI, the DEA and others.

Each of these programs effectively allows the government to do to you what Pete Seeger refused to let them do to him—track your associations, beliefs and other private affairs without proper legal protections.  And they can do this at scale that was unimaginable in 1955, thanks to the digital nature of our communications, the digital tools that allow them to search automatically rather than by hand and the fact that so much more about these private affairs is in the hands of third parties like our phone and internet companies.

While Seeger escaped jail, he was convicted of contempt for his failure to answer these questions. Thankfully, Joseph McCarthy and the Un-American Activities Committees were later widely condemned, and Americans understandably look back sadly and with embarrassment on the time when the Committee forced Americans to reveal their own associations, along with the associations and beliefs of others. With the passing of moral and artistic heroes like Seeger, we should redouble our efforts to make sure that our “private affairs” remain safe and the government’s ability to access them remains subject to careful controls.

Join EFF on February 11 to fight back against mass surveillance.

Free Sgt. Star: Army Ignores FOIA Request for Artificial Intelligence Records

This article, written by media relations coordinator and investigative researcher Dave Maass, was originally published by the Electronic Frontier Foundation.

Sgt. Star is a 6-foot-1, clean-shaven, strong-jawed white male, with eyes that match the camouflage pattern on his combat uniform. His voice is deep, authoritative and carefully enunciative. He seems to be in his 30s, but he is actually only about 7 years old.

Sgt. Star is not a real person, or at least not a corporeal one. He is a chatbot — an artificial intelligence program designed to hold conversations — that was commissioned by the U.S. Army to help with recruitment efforts. He can recognize questions and dispense answers, verbally and in text, and also help the user surf the GoArmy.com website. According to marketing materials, he has answered more than 11 million questions so far.

Last year, the Electronic Frontier Foundation filed a request with the Army to see if EFF could obtain him, or elements of him, through the Freedom of Information Act. More than 75 calendar days have passed, and the Army still hasn’t responded — not even to say it’s withholding the records.

Contemplation of military service is one of the most personal and life-altering decisions an American can undertake, with lasting consequences. EFF is interested in learning how Sgt. Star works, what questions he was programmed to answer and whether the Army has found the project effective. As electronic privacy advocates, EFF also hopes to determine what happens to the records of conversations Sgt. Star has with potential recruits.

As chatbots grow in popularity, particularly in a commercial setting (a reporter from TIME even discovered a chatbot posing as a telemarketer), Sgt. Star is often pointed to as a successful model of how this technology can be used as a replacement for humans in providing customer service. The SGT STAR project (officially, it’s all-caps) began in 2007 with a partnership between U.S. Army Accession Command and the Spokane, Wash.-based company Next IT, which sells “intelligent virtual assistants” to businesses. In the years since Sgt. Star’s inception, he has expanded beyond his GoArmy interface and potential recruits can now interact with him through Facebook or download him to their mobile phones via an app launched by the Army last year. Sgt. Star also makes appearances at public events, such as NASCAR races and Future Farmers of America gatherings, where users can talk to a full-size projection developed by the Institute for Creative Technologies at University of Southern California.

EFF contacted programmer Bruce Wilcox, two-time winner of the Loebner Prize for Artificial Intelligence (aka “The First Turing Test”) for advice on what to ask for in a FOIA request. Wilcox suggested EFF seek Sgt. Star’s input patterns (all the phrases and keywords Sgt. Star is pre-programmed to recognize) and the scripted output answers (all the possible things Sgt. Star could say). In the FOIA letter, EFF requested these files as they existed for each year between 2007 and 2013, in order to compare how Sgt. Star’s answers evolved to reflect developments in global conflicts, changes to military benefit packages and new policies, such as the repeal of “Don’t Ask, Don’t Tell.”

To cover its bases, EFF widened the FOIA request to include all contracts regarding Sgt. Star, all annual and quarterly reports that reference Sgt. Star, any audits, and any privacy policies associated with the program. EFF also asked for whatever analytical data might be available, such as the number of conversations Sgt. Star has had, the duration of those conversations, the general geolocation of the users (broadly), the number of conversations that resulted in direct communication with a human recruiter and any estimate of manpower saved by using the AI.

Once EFF crafted the request, the next challenge was to determine which agency was responsible for Sgt. Star. With the disestablishment of the Accession Command in September 2012, it was unclear which division had inherited Sgt. Star. EFF started with the public affairs office of the U.S. Army Recruiting Command (USAREC) in Fort Knox, Ky. From there, EFF’s request bounced to the Army Marketing and Research Group, a new division created in October 2012. A representative initially said he would follow up in a week and get EFF whatever he could. That was last November, and EFF has yet to receive any further response, despite a follow-up letter filed shortly after the Army missed the 20-day FOIA response deadline. EFF even sent the Army a note that it was writing this blog post.

The Army can’t argue that none of the records EFF requested can be released. Sgt. Star’s individual responses are already publicly available on the Internet, provided a user enters all of the possible questions into the chat interface, so there’s no reason the script should not be available in aggregate. Next IT uses basic Sgt. Star statistics in its marketing materials. For example, the program has a 94 percent accuracy rate in answering questions and the average user interacted with the program for 10.4 minutes. The fact that a private company can access this data, but the public cannot, raises questions about both privacy and government transparency.

When filing a FOIA request like this, it’s important to anticipate how the release of information would serve the public interest. Military recruitment practices have long been a subject of public controversy, whether it’s regarding protests over recruiters on school campuses or the use of video games to spur combat interest in youths. Everyone from veteran advocates to peace activists to budget watchdogs could review how the Army uses emerging technology to inform and persuade potential recruits. Social commentators could create satire through an augmented version of Sgt. Star by plugging his input and output scripts into a publicly available chatbot engine. EFF is especially concerned with how personal data is collected, stored and shared beyond what is disclosed in the online privacy policy for chatting with human recruiters. As government transparency activists, EFF also wants to ensure that digital records stored in unconventional databases are in the public domain.

When the Army Marketing and Research Group was founded, the division’s director, Mark S. Davis, said its mission was to “make the Army more transparent to the American public; explained in a way that is accessible and shows how truly extraordinary the U.S. Army and the American Soldier are.” If he still believes that, his office should let the American people see how truly extraordinary the Army’s virtual recruiter is by responding to EFF’s FOIA request.

Free Sgt. Star.

EFF: Government Views On Fair Use Troubling For Small Content Creators

This article, written by electronic freedom activist Parker Higgins and attorney Mitch Stoltz, was originally published by the Electronic Frontier Foundation.

Copyright reform hearings continue to lumber along in the House of Representatives, with Tuesday’s in the Judiciary Committee marking the seventh in as many months. This hearing was dedicated to “The Scope of Fair Use,” and though the panel of witnesses was more diverse than in some of the earlier hearings, there were still some disappointing trends in the conversation.

One area that got significant attention was the topic of mass digitization, which has been repeatedly determined by courts to be a fair and transformative use. Not only is it fair, but as Professor Peter Jaszi noted during the hearing it is also tremendously beneficial, enabling the indexing and searching of huge sets of works.

Several panelists, however, pointed to the legal status of mass digitization as evidence of “fair use creep,” stressing its supposed lack of “transformative” quality over the other fair use considerations. That’s a mistake. Mass digitization is absolutely the sort of thing fair use is supposed to enable. Fair use is a flexible doctrine, not a rigid list of exceptions, so that it can accommodate changes in practices or technology.

Even more troublingly, some panelists seemed fixated on the commercial character of a use in determining whether it could be considered fair. On the one hand, the Supreme Court is abundantly clear that commercial use does not preclude a finding of fair use. But to listen to some of the panelists Tuesday, the notion seemed to be that if anybody is making money, rightsholders want a cut—or worse, the power to veto the use in the first place. The definition of commercial use, too, was stretched to its breaking point: according to one panelist, an otherwise non-commercial video remix can be tainted with the label of commercial as soon as it is posted to an ad-supported platform like YouTube.

That same panelist—the songwriter and copyright expansion activist David Lowery—also repeatedly raised hip hop as an example of copyright working effectively without fair use because the genre has managed to achieve popularity despite often requiring licenses for musical samples. Of course, this characterization overlooks how licensing schemes limit what sorts of creativity are sanctioned under the law, and that seminal works in the genre simply could not be made under today’s understanding of sampling.

Taken together, these two themes represent a pernicious misconception that there are “legitimate” works—the ones presented by companies that belong to lobbying organizations with multi-million dollar budgets—and “illegitimate” ones that require permission to be created or commercially exploited.

In terms of the law, the Supreme Court rejected that argument over 100 years ago, and that rejection has been reaffirmed numerous times in cases like Campbell v. Acuff-Rose Music (“Whether … parody is in good taste or bad does not and should not matter to fair use”) and Yankee Publishing Inc. v. News America Publishing (“First Amendment protections do not apply only to those who speak clearly, whose jokes are funny, and whose parodies succeed”). Any understanding of fair use has to reflect that legal tradition.

Although it didn’t get much attention during Tuesday’s hearing, issues of fair use are complicated by the incredibly high penalties that can await those accused of infringement. These punitive fees discourage artists from actually exercising fair use rights as they create.

One panelist, Professor June Besek, recently suggested that statutory damages don’t need to be addressed, but her record on this issue is troubling. Writing to the Department of Commerce this month, Besek pointed to a $6,000 court judgment won by notorious copyright troll Prenda Law—a judgment that was almost certainly achieved by fraud—as an example of the current copyright law working well.

Professor Besek said that copyright penalties for individual file-sharers don’t need fixing at this time because cases like Prenda’s (brought using the law firm’s alter ego, AF Holdings, as plaintiff) result in damages “under $10,000.” It’s widely known that Prenda has coerced millions of dollars in “settlement” payments from Internet subscribers by building false copyright cases on a framework of shell companies, forged documents, lies to the courts, and threats of $150,000 penalties. Using an AF Holdings case to show that the copyright system is working well—because the fraud victim lost $6,000 instead of a possible $150,000—is bizarre, and casts doubt on Professor Besek’s testimony.

Tuesday’s hearing was cut short by other legislative action on the floor, but as Committee Chairman Goodlatte noted, it was “perhaps the most important copyright hearing” yet. Congress should continue to get the opinions of witnesses like Professor Jaszi and Naomi Novik from the Organization for Transformative Works—people who have experience with art and media that depends on fair use.

Scorecard: Will Obama Hit The Mark On Real NSA Reform?

The Electronic Frontier Foundation is planning to grade the President’s forthcoming National Security Agency “reform” package, and they’re asking Americans to make their wishes known before Obama unveils his plan on Friday.

By The Electronic Frontier Foundation

On Friday, President Barack Obama will announce changes and potential reforms he will make to the National Security Agency (NSA). What can we expect? Many people are skeptical that the president will create meaningful limits to the NSA’s practice of sweeping up the digital communications of millions of people worldwide. Instead of actually stopping the spying, Obama could just make pronouncements calling for more transparency or additional layers of bureaucratic oversight. Basically, he could duck the most important thing he could do to show leadership: rein in government surveillance.

We’ve compiled a list of common-sense fixes that the President could—and should—announce at his briefing on Friday. Many of these are similar to measures proposed by the president’s own Review Group on Intelligence and Communications Technologies, which produced a report with over 40 recommendations last month. The list below is not comprehensive, but it addresses the central problems with NSA surveillance. Fixing all of them will go a long way toward restoring America’s trust in its government and resolving some of the most egregious civil liberties abuses of the NSA.

We’ll be scoring Obama’s presentation on Friday and we’ll let you know which, if any, of these reforms he supports. You can help us pressure Obama in the coming days by tweeting these reforms at him.

1. Stop mass surveillance of digital communications and communication records.

It doesn’t matter what legal authority is being cited—whether it’s the Patriot Act, the FISA Amendments Act, or an executive order—the government should not be sweeping up massive amounts of information by and about innocent people first, then sorting out whether any of its targets are included later. The NSA has disingenuously argued that simply acquiring this data isn’t actually “collecting” and that no privacy violation can take place unless the information it stores is actually seen by a human or comes up through an automated search of what it has collected. That’s nonsense. The government’s current practices of global dragnet surveillance constitute general warrants that violate the First and Fourth Amendments, and fly in the face of accepted international human rights laws. Obama needs to direct the NSA to engage only in targeted surveillance and stop its programs of mass surveillance, something he can do with a simple executive order.


2. Protect the privacy rights of foreigners.

The NSA’s surveillance is based upon the presumption that foreigners are fair game, whether their information is collected inside the US or outside the US. But non-suspect foreigners shouldn’t have their communications surveilled any more than non-suspect Americans. The review group recommended limited protections for non-US persons and while that is a good start, the president should do more to ensure that actual suspicion is required before either targeted or untargeted surveillance of non-US persons.


3. Don’t turn communications companies into the new Big Brother: no data retention mandate.

Obama’s review group recommended ending the NSA’s telephone records program, which we strongly agree with, but then indicated that a reasonable substitute would be to force American communications companies to store the data themselves and make it available to the government. The group ultimately recommended a data retention mandate if companies won’t comply voluntarily. But companies shouldn’t be pressed into becoming the NSA’s agents by keeping more data than they need or keeping it longer than they need to. To the contrary, companies should be working on ways to store less user data for less time—decreasing the risks from data breaches and intrusions like the one that just happened to Target. Data retention heads in the wrong direction for our security regardless of whether the government or private parties store the information.


4. National Security Letters need prior judicial review and should never be accompanied by a perpetual gag order.

One recommendation of the review group we heartily endorse is reining in National Security Letters. The FBI uses these letters to demand user data from communications service providers with no judicial review. Providers are forbidden from talking about receiving NSLs, which means the letters also serve as perpetual gag orders. EFF was successful in convincing a federal judge to strike down these NSLs last year. The case is on appeal but Obama can remedy the situation more quickly by instructing the FBI not to issue NSLs without prior judicial review, and to limit its use of gag orders.


5. Stop undermining Internet security, weakening encryption, and infiltrating companies.

Recent revelations show that the NSA is undermining Internet encryption, making us all less secure when we use technology. These practices include weakening standards, attacking technology companies, and preventing security holes from being fixed. As the president’s review group recognized, this has serious consequences for any industry that relies on digital security—finance, medicine, transportation, and countless others, along with anyone in the world who relies on safe, private communication. Obama should follow the recommendations of his review group and immediately stop the NSA’s efforts to undermine or weaken the security of our technologies.


6. Oppose the FISA Improvements Act.

The FISA Improvements Act, promoted by Sen. Dianne Feinstein, a stalwart defender of the NSA, would codify mass surveillance by the NSA and potentially extend the spying. Obama should make clear that he opposes the bill and would veto it if it came to his desk.


7. Reject the third party doctrine.

Obama should announce that it will be the policy of the Justice Department that data held by a third party (such as a telecom company or an Internet service provider) has the same constitutional protections as data stored at home. This will help correct deeply flawed Supreme Court rulings from the 1970s, which found that people who allowed companies to store their data had no expectation of privacy in it, and will support efforts to update the Electronic Communications Privacy Act to reflect current realities of how we use technology.


8. Provide a full public accounting of our surveillance apparatus.

Obama is fond of saying that the public misunderstands the government’s surveillance programs because they are being brought to light in “dribs and drabs” based on whistleblower evidence. To remedy this, Obama should appoint an independent committee to give a full public accounting of surveillance programs that impact non-suspects around the world. This does not mean revealing specific methods for tracking terrorists, but it does mean providing a comprehensive review of the legal authorities relied upon and the surveillance programs that affect non-suspect members of the public. The appointed committee should directly engage whistleblowers like Thomas Drake, William Binney, Edward Snowden and others, and include independent technological experts.


9. Reform the state secrets privilege and stop overclassifying.

For years, the government has fought accountability in the courts by claiming all of the information related to surveillance programs is a “state secret.” The government should commit to continue the work started by Sen. Ted Kennedy to reform the state secrets privilege to ensure it is no longer used to shield abuses from public accountability. In a similar vein, the government routinely classifies documents that would pose no danger to our security if they are made public. In fact, the classification system is often abused to hide information about government abuses of power. We need to embrace transparency, not secrecy, as the default, in our courts and our public discourse, both to better protect actual secrets and to better hold the government accountable for its actions.


10. Reform the FISA court: provide a public advocate and stop secret law.

There are myriad problems with the Foreign Intelligence Surveillance Court, the secretive court system that signs off on national security surveillance requests. Two of the biggest are: 1. One-sidedness: Government lawyers argue for surveillance authority in front of judges without any adversary in the room to argue for due process, privacy and civil liberties; 2. Secret law: The FISA court has created a huge body of secret law that impacts the communications of millions of Americans but is unknown to them. Obama should take preliminary steps to reform the FISA court by supporting calls for a public advocate to ensure an adversarial process in the courtroom. Further, the president should forbid the DOJ from blocking the publication of FISA court legal interpretations and only allow the redaction of true operational details.


11. Protect national security whistleblowers working for the public good.

Whistleblowers like Mark Klein, Kirk Wiebe, Thomas Drake, William Binney, Edward Snowden and others have provided the public with critical information about national security abuses that helped spark a much needed public debate about transparency, privacy, and the public’s relationship with its government. Yet some of these whistleblowers face decades in prison for their actions under outdated or misapplied laws. The president should not only instruct the DOJ to stop prosecuting whistleblowers who publicize information for the public good, but champion affirmative legislation to protect them.


12. Criminal defendants should know if national security surveillance is being used against them.

Recently released documents confirm that the NSA is sharing surveillance data with other US agencies, and that the FBI is running its own mass surveillance programs. Information gathered through these programs is being fed as “tips” into regular criminal investigations, with instructions to hide the origin of the information. This practice of intelligence laundering runs afoul of protections enshrined in the Fifth and Sixth Amendments, which guarantee a criminal defendant a meaningful opportunity to present a defense and challenge the government’s case. The president should make clear that criminal defendants have a right to be given notice of all surveillance information used to investigate or prosecute them as soon as risk to the investigation has passed and never later than when the accused faces trial.

We will publish a filled-out scorecard right after Obama’s speech on Friday. In the meantime, we have just days left before the announcement. Let’s use every moment we have to pressure Obama to really stop mass spying.

SCORECARD

Customs And Border Protection Lent Predator Drones To Other Agencies 700 Times In 3 Years, According To ‘Newly Discovered’ Records

This post, written by senior staff attorney Jennifer Lynch, was originally published by the Electronic Frontier Foundation on Jan. 14.

U.S. Customs And Border Protection recently “discovered” additional daily flight logs that show the agency has flown its drones on behalf of local, State and Federal law enforcement agencies on 200 more occasions than previously released records indicated.

Last July, the Electronic Frontier Foundation reported, based on daily flight log records CBP made available to EFF in response to its Freedom of Information Act lawsuit, that CBP logged an eightfold increase in the drone surveillance it conducts for other agencies. These agencies included a diverse group of local, State and Federal law enforcement — ranging from the FBI, U.S. Immigration and Customs Enforcement, the U.S. Marshals Service and the Coast Guard to the Minnesota Bureau of Criminal Investigation, the North Dakota Bureau of Criminal Investigation, the North Dakota Army National Guard and the Texas Department of Public Safety.

CBP stated that these flight logs and a list of agencies it later prepared based on those logs represented all the missions the agency flew on behalf of non-CBP agencies. Yet after EFF and CBP briefed the remaining issues in the case in EFF’s Cross Motions for Summary Judgment and on the eve of the pivotal court hearing on those motions in December, CBP announced it “discovered that it did not release all entries from the daily reports for 2010-2012” responsive to EFF’s Freedom of Information Act request.

Not only do these new flight logs and the accompanying new list of agencies show a striking increase in the overall number of flights (700 versus 500), they also reveal a sharp increase in the number of flights for certain Federal agencies like ICE (53 more flights than previously revealed) and the Drug Enforcement Administration (20 more flights). And they also reveal CBP flew 32 additional times on behalf of State and local agencies — including previously undisclosed law enforcement like the Arizona Department of Public Safety and the Minnesota Drug Task Force. Unfortunately, CBP continues to withhold the names of many of these State and local agencies, arguing that revealing them would somehow impede ongoing investigations. However, as EFF pointed out in its summary judgment brief, disclosing that CBP was working with, for example, the Pima County, Ariz., Sheriff’s Department would not be specific enough to affect any particular criminal operation. It would hardly be surprising that CBP was working with Pima County because it shares a border with Mexico. It is also — at 9,200 square miles — one of the larger counties in Arizona and has one of the highest crime rates of any county in the country: a rate of 4,983 crimes per 100,000 people. Given the large geographic size of and crime rate in this county and others like it, it is hard to imagine that releasing information about which county sheriff’s department CBP is working with would enable suspected criminals in the area to link CBP’s drone surveillance to their particular criminal activity.

The newly released records reveal other surprising facts, including that CBP was using its sophisticated VADER surveillance system much more frequently than previously thought and was using it for other agencies. This sensor, also known as Vehicle and Dismount Exploitation Radar, was initially developed for use in the Afghanistan war and can detect the presence of people from as high as 25,000 feet. CBP has used this sensor in its surveillance operations since 2011 and used it at least 30 times for other agencies in 2012. The records CBP previously released to EFF contained no specific mention of VADER technology. As noted by the Center for Investigative Reporting, the system has several limitations — not the least of which is that “it can’t tell the difference between a U.S. citizen and noncitizen.”

The records also indicate that CBP’s drones appear plagued with problems; many of the logs indicate missions were terminated or canceled due to undisclosed issues affecting both the aircraft (General Atomics was often called in to address issues with the Predators) and the surveillance equipment on board (Raytheon, which supplies the RADAR equipment for CBP’s drones, was also called in). The VADER system had its own undisclosed problems.

CBP noted in a recent Privacy Impact Assessment (PIA) that it generally flies its drones in support of its primary mission: “border security.” Yet these records indicate just how blurred that mission has become. This is problematic because, as CBP also notes, drones like Predators enable “the monitoring of large areas of land more efficiently and with fewer personnel than other aviation assets.”

As the use of Predators moves from maintaining security at the Nation’s borders to general law enforcement elsewhere within the country, more and more people in the United States will be subject to drone surveillance. CBP states in its PIA that it stores data unassociated with a particular investigation for no more than 30 days; but much, if not most, of this data will be associated with an investigation and may, therefore, be stored indefinitely — even if it includes footage of property, vehicles and people unassociated with the investigation.

CBP also states in the PIA that we shouldn’t be concerned about the privacy implications of its drones because their sensors cannot yet identify individual people. However, these sensors are becoming more sophisticated every day, and it won’t be long before surveillance capabilities like “facial recognition or soft biometric recognition, which can recognize and track individuals based on attributes such as height, age, gender, and skin color” are added to CBP’s arsenal. We need to address these issues before that happens.

Senator Dianne Feinstein was concerned enough about drone surveillance to amend last term’s Senate Immigration Bill to restrict CBP’s flights in California to within three miles of the border. We should be similarly concerned about CBP’s flights throughout the country — especially when CBP still refuses to reveal exactly which State and local agencies it’s working with. EFF will be arguing just that point in the hearing on its Cross Motion for Summary Judgment in the case this coming Wednesday.

Documents:

In order to be comprehensive, EFF presents the documents CBP previously provided alongside the supplemental disclosures referred to in this report. The updates are marked “NEW.”

Agency Lists

2010 Flight Logs

2011 Flight Logs

2012 Flight Logs

Feb. 11: The Day We Fight Back Against NSA Surveillance

This post, written by Activism Director Rainey Reitman, was originally published by the Electronic Frontier Foundation on Jan. 10.

In January 2006, the Electronic Frontier Foundation filed its first lawsuit challenging the Constitutionality of National Security Agency mass surveillance.

In January 2012, the Internet rose up to protest and defeat the Stop Online Piracy Act (SOPA), legislation that sought to censor the Internet in the name of copyright enforcement.

And in January of last year, EFF lost a dear friend and fierce digital rights advocate, Aaron Swartz. EFF vowed to defend the rights of Internet users everywhere in his memory.

Now EFF has a new challenge: ending mass surveillance by the NSA.

The Edward Snowden revelations have provided disturbing details and confirmation of some of EFF’s worst fears about NSA spying. The NSA is undermining basic encryption standards, the very backbone of the Internet. It has collected the phone records of hundreds of millions of people not suspected of any crime. It has swept up the electronic communications of millions of people indiscriminately, exploiting the digital technologies we use to connect and inform.

But EFF isn’t going to let the NSA ruin the Internet. Inspired by the memory of Swartz and fueled by its victory against SOPA, EFF is joining forces with a coalition of liberty-defending organizations to fight back against NSA spying.

Today, on the eve of the anniversary of Swartz’s death, EFF asks you to join them in stepping up to the plate once again. Bring your creativity, your networks, your art and your dedication; and join EFF in a month of action, culminating in an Internet-wide protest on Feb. 11.

Join EFF. Fight back.

Three Hearings, Nine Hours, and One Accurate Statement: Why Congress Must Begin a Full Investigation into NSA Spying

This post, written by Legislative Analyst Mark M. Jaycox and Senior Staff Attorney Lee Tien, was originally published by the Electronic Frontier Foundation on Jan. 7.

Last week, press reports revealed more about the National Security Agency’s (NSA) elite hacking unit, the Office of Tailored Access Operations (TAO). The press also helped the public grasp other NSA activities, like how it’s weakening encryption. All of this is on top of the NSA’s collection of users’ phone calls, emails, address books, buddy lists, calling records, online video game chats, financial documents, browsing history and calendar data we’ve learned about since June.

By contrast, thus far Congress as a whole has done little to help the public understand what the NSA and the larger intelligence community are doing. Even members of Congress seem to learn more from newspaper reports than from “official” sources.

Regaining Congressional Oversight

Something is very wrong when Congress and the public learn more about the NSA’s activities from newspaper leaks than from the Senate and House intelligence committees. The committees are supposed to oversee the intelligence community activities on behalf of the public, but more often — as the New Yorker describes it — “treat senior intelligence officials like matinée idols.”

It’s time for Congress to reassert its oversight role and begin a full-scale investigation into the NSA’s surveillance and analytic activities. The current investigations — which aren’t led by Congress — are unable to fully investigate the revelations, Congressional committees’ hearings have added little, and Congress cannot rely solely on mandating more reports from the NSA as a solution.

Hearings Inside Congress

So far, Senate Judiciary Committee Chairman Patrick Leahy is valiantly attempting to shine more light on the NSA’s activities, but the hearings have only served as venues for Administration officials to parrot talking points and provide non-answers to important questions. This is very similar to what happened after The New York Times released the first reports of warrantless wiretapping in December 2005.

The hearings’ ineffectiveness is shown by the fact that it took three hearings — nine hours — for Leahy to clarify just how many terrorist attacks the collection of all Americans’ calling records stopped. In the first hearing (July), government witnesses said the program stopped “54 terrorist attacks.” By the third hearing (October) — and after much pressure by Leahy — Gen. Keith Alexander corrected his statement: It turns out the program had only stopped “one, perhaps two” terror plots, one of which involved “material support.” Aside from this, there are still two sets of questions from the hearings by Senator Richard Blumenthal and Senator Ron Wyden that the intelligence community has left unanswered.

It shouldn’t take three hearings over several months for a member of Congress to obtain accurate and understandable information from the director of the NSA.

A Congressional Investigation Is Needed

Congress must initiate a full-scale, targeted investigation outside of its regular committees. Such an investigation would normally fall under Congress’ intelligence or other oversight committees. But any investigation into the NSA’s activities must include a review of the current Congressional oversight regime. Since the creation of the intelligence committees in 1978, there has been no external audit or examination of how the system has performed.

A review is needed when the Senate intelligence committee’s own chairwoman, Senator Dianne Feinstein, admits how extraordinarily difficult it is to obtain information from the intelligence community. Members of Congress have complained that briefings are like “playing a game of 20 questions” and other members have even noted how the House intelligence committee may have neglected to pass information to members before a key vote.

Current members of Congress aren’t the only ones complaining: former Vice President Walter Mondale and Senator Gary Hart — two former members of Congress who were instrumental in creating the Senate intelligence committee — have also said that the intelligence committees are not operating as they were originally intended.

Increasing Reports Is A Start

So far, Congress favors increasing reporting requirements or asking for an investigation by an Inspector General (IG). Transparency bills — like bills brought by both Senator Al Franken and Representative Zoe Lofgren — are a fantastic start. But such reports won’t uncover the secret law the NSA is using or the secret collection of ordinary people’s information. Nor will they tell us about the use of Executive Order 12333. The bills will only provide a numerical range regarding the orders the government sends, companies receive, and the number of users or accounts the orders impact.

What’s worse, the Inspector General of the Intelligence Community — who reports directly to the very officials who authorized the spying — told Senators he is unable to carry out a review of the programs due to a lack of resources. And even if such an investigation were to occur, the IG is unable to even request documents without the approval of the Director of National Intelligence.

Time For A New Investigation

The NSA leaks are ushering in a new day regarding Congressional oversight of the intelligence community. And it’s why Congress must dedicate the resources to a full-scale investigation by a special committee. Such a committee will allow Congress to delve into what other data the NSA may be collecting en masse about Americans, to learn about how the surveillance laws it passed are being used, and to inform the American public — all while protecting national security. It’s a tough balancing act, but Congress was able to do it in the 1970s with the Church and Pike Committees. And it should have the courage to do it again today.

EFF Looks Back On 2013: States, Not Congress, Stepped Up To Protect Individuals’ Privacy

The Electronic Frontier Foundation is releasing a series of year-in-review posts that focus on different aspects of the highly-publicized clash between government surveillance and individual freedoms in 2013. This one, by EFF’s Hanni Fakhoury, shows that the political will to protect Americans’ Constitutional rights against illegal searches and seizures has largely resided with State governments and the State-level courts – while members of Congress continue to posture and twiddle their thumbs.


January 2, 2014 | By Hanni Fakhoury

As the outcry against NSA spying and electronic surveillance has grown, the need to protect privacy through legislation has never been higher. With law enforcement itching to use aggressive new surveillance techniques, from drones to facial recognition, to fight crime, privacy is often left by the wayside as collateral damage. Ideally it would be Congress that would take the lead in passing privacy legislation, creating uniform standards that protect privacy across the country. And while there were a number of Congressional proposals, none went anywhere in 2013. So while Congress continues to drag its feet, State courts and Legislatures have stepped up to protect their citizens’ electronic privacy.

This summer, the Massachusetts Supreme Judicial Court ruled, in a case in which we filed an amicus brief, that passengers in a car have an expectation of privacy to be free from persistent GPS location monitoring. Montana and Maine passed legislation that required police to obtain a search warrant before tracking any electronic device. And Texas passed a bill that requires state law enforcement to obtain a search warrant before accessing electronic communications like emails from a service provider.

As States placed an emphasis on protecting privacy, we stepped up our efforts to get involved at the State level. We filed numerous amicus briefs in state courts across the country on a whole host of privacy issues. We argued to the Supreme Courts of Rhode Island and Washington that your text messages stored on someone else’s cell phone are protected by the Fourth Amendment. We urged courts in Connecticut and Massachusetts to follow New Jersey’s lead and require police to obtain a search warrant before getting cell phone tower information. We explained to the Texas high court that, unlike a pair of pants, an arrestee’s cell phone can’t be searched by police without a warrant. And again before the Massachusetts high court, we explained why the Fifth Amendment prohibited a suspect from being forced to decrypt a computer. We got involved in State legislation too, sponsoring an email privacy bill in California that passed the legislature but was vetoed by Governor Jerry Brown. We also opposed a Massachusetts bill that aimed to expand the State’s wiretapping statute.

Early indications suggest 2014 will see more States getting involved to pass privacy legislation. Wisconsin is considering a location privacy bill that would prohibit police from tracking a cell phone without a search warrant. Lawmakers in Montana are planning to introduce an initiative to amend the State constitution to protect digital privacy. And we’ll be there too, working to convince State courts and Legislatures to make privacy-conscious decisions, in addition to our Federal work. Hopefully 2014 will be the year Congress catches up to the States.

54 Civil Liberties And Public Interest Organizations Oppose The FISA Improvements Act

This post, written by Activism Director Rainey Reitman, was originally published by the Electronic Frontier Foundation on Dec. 18.

Fifty-four civil liberties and public interest groups sent a letter to Congressional leadership today opposing S. 1631, the FISA Improvements Act. The bill, promoted by Senator Dianne Feinstein (D-Calif.), seeks to legalize and extend National Security Agency mass surveillance programs, including the classified phone records surveillance program confirmed by documents released by former NSA contractor Edward Snowden this summer.

On Monday, a Federal judge found the phone records program that Feinstein’s bill supports was likely unconstitutional. In a sharply worded opinion, Judge Richard Leon explained, “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval.”

Feinstein has been promoting the bill as a way to rein in NSA overreach, but legal experts have criticized the bill for attempting to sanction the worst of the surveillance abuses. The letter published today calls on members of Congress to reject the FISA Improvements Act and champion reform that would end mass surveillance by the NSA.

Signers included the American Civil Liberties Union, the Council on American-Islamic Relations, Electronic Frontier Foundation, Greenpeace USA, PEN American Center, Progressive Change Campaign Committee, TechFreedom and others.

The coalition letter highlighted the free speech concerns with continued bulk data collection by the NSA, noting: “The NSA mass surveillance programs already sweep up data about millions of people daily. This shadow of surveillance chills freedom of speech, undermines confidence in US Internet companies, and runs afoul of the Constitution.”

The public at large increasingly opposes dragnet government surveillance. An Associated Press/NORC poll released in September 2013 showed strong opposition to bulk data collection: Close to 60 percent of respondents opposed Internet and telephone record surveillance; 62 percent of respondents opposed collection of the contents of Americans’ emails without warrants.

If the FISA Improvements Act were to pass, the NSA would continue its collection of the telephone records of millions of Americans and could restart the bulk collection of Internet communication records — a program the government attempted under dubious legal grounds but abandoned because it wasn’t effective.

The FISA Improvements Act has already passed out of the Senate Intelligence Committee and could be taken up for a Senate vote. Last week, the Barack Obama Administration testified in support of the bill, and Feinstein has confirmed that she intends to work with the House on pushing her bill in January.

Read the opposition letter in full below. Help defeat this bill by emailing your member of Congress today.

December 18, 2013

Dear Members of Congress,

As civil liberties groups and other organizations advancing the public interest, we write this letter today to strongly urge you to oppose S. 1631, the FISA Improvements Act. The FISA Improvements Act does not offer real reform to stop the NSA’s mass collection of our communications and communications records. Instead, S. 1631 seeks to entrench some of the worst forms of NSA surveillance into US law and to extend the NSA surveillance programs in unprecedented ways.

If the FISA Improvements Act were to pass, the NSA would continue to collect telephone records of hundreds of millions of Americans not suspected of any crime. This is a violation of Americans’ privacy and Constitutional rights. Multiple polls, including a September 2013 Associated Press poll, consistently show a strong majority of the American people opposing such programs.

Furthermore, the bill seeks to permit the NSA to restart the bulk collection of Internet communication records—an extremely invasive, secret program the government attempted under dubious legal ground but abandoned because it wasn’t effective.

The NSA mass surveillance programs already sweep up data about millions of people daily. This shadow of surveillance chills freedom of speech, undermines confidence in US Internet companies, and runs afoul of the Constitution.

Please champion real reform to end these programs and oppose S. 1631, which would codify and expand them.

Sincerely,

Access
Advocacy for Principled Action in Government
AIDS Policy Project
American Civil Liberties Union
American Library Association
Amicus
Arab American Institute
Bill of Rights Defense Committee
Brennan Center for Justice at NYU Law School
Campaign for Liberty
Center for Democracy and Technology
Center for Rights
Charity & Security Network
Citizens for Responsibility and Ethics in Washington (CREW)
The Constitution Project
Council on American-Islamic Relations
CREDO Mobile
Cyber Privacy Project
Defending Dissent Foundation
Demand Progress
DownsizeDC.org
Electronic Frontier Foundation
F2C: Freedom to Connect
Fight for the Future
Firedoglake
Floor64
Free Press Action Fund
Free Software Foundation
Freedom of the Press Foundation
Government Accountability Project
Greenpeace USA
Human Rights Watch
InFo – The Foundation for Innovation and Internet Freedom
Liberty Coalition
Media Alliance
Media Mobilizing Project
Montgomery County Civil Rights Coalition
National Association of Criminal Defense Lawyers
National Coalition Against Censorship
New America Foundation’s Open Technology Institute
OpenMedia International
OpenTheGovernment.org
Participatory Politics Foundation
PEN American Center
PolitiHacks
Privacy Rights Clearinghouse
Progressive Change Campaign Committee
Project On Government Oversight
Public Knowledge
reddit
RootsAction.org
TechFreedom
The Rutherford Institute
ThoughtWorks

cc: Members of the House and Senate Judiciary and Intelligence Committees


A Plan For Broader Anti-Surveillance Action

This post, written by Cindy Cohn and Katitza Rodriguez and Parker Higgins, was originally published by the Electronic Frontier Foundation on Dec. 17.

Last Monday, eight of the largest Internet companies took the unprecedented step of publicly calling for an end to bulk collection of communications data. Then on Tuesday, a coalition of over 550 of the world’s leading authors (including 5 Nobel prize winners) issued a statement calling for a reassertion of our digital privacy. In the next few days, the United Nations General Assembly is expected to pass a key privacy resolution.

While all of these are heartening steps, the time is coming to fill in the details of the more general international calls for reform. Luckily, EFF and several other NGOs and legal scholars around the world have already developed a set of robust principles, called the 13 International Principles for the Application of Human Rights to Communications Surveillance—or more commonly, the Necessary and Proportionate Principles. These can be used by people around the world to push for stronger local legal protections, as well as by the United Nations and other international bodies. The Principles have so far been endorsed by over 329 organizations, 43 experts and elected officials, and thousands of individuals from around the world. They are also open for signature by companies. If you haven’t already signed them, you can do so today.

The Principles look beyond the current set of revelations to take a broad look at how modern communications surveillance technologies can be addressed consistent with human rights and the rule of law. Some of the key factors are:

Protect Critical Internet Infrastructure: No law should impose security holes in our technology in order to facilitate surveillance. Dumbing down the security of hundreds of millions of innocent people who rely on secure technologies in order to ensure surveillance capabilities against the very few bad guys is both overbroad and short-sighted. Yet one of the most significant revelations this year has been the extent to which NSA, GCHQ and others have done just that—they have secretly undermined the global communications infrastructure and services. They have obtained private encryption keys for commercial services relied on by individuals and companies alike and have put backdoors into and generally undermined security tools and even key cryptographic standards relied upon by millions around the world. The assumption underlying such efforts—that no communication can be truly secure—is inherently dangerous, leaving people at the mercy of good guys and bad guys alike. It must be rejected.

Protect Metadata: It’s time to move beyond the fallacy that information about communications is not as privacy invasive as communications themselves. Information about communications, also called metadata or non-content, can include the location of your cell phone, clickstream data, and search logs, and is just as invasive as reading your email or listening to your phone calls—if not more so. What is important is not the kind of data that is collected, but its effect on the privacy of the individual. Thus, the law must require high standards for government access — for criminal prosecutions this means the equivalent of a probable cause warrant issued by a court (or other impartial judicial authority)—whenever that access reveals previously nonpublic information about individual communications. This includes revealing a speaker’s identity if it is not public; the websites or social media one has encountered; the people one has communicated with; and when, from where, and for how long. In the pre-Internet age, the much more limited amount and kind of “metadata” available to law enforcement was treated as less sensitive than content, but given current communications surveillance capabilities, this can no longer be the case. Our metadata needs to be treated with the same level of privacy as our content.

Monitoring Equals Surveillance: Much of the expansive state surveillance revealed in the past year depends on confusion over whether actual “surveillance” has occurred and thus whether human rights obligations apply. Some have suggested that if information is merely collected and kept but not looked at by humans, no privacy invasion has occurred. Others argue that computers analyzing all communications in real-time for key words and other selectors is not “surveillance” for purposes of triggering legal protections. These differences in interpretation can mean the difference between targeted and mass surveillance of communications.

Definitions matter. This is why one of the crucial points in our principles is the definition of “Communications surveillance”, which encompasses the monitoring, interception, collection, analysis, use, preservation and retention of, interference with, or access to information that includes, reflects, or arises from a person’s communications in the past, present or future. States should not be able to bypass privacy protections on the basis of arbitrary definitions.

Mission Creep: Contrary to many official statements, the modern reality is that state intelligence agencies are involved in a much broader scope of activities than simply those related to national security or counterterrorism. The NSA and its partners, for example, have used the expansive powers granted to them for political and even economic spying—things that have little to do with the safety of the state and its citizens. Worse, the information collected by foreign intelligence agencies, it turns out, is routinely (and secretly!) re-used by domestic agencies such as the Drug Enforcement Agency, effectively bypassing the checks and balances imposed on such domestic agencies.

The Necessary and Proportionate Principles state that communications surveillance (including the collection of information or any interference with access to our data) must be proportionate to the objective it is intended to address. And equally importantly, even where surveillance is justified by one agency for one purpose, the Principles prohibit the unrestricted reuse of this information by other agencies for other purposes.

No Voluntary Cooperation: As we’ve learned about extralegal and voluntary deals between tech companies and intelligence agencies, it’s become increasingly clear that the terms of cooperation between governments and private entities must be made public. The Necessary and Proportionate Principles clarify that there is no scope for voluntary cooperation from companies unless a warrant has met the proportionality test.

Combat a Culture of Secret Law: The basis and interpretation of surveillance powers must be on the public record, and rigorous reporting and individual notification (with proper safeguards) must be required. The absence of transparency in surveillance laws and practices reflects a lack of compliance with human rights and the rule of law. Secret laws—whether about surveillance or anything else—are unacceptable. The state must not adopt or implement a surveillance practice without public law defining its limits. Moreover, the law must meet a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of, and can foresee, its application. When citizens are unaware of a law, its interpretation, or its application, it is effectively secret. A secret law is not a legal law.

Notification: Notification must be the norm, not the exception. Individuals should be notified of authorization of communications surveillance with enough time and information to enable them to appeal the decision, except when doing so would endanger the investigation at issue. Individuals should also have access to the materials presented in support of the application for authorization. The notification principle has become essential in fighting illegal or overreaching surveillance. Before the Internet, the police would knock on a suspect’s door, show their warrant, and provide the individual a reason for entering the suspect’s home. The person searched could watch the search occur and see whether the information gathered went beyond the scope of the warrant.

Electronic surveillance, however, is much more surreptitious. Data can be intercepted or acquired directly from a third party such as Facebook or Twitter without the individual knowing. Therefore, it is often impossible to know that one has been under surveillance, unless the evidence leads to criminal charges. As a result the innocent are the least likely to discover their privacy has been invaded. Indeed, new technologies have even enabled covert remote searches of personal computers. Any delay in notification has to be based upon a showing to a court, and tied to an actual danger to the investigation at issue or harm to a person.

Restore Proportionality: Authorities must have prior authorization by an independent and impartial judicial entity in order to determine that a certain act of surveillance has a sufficiently high likelihood to provide evidence that will address a serious harm. Any decisions about surveillance must weigh the benefits against the costs of violating an individual’s privacy and freedom of expression. Respect for due process also requires that any interference with fundamental rights must be properly enumerated in law that is consistently practiced and available to the public. A judge must ensure that freedoms are respected and limitations are appropriately applied.

Cross-Border Access Protection: Privacy protections must be consistent across borders at home and abroad. Governments should not bypass national privacy protections by relying on secretive informal data sharing agreements with foreign states or private international companies. Individuals should not be denied privacy rights simply because they live in another country from the one that is surveilling them. Where data is flowing across borders, the law of the jurisdiction with the greatest privacy protections should apply.

More To Be Done: The Necessary and Proportionate Principles provide a basic framework for governments to ensure the rule of law, oversight and safeguards. They also call for accountability, with penalties for unlawful access and strong and effective protections for whistleblowers. They are starting to serve as a model for reform around the world, and we urge governments, companies, NGOs and activists around the world to use them to structure necessary change. The technology companies’ statement last week is a welcome addition and a good start. It also highlights the conspicuous silence of the telecommunications companies, which appear to have a much bigger and deeper role in mass surveillance.

But while the Principles are aimed at governments, government action isn’t the only way to combat surveillance overreach. All of the communications companies, Internet and telecommunications alike, can help by securing their networks and limiting the information they collect. EFF has long recommended that online service providers collect the minimum amount of information for the minimum time that is necessary to perform their operations, and to effectively obfuscate, aggregate and delete unneeded user information. This helps them in their compliance burdens as well: if they collect less data, there is less data to hand over to the government.
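To make the "collect less, keep it shorter, coarsen what you keep" recommendation concrete, here is an added example of a data-minimization pass over web server access logs. It is illustrative code written for this page, not EFF's code or any provider's. It assumes Apache/nginx-style combined log lines (the sample lines are constructed), a seven-day retention window, and host-bit truncation of IPv4 addresses to /24 and IPv6 addresses to /48; each of those choices is a policy decision a provider would set for itself.

```python
"""Data-minimization pass over access logs (illustrative, not EFF's code).

Three reductions are applied, matching the three verbs in the text:
  * obfuscate: client IPs lose their host bits (IPv4 -> /24, IPv6 -> /48)
  * aggregate: per-day hit counts by path and status are kept as counters
  * delete:    per-request records older than RETENTION are dropped outright
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Assumed policy values; a real provider would tune these.
RETENTION = timedelta(days=7)
V4_PREFIX = 24
V6_PREFIX = 48

# Prefix of the combined log format: ip ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Dec/2013:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.77 - - [10/Dec/2013:14:05:30 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Dec/2013:09:00:00 +0000] "POST /login HTTP/1.1" 302 0',
    '2001:db8:abcd:1234::10 - - [11/Dec/2013:08:00:00 +0000] "GET /about HTTP/1.1" 404 120',
]
# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2013, 12, 12, tzinfo=timezone.utc)


def anonymize_ip(ip: str) -> str:
    """Zero the host bits so a retained record identifies a network, not a device."""
    addr = ipaddress.ip_address(ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def parse_line(line: str):
    """Return the fields we care about, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group("req").split()
    path = parts[1] if len(parts) > 1 else "-"
    return {"ip": m.group("ip"), "ts": ts, "path": path, "status": int(m.group("status"))}


def minimize(lines, now=NOW):
    """Apply obfuscate / aggregate / delete.

    Returns (retained, aggregates, dropped):
      retained   - per-request records inside the retention window, with the IP
                   truncated and the timestamp coarsened to a calendar day
      aggregates - Counter keyed by (day, path, status); safe to keep long-term
      dropped    - number of expired per-request records discarded
    """
    retained = []
    aggregates = Counter()
    dropped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        day = rec["ts"].date().isoformat()
        # Aggregate counts carry no per-user identifier, so they are always kept.
        aggregates[(day, rec["path"], rec["status"])] += 1
        if now - rec["ts"] > RETENTION:
            dropped += 1          # delete: expired per-request record
            continue
        retained.append({
            "ip": anonymize_ip(rec["ip"]),   # obfuscate
            "day": day,                      # coarsen: day, not second
            "path": rec["path"],
            "status": rec["status"],
        })
    return retained, aggregates, dropped


if __name__ == "__main__":
    kept, agg, gone = minimize(SAMPLE_LOG)
    print(f"retained={len(kept)} dropped={gone}")
    for r in kept:
        print(r)
    for key, n in sorted(agg.items()):
        print(key, n)
```

The point of the split into `retained` and `aggregates` is the compliance argument the paragraph makes: a request for "all records about user X" can only be answered from the per-request store, which is short-lived and already stripped of exact addresses and times, while the long-lived counters contain nothing that maps back to an individual.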

Working together, legal efforts like the Necessary and Proportionate Principles serving as a basis for international and national reforms, plus technical efforts like deploying encryption and limiting information collected, can serve as a foundation for a new era of private and secure digital communications.

The FAA Creates Thin Privacy Guidelines For The Nation’s First Domestic Drone ‘Test Sites’

This article, compiled by activist April Glaser and senior staff attorney Jennifer Lynch, was originally published by the Electronic Frontier Foundation.

Commercial unmanned aerial systems are set to start flying over U.S. airspace in 2015. In November, the Federal Aviation Administration released its final privacy rules for the six drone “test sites” that the agency will use to evaluate how drones will be integrated into domestic air traffic. These new privacy requirements were issued just days after Senator Ed Markey (D-Mass.) introduced a new bill, the Drone Aircraft Privacy and Transparency Act (DAPTA), intended to codify essential privacy and transparency requirements within the FAA’s regulatory framework for domestic drones and drone test sites.

In 2012, Obama signed the Federal Aviation Administration Modernization and Reform Act, which mandated that the FAA implement “test sites” to fly domestic drones before opening the door to nationwide regulations and licensing for commercial drone flying. Twenty-four States have applied to be FAA drone test sites. While the FAA’s rules do establish minimal transparency guidelines for the new drone test sites, the new rules apply only to the test sites and do not apply to the drones that are already authorized to fly.

The new transparency rules require each test site operator to create, post and enforce its own privacy policy, as well as set up “a mechanism to receive and consider comments from the public.” The FAA rules further state that test sites must require all drone operators to establish “a written plan for the operator’s use and retention of data collected by the UAS.” Although the FAA’s rules require the test site privacy policies to be made available to the public, there seems to be no similar requirement for the UAS operators’ “written plans.” There also appears to be no FAA oversight for these transparency rules; the rules basically call for the test sites to police themselves.

While the Electronic Frontier Foundation appreciates the steps the FAA has taken so far, the agency could and should go further to require similar transparency from all drone operators. The FAA has already authorized almost 1,500 permits for domestic drones since 2007; but, despite EFF’s two Freedom of Information Act lawsuits for drone data, EFF still doesn’t know much about where these drones are flying and what data they are collecting.

EFF submitted comments in the FAA’s rule-making process about what a good privacy policy for the drone test sites would look like, and only a few of its proposals were adopted into the new rules. The FAA did not, as EFF recommended, develop and provide a model privacy policy for all test site operators — something that would have been relatively easy to produce, considering the Federal reach of the agency. The FAA also could have gone further to ensure that data collected at drone test sites does not exceed Constitutional and other legal limitations. Nine States have passed laws that restrict the use of drones by either law enforcement or private citizens. Some of these States have also applied to be drone test sites, which would then test those existing State policies.

It is especially important for the FAA to define basic data collection procedures for domestic drones, because the technology enables a kind of surveillance not achievable by manned aerial or ground-based law enforcement or commercial entities. Some drones are capable of staying in the air for 16 to 24 hours at a time, much longer than a manned aircraft ever could. Drones can fly at altitudes above 20,000 feet with super-high-resolution cameras and can monitor and track many people at once or intercept phone calls and text messages. Drones also cost far less to purchase, operate and maintain than helicopters and planes.

A number of drone bills have been introduced in Congress over the past two years, but Markey’s proposed legislation is demanding of both the FAA and drone operators when it comes to protecting the Constitutional rights of Americans. DAPTA calls for the FAA to institute and enforce guidelines for all licensed domestic drone flights — not just test sites — that include clear data minimization procedures, as well as transparency rules that require drone test site operators to disclose their data collection practices and how drone operators use, retain and share all collected data.

Markey’s bill requires the FAA to create a publicly searchable database of all awarded drone operator licenses, the logistical details of their operation, and each drone operator’s data collection and minimization statement. Creating a database like this is within the FAA’s purview. The agency already runs other databases about aircraft in national airspace, listing who is in the air, accident reports and safety information.

Law enforcement agencies across the country are already flying drones without set national privacy guidelines in place. But at this point, EFF’s most successful tactic for learning more about drones has been to sue for access to information. The American public shouldn’t have to submit a Freedom of Information Act request just to know if drones are overhead. Markey’s bill is a strong start to what needs to be an ongoing conversation about the future of American privacy standards in light of the coming age of domestic drones. We need more lawmakers to speak up for greater transparency and accountability of both government and commercial operation of drones in our national airspace.

Until there are laws in place that mandate transparency, EFF encourages you to submit requests to your local law enforcement agency and city council to learn more about drone flights in your area. EFF has partnered with MuckRock, an open government organization dedicated to helping people send requests for public records, to campaign for greater transparency about drones that are already flying in the United States. If you’re wondering what your own police agency may be doing with drones, go here and fill out this simple form so MuckRock can send in a public records request for you.

Electronic Frontier Foundation Issues Legal Challenge To Warrantless Cell Phone Tracking

Alarming information about just how frequently law enforcement officials across the country (not to mention the NSA) are trying to get cell phone data, including your location, seems to be published in the news media every day. With these privacy concerns in mind, last week we filed an amicus brief in the Connecticut Appellate Court in State v. Smith, urging it to find the state police violated the Fourth Amendment when it obtained cell tower records without a search warrant.

In this case, police were investigating a bank robbery and wanted to get cell phone records to tie the defendant to the crime. Officers obtained an ex parte order from the court that allowed them to obtain six months’ worth of Smith’s cell phone records, including subscriber information and cell tower connection records. Even though the government went to a judge to get authorization to get the records, they didn’t get a search warrant. Instead, both Federal and Connecticut State law authorize police to obtain cell phone location records with a showing less than the probable cause required to obtain a warrant. The trial court found the records were obtained properly, and Smith was convicted and sentenced to 55 years in prison.

On appeal, Smith argues that the 4th Amendment’s prohibition against unreasonable searches and seizures means the police must obtain a search warrant supported by probable cause to get cell site records. Our brief agrees, explaining how cell site records can reveal a person’s location with increasing precision, triggering an expectation of privacy and requiring police to obtain a probable cause search warrant in order to access this information. The warrant requirement is a minimal additional burden, since police have to go to a judge anyway to get the records under current law. Our new amicus brief follows on the heels of other briefs we’ve filed on the topic in State and Federal courts across the country, arguing that police must obtain a search warrant to get access to a cell phone company’s records about which towers a cell phone connects to.

This is a pervasive problem, with warrantless searches going on across the country. Senator Edward Markey (D-MA) recently published responses he received to a number of questions he sent to seven different cell phone providers about their interactions with law enforcement. The responses detailed how many law enforcement requests they received in 2012, what type of judicial or administrative orders they require before they produce records, and how much money they were reimbursed by the government. We hope to have more about these responses soon, but the quick takeaway is that law enforcement is making a great many requests to cell phone providers, including over 9,000 requests for “tower dumps,” a 21st century general warrant that asks a cell phone provider to disclose the records of all the phones that connect to a cell phone tower at a particular time.

Senator Markey has indicated he hopes to introduce a bill to require police to obtain a search warrant before accessing these records, a legislative fix that has been proposed in Congress before but gone nowhere. But this time, with growing concern over the government’s surveillance capabilities and the lead of states like Maine, Montana and New Jersey, which have all adopted a warrant requirement for cell tracking by legislation or court decision, we’re hopeful that lawmakers will understand the privacy interests at stake and safeguard our locations with a search warrant.

EFF’s Updated List Of Who Protects Your Online Information

This article, compiled by senior staff attorney Kurt Opsahl, staff attorney Nate Cardozo and activist Parker Higgins, was originally published by the Electronic Frontier Foundation on Dec. 5.

The Electronic Frontier Foundation has asked the companies in its Who Has Your Back Program what they are doing to bolster encryption in light of the National Security Agency’s unlawful surveillance of your communications. EFF is pleased to see that four companies — Dropbox, Google, SpiderOak and Sonic.net — are implementing five out of five of EFF’s best practices for encryption. In addition, EFF appreciates that Yahoo! just announced several measures it plans to take to increase encryption, including the very critical encryption of data center links, and that Twitter has confirmed that it has encryption of data center links in progress. See the infographic.

By adopting these practices, described below, these service providers have taken a critical step toward protecting their users from warrantless seizure of their information off of fiber-optic cables. By enabling encryption across their networks, service providers can make backdoor surveillance more challenging, requiring the government to go to courts and use legal process. While Lavabit’s travails have shown how difficult that can be for service providers, at least there was the opportunity to fight back in court.

While not every company in EFF’s survey has implemented every recommendation, each step taken helps; and EFF appreciates those who have worked to strengthen their security. EFF hopes that every online service provider adopts these best practices and continues to work to protect their networks and their users.

Crypto Survey Results

UPDATE, Nov. 20: Facebook and Tumblr have provided further information to supplement the Encrypt the Web Report. EFF is pleased to report that Tumblr is planning to upgrade its Web connections to HTTPS this year and implement HSTS by 2014, and Facebook is working on encrypting data center links and implementing STARTTLS.

UPDATE, Nov. 22: Google has provided further information to supplement the report on its use of HSTS. See the updated chart below and the notes for more information.

UPDATE, Dec. 5: Microsoft has provided further information, announcing a plan to expand encryption across all its services, including encrypting links between data centers and implementing forward secrecy by the end of 2014.

[Infographic: Encrypt the Web crypto survey chart, updated Dec. 5, 2013]

Why Crypto Is So Important

The NSA’s MUSCULAR program, which tapped into the fiber-optic lines connecting the data centers of Internet giants like Google and Yahoo, exposed the tremendous vulnerabilities companies can face when up against as powerful an agency as the NSA. Bypassing the companies’ legal departments, the program grabbed extralegal access to your communications, without even the courtesy of an order from the secret rubber-stamp Foreign Intelligence Surveillance Court. The program is not right, and it’s not just.

With that in mind, EFF has asked service providers to implement strong encryption. EFF would like to see encryption on every step of the way for a communication on its way to, or within, a service provider’s systems.

For starters, EFF has asked companies to encrypt their websites with Hypertext Transfer Protocol Secure (HTTPS) by default. This means that when a user connects to a website, it will automatically use a channel that encrypts the communications from the user’s computer to the website.

EFF has also asked them to flag all authentication cookies as secure. The secure flag directs Web browsers to send these cookies only over an encrypted connection, so cookie traffic is limited to encrypted transmission. That stops network operators from stealing (or even logging) users’ identities by sniffing authentication cookies going over insecure connections.

To ensure that the communication remains secure, EFF has asked companies to enable HTTP Strict Transport Security (HSTS). HSTS essentially insists on using secure communications, preventing certain attacks where a network pretends that the site has asked to communicate insecurely.

All of these technologies are now industry-standard best practices. While they encrypt the communications from the end user to the server and back, the MUSCULAR revelations have shown this is not enough. Accordingly, EFF has asked service providers to encrypt communications between company cloud servers and data centers. Anytime a user’s data transits a network, it should be strongly encrypted, in case an attacker has access to the physical data links or has compromised the network equipment.

In addition, we have asked for email service providers to implement STARTTLS for email transfer. STARTTLS is an opportunistic encryption system, which encrypts communications between email servers that use the Simple Mail Transfer Protocol (SMTP) standard. When a user emails someone on a different provider (say, a Hotmail user writing to a Gmail user), the mail message will have to be delivered over the Internet. If both email servers understand STARTTLS, then the communications will be encrypted in transit. If only Gmail does but Hotmail does not (the current situation), they will be in the clear and exposed to eavesdropping, so it’s critical to get as many email service providers as possible to implement the system.

Finally, EFF has asked companies to use forward secrecy for their encryption keys. Forward secrecy, sometimes called “perfect forward secrecy,” is designed to protect previously encrypted communications, even if one of the service providers’ keys is later compromised. Without forward secrecy, an attacker who learns a service provider’s secret key can use it to go back and read previously incomprehensible encrypted communications — perhaps ones that were recorded months or years in the past.
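The practices just described can be checked from the outside for a service you operate. The script below is an added example and is not EFF’s survey tooling or any provider’s code; the hostnames, response headers, SMTP EHLO replies and cipher suite names it consumes are constructed, and encryption of data center links is left unscored because a single response cannot reveal it.

```python
"""Offline checker for the encryption practices described above (added example,
not EFF's survey tooling). Inputs are constructed artifacts an operator can
capture from their own service: plain-HTTP response, HTTPS response headers,
SMTP EHLO reply, and the negotiated TLS cipher suite. Data center link
encryption is internal to the provider and cannot be scored from a response."""
import re

# Cookie names that usually carry a session or login credential (heuristic).
AUTH_COOKIE_HINT = re.compile(r"sess|auth|token|sid|login", re.I)
# Ephemeral (EC)DH key exchange, written ECDHE/DHE in OpenSSL ("ECDHE-RSA-...")
# and IANA ("TLS_ECDHE_RSA_WITH_...") suite names, is what gives forward secrecy.
EPHEMERAL_KEX = re.compile(r"(?:^|_)(?:ECDHE|DHE)[-_]")
# TLS 1.3 suites name no key exchange because it is always ephemeral.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")

def header_values(headers, name):
    """All values of a header (case-insensitive) from a list of (name, value)."""
    return [v for n, v in headers if n.lower() == name.lower()]

def https_by_default(status, headers):
    """A plain-HTTP request must be answered with a redirect to an https:// URL."""
    if status not in (301, 302, 307, 308):
        return False
    locs = header_values(headers, "Location")
    return bool(locs) and locs[0].lower().startswith("https://")

def hsts_enabled(headers):
    """Strict-Transport-Security with a positive max-age must be present."""
    for v in header_values(headers, "Strict-Transport-Security"):
        m = re.search(r"max-age=(\d+)", v, re.I)
        if m and int(m.group(1)) > 0:
            return True
    return False

def insecure_auth_cookies(headers):
    """Names of authentication-looking cookies set without the Secure flag."""
    leaks = []
    for v in header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if AUTH_COOKIE_HINT.search(name) and "secure" not in attrs:
            leaks.append(name)
    return leaks

def starttls_advertised(ehlo_reply):
    """RFC 3207: the server lists STARTTLS among its EHLO extensions."""
    for line in ehlo_reply.splitlines():
        # Each line is a 3-digit code, then '-' (more follow) or ' ' (last line).
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False

def forward_secrecy(cipher_suite):
    """True when the negotiated suite uses an ephemeral key exchange."""
    return cipher_suite.startswith(TLS13_PREFIXES) or bool(EPHEMERAL_KEX.search(cipher_suite))

def survey(site):
    """Score one site (a dict of captured artifacts) against the practices."""
    return {
        "https_by_default": https_by_default(site["http_status"], site["http_headers"]),
        "secure_cookies": not insecure_auth_cookies(site["https_headers"]),
        "hsts": hsts_enabled(site["https_headers"]),
        "starttls": starttls_advertised(site["ehlo_reply"]),
        "forward_secrecy": forward_secrecy(site["cipher_suite"]),
    }

# Constructed captures for two hypothetical providers (not real survey data).
HARDENED = {
    "http_status": 301,
    "http_headers": [("Location", "https://mail.example.test/")],
    "https_headers": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "SESSID=abc123; Secure; HttpOnly; Path=/"),
    ],
    "ehlo_reply": "250-mx.example.test\r\n250-STARTTLS\r\n250 SIZE 35882577",
    "cipher_suite": "ECDHE-RSA-AES128-GCM-SHA256",
}
WEAK = {
    "http_status": 200,  # serves the site over plain HTTP, no redirect
    "http_headers": [("Content-Type", "text/html")],
    "https_headers": [("Set-Cookie", "auth_token=xyz; Path=/")],  # no Secure flag
    "ehlo_reply": "250-mx.weak.test\r\n250 SIZE 10240000",
    "cipher_suite": "AES128-SHA",  # static RSA key exchange: no forward secrecy
}

if __name__ == "__main__":
    for label, site in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, survey(site))
```

A real run would replace the constructed dicts with headers captured by an HTTP client, the EHLO banner from an SMTP session on port 25, and the cipher reported by the TLS library after the handshake.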

1. The HSTS domains are wallet.google.com; checkout.google.com; chrome.google.com; docs.google.com; sites.google.com; spreadsheets.google.com; appengine.google.com; encrypted.google.com; accounts.google.com; profiles.google.com; mail.google.com; talkgadget.google.com; talk.google.com; hostedtalkgadget.google.com; plus.google.com; plus.sandbox.google.com; script.google.com; history.google.com; security.google.com; goto.google.com; market.android.com; ssl.google-analytics.com; drive.google.com; googleplex.com; groups.google.com; apis.google.com; chromiumcodereview.appspot.com; chrome-devtools-frontend.appspot.com; codereview.appspot.com; codereview.chromium.org; code.google.com; dl.google.com; translate.googleapis.com; oraprodsso.corp.google.com; oraprodmv.corp.google.com; gmail.com; googlemail.com; www.gmail.com; www.googlemail.com; google-analytics.com; and googlegroups.com.

Electronic Frontier Foundation Calls For Update To Archaic Email Privacy Law

This article, compiled by activist April Glaser and attorney Nate Cardozo, was originally published by the Electronic Frontier Foundation.

The Electronic Frontier Foundation is calling for reform of the Electronic Communications Privacy Act (ECPA), the 1986 law used by the government to access your online documents, messages, and emails stored in the cloud without a warrant.

ECPA is sorely outdated. It was enacted before web-based email became ubiquitous and “the cloud” meant only airborne water vapor. The law purports to allow for any opened emails or unopened emails left on a server for more than 180 days to be treated like abandoned property. Although the courts disagree, some agencies believe that ECPA allows law enforcement to access stored content with a mere subpoena. That interpretation created a senseless distinction—law enforcement was required to meet a much lower standard to access your saved webmail than the warrant standard that would be required if the same emails were printed and stored in your file cabinet. ECPA should not be used to bypass 4th Amendment protections that cover our personal email accounts, our social media messages, or anything else using cloud storage.

In the midst of the global outrage sparked by the 2013 revelations of warrantless NSA surveillance, we’ve also learned that the National Security Agency actively collaborates with the FBI and other government agencies to access private emails and Internet data stored by U.S. companies. Even if we are successful in reining in the NSA’s overly broad and unconstitutional surveillance, without ECPA reform other government agencies could still claim the legal authority to continue the massive collection of millions of innocent people’s personal communications and data without due process.

Bills to reform ECPA have gained huge bipartisan support. Earlier in the year, the Senate Judiciary Committee voted unanimously to update our outdated electronic privacy law. And now, a similar bill is being debated in the House. The problem is that government agencies like the Securities and Exchange Commission are asking for a special carve-out permitting the agency to access email and data stored by Internet service providers without a warrant. This exception, if granted, would completely undermine meaningful, and much needed, ECPA reform.

EFF is a member of the Digital Due Process coalition, a collection of tech companies, start-ups, privacy advocates, and think tanks working to update ECPA to ensure that laws continue to protect the rights of users as technologies advance and usage patterns evolve. Today, please join us in demanding long-overdue updates to our archaic electronic privacy laws.

Speak out:

1. You can sign the White House Petition calling on the Obama Administration to reject agency demands for unjustified surveillance authority that would undermine critically needed ECPA reform. Check out the privacy policy of the White House site here.

2. You can send an email to your representatives in Congress using the EFF action center: Don’t Let Privacy Law Get Stuck in 1986: Demand a Digital Upgrade to the Electronic Communications Privacy Act

Does Video Surveillance Of A Home For A Month Violate The 4th Amendment?

This article, originally published by the Electronic Frontier Foundation, was written by attorney Hanni Fakhoury.

Just because a jogger can see the outside of your home on a public street doesn’t mean you’ve surrendered all your privacy expectations in the home. However, that seemingly obvious concept is being put to the test in a federal criminal case in Washington state, which involves the constitutionality of using a camera mounted on a pole outside a house to allow the police to watch the home for almost a month. Senior District Court Judge Edward Shea invited EFF to submit an amicus brief in the case and Monday we filed our brief, arguing prolonged warrantless video surveillance violates the 4th Amendment.

In United States v. Vargas, local police in Franklin County, Washington suspected Leonel Vargas of drug trafficking and in April 2013 installed a pole camera on a public road overlooking Vargas’ rural home. They did not get a search warrant to install or use the camera, which was pointed squarely at the front door and driveway of the home. Officers had the ability to pan the camera around and zoom in and out, all from the comfort of the police station. They watched the outside of Vargas’ home for more than a month, taking notice of who visited him and what cars they were driving. They observed no criminal activity until a month after they began snooping, when officers saw him shooting a gun at beer bottles in what appeared to be target practice. Because officers had learned earlier that Vargas was undocumented, they had probable cause to believe he had committed a Federal crime by possessing a firearm. They used this surveillance to get a search warrant to enter Vargas’ home, and the search turned up drugs and guns, which form the criminal charges against Vargas.

Vargas moved to suppress the video surveillance, arguing the use of the pole camera violated the 4th Amendment, which prohibits unreasonable searches. Since the front yard and door of Vargas’ home are considered “curtilage,” they are entitled to the same 4th Amendment protection as the home, where warrantless searches are considered per se unreasonable.

In defending the surveillance, the government argued that Vargas had no expectation of privacy since he exposed the front of his house to the public. But no one expects their house to be placed under invasive 24/7 video surveillance for a month. Although the U.S. Supreme Court in the 1980s previously authorized warrantless aerial surveillance in California v. Ciraolo, Dow Chemical Co. v. United States and Florida v. Riley, all of those cases involved one-time fly-overs, not continuous surveillance. Like GPS and cell phone tracking, prolonged video surveillance of a person’s home raises much more significant 4th Amendment problems than a one-time observation. Non-stop video surveillance — especially of a person’s home — allows the police to determine a person’s associations and patterns of movements, information that can be extremely revealing.

The invasiveness of video surveillance has led courts to require the police to do more than just get a search warrant to engage in this kind of snooping. Law enforcement must make additional showings to the court — similar to those necessary to obtain authorization to wiretap a phone call — before engaging in covert video surveillance. Any other rule would allow the police free rein to silently watch and record those they dislike, waiting for someone to inevitably commit one of the myriad federal crimes. Since the police had no warrant or judicial authorization whatsoever to video record Vargas’ home for a month, the surveillance violated the 4th Amendment and all the evidence the police seized as a result of the surveillance can’t be used against Vargas in his criminal case.

These arguments touch upon more than pole cameras. As police departments around the country get their hands on new technologies like drones and mesh networks, the ability to move around anonymously and privately will be significantly impaired. It’s crucial for courts to play a role in policing the police and their new toys by overseeing the use of these technologies.

Judge Shea will hear oral argument on the motion on February 11, 2014 at 10am at the federal courthouse in Richland, Washington.

An Open Letter Urging Universities To Encourage Conversation About Online Privacy

This article, written by EFF activist April Glaser, was originally published on the foundation’s website on Dec. 2.

When a group of students from Iowa State University (ISU) contacted the Electronic Frontier Foundation about forming an ISU Digital Freedom group, they were facing an unexpected problem: Despite their simple goal of fostering a healthy conversation around freedom-enhancing software, the university administration denied them official recognition. The university has since granted the Digital Freedom group the green light to meet on campus, but under unduly restrictive conditions. These students’ story is instructive to students around the country and the world who are concerned about online privacy.

The administration initially denied the Digital Freedom Group’s proposal because it did not want ISU students either to advocate for or participate in the “secrecy network” Tor, and would not permit the student group to use any “free software designed to enable online anonymity.” The students had not proposed that a Tor node be established on campus. Rather they asked that they be able to provide a forum to “discuss, learn and practice techniques to anonymize and protect digital communication.”

The students were told they had to gain clearance from the Iowa State University attorneys and security clearance from the university’s Chief Information Officer. They were ultimately successful, and Iowa State University is now home to its very own Digital Freedom Group.

EFF strongly supports the formation of student groups like the Digital Freedom Group that aim to discuss and learn about methods for secure and private use of the Internet. We submit this open letter to campus activity review boards across the world that may feel a similar hesitation on the topic of online anonymity and privacy. Students, professors, and staff from other universities are invited to contact us [students@eff.org] with stories of misguided, speech-chilling policies.

University administrations around the world,

A healthy conversation about online privacy should never be stifled. Yet we’ve heard too many stories of students whose efforts to initiate these conversations have faced roadblocks from university administrators fearful of encryption and anonymity software.

But the time has come now to embrace these technologies, not blindly reject them. There is nothing to fear about online privacy and the various tools available to achieve it.

The demonization of technology because of a few bad actors is a dangerous path. Think about it: the classification of a computer as a machine designed for cybercrime, makes no more sense than maligning cell phones because drug dealers use them to make illegal sales. Instead, we should encourage ethical and responsible use of technologies. The best way to do this is through meaningful conversation that explains how technologies function and the myriad ways technology is and can be utilized.

Tor, in particular, was originally developed by the U.S. Naval Research Laboratory for the purposes of protecting government communications. But today it is used to serve a variety of needs. Journalists use Tor to protect the anonymity of their sources; Internet users in countries where information is censored use Tor to circumvent oppressive firewalls; lawyers use Tor to exchange sensitive information relating to a case; corporations use Tor to protect trade secrets; and people use Tor every day to have conversations about topics they might feel uncomfortable discussing without the protection anonymity provides. The technology is popular among survivors of rape or gang violence and medical patients who want to take part in online communities, but may only wish to do so anonymously.

Anonymous speech has a long history in democratic societies, particularly when used by those whose politically contentious views might have put them ill-at-ease amongst their contemporaries (like Mark Twain, Voltaire, and George Orwell—all pen names). The Federalist Papers were written under the collective pen name Publius to protect the identities of the individual authors. In a similar fashion, Tor gives people the opportunity to discuss anything, freely and without fear of being tracked or chastised for their opinions.

There are other free software tools that we consider to be good hygiene for a privacy-conscious user, like GPG email encryption, which is used to keep email communication private from malicious hackers or unconstitutional government surveillance. There is also our HTTPS Everywhere browser extension, designed to encrypt data that travels between a user’s computer and a website. These practices are not designed to cloak criminals from the view of law-enforcement. Rather, they are intended to make experiences online as trustworthy as possible, despite the fact that the interactions occur across great distances between people and organizations that may never meet in the physical sense.

Conversations about online privacy and security should be encouraged, and never silenced. The more that students understand how security threats function and the myriad ways they can protect their communications and identity, the less vulnerable they are to cybercrime or unwanted surveillance. Privacy technologies can be introduced as a framework grounded in ethical applications and First Amendment principles.

Please never hesitate to contact the Electronic Frontier Foundation with questions about online privacy or anonymity tools, and more importantly, think twice before ever limiting what students can and cannot discuss openly, especially when it comes to the use of technology. Healthy and open dialogue about how students can, should, and do use existing technologies is far better than forcing secrecy, which may only serve to promote notions of criminality about Internet practices that, if used properly, serve to enhance and protect our basic rights online.

Securely and sincerely,

The Electronic Frontier Foundation

PS: Please see and share our “Myths and Facts About Tor” document for a deeper discussion about the oft-misunderstood software.

EFF Calls Out Wall Street Journal For Getting Facts Wrong About NSA Surveillance

Wall Street Journal columnist L. Gordon Crovitz wrote a misleading and error-filled column about NSA surveillance on Monday, based on documents obtained by EFF through our Freedom of Information Act lawsuit. Since we’ve been poring over the documents for the last week, we felt it was important to set the record straight about what they actually reveal.

Crovitz:

Edward Snowden thought he was exposing the National Security Agency’s lawless spying on Americans. But the more information emerges about how the NSA conducts surveillance, the clearer it becomes that this is an agency obsessed with complying with the complex rules limiting its authority.

That’s an interesting interpretation of the recently released documents, given that one of the two main FISA court opinions released says the NSA was engaged in “systemic overcollection” of American Internet data for years, and committed “longstanding and pervasive violations of the prior orders in this matter.” The court summarized what it called the government’s “frequent failures to comply with the [surveillance program’s] terms” and their “apparent widespread disregard of [FISA court imposed] restrictions.”

Crovitz:

[The documents] portray an agency acting under the watchful eye of hundreds of lawyers and compliance officers.

Again, this is not what the actual FISA court opinions portray. “NSA’s record of compliance with these rules has been poor,” and “those responsible for conducting oversight failed to do so effectively,” FISA court Judge Bates wrote in the key opinion released last week. In another FISA court opinion from 2009, released two months ago, the NSA admitted that not a single person in the entire agency accurately understood or could describe the NSA’s whole surveillance system to the court.

It’s true that the number of compliance officers at the NSA has increased in recent years, but as the Washington Post reported, so has the number of privacy violations.

Crovitz:

These documents disprove one of Mr. Snowden’s central claims: “I, sitting at my desk, certainly had the authority to wiretap anyone, from you or your accountant, to a federal judge, to even the president if I had a personal email,” he told the Guardian, a British newspaper.

Here, Crovitz is setting up a strawman. Snowden wasn’t talking about the NSA’s legal authority, but their technical authority to conduct such searches. Snowden was likely referring to XKeyScore, which the Guardian reported allowed NSA analysts to “search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals.”

We actually have a specific example that proves Snowden’s point. As the New York Times reported in 2009, an NSA analyst “improperly accessed” former President Bill Clinton’s personal email. More recently, we’ve learned that NSA analysts abused the agency’s vast surveillance powers to spy on ex-spouses or former lovers.

Crovitz:

The NSA also released the legal arguments the Justice Department used in 2006 to justify collection of phone metadata—the telephone number of the calling and called parties and the date, time and duration of the call.

Metadata collection is about connecting the dots linking potential terrorist accomplices. The Clinton administration created barriers to the use of metadata, which the 9/11 Commission concluded let the terrorists avoid detection. Since then, metadata has helped stop dozens of plots, including an Islamist plan to blow up the New York Stock Exchange in 2008.

Again, not true. As Intelligence Committee members Sen. Ron Wyden and Sen. Mark Udall have continually emphasized, there is “no evidence” that the phone metadata program is effective at stopping terrorists. Independent analyses have come to the same conclusion. When called out on that number in a Congressional hearing, even NSA Director Keith Alexander admitted the number was exaggerated.

The only “disrupted plot” the NSA can point to that was solely the work of the phone metadata program was a case where a man from San Diego sent a few thousand dollars to the al-Shabaab organization in Africa in 2008. In other words, the metadata did not disrupt an active terrorist plot inside the US at all.

Crovitz:

The declassified brief from 2006 made clear that such metadata “would never even be seen by any human being unless a terrorist connection were first established,” estimating that “0.000025% or one in four million” of the call records “actually would be seen by a trained analyst.”

The major 2009 FISA court opinion released in September, which apparently Mr. Crovitz either didn’t read or conveniently left out of his piece, showed that the NSA had been systematically querying part of this phone records database for years for numbers that the agency did not have a “reasonable articulable suspicion” were involved in terrorism—as they were required to have by the FISA court. Of the more than 17,000 numbers that the NSA was querying every day, the agency only had “reasonable articulable suspicion” for approximately 1,800 of them.

The FISA court concluded, five years after the metadata program was brought under a legal framework, that it had been “so frequently and systematically violated that it can fairly be said that this critical element of the overall…regime has never functioned effectively.”

These documents clearly do not paint a picture of an agency with a clean privacy record and a reputation for following court rules, as Mr. Crovitz claims, and in fact, they show why it is vital Congress passes substantive NSA reform immediately. You can go here to take action.