Does Video Surveillance Of A Home For A Month Violate The 4th Amendment

This article, originally published by the Electronic Frontier Foundation, was written by attorney Hanni Fakhoury.

Just because a jogger can see the outside of your home on a public street doesn’t mean you’ve surrendered all your privacy expectations in the home. However, that seemingly obvious concept is being put to the test in a federal criminal case in Washington state, which involves the constitutionality of using a camera mounted on a pole outside a house to allow the police to watch the home for almost a month. Senior District Court Judge Edward Shea invited EFF to submit an amicus brief in the case and Monday we filed our brief, arguing prolonged warrantless video surveillance violates the 4th Amendment.

In United States v. Vargas, local police in Franklin County, Washington suspected Leonel Vargas of drug trafficking and in April 2013, installed a pole camera on a public road overlooking Vargas’ rural home. They did not get a search warrant to install or use the camera, which was pointed squarely at the front door and driveway of the home. Officers had the ability to pan the camera around and zoom in and out all from the comfort of the police station. They watched the outside of Vargas’ home for more than a month, taking notice of who visited him and what cars they were driving. They observed no criminal activity until a month after they began snooping, when officers saw him shooting a gun at beer bottles in what appeared to be target practice. Because the officers had learned earlier that Vargas was undocumented, they had probable cause to believe he had committed a federal crime by possessing a firearm. They used this surveillance to get a search warrant to enter Vargas’ home, and the search turned up drugs and guns, which form the criminal charges against Vargas.

Vargas moved to suppress the video surveillance, arguing the use of the pole camera violated the 4th Amendment, which prohibits unreasonable searches. Since the front yard and door of Vargas’ home are considered “curtilage,” they are entitled to the same 4th Amendment protection as the home, where warrantless searches are considered per se unreasonable.

In defending the surveillance, the government argued that Vargas had no expectation of privacy since he exposed the front of his house to the public. But no one expects their house to be placed under invasive 24/7 video surveillance for a month. Although the U.S. Supreme Court in the 1980s previously authorized warrantless aerial surveillance in California v. Ciraolo, Dow Chemical Co. v. United States and Florida v. Riley, all of those cases involved one-time fly-overs, not continuous surveillance. Like GPS and cell phone tracking, prolonged video surveillance of a person’s home raises much more significant 4th Amendment problems than a one-time observation. Non-stop video surveillance — especially of a person’s home — allows the police to determine a person’s associations and patterns of movements, information that can be extremely revealing.

The invasiveness of video surveillance has led courts to require the police to do more than just get a search warrant to engage in this kind of snooping. Law enforcement must make additional showings to the court — similar to those necessary to obtain authorization to wiretap a phone call — before engaging in covert video surveillance. Any other rule would allow the police free rein to silently watch and record those they dislike, waiting for someone to inevitably commit one of the myriad federal crimes. Since the police had no warrant or judicial authorization whatsoever to video record Vargas’ home for a month, the surveillance violated the 4th Amendment and all the evidence the police seized as a result of the surveillance can’t be used against Vargas in his criminal case.

These arguments touch upon more than pole cameras. As police departments around the country get their hands on new technologies like drones and mesh networks, the ability to move around anonymously and privately will be significantly impaired. It’s crucial for courts to play a role in policing the police and their new toys by overseeing the use of these technologies.

Judge Shea will hear oral argument on the motion on February 11, 2014 at 10am at the federal courthouse in Richland, Washington.

An Open Letter Urging Universities To Encourage Conversation About Online Privacy

This article, written by EFF activist April Glaser, was originally published on the foundation’s website on Dec. 2.

When a group of students from Iowa State University (ISU) contacted the Electronic Frontier Foundation about forming an ISU Digital Freedom group, they were facing an unexpected problem: Despite their simple goal of fostering a healthy conversation around freedom-enhancing software, the university administration denied them official recognition. The university has since granted the Digital Freedom group the green light to meet on campus, but under unduly restrictive conditions. These students’ story is instructive to students around the country and the world who are concerned about online privacy.

The administration initially denied the Digital Freedom Group’s proposal because it did not want ISU students either to advocate for or participate in the “secrecy network” Tor, and would not permit the student group to use any “free software designed to enable online anonymity.” The students had not proposed that a Tor node be established on campus. Rather they asked that they be able to provide a forum to “discuss, learn and practice techniques to anonymize and protect digital communication.”

The students were told they had to gain clearance from the Iowa State University attorneys and security clearance from the university’s Chief Information Officer. They were ultimately successful, and Iowa State University is now home to its very own Digital Freedom Group.

EFF strongly supports the formation of student groups like the Digital Freedom Group that aim to discuss and learn about methods for secure and private use of the Internet. We submit this open letter to campus activity review boards across the world that may feel a similar hesitation on the topic of online anonymity and privacy. Students, professors, and staff from other universities are invited to contact us with stories of misguided, speech-chilling policies.

University administrations around the world,

A healthy conversation about online privacy should never be stifled. Yet we’ve heard too many stories of students whose efforts to initiate these conversations have faced roadblocks from university administrators fearful of encryption and anonymity software.

But the time has come now to embrace these technologies, not blindly reject them. There is nothing to fear about online privacy and the various tools available to achieve it.

The demonization of technology because of a few bad actors is a dangerous path. Think about it: classifying a computer as a machine designed for cybercrime makes no more sense than maligning cell phones because drug dealers use them to make illegal sales. Instead, we should encourage ethical and responsible use of technologies. The best way to do this is through meaningful conversation that explains how technologies function and the myriad ways technology is and can be utilized.

Tor, in particular, was originally developed by the U.S. Naval Research Laboratory for the purposes of protecting government communications. But today it is used to serve a variety of needs. Journalists use Tor to protect the anonymity of their sources; Internet users in countries where information is censored use Tor to circumvent oppressive firewalls; lawyers use Tor to exchange sensitive information relating to a case; corporations use Tor to protect trade secrets; and people use Tor every day to have conversations about topics they might feel uncomfortable discussing without the protection anonymity provides. The technology is popular among survivors of rape or gang violence and medical patients who want to take part in online communities, but may only wish to do so anonymously.

Anonymous speech has a long history in democratic societies, particularly when used by those whose politically contentious views might have put them ill-at-ease amongst their contemporaries (like Mark Twain, Voltaire, and George Orwell—all pen names). The Federalist Papers were written under the collective pen name Publius to protect the identities of the individual authors. In a similar fashion, Tor gives people the opportunity to discuss anything, freely and without fear of being tracked or chastised for their opinions.

There are other free software tools that we consider to be good hygiene for a privacy-conscious user, like GPG email encryption, which is used to keep email communication private from malicious hackers or unconstitutional government surveillance. There is also our HTTPS Everywhere browser extension, designed to encrypt data that travels between a user’s computer and a website. These practices are not designed to cloak criminals from the view of law-enforcement. Rather, they are intended to make experiences online as trustworthy as possible, despite the fact that the interactions occur across great distances between people and organizations that may never meet in the physical sense.

Conversations about online privacy and security should be encouraged, and never silenced. The more that students understand how security threats function and the myriad ways they can protect their communications and identity, the less vulnerable they are to cybercrime or unwanted surveillance. Privacy technologies can be introduced as a framework grounded in ethical applications and First Amendment principles.

Please never hesitate to contact the Electronic Frontier Foundation with questions about online privacy or anonymity tools, and more importantly, think twice before ever limiting what students can and cannot discuss openly, especially when it comes to the use of technology. Healthy and open dialogue about how students can, should, and do use existing technologies is far better than forcing secrecy, which may only serve to promote notions of criminality about Internet practices that, if used properly, serve to enhance and protect our basic rights online.

Securely and sincerely,

The Electronic Frontier Foundation

PS: Please see and share our “Myths and Facts About Tor” document for a deeper discussion about the oft-misunderstood software.

EFF Calls Out Wall Street Journal For Getting Facts Wrong About NSA Surveillance

Wall Street Journal columnist L. Gordon Crovitz wrote a misleading and error-filled column about NSA surveillance on Monday, based on documents obtained by EFF through our Freedom of Information Act lawsuit. Since we’ve been poring over the documents for the last week, we felt it was important to set the record straight about what they actually reveal.

“Edward Snowden thought he was exposing the National Security Agency’s lawless spying on Americans. But the more information emerges about how the NSA conducts surveillance, the clearer it becomes that this is an agency obsessed with complying with the complex rules limiting its authority.”

That’s an interesting interpretation of the recently released documents, given that one of the two main FISA court opinions released says the NSA was engaged in “systemic overcollection” of American Internet data for years, and committed “longstanding and pervasive violations of the prior orders in this matter.” The court summarized what it called the government’s “frequent failures to comply with the [surveillance program’s] terms” and their “apparent widespread disregard of [FISA court imposed] restrictions.”

“[The documents] portray an agency acting under the watchful eye of hundreds of lawyers and compliance officers.”

Again, this is not what the actual FISA court opinions portray. “NSA’s record of compliance with these rules has been poor,” and “those responsible for conducting oversight failed to do so effectively,” FISA court Judge Bates wrote in the key opinion released last week. In another FISA court opinion from 2009, released two months ago, the NSA admitted that not a single person in the entire agency accurately understood or could describe the NSA’s whole surveillance system to the court.

It’s true that the number of compliance officers at the NSA has increased in recent years, but as the Washington Post reported, so has the number of privacy violations.

“These documents disprove one of Mr. Snowden’s central claims: ‘I, sitting at my desk, certainly had the authority to wiretap anyone, from you or your accountant, to a federal judge, to even the president if I had a personal email,’ he told the Guardian, a British newspaper.”

Here, Crovitz is setting up a strawman. Snowden wasn’t talking about the NSA’s legal authority, but their technical authority to conduct such searches. Snowden was likely referring to XKeyScore, which the Guardian reported allowed NSA analysts to “search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals.”

We actually have a specific example that proves Snowden’s point. As the New York Times reported in 2009, an NSA analyst “improperly accessed” former President Bill Clinton’s personal email. More recently, we’ve learned that NSA analysts abused the agency’s vast surveillance powers to spy on ex-spouses or former lovers.

“The NSA also released the legal arguments the Justice Department used in 2006 to justify collection of phone metadata-the telephone number of the calling and called parties and the date, time and duration of the call.

Metadata collection is about connecting the dots linking potential terrorist accomplices. The Clinton administration created barriers to the use of metadata, which the 9/11 Commission concluded let the terrorists avoid detection. Since then, metadata has helped stop dozens of plots, including an Islamist plan to blow up the New York Stock Exchange in 2008.”

Again, not true. As Intelligence Committee members Sen. Ron Wyden and Sen. Mark Udall have continually emphasized, there is “no evidence” that the phone metadata program is effective at stopping terrorists. Independent analyses have come to the same conclusion. When called out on that number in a Congressional hearing, even NSA Director Keith Alexander admitted the number was exaggerated.

The only “disrupted plot” the NSA can point to that was solely the work of the phone metadata program was a case where a man from San Diego sent a few thousand dollars to the al-Shabaab organization in Africa in 2008. In other words, the metadata did not disrupt an active terrorist plot inside the US at all.

“The declassified brief from 2006 made clear that such metadata ‘would never even be seen by any human being unless a terrorist connection were first established,’ estimating that ‘0.000025% or one in four million’ of the call records ‘actually would be seen by a trained analyst.’”

The major 2009 FISA court opinion released in September, which Mr. Crovitz apparently either didn’t read or conveniently left out of his piece, showed that the NSA had been systematically querying part of this phone records database for years for numbers that the agency did not have a “reasonable articulable suspicion” were involved in terrorism—as they were required to have by the FISA court. Of the more than 17,000 numbers that the NSA was querying every day, the agency only had “reasonable articulable suspicion” for approximately 1,800 of them.

The FISA court concluded, five years after the metadata program was brought under a legal framework, that it had been “so frequently and systematically violated that it can fairly be said that this critical element of the overall…regime has never functioned effectively.”

These documents clearly do not paint a picture of an agency with a clean privacy record and a reputation for following court rules, as Mr. Crovitz claims, and in fact, they show why it is vital Congress passes substantive NSA reform immediately. You can go here to take action.

NSA Mass Surveillance Puts Major Stress On U.S. Economy

This article, written by EFF activist Trevor Timm, was originally published on the foundation’s website on Nov. 25.

Privacy may not be the only casualty of the National Security Agency’s massive surveillance program. Major sectors of the U.S. economy are reporting financial damage as the recent revelations shake consumer confidence and U.S. trade partners distance themselves from companies that may have been compromised by the NSA or, worse, are secretly collaborating with the spy agency. Members of Congress, especially those who champion America’s competitiveness in the global marketplace, should take note and rein in the NSA now if they want to stem the damage.

The Wall Street Journal recently reported that AT&T’s desired acquisition of the European company Vodafone is in danger due to the company’s well-documented involvement in the NSA’s data-collection programs. European officials said the telecommunications giant would face “intense scrutiny” in its bid to purchase a major cell phone carrier. The Journal went on to say:

“Resistance to such a deal, voiced by officials in interviews across Europe, suggests the impact of the NSA affair could extend beyond the diplomatic sphere and damage US economic interests in key markets.”

In September, analysts at Cisco Systems reported that the fallout “reached another level,” when the National Institute of Standards and Technology (NIST) told companies not to use cryptographic standards that may have been undermined by the NSA’s BULLRUN program. The Cisco analysts said that if cryptography was compromised “it would be a critical blow to trust required across the Internet and the security community.”

This forecast was proven true in mid-November, when Cisco reported a 12 percent slump in its sales in the developing world due to the NSA revelations. As the Financial Times reported, new orders fell by 25 percent in Brazil and 30 percent in Russia, and Cisco predicts its overall sales could drop by as much as 10 percent this quarter. Cisco executives were quoted saying the NSA’s activities have created “a level of uncertainty or concern” that will have a deleterious impact on a wide range of tech companies.

It is hard for civil libertarians to shed tears over AT&T losing business because of NSA spying, considering the company allowed the NSA to directly tap into its fiber optic cables to copy vast amounts of innocent Americans’ Internet traffic. AT&T was also recently revealed as having partnered with both the DEA and the CIA on separate mass surveillance programs. It is also hard to feel sorry for Cisco, which stands accused of helping China spy on dissidents and religious minorities. But the fact that the spying is hurting these major companies is indicative of the size of the problem.

This summer, European Parliament’s civil liberties committee was presented with a proposal to require every American website to place surveillance notices to EU citizens in order to force the US government to reverse course:

“The users should be made aware that the data may be subject to surveillance (under FISA 702) by the US government for any purpose which furthers US foreign policy. A consent requirement will raise EU citizen awareness and favour growth of services solely within EU jurisdiction. This will thus have economic impact on US business and increase pressure on the US government to reach a settlement.” [emphasis ours]

Meanwhile, Telenor, Norway’s largest telecom provider, has reportedly halted its plans to move its customers to a U.S.-based cloud provider. Brazil seems to be moving ahead to create its own email service and to require that US companies locate an office there if they wish to do business with Brazilian customers.

Laws like this mean that companies like Google “could be barred from doing business in one of the world’s most significant markets,” according to Richard Salgado, Google’s director for law enforcement and information security. Google has been warning of this as far back as July, when in FISA court documents it argued that the continued secrecy surrounding government surveillance demands would harm its business.

Many commentators have been warning about the economic ramifications for months. Princeton technologist Ed Felten, who previously served at the Federal Trade Commission, best explained why the NSA revelations could end up hurting US businesses:

“This is going to put US companies at a competitive disadvantage, because people will believe that U.S. companies lack the ability to protect their customers—and people will suspect that U.S. companies may feel compelled to lie to their customers about security.”

The fallout may worsen. One study released shortly after the first Edward Snowden leaks said the economy would lose $22 to $35 billion in the next three years. Another study by Forrester said the $35 billion estimate was too low and pegged the real loss figure around $180 billion for the US tech industry by 2016.

Much of the economic problem stems from the US government’s view that it’s open season when it comes to spying on non-U.S. persons. As Mark Zuckerberg said in September, the government’s position is “don’t worry, we’re not spying on any Americans. Wonderful, that’s really helpful for companies trying to work with people around the world.” Google’s Chief Legal Officer David Drummond echoed this sentiment last week, saying:

“The justification has been couched as ‘Don’t worry. We’re only snooping on foreigners.’ For a company like ours, where most of our business and most of our users are non-American, that’s not very helpful.”

Members of Congress who care about the US economy should take note: the companies losing their competitive edge due to NSA surveillance are mainstream economic drivers. Just as their constituents are paying attention, so are the customers who vote with their dollars. As Sen. Ron Wyden remarked last month, “If a foreign enemy was doing this much damage to the economy, people would be in the streets with pitchforks.”

Electronic Frontier Foundation: Same Mass Surveillance Story, Different Chapter

This post, written by EFF staff attorney Mark Rumold, originally appeared on the foundation’s website on Nov. 20.

Documents released Monday by the Director of National Intelligence tell a story we’ve heard before: The government, through one-sided argument in a secret court, obtained unconstitutional orders to collect vast amounts of information about millions of innocent Americans.

Before, it was Americans’ call records; the opinions released today describe the National Security Agency’s program collecting Americans’ Internet communications. And, just as we saw with the government’s bulk collection of calling records, what the Foreign Intelligence Surveillance Act court envisioned to be a closely controlled Internet metadata program quickly resulted in violations of its orders and restrictions, the search and collection of more information than the government was authorized to acquire, and repeated violations of the privacy of millions of Americans.

Here are some snippets, taken from the opinions and orders of the FISA court, describing the government’s repeated operation of the programs in violation of its orders:

Opinion of the FISC (pages 21-22)

Notwithstanding this and many similar prior representations, there in fact had been systemic overcollection since [redacted]. On [redacted] the government provided written notice of yet another form of substantial non-compliance discovered by NSA OGC. . . This overcollection, which had occurred continuously since the initial authorization . . . , included the acquisition of [redacted]. . . The government later advised that this continuous overcollection acquired many other types of data and that “[v]irtually every PR/TT record” generated by this program included some data that had not been authorized for collection.

Opinion of the FISC (page 4)

The current application relies on this prior framework, but also seeks to expand authorization in ways that test the limits of what the applicable FISA provisions will bear. It also raises issues that are closely related to serious compliance problems that have characterized the government’s implementation of prior FISC orders. It is therefore helpful at the outset to summarize both the underlying rationale of the prior authorizations and the government’s frequent failures to comply with their terms.

Order and Supplemental Order of the FISC (page 6) (emphasis in original)

Given the apparent widespread disregard of [FISC imposed] restrictions, it seems clear that NSA’s Office of General Counsel has failed to satisfy its obligation to ensure that all analysts with access to information derived from the PR/TT metadata ‘receive appropriate training and guidance regarding the querying standard set out in paragraph c. above, as well as other procedures and restrictions regarding the retrieval, storage, and dissemination, of such information.’

Order and Supplemental Order of the FISC (pages 6-7)

The Court is also seriously concerned regarding NSA’s placement of unminimized metadata from both the above-captioned matters into databases accessible by outside agencies, which, as the government has acknowledged, violates not only the Court’s orders, but also NSA’s minimization and dissemination procedures set forth in USSID 18.

The Electronic Frontier Foundation has just begun digesting the documents released Monday and will provide more analysis in the coming days. But EFF hopes these disclosures will provide more evidence, if any more was needed, of the need for serious and comprehensive FISA reform.

Electronic Frontier Foundation: Senators, Writers, Reporters, Defense Attorneys And Surveillance Experts Back Suit Against The NSA

This post, written by EFF legal fellow Andrew Crocker, originally appeared on the foundation’s website on Nov. 19.

EFF’s case challenging the government’s mass telephone records collection program, First Unitarian Church of Los Angeles v. NSA, has received some new firepower in the form of five amicus briefs, including one from U.S. senators charged with overseeing the NSA’s activities. The briefs are all in support of our claim that the NSA’s mass surveillance of ordinary Americans’ telephone records is illegal and unconstitutional.

The friend-of-the-court brief filed by the ACLU on behalf of Senators Ron Wyden, Mark Udall, and Martin Heinrich takes issue with the government’s argument that mass collection is necessary because it is the only effective technique for using phone records: The government has repeatedly suggested that it first must assemble the haystack, then find the needle. The senators, all members of the committee tasked with oversight of the NSA, write that they “have seen no evidence that the bulk collection of Americans’ phone records has provided any intelligence of value that could not have been gathered through less intrusive means.” As the senators’ brief points out, the government has other, more targeted means of surveillance at its disposal which can yield intelligence without invading the privacy of millions of innocent Americans.

The problems with unchecked surveillance and the need for oversight are also discussed in a brief filed on behalf of three experts in the history of intelligence agency surveillance: NSA historian James Bamford and two Church Committee staff members, Loch Johnson and Peter Fenn. Relying on the findings of the 1975 Church Committee, the brief draws parallels between the NSA’s current dragnet collection of phone records and previous mass surveillance programs. When left unchecked, the experts assert, initially narrow surveillance programs “expand beyond their original purposes, often into illegal conduct.”

Several other briefs shed light on the destructive effects that the phone records program has on fundamental constitutional rights, such as free speech, free association, and the right to counsel.

The PEN American Center, whose members include some of the most celebrated writers in the world, undertook a survey that shows that the revelation of NSA surveillance has caused American writers to self-censor, avoiding writing and communicating about topics that might draw government scrutiny. As PEN explains in its brief, these chilling effects undermine the First Amendment’s fundamental protection of the right to advocate unpopular or controversial viewpoints.

Meanwhile, the Reporters Committee for Freedom of the Press focuses on the “corrosive effect that mass call tracking has on the ability of the media to report on matters of public interest.” For some of the most important reporting in American history, including the Watergate scandal and the first revelations of the NSA’s warrantless wiretapping in 2005, reporters have relied on confidential sources and government leaks. In the past, when the government has sought to identify these sources, it has had to obey First Amendment protections and negotiate with journalists. Yet, as the Reporters Committee argues, these protections are “rendered pointless when cast against the backdrop of total surveillance of domestic telephone calls.” As a result, reporters’ sources dry up, restricting the ability of the press to play its crucial role in providing information to the public.

Finally, the National Association of Criminal Defense Lawyers highlights how the phone records program infringes the Sixth Amendment’s guarantee of a right to counsel in criminal cases. Interlocking doctrines of confidentiality protect several aspects of the lawyer-client relationship, but just as the mass collection of phone records can reveal many intimate details of individuals’ daily lives, it can also strip away this confidentiality. Because “the very act of consulting with the counsel of one’s choice places the fact and details of that consultation, and all subsequent communications by both attorney and client, in the hands of the Government,” clients are chilled from seeking legal help and the Sixth Amendment guarantee is undermined.

Combined with the plaintiffs’ first-hand accounts of how their associational rights are chilled by the phone records program, these amicus briefs show the wide-ranging effects of the government’s unconstitutional phone records program.

The amicus briefs:

Senators Wyden, Udall and Heinrich

Surveillance Experts

PEN American Center

Reporters Committee for Freedom of the Press et al.
Electronic Frontier Foundation: DRM In Cars Will Drive Consumers Crazy

This article, written by Parker Higgins, was originally published by the Electronic Frontier Foundation on Nov. 13.

Forget extra cupholders or power windows: the new Renault Zoe comes with a “feature” that absolutely nobody wants. Instead of selling consumers a complete car that they can use, repair, and upgrade as they see fit, Renault has opted to lock purchasers into a rental contract with a battery manufacturer and enforce that contract with digital rights management (DRM) restrictions that can remotely prevent the battery from charging at all.

We’ve long joined makers and tinkerers in warning that, as software becomes a part of more and more everyday devices, DRM and the legal restrictions on circumventing it will create hurdles to standard repairs and even operation. In the U.S., a car manufacturer who had wrapped its onboard software in technical restrictions could argue that attempts to get around those are in violation of the Digital Millennium Copyright Act (DMCA)—specifically section 1201, the notorious “anti-circumvention” provisions. These provisions make it illegal for users to circumvent DRM or help others do so, even if the purpose is perfectly legal otherwise. Similar laws exist around the world, and are even written into some international trade agreements—including, according to a recently leaked draft, the Trans-Pacific Partnership Agreement.

Since the DMCA became law in 1998, Section 1201 has resulted in countless unintended consequences. It has chilled innovation, stifled the speech of legitimate security researchers, and interfered with consumer rights. Section 1201 came under particular fire this year because it may prevent consumers from unlocking their own phones to use with different carriers. After a broadly popular petition raised the issue, the White House acknowledged that the restriction is out of line with common sense.

The problem extends beyond inconvenience. In plenty of cases, DRM has led to users losing altogether the ability to watch, listen to, read, or play media that can’t be “authenticated.” Video games with online components now routinely reach an end-of-life period where the company providing the authentication decides it’s no longer worth it to operate the servers. That raises the frightening possibility of a company like Renault deciding that it’s not cost-effective anymore to verify new batteries—and leaving car owners high and dry.

And these are all just the problems with the DRM running as expected. Unfortunately, the intentional restrictions created by DRM can also create security vulnerabilities that can be exploited by other bad actors. The most prominent example may be the “rootkit” that Sony included on music CDs and which led in some cases to further malware infection. The stakes may be even higher when it comes to cars. Security researchers uncovering security problems in cars already face restrictions on publishing; that stands to get worse as DRM enters the picture.

As our friends at iFixit say, if you can’t fix it, you don’t own it. Users need the right to repair the things they buy, and that is incompatible with blanket restrictions on circumventing DRM.

Copyright maximalists like to point to the 1201 safety valve—a rulemaking procedure to identify narrow exemptions. But the process happens every three years in the Copyright Office, and it’s pretty dysfunctional: the exemptions require extensive work, must be justified from scratch each time, and have no established appeal process. Permission to “jailbreak” cars can’t even be considered until 2015, and even if it is granted, consumers may be wary to invest in a new car if their right to repair it could be revoked three years later.

There’s a better way, but it requires legislation. Representative Zoe Lofgren and a group of bipartisan sponsors have proposed the Unlocking Technology Act, to limit the anti-circumvention provisions to cases where there is actual infringement. That’s a common sense change that is long overdue.

More fundamentally, though, users must push back on the creeping imposition of DRM in more and more places. As EFF Fellow and former staff member Cory Doctorow has noted, computers are increasingly devices that we depend on for our own health and safety. It’s critically important, then, that consumers actually own our stuff. Stay tuned: We’ll be pushing hard on this issue on many fronts in the coming year, and we’ll need your help.

NSA’s Vast Surveillance Powers Extend Far Beyond Counterterrorism, Despite Misleading Government Claims

Writing Nov. 11 for the Electronic Frontier Foundation, Trevor Timm explains how the NSA has everything to lose if it can’t continue to control its fear-mongering script – a script that calls for broad surveillance powers in order to keep Americans safe from the familiar horrors they’ve seen, over and over, on TV.

By Trevor Timm

Time and again we’ve seen the National Security Agency (NSA) defend its vast surveillance apparatus by invoking the spectre of terrorism, discussing its spying powers as a method to keep America safe. Yet the truth is that counterterrorism is only a fraction of their far broader authority to seek “foreign intelligence information,” a menacing-sounding term that actually encapsulates all sorts of innocuous, everyday conversation.

The New York Times demonstrated this disconnect last week, reporting, “the [leaked NSA] documents make clear, the focus on counterterrorism is a misleadingly narrow sales pitch for an agency with an almost unlimited agenda. Its scale and aggressiveness are breathtaking.”

Under the Foreign Intelligence Surveillance Act, NSA is given a mandate for collecting “foreign intelligence information” but this is not a very substantive limitation, and certainly does not restrict the NSA to counterterrorism — rather, it is defined to include “information with respect to a foreign power … that relates to … the conduct of the foreign affairs of the United States.”

Read that carefully for a minute. Anything “that relates to the foreign affairs of the United States.” Interpreted broadly, this can be political news, anything about economics, it doesn’t even have to involve a crime — basically anything besides the weather. Indeed, given the government’s penchant for warping and distorting the definitions of words in secret, we wouldn’t be surprised if the government would argue that weather could fall under the umbrella of “foreign intelligence information” too.

After all, government lawyers have managed to convince the secret FISA court that “relevant to” an investigation is no limitation at all – rather, it can encompass records of every call made in, to or from the United States. It seems unlikely that the government would interpret “relates to … the conduct of foreign affairs” to be any narrower.

This tactic is nothing new. Back in 2008, FISA Amendments Act supporters were invoking terrorism without mentioning this far broader definition, which has since been used to gather information from Internet companies as part of the infamous PRISM program.

Lead sponsor of the bill Senator Kit Bond (R-Mo.) infamously said, “There is nothing to fear in the [new FISA] bill, unless you have al-Qaida on your speed dial.” Yet at the time, as Marty Lederman, a legal scholar who would later become a key lawyer in Obama’s Justice Department, explained that in reality, “There is nothing to fear in the new FISA bill unless you make international phone calls or e-mails that arguably implicate the federal government’s national security, foreign affairs or law enforcement interests.”

Yet, government officials consistently refer to terrorism as the reason NSA is conducting this surveillance, while occasionally adding the spice of nuclear proliferation or “cyber”-hackers. For example, Congressman Mike Rogers (R-Mich.) defended the NSA like this two weeks ago, telling CNN’s “State of the Union” that if French citizens knew what terror plots the NSA was protecting them from “they would be applauding and popping Champagne corks.” While Rogers knows full well that there is no terrorism connection to tapping German Chancellor Angela Merkel’s cell phone, he wants the conversation to go to more familiar ground.

Other times, NSA mentions “foreign intelligence information” and says examples of such information include terrorist activities, conveniently omitting the vast authority granted to spy for diplomatic information. After a story in Le Monde last month, the Director of National Intelligence referred reporters to the statement, “The government cannot target anyone under the court-approved procedures for Section 702 collection unless there is an appropriate, and documented foreign intelligence purpose for the acquisition (such as for the prevention of terrorism, hostile cyber activities, or nuclear proliferation)…” (emphasis ours)

It’s in the NSA’s interest to sell their programs by playing off the fears of Americans, and they do so with great regularity. In fact, NSA talking points, obtained by reporter Jason Leopold using the Freedom of Information Act, state that NSA should continually invoke 9/11 under the heading “sound bites that resonate.”

Counter-terrorism and WMDs are certainly an important part of the NSA’s mandate, but are not limits on its authority.  As we have seen from the reports about spying on foreign heads of state, foreign businesses, and even the World Bank, the NSA is using its spying superpowers to the full limits of “foreign intelligence information,” while trying to keep the conversation in a narrow band.

So let’s get one thing straight: when the NSA vacuums up millions of innocent people’s communications and metadata, the agency is not limiting itself to counter-terrorism uses. Pretending there is a narrower scope is not an honest way to have a debate.

The Electronic Frontier Foundation Ponders How The New York Times Endorsed an Agreement the Public Isn’t Allowed To Read?

The New York Times’ editorial board has made a disappointing endorsement of the Trans-Pacific Partnership (TPP), even as the actual text of the agreement remains secret. That raises two distressing possibilities: either in an act of extraordinary subservience, the Times has endorsed an agreement that neither the public nor its editors have the ability to read. Or, in an act of extraordinary cowardice, it has obtained a copy of the secret text and hasn’t yet fulfilled its duty to the public interest to publish it.

Without a publicly available agreement, readers are forced into the uncomfortable position of taking official government statements at face value. That’s reflected in the endorsement, which fails to note the myriad ways in which TPP has been negotiated undemocratically, shutting out public oversight while permitting corporate interests to drive the agenda. Given these glaring issues, it is disconcerting that the Times would take such a supportive stance on an agreement that is likely to threaten innovation and users’ digital rights well into the 21st century.

That situation leaves unanswered questions. Does the editorial board, for example, support the TPP provisions that would give private corporations new tools to undermine national sovereignty and democratic processes? Because “investor-state dispute settlement,” slated for inclusion in both the TPP and the EU-US trade agreement, the Transatlantic Trade and Investment Partnership (TTIP), would give multinational companies the power to sue countries over laws that might cut into expected future profits. This could allow corporations to unravel any policy designed to protect users against violations of their right to privacy or free speech online. The paper’s endorsement notes that copyright enforcement could be expanded to suit legacy media companies, but provides no explanation of why a trade agreement is an acceptable venue for deciding such issues.

Does the New York Times also endorse an initiative to scrap democratic oversight of TPP by elected lawmakers? After all, Senate Finance Committee leaders Senator Max Baucus and Senator Orrin Hatch have renewed their call to pass fast-track, which would hand over Congress’ constitutional mandate over US trade policy to the Obama Administration. Fast-track, also known as Trade Promotion Authority, would restrict lawmakers from having any proper hearings on its provisions, limiting them to an up-or-down vote on the entire 29-chapter treaty.

The paper’s statement emphasizes how the Obama Administration strives to make TPP’s policies “an example for the rest of the world to follow.” But if that’s the case, then it’s all the more important that the agreement be published immediately. Such a significant body of international law regulating digital policy must not be negotiated without proper, informed public debate. The secrecy of the process itself ensures that only some private interests will be represented at the expense of others. In addition, the U.S. Trade Representative’s history of pushing forth extreme copyright enforcement policies through other trade agreements gives little assurance that users’ rights will be considered in the TPP.

Trade representatives are working to finalize TPP negotiations by the end of the year. Negotiators are scheduled to meet in Salt Lake City next week to negotiate outstanding issues in this agreement, including provisions on liability for Internet Service Providers and anti-circumvention measures over DRM. Following that, trade delegates are seeking to finalize and sign this agreement in December in a ministerial meeting in Singapore.

It’s unfortunate that news outlets are giving little coverage to TPP, when media attention could have a major impact on how the US and the other 11 nations draft digital policy. But public media coverage is precisely the sort of accountability that official secrecy thwarts. Instead of endorsing an agreement the public can’t read, a responsible paper would condemn the secrecy involved. And if the Times has seen the text and knows what’s contained in the TPP, then they have a responsibility to publish the text immediately and expose the US government’s back room dealings.

In either case, it is deeply disappointing that the New York Times would even support the TPP when the public remains in the dark. An endorsement of TPP at this stage is an endorsement of opaque, corporate-driven policymaking.

You can take action against TPP here.

EFF: Forced Decryption Of Electronic Data Is Self-Incrimination And Prohibited By 5th Amendment

This article, written by Electronic Frontier Foundation staff attorney Hanni Fakhoury, was originally published on the Foundation’s website on Oct. 30.

Encryption is one of the most important ways to safeguard data from prying eyes. But what happens when those prying eyes belong to the government? Can they force you to break your own encryption and provide them with the information they want?

In a new amicus brief, we explain that the Fifth Amendment privilege against self-incrimination prohibits the government from forcing someone to decrypt their computer when they’re suspected of a crime.

Leon Gelfgatt was charged with forgery and the government, with a search warrant, seized a number of his electronic devices. Law enforcement couldn’t break the encryption that protected the devices, so it went to court, asking a judge to order Gelfgatt to decrypt the devices for them. The Fifth Amendment protects a person from being forced to testify against themselves and so the government promised not to look at the encryption key—the “testimony” in their eyes—but nonetheless wanted the ability to use the unencrypted data against Gelfgatt. The judge denied the government’s request, ruling that forcing Gelfgatt to decrypt the devices would violate the Fifth Amendment.

The government appealed that decision and the case is now before the Massachusetts Supreme Judicial Court, where we filed an amicus brief with the ACLU and the ACLU of Massachusetts.

Our brief argues that the lower court got it right. The Fifth Amendment protects a person from being forced to reveal the “contents of his mind” to the government, allowing law enforcement to learn facts it didn’t already know. When it comes to compelled decryption, the Fifth Amendment clearly applies because the government would be learning new facts beyond simply the encryption key. By forcing Gelfgatt to translate the encrypted data it cannot read into a readable format, it would be learning what the unencrypted data was (and whether any data existed). Plus, the government would learn perhaps the most crucial of facts: that Gelfgatt had access to and dominion and control of files on the devices.

It’s not the first time we’ve made this argument in court; we’ve filed amicus briefs in other cases involving forced decryption, and won big last year in the Eleventh Circuit Court of Appeals, which agreed with us that the act of decrypting a computer is protected by the Fifth Amendment.

At a time when the recent public disclosures have suggested the government has been undermining cryptography, we hope the court understands the importance of having strong technological safeguards to protect our privacy and finds that our constitutional protections prohibit what the government is trying to do here.

Oral argument in the case is set for Nov. 5, 2013 in Boston.

New Documents Obtained By Electronic Frontier Foundation Confirm: NSA Collects First, Seeks Authorization Later

This article, written by Electronic Frontier Foundation staff attorney Mark Rumold, was originally published on the Foundation’s website.

The government released a second batch of documents yesterday in response to EFF’s ongoing FOIA lawsuit for information concerning Section 215 of the Patriot Act — the provision of law the government relies on to compel the disclosure of records of millions of Americans’ calls.

One document, in particular, confirms what in recent months has become abundantly clear: the NSA is unwilling to submit to meaningful and effective oversight and seems unwilling to recognize the extraordinarily sensitive nature of the information it collects.

The document, which appears to be a written response to an Intelligence Committee staffer’s question, describes the NSA’s acquisition and testing of Americans’ cell site location data. The document shows that, prior to obtaining and testing samples of location information taken from Americans’ cell phone calls, the NSA didn’t even bother to inform the Foreign Intelligence Surveillance Court (FISC) or the relevant Congressional oversight bodies. In fact, neither NSA nor the National Security Division of the Department of Justice thought the collection of Americans’ location information sufficiently novel or important to even justify an individualized legal analysis. In the view of DOJ, the location information of thousands (or millions) of Americans could just be lumped in with the information the FISC had already approved for collection.

Keep this in mind, too: approximately a year prior, the FISC nearly shut down the call record program after the agency repeatedly misled the court about how and under what circumstances it was accessing Americans’ call records. To then obtain extraordinarily sensitive information about the movements of Americans — without first informing either the FISC or any of NSA’s Congressional oversight bodies — smacks of a fundamental disregard for the NSA’s oversight system and the coordinate branches of government.

It’s time to put an end to the agency’s “collect first, seek authorization later” mentality. The NSA needs to recognize, once and for all, that it is not above the law. When an agency acts without oversight or the authorization of Congress, the judiciary, or even the President, it’s clear that the agency has gone off the rails. We need a full and public investigation of the NSA’s spying activities, and members of the intelligence community should be held accountable.

EFF Offers Ten Steps You Can Take To Fight Internet Surveillance Right Now

One of the trends we’ve seen is how, as the word of the NSA’s spying has spread, more and more ordinary people want to know how (or if) they can defend themselves from surveillance online. But where to start?

The bad news is: if you’re being personally targeted by a powerful intelligence agency like the NSA, it’s very, very difficult to defend yourself. The good news, if you can call it that, is that much of what the NSA is doing is mass surveillance on everybody. With a few small steps, you can make that kind of surveillance a lot more difficult and expensive, both against you individually, and more generally against everyone.

Here are ten steps you can take to make your own devices secure. This isn’t a complete list, and it won’t make you completely safe from spying. But every step you take will make you a little bit safer than average. And it will make your attackers, whether they’re the NSA or a local criminal, have to work that much harder.

  1. Use end-to-end encryption.

    We know the NSA has been working to undermine encryption, but experts like Bruce Schneier who have seen the NSA documents feel that encryption is still “your friend”. And your best friends remain open source systems that don’t share your secret key with others, are open to examination by security experts, and encrypt data all the way from one end of a conversation to the other: from your device to the person you’re chatting with. The easiest tool that achieves this end-to-end encryption is off-the-record (OTR) messaging, which gives instant messaging clients end-to-end encryption capabilities (and you can use it over existing services, such as Google Hangout and Facebook chat). Install it on your own computers, and get your friends to install it too. When you’ve done that, look into PGP–it’s tricky to use, but used well it’ll stop your email from being an open book to snoopers. (OTR isn’t the same as Google Chat’s option to “Go off the record”; you’ll need extra software to get end-to-end encryption.)

  2. Encrypt as much of your communications as you can.

    Even if you can’t do end-to-end, you can still encrypt a lot of your Internet traffic. If you use EFF’s HTTPS Everywhere browser addon for Chrome or Firefox, you can maximise the amount of web data you protect by forcing websites to encrypt webpages whenever possible. Use a virtual private network (VPN) when you’re on a network you don’t trust, like a cybercafe.

  3. Encrypt your hard drive.

    The latest versions of Windows, Mac OS, iOS and Android all have ways to encrypt your local storage. Turn it on. Without it, anyone with a few minutes’ physical access to your computer, tablet or smartphone can copy its contents, even if they don’t have your password.

  4. Strong passwords, kept safe.

    Passwords these days have to be ridiculously long to be safe against crackers. That includes the password to email accounts, and passwords to unlock devices, and passwords to web services. If it’s bad to re-use passwords, and bad to use short passwords, how can you remember them all? Use a password manager. Even writing down your passwords and keeping them in your wallet is safer than re-using the same short memorable password — at least you’ll know when your wallet is stolen. You can create a memorable strong master password using a random word system like that described at

  5. Use Tor.

    “Tor Stinks”, this slide leaked from GCHQ says. That shows how much the intelligence services are worried about it. Tor is an open source program that protects your anonymity online by shuffling your data through a global network of volunteer servers. If you install and use Tor, you can hide your origins from corporate and mass surveillance. You’ll also be showing that Tor is used by everyone, not just the “terrorists” that GCHQ claims.

  6. Turn on two-factor (or two-step) authentication.

    Google and Gmail have it; Twitter has it; Dropbox has it. Two-factor authentication, where you type a password and a regularly changed confirmation number, helps protect you from attacks on web and cloud services. When available, turn it on for the services you use. If it’s not available, tell the company you want it.

  7. Don’t click on attachments.

    The easiest ways to get intrusive malware onto your computer are through your email, or through compromised websites. Browsers are getting better at protecting you from the worst of the web, but files sent by email or downloaded from the Net can still take complete control of your computer. Get your friends to send you information in text; when they send you a file, double-check it’s really from them.

  8. Keep software updated, and use anti-virus software.

    The NSA may be attempting to compromise Internet companies (and we’re still waiting to see whether anti-virus companies deliberately ignore government malware), but on the balance, it’s still better to have the companies trying to fix your software than have attackers be able to exploit old bugs.

  9. Keep extra secret information extra secure.

    Think about the data you have, and take extra steps to encrypt and conceal your most private data. You can use TrueCrypt to separately encrypt a USB flash drive. You might even want to keep your most private data on a cheap netbook, kept offline and only used for the purposes of reading or editing documents.

  10. Be an ally.

    If you understand and care enough to have read this far, we need your help. To really challenge the surveillance state, you need to teach others what you’ve learned, and explain to them why it’s important. Install OTR, Tor and other software for worried colleagues, and teach your friends how to use them. Explain to them the impact of the NSA revelations. Ask them to sign up to Stop Watching Us and other campaigns against bulk spying. Run a Tor node, or hold a cryptoparty. They need to stop watching us; and we need to start making it much harder for them to get away with it.

EFF Examines Government Requests For Data To Yahoo, Facebook

Ever since Google issued its first transparency report in early 2010, EFF has called on other companies to follow suit and disclose statistics about the number of government requests for user data, whether the requests they receive are official demands (such as warrants) or unofficial requests. After all, users make decisions every day about which companies they trust with their data, therefore companies owe it to their customers to be transparent about when they hand data over to governments and law enforcement.

Since 2010, other companies have risen to the challenge, including Microsoft, Internet service provider Sonic.Net, cloud storage providers SpiderOak and DropBox, as well as social media companies such as LinkedIn and Twitter.

Now, two more companies have joined the movement: In the past couple of months, both Yahoo and Facebook issued their first transparency reports, covering the period of January-June 2013.

While we wish they had not taken this long, the two companies deserve kudos for taking this important step. Companies are under no legal obligation to give their customers aggregate data about government requests for their data—this is a voluntary step. Both companies are members of the Global Network Initiative, however, which counts transparency among its core principles.

User trust

But in light of this summer’s revelations about the NSA’s PRISM—the program under which the NSA gains access to the private communications of users of many of the most popular Internet services, including those owned by Google, Microsoft, Facebook, and Yahoo—Internet giants are rushing to do what they can to restore user trust.

In September, Google, Facebook, and Yahoo all filed requests to the U.S. Foreign Intelligence Surveillance Court (FISC), asking for permission to publish the specific number of National Security Letters (NSL) that the companies received in the past year as well as the total number of user accounts affected by those requests. Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the NSL power provided by five statutory provisions is one of the most frightening and invasive. These letters—the type served on communications service providers such as phone companies and ISPs, authorized by 18 U.S.C. 2709—allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters’ existence to anyone. A federal judge found NSLs unconstitutional in March, but the order is on hold pending the government’s appeal.

Some companies have published aggregate numbers, in ranges such as 0-999 or 1000-1999, that give us a broad and blurry view of just how widespread the use of NSLs has been, but more detailed numbers would be much more helpful to the public’s understanding of the surveillance, without compromising security.

So now that Facebook and Yahoo have issued transparency reports, what do they tell us?

Facebook’s Global Government Requests Report covers January-June 2013 and reveals that 71 countries requested data on a total of 37,954 to 38,954 users. Unsurprisingly, the US demanded the largest amount of user data, making somewhere between 11,000 to 12,000 requests for 20,000 to 21,000 users.

India came in a close second, with 3,245 requests for 4,144 accounts, and the United Kingdom ranked third with 1,975 requests for 2,337 users. Facebook also revealed the number of times the requests produced “some data.” Facebook handed over data to the U.S. 79% of the time, but only 50% and 68% of the time for India and the United Kingdom, respectively.

The vast majority of requests made to Facebook by less democratic countries (including Cote d’Ivoire, Nepal, and Qatar) were refused; however, two nations stood out in the report: Pakistan and Turkey. In the case of Pakistan, 35 requests were made for 47 users, 77% of which Facebook complied with. In the case of Turkey, 96 requests for 170 users were made, and complied with 47% of the time.

What makes this unique is that no other major company has reported compliance with requests from Pakistan. The South Asian country is nominally a democracy, but censors the Internet heavily and has made a relatively transparent effort to seek Western companies to enable greater censorship and surveillance, a role that Canadian company Netsweeper has been all too eager to fill. It is notable that Facebook has no offices in Pakistan (an office in-country could allow Pakistan to directly seek information from a local employee), nor has Pakistan signed a mutual legal assistance treaty (MLAT) with the US, putting Facebook under no legal obligation to comply with requests from the government.

With no offices in Turkey, either, it’s surprising to see such a high rate of compliance.  Complaints of Facebook censoring certain content in Turkey abound, and as a recent blog post by a Kurdish activist demonstrates, some of that censorship seems quite arbitrary.

At the same time, if Facebook doesn’t comply, it undoubtedly risks being blocked in these countries, just as YouTube was for several years, and a tool used by opposition figures and activists might become unavailable. On balance, we think most countries would rightly be hesitant to remove a popular Internet tool, as it may create more unrest than the information sought to be quashed.

While Facebook has been transparent about its law enforcement guidelines, information regarding its processes when it comes to international requests is vague – the data use policy allows disclosure when “consistent with internationally recognized standards,” which are not defined. Facebook could enhance its transparency by clarifying its standards for complying with requests; even if its standards are perfect in every way, users are legitimately concerned when they do not know what standards might apply.

Like Facebook, Yahoo also reported that the United States led the number of requests, with 12,444 data requests that included 40,322 Yahoo accounts. Yahoo handed content-related data, including communications in Yahoo Mail or Messenger, photos on Flickr or Yahoo Address Book entries, over to American agencies in 4,604 cases. The company gave the government non-content related information, which includes a person’s name, location or Internet Protocol address, in 6,798 cases.

Yahoo received fewer requests from the United Kingdom (1,709) and India (1,490) than did Facebook, with similar compliance rates. One nice feature of Yahoo’s report is that it breaks down the type of data disclosure (non-content vs. content) in a pie chart for each country. In the UK, for example, 44% of requests were responded to with disclosures of non-content data, while in 20% of cases, content was disclosed to law enforcement.

Surprisingly, Yahoo received far more requests from Hong Kong than any other company, and complied with 100% of them (content was only disclosed in 1% of those cases).  The South China Morning Post quoted lawmaker Charles Mok as saying that the number was high, and called on Yahoo to disclose which government agencies requested the data.

EFF: The Good And The Bad Of NSA Spying Bills In Congress

This post, written by Electronic Frontier Foundation legal director Cindy Cohn and policy analyst Mark Jaycox, was originally published by the EFF on Oct. 22.

The Senate is moving quickly on bills to reform many aspects of the NSA spying. Currently, the Judiciary Committee, which has favored privacy in the past, and the chairs of the Intelligence Committees, Senator Dianne Feinstein and Representative Mike Rogers, will be introducing bills tackling the NSA spying.

The Intelligence Committee Bills Must be Stopped

Many of the NSA reform bills going through Congress are encouraging, but the most important priority for those who want to stop the spying is to stop the bill by the Intelligence Committees of the House and Senate. The Chairs of each have confirmed that the (still secret) bill is aimed at continuing collection of every American’s phone records unabated. The bill will likely provide some window dressing of limited transparency, while shoring up the legal basis for the spying.

Since the leaks in June, the committees’ Chairs have defended the program with justifications the press has thoroughly debunked. While we have opinions about what the best way forward is, the only sure way to not go backwards, or seal the status quo into stone, is to stop the bill currently in the works by the Intelligence Committee chairs.

What “Stop the Spying” Looks Like

We have also been encouraged by the various other proposals being introduced. Here are some ways to think about the bills currently introduced or coming down the pike.

The good bills being proposed are omnibus bills—so-called because they change a variety of different laws. They try to stop the mass collection of innocent Americans’ calling records (using Section 215 of the Patriot Act), phone calls and emails (using Section 702 of the Foreign Intelligence Surveillance Act (FISA)), and try to introduce much needed transparency reforms to the court overseeing the spying, the Foreign Intelligence Surveillance Court (FISA Court).

So far, only S. 1551, the Intelligence Oversight and Surveillance Reform Act—sponsored by Senators Ron Wyden, Richard Blumenthal, Mark Udall, and Rand Paul—has been released. The bill is a fantastic start. The other, by Senator Patrick Leahy and Rep. Jim Sensenbrenner, is still being readied, but we’re hopeful based on what we’ve heard so far.

In general, EFF believes that whatever bill goes through Congress must stop the mass spying, either through nullifying the NSA’s interpretation of Section 215 or otherwise. And it should do so in a publicly verifiable way. This is, of course, in addition to reforming the FISA Court process, increasing transparency, and fixing National Security Letters.

Direct path: Forbid Mass Collection

There is a direct way to do this. Congress could unequivocally forbid the government from the mass collection of phone records. Congress usually does this with the phrase “notwithstanding any other law.” This is the path EFF strongly recommends. It looks something like the following, and includes FISA’s exceptions for wartime and other emergencies.

Notwithstanding any other law, no governmental entity shall engage in the mass collection of communications records, unless the collection is authorized pursuant to sections 1802, 1811, 1843 or 1844 of this chapter.

Indirect Path: “Pertains to” Fix

A second, less direct way is also being considered. This requires a bit of legislative analysis to understand, so bear with us. Overall, this approach, if done carefully, may also work, but it has a more complicated story than merely banning mass collection.

The change, which we call the “pertains to” fix, is to provide that, in addition to being “relevant to” an authorized investigation, the information the NSA wants must also “pertain to” a foreign agent or power. Right now the law doesn’t require that—it only requires “relevance to an authorized investigation” and then says that “relevance” is presumed to be met when information “pertains to” a foreign power.

This change would make “pertains to” a foreign agent or power a separate requirement, and was originally proposed in the 2006 debates when the Patriot Act was up for reauthorization by Congress, meaning that it needed to be voted on again. The basis for thinking that this change would stop mass collection is that, in its White Paper defending its interpretation of Section 215, the Administration pointed to the failure of this “pertains to” proposal to pass as a basis for its claim that Congress actually authorized mass spying in 2006.

The risk in this indirect path is that in the past few months we’ve seen incredibly strained legal definitions by the Department of Justice (DOJ) over words like “relevant.” The same may happen with “pertain to.” Indeed, Judge Claire Eagen of the FISA Court recently wrote that information is “relevant” to an investigation if it’s “pertinent” to the investigation. This may mean that adding “pertinent” may not be interpreted as adding any new requirements.

There’s more: in more than one of the released FISA Court opinions there are allusions to the idea that the government’s first application on May 23, 2006 discussed how all Americans’ calling records “pertain to” the activities of foreign agents. And the most recent DOJ filings—which include its motion to dismiss in the ACLU’s case against Section 215 spying and its submission to the Supreme Court in EPIC’s challenge to the spying—may also reveal that the Administration thinks any collection of records en masse “pertains to” the activities of a foreign agent or power, so long as the records can aid in the discovery of “otherwise hidden connections between individuals suspected of engaging in terrorist activity and unknown co-conspirators with whom they maintain contact in the United States.” These are just some of the reasons why Congress must be certain to stop the abuse of Section 215 with clear—and definitive—language.

Spying On Innocent Users Must Stop

Of course it may be that a court will interpret Congress’ actions in adding the “pertain to” requirement as forbidding mass spying. To be sure, the NSA will find it difficult to get around Congressional intent if the legislative history is clear. So the indirect path might work, despite the DOJ’s theories, and may be more politically palatable. Regardless of whether the issue is taken on directly or indirectly, however, EFF believes that Congress must take steps to stop mass spying. And we’ll be there in the courts to enforce it, long after the spotlight in Congress has moved on.

Why Hollywood Should Stop Pushing For More Government Internet Control

This post, written by global policy analyst Maira Sutton and activist Parker Higgins, originally appeared on the Electronic Frontier Foundation’s website on Oct. 18.

The content lobby’s narrative about the Internet’s impact on the creative industry has grown all too familiar. According to this tiresome story, Hollywood is doing everything it can to prevent unauthorized downloading, but people—enabled by peer-to-peer technologies, “rogue” websites, search engines, or whatever the bogeyman of the moment is—keep doing it anyway. As a result, say groups like the Motion Picture Association of America (MPAA), creators are deprived of their hard-earned and well-deserved profits and have little incentive to keep creating.

There’s a lot that’s wrong with this story (like the assumption that most copyright royalties actually end up in the pockets of the artists). But one of the most pernicious aspects is the idea that Hollywood is actually making a sincere effort to meet user demand.

That’s why we’re happy to see a new website called, is helping to tell another crucial part of the story. As the site shows, the studios aren’t keeping up with the markets that new technologies enable—which is why, in many cases, the most popular films are not even available through preferred legal channels.

The site lists the top 10 most pirated films on BitTorrent and checks whether those films are available to stream, rent, or purchase digitally. In a simple chart, it shows how few options users have for accessing these in-demand movies. Since the site began recording three weeks ago, only 20% have been available for digital rental and none have been available for streaming. This site highlights the underlying problem of unauthorized file sharing: the high demand for legal access to films is not being met when we clearly already have the technology to enable this experience.

Of course, this data confirms the long-held suspicions of many who object to Hollywood’s demand for ever more draconian copyright enforcement efforts. Instead of focusing on piracy and spending millions on lobbying for those policy changes, the content industry should be investing its resources into creating better and more accessible platforms for users. Unfortunately, Hollywood refuses to acknowledge that reality. We’ve seen the industry demonstrate that with its continuing efforts to push legislation that runs counter to the public interest, and its stubborn refusal to offer content in the formats people have been shown to prefer.

If the studios were to invest their considerable resources in meeting the market demand, it could lead to a very profitable digital marketplace. We said this before, and we’ll keep saying it until it sinks in: the hard-working men and women in the entertainment industry should stand up and tell their leaders to either embrace the age of the Internet or get out of the way so that new, forward-thinking industry leaders can take their place.

Protect Your Privacy: EFF Explains How To Opt Out Of Google’s Shared Endorsements

This post, written by activist Adi Kamdar, originally appeared on the Electronic Frontier Foundation’s website on Oct. 17.

Google recently announced an update to its Terms of Service, focused on displaying your profile name and photo next to advertisements and reviews. The new feature, which goes into effect on November 11, is called Shared Endorsements and will allow you to share your recommendations (whether a +1 on Google Play or a restaurant rating on Google Maps) with your connections.

For example, if your friend searches “Indian food” and an advertisement shows up for a local restaurant you’ve rated, your profile picture, name, and review might show up alongside it. Many users will take issue with their likeness used to promote sponsored links without their explicit consent—as Facebook knows all too well. Even more users rightfully have concerns with the fact that old comments posted with one online landscape in mind are now being reused in a completely different manner and placed before a completely different audience.

A crucial component of privacy is control, and being able to control how your information is used is an important user right. Thankfully, Google has made it very simple to opt out of Shared Endorsements. Here’s how:

Step 1: Go To Your Settings

Go to the Shared Endorsements setting page. You can find this page by going to Google Plus and clicking “Settings” in the toolbar on the left. Next to “Shared Endorsements,” click “Edit.”

Step 2: Uncheck The Box

Scroll down and make sure the box is unchecked. Once it is unchecked, click “Save.”

That’s it! If you follow these two steps, you’ll have successfully opted out of Google’s Shared Endorsements feature.

(If you have several Google accounts, or if you manage various Google Plus pages, you will need to repeat these steps for each of them.)

EFF Takes On The Drug Enforcement Agency’s Secret Use Of Electronic Surveillance In Criminal Cases

This post, written by attorney Hanni Fakhoury, was originally published Oct. 15 on the Electronic Frontier Foundation’s website.

Given the recent revelations about just how pervasive the government’s electronic surveillance has been, it’s no surprise these surveillance programs are popping up in criminal cases, as defense attorneys are finding gaps in how the government collected particular pieces of electronic evidence on their clients. A new amicus brief we filed today with the ACLU and the ACLU of Northern California in a drug case in San Francisco federal district court asks the court to order the government to fill these gaps.

The case involves 20 co-defendants charged with transporting and distributing drugs from San Francisco to Seattle. During the investigation, the government obtained records on over 700,000 phone calls made by more than 600 different phone numbers, including records such as numbers dialed or dialing in, the date, time and duration of the calls, and in some cases location information. Yet despite the sheer volume of calls at issue, the government produced to the defense attorneys court orders authorizing collection on only 52 of these phone numbers. The enormous discrepancy between the call data actually collected and the court orders authorizing the collection raises serious questions about whether the government took advantage of the controversial surveillance programs recently leaked to the press.

In June, details of the NSA’s bulk telephone records collection program were published by The Guardian. Then in August, Reuters reported about the NSA’s practice of funneling information to the Drug Enforcement Administration’s Special Operations Division (“SOD”). In turn, the DEA and SOD would use the information to generate their own independent leads and then deliberately omit the NSA’s involvement in reports and affidavits, effectively “laundering” the intelligence. Then, in September, the New York Times reported that DEA agents had direct access into AT&T’s database known as “Hemisphere” that contained millions of records about phone calls dating back to 1987. Like SOD, agents are deliberately instructed to omit referencing the Hemisphere program in court documents.

With all this information coming to light, criminal defendants are fighting to uncover what type of electronic surveillance really occurred in their criminal cases, and how information was obtained by the government. In our amicus brief, we ask a federal district court to order the government to provide more information about how it potentially used these surveillance programs in criminal cases.

For example, investigators in the San Francisco drug case were able to locate a phone number for a suspect only two days after his prior number had been disconnected. The reports turned over to defense attorneys indicated that the information was obtained by a confidential source, and that may very well be true. But this ability to connect an old phone number with a new one sounds exactly like what the Hemisphere program is capable of doing. Yet, there’s no mention of the Hemisphere program in any of the investigative reports, a glaring omission that is consistent with the DEA’s directive to agents to “never refer to Hemisphere in any official document” and instead lie that the “results were obtained from an AT&T subpoena.”

Deliberately omitting this information is all part of DEA’s act of, in their own words, “protecting the program.” As we explain in our amicus brief, this deliberate omission runs afoul of the Fifth Amendment’s guarantee of due process. Specifically, under Brady v. Maryland, the government must disclose “material” evidence that is favorable to the defense. “Material” means the evidence could affect the outcome of the criminal proceeding and Brady’s obligation extends to “material” facts relevant to raising Fourth Amendment challenges. Here, understanding if and how these surveillance programs were used would be “material” for three reasons.

First, if these programs were used to obtain evidence against a criminal defendant, the defendant must be given an opportunity to challenge that evidence. They couldn’t do so without the full facts of whether the programs were used, and how. Second, the government must turn over evidence that bears on the credibility of a witness. A witness’ credibility is an important factor in determining whether probable cause exists, and that obligation is not just reserved to the government’s use of human witnesses. The Ninth Circuit Court of Appeals (which has jurisdiction over the federal court in San Francisco) has explained that these discovery obligations require the government to disclose evidence of a drug detecting dog’s reliability. We believe the same obligations extend to electronic surveillance too. Third, in Franks v. Delaware, the US Supreme Court ruled that a criminal defendant has a right to challenge false or deliberately omitted statements in a search warrant affidavit. In turn, the Ninth Circuit has held Brady requires prosecutors to disclose evidence that could be used to impeach the testimony of an officer at a suppression hearing. Thus, to the extent officers used the program, it would impeach their claims that they relied on an administrative subpoena or a confidential source to get the information.

While it may seem like connecting these surveillance programs to domestic criminal cases is “highly hypothetical,” the operation of these programs outside of the public eye, coupled with the directive that agents utilizing SOD and Hemisphere hide the existence of the programs from even judges and prosecutors means courts must require the government to dig deeper and untangle how electronic surveillance actually occurred in a criminal case. The Supreme Court in Franks noted the Fourth Amendment “would be reduced to a nullity if a police officer was able to use deliberately falsified allegations to demonstrate probable cause, and, having misled the magistrate, then was able to remain confident that the ploy was worthwhile.” We hope the Court here and in other criminal cases orders the government to come clean.

Polls Continue to Show Majority of Americans Against NSA Spying

This post, by Policy Analyst and Legislative Assistant Mark M. Jaycox, originally appeared on the Electronic Frontier Foundation website on Oct. 7.

Shortly after the June leaks, numerous polls asked the American people if they approved or disapproved of the National Security Agency spying, which includes collecting telephone records using Section 215 of the Patriot Act and collecting phone calls and emails using Section 702 of the Foreign Intelligence Surveillance Act. The answer then was a resounding no, and new polls released in August and September clearly show Americans’ increasing concern about privacy has continued.

Since July, many of the polls not only confirm the American people think the NSA’s actions violate their privacy, but think the surveillance should be stopped. For instance in an Associated Press poll, nearly 60 percent of Americans said they oppose the NSA collecting data about their telephone and Internet usage. In another national poll by The Washington Post and ABC News, 74 percent of respondents said the NSA’s spying intrudes on their privacy rights. This majority should come as no surprise, as we’ve seen a sea change in opinion polls on privacy since the Edward Snowden revelations started in June.

What’s also important is that it crosses political party lines. The Washington Post/ABC News poll found 70 percent of Democrats and 77 percent of Republicans believe the NSA’s spying programs intrude on their privacy rights. This change is significant, showing that privacy is a bipartisan issue. In 2006, a similar question found only 50 percent of Republicans thought the government intruded on their privacy rights.

Americans also continue their skepticism of the Federal government and its inability to conduct proper oversight. In a recent poll, Rasmussen — though sometimes known for push polling — revealed that there’s been a 30 percent increase in people who believe it is now more likely that the government will monitor their phone calls. Maybe even more significant is that this skepticism carries over into whether Americans believe the government’s claim that it “robustly oversees” the NSA’s programs. In a HuffPost/YouGov poll, 53 percent of respondents said they think “the federal courts and rules put in place by Congress” do not provide “adequate oversight.” Only 18 percent of people agreed with the statement.

Americans seem to be waking up from their surveillance state slumber as the leaks around the illegal and unconstitutional NSA spying continue. The anger Americans — especially younger Americans — have around the NSA spying is starting to show. President Barack Obama has seen a 14-point swing in his approval and disapproval rating among voters aged 18-29 after the NSA spying.

This recent round of polls confirms that Americans are not only concerned with the fact that the spying infringes their privacy, but also that they want the spying to stop. And this is even more so for younger Americans. Now is the time for Congress to act: click here now to join the StopWatching.Us coalition.

EFF Provides An In-Depth Look At How The NSA Deploys Malware

This article, written by staff technologist Dan Auerbach, was originally published by the Electronic Frontier Foundation on Oct. 8.

We’ve long suspected that the NSA, the world’s premier spy agency, was pretty good at breaking into computers. But now, thanks to an article by security expert Bruce Schneier—who is working with the Guardian to go through the Snowden documents—we have a much more detailed view of how the NSA uses exploits in order to infect the computers of targeted users. The template for attacking people with malware used by the NSA is in widespread use by criminals and fraudsters, as well as foreign intelligence agencies, so it’s important to understand and defend against this threat to avoid being a victim of the plethora of attackers out there.

How Does Malware Work Exactly?

Deploying malware over the web generally involves two steps. First, as an attacker, you have to get your victim to visit a website under your control. Second, you have to get software—known as malware—installed on the victim’s computer in order to gain control of that machine. This formula isn’t universal, but is often how web-based malware attacks proceed.

In order to accomplish the first step of getting a user to visit a site under your control, an attacker might email the victim text that contains a link to the website in question, in a so-called phishing attack. The NSA reportedly uses phishing attacks sometimes, but we’ve learned that this step usually proceeds via a so-called “man-in-the-middle” attack.1 The NSA controls a set of servers codenamed “Quantum” that sit on the Internet backbone, and these servers are used to redirect targets away from their intended destinations to still other NSA-controlled servers that are responsible for the injection of malware. So, for example, if a targeted user visits “”, the target’s browser will display the ordinary Yahoo! landing page but will actually be communicating with a server controlled by the NSA. This malicious version of Yahoo!’s website will tell the victim’s browser to make a request in the background to another server controlled by the NSA which is used to deploy malware.

Once a victim visits a malicious website, how does the attacker actually infect the computer? Perhaps the most straightforward method is to trick the user into downloading and running software. A cleverly designed pop-up advertisement may convince a user to download and install the attacker’s malware, for example.

But this method does not always work, and relies on a user taking action to download and run software. Instead, attackers can exploit software vulnerabilities in the browser that the victim is using in order to gain access to her computer. When a victim’s browser loads a website, the software has to perform tasks like parsing text given to it by the server, and will often load browser plugins like Flash that run code given to it by the server, in addition to executing Javascript code given to it by the server. But browser software—which is becoming increasingly complex as the web gains more functionality—doesn’t work perfectly. Like all software, it has bugs, and sometimes those bugs are exploitable security vulnerabilities that allow an attacker to gain access to a victim’s computer just because a particular website was visited. Once browser vendors discover vulnerabilities, they are generally patched, but sometimes a user has out-of-date software that is still vulnerable to a known attack. Other times, the vulnerabilities are known only to the attacker and not to the browser vendor; these are called zero-day vulnerabilities.

The NSA has a set of servers on the public Internet with the code name “FoxAcid” used to deploy malware. Once their Quantum servers redirect targets to a specially crafted URL hosted on a FoxAcid server, software on that FoxAcid server selects from a toolkit of exploits in order to gain access to the user’s computer. Presumably this toolkit has both known public exploits that rely on a user’s software being out of date, as well as zero-day exploits which are generally saved for high value targets.2 The agency then reportedly uses this initial malware to install longer lasting malware.

Once an attacker has successfully infected a victim with malware, the attacker generally has full access to the user’s machine: she can record key strokes (which will reveal passwords and other sensitive information), turn on a web cam, or read any data on the victim’s computer.
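The redirect-and-background-fetch pattern described above leaves a trace in ordinary web proxy logs: a plaintext page that bounces the browser to, or quietly pulls a resource from, a site the user never navigated to. The detector below is an added example, not code from the EFF post or the Guardian reporting; the log format, hostnames and the two heuristic rules are constructed for illustration.

```python
# Added example (not from the EFF post): scan constructed proxy log lines for
# the pattern the post describes, a plaintext (HTTP) page that redirects the
# browser to, or pulls a background resource from, a site the client never
# navigated to on its own. Hostnames and log format are made up for this demo.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit


@dataclass
class Entry:
    client: str
    scheme: str               # "http" or "https"
    host: str                 # host the browser asked for
    path: str
    status: int
    location: Optional[str]   # Location header on 3xx responses, "-" if none
    referer: Optional[str]    # Referer header, "-" if none


def parse_line(line: str) -> Entry:
    """Parse one tab-separated log line (constructed format):
    client  scheme  host  path  status  location  referer"""
    client, scheme, host, path, status, location, referer = line.rstrip("\n").split("\t")
    return Entry(client, scheme, host.lower(), path, int(status),
                 None if location == "-" else location,
                 None if referer == "-" else referer)


def site(host: str) -> str:
    """Crude 'same site' key: the last two DNS labels. Fine for a demo; a real
    deployment would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_suspicious(lines: List[str]) -> List[str]:
    entries = [parse_line(ln) for ln in lines if ln.strip() and not ln.startswith("#")]
    findings: List[str] = []
    # Sites each client reached by a direct navigation (request with no Referer).
    navigated: Dict[str, Set[str]] = {}
    for e in entries:
        if e.referer is None:
            navigated.setdefault(e.client, set()).add(site(e.host))
    for e in entries:
        # Rule 1: a plaintext response that bounces the browser to another site.
        if e.scheme == "http" and 300 <= e.status < 400 and e.location:
            target = urlsplit(e.location).hostname or ""
            if site(target) != site(e.host):
                findings.append(f"{e.client}: http://{e.host}{e.path} redirected "
                                f"cross-site to {target}")
        # Rule 2: a background fetch, triggered by a plaintext page, to a site
        # the client never navigated to directly.
        if e.referer is not None:
            ref = urlsplit(e.referer)
            ref_host = ref.hostname or ""
            if (ref.scheme == "http"
                    and site(e.host) != site(ref_host)
                    and site(e.host) not in navigated.get(e.client, set())):
                findings.append(f"{e.client}: page http://{ref_host}{ref.path} pulled "
                                f"{e.scheme}://{e.host}{e.path} from an unvisited site")
    return findings


# Constructed sample log: one client browsing over HTTPS normally, and one
# client whose plaintext request is redirected to a look-alike host that then
# loads a script from a third host the client never visited.
SAMPLE_LOG = [
    "# client\tscheme\thost\tpath\tstatus\tlocation\treferer  (constructed)",
    "10.0.0.5\thttps\twww.example-portal.test\t/\t200\t-\t-",
    "10.0.0.5\thttps\tstatic.example-portal.test\t/app.js\t200\t-\thttps://www.example-portal.test/",
    "10.0.0.7\thttp\twww.example-portal.test\t/\t302\thttp://cdn-portal.lookalike.test/landing\t-",
    "10.0.0.7\thttp\tcdn-portal.lookalike.test\t/landing\t200\t-\t-",
    "10.0.0.7\thttp\tloader.unrelated.test\t/x.js\t200\t-\thttp://cdn-portal.lookalike.test/landing",
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Rule 2 will also fire on legitimate third-party resources (ads, CDNs) loaded by plaintext pages, so in practice it needs an allowlist; that noise is also why the post's advice to prefer HTTPS and restrict third-party requests narrows the attack surface.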

What Can Users Do To Protect Themselves?

We hope that these revelations spur browser vendors to action, both to harden their systems against exploits, and to attempt to detect and block the malware URLs used by the FoxAcid servers.

In the meantime, users concerned about their security should practice good security hygiene. Always keep your software up to date—especially browser plugins like Flash that require manual updates. Make sure you can distinguish between legitimate updates and pop-up ads that masquerade as software updates. Never click a suspicious looking link in an email.

For users who want to go an extra step towards being more secure—and we think everyone should be in this camp—consider making plugins like Flash and Java “click-to-play” so that they are not executed on any given web page until you affirmatively click them. For Chromium and Chrome, this option is available in Settings => Show Advanced Settings => Privacy => Content Settings => Plug-ins. For Firefox, this functionality is available by installing a browser Add-On like “Click to Play per-element”. Plugins can also be uninstalled or turned off completely. Users should also use ad blocking software to stop unnecessary web requests to third party advertisers and web trackers, and our HTTPS Everywhere add-on in order to encrypt connections to websites with HTTPS as much as possible.

Finally, for users who are willing to notice some more pain when browsing the web, consider using an add-on like NotScripts (Chrome) or NoScript (Firefox) to limit the execution of scripts. This means you will have to click to allow scripts to run, and since Javascript is very prevalent, you will have to click a lot. For Firefox users, RequestPolicy is another useful add-on that stops third-party resources from loading on a page by default. Once again, as third-party resources are popular, this will disrupt ordinary browsing a fair amount. Finally, for the ultra paranoid, HTTP Nowhere will disable all HTTP traffic completely, forcing your browsing experience to be entirely encrypted, and making it so that only websites that offer an HTTPS connection are available to browse.

The NSA’s system for deploying malware isn’t particularly novel, but getting some insight into how it works should help users and browser and software vendors better defend against these types of attacks, making us all safer against criminals, foreign intelligence agencies, and a host of attackers. That’s why we think it’s critical that the NSA come clean about its capabilities and where the common security holes are—our online security depends on it.

1. The term “man-in-the-middle” is sometimes reserved for attacks on cryptographically secure connections, for example using a fraudulent SSL certificate. In this context, however, we mean it more generally to mean any attack where the attacker sits between the victim and the intended website.
2. According to the Guardian article, “the most valuable exploits are saved for the most important targets.”

EFF: Technology Is Not To Blame In Silk Road Takedown

This article, written by Parker Higgins, was originally published by the Electronic Frontier Foundation on Oct. 3.

The man alleged to be “Dread Pirate Roberts,” the founder and operator of the Silk Road—an online marketplace where bitcoins were traded for a range of goods and services, including drugs—was arrested by the FBI in San Francisco yesterday. The criminal complaint, released today, provides many details about how the site and its users relied on widespread anonymity technology, including Tor and Bitcoin.

The increased attention on this technology is a good reminder about how important it is not to blame these tools for the actions of a small portion of their users. The public wouldn’t tolerate a campaign to malign the car because of its utility as a getaway vehicle for bank robbers; we must apply the same critical thinking to essential privacy-preserving technology.

In certain parts of the complaint, even the federal agent behind the investigation and the Justice Department attorney in charge of the case acknowledge this. In describing how Tor was required to access the Silk Road (the site was configured as a Tor hidden service), they state that “Tor has known legitimate uses”. Similarly, “Bitcoins are not illegal in and of themselves and have known legitimate uses.”

Elsewhere the complaint goes astray. For example, it asserts that the suspect’s efforts to “‘hide the identities of those that run Silk Road’ reflect his awareness of the illegal nature of the Silk Road enterprise.” Of course, that explanation overlooks the countless lawful reasons why a person would want to engage in anonymous speech—and in the process hide the identities of those behind the technical infrastructure—that don’t involve breaking the law.

Similarly, the complaint’s description of the bitcoin “tumbler” that the Silk Road employed to obscure the parties involved in each transaction is alarmingly limited. According to the complaint, “the only function served by such ‘tumblers’ is to assist with the laundering of criminal proceeds.” Really, the purpose of a tumbler is to attempt to make a bitcoin transaction as anonymous and private as cash. Certainly one can take issue with Silk Road’s use of the technology in particular. It’s incredibly dangerous, though, to say that anonymous currency—whether bitcoins or traditional cash—is only of interest to drug dealers or money launderers.

It’s essential that the use of encryption, anonymization techniques, and other privacy practices is not deemed a suspicious activity. Rather, it must be recognized as an essential element for practicing freedom of speech in a digital environment.

In some ways, the complaint provides encouragement to those who depend on this technology to engage in speech privately and anonymously. After all, it was human error, and the chance discovery of nine fake ID cards in a routine package inspection at the border, that led to the final round of investigation. This summer’s revelations about the NSA’s subverting certain cryptographic technologies have definitely heightened fears in the security community. Although there are still some unanswered questions about the investigation, it’s a small relief that, for now, those fears weren’t confirmed by the criminal complaint.

The point remains, however, that relegating these technologies by associating them only with their criminal use threatens to undermine their ability to enable important, lawful speech.

Unfortunately, we’ve witnessed that sort of demonization of technology before. We’ve seen it in attempts to target peer-to-peer protocols because they can be used for copyright infringement; in the outrageous stacking of penalties that can result in decades of possible prison time for violations of the Computer Fraud and Abuse Act; in the original “Crypto Wars” of the 1990s and their reprise today; and in many other places besides.

The allegations against the Silk Road are serious, and may get even more so as the case progresses to formal charges and a trial. But if the government puts undue weight on the suspect’s use of technology, instead of the actual crimes of which he is accused, the public will be worse off for it.

Join EFF And The Stopwatching.Us Coalition To Stop Government Spying

This post originally appeared on the Electronic Frontier Foundation’s website.

This summer, some of our worst fears and suspicions about the NSA have been confirmed. We now have evidence that the NSA is actively undermining the basic security of the Internet. It is collecting millions and millions of phone records of individuals not suspected of any crime. It is surveilling journalists.

The NSA’s overreaching surveillance is creating a climate of fear and chilling free speech. Its addiction to secrecy makes real accountability impossible.

But there’s a movement forming to change all of this. And we’re about to take the next step.

On the weekend of October 26 — the 12th anniversary of the signing of the USA PATRIOT Act — thousands of people from across the political spectrum will unite in Washington, D.C. to take a stand against unconstitutional surveillance. Please join EFF in D.C. for a day of grassroots training and citizen lobbying on October 25th and a historic rally and petition delivery on October 26th.

Stopwatching.Us is a politically diverse coalition including more than 100 public advocacy organizations and companies, including EFF, ACLU, FreedomWorks, Free Press, Mozilla, National Libertarian Party, reddit, Restore the Fourth and Thoughtworks.

We want you to join us in D.C. for this event. There will be speakers, privacy experts, live music, and an opportunity to be part of the official delivery of the Stop Watching Us petition to Congress – a petition in which over a half million people have called for an end to mass, suspicionless surveillance.

Join us in Washington.

— RSVP on the event page (privacy policy here):
— RSVP for the lobby day here:

Note: you do not need to RSVP to attend the rally, but it helps us gauge numbers. RSVPing to the event means that you may be contacted about other Stopwatching events and updates. If you would prefer not to have that type of contact, please RSVP to EFF here.

We’re planning a two-day event. Here are the details:

Friday, October 25th: Training and lobby day

If you are coming from out of town, you should plan to arrive in D.C. on Thursday night so you can join us for trainings on Friday morning. EFF is working with our friends Public Knowledge and other members of the coalition to host a lobby day in D.C. on NSA surveillance. On Friday morning, we’ll give you an overview of NSA surveillance, including talking points and handouts, and prepare you to meet with staffers. Then you will meet with key Hill staffers and elected officials to explain your concerns about NSA surveillance. Don’t worry – we schedule the meetings for you. We’ll be done by midafternoon.

In-person meetings are the most effective way for an individual to influence Congress on an issue (except maybe giving them a lot of money). Even if you’ve never considered lobbying on an issue, this is a not-to-be-missed opportunity to change America’s stance on surveillance.

Saturday, October 26th: Rally against mass surveillance

The coalition is hosting a historic rally in Washington, D.C. on Saturday, October 26th – the 12th anniversary of the signing of the Patriot Act. We’ll be joined by YACHT, the indie pop duo that’s sweeping the nation with its new song, “Party at the NSA.” With your help, we’re going to create an amazing rally for privacy. Will you be there?

Hundreds of thousands of people have spoken out since the major NSA leaks began this June. Dozens of members of Congress have introduced bills aimed at reining in the NSA, and hundreds of organizations and companies are uniting to end the NSA’s unconstitutional surveillance.

But we will only succeed if we take the next step and raise our voices. RSVP now.

U.N. Launches Thirteen Principles Against Unchecked Surveillance

Geneva – At the 24th Session of the United Nations Human Rights Council on Friday, six major privacy NGOs, including the Electronic Frontier Foundation (EFF), warned nations of the urgent need to comply with international human rights law to protect their citizens from the dangers posed by mass digital surveillance.

The groups launched the “International Principles on the Application of Human Rights to Communications Surveillance” at a side event on privacy hosted by the governments of Austria, Germany, Hungary, Liechtenstein, Norway, and Switzerland. The text is available in 30 languages at

“Governments around the world are waking up to the risks unrestrained digital surveillance pose to free societies,” EFF International Rights Director Katitza Rodriguez said during the official presentation of the principles. “Privacy is a human right and needs to be protected as fiercely as all other rights. States need to restore the application of human rights to communications surveillance.”

The document was the product of a year-long negotiation process between Privacy International, the Electronic Frontier Foundation, Access, Human Rights Watch, Reporters Without Borders, and the Association for Progressive Communications. The document spells out how existing human rights law applies to modern digital surveillance and gives lawmakers and observers a benchmark for measuring states’ surveillance practices against long-established human rights standards. The principles have now been endorsed by over 260 organizations from 77 countries, from Somalia to Sweden.

Included in the 13 principles are tenets such as:

Necessity: State surveillance must be limited to that which is necessary to achieve a legitimate aim.

Proportionality: Communications surveillance should be regarded as a highly intrusive act and weighed against the harm that would be caused to the individual’s rights.

Transparency: States must be transparent about the use and scope of communications surveillance.

Public Oversight: States need independent oversight mechanisms.

Integrity of Communications and Systems: Because compromising security for state purposes always compromises security more generally, states must not compel ISPs or hardware and software vendors to include backdoors or other spying capabilities.

EFF and its co-signers will use the principles to advocate at national, regional and international levels for a change in how present surveillance laws are interpreted and new laws are crafted, including urging the United States government to re-engineer its domestic surveillance program to comply with international human rights law.

The event, “How to Safeguard the Right to Privacy in the Digital Age,” featured speakers including Navi Pillay, the United Nations High Commissioner for Human Rights, who highlighted the recent scandals over British and US surveillance programs in her introductory remarks to the Human Rights Council this week, and Frank La Rue, the United Nations Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression. Earlier this year, La Rue released a report that details the widespread use of state surveillance of communications in several countries, stating that such surveillance severely undermines a citizenry’s ability to enjoy private lives, freely express themselves and exercise their other fundamental human rights.

“Member states of the Human Rights Council should assess their surveillance laws and bring them into compliance with the 13 benchmarks,” Rodriguez says. “We must put an end to unchecked, suspicionless, mass spying online.”

EFF Explains Google Street View Ruling And What It Means for Researchers And Cops

This post, written by staff attorney Hanni Fakhoury, was originally published on the EFF website on Monday.

Is a Wi-Fi signal the equivalent of an FM radio station, blasting classic rock ballads through your car speakers?

Not to the Ninth Circuit Court of Appeals, which issued its long-awaited decision in Joffe v. Google this week, the case in which Google was sued for allegedly violating the Wiretap Act when its Street View cars sucked up data from wireless routers as they passed by.

The Background

Google’s Street View feature allows users to see photographs of specific addresses on a Google map. To generate these pictures, Google deployed a fleet of cars with cameras mounted on their roofs to drive across the world and take pictures of everything they could. From 2007 to 2010 Google also equipped these cars with antennas and software capable of scanning nearby wireless routers in order to capture information like the network’s name, a router’s MAC address and whether a Wi-Fi network was encrypted or not.

Google did this to enhance the accuracy and precision of its location-based services. But it also captured “payload data,” or the actual data transmitted through the Wi-Fi networks, including emails, usernames, passwords and more. After Google was criticized for the collection, it apologized for the program in 2010, grounded the cars and has been ordered to delete the data in some countries.
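The collection described above has two layers: the beacon metadata a location survey needs (network name, the access point’s MAC address, whether the encryption “Privacy” bit is set) and the data frames that carry payload. The following added example, which is not Google’s collection software and not code from EFF or the article’s author, parses constructed IEEE 802.11 frames and shows where that line falls: it retains beacon fields and only counts data-frame bytes without storing them. The frame constructors, the MAC addresses, the sample payload and the retention rule are assumptions made for the illustration.

```python
"""Separate Wi-Fi survey metadata from payload in raw IEEE 802.11 frames.

Added illustration for the Street View discussion; not Google's or EFF's code.
The frames are constructed test vectors, and the retention rule (keep beacon
metadata, count but never store data-frame payload) is an assumption.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Frame Control octet 0: bits 2-3 = type, bits 4-7 = subtype.
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
CAP_ESS = 1 << 0       # Capability Information: infrastructure network
CAP_PRIVACY = 1 << 4   # Capability Information "Privacy" bit: encryption in use
TAG_SSID = 0           # information element id of the SSID
HDR_LEN = 24           # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)


@dataclass
class Observation:
    kind: str                       # "beacon", "data" or "other"
    bssid: Optional[str] = None
    ssid: Optional[str] = None
    encrypted: Optional[bool] = None
    payload_bytes_dropped: int = 0  # data-frame bytes seen but not retained


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _data_bssid(frame: bytes) -> Optional[str]:
    """Locate the BSSID field of a data frame from the To/From DS flags."""
    to_ds, from_ds = frame[1] & 1, (frame[1] >> 1) & 1
    if not to_ds and not from_ds:
        return _mac(frame[16:22])   # Addr3
    if to_ds and not from_ds:
        return _mac(frame[4:10])    # Addr1
    if from_ds and not to_ds:
        return _mac(frame[10:16])   # Addr2
    return None                     # 4-address WDS frame: no single BSSID


def parse_frame(frame: bytes) -> Observation:
    """Return survey metadata for one frame; payload content is never copied out."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated 802.11 header")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == TYPE_MGMT and subtype == SUBTYPE_BEACON:
        body = frame[HDR_LEN:]
        if len(body) < 12:
            raise ValueError("truncated beacon fixed fields")
        _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
        ssid, off = None, 12
        while off + 2 <= len(body):           # walk the tagged parameters
            tag, length = body[off], body[off + 1]
            value = body[off + 2:off + 2 + length]
            if len(value) < length:
                raise ValueError("truncated information element")
            if tag == TAG_SSID:
                ssid = value.decode("utf-8", "replace")
                break
            off += 2 + length
        return Observation("beacon", _mac(frame[16:22]), ssid, bool(cap & CAP_PRIVACY))
    if ftype == TYPE_DATA:
        # Simplification: QoS control field and trailing FCS are not accounted for.
        return Observation("data", _data_bssid(frame),
                           payload_bytes_dropped=len(frame) - HDR_LEN)
    return Observation("other")


def survey(frames: list) -> tuple:
    """Build the network map a location survey needs; count payload but drop it."""
    networks, dropped = {}, 0
    for frame in frames:
        obs = parse_frame(frame)
        if obs.kind == "beacon":
            networks[obs.bssid] = {"ssid": obs.ssid, "encrypted": obs.encrypted}
        elif obs.kind == "data":
            dropped += obs.payload_bytes_dropped
    return networks, dropped


# --- constructed test vectors, not captured traffic ---------------------------
def make_beacon(bssid: bytes, ssid: str, encrypted: bool) -> bytes:
    header = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = CAP_ESS | (CAP_PRIVACY if encrypted else 0)
    return header + struct.pack("<QHH", 0, 100, cap) + bytes([TAG_SSID, len(ssid)]) + ssid.encode()


def make_data(bssid: bytes, src: bytes, dst: bytes, payload: bytes) -> bytes:
    # type=data, From DS=1 (AP to station): Addr1=DA, Addr2=BSSID, Addr3=SA
    return bytes([0x08, 0x02]) + b"\x00\x00" + dst + bssid + src + b"\x00\x00" + payload


AP_OPEN = bytes.fromhex("aabbccddee01")   # assumed address of an open network
AP_WPA = bytes.fromhex("aabbccddee02")    # assumed address of an encrypted network
SAMPLE_PAYLOAD = b"GET /inbox HTTP/1.1\r\n"  # stands in for an unencrypted request
SAMPLE_FRAMES = [
    make_beacon(AP_OPEN, "CoffeeShop", encrypted=False),
    make_beacon(AP_WPA, "HomeNet", encrypted=True),
    make_data(AP_OPEN, bytes.fromhex("0011223344ff"), bytes.fromhex("0011223344aa"), SAMPLE_PAYLOAD),
]
```

Calling `survey(SAMPLE_FRAMES)` returns the two networks with their encryption flag and the number of payload bytes that passed through unretained. The point the example makes is that the survey’s data model has no place to put payload at all; a real capture would additionally have to account for the QoS control field and the trailing FCS when computing frame lengths.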

The Lawsuit and the Law

Numerous class action lawsuits were filed against Google in 2010, claiming the company had violated federal and state wiretap laws by collecting this data. Although the Wiretap Act generally prohibits the interception of electronic and wire communications, Google moved to dismiss the case, arguing it didn’t violate the law because its collection of the data was permitted under an exception to the Wiretap Act. Under 18 U.S.C. § 2511(2)(g)(i), the interception of an “electronic communication” that “is readily accessible to the general public” is permitted.

This is really two related exceptions. The first covers electronic communications that are “readily accessible to the general public.” For example, a message posted on a public message board. The second exception comes from the definition of “readily accessible to the general public” in 18 U.S.C. § 2510(16)(a), which includes an unencrypted “radio communication.” In essence, an unencrypted radio communication is always considered to be “readily accessible to the general public.” So you can tune the radio in your car to any station without being guilty of wiretapping.

Google ultimately argued that its collection of the unencrypted Wi-Fi traffic was legal under the Wiretap Act for two reasons: first, because unencrypted Wi-Fi signals are a “radio communication,” which by definition is “readily accessible to the general public”; and second, even if they weren’t a “radio communication,” they were an electronic communication that in practice was “readily accessible to the general public.”

Unfortunately, the Wiretap Act doesn’t more specifically define what “radio communication” means and so the trial court had to resolve whether Wi-Fi signals are in fact what Congress meant by “radio communications” or not.

The lower court, after all the cases were consolidated, ultimately denied Google’s motion, finding that unencrypted Wi-Fi signals weren’t “radio communications,” but rather electronic communications. It then rejected Google’s fallback argument, finding that unencrypted Wi-Fi signals aren’t “readily accessible to the general public.”

The Ninth Circuit agreed with the trial court. On the “radio communication” issue, the appellate court ruled that Congress meant a “radio communication” to mean a “predominantly auditory broadcast” like an AM/FM or CB radio broadcast. Because data sent over a Wi-Fi signal isn’t auditory, the Court held that it was not a “radio communication” under the Wiretap Act, regardless of whether a wireless access point used radio frequencies to communicate.

Having found that the “radio communication” exception didn’t apply, it also rejected Google’s second argument that unencrypted Wi-Fi signals are “readily accessible to the general public.” The Court noted that unlike, for example, an FM radio station which could broadcast for miles, Wi-Fi signals are “geographically limited and fail to travel far beyond the walls of the home or office where the access point is located.” In addition, the Court reasoned Wi-Fi signals aren’t “accessible” because capturing them “requires sophisticated hardware and software” and “most of the general public lacks the expertise to intercept and decode payload data transmitted over a Wi-Fi network.” As a result, the lawsuit against Google will now continue.

The Good and The Bad

First, the bad. If you’re a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can help you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don’t read the actual communications—may be found in violation of the law. Given the concerns about over-criminalization and overcharging, prosecutors now have another felony charge in their arsenal.

On the other hand, the decision also provides a strong argument that the feds and other law enforcement agencies that want to spy on data transmitted over unencrypted Wi-Fi will need to get a wiretap order to do so. We’ve seen the government use a device called a “moocherhunter” without a search warrant to read Wi-Fi signals to figure out who’s connecting to a particular wireless router. This decision suggests that to the extent the government uses a device like this (or even a “stingray” to the extent it can capture Wi-Fi signals) to capture payload data—even if just to determine a person’s location—they’ll need a wiretap order to do so. That’s good news since wiretap orders are harder to get than a search warrant.

It’s doubtful this will be the last word; lower courts have disagreed with each other and the Ninth Circuit is the first appellate court to rule on the tricky issue. We’ll be following the cases closely to especially see how the government interprets the decision, both to see whether it prosecutes security researchers and whether it gets a wiretap order to use its exotic surveillance tools.