EFF Examines Government Requests For Data To Yahoo, Facebook

Ever since Google issued its first transparency report in early 2010, EFF has called on other companies to follow suit and disclose statistics about the number of government requests for user data, whether the request they receive is an official demand (such as a warrant) or an unofficial request.  After all, users make decisions every day about which companies they trust with their data, therefore companies owe it to their customers to be transparent about when they hand data over to governments and law enforcement.

Since 2010, other companies have risen to the challenge, including Microsoft, Internet service provider Sonic.Net, cloud storage providers SpiderOak and DropBox, as well as social media companies such as LinkedIn and Twitter.

Now, two more companies have joined the movement: In the past couple of months, both Yahoo and Facebook issued their first transparency reports, covering the period of January-June 2013.

While we wish they had not taken this long, the two companies deserve kudos for taking this important step. Companies are under no legal obligation to inform their customers aggregate data about government requests for their data—this is a voluntary step. Both companies are members of the Global Network Initiative, however, which counts transparency among its core principles.

User trust

But in light of this summer’s revelations about the NSA’s PRISM—the program under which the NSA gains the ability to access to the private communications of users of many of the most popular Internet services, including those owned by Google, Microsoft, Facebook, and Yahoo—Internet giants are rushing to do what they can to restore user trust.

In September, Google, Facebook, and Yahoo all filed requests to the U.S. Foreign Intelligence Surveillance Court (FISC), asking for permission to publish the specific number of National Security Letters (NSL) that the companies received in the past year as well as the total number of user accounts affected by those requests. Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the NSL power provided by five statutory provisions is one of the most frightening and invasive. These letters—the type served on communications service providers such as phone companies and ISPs and are authorized by 18 U.S.C. 2709—allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters’ existence to anyone. A federal judge found NSLs unconstitutional in March, but the order is on hold pending the government’s appeal.

Some companies have published aggregate numbers, ranging from 0-999 or 1000-1999 that give us a broad and blurry view of just how widespread the use of NSLs has been, but more detailed numbers would much more helpful to the public understanding of the surveillence, without compromising security.

So now that Facebook and Yahoo have issued transparency reports, what do they tell us?

Facebook’s Global Government Requests Report covers January-June 2013 and reveals that 71 countries requested data on a total of 37,954 to 38,954 users. Unsurprisingly, the US demanded the largest amount of user data, making somewhere between 11,000 to 12,000 requests for 20,000 to 21,000 users.

India came in a close second, with 3,245 requests for 4,144 accounts, and the United Kingdom ranked third with 1,975 requests for 2,337 users. Facebook also revealed the number of times the requests produced “some data.” Facebook handed over data to the U.S. 79% of the time, but only 50% and 68% of the time for India and the United Kingdom, respectively.

The vast majority of requests made to Facebook by less democratic countries (including Cote d’Ivoire, Nepal, and Qatar) were refused, however two nations stood out in the report: Pakistan and Turkey.  In the case of Pakistan, 35 requests were made for 47 users, 77% of which Facebook complied with.  In the case of Turkey, 96 requests for 170 users were made, and complied with 47% of the time.

What makes this unique is that no other major company has reported compliance with requests from Pakistan.  The South Asian country is nominally a democracy, but censors the Internet heavily and has made a relatively transparent effort of seeking Western companies to enable greater censorship and surveillance, a role that Canadian company Netsweeper has been all too eager to fill.  It is notable that Facebook has no offices in Pakistan (an office in-country could allow Pakistan to directly seek information from a local employee), nor has Pakistan signed a mutual legal assistance treaty (MLAT) with the US, putting Facebook under no legal obligation to comply with requests from the government.

With no offices in Turkey, either, it’s surprising to see such a high rate of compliance.  Complaints of Facebook censoring certain content in Turkey abound, and as a recent blog post by a Kurdish activist demonstrates, some of that censorship seems quite arbitrary.

At the same time, if Facebook doesn’t comply, it undoubtedly risks being blocked in these countries, just as YouTube was for several years, and a tool used by opposition figures and activists might become unavailable.  On balance, we think most countries would rightly be hesitant to remove popular Internet tool, as it may create more unrest than the information sought to be quashed.

While Facebook has been transparent about its law enforcement guidelines, information regarding its processes when it comes to international requests is vague – the data use policy allows disclosure when “consistent with internationally recognized standards,” which are not defined. Facebook could enhance its transparency by clarifying its standards for complying with requests; even if its standards are perfect in everyway, users are legitimately concerned when they do not know what standards might apply.

Like Facebook, Yahoo also reported that the United States led the number of requests, with 12,444 data requests that included 40,322 Yahoo accounts. Yahoo handed content-related data, including communications in Yahoo Mail or Messenger, photos on Flickr or Yahoo Address Book entries, over to American agencies in 4,604 cases. The company gave the government non-content related information, which includes a person’s name, location or Internet Protocol address, in 6,798 cases.

Yahoo received fewer requests from the United Kingdom (1,709) and India (1,490) than did Facebook, with similar compliance rates.  Once nice feature of Yahoo’s report is that it breaks down the type of data disclosure (non-content vs. content) in a pie chart for each country.  In the UK, for example, 44% of requests were responded to with disclosures of non-content data, while in 20% of cases, content was disclosed to law enforcement.

Surprisingly, Yahoo received far more requests from Hong Kong than any other company, and complied with 100% of them (content was only disclosed in 1% of those cases).  The South China Morning Post quoted lawmaker Charles Mok as saying that the number was high, and called on Yahoo to disclose which government agencies requested the data.

EFF: The Good And The Bad Of NSA Spying Bills In Congress

This post, written by Electronic Frontier Foundation legal director Cindy Cohn and policy analyst Mark Jaycox, was originally published by the EFF  on Oct. 22.

The Senate is moving quickly on bills to reform many aspects of the NSA spying. Currently, the Judiciary Committee, which has favored privacy in the past, and the chairs of the Intelligence Committees, Senator Dianne Feinstein and Representative Mike Rogers, will be introducing bills tackling the NSA spying.

The Intelligence Committee Bills Must be Stopped

Many of NSA reform bills going through Congress are encouraging, but the most important priority for those who want to stop the spying is to stop the bill by the Intelligence Committees of the House and Senate. The Chairs of each have confirmed that the (still secret) bill is aimed at continuing collection of everyone American’s phone records unabated. The bill will likely provide some window dressing of limited transparency, while shoring up the legal basis for the spying.

Since the leaks in June, the committees’ Chairs have defended the program with justifications the press has thoroughly debunked. While we have opinions about what the best way forward is, the only sure way to not go backwards, or seal the status quo into stone, is to stop the bill currently in the works by the Intelligence Committee chairs.

What “Stop the Spying” Looks Like

We have also been encouraged by the various other proposals being introduced. Here are some ways to think about the bills currently introduced or coming down the pike.

The good bills being proposed are omnibus bills—so-called because they change a variety of different laws. They try to stop the mass collection of innocent Americans’ calling records (using Section 215 of the Patriot Act), phone calls and emails (using Section 702 of the Foreign Intelligence Surveillance Act (FISA)), and try to introduce much needed transparency reforms to the court overseeing the spying, the Foreign Intelligence Surveillance Court (FISA Court).

So far, only S. 1551, the Intelligence Oversight and Surveillance Reform Act—sponsored by Senators Ron Wyden, Richard Blumenthal, Mark Udall, and Rand Paul—has been released. The bill is a fantastic start. The other, by Senator Patrick Leahy and Rep. Jim Sensenbrenner, is still being readied, but we’re hopeful based on what we’ve heard so far.

In general, EFF believes that whatever bill goes through Congress must stop the mass spying; either through nullifying the NSA’s interpretation of Section 215, or otherwise. And it should do so in a publicly verifiable way. It goes without saying that this is, among other things, in addition to reforming the FISA Court process, increasing transparency, and fixing National Security Letters.

Direct path: Forbid Mass Collection

There is a direct way to do this. Congress could unequivocally forbid the government from the mass collection of phone records. Congress usually does this with the phrase “notwithstanding any other law.” This is the path EFF strongly recommends. It looks something like below and includes FISA’s exceptions for wartime and other emergencies.

Notwithstanding any other law, no governmental entity shall engage in the mass collection of communications records, unless the collection is authorized pursuant to sections 1802, 1811, 1843 or 1844 of this chapter.

Indirect Path: “Pertains to” Fix

A second, less direct way, is also being considered. This requires a bit of legislative analysis to understand, so bear with us. Overall, this approach, if done carefully, may also work, but it has a more complicated story than merely banning mass collection.

The change, which we call the “pertains to” fix is to provide that, in addition to being “relevant to” an authorized investigation, the information the NSA wants must also “pertain to” a foreign agent or power. Right now the law doesn’t require that—it only requires “relevance to an authorized investigation” and then says that “relevance” is presumed to be met when information “pertains to” a foreign power.

This change would make “pertains to” a foreign agent or power a separate requirement, and was originally proposed in the 2006 debates when the Patriot Act was up for reauthorization by Congress, meaning that it needed to be voted on again. The basis for thinking that this change would stop mass collection is that, in its White Paper defending its interpretation of Section 215, the Administration pointed to the failure of this “pertains to” proposal to pass as a basis for its claim that Congress actually authorized mass spying in 2006.

The risk in this indirect path is that in the past few months we’ve seen incredibly strained legal definitions by the Department of Justice (DOJ) over words like “relevant.” The same may happen with “pertain to.” Indeed, Judge Claire Eagen of the FISA Court recently wrote that information is “relevant” to an investigation if it’s “pertinent” to the investigation. This may mean that adding “pertinent” may not be interpreted as adding any new requirements.

There’s more: in more than one of the released FISA Court opinions there are allusions to the idea that the government’s first application on May 23, 2006 discussed how all Americans’ calling records “pertain to” the activities of foreign agents. And the most recent DOJ filings—which include its motion to dismiss in the ACLU’s case against Section 215 spying and its submission to the Supreme Court in EPIC’s challenge to the spying—may also reveal that the Administration thinks any collection of records en masse “pertains to” the activities of a foreign agent or power, so long as the records can aid in the discovery of “otherwise hidden connections between individuals suspected of engaging in terrorist activity and unknown co-conspirators with whom they maintain contact in the United States.” These are just some of the reasons why Congress must be certain to stop the abuse of Section 215 with clear—and definitive—language.

Spying On Innocent Users Must Stop

Of course it may be that a court will interpret Congress’ actions in adding the “pertain to” requirement as forbidding mass spying. To be sure, the NSA will find it difficult to get around Congressional intent if the legislative history is clear. So the indirect path might work, despite the DOJ’s theories, and may be more politically palatable. Regardless of whether the issue is taken on directly or indirectly; however, EFF believes that Congress must take steps to stop mass spying. And we’ll be there in the courts to enforce it, long after the spotlight in Congress has moved on.

Why Hollywood Should Stop Pushing For More Government Internet Control

This post, written by global policy analyst Maira Sutton and activist Parker Higgins, originally appeared on the Electronic Frontier Foundation’s website on Oct. 18.

The content lobby’s narrative about the Internet’s impact on the creative industry has grown all too familiar. According to this tiresome story, Hollywood is doing everything it can to prevent unauthorized downloading, but people—enabled by peer-to-peer technologies, “rogue” websites, search engines, or whatever the bogeyman of the moment is—keep doing it anyway. As a result, say groups like the Motion Picture Association of America (MPAA), creators are deprived of their hard-earned and well-deserved profits and have little incentive to keep creating.

There’s a lot that’s wrong with this story (like the assumption that most copyright royalties actual end up in the pockets of the artists). But one of the most pernicious aspects is the idea that Hollywood is actually making a sincere effort to meet user demand.

That’s why we’re happy to see a new website called PiracyData.org, is helping to tell another crucial part of the story. As the site shows, the studios aren’t keeping up with the markets that new technologies enable—which is why, in many cases, the most popular films are not even available through preferred legal channels.

The site lists the top 10 most pirated films on BitTorrent and checks whether those films are available to stream, rent, or purchase digitally. In a simple chart, it shows how few options users have for accessing these in-demand movies. Since the site began recording three weeks ago, only 20% have been available for digital rental and none have been available for streaming. This site goes to highlight the underlying problem of unauthorized file sharing: the high demand for legal access to films is not being met when we clearly already have the technology to enable this experience.

Of course, this data confirms the long-held suspicions of many who object to Hollywood’s demand for ever more draconian copyright enforcement efforts. Instead of focusing on piracy and spending millions on lobbying for those policy changes, the content industry should be investing its resources into creating better and more accessible platforms for users. Unfortunately, Hollywood refuses to acknowledge that reality. We’ve seen the industry demonstrate that with its continuing efforts to push legislation that runs counter to the public interest, and its stubborn refusal to offer content in the formats people have been shown to prefer.

If the studios were to invest their considerable resources in meeting the market demand, it could lead to a very profitable digital marketplace. We said this before, and we’ll keep saying it until it sinks in: the hard-working men and women in the entertainment industry should stand up and tell their leaders to either embrace the age of the Internet or get out of the way so that new, forward-thinking industry leaders can take their place.

Protect Your Privacy: EFF Explains How To Opt Out Of Google’s Shared Endorsements

This post, written by activist Adi Kamdar, originally appeared on the Electronic Frontier Foundation’s website on Oct. 17.

Google recently announced an update to its Terms of Service, focused on displaying your profile name and photo next to advertisements and reviews. The new feature, which goes into effect on November 11, is called Shared Endorsements and will allow you to share your recommendations (whether a +1 on Google Play or a restaurant rating on Google Maps) with your connections.

For example, if your friend searches “Indian food” and an advertisement shows up for a local restaurant you’ve rated, your profile picture, name, and review might show up alongside it. Many users will take issue with their likeness used to promote sponsored links without their explicit consent—as Facebook knows all too well. Even more users rightfully have concerns with the fact that old comments posted with one online landscape in mind are now being reused in a completely different manner and placed before a completely different audience.

A crucial component of privacy is control, and being able to control how your information is used is an important user right. Thankfully, Google has made it very simple to opt out of Shared Endorsements. Here’s how:

Step 1: Go To Your Settings

Go to the Shared Endorsements setting page. You can find this page by going to Google Plus and clicking “Settings” in the toolbar on the left. Next to “Shared Endorsements,” click “Edit.”

Step 2: Uncheck The Box

Scroll down and make sure the box is unchecked. Once it is unchecked, click “Save.”

That’s it! If you follow these two steps, you’ll have successfully opted out of Google’s Shared Endorsements feature.

(If you have several Google accounts, or if you manage various Google Plus pages, you will need to repeat these steps for each of them.)

EFF Takes On The Drug Enforcement Agency’s Secret Use Of Electronic Surveillance In Criminal Cases

This post, written by attorney Hanni Fakhoury, was originally published Oct. 15 on the Electronic Frontier Foundation’s website.

Given the recent revelations about just how pervasive the government’s electronic surveillance has been, it’s no surprise these surveillance programs are popping up in criminal cases, as defense attorneys are finding gaps in how the government collected particular pieces of electronic evidence on their clients. A new amicus brief we filed today with the ACLU and the ACLU of Northern California in a drug case in San Francisco federal district court asks the court to order the government to fill these gaps.

The case involves 20 co-defendants charged with transporting and distributing drugs from San Francisco to Seattle. During the investigation, the government obtained records on over 700,000 phone calls made by more than 600 different phone numbers, including records such as numbers dialed or dialing in, the date, time and duration of the calls, and in some cases location information. Yet despite the sheer volume of calls at issue, the government produced to the defense attorneys court orders authorizing collection on only 52 of these phone numbers. The enormous discrepancy between the call data actually collected and the court orders authorizing the collection raises serious questions about whether the government took advantage of the controversial surveillance programs recently leaked to the press.

In June, details of the NSA’s bulk telephone records collection program was published by The Guardian. Then in August, Reuters reported about the NSA’s practice of funneling information to the Drug Enforcement Administration’s Special Operations Division (“SOD”). In turn, the DEA and SOD would use the information to generate its own independent leads and then deliberately omit the NSA’s involvement in reports and affidavits, effectively “laundering” the intelligence. Then, in September, the New York Times reported that DEA agents had direct access into AT&T’s database known as “Hemisphere” that contained millions of records about phone calls dating back to 1987. Like SOD, agents are deliberately instructed to omit referencing the Hemisphere program in court documents.

With all this information coming to light, criminal defendants are fighting to uncover what type of electronic surveillance really occurred in their criminal cases, and how information was obtained by the government. In our amicus brief, we ask a federal district court to order the government to provide more information about how it potentially used these surveillance programs in criminal cases.

For example, investigators in the San Francisco drug case were able to locate a phone number for a suspect only two days after his prior number had been disconnected. The reports turned over to defense attorneys indicated that the information was obtained by a confidential source, and that may very well be true. But this ability to connect an old phone number with a new one sounds exactly like what the Hemisphere program is capable of doing. Yet, there’s no mention of the Hemisphere program in any of the investigative reports, a glaring omission that is consistent with the DEA’s directive to agents to “never refer to Hemisphere in any official document” and instead lie that the “results were obtained from an AT&T subpoena.”

Deliberately omitting this information is all part of DEA’s act of, in their own words, “protecting the program.” As we explain in our amicus brief, this deliberate omission runs afoul of the Fifth Amendment’s guarantee of due process. Specifically, under Brady v. Maryland, the government must disclose “material” evidence that is favorable to the defense. “Material” means the evidence could affect the outcome of the criminal proceeding and Brady‘s obligation extends to “material” facts relevant to raising Fourth Amendment challenges. Here, understanding if and how these surveillance programs were used would be “material” for three reasons.

First, if these programs were used to obtain evidence against a criminal defendant, the defendant must be given an opportunity to challenge that evidence. They couldn’t do so without the full facts of whether the programs were used, and how. Second, the government must turn over evidence that bears on the credibility of a witness. A witness’ credibility is an important factor in determining whether probable cause exists, and that obligation is not just reserved to the government’s use of human witnesses. The Ninth Circuit Court of Appeals (which has jurisdiction on the federal court in San Francisco) has explained that these discovery obligations require the government to disclose evidence of a drug detecting dog’s reliability. We believe the same obligations extend to electronic surveillance too. Third, in Franks v. Delaware, the US Supreme Court ruled that a criminal defendant has a right to challenge false or deliberately omitted statements in a search warrant affidavit. In turn, the Ninth Circuit has held Brady requires prosecutors to disclose evidence that could be used to impeach the testimony of an officer at a suppression hearing. Thus, to the extent officers used the program, it would impeach their claims that they relied on an administrative subpoena or a confidential source to get the information.

While it may seem like connecting these surveillance programs to domestic criminal cases is “highly hypothetical,” the operation of these programs outside of the public eye, coupled with the directive that agents utilizing SOD and Hemisphere hide the existence of the programs from even judges and prosecutors means courts must require the government to dig deeper and untangle how electronic surveillance actually occurred in a criminal case. The Supreme Court in Franks noted the Fourth Amendment “would be reduced to a nullity if a police officer was able to use deliberately falsified allegations to demonstrate probable cause, and, having misled the magistrate, then was able to remain confident that the ploy was worthwhile.” We hope the Court here and in other criminal cases orders the government to come clean.

Polls Continue to Show Majority of Americans Against NSA Spying

This post, by Policy Analyst and Legislative Assistant Mark M. Jaycox, originally appeared on the Electronic Frontier Foundation website on Oct. 7.

Shortly after the June leaks, numerous polls asked the American people if they approved or disapproved of the National Security Agency spying, which includes collecting telephone records using Section 215 of the Patriot Act and collecting phone calls and emails using Section 702 of the Foreign Intelligence Surveillance Act. The answer then was a resounding no, and new polls released in August and September clearly show Americans’ increasing concern about privacy has continued.

Since July, many of the polls not only confirm the American people think the NSA’s actions violate their privacy, but think the surveillance should be stopped. For instance in an Associated Press poll, nearly 60 percent of Americans said they oppose the NSA collecting data about their telephone and Internet usage. In another national poll by The Washington Post and ABC News, 74 percent of respondents said the NSA’s spying intrudes on their privacy rights. This majority should come as no surprise, as we’ve seen a sea change in opinion polls on privacy since the Edward Snowden revelations started in June.

What’s also important is that it crosses political party lines. The Washington Post/ABC News poll found 70 percent of Democrats and 77 percent of Republicans believe the NSA’s spying programs intrude on their privacy rights. This change is significant, showing that privacy is a bipartisan issue. In 2006, a similar question found only 50 percent of Republicans thought the government intruded on their privacy rights.

Americans also continue their skepticism of the Federal government and its inability to conduct proper oversight. In a recent poll, Rasmussen — though sometimes known for push polling — revealed that there’s been a 30 percent increase in people who believe it is now more likely that the government will monitor their phone calls. Maybe even more significant is that this skepticism carries over into whether Americans believe the government’s claim that it “robustly oversees” the NSA’s programs. In a Huffpost/You Gov poll, 53 percent of respondents said they think “the federal courts and rules put in place by Congress” do not provide “adequate oversight.” Only 18 percent of people agreed with the statement.

Americans seem to be waking up from its surveillance state slumber as the leaks around the illegal and unConstitutional NSA spying continue. The anger Americans — especially younger Americans — have around the NSA spying is starting to show. President Barack Obama has seen a 14-point swing in his approval and disapproval rating among voters aged 18-29 after the NSA spying.

These recent round of polls confirm that Americans are not only concerned with the fact that the spying infringes their privacy, but also that they want the spying to stop. And this is even more so for younger Americans. Now is the time for Congress to act: click here now to join the StopWatching.Us coalition.

EFF Provides An In-Depth Look At How The NSA Deploys Malware

This article, written by staff technologist Dan Auerbach, was originally published by the Electronic Frontier Foundation on Oct. 8.

We’ve long suspected that the NSA, the world’s premiere spy agency, was pretty good at breaking into computers. But now, thanks to an article by security expert Bruce Schneier—who is working with the Guardian to go through the Snowden documents—we have a much more detailed view of how the NSA uses exploits in order to infect the computers of targeted users. The template for attacking people with malware used by the NSA is in widespread use by criminals and fraudsters, as well as foreign intelligence agencies, so it’s important to understand and defend against this threat to avoid being a victim to the plethora of attackers out there.

How Does Malware Work Exactly?

Deploying malware over the web generally involves two steps. First, as an attacker, you have to get your victim to visit a website under your control. Second, you have to get software—known as malware—installed on the victim’s computer in order to gain control of that machine. This formula isn’t universal, but is often how web-based malware attacks proceed.

In order to accomplish the first step of getting a user to visit a site under your control, an attacker might email the victim text that contains a link to the website in question, in a so-called phishing attack. The NSA reportedly uses phishing attacks sometimes, but we’ve learned that this step usually proceeds via a so-called “man-in-the-middle” attack.1 The NSA controls a set of servers codenamed “Quantum” that sit on the Internet backbone, and these servers are used to redirect targets away from their intended destinations to still other NSA-controlled servers that are responsible for the injection of malware. So, for example, if a targeted user visits “yahoo.com”, the target’s browser will display the ordinary Yahoo! landing page but will actually be communicating with a server controlled by the NSA. This malicious version of Yahoo!’s website will tell the victim’s browser to make a request in a background to another server controlled by the NSA which is used to deploy malware.

Once a victim visits a malicious website, how does the attacker actually infect the computer? Perhaps the most straightforward method is to trick the user into downloading and running software. A cleverly designed pop-up advertisement may convince a user to download and install the attacker’s malware, for example.

But this method does not always work, and relies on a user taking action to download and run software. Instead, attackers can exploit software vulnerabilities in the browser that the victim is using in order to gain access to her computer. When a victim’s browser loads a website, the software has to perform tasks like parsing text given to it by the server, and will often load browser plugins like Flash that run code given to it by the server, in addition to executing Javascript code given to it by the server. But browser software—which is becoming increasingly complex as the web gains more functionality—doesn’t work perfectly. Like all software, it has bugs, and sometimes those bugs are exploitable security vulnerabilities that allow an attacker to gain access to a victim’s computer just because a particular website was visited. Once browser vendors discover vulnerabilities, they are generally patched, but sometimes a user has out of date software that is still vulnerable to known attack. Other times, the vulnerabilities are known only to the attacker and not to the browser vendor; these are called zero-day vulnerabilities.

The NSA has a set of servers on the public Internet with the code name “FoxAcid” used to deploy malware. Once their Quantum servers redirect targets to a specially crafted URL hosted on a FoxAcid server, software on that FoxAcid server selects from a toolkit of exploits in order to gain access to the user’s computer. Presumably this toolkit has both known public exploits that rely on a user’s software being out of date, as well as zero-day exploits which are generally saved for high value targets.2 The agency then reportedly uses this initial malware to install longer lasting malware.

Once an attacker has successfully infected a victim with malware, the attacker generally has full access to the user’s machines: she can record key strokes (which will reveal passwords and other sensitive information), turn on a web cam, or read any data on the victim’s computer.

What Can Users Do To Protect Themselves?

We hope that these revelations spur browser vendors to action, both to harden their systems against exploits, and to attempt to detect and block the malware URLs used by the FoxAcid servers.

In the meantime, users concerned about their security should practice good security hygiene. Always keep your software up to date—especially browser plugins like Flash that require manual updates. Make sure you can distinguish between legitimate updates and pop-up ads that masquerade as software updates. Never click a suspicious looking link in an email.

For users who want to go an extra step towards being more secure—and we think everyone should be in this camp—consider making plugins like Flash and Java “click-to-play” so that they are not executed on any given web page until you affirmatively click them. For Chromium and Chrome, this option is available in Settings => Show Advanced Settings => Privacy => Content Settings => Plug-ins. For Firefox, this functionality is available by installing a browser Add-On like “Click to Play per-element”. Plugins can also be uninstalled or turned off completely. Users should also use ad blocking software to stop unnecessary web requests to third party advertisers and web trackers, and our HTTPS Everywhere add-on in order to encrypt connections to websites with HTTPS as much as possible.

Finally, for users who are willing to notice some more pain when browsing the web, consider using an add-on like NotScripts (Chrome) or NoScript (Firefox) to limit the execution of scripts. This means you will have to click to allow scripts to run, and since Javascript is very prevalent, you will have to click a lot. For Firefox users, RequestPolicy is another useful add-on that stops third-party resources from loading on a page by default. Once again, as third-party resources are popular, this will disrupt ordinary browsing a fair amount. Finally, for the ultra paranoid, HTTP Nowhere will disable all HTTP traffic completely, forcing your browsing experience to be entirely encrypted, and making it so that only websites that offer an HTTPS connection are available to browse.


The NSA’s system for deploying malware isn’t particularly novel, but getting some insight into how it works should help users and browser and software vendors better defend against these types of attacks, making us all safer against criminals, foreign intelligence agencies, and a host of attackers. That’s why we think it’s critical that the NSA come clean about its capabilities and where the common security holes are—our online security depends on it.

1. The term “man-in-the-middle” is sometimes reserved for attacks on cryptographically secure connections, for example using a fraudulent SSL certificate. In this context, however, we mean it more generally to mean any attack where the attacker sits between the victim and the intended website.
2. According to the Guardian article, “the most valuable exploits are saved for the most important targets.”

EFF: Technology Is Not To Blame In Silk Road Takedown

This article, written by Parker Higgins, was originally published by the Electronic Frontier Foundation on Oct. 3.

The man alleged to be “Dread Pirate Roberts,” the founder and operator of the Silk Road—an online marketplace where bitcoins were traded for a range of goods and services, including drugs—was arrested by the FBI in San Francisco yesterday. The criminal complaint, released today, provides many details about how the site and its users relied on widespread anonymity technology, including Tor and Bitcoin.

The increased attention on this technology is a good reminder about how important it is not to blame these tools for the actions of a small portion of their users. The public wouldn’t tolerate a campaign to malign the car because of its utility as a getaway vehicle for bank robbers; we must apply the same critical thinking to essential privacy-preserving technology.

In certain parts of the complaint, even the federal agent behind the investigation and the Justice Department attorney in charge of the case acknowledge this. In describing how Tor was required to access the Silk Road (the site was configured as a Tor hidden service), they state that “Tor has known legitimate uses”. Similarly, “Bitcoins are not illegal in and of themselves and have known legitimate uses.”

Elsewhere the complaint goes astray. For example, it asserts that the suspect’s efforts to “‘hide the identities of those that run Silk Road’ reflect his awareness of the illegal nature of the Silk Road enterprise.” Of course, that explanation overlooks the countless lawful reasons why a person would want to engage in anonymous speech—and in the process hide the identities of those behind the technical infrastructure—that don’t involve breaking the law.

Similarly, the complaint’s description of the bitcoin “tumbler” that the Silk Road employed to obscure the parties involved in each transaction is alarmingly limited. According to the complaint, “the only function served by such ‘tumblers’ is to assist with the laundering of criminal proceeds.” Really, the purpose of a tumbler is to attempt to make a bitcoin transaction as anonymous and private as cash. Certainly one can take issue with Silk Road’s use of the technology in particular. It’s incredibly dangerous, though, to say that anonymous currency—whether bitcoins or traditional cash—is only of interest to drug dealers or money launderers.

It’s essential that the use of encryption, anonymization techniques, and other privacy practices is not deemed a suspicious activity. Rather, it must be recognized as an essential element for practicing freedom of speech in a digital environment.

In some ways, the complaint provides encouragement to those who depend on this technology to engage in speech privately and anonymously. After all, it was human error, and the chance discovery of nine fake ID cards in a routine package inspection at the border, that led to the final round of investigation. This summer’s revelations about the NSA’s subverting certain cryptographic technologies have definitely heightened fears in the security community. Although there are still some unanswered questions about the investigation, it’s a small relief that, for now, those fears weren’t confirmed by the criminal complaint.

The point remains, however, that relegating these technologies by associating them only with their criminal use threatens to undermine their ability to enable important, lawful speech.

Unfortunately, we’ve witnessed that sort of demonization of technology before. We’ve seen it in attempts to target peer-to-peer protocols because they can be used for copyright infringement; in the outrageous stacking of penalties that can result in decades of possible prison time for violations of the Computer Fraud and Abuse Act; in the original “Crypto Wars” of the 1990s and their reprise today; and in many other places besides.

The allegations against the Silk Road are serious, and may get even more so as the case progresses to formal charges and a trial. But if the government puts undue weight on the suspect’s use of technology, instead of the actual crimes of which he is accused, the public will be worse off for it.

Join EFF And The Stopwatching.Us Coalition To Stop Government Spying

This post originally appeared on the Electronic Frontier Foundation’s website.

This summer, some of our worst fears and suspicions about the NSA have been confirmed. We now have evidence that the NSA is actively undermining the basic security of the Internet. It is collecting millions and millions of phone records of individuals not suspected of any crime. It is surveilling journalists.

The NSA’s overreaching surveillance is creating a climate of fear and chilling free speech. Its addiction to secrecy makes real accountability impossible

But there’s a movement forming to change all of this. And we’re about to take the next step.

On the weekend of October 26 — the 12th anniversary of the signing of the USA PATRIOT Act — thousands of people from across the political spectrum will unite in Washington, D.C. to take a stand against unconstitutional surveillance. Please join EFF in D.C. for a day of grassroots training and citizen lobbying on October 25th and a historic rally and petition delivery on October 26th.

Stopwatching.Us is a politically diverse coalition including more than 100 public advocacy organizations and companies, including EFF, ACLU, FreedomWorks, Free Press, Mozilla, National Libertarian Party, reddit, Restore the Fourth and Thoughtworks.

We want you to join us in D.C. for this event. There will be speakers, privacy experts, live music, and an opportunity to be part of the official delivery of the Stop Watching Us petition to Congress – a petition in which over a half million people have called for an end to mass, suspicionless surveillance.

Join us in Washington.

– RSVP on the event page (privacy policy here): https://rally.stopwatching.us
– RSVP for the lobby day here: https://rally.stopwatching.us/lobbyday.html

Note: you do not need to RSVP to attend the rally, but it helps us gauge numbers. RSVPing to the event means that you may be contacted about other Stopwatching events and updates. If you would prefer not to have that type of contact, please RSVP to EFF here.

We’re planning a two-day event. Here are the details:

Friday, October 25th: Training and lobby day

If you are coming from out of town, you should plan to arrive in D.C. on Thursday night so you can join us for trainings on Friday morning. EFF is working with our friends Public Knowledge and other members of the Stopwatching.us coalition to host a lobby day in D.C. on NSA surveillance. On Friday morning, we’ll give you an overview of NSA surveillance, including talking points and handouts, and prepare you to meet with staffers. Then you will meet with key Hill staffers and elected officials to explain your concerns about NSA surveillance. Don’t worry – we schedule the meetings for you. We’ll be done by midafternoon.

In person meetings are the most effective way for an individual to influence Congress on an issue (except maybe giving them a lot of money).  Even if you’ve never considered lobbying on an issue, this is a not-to-be-missed opportunity to change America’s stance on surveillance.

Saturday, October 26th: Rally against mass surveillance

The Stopwatching.us coalition is hosting a historic rally in Washington D.C on Saturday October 26th – the 12th anniversary of the signing of the Patriot Act.  We’ll be joined by YACHT, the indie pop duo that’s sweeping the nation with its new song, “Party at the NSA.”  With your help, we’re going to create an amazing rally for privacy. Will you be there?

Hundreds of thousands of people have spoken out since the major NSA leaks began this June. Dozens of members of Congress have introduced bills aimed at reining in the NSA, and hundreds of organizations and companies are uniting to end the NSA’s unconstitutional surveillance.

But we will only succeed if we take the next step and raise our voices. RSVP now.

U.N. Launches Thirteen Principles Against Unchecked Surveillance

Geneva - At the 24th Session of the United Nations Human Rights Council on Friday, six major privacy NGOs, including the Electronic Frontier Foundation (EFF), warned nations of the urgent need comply with international human rights law to protect their citizens from the dangers posed by mass digital surveillance.

The groups launched the “International Principles on the Application of Human Rights to Communications Surveillance” at a side event on privacy hosted by the governments of Austria, Germany, Hungary, Liechtenstein, Norway, and Switzerland. The text is available in 30 languages at http://necessaryandproportionate.org.

“Governments around the world are waking up to the risks unrestrained digital surveillance pose to free societies,” EFF International Rights Director Katitza Rodriguez said during the official presentation of the principles. “Privacy is a human right and needs to be protected as fiercely as all other rights. States need to restore the application of human rights to communications surveillance.”

The document was the product of a year-long negotiation process between Privacy International, the Electronic Frontier Foundation, Access, Human Rights Watch, Reporters Without Borders, and the Association for Progressive Communications. The document spells out how existing human rights law applies to modern digital surveillance and gives lawmakers and observers a benchmark for measuring states’ surveillance practices against long-established human rights standards. The principles have now been endorsed by over 260 organizations from 77 countries, from Somalia to Sweden.

Included in the 13 principles are tenets such as:

Necessity: State surveillance must be limited to that which is necessary to achieve a legitimate aim.

Proportionality: Communications surveillance should be regarded as a highly intrusive act and weighed against the harm that would be caused to the individual’s rights.

Transparency: States must be transparent about the use and scope of communications surveillance. Public Oversight: States need independent oversight mechanisms.

Integrity of Communications and Systems: Because compromising security for state purposes always compromises security more generally, states must not compel ISPs or hardware and software vendors to include backdoors or other spying capabilities.

EFF and its co-signers will use the principles to advocate at national, regional and international levels for a change in how present surveillance laws are interpreted and new laws are crafted, including urging the United States government to re-engineer its domestic surveillance program to comply with international human rights law.

The event, “How to Safeguard the Right to Privacy in the Digital Age,” featured speakers including Navi Pillay, the United Nations High Commissioner for Human Rights–who highlighted the recent scandals over British and US surveillance programs in her introductory remarks to the Human Rights Council this week—and Frank La Rue, the United Nations Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression. Earlier this year, LaRue released a report that details the widespread use of state surveillance of communications in several countries, stating that such surveillance severely undermines a citizenry’s ability to enjoy private lives, freely express themselves and exercise their other fundamental human rights.

“Member states of the Human Rights Council should assess their surveillance laws and bring them into compliance with the 13 benchmarks,” Rodriguez says. “We must put an end to unchecked, suspicionless, mass spying online.”

EFF Explains Google Street View Ruling And What It Means for Researchers And Cops

This post, written by staff attorney Hanni Fakhoury, was originally published on the EFF website on Monday.

Is a Wi-Fi signal the equivalent of an FM radio station, blasting classic rock ballads through your car speakers?

Not to the Ninth Circuit Court of Appeals, which issued its long awaited decision in Joffe v. Google this week, the case where Google was sued for allegedly violating the Wiretap Act when its Street View cars sucked up data from wireless routers as it passed by.

The Background

Google’s Street View feature allows users to see photographs of specific addresses on a Google map. To generate these pictures, Google deployed a fleet of cars with cameras mounted on top of their roofs to drive across the world and take pictures of everything it could. From 2007 to 2010 Google also equipped these cars with antennas and software that were capable of scanning wireless routers nearby in order to capture information like the network’s name, a router’s MAC addresses and whether a Wi-Fi network was encrypted or not.

Google did this to enhance the accuracy and precision of its location based services. But it also captured “payload data,” or the actual data transmitted through the Wi-Fi networks, including emails, usernames, passwords and more. After Google was criticized for the collection it apologized for the program in 2010, grounded the cars and has been ordered to delete the data in some countries.

The Lawsuit and the Law

Numerous class action lawsuits were filed against Google in 2010, claiming the company had violated federal and state wiretap laws by collecting this data. Although the Wiretap Act generally prohibits the interception of electronic and wire communications, Google moved to dismiss the case, arguing it didn’t violate the law because its collection of the data was permitted under an exception to the Wiretap Act. Under 18 U.S.C. § 2511(2)(g)(i), the interception of an “electronic communication” that “is readily accessible to the general public” is permitted.

This is really two related exceptions. The first covers electronic communications that are “readily accessible to the general public.” For example, a message posted on a public message board. The second exception comes from the definition of “readily accessible to the general public” in 18 U.S.C. § 2510(16)(a), which includes an unencrypted “radio communication.” In essence, an unencrypted radio communication is always considered to be “readily accessible to the general public.” So you can tune the radio in your car to any station without being guilty of wiretapping.

Google ultimately argued that its collection of the unencrypted Wi-Fi traffic was legal under the Wiretap Act for two reasons; first because unencrypted Wi-Fi signals are a “radio communication” which by definition is “readily accessible to the general public.” And second, even if it wasn’t a “radio communication,” it was an electronic communication that in practice was “readily accessible to the general public.”

Unfortunately, the Wiretap Act doesn’t more specifically define what “radio communication” means and so the trial court had to resolve whether Wi-Fi signals are in fact what Congress meant by “radio communications” or not.

The lower court, after all the cases were consolidated, ultimately denied Google’s motion, finding that unencrypted Wi-Fi signals weren’t “radio communications,” but rather electronic communications. It then rejected Google’s fallback argument, finding that unencrypted Wi-Fi signals aren’t “readily accessible to the general public.”

The Ninth Circuit agreed with the trial court. On the “radio communication” issue, the appellate court ruled that Congress meant a “radio communication” to mean a “predominantly auditory broadcast” like an AM/FM or CB radio broadcast. Because data sent over a Wi-Fi signal isn’t auditory, the Court held that it was not a “radio communication” under the Wiretap Act, regardless of whether a wireless access point used radio frequencies to communicate.

Having found that the “radio communication” exception didn’t apply, it also rejected Google’s second argument that unencrypted Wi-Fi signals are “readily accessible to the general public.” The Court noted that unlike, for example, an FM radio station which could broadcast for miles, Wi-Fi signals are “geographically limited and fail to travel far beyond the walls of the home or office where the access point is located.” In addition, the Court reasoned Wi-Fi signals aren’t “accessible” because capturing them “requires sophisticated hardware and software” and “most of the general public lacks the expertise to intercept and decode payload data transmitted over a Wi-Fi network.” As a result, the lawsuit against Google will now continue.

The Good and The Bad

First, the bad. If you’re a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can help you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don’t read the actual communications —may be found in violation of the law. Given the concerns about over-criminalization and overcharging, prosecutors now have another felony charge in their arsenal.

On the other hand, the decision also provides a strong argument that the feds and other law enforcement agencies that want to spy on data transmitted over unencrypted Wi-Fi will need to get a wiretap order to do so. We’ve seen the government use a device called a “moocherhunter” without a search warrant to read Wi-Fi signals to figure out who’s connecting to a particular wireless router. This decision suggests that to the extent the government uses a device like this (or even a “stingray” to the extent it can capture Wi-Fi signals) to capture payload data —even if just to determine a person’s location—they’ll need a wiretap order to do so. That’s good news since wiretap orders are harder to get than a search warrant.

It’s doubtful this will be the last word; lower courts have disagreed with each other and the Ninth Circuit is the first appellate court to rule on the tricky issue. We’ll be following the cases closely to especially see how the government interprets the decision, both to see whether it prosecutes security researchers and whether it gets a wiretap order to use its exotic surveillance tools.

A Cheat Sheet To Congress’ NSA Spying Bills

This post, by Policy Analyst and Legislative Assistant Mark M. Jaycox, originally appeared on the Electronic Frontier Foundation website on Sept. 11.

The veil of secrecy around the government’s illegal and unConstitutional use of both Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA) is being lifted. As a result, Congress has seen a flurry of legislation to try and fix the problems; however, as we’ve been saying since June there are far more questions than answers about the spying. And Congress must create a special investigative committee to find out the answers. Right now, the current investigations are unable to provide the American public with the information it needs.

For now, here’s a quick summary of the bills in Congress drafted after the June leaks that have a chance to go forward. They try to fix Section 215 of the Patriot Act, curtail the secret law being created by the surveillance court overseeing the spying (the Foreign Intelligence Surveillance Court, or FISA court), and change how the FISA court operates. Unfortunately, there is no bill in Congress with prospects of moving forward that tackles Section 702 of FISA — the section used for PRISM.

Quick Links:

Section 215 Bills:

Senator Patrick Leahy: The FISA Accountability and Privacy Protection Act of 2013

Representatives John Conyers and Justin Amash: The LIBERT-E Act

Ending Secret Law:

Representatives Adam Schiff and Todd Rokita: The Ending Secret Law Act

Corporate Disclosure:

Senator Al Franken: The Surveillance Transparency Act of 2013

Representatives Rick Larsen and Justin Amash: The Government Surveillance Transparency Act of 2013

Restructuring the FISA Court:

Senator Richard Blumenthal: The FISA Court Reform Act of 2013 and the FISA Court Judge Selection Reform Act

Representative Adam Schiff: The Presidential Appointment of FISA Court Judges Act

Representative Steve Cohen: The FISA Court Accountability Act

Section 215 Bills

Here are the bills that focus on trying to fix Section 215 of the Patriot Act:

Senator Patrick Leahy: The FISA Accountability And Privacy Protection Act Of 2013

Leahy’s bill is an overarching bill that includes language to try and stop mass spying, increase the number of reports about the spying and publicly disclose the secret law supposedly justifying the programs. The bill makes sure a Section 215 order must include “specific and articulable facts” that the information is relevant to an investigation and that the order “pertains to” an individual. It’s a good start; however, with the released Administration White Paper, the Leahy language doesn’t look strong enough to stop the abusive use of Section 215. Leahy has said that he will continue to refine the bill as it moves forward. This is good news, as a bill from Senators Mark Udall and Ron Wyden’s uses similar language.

Representatives John Conyers And Justin Amash: The LIBERT-E Act

Conyers and Amash present one of the few Section 215 fixes in the House of Representatives with the potential to move forward. Similar to Senator Leahy’s bill, the bill by Conyers and Amash mandates every order include “specific and articulable facts.” But the bill is also more specific: It adds that an order must “pertain only to an individual” under investigation. Other bills introduced to stop the abuse of Section 215 include bills by Representative Dennis Ross and Representative Michael Fitzpatrick. Both are similar to Conyers’ and Amash’s bill, except that Fitzpatrick includes a requirement that the records sought are “material” to an investigation. Representative Rush Holt also has a bill completely repealing Section 215 and Section 702.

Lastly, Representatives Jim Sensenbrenner and Zoe Lofgren have also announced they plan to propose legislation tackling many of the issues brought forward by the June leaks. Both representatives have been at the forefront of fighting against the Administration’s use of Section 215 to obtain innocent Americans’ calling information, and the Electronic Frontier Foundation is excited to see what they come up with.

Ending Secret Law

Currently, almost all of the decisions and orders by the secret FISA court are unknown to the public. The bills by Leahy, Udall, Merkley Conyers all have sections that create processes for the release of the secret law supposedly justifying the NSA’s programs. But there are also bills in Congress solely dedicated to disclosing the opinions:

Representatives Adam Schiff And Todd Rokita: The Ending Secret Law Act

The bill by Schiff and Rokita compels the Attorney General to release all decisions, orders and opinions with significant legal interpretations of the law. All opinions submitted to Congress before enactment must be released within 180 days, and all opinions submitted to Congress after enactment must be released within 45 days. If the Attorney General decides the opinions cannot be released due to national security, then he must release a summary of the decision. The same bill was introduced in the Senate by Senators Jeff Merkley and Mike Lee, and also in the House by Representative Sheila Jackson-Lee.

Corporate Disclosure

Senator Al Franken: The Surveillance Transparency Act Of 2013

There are also bills allowing companies to disclose further details any secret FISA order they receive for customer information. For instance, Franken’s Surveillance Transparency Act of 2013 requires the government to provide more reports to Congress and the public about its use of the Foreign Intelligence Surveillance Act, how many orders were filed and how many individuals it impacted. The bill also ensures companies can disclose similar information every six months.

Representatives Rick Larsen And Justin Amash: The Government Surveillance Transparency Act Of 2013

A bill by Larsen and Amash also seeks to increase reporting on how the government uses FISA. The bill, HR 2736, requires in aggregate numbers the number of orders the government filed using the Foreign Intelligence Surveillance Act, the number of people impacted by the orders and a general description of the information sought by the order.

Restructuring The FISA Court

Lastly, there are bills that seek to reorganize the FISA court. Currently, the judges on the court are selected by the Chief Justice of the Supreme Court. The court is also one-sided: When the government requests the calling information for every American, there is no one to argue against it. There are quite a few bills that seek to restructure and fix the FISA Court.

Senator Richard Blumenthal: The FISA Court Reform Act Of 2013 And The FISA Court Judge Selection Reform Act

Blumenthal has introduced two bills, S 1460 and S 1467 to change how the FISA court operates. The first bill establishes an Office of the Special Advocate (OSA) which introduces an adversary to the court. The OSA can contest FISA court orders, appeal orders all the way to the Supreme Court, request declassification of documents and call for public amicus briefs in certain cases.

The second bill, seeks to address the problem of judicial selection. What’s resulted as a result of FISA court judges being picked by the Chief Justice of the Supreme Court is a court heavily slanted toward former prosecutors and the eastern part of the United States. Instead of having a secret selection process, the second bill mandates each chief judge of a Federal circuit to publicly nominate a judge from their circuit to serve on the FISA court.

Other Bills

Other bills touching FISA court structural reform include bills by Schiff (which has the President, with the advice and consent of the Senate, nominating FISA court judges) and Representative Steve Cohen (which has the Chief Justice, and the majority and minority leaders of each house of Congress choosing judges).

More Bills To Follow

All of these bills are a start to tackling many of the problems raised by the leaked files. But none of them fix Section 702 of the Foreign Intelligence Surveillance Act, which the government is using to collect innocent Americans’ communications. As a result of the NSA spying, mass collection of innocent Americans’ information must stop. We look forward to the bills moving through Congress, but a full investigation of the NSA spying by a special Congressional must also occur. Join the more than 100 organizations and half-a-million people pushing Congress to stop the spying and fully investigate it.

Organizations, Activists Lining Up To Sue Against NSA Surveillance

This post originally appeared on the Electronic Frontier Foundation website on Sept. 10.

Five new groups—including civil-rights lawyers, medical-privacy advocates and Jewish social-justice activists—have joined a lawsuit filed by the Electronic Frontier Foundation (EFF) against the National Security Agency (NSA) over the unconstitutional collection of bulk telephone call records. With today’s amended complaint, EFF now represents 22 entities in alleging that government surveillance under Section 215 of the Patriot Act violates Americans’ First Amendment right to freedom of association.

The five entities joining the First Unitarian Church of Los Angeles v. NSA lawsuit before the U.S. District Court for the Northern District of California are: Acorn Active Media, the Charity and Security Network, the National Lawyers Guild, Patient Privacy Rights and The Shalom Center. They join an already diverse coalition of groups representing interests including gun rights, environmentalism, drug-policy reform, human rights, open-source technology, media reform and religious freedom.

“The First Amendment guarantees the freedom to associate and express political views as a group,” EFF legal director Cindy Cohn said. “The NSA undermines that right when it collects, without any particular target, the phone records of innocent Americans and the organizations in which they participate. In order to advocate effectively, these organizations must have the ability to protect the privacy of their employees and members.”

In June, The Guardian newspaper published a secret order from the Foreign Intelligence Surveillance Court (FISC) that authorized the wholesale collection of phone records of all Verizon customers, including the numbers involved in each call, the time and duration of the call, and “other identifying information.” Government officials subsequently confirmed the document’s authenticity and acknowledged the order was just one of a series issued on a rolling basis since at least 2006.

EFF originally filed the lawsuit on June 16, arguing the tracking program allows the government to compile detailed connections between people and organizations that have no correlation to national security investigations. Along with adding the new plaintiffs, the amended complaint also adds new information about “contact chaining” searches through the vast trove of phone records, adds James B. Comey as a defendant now that he is the head of the FBI, and makes some additional changes.

For Rabbi Arthur Waskow of The Shalom Center, the revelations come with a sense of déjà vu.

“Jewish tradition for at least the last 2,000 years has celebrated the right of privacy of the people against surveillance by a ruler,” Waskow said. “A generation ago, I joined with other antiwar activists to successfully sue the FBI over its ‘COINTELPRO’ program, which violated our right to assemble in opposition to the Vietnam War. Now, as director of The Shalom Center—a religious organization advocating for peace, social justice and environmental sustainablility—I am concerned that the NSA has greatly surpassed the FBI in undermining our Constitutional rights.”

The National Lawyers Guild, a public-interest legal association that has defended civil rights for more than 75 years, notes that surveillance has substantially impeded its ability to communicate with those seeking legal assistance.

“Applied on a massive scale, government surveillance becomes a form of oppression,” the Guild’s Executive Director Heidi Boghosian said. “Knowing that we are likely monitored, we have curbed our electronic interactions. Sensitive discussions about cases are confined to in-person meetings and letters. We have no illusions that our hotline for individuals visited by the FBI is private; we don’t even ask for specific details for fear of government eavesdropping.”

EFF also represents the plaintiffs in Jewel v. NSA, a class-action case filed on behalf of individuals in 2008 aimed at ending the NSA’s dragnet surveillance of millions of ordinary Americans. The Jewel case is set for a conference with the Court on September 27 in San Francisco.

For the amended complaint:

Tahoe And Tor: Building Privacy On Strong Foundations

Tahoe-LAFS draws from a combination of computer security philosophies, backed up with cryptography implement in open-source code.

The Principle of Least Authority
In computer science, the principle of least authority means granting the minimum set of permissions necessary to accomplish a task. For example, someone who is a contributing blogger on a website doesn’t need full administrator access to a site. Tahoe attempts to apply this principle to online file storage by ensuring through encryption that the organization storing your data can’t see all your data, and that users can be given fine-grained access through cryptographic capabilities.

Cryptographic capabilities
In Tahoe-LAFS, you can read or write a file in the system only if you know a (rather long) set of characters, or key. The capability keys are different for each file, which means you can share a picture by sending a friend one capability key without giving them access to everything. You can also give people power to create or even edit files by sending them different keys. Using capability-based security means there’s no central authority that manages access control for you, as with Dropbox or Google Docs. You’re in charge of spreading (or withholding) your capability keys.

Erasure coding
A method of redundantly storing data over a number of servers that allows data to be reconstructed, even if a certain number of those servers get shut down or corrupted. In the default Tahoe network, data is spread over 10 drives and can be read even if seven of those servers are lost. That means you don’t have to rely on one provider and makes Tahoe storage harder to disrupt.

This post, by International Director Danny O’Brien, originally appeared on the Electronic Frontier Foundation website on Sept. 6.

Many people want to build secure Internet services that protect their users against surveillance, or the illegal seizure of their data. When EFF is asked how to build these tools, our advice is: Don’t start from scratch. Find a public, respected project that provides the privacy-protecting quality you want in your own work, and find a way to implement your dream atop these existing contributions.

So, for instance, the New Yorker’s Strongbox, a dropbox for anonymous sources, uses Tor as its basis to provide anonymity to its users. If you want anonymity in your app, building your tool on top of Tor’s backbone means you can take advantage of its experience and future improvements, as well as letting you contribute back to the wider community.

Anonymity is only one part of what will make the Net secure and privacy-friendly, though. The recent National Security Administration revelations as well as glitches and attacks on single services like GitHub, Amazon, Twitter and The New York Times, have prompted demand for online data storage that doesn’t depend on companies that might hand over such data or compromise security to comply with government demands, nor depend on one centralized service that could be taken down through external pressure.

The Tahoe Least Authority File System (Tahoe-LAFS) has been actively developed since 2007. Just as Tor concentrates on anonymity, Tahoe-LAFS’s developers have worked hard to create a resilient, decentralized, infrastructure that lets you store online both data you’d want to keep private, as well as data you want to share with selected groups of friends. It’s also able to protect against a single source of failure or censorship, like a commercial service being attacked or responding to a takedown.

Tahoe-LAFS is open source, but this month, some of the Tahoe project’s founders launched S4, a commercial “PRISM-proof” secure, off-site backup service that uses Tahoe as a backend and Amazon as a storage site.

Tahoe’s protections against third-party snooping and deletion have the kind of strong mathematical guarantees that reassure security experts that Tahoe-LAFS is well-defended against certain kinds of attack. That also means its privacy and resilience are not dependent on the good behavior or policies of its operators. (See the box for more information.)

Secure online backups like S4 are one possible use for Tahoe’s time-tested code and approach. You and your friends can run your own Tahoe network, sharing storage space across a number of servers, confident that your friends can see and change only what they have the caps to see, and that even if a sizable number of those servers disappear, your data will still be retrievable. Services like git-annex-assistant, a decentralized Dropbox-like folder synchronizer, already optionally offer it as backend. Some privacy activists have run private Tahoe networks over Tor, creating an anonymous, distributed and largely censorship-proof storage system.

It’s great to see commercial services like S4 emerging in the face of our new knowledge about pervasive online surveillance. Even better is the possibility that others, including entrepreneurs, designers and usability experts, will stand on the shoulders of the secure possibilities that protocols like Tor and Tahoe provide and give us all innovative Internet tools that can truly keep users and their data safe and sound.

EFF: Hundreds of Pages of NSA Spying Documents to be Released As Result of Lawsuit

In a major victory in one of EFF’s Freedom of Information Act (FOIA) lawsuits, the Justice Department conceded yesterday that it will release hundreds of pages of documents, including FISA court opinions, related to the government’s secret interpretation of Section 215 of the Patriot Act, the law the NSA has relied upon for years to mass collect the phone records of millions of innocent Americans.

In a court filing, the Justice Department, responding to a judge’s order, said that they would make public a host of material that will “total hundreds of pages” by next week, including:

[O]rders and opinions of the FISC issued from January 1, 2004, to June 6, 2011, that contain a significant legal interpretation of the government’s authority or use of its authority under Section 215; and responsive “significant documents, procedures, or legal analyses incorporated into FISC opinions or orders and treated as binding by the Department of Justice or the National Security Agency.”

While the government finally released a white paper detailing its expansive (and unconstitutional) interpretation of Section 215 last month, more important FISA court opinions adopting at least part of that interpretation have remained secret. The results of EFF’s FOIA lawsuit will finally lift the veil on the dubious legal underpinnings of NSA’s domestic phone surveillance program.

This victory for EFF comes on the heels of another FOIA success two weeks ago, when the Justice Department was also forced to release a 2011 FISA court opinion ruling some NSA surveillance unconstitutional.

Like our lawsuit over that 2011 FISA opinion—where the government posted the results on Director of National Intelligence’s new Tumblr account—the Justice Department may attempt to portray this release as being done out of the goodness of its heart and as a testament to its commitment to transparency. While we applaud the government for finally releasing the opinions, it is not simply a case of magnanimity. The Justice Department is releasing this information because a court has ordered it to do so in response to EFF’s FOIA lawsuit, which was filed on the tenth anniversary of the enactment of the Patriot Act—nearly two years ago.

For most of the duration of the lawsuit, the government fought tooth and nail to keep every page of its interpretations secret, even once arguing it should not even be compelled to release the number of pages that their opinions consisted of. It was not until the start of the release of documents leaked by NSA whistleblower Edward Snowden that the government’s position became untenable and the court ordered the government to begin the declassification review process.

It also should be noted, that on the same day the government agreed to release this information, GOP Rep. Jim Sensenbrenner, the author of the Patriot Act, submitted an amicus brief authored by EFF supporting ACLU’s constitutional challenge of the NSA phone collection program that relies on Section 215. In other words, even the author of Section 215 thinks the government has twisted and distorted its language to justify something that the law was never supposed to allow. Now, we will finally see that tortured interpretation.

EFF’s Open Letter to John Kerry: Tell Ethiopia to Release Eskinder Nega and Stop Imprisoning Bloggers

The following open letter, written by the Electronic Frontier Foundation, addresses a very frightening global trend: Nations increasingly using terror prevention as justification to lock up dissidents. Based on some provisions in the most recent National Defense Authorization Act, it is possible that similarly extreme cases could occur in the U.S.

Dear Secretary of State John Kerry,

This month marks the second anniversary of Eskinder Nega’s imprisonment.  When you visited Ethiopia in May, Eskinder Nega had already been imprisoned – and thus silenced – for over a year. It’s time for the United States to use its considerable influence to vigorously and directly advocate Nega’s freedom and, in the process, to promote free expression and independent journalism throughout Ethiopia.

Now is a crucial moment for the Secretary to speak out. Over the weekend, Ethiopian security forces in Addis Ababa brutally suppressed a demonstration calling for political reforms and the release of jailed journalists and dissidents.

Eskinder Nega is an internationally recognized Ethiopian reporter-turned-blogger.  His award-winning journalism on political issues in Ethiopia – and his refusal to stop publishing or flee the country – has made him the target of persecution by the Ethiopian government for many years. Nega was arrested in September 2011 and then convicted under a new, extremely broad anti-terrorism law in Ethiopia. Nega’s so-called crime was writing articles and speaking publicly on topics such as the Arab Spring and Ethiopia’s poor record on press freedom. For that, he was sentenced to 18 years in prison.

In July, the New York Times published a letter from Eskinder Nega in prison, who explained that Ethiopia’s anti-terrorism law “has been used as a pretext to detain journalists who criticize the government.”  He elaborated on the actions that landed him in prison on charges of terrorism:

I’ve never conspired to overthrow the government; all I did was report on the Arab Spring and suggest that something similar might happen in Ethiopia if the authoritarian regime didn’t reform. The state’s main evidence against me was a YouTube video of me, saying this at a public meeting. I also dared to question the government’s ludicrous claim that jailed journalists were terrorists.

As Leslie Lefkow, deputy Africa director at Human Rights Watch, said, “The use of draconian laws and trumped-up charges to crack down on free speech and peaceful dissent makes a mockery of the rule of law.”

EFF has joined other free speech advocates and human rights organizations around the world in calling for Nega’s release. The UN Working Group on Arbitrary Detention has joined the movement calling for Nega’s freedom. And Amnesty International has rightly declared Nega a prisoner of conscience and is petitioning for his release.

Journalists and human rights organizations around the world have condemned Nega’s sentence and called for his release. It’s time for the United States, and especially the State Department, to do the same.

We’re writing today to urge you to use your relationship with Ethiopia to campaign for Eskinder Nega’s freedom and the freedom of all peaceful bloggers in Ethiopia.

We appreciate the public statements that the State Department has made about Nega’s imprisonment, but that’s not enough. Nega has already spent two years in prison, and other bloggers in Ethiopia have also been silenced by similar unjust imprisonments.

A free and independent media is vital to democracy and justice. We are calling on you to speak out on behalf of Eskinder Nega and raise his case with your contacts within the Ethiopian government. We urge you to more strongly tie American economic and political support for  Ethiopia to its  record on press freedom. The Ethiopian government should understand that the imprisonment of Eskinder Nega has real and continuing consequences to the health of its global diplomatic and financial relationships with its partners.

The United States has deep ties with Ethiopia. Please use this access and influence to champion the rights of free expression and press freedom that are guaranteed by the Ethiopian constitution and international law.


Electronic Frontier Foundation

An Illustration Of How The NSA Misleads The Public Without Technically Lying

This article, written by activist Trevor Timm, originally appeared on the Electronic Frontier Foundation website on Aug. 29.

The Wall Street Journal published an important investigation on Aug. 20, reporting that the National Security Agency (NSA) has direct access to many key telecommunications switches around the country and “has the capacity to reach roughly 75% of all U.S. Internet traffic in the hunt for foreign intelligence, including a wide array of communications by foreigners and Americans.” Notably, NSA officials repeatedly refused to talk about this story on their conference call with reporters the next day. Instead, the Director of National Intelligence and the NSA released a statement about the story later that evening.

If you read the statement quickly, it seems like the NSA is disputing the WSJ story. But on careful reading, the NSA actually does not deny any of it. As we’ve shown before, often you have to carefully parse NSA statements to root out deception and misinformation, and this statement is no different. The NSA has tried to deflect an accurate story with its same old word games. Here’s a breakdown:

The NSA does not sift through and have unfettered access to 75% of United States online communications…The report leaves readers with the impression that the NSA is sifting through as much as 75% of the United States online communications, which is simply not true.

Of course, The Wall Street Journal never says the NSA “sifts through” 75 percent of U.S. communications. It reported that the NSA’s system “has the capacity to reach roughly 75% of all U.S. Internet traffic.” The NSA’s new term, “sift,” is undefined; but regardless of what the NSA is doing or not doing to 75 percent of Americans’ emails, it does have the technical capacity to search through it for key words — which it does not deny.

In its foreign intelligence mission, and using all its authorities, NSA “touches” about 1.6%, and analysts look at 0.00004% of the world’s Internet traffic.

See what the NSA did there? The Wall Street Journal was talking about U.S.-only communications traffic, not the world’s total Internet traffic. The vast majority of the world’s Internet traffic is video-streaming and downloads. According to a study done by Cisco, video made up more than half of all Web traffic in 2012 — and that does not include peer-to-peer sharing. By 2017, Cisco predicts 90 percent of all Internet traffic will be video.

As Jeff Jarvis aptly documented, the NSA can vacuum up an extraordinary percentage of the world’s (and American) communications while touching only 1.6 percent of total Internet traffic.

Oh, and that 0.00004 percent? That math may be wrong, too. The Atlantic Wire double-checked the NSA’s numbers when it first used that stat and determined the NSA’s math was off by an order of magnitude; it actually searches 10 times more than the NSA says it does.1

The assistance from the providers, which is compelled by the law, is the same activity that has been previously revealed as part of Section 702 collection and PRISM.

First, notice that the NSA is conflating PRISM, which involves collection from Internet companies like Facebook, with the “upstream” collection The Wall Street Journal reports on: telecommunications companies like AT&T that give the NSA direct access to the fiber optic cables that all Internet traffic travels over. Here’s the NSA’s own leaked graphic explaining the difference:

nsa graphic

Second, siphoning off large portions of Internet traffic directly from the Internet backbone is not “compelled by law.” In fact, as the Electronic Frontier Foundation argued in court for years, the telecoms’ participation in this program with the NSA was both illegal and unConstitutional. Obviously, they knew it, because that’s why Congress passed retroactive immunity for companies like AT&T in 2008. But that immunity only extended to the telecom, and EFF’s case against the ongoing illegal surveillance continues.

Section 702 specifically prohibits the intentional acquisition of any communications when all parties are known to be inside the U.S.

Yes, Section 702 prohibits the intentional acquisition of U.S. communications, but once U.S. communications are in an NSA database — which happens often — the NSA can search them without a warrant, as documents recently published by The Guardian revealed. Unknown or anonymous people are assumed to be foreign, meaning many U.S. people will be caught up in the dragnet.

The law specifically prohibits targeting a U.S. citizen without an individual court order based on a showing of probable cause.

We’ve previously dissected the NSA’s warped definition of “target.”  NSA agents have to be only 51 percent sure the person they’re spying on is foreign. Additionally, a host of loopholes exist that allow the NSA to keep U.S. communications if they’re encrypted, if there’s evidence of a crime and more.

And as The New York Times reported on its front page on Aug. 8, officials admit the NSA is “searching the contents of vast amounts of Americans’ e-mail and text communications into and out of the country” under the guise of looking for information about targets, not just communications to targets.

If that communications involves a US person, NSA must follow Attorney General and FISA court [Foreign Intelligence Surveillance Court] approved “minimization procedures” to ensure the Agency protects the privacy of US persons.

Those “minimization procedures” do not ensure that the NSA protects privacy. Rather, they are woefully inadequate, primarily concerned with minimizing the amount of data to be removed from the database and expanding on the circumstances under which the NSA can keep the data and share it with other agencies.

So there you have it: how the NSA pretends to deny a media report without denying it at all. We are still awaiting an honest account of the NSA’s capabilities. Tell your representative to demand an independent investigation today.

  • 1. In response to The Atlantic, the NSA said the figure is nevertheless valid, because “classified information that goes into the number is more complicated than what’s in your calculation.”


EFF Explains Perfect Forward Secrecy, an Important Web Privacy Protection

This article, written by activist Peter Higgins, originally appeared on the Electronic Frontier Foundation website on August 28.

When you access a Web site over an encrypted connection, you’re using a protocol called HTTPS. But not all HTTPS connections are created equal. In the first few milliseconds after a browser connects securely to a server, an important choice is made: the browser sends a list of preferences for what kind of encryption it’s willing to support, and the server replies with a verification certificate and picks a choice for encryption from the browser’s list. These different encryption choices are called “cipher suites.” Most of the time, users don’t have to worry about which suite the browsers and servers are using, but in some cases it can make a big difference.

One important property is called “perfect forward secrecy,” but only some servers and only some browsers are configured to support it. Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party. That particular threat may have once seemed unlikely, but we now know that the NSA does exactly this kind of long-term storage of at least some encrypted communications as they flow through telecommunications hubs, in a collection effort it calls “upstream.”

How can perfect forward secrecy help protect user privacy against that kind of threat? In order to understand that, it’s helpful to have a basic idea of how HTTPS works in general. Every Web server that uses HTTPS has its own secret key that it uses to encrypt data that it sends to users. Specifically, it uses that secret key to generate a new “session key” that only the server and the browser know. Without that secret key, the traffic traveling back and forth between the user and the server is incomprehensible, to the NSA and to any other eavesdroppers.

But imagine that some of that incomprehensible data is being recorded anyway—as leaked NSA documents confirm the agency is doing. An eavesdropper who gets the secret key at any time in the future—even years later—can use it to decrypt all of the stored data! That means that the encrypted data, once stored, is only as secure as the secret key, which may be vulnerable to compromised server security or disclosure by the service provider.

That’s where perfect forward secrecy comes in. When an encrypted connection uses perfect forward secrecy, that means that the session keys the server generates are truly ephemeral, and even somebody with access to the secret key can’t later derive the relevant session key that would allow her to decrypt any particular HTTPS session. So intercepted encrypted data is protected from prying eyes long into the future, even if the website’s secret key is later compromised.

It’s important to note that no flavor of HTTPS, on its own, will protect the data once it’s on the server. Web services should definitely take precautions to protect that data, too. Services should give user data the strongest legal protection possible, and minimize what they collect and store in the first place. But against the known threat of “upstream” data collection, supporting perfect forward secrecy is an essential step.

So who protects long-term privacy by supporting perfect forward secrecy? Unfortunately, it’s not a very long list—but it’s growing. Google made headlines when it became the first major web player to enable the feature in November of 2011. Facebook announced last month that, as part of security efforts that included turning on HTTPS by default for all users, it would enable perfect forward secrecy soon. And while it doesn’t serve the same volume as those other sites, www.eff.org is also configured to use perfect forward secrecy. Outside of the web, emails encrypted using the OpenPGP standard do not have forward secrecy, but instant messages (or text messages) encrypted using the OTR protocol do.

Supporting the right cipher suites—and today, for the Web, that means ones that support perfect forward secrecy—is an important component of doing security correctly. But sites may need encouragement from users because, like HTTPS generally, supporting perfect forward secrecy doesn’t come completely without a cost. In particular, it requires more computational resources to calculate the truly ephemeral session keys required.

It may not be as obvious a step as simply enabling HTTPS, but turning on perfect forward secrecy is an important improvement that protects users. More sites should enable it, and more users should demand it of the sites they trust with their private data.

EFF Outlines Three Illusory “Investigations” Of The NSA Spying That Will Never Succeed

This article, written by policy analyst Mark M. Jaycox, was originally published on August 23, 2013 by the Electronic Frontier Foundation.

Since the revelations of confirmed National Security Agency spying in June, three different “investigations” have been announced. One by the Privacy and Civil Liberties Oversight Board (PCLOB), another by the Director of National Intelligence, Gen. James Clapper, and the third by the Senate Intelligence Committee, formally called the Senate Select Committee on Intelligence (SSCI).

All three investigations are insufficient, because they are unable to find out the full details needed to stop the government’s abuse of Section 215 of the PATRIOT Act and Section 702 of the Foreign Intelligence Surveillance Act. The PCLOB can only request—not require—documents from the NSA and must rely on its goodwill, while the investigation led by Gen. Clapper is led by a man who not only lied to Congress, but also oversees the spying. And the Senate Intelligence Committee—which was originally designed to effectively oversee the intelligence community—has failed time and time again. What’s needed is a new, independent, Congressional committee to fully delve into the spying.

The PCLOB: Powerless to Obtain Documents

The PCLOB was created after a recommendation from the 9/11 Commission to ensure civil liberties and privacy were included in the government’s surveillance and spying policies and practices.

But it languished. From 2008 until May of this year, the board was without a Chair and unable to hire staff or perform any work. It was only after the June revelations that the President asked the board to begin an investigation into the unconstituional NSA spying. Yet even with the full board constituted, it is unable to fulfill its mission as it has no choice but to base its analysis on a steady diet of carefully crafted statements from the intelligence community.

As we explained, the board must rely on the goodwill of the NSA’s director, Gen. Keith Alexander, and Gen. Clapper—two men who have repeatedly said the NSA doesn’t collect information on Americans.

In order to conduct a full investigation, the PCLOB will need access to all relevant NSA, FBI, and DOJ files. But the PCLOB is unable to compel testimony or documents because Congress did not give it the same powers as a Congressional committee or independent agency. This is a major problem. If the NSA won’t hand over documents to Congress, then it will certainly not give them to the PCLOB.

The Clapper Investigation: Overseen by a Man Accused of Lying to Congress

The second investigation was announced by President Obama in a Friday afternoon news conference. The President called for the creation of an “independent” task force with “outside experts” to make sure “there absolutely is no abuse in terms of how these surveillance technologies are used.” Less than two days later, the White House followed up with a press release announcing the task force would be led by Gen. Clapper and would also report to him. What’s even worse: the task force was not tasked with looking at any abuse. It was told to focus on how to “protect our national security and advance our foreign policy.” And just this week, ABC News reported the task force will be full of thorough Washington insiders–not “outside experts.” For instance, one has advocated the Department of Homeland Security be allowed to scan all Internet traffic going in and out of the US. And another, while a noted legal scholar on regulatory issues, has written a paper about government campaigns to infiltrate online groups and activists. In one good act, the White House selected Peter Swire to be on the task force. Swire is a professor at Georgia Tech and has served as the White House’s first ever Chief Privacy Officer. Recently, he signed an amicus brief in a case against the NSA spying by the Electronic Privacy Information Center arguing that the NSA’s telephony metadata program is illegal under Section 215 of the PATRIOT Act. Despite this, and at the end of a day, a task force led by General Clapper full of insiders,—and not directed to look at the extensive abuse—will never get at the bottom of the unconstitutional spying.

The Senate Intelligence Committee Has Already Failed

The last “investigation” occurring is a “review” led by the Senate Intelligence Committee overseeing the intelligence community. But time and time again the committee has failed at providing any semblance of oversight. First, the chair and ranking member of the committee, Senators Dianne Feinstein (CA) and Saxby Chambliss (GA), respectively, are stalwart defenders of the NSA and its spying activities. They have both justified the spying, brushed aside any complaints, and denied any ideas of abuse by the NSA.

Besides defending the intelligence community, the committee leadership have utterly failed in oversight—the reason why the Senate Intelligence Committee was originally created by the Church Committee. As was revealed last week, Senator Feinstein was not shown or even told about the thousands of violations of the spying programs in NSA audits of the programs. This is in direct contradiction to her statements louting the “robust” oversight of the Intelligence Committee. Lastly, the committee is prone to secrets and hiding behind closed doors: this year, the Senate Intelligence Committee has met publicly only twice. What’s clear is that the Intelligence Committee has been unable to carry out its oversight role and fresh eyes are needed to protect the American people from the abuses of the NSA.

A New Church Committee

All three of these investigations are destined to fail. What’s needed is a new, special, investigatory committee to look into the abuses of by the NSA, its use of spying powers, its legal justifications, and why the intelligence committees were unable to rein in the spying. In short, we need a contemporary Church Committee. It’s time for Congress to reassert its oversight capacity. The American public must be provided more information about the NSA’s unconstitutional actions and the NSA must be held accountable. Tell your Congressmen now to join the effort.

EFF Victory Results In Release Of Foreign Intelligence Surveillance Court Opinion Finding NSA Surveillance UnConstitutional

In response to EFF’s FOIA lawsuit, the government has released the 2011 FISA court opinion ruling some NSA surveillance unConstitutional.

For almost two years, EFF has been fighting the government in Federal court to force the public release of an 86-page opinion of the secret Foreign Intelligence Surveillance Court (FISC). Issued in October 2011, the secret court’s opinion found that surveillance conducted by the NSA under the FISA Amendments Act was unConstitutional and violated “the spirit of” Federal law.

Today, EFF can declare victory: a Federal court ordered the government to release records in our litigation, the government has indicated it intends to release the opinion today, and ODNI called a  press conference to discuss “issues” with FISA Amendments Act surveillance, including a discussion of the opinion.

It remains to be seen how much of the opinion the government will actually make available to the public. President Obama has repeatedly said he welcomes a debate on the NSA’s surveillance: disclosing this opinion—and releasing enough of it so that citizens and advocates can intelligently debate the Constitutional violation that occurred—is a critical step in ensuring that an informed debate takes place.

Here are examples of documents previously released by the administration in response to our Freedom of Information Act request. Anything even resembling those “releases” would be utterly unacceptable today. But we’ve come a long way since then, it took filing a lawsuit; litigating (and winning) in the FISC itself; the unprecedented public release of information about NSA surveillance activities; and our continuing efforts to push the government in the district court for release of the opinion.

Release of the opinion today is just one step in advancing a public debate on the scope and legality of the NSA’s domestic surveillance programs. EFF will keep fighting until the NSA’s domestic surveillance program is reined in, Federal surveillance laws are amended to prevent these kinds of abuse from happening in the future, and government officials are held accountable for their actions.

EFF: Court Rules Accessing a Public Website Isn’t A Crime, But Hiding Your IP Address Could Be

This article, written by staff attorney Hanni Fakhoury, was originally published on August 20, 2013 by the Electronic Frontier Foundation.

In the ongoing legal battle between craigslist and 3taps, a new court opinion makes clear that people are “authorized” under the Computer Fraud and Abuse Act (CFAA) to access a public website. But what the court gave with one hand it took with the other, as it also ruled that sending a cease-and-desist letter and blocking an IP address is enough to “revoke” this authorization.

3taps collects real-estate data from craigslist and makes it available to other companies to use. One of those companies, Padmapper, republished craigslist apartment postings over a map to enable users to view apartment listings geographically, a feature then unavailable on the craigslist site. Craigslist’s terms of service prohibits people from “scraping” or copying data from craigslist’s site.

After learning about 3Taps and its clients, craigslist sent 3taps a cease-and-desist letter demanding they stop using craigslist data this way and then blocked 3taps’ IP address from accessing the craigslist site. Ultimately, craigslist sued 3taps in federal court, arguing that 3taps had violated the CFAA. 3taps moved to dismiss the case, arguing that under the Ninth Circuit Court of Appeals decision in United States v. Nosal, 3taps could not be liable under the CFAA for violating craigslist’s terms of service.

While the court agreed with 3taps on this point, it questioned whether the CFAA even protected information available on a publicly accessible website like craigslist in the first place. After the court agreed to accept additional briefing on this point, we along with a number of law professors, filed an amicus brief with the court urging it to rule that everyone is “authorized” to visit a public website under the CFAA.

Last week, the court ruled that this interpretation of the CFAA “makes sense,” meaning that everyone starts out as “authorized” to access a publicly accessible website. But it found that, with respect to 3taps, craigslist had used its “power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website” by sending the cease and desist letter and blocking 3taps’ IP address. The decision is certainly a mixed bag.

First the positive.

It is encouraging to see courts recognize that the CFAAwhich creates both civil and criminal liabilitydoesn’t criminalize accessing information from a publicly accessible website. The government used that precise theory to prosecute Andrew “Weev” Auernheimer for exposing an AT&T security flaw that publicly revealed thousands of customers’ email addresses. The possibility of imposing CFAA liability on someone from using information made freely available on the web posed a major threat on the openness and innovation of the Internet.

Moreover, by focusing on the IP blocking, the court essentially agreed with the basic principle we’ve suggested as a means to limit the reach of the CFAA: that there must be circumvention of a technological barrier before a person can be found to have “accessed” information or data “without authorization.” In fact one proposal to reform the CFAA currently before Congress, “Aaron’s Law,” defines “access without authorization” to mean precisely that: “knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.” The court adopted this idea in principle when it found that craigslist’s CFAA claim was based on something more than violating the terms of service of a publicly accessible website, and indeed something more than the cease and desist letter alone.

Now for the troubling part of the court’s opinion.

We believe that the CFAA requires hackingdoing something that breaches a technological barrier, like cracking a password or taking advantage of a SQL injection.

Changing your IP address is simply not hacking. That’s because masking your IP address is an easy, common thing to do. And there’s plenty of legitimate reasons to do so, whether its to protect your privacy, preserve innovation or avoid price discrimination. Plus, in the context of this case, craigslist’s IP address blocking and cease-and-desist letter combined to essentially act as a “use” restriction. In other words, craigslist relied on these two things to enforce its terms of service upon 3taps.

There’s a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to “revoke” and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.

Hopefully future courts thinking about these issues can use the good aspects of this decision to recognize that violating a technological measure is necessary. But they need to think more critically about whether IP address blocking, even if coupled with a cease and desist letter, is enough for a CFAA violation.

Accessing a public website isn’t a crime. Neither is hiding your online identity.

Electronic Frontier Foundation: The Three Pillars of Government Trust Have Fallen

The Electronic Frontier Foundation has reacted to Thursday’s Washington Post story on the National Security Agency’s eye-opening audit, which dismantled the fallacy that there are adequate oversight mechanisms built into the government’s program of domestic spying, with a timely column that explains just how far America’s leadership has fallen in abusing the public trust. Act now to join the growing number of Americans demanding an end to unConstitutional NSA spying.


By Cindy Cohn and Mark M. Jaycox

The Electronic Frontier Foundation

With each recent revelation about the NSA’s spying programs government officials have tried to reassure the American people that all three branches of government—the Executive branch, the Judiciary branch, and the Congress—knowingly approved these programs and exercised rigorous oversight over them. President Obama recited this talking point just last week, saying: “as President, I’ve taken steps to make sure they have strong oversight by all three branches of government and clear safeguards to prevent abuse and protect the rights of the American people.”  With these three pillars of oversight in place, the argument goes, how could the activities possibly be illegal or invasive of our privacy?

Today, the Washington Post confirmed that two of those oversight pillars—the Executive branch and the court overseeing the spying, the Foreign Intelligence Surveillance Court (FISA court)—don’t really exist. The third pillar came down slowly over the last few weeks, with Congressional revelations about the limitations on its oversight, including what Representative Sensennbrenner called “rope a dope” classified briefings. With this, the house of government trust has fallen, and it’s time to act. Join the over 500,000 people demanding an end to the unconstitutional NSA spying.

First, the Executive. After a review of internal NSA audits of the spying programs provided by Edward Snowden, the Post lays out—in stark detail—that the claims of oversight inside the Executive Branch are empty. The article reveals that an internal NSA audit not shown to Congress, the President, or the FISA Court detailed thousands of violations where the NSA collected, stored, and accessed American’s communications content and other information. In one story, NSA analysts searched for all communications containing the Swedish manufacturer Ericsson and “radio” or “radar.” What’s worse: the thousands of violations only include the NSA’s main office in Maryland—not the other—potentially hundreds—of other NSA offices across the country. And even more importantly, the documents published by the Post reveal violations increasing every year. The news reports and documents are in direct contrast to the repeated assertions by President Obama (video), General James Clapper (video), and General Keith Alexander (video) that the US government does not listen to or look at Americans’ phone calls or emails. So much for official pronouncements that oversight by the Executive was “extensive” and “robust.

Second, the FISA Court. The Post presents a second article in which the Chief Judge of the FISA Court admits that the court is unable to act as a watchdog or stop the NSA’s abuses: “The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, US District Judge Reggie B. Walton, said in a written statement. “The FISC does not have the capacity to investigate issues of noncompliance.”  Civil liberties and privacy advocates have long said that the FISA Court is a rubber stamp when it comes to the spying, but this is worse—this is the Court admitting that it cannot conduct the oversight the President and others have claimed it is doing. So much for claims by officials from the White House (video), NSA, DOJ, and Intelligence Committee members of Congress that the FISA Court is another strong pillar of oversight.

Third, the Congress. Last week, Representative Sensenbrenner complained that “the practice of classified briefings are a ‘rope-a-dope operation’ in which lawmakers are given information and then forbidden from speaking out about it.” Members of Congress who do not serve on the Intelligence Committees in the both the House and Senate have had difficulty in obtaining documents about the NSA spying. Last week, it was even uncovered that the Chairman of the House Intelligence Committee, Rep. Mike Rogers, failed to provide freshmen members of Congress vital documents about the NSA’s activities during a key vote to reapprove the spying. Senators Wyden and Udall have been desperately trying to tell the American people what is going on, but this year the House Intelligence committee’s Subcommittee on Oversight has not met once and the Senate Intelligence committee has met publicly only twice.

One, two, three pillars of government, all cited repeatedly as the justification for our trust and all now obviously nonexistent or failing miserably. It’s no surprise Americans are turning against the government’s explanations.

The pattern is now clear and it’s getting old. With each new revelation the government comes out with a new story for why things are really just fine, only to have that assertion demolished by the next revelation. It’s time for those in government who want to rebuild the trust of the American people and others all over the world to come clean and take some actual steps to rein in the NSA. And if they don’t, the American people and the public, adversarial courts, must force change upon it.

We still think the first step ought to be a truly independent investigatory body that is assigned to look into the unconstitutional spying. It must be empowered to search, read and compel documents and testimony, must be required to give a public report that only redacts sensitive operational details, and must suggest specific legislation and regulatory changes to fix the problem—something like the Church Committee or maybe even the 9/11 Commission. The President made a mockery of this idea recently, by initially handing control of the “independent” investigation he announced in his press conference to the man who most famously lied to Congress and the American people about the spying, the Director of National Intelligence James Clapper.

The three pillars of American trust have fallen. It’s time to get a full reckoning and build a new house from the wreckage, but it has to start with some honesty.

EFF: Multiple New Polls Show Americans Reject Wholesale NSA Domestic Spying

This article, published Tuesday by the Electronic Frontier Foundation (EFF), demonstrates Americans’ growing mistrust of the Federal government’s Orwellian and secretive programs that enable law enforcement agencies to spy on U.S. citizens without warrants, probable cause or informing us we’re being targeted. Follow the link at the end to add your voice to the growing number of people who demand the government come clean about its domestic surveillance operations, and to urge Congress to reform our Nation’s broad, permissive laws that have nurtured the expansion of Federal spy programs.

By Mark M. Jaycox  and Trevor Timm

Polls further confirm that Americans are deeply concerned with the unconstitutional NSA spying programs. In a July 10 poll by Quinnipiac University, voters were asked whether the government’s efforts “go too far in restricting the average person’s civil liberties” or “not far enough to adequately protect the country.” The poll revealed that Americans largely believe that the government has gone too far by a margin of 45% to 40%. This is a clear reversal from a January 2010 survey in which the same question found that 63% of voters believed the government didn’t “go far enough to adequately protect the country.”

Polls further reveal Americans as highly skeptical of the programs. In an Economist/YouGov poll, 56% of Americans do not think the NSA is telling the truth about the unconstitutional spying. The same poll found that 59% of people disapprove of the spying, while only 35% approve of it. These numbers are not outliers and are supported by a recent Fox News poll (.pdf) finding 62% of Americans think the collection of phone records is “an unacceptable and alarming invasion of privacy rights.”

The latest poll, performed by Pew, affirms every one of these conclusions. Not only are Americans skeptical about the program, but they also believe the government has gone too far—the same exact conclusion found in the Quinnipiac poll. In a series of questions, Pew asked Americans whether they supported or opposed the program with different phrasings. As Pew reports: “Under every condition in this experiment more respondents oppose than favor the program.” The Pew poll is full of evidence supporting the fact that Americans oppose the unconstitutional spying, are skeptical of government claims about the unconstitutional NSA spying, and are increasingly concerned about their privacy rights.

In the 1950s and 60s, the NSA spied on all telegrams entering and exiting the country. The egregious actions were only uncovered after Congress set up an independent investigation called the Church Committee in the 1970s after Watergate. When the American public learned about NSA’s actions, they demanded change. And the Church Committee delivered it by providing more information about the programs and by curtailing the spying.

Just like the American public in the 1970s, Americans in the 2010s know that when the government amasses dossiers on citizens, it’s neither good for security nor for privacy. And a wide range of polls this week show widespread concern among the American people over the new revelations about NSA domestic spying.

Yesterday, the Guardian released a comprehensive poll showing widespread concern about NSA spying. Two-thirds of Americans think the NSA’s role should be reviewed. The poll also showed Americans demanding accountability and more information from public officials—two key points of our recently launched stopwatching.us campaign.

But there’s more. So far, Gallup has one of the better-worded questions, finding that 53% of Americans disapprove of the NSA spying. A CBS poll also showed that a majority—at 58%—of Americans disapprove of the government “collecting phone records of ordinary Americans.” And Rasmussen—though sometimes known for push polling—also recently conducted a poll showing that 59% of Americans are opposed to the current NSA spying.

The only poll showing less than a majority on the side of government overreach was Pew Research Center, which asked Americans whether it was acceptable that the NSA obtained “secret court orders to track the calls of millions of Americans to investigate terrorism.” Pew reported that 56% of Americans said it was “acceptable.” But the question is poorly worded. It doesn’t mention the widespread, dragnet nature of the spying. It also neglects to describe the “information” being given—metadata, which is far more sensitive and can provide far more information than just the ability to “track the calls” of Americans. And it was conducted early on in the scandal, before it was revealed that the NSA doesn’t even have to obtain court orders to search already collected information.

Despite the aggregate numbers, many of the polls took place at the same time Americans were finding out new facts about the program. More questions must be asked. And if history is any indication, the American people will be finding out much more. Indeed, just today the Guardian reported that its working on a whole new series with even more NSA revelations about spying.

One thing is definitely clear: the American public is demanding answers and needs more information. That’s why Congress must create a special investigatory committee to reveal the full extent of the programs. Democracy demands it.

Head over to the Electronic Frontier Foundation to take action by signing the organization’s letter to Congress demanding a full accounting of the NSA’s U.S. citizen surveillance activities.