Aegean Associates, Inc.
5 The Strand, New Castle, Delaware 19720 (USA)
Reported on:
Thu, Apr 24 2014 02:51 -0400
Senator Dianne Feinstein—who traditionally is a stalwart defender of the intelligence community—came out swinging against them this week. While on the floor of the Senate, she laid bare a two year long struggle concerning CIA spying on Senate Intelligence Committee staffers investigating CIA's early 2000s torture and enhanced interrogation techniques. The spying by CIA crosses a line when it comes to Congressional oversight of the intelligence community. And it's an emblem of the extreme imbalance between the power of Congress and the power of the intelligence community. If the intelligence community thinks they can act in such a way towards the people who are supposed to oversee them, what else do they think they can do?
How Did This Happen?
According to Senator Feinstein, the spying occurred in a facility provided by CIA to Senate Intelligence staffers. As part of the investigation, CIA agreed to not interfere with the facility or with the Senate Intelligence staff's computers. After the staffers found a smoking gun document (an internal CIA review) that contradicted CIA's own conclusions, the staffers—just like with previous documents—transferred it back to their own facility in the Senate. Soon after, the CIA found out about the possession and deleted files on the Senate staffers' computers not once, but twice. Over 800 documents were deleted. Staffers do not know what those deleted documents contained.
The Oversight Regime Must Be Fixed
Senator Feinstein's speech is the first step to ensuring Congressional oversight prevails, but the Department of Justice, which is currently conducting an investigation, should not be the only entity to review the details. The latest breach of trust by the intelligence community must spur Congress to exert their oversight powers and begin a full investigation into these actions and the oversight regime at-large.
These are pressing topics. It's clear that the lack of oversight was a key factor in many of the egregious intelligence activities we learned about from the documents provided by Edward Snowden. The intelligence community evaded answering questions fully, or providing key documents to the intelligence committees. CIA spying is more proof that the oversight regime needs an overhaul. First and foremost, the American people—and Congress—need an oversight regime that works.
A Long Term Pattern
Some people are aghast at CIA's actions. Details about the spying are sparse; however, it seems CIA may be guilty—at the minimum—of obstruction laws. But we've seen this before from the intelligence community. And we don't have to draw from examples in the 1960s and 70s when the intelligence community was spying on Martin Luther King Jr. or anti-Vietnam activists. All we have to do is look at the past decade.
After the attacks on September 11, it took years for Senator Jay Rockefeller—then the chairman of the Senate Intelligence Community—to get a briefing and key documents for the entire committee about intelligence community actions. More recently, we saw obfuscation by the intelligence community in 2009 when it misled the FISA court. And just last year, the Director of National Intelligence, General James Clapper, lied to Congress about collecting data on innocent Americans. We also know members of Congress describe intelligence briefings as a game of 20 questions. Despite CIA's original cooperation, it seems clear CIA did not want the Senate staffers to conduct a full investigation.
It should be obvious to anyone that these actions paint a picture—and confirm a pattern—of out-of-control intelligence agencies. The American public is losing a tremendous amount of trust in the intelligence community—trust that is necessary for the intelligence community to conduct its job. But it's even more dangerous to the government body that is supposed to oversee the intelligence community: Congress.
Congress Must Act
Senator Feinstein's concern over CIA spying on her staff should extend to a concern about NSA's collection of all Americans' calling records. Both actions are examples of intelligence community overreach and abuse of their authorities. There are serious problems when the stalwart defender of the intelligence community takes to the Senate floor to discuss problems with the committee's oversight.
Beyond Senator Feinstein, Congress must retake its oversight role. For far too long has the intelligence community run roughshod over the intelligence committees. Time and time again, we've seen the inability for the intelligence committee to grapple with the behemoth of the intelligence community. This must stop. An investigation should be carried out not only into CIA spying, but into the oversight regime as a whole, the classification system, and the egregious actions by the intelligence community—including the activities of NSA. All of these topics are core problems concerning the inability for the Senate Intelligence Committee to be fully briefed—or even grasp—intelligence community actions. This week may have been a loss for Congressional oversight, but members of Congress must reassert their power. Their duty to serve as representatives of the American people demand it.
The NSA has seen the future of mass surveillance, and it appears they believe that the future lies in malware. Earlier this week, The Intercept reported on a series of slides and memos leaked by Edward Snowden describing the NSA's "more aggressive" approach to signals intelligence, which circumvents encryption such as web browsing via HTTPS and email using PGP, by installing spyware directly onto targets' computers. The NSA's Tailored Access Operations Unit, which develops and deploys malware tools, has been described in a Der Spiegel report as "a squad of plumbers that can be called in when normal access to a target is blocked", implying that they are a last resort for use when other methods of surveillance fail, but new slides reveal the explosive growth of TAO's data collection via malware "implants" and plans to scale the number of infected computers from the tens of thousands potentially into the millions using a system called TURBINE.
According to the leaked documents, TURBINE enables "exploitation on an industrial scale," by automating onerous tasks such as the collection of surveillance data from infected systems. Furthermore, evidence suggesting that NSA exploits Internet chokepoints for man-in-the-middle attacks and develops software to manage millions of "Computer Network Attack" implants at once demonstrates that their intent is to compromise computer security on a massive scale, rather than a tailored approach. With the help of TURBINE, the NSA's spyware network has grown from a few hundred implants in 2004, to somewhere between 85,000 and 100,000 implants around the world. Even if you believe that there may be a few hundred key systems with information vital to national security that the NSA cannot reach in any other way—even if you believe there are up to 100,000 such systems—pushing that number up into the millions stretches credulity to the breaking point. It appears that TURBINE is neither necessary for nor proportionate to the government's aims and that the NSA intends to recapitulate their mass surveillance program by installing spyware on every computer they can get their hands on.
Not only are implants a gross privacy violation, industrial scale exploitation makes everyone on the Internet less safe. As security researcher Matt Blaze points out in The Intercept's report, "How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?"
Even Mark Zuckerberg is concerned, to the extent of calling President Obama on the phone to complain. Zuckerberg is right to be angry at NSA for undermining the security that users expect from his company: according to The Intercept, NSA has set up fake Facebook servers and uses Facebook's cookies and other identifying data to associate a target's identity with the target's active device for malware delivery. "When our engineers work tirelessly to improve security," writes Zuckerberg, "we imagine we're protecting you against criminals, not our own government." In this context, the distinction between governments and criminals has become meaningless: an attacker is an attacker, and every website that wants to protect the privacy and security of its users ought to take note.
Slides reveal that a man-in-the-middle capability called SECONDDATE quietly redirects web browsers from the site they think they're visiting to NSA malware servers called FOXACID. The Intercept reports that "SECONDDATE is tailored not only for 'surgical' surveillance attacks on individual suspects. It can also be used to launch bulk malware attacks against computers."
EFF has the following recommendations for website operators who wish to protect their users from this kind of man-in-the-middle attack:
NSA has issued a confused press statement that dodged the issues and denied claims never made in The Intercept's article, adding that it keeps its "foreign intelligence operations . . . as tailored as possible" and that it never targets "any user of global Internet services without appropriate legal authority." EFF is skeptical, and users and website operators should be as well.
Related Issues: InternationalMass Surveillance TechnologiesSecurityState-Sponsored MalwareRussia's government has escalated its use of its Internet censorship law to target news sites, bloggers, and politicians under the slimmest excuse of preventing unauthorized protests and enforcing house arrest regulations. Today, the country's ISPs have received orders to block a list of major news sites and system administrators have been instructed to take the servers providing the content offline.
The banned sites include the online newspaper Grani, Garry Kasparov's opposition information site kasparov.ru, the livejournal of popular anti-corruption crusader Alexei Navalny, and even the web pages of Ekho Moskvy, a radio station which is majority owned by the state-run Gazprom, and whose independent editor was ousted last month and replaced with a more government-friendly director.
The list of newly prohibited sites was published earlier today by Russia's Prosecutor General, which announced that the news sites had been "entered into the single register of banned information" after "calls for participation in unauthorized rallies." Navalny's livejournal was apparently added to the register in response to the conditions of his current house arrest, which include a personal prohibition on accessing the Internet.
Russia enacted its first law permitting official government censorship of the Internet in 2012, when it was claimed its register would primarily be used to combat child pornography, drug use, and material promoting suicide.
Opposition leader and former chess champion Garry Kasparov tweeted in response to the new crackdown:
These are huge news sites, not political groups. Giant Echo of Moscow site now just gone. Grani, EJ, Navalny's blog, all blocked in Russia.
Mig Greengard, assistant to Mr. Kasparov, reported that Kasparov.ru's administrators had been contacted by government officials via letter, requesting that they shut down their servers directly. Though it may not be reachable from some Russian ISPs, Kasparov's website is currently still up, as is Navalny's blog and Ekho Moskvy. Grani's site, at present, shows a single message stating the news site is "blocked at the request of the Prosecutor General."
EFF is profoundly opposed to government censorship of the Internet, which violates its citizens right to freedom of expression, guaranteed under Article 19 of the Universal Declaration of Human Rights. We are especially concerned about the censorship of independent news and opposing political views, which are essential to a thriving civil society. Russians who wish to circumvent government censorship can continue to read these websites via the Tor Browser, which they can install using the Tor Browser Bundle.
We’ve asked the companies in our Who Has Your Back Program what they are doing to bolster encryption in light of the NSA’s unlawful surveillance of your communications. We’re pleased to see that four five six seven companies—Dropbox, Facebook, Google, Microsoft, Sonic.net, SpiderOak, and Twitter—are implementing five out of five of our best practices for encryption. See the infographic.
By adopting these practices, described below, these service providers have taken a critical step towards protecting their users from warrantless seizure of their information off of fiber-optic cables. By enabling encryption across their networks, service providers can make backdoor surveillance more challenging, requiring the government to go to courts and use legal process. While Lavabit’s travails have shown how difficult that can be for service providers, at least there was the opportunity to fight back in court.
While not every company in our survey has implemented every recommendation, each step taken helps, and we appreciate those who have worked to strengthen their security. We hope that every online service provider adopts these best practices and continues to work to protect their networks and their users.
Crypto Survey Results
UPDATE, November 20, 2013: Facebook and Tumblr have provided further information to supplement the Encrypt the Web Report. We're pleased to report that Tumblr is planning to upgrade its web connections to HTTPS this year and implement HSTS by 2014, and Facebook is working on encrypting data center links and implementing STARTTLS.
UPDATE, November 22, 2013: Google has provided further information to supplement the report on its use of HSTS. See the updated chart below and the notes for more information.
UPDATE, December 5, 2013: Microsoft has provided further information, announcing a plan to expand encryption across all its services, including encrypting links between data center and implementing forward secrecy by the end of 2014.
UPDATE, December 16, 2013: Microsoft has informed us that it is planning to support HSTS for public facing services that host or transmit email, personal or business documents and media, messaging, contacts, and credentials. This is an important step to make it more challenging for attackers to defeat security by bypassing encryption. In addition, Microsoft is planning to roll out STARTTLS in its outlook.com email service. This means that emails between outlook.com users and other email services that use STARTTLS, like Gmail, will be encrypted in transit.
UPDATE, December 19, 2013: An earlier version of this report incorrectly stated that the HSTS preload list in Firefox for Google domains was non-functional due to a bug. Firefox enables HSTS preloading but intentionally rejects domains that do not send an HSTS header with expiration time greater than 18 weeks. As far as we can tell, there are no Google domains that meet this requirement. We urge Google to change their HSTS implementation so that Firefox and Opera users receive the security benefits of HSTS.
UPDATE, March 13, 2014: Twitter has implemented STARTTLS for emails sent from its service to users—an especially important step, given that the contents of Direct Messages may be included in these updates. We've updated the chart to recognize their work in that category, bringing the company to a full five checkmarks.
Tumblr has released optional SSL as a setting for logged in users viewing their dashboards, and plan to roll it out as a default in the next several months. HSTS support is still planned in 2014.
Encrypts data center linksSupports HTTPSHTTPS Strict (HSTS)Forward SecrecySTARTTLSundeterminedlimitedundeterminedundeterminedNotes: The information in this chart comes from several sources; the companies who responded to our survey questions; information we have determined by independently examining the listed websites and services and published reports. Some of the surveyed companies did not respond to the survey.
Recognizing that some of these steps will take time to implement, we gave credit to companies that either (1) have implemented or (2) have concrete plans to implement the listed encrytion process, as noted.
For STARTTLS, the red and grey shading indicates whether or not the company is a major email service provider. While encourage all companies to implement STARTTLS, even if they only provide email for their own employees, the issue is most critical for companies that provide email communications to the public.
Google implements HSTS on accounts.google.com for all browsers that support HSTS, which at the time of this writing are Chrome, Chromium, Firefox, Opera, and Safari. HSTS on other Google domains is only functional in Chrome, Chromium, and Safari.
This graphic is also available as an image file.
Why Crypto Is So Important
The National Security Agency’s MUSCULAR program, which tapped into the fiber-optic lines connecting the data centers of Internet giants like Google and Yahoo, exposed the tremendous vulnerabilities companies can face when up against as powerful an agency as the NSA. Bypassing the companies’ legal departments, the program grabbed extralegal access to your communications, without even the courtesy of an order from the secret rubber-stamp FISA court. The program is not right, and it’s not just.
With that in mind, EFF has asked service providers to implement strong encryption. We would like to see encryption on every step of the way for a communication on its way to, or within, a service provider’s systems.
For starters, we have asked companies to encrypt their websites with Hypertext Transfer Protocol Secure (HTTPS) by default. This means that when a user connects to their website, it will automatically use a channel that encrypts the communications from their computer to the website.
We have also asked them to flag all authentication cookies as secure. This means cookie communications are limited to encrypted transmission, which directs web browsers to use these cookies only through an encrypted connection. That stops network operators from stealing (or even logging) users' identities by sniffing authentication cookies going over insecure connections.
To ensure that the communication remains secure, we have asked companies to enable HTTP Strict Transport Security (HSTS). HSTS essentially insists on using secure communications, preventing certain attacks where a network pretends that the site has asked to communicate insecurely.
All of these technologies are now industry-standard best practices. While they encrypt the communications from the end user to the server and back, the MUSCULAR revelations have shown this is not enough. Accordingly, we have asked service providers to encrypt communications between company cloud servers and data centers. Anytime a users’ data transits a network, it should be strongly encrypted, in case an attacker has access to the physical data links or has compromised the network equipment.
In addition, we have asked for email service providers to implement STARTTLS for email transfer. STARTTLS is an opportunistic encryption system, which encrypts communications between email servers that use the Simple Mail Transfer Protocol (SMTP) standard. When a user emails someone on a different provider (say, a Hotmail user writing to a Gmail user), the mail message will have to be delivered over the Internet. If both email servers understand STARTTLS, then the communications will be encrypted in transit. If only Gmail does but Hotmail does not (the current situation), they will be in the clear and exposed to eavesdropping, so it’s critical to get as many email service providers as possible to implement the system.
Finally, we have asked companies to use forward secrecy for their encryption keys. Forward secrecy, sometimes called ‘perfect forward secrecy,’ is designed to protect previously encrypted communications, even if one of the service providers’ keys is later compromised. Without forward secrecy, an attacker who learns a service provider’s secret key can use it to go back and read previously incomprehensible encrypted communications—perhaps ones that were recorded months or years in the past.
Related Issues: Encrypting the WebSan Francisco - Representing a large group of top computer science experts and professors, the Electronic Frontier Foundation (EFF) today submitted a brief to a federal appeals court supporting the American Civil Liberties Union's lawsuit over the NSA's mass call records collection program. At the core of the brief is the argument that metadata matters.
Intelligence officials have often downplayed privacy concerns over the NSA's interpretation of Section 215 of the Patriot Act by stating that the agency does not collect the "content" of calls, but only the metadata—who a person called, when, how long the conversation lasted and other information. EFF's brief begins with the line "It is not just metadata," and goes on to explain how metadata collected on a massive scale can often reveal more personal information about an individual than content. The brief outlines how metadata can show patterns of behavior, political and religious affiliations, and other personal details, especially when combined with other data sources.
"The metadata the government collects isn't just a list of numbers dialed and times—it's a window into the lives of millions of Americans," EFF Staff Attorney Mark Rumold said. "The law should provide the highest level of protection for this kind of information. The technology experts who signed the brief provide a valuable perspective for the court to consider."
The ACLU filed its lawsuit against the Director of National Intelligence, NSA, Department of Defense, Department of Justice and FBI last year after former intelligence contractor Edward Snowden revealed a secret legal order allowing for the indiscriminate capture of call metadata from Verizon Business Services.
EFF represents 17 professors who signed onto the brief, including: Profs. Harold Abelson and Ron Rivest of the Department of Electrical Engineering and Computer Science at the Massachusetts Institute of Technology; Prof. Andrew Appel, chair of Princeton University's computer science department; Prof. Steven Bellovin of Columbia University's computer science department; and Matthew Blaze, an associate professor in the University of Pennsylvania's Computer and Information Science Department. Other experts signed on to the brief come from Johns Hopkins University, the University of Michigan, Rice University and Purdue.
"Metadata equals surveillance," said security expert and EFF board member Bruce Schneier, another signer of the brief. "It's who we talk to, what we read, and where we go. When the president says 'don't worry, it's only metadata,' what he's really saying is that you're all under surveillance."
While EFF is acting as amicus in this case, it also has two ongoing lawsuits of its own that challenge NSA surveillance. In First Unitarian v. NSA, EFF represents 22 groups whose First Amendment rights to association are violated by the NSA program. Jewel v. NSA is a case on behalf of AT&T customers who were subject to the unconstitutional NSA spying.
For the text of the amicus brief:
https://www.eff.org/document/computer-scientists-amicus-aclu-v-clapper
Contacts:Mark Rumold
Staff Attorney
Electronic Frontier Foundation
mark@eff.org
Reporters Without Borders (RSF) released its annual “Enemies of the Internet” index this week—a ranking first launched in 2006 intended to track countries that repress online speech, intimidate and arrest bloggers, and conduct surveillance of their citizens. Some countries have been mainstays on the annual index, while others have been able to work their way off the list. Two countries particularly deserving of praise in this area are Tunisia and Myanmar (Burma), both of which have stopped censoring the Internet in recent years and are headed in the right direction toward Internet freedom.
In the former category are some of the world’s worst offenders: Cuba, North Korea, China, Iran, Saudi Arabia, Vietnam, Belarus, Bahrain, Turkmenistan, Syria. Nearly every one of these countries has amped up their online repression in recent years, from implementing sophisticated surveillance (Syria) to utilizing targeted surveillance tools (Vietnam) to increasing crackdowns on online speech (Saudi Arabia). These are countries where, despite advocacy efforts by local and international groups, no progress has been made.
The newcomers
A third, perhaps even more disheartening category, is the list of countries new to this year's index. A motley crew, these nations have all taken new, harsh approaches to restricting speech or monitoring citizens:
Russia: As RSF writes, Russia has been on a downward slope for more than a decade. Until fairly recently, however, the Russian government did not directly censor the Internet, preferring instead to employ subtle strategies to control online discourse. In 2012, that changed, when the Russian Duma overwhelmingly passed a bill allowing the creation of a national blacklist of websites. Today, that blacklist continues to grow, while the government continues to seek new ways of limiting online speech.
Pakistan: We’ve expressed concerns about Pakistan many times before, so we’re glad to see the country called out for its repressive behavior. Despite significant opposition from inside the country, the Pakistan Telecommunications Authority continues to add sites to its opaque blacklist, most notably YouTube following the ‘Innocence of Muslims’ debacle in 2012. Efforts from local activists have also demonstrated the willingness of foreign companies—in particular Canadian company Netsweeper—to aid in Pakistan’s repression of speech.
United States: This is the first time the US has made it onto RSF’s list. While the US government doesn’t censor online content, and pours money into promoting Internet freedom worldwide, the National Security Agency’s unapologetic dragnet surveillance and the government’s treatment of whistleblowers have earned it a spot on the index.
United Kingdom: The European nation has been dubbed by RSF as the “world champion of surveillance” for its recently-revealed depraved strategies for spying on individuals worldwide. The UK also joins countries like Ethiopia and Morocco in using terrorism laws to go after journalists. Not noted by RSF, but also important, is the fact that the UK is also cracking down on legal pornography, forcing Internet users to opt-in with their ISP if they wish to view it and creating a slippery slope toward overblocking. This is in addition to the government’s use of an opaque, shadowy NGO to identify child sexual abuse images, sometimes resulting instead in censorship of legitimate speech.
India: A country that has long censored certain types of speech, it’s surprising that India has never made it to RSF’s list before. Still, in the past two years, things have gotten significantly worse as the Indian government has enacted new laws to limit online speech and has slouched toward the NSA at a time when its neighbors have spoken out against surveillance.
Ethiopia: The African country has been on a downward spiral for the past few years, blocking VoIP services, sentencing bloggers to long prison sentences, and enacting laws to block online content. Most recently, EFF filed a lawsuit accusing the Ethiopian government of installing spyware on the device of an American citizen of Ethiopian origin. In a similar case, Privacy International filed a criminal complaint alleging the use of FinSpy on the device of a UK resident.
Missing from the list
There are a few countries that were left out of this year’s index that we think should have been included. These nations have all taken a turn for the worse in recent years:
Turkey: Although Turkey has shown up on RSF’s watchlist before, and despite a spate of arrests of social media users during last summer’s protests, Turkey managed to stay off this year’s index. The country has come under fire from human rights advocates for its online repression, and in 2012, the European Court of Human Rights found that Turkey had violated its citizens’ right to free expression by blocking Google sites. Turkey is definitely an enemy of the Internet.
Jordan: Despite local protests and international opposition, in June 2013, Jordan initiated a ban on more than 300 news sites that refused or failed to register with the Press and Publications Department. Those sites remain blocked.
Morocco: The North African nation’s approach to the Internet had improved somewhat in recent years, with the government unblocking sites that were formerly censored. The arrest of journalist Ali Anouzla in September 2013 and subsequent blocking of Lakome, the publication he co-founded, however, seems to signal a new era. Activists have expressed concern that bad legislation is just around the corner.
We urge the countries that find themselves on RSF's “Enemies of the Internet” list this year—as well as those that are glaringly missing from the list—to take note of countries, such as Tunisia and Myanmar (Burma), who have taken steps to ameliorate violations of Internet freedom and remove themselves from RSF's annual index.
Getty Images—among the world's largest providers of stock and editorial photos—has announced a major change to the way it is offering its pictures for sites to use. Beginning this week, in addition to the traditional licensing options, people can embed images in their sites at no cost and with no watermarks, so long as they use the provided embed code and iframe.
There's at least one reason this move is exciting and positive: it's encouraging to see companies experimenting with different business models and using the proverbial carrot instead of the stick. In other words, Getty is making it easier to engage in desirable behavior—giving proper attribution and a link—rather than simply raising the costs of being non-compliant with legal threats and suits. That's better for users, and it may ultimately be more effective for the company.
Getty's got a point of reference, too. It has pursued the latter strategy of threatening letters and even filing lawsuits against unauthorized users over the years. That isn't unprecedented either. Though the scale is dramatically different, the Recording Industry Association of America used the same general technique in its long-running and ill-fated campaign against its fans. There's no firm evidence that Getty has given up this strategy—according to Businessweek, the company filed five new copyright lawsuits in a single week in January—but if it has, that's a good development.
But in other ways, this move rings alarm bells—especially from a privacy perspective. Some of the complaints are common to all sites serving third-party scripts or resources: when a site embeds that content, whether it's Google Analytics, a YouTube video, a Facebook Like button, or now a Getty Images iframe, it is creating a connection between its readers and the third-party host. The third-party host can possibly get and log your IP address and the exact time of the request; information about the web browser you're using, your browser's version, your operating system, processor information, language settings, and other data; the URL of the website you're coming from; and sometimes tracking cookies.
This problem is, unfortunately, a fundamental property of the web as we know it. But a few facts about Getty make this situation especially troubling. For one thing, given its scale and popularity, Getty Images embeds may appear on a significant number of different sites that a single user visits. That would allow Getty to correlate more information about a user's browsing history than any single site could. That information, in turn, is subject to government requests, sales to data brokers, or even breaches or leaks.
These concerns might be mitigated by a strong privacy policy or some indication of what Getty intends to log and how it's going to use it. Unfortunately, we've gotten the opposite. A business development executive at Getty Images told The Verge that the company has "certainly thought about" monetizing usage data, but has no specific plans. We spoke to a representative of Getty Images who said that at this time it does not collect information beyond what's necessary to store aggregate viewing numbers for individual images. That's commendable, but since that practice is significantly more privacy-protective than what the company claims in its general privacy policy—last updated in May 2012—it could change at any time. Best practices are to minimize the amount of data collected and held to meet a site's needs, but that's at odds with an incentive to collect-it-all and sort out what's needed later.
Beyond what Getty Images does with user data, its current implementation also serves images over an unencrypted HTTP connection. As a result, others on the same network, or the user's ISP, can eavesdrop on those requests. In the case of a news site protecting its readers' privacy by serving over and HTTPS connection, this side channel could reveal what articles they are reading.
These privacy threats aren't likely to affect everybody, but they are real for some people. So too are the implications for archives and even web pages that are concerned about preserving their own history: letting another site host images may seem like an attractive bargain, but those images may not always be available, and could interfere with efforts like the Internet Archive's ability to preserve a page as it once appeared.
If Getty Images is going to continue offering images as iframe embeds, there are a few ways it can improve the deal for end users. It should offer images over an encrypted HTTPS connection by default. It should explain clearly and publicly what its practices are for minimizing the amount of data it collects and stores on users. And even if the company adheres to its current minimal data collection standards, it should commit to setting a high bar on following the Do Not Track spec: if users are sending a signal that they do not wish to be tracked, Getty Images should honor it fully.
Finally, websites should consider whether embedding a third-party resource is best for their readers. There are, after all, options. Some publications have described Getty Images as the largest provider of stock photos, but that overlooks a major category: Flickr alone has hundreds of millions of images released under Creative Commons licenses, and the Wikimedia Commons has tens of millions more. Unlike the Getty embedding terms of use, Creative Commons licenses allow images to be served directly by the host, aren't subject to change in the future, and sometimes even allow for the images to be remixed and mashed up.
It's good to see Getty exploring new avenues, and we'll be even more encouraged if this strategy replaces its earlier litigious stance entirely. But it's important that users know that, in some cases, embedding "free" photos might come at a real cost to readers.
Image: Camera Lens by Elliot Bennett, released under Creative Commons Attribution 2.0
Related Issues: Fair Use and Intellectual Property: Defending the BalancePrivacyEncrypting the WebLast week, the federal government finally dismissed 11 controversial counts from its overzealous prosecution of journalist Barrett Brown. These counts charged Brown with identity theft for sharing a link to records documenting improper and potentially illegal activities by the U.S. intelligence contractor, Stratfor Global Intelligence.
The fact that Brown has been in jail for 18 months, based in large part on these charges, has threatened and continues to threaten press freedom in the United States.
Before the government dropped its charges, we were less than five days away from filing an amicus brief in the case on behalf of EFF and some of the most influential organizations protecting the rights of journalists around the world, including Reporters Committee for Freedom of the Press, Reporters Without Borders, Freedom of the Press Foundation, and PEN American Center.
We may never know why the government finally decided to drop the charges, though it could have been due to the threat of our amicus brief. We called the Assistant U.S. Attorney handling the case on Tuesday to let her know we planned to file the brief (a formality). The next day, without any warning to us or to Brown’s lawyer, the government filed its motion to dismiss, which the court granted on Friday.
But as we argued in the brief, the government should never have brought these charges in the first place. Doing so violated the First Amendment and created a chilling effect on all journalists reporting in the United States.
Linking ≠ “Trafficking in Stolen Authentication Features”
The government charged Brown with trafficking in stolen authentication features and aggravated identity theft for sharing a link to records that included millions of emails discussing opportunities for rendition and assassination and detailing attempts to subvert journalists, political groups and even foreign leaders. They also included tens of thousands of credit card numbers and their verification codes. The records were published online after hackers broke into Stratfor’s servers. While the government alleged Brown transferred the link from one IRC channel to another, it never alleged he transferred the actual files or the credit card numbers or was in any way responsible for the Stratfor hack. Brown faced a minimum of two years in prison on each charge, and a real risk of 20 years if the court decided to run each two year sentencence consecutive.
Long-settled Supreme Court precedent establishes that the publication of truthful, lawfully obtained information about a matter of public concern is protected by the First Amendment. It doesn’t matter if the journalist knew someone else illegally obtained the information as long as she, herself, obtained it legally. As we argued in our brief, Brown’s actions clearly merited First Amendment protection.
Linking and Crowdsourcing Are Common in Journalism
Brown, who was a prolific writer for a number of publications, including Vanity Fair, The Guardian and Huffington Post, appears to have shared the link to the Stratfor files with a team of other journalists to crowdsource the review of the voluminous records. Earlier in 2011, Brown relied on crowdsourcing to review and report on 70,000 emails from HBGary, another government contractor, after Anonymous hacked into its servers.
By sharing the link and crowdsourcing review of these documents, Brown only did what thousands of other journalists do every day. For journalists, “linking” is crucial to effectively providing readers with background and context to stories. While this may seem like an obvious point, it apparently was not to the government.
Crowdsourcing has become quite common for both independent journalists and traditional media outlets too. It allows news organizations to work with others—including outside journalists, select groups of volunteers, or even the general public—to review huge troves of records. One need only look to the Snowden NSA releases to see how important linking—even to illegally-obtained records— and crowdsourcing has been for journalism and citizens around the world.
It all started on June 5, 2013, when The Guardian reported on and linked to a top-secret order issued by the Foreign Intelligence Surveillance Court (FISC) ordering Verizon to disclose telephone metadata of all of its customers. That order is still available online. As other organizations, including the New York Times, the Washington Post and CNN, reported on this breaking news, they too linked, not only to the Guardian’s article, but to the order itself on the Guardian’s site. And as more revelations about the NSA programs emerged, these media organizations linked to other top-secret orders and classified intelligence materials and shared the links with the public through social media like Facebook and Twitter.
Crowdsourced review has also been crucial in the NSA reporting, given the quantity of the documents and the technical information contained in them. Journalists have teamed up across newsrooms and with security researchers to better report on the material, ensuring its broader impact on society.
As stories continued to break, the public retweeted and shared these links with friends, coworkers and family members. By sharing these links, these media organizations—and any members of the public who shared the NSA records with each other—were also disseminating classified and top-secret national security information—information protected by statute (the Espionage Act) no less than the credit card records at issue in Brown’s case. But the government has yet to bring charges against anyone who shared the NSA information (except Snowden himself). In fact, a recent CRS report found that publication of national security information is likely protected under the First Amendment.
The Case Continues to Chill Speech
It is possible the government came to its senses and dropped these charges after realizing the First Amendment problems with its prosecution. Its initial determination to prosecute Brown may have been clouded by the fact that Brown admitted to being a heroin user and threatened an FBI agent and his children in a semi-coherent video posted to YouTube. (This happened after the FBI charged Brown’s mother with obstruction of justice for failing to produce Brown’s laptop.) Brown still faces charges for this threat in a separate criminal case, as well as charges of obstruction of justice for concealing evidence. However, Brown’s arguable lapse of judgment does not excuse the government for bringing specious identity theft charges against him for the simple act of sharing a link.
Ultimately, the government’s prosecution of Mr. Brown continues to threaten not only journalists and the press, but the public at large. We rely on the media to report on government and corporate impropriety—even when that reporting requires a journalist to review and share illegally obtained records. However, if journalists fear they could be charged with a crime for newsgathering and reporting (even if the charges are later dropped), they may think twice about whether the publication is really worth the risk.
This case threatens the public in another way. Just like journalists, we all regularly share links with friends and family through email and social media platforms like Facebook and Twitter. These links may be to news and human-interest stories, medical research, gossip about movie stars, or shopping deals, but these communications are all threatened by the government’s broad application of the criminal statutes at issue in Brown’s case.
You can read our full amicus brief here.
Image: Barrett Brown by Free Barrett Brown, released under Creative Commons Attribution-Share Alike 3.0.
This past Monday, the Human Rights Committee commenced its one hundredth and tenth session in Geneva from March 10-28. During this session, the Committee will review the reports of several countries on how they are implementing the provisions of the International Covenant on Civil and Political Rights (ICCPR), an international human rights treaty and one of the bedrocks of human rights protections.
Countries that have ratified the ICCPR are required to protect and preserve basic human rights through various means including administrative, judicial, and legislative measures. Additionally, these countries are required to submit a report to the Human Rights Committee, a body of independent experts who monitor the implementation of States’ human rights obligations, every four years. The United States ratified the ICCPR in 1992 and is thus tied to these obligations, and required to regard the treaty the same as it would any domestic law. The Human Rights Committee will review the US’s human rights records on Thursday, March 13. In particular, the Committee will be scrutinizing the US’s mass surveillance practices and its compliance with Article 17 on the right to privacy.
At the opening session of the Human Rights Committee meeting, the UN High Commissioner for Human Rights, Navi Pillay, made it clear that the topic of privacy and surveillance is a priority:
“Powerful new technologies offer the promise of improved enjoyment of human rights, but they are vulnerable to mass electronic surveillance and interception. This threatens the right to privacy and freedom of expression and association.”
We are pleased that the Human Rights Committee has the opportunity to clarify the scope of United States legal obligations under Article 17 on the right to privacy, especially in light of the recent revelations on mass surveillance leaked by Edward Snowden. Worldwide, the general public is privy to the fact that several US programs have the potential for serious privacy rights violations in the form of mass surveillance both at home and abroad; a blatant violation of the United States' ICCPR obligations.
We are asking the Human Rights Committee to look at the 13 International Principles for the Application of Human Rights to Communications Surveillance—or more commonly, the Necessary and Proportionate Principles, which are supported by over 400 organizations and 300,000 individuals, as a guide for understanding a State Party’s compliance with Article 17.
Moreover, the Electronic Frontier Foundation and the Human Rights Watch submitted a joint shadow report that flags several issues for the Human Rights Committee to consider when reviewing the United States’ report this Thursday.
Among the main issues are:
I. The US has extraterritorial obligations to uphold the right to privacy of individuals outside its borders
Given the extraordinary capabilities and programs of the US to monitor global communications, the Committee should ask the US to acknowledge that its obligations with respect to the right of privacy apply extraterritorially to persons whose communications it scans or collects. To accept otherwise would defeat the object and purpose of the ICCPR with regard to the privacy of borderless, global digital communications.
Accepting the US’s view that the right to privacy does not extend to its actions abroad would defeat the object and purpose of Article 17 as applied to online or digital communications. If states adopted a similar position, it would permit governments to conduct arbitrary or unlawful surveillance on the communications of any persons physically located outside their territory or jurisdiction. This position would thwart efforts of other governments to protect the privacy rights of their own residents if every other government if free to violate that right. The US’s position is also contrary to the principle of the universality of rights and suggests that the right to privacy can be abrogated on the basis of citizenship and legal status.
II. Collection of personal information is an interference with privacy
In responding to the Snowden revelations, US government officials have implied that the US does not consider electronic information to have been “collected” until that information is searched or processed in some way.
The Committee should recognize that the acquisition of copying of personal information can constitute an “interference” with the right to privacy under Article 17, regardless of whether the information is subsequently processed, examined, or used by the government.
Furthermore, the US government continues to assert a distinction between the content of communications and “metadata” or transactional data. Communications metadata generally consists of information other than the content of the communications, including the phone number dialed, time or date of a phone call, mobile phone location information, Internet Protocol address, or website URL visited. In litigation challenging its communications surveillance programs, the US maintains that while individuals have a “reasonable expectation of privacy” in the content of their communications, they do not have such an expectation for their metadata, and such metadata enjoys significantly weaker privacy protections. In addition, the US contends that individuals forfeit their privacy rights in information that they share with the third-party company that provides communications services. As a consequence of these two contentions, the US asserts that it may collect metadata from phone and Internet companies without implicating their customers’ legal rights to be free from unwarranted searches and seizures.
We hope the Human Rights Committee directly challenges these arguments.
As explained in the "Necessary & Proportionate Principles," traditionally the invasiveness of communications surveillance has been evaluated on the basis of old categories that are no longer appropriate for measuring the degree of the intrusion that communications surveillance makes into individuals’ private lives and associations. One of the main considerations in drafting the principles has been to ensure that the level of protection accorded to information properly corresponds to the degree of intrusion into people’s lives that can result from access to the data by third parties. Thus any formerly used labels—such as “metadata”—that do not reflect these real-life effects should be rejected.
III. Mass collection of data is fundamentally arbitrary and disproportionate
The Committee should find that mass, indiscriminate collection, search, or retention of electronic information is fundamentally arbitrary and disproportionate. Dragnet searches or collection on large groups without some threshold showing of individualized suspicion that the information to be acquired is necessary to protect national security, or another legitimate interest of the United States, should be presumptively impermissible.
EFF believes the Principles could assist the commission in developing an understanding of the right to privacy in the light of new technologies. Established international human rights law is often still new in terms of its application in the new global digital world, and one of the main aims of the Principles is to provide guidance and make suggestions in that regard; to ensure that individuals do not lose precious protection built up over many years simply because the concepts and approaches developed in a pre-digital world do not always “fit” the new reality. The Principles look beyond the current set of revelations to take a broad look at how modern communications surveillance technologies can be addressed consistently with human rights and the rule of law.
The question remains: If the Human Rights Committee, after reviewing the fourth periodic report of US, provides the member state with recommendations, also known as “concluding observations,” will the US finally comply?
Michael Posner, the former assistant secretary for human rights said he hoped the US would “take the next step, which is to say, ‘This isn’t just policy—it is an international legal obligation.’ ”
Follow along—the entire US ICCPR review will be webcast on UN TV on March 13 and 14.
Files: EFF and Human Rights Watch Joint SubmissionRelated Issues: State Surveillance & Human RightsNSA SpyingOne of the two cases against satellite TV company DISH Network settled last week, with Disney ending its quest to have DISH's automatic commercial-skipping feature, AutoHop, made illegal. In addition to calling off its lawyers, Disney agreed to stream some shows from its popular networks like ABC, Disney Channel, and ESPN over the Internet to DISH subscribers. In exchange, DISH agreed to disable the commercial-skipping functionality for three days after a show is aired - corresponding to the period that the Neilsen Company includes in its audience measurements.
We're pleased that Disney dropped its silly legal challenge against DISH's digital video recorder. Although Disney had put together a convoluted legal argument against DISH, at the end of the day Disney could only succeed if it could convince the a federal court that TV-watchers are breaking the law when they skip commercials. As EFF argued in our amicus brief along with Public Knowledge and the Organization for Transformative Works, commercial-skipping is legal no matter how convenient DISH might make it. Disney's effort seemed especially futile after another appeals court rejected a similar case brought by Fox last year.
Still, DISH's agreement to lock out the ad-skipping feature until three days have elapsed from the original broadcast is disappointing, given that the law has nothing to say about commercial-skipping. Aside from dropping a lawsuit that Disney was likely to lose anyway, the quid pro quo for crippling the Ad Hopper seems to be making some programming available to DISH subscribers online. Walling up online video content and making it available only to cable or satellite subscribers - known as the 'TV Everywhere' strategy - seems destined to keep Internet video an add-on to expensive pay-TV packages instead of a low-cost competitor in its own right. If this settlement is just another step down that road, plus a less useful DVR than the one DISH released two years ago, it’s not much cause for celebration.
Related Issues: Fair Use and Intellectual Property: Defending the BalanceDigital VideoAs Facebook turned ten years old last month, a legal case it brought against Power Ventures almost six years ago demonstrates the continued hurdles facing developers who seek to empower users to interact with closed services like Facebook in new and creative ways. In a new amicus brief, we caution the Ninth Circuit Court of Appeals not to extend crippling civil and criminal liability on services that provide competing or follow-on innovation.
Power Ventures made a web-based tool that allowed users to log into all of their social networking accounts in one place and aggregate messages, friend lists, and other data so they could see all their information in one place. To promote its service, it offered a $100 reward to users who could invite, through the Facebook Events system, a certain number of friends to sign up for Power's service. Because of the way Facebook designed its Events system, the messages appeared to come from Facebook directly, although the messages clearly identified the individual user who sent the invitation, as well as Power's service. Facebook eventually blocked one of several IP addresses Power used to connect to Facebook, and Power eventually stopped allowing Facebook users to use Power's service.
In 2008, Facebook sued Power, claiming it had violated the Computer Fraud and Abuse Act (CFAA) and California Penal Code § 502 when it allowed users to access Facebook data after it blocked a specific IP address Power was using to connect to Facebook data. Facebook also claimed that Power violated the CAN-SPAM Act, the federal law that prohibits sending commercial emails with materially misleading information, when Power encouraged users to invite their friends to try Power. We've filed a number of amicus briefs in this case, arguing that Facebook's theories of liability were wrong and dangerous, and that users have the right to choose how they access their data.
While the district court initially agreed with us that Facebook could not prove a CFAA violation by merely showing that Power violated Facebook's terms of service, it nonetheless ruled in 2012 that Power was liable to Facebook under the CFAA and CAN-SPAM and, in 2013, ordered Power to pay more than $3 million in damages to Facebook, a significant amount that was remarkably less than the staggering $18 million Facebook initially sought. Power is now bankrupt and the case is before the Ninth Circuit, where we again filed an amicus brief in support of Power.
On the CFAA claims, our brief explains working around an IP address block is a common non-criminal act in most instances. The CFAA is intended to go after hackers who circumvent technical restrictions in order to access data they are not otherwise entitled to, not users who utilize a third-party service to access their own data. Plus circumventing a technical block merely enforcing Facebook's terms of service is not a violation of the CFAA. The only way to determine whether Power was violating the CFAA was to look at Power's motivation for working around Facebook's IP block. Here, the facts were in dispute: Facebook claimed Power was trying to circumvent the IP block, but Power claimed its business practice was to use multiple IP addresses and when one was blocked, it stopped trying to access Facebook. But the court never resolved this factual dispute, instead finding that using technology that merely has the capability to circumvent a technical restriction—regardless of what the technology actually did circumvent or regardless of the user's motivation for trying to circumvent—is enough to violate the CFAA. This is a dangerous idea, criminalizing innovations like Power's service, and turning Facebook users that used Power to access their own data into criminals.
Facebook's CAN-SPAM claims are just as dangerous. Congress passed CAN-SPAM to go after big time spammers who hide their identities in order to bombard users with malware and phishing schemes. Captive email systems like Facebook's, where a user has no control over the header information of the message, were not contemplated in CAN-SPAM, which was signed into law on December 16, 2003—two months before Facebook was even launched. Plus the messages weren't misleading since a Facebook user that got an invitation knew all three parties to the communication: the friend who sent the invite, Facebook who facilitated the message, and Power who's service was being promoted. But by finding Power liable, the lower court puts all Facebook users who use Events at unreasonable legal risk. For example, if a Facebook user is in a band and, using Facebook Events, invites friends to a local show with a small cover charge, that user has arguably sent a "misleading" commercial message under CAN-SPAM because, even though the friend sent the message, the header information will show the message came from Facebook. That user could be guilty of a crime and liable for a significant financial penalty for every message sent. This is an absurd interpretation of the law that criminalizes routine Internet behavior.
Facebook's claims here are dangerous, threatening to put the power of law—including serious criminal penalties—behind Facebook and other companies' anti-competitive decisions to thwart consumer choice and innovation that doesn't meet their approval. The information put into a social networking site belongs to the user, who should be able to access, export, and aggregate the data as they please. Hopefully the Ninth Circuit will understand and appreciate this, reversing a lower court decision that equates consumer choice with legal risk.
Files: EFF Facebook v. Power 9th Circuit Amicus BriefRelated Issues: Terms Of (Ab)UseCoders' Rights ProjectComputer Fraud And Abuse Act ReformRelated Cases: Facebook v. Power VenturesThe campaign for open access to publicly funded research was going in the right direction: the White House issued a strong mandate last year, federal agencies have taken up the mantle to create public access policies, and the solid open access bill FASTR was introduced in both the House and the Senate.
And then yesterday happened. House Science Committee Chair Lamar Smith and Rep. Larry Buchson introduced the FIRST Act (PDF), a scientific research bill that contains language that sends the progress made on the open access front in the exact opposite direction. We've written about this bill's bad draft language before, and we hoped the substance would change before the bill was introduced. Unfortunately, it did not.
Markup is on Thursday. Tell your lawmakers that the FIRST Act is not the open access reform we need, and to support FASTR instead.
Section 303 of the FIRST Act—which stands for the Frontiers in Innovation, Research, Science and Technology Act, H.R. 4186—restricts access to publicly funded research articles by up to three years. This is unheard of in the world of public access. The current NIH policy, for example, makes sure important health research is publicly available within a year. A three year delay is chilling to scientific and technological progress, especially when many researchers and startups cannot access articles in the first place due to exorbitant journal costs.
The bill also still allows federal agencies to link to final copies of articles, rather than archive them themselves. As the publishing industry is in a period of flux right now, this option is far from scalable; archiving the papers, which is what the NIH—which is responsible for $30 billion of the federal research budget—already does, clearly is a more sustainable option. Having a more centralized source for research papers also lends itself better to meta-analysis and downstream work.
Section 303 puts up too many unnecessary obstacles that hinder the research, academic, and technological communities that its STEM mandate hopes to spur. A prime example: the bill calls for agencies to go through an 18-month planning period to figure out how to implement its policies, which they are already going through right now through the White House mandate. When it comes to FIRST, the only winners are big publishers, who have clearly hijacked the bill's language to serve their own needs.
Let's stop this nonsense. Demand open access reform that actually works.
Files: hr4186-303.pdfRelated Issues: Open AccessSan Francisco - The Electronic Frontier Foundation (EFF) asked the U.S. Supreme Court Monday to set limits on warrantless searches of cell phones, arguing in two cases before the court that changing technology demands new guidelines for when the data on someone's phone can be accessed and reviewed by investigators.
The amicus briefs were filed in Riley v. California and U.S. v. Wurie. In both cases, after arresting a suspect, law enforcement officers searched the arrestee's cell phone without obtaining a warrant from a judge. Historically, police have been allowed some searches "incident to arrest" in order to protect officers' safety and to preserve evidence. However, in the briefs filed Monday, EFF argues that once a cell phone has been seized, the police should be required to get a search warrant to look through the data on the phone.
"Allowing investigators to search a phone at this point – after the device has been secured by law enforcement but before going to a judge and showing probable cause – is leaving 21st Century technology outside the protections of the Fourth Amendment," said EFF Staff Attorney Hanni Fakhoury. "If we're going to truly have privacy in the digital age, we need clear, common-sense guidelines for searches of digital devices, with meaningful court oversight of when and how these searches can be conducted."
In the not-so-distant past, our pockets and purses carried only limited information about our lives. But in the age of the smartphone, we are walking around with a complete, detailed history of our work schedules, our medical concerns, our political beliefs, and our financial situations. Our phones include pictures of family gatherings, videos of friends, apps that help manage our health and our money, and email and text messages from both our personal and professional lives.
"Our phones include an extraordinary amount of sensitive information – our past, our present, our plans for the future," said Fakhoury. "We can't let investigators rummage through this data on a whim. It's time for the Supreme Court to recognize the important role that judicial oversight must play in searches of cell phones incident to arrest."
Today's brief was filed in conjunction with the Center for Democracy and Technology. The brief was authored with the assistance of Andrew Pincus of Mayer Brown LLP and the Yale Law School Supreme Court Clinic.
For the full brief filed in Riley and Wurie:
https://www.eff.org/document/amicus-brief-supreme-court
For more on search incident to arrest:
https://www.eff.org/issues/search-incident-arrest
Contact:
Hanni Fakhoury
Staff Attorney
Electronic Frontier Foundation
hanni@eff.org
Today, the Human Rights Committee, a body of independent experts that monitors the implementation of States human rights obligations, is holding its one hundredth and tenth session in Geneva from 10th to 28th March. During this meeting, the Committee will review the reports of the United States (among other countries) on how they are implementing the provisions of the International Covenant on Civil and Political Rights. In particular, the Committee will be scrutinizing the United States' mass surveillance practices and its compliance with Article 17 on the the right to privacy.
We are pleased that the Human Rights Committee now has the opportunity to clarify the scope of United Sates legal obligations under Article 17 on the right to privacy, especially in light of the recent revelations on mass surveillance leaked by Edward Snowden. We call upon the Human Rights Committee to look at the 13 International Principles for the Application of Human Rights to Communications Surveillance—or more commonly, the Necessary and Proportionate Principles, which are supported by over 400 organizations and 300,000 individuals, as a guidance for understanding a State Party’s compliance with Article 17.
EFF believes the Principles could assist the commission in developing an understanding of the right to privacy in the light of new technologies. Established international human rights law is often still new in terms of its application in the new global digital world, and one of the main aims of the Principles is to provide guidance and make suggestions in that regard, to ensure that individuals do not lose precious protection built up over many years simply because the concepts and approaches developed in a pre-digital world do not always “fit” the new reality. The Principles look beyond the current set of revelations to take a broad look at how modern communications surveillance technologies can be addressed consistently with human rights and the rule of law.
Some of the key factors are:
Protect Critical Internet Infrastructure: No law should impose security holes in our technology in order to facilitate surveillance. Dumbing down the security of hundreds of millions innocent people who rely on secure technologies in order to ensure surveillance capabilities against the very few bad guys is both overbroad and short-sighted. Yet one of the most significant revelations this year has been the extent to which NSA, GCHQ and others have done just that—they have secretly undermined the global communications infrastructure and services. They have obtained private encryption keys for commercial services relied upon by individuals and companies alike and have put backdoors into and have generally undermined security tools and even key cryptographic standards relied upon by millions around the world. The assumption underlying such efforts—that no communication can be truly secure—is inherently dangerous, leaving people at the mercy of "good guys" and "bad guys" alike. It must be rejected.
Protect Metadata: It’s time to move beyond the fallacy that information about communications is not as private as the content of communications. Information about communications—also called metadata or non-content—can include the location of your cell phone, clickstream data, and search logs, and is just as invasive as reading your email or listening to your phone calls, if not more so. What is important is not the kind of data is collected, but its effect on the privacy of the individual. Thus, the law must require high standards for government access—for criminal prosecutions this means the equivalent of a probable cause warrant issued by a court (or other impartial judicial authority)—whenever that access reveals previously nonpublic information about individual communications. This includes revealing a speaker’s identity if it is not public; the websites or social media one has encountered; the people one has communicated with; and when, from where, and for how long. In the pre-Internet age, the much more limited amount and kind of “metadata” available to law enforcement was treated as less sensitive than content, but given current communications surveillance capabilities, this can no longer be the case. Our metadata needs to be treated with the same level of privacy as our content.
Monitoring Equals Surveillance: Much of the expansive state surveillance revealed in the past year depends on confusion over whether actual "surveillance" has occurred and thus whether human rights obligations apply. Some have suggested that if information is merely collected and kept but not looked at by humans, no privacy invasion has occurred. Others argue that computers analyzing all communications in real-time for key words and other selectors is not "surveillance" for purposes of triggering legal protections. These differences in interpretation can mean the difference between targeted and mass surveillance of communications.
Definitions Matter. This is why one of the crucial points in our Principles is the definition of "communications surveillance", which encompasses the monitoring, interception, collection, analysis, use, preservation and retention of, interference with, or access to information that includes, reflects, or arises from or a person’s communications in the past, present or future. States should not be able to bypass privacy protections on the basis of arbitrary definitions.
Mission Creep: Contrary to many official statements, the modern reality is that state intelligence agencies are involved in a much broader scope of activities than simply those related to national security or counterterrorism. The NSA and its partners, for example, have used the expansive powers granted to them for political and even economic spying—things that have little to do with the safety of the state and its citizens. Worse, the information collected by foreign intelligence agencies, it turns out, is routinely (and secretly!) re-used by domestic agencies such as the Drug Enforcement Agency, effectively bypassing the checks and balances imposed on such domestic agencies.
The Necessary and Proportionate Principles state that communications surveillance (including the collection of information or any interference with access to our data) must be proportionate to the objective they are intended to address. And equally importantly, even where surveillance is justified by one agency for one purpose, the Principles prohibit the unrestricted reuse of this information by other agencies for other purposes.
No Voluntary Cooperation: As we've learned about extralegal and voluntary deals between tech companies and intelligence agencies, it's become increasingly clear that the terms of cooperation between governments and private entities must be made public. The Necessary and Proportionate principles clarify that there is no scope for voluntary cooperation from companies unless a warrant has met the proportionality test.
Combat a Culture of Secret Law: The basis and interpretation of surveillance powers must be on the public record, and rigorous reporting and individual notification (with proper safeguards) must be required. The absence of transparency in surveillance laws and practices reflects a lack of compliance with human rights and the rule of law. Secret laws—whether about surveillance or anything else—are unacceptable. The state must not adopt or implement a surveillance practice without public law defining its limits. Moreover, the law must meet a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of, and can foresee, its application. When citizens are unaware of a law, its interpretation, or its application, it is effectively secret. A secret law is not a legal law.
Notification: Notification must be the norm, not the exception. Individuals should be notified of authorization of communications surveillance with enough time and information to enable them to appeal the decision, except when doing so would endanger the investigation at issue. Individuals should also have access to the materials presented in support of the application for authorization. The notification principle has become essential in fighting illegal or overreaching surveillance. Before the Internet, the police would knock on a suspect's door, show their warrant, and provide the individual a reason for entering the suspect’s home. The person searched could watch the search occur and see whether the information gathered went beyond the scope of the warrant.
Electronic surveillance, however, is much more surreptitious. Data can be intercepted or acquired directly from a third party such as Facebook or Twitter without the individual knowing. Therefore, it is often impossible to know that one has been under surveillance, unless the evidence leads to criminal charges. As a result the innocent are the least likely to discover their privacy has been invaded. Indeed, new technologies have even enabled covert remote searches of personal computers. Any delay in notification has to be based upon a showing to a court, and tied to an actual danger to the investigation at issue or harm to a person.
Restore Proportionality: Authorities must have prior authorization by an independent and impartial judicial entity in order to determine that a certain act of surveillance has a sufficiently high likelihood to provide evidence that will address a serious harm. Any decisions about surveillance must weigh the benefits against the costs of violating an individual's privacy and freedom of expression. Respect for due process also requires that any interference with fundamental rights must be properly enumerated in law that is consistently practiced and available to the public. A judge must ensure that freedoms are respected and limitations are appropriately applied.
Cross-Border Access Protection: Privacy protections must be consistent across borders at home and abroad. Governments should not bypass national privacy protections by relying on secretive informal data sharing agreements with foreign states or private international companies. Individuals should not be denied privacy rights simply because they live in another country from the one that is surveilling them. Where data is flowing across borders, the law of the jurisdiction with the greatest privacy protections should apply.
More To Be Done: The Necessary and Proportionate Principles provide a basic framework for governments to ensure the rule of law, oversight and safeguards. They also call for accountability, with penalties for unlawful access and strong and effective protections for whistleblowers. They are starting to serve as a model for reform around the world and we urge governments, companies NGOs and activists around the world to use them to structure necessary change. The technology companies’ statement last week is a welcome addition and a good start. It also highlights the conspicuous silence of the telecommunications companies, which appear to have a much bigger and deeper role in mass surveillance.
But while the Principles are aimed at governments, government action isn’t the only way to combat surveillance overreach. All of the communications companies, Internet and telecommunications alike, can help by securing their networks and limiting the information they collect. EFF has long recommended that online service providers collect the minimum amount of information for the minimum time that is necessary to perform their operations, and to effectively obfuscate, aggregate and delete unneeded user information. This helps them in their compliance burdens as well: if they collect less data, there is less data to hand over to the government.
Working together, legal efforts like the Necessary and Proportionate Principles serving as a basis for international and national reforms, plus technical efforts like deploying encryption and limiting information collected, can serve as a foundation for a new era of private and secure digital communications.
Related Issues: InternationalState Surveillance & Human RightsSan Francisco - Electronic Frontier Foundation (EFF) Staff Attorney Daniel Nazer has become the new "Mark Cuban Chair to Eliminate Stupid Patents." Nazer succeeds former Senior Staff Attorney Julie Samuels and will lead EFF's campaign to reform the patent system and smash patent trolls. Samuels has left EFF to become the new executive director of Engine Advocacy, one of EFF's key partners in defending innovation in the start-up sector.
Entrepreneur and Dallas Mavericks owner Mark Cuban funded the title and Nazer's position with a $250,000 donation in 2012. Together, Nazer and Samuels, along with the other members of EFF's Intellectual Property team, have worked tirelessly to reform the patent system on multiple fronts, including in the courts, in Congress, at the White House, and before the US Patent and Trademark Office. On Wednesday, Nazer scored a victory against Personal Audio when a judge agreed to quash the notorious patent troll's subpoena for the names of donors who supported EFF's Save Podcasting campaign.
"This is an exciting time to be working on patent reform," said Nazer, who practiced law at Keker & Van Nest LLP before joining EFF at the start of 2013. "The next few months could see new legislation, important Supreme Court decisions, and action from the president. We need to make sure we get real reform that stops the flood of abusive patent troll litigation. I look forward to building on Julie Samuel's success as the Mark Cuban Chair to Eliminate Stupid Patents."
One of the first items of business will be to push Congress to pass meaningful reform. With the Innovation Act overwhelmingly passing in the House (by a vote of 325 to 91), it is now the Senate's turn. Over 5,000 inventors, entrepreneurs, investors, and concerned citizens have signed EFF's letter urging the Senate to act. EFF will continue to develop TrollingEffects.org, an online clearinghouse of crowd-sourced intelligence on patent trolls launched last year in collaboration with a coalition of organizations and law schools.
"Daniel has been an invaluable colleague, and I know he will head up EFF's patent work with dedication and success," Samuels said. "I look forward to continuing to collaborate with him, and the entire EFF patent team, as we all work toward fixing a broken patent system."
For a high resolution image of Daniel Nazer with formal bio:
https://www.eff.org/about/staff/daniel-nazer
Daniel Nazer
Staff Attorney and Mark Cuban Chair to Eliminate Stupid Patents
Electronic Frontier Foundation
daniel@eff.org
Within a week, over 5,000 individuals have urged the Senate to pass meaningful patent reform. These individuals represent over 900 inventors, 700 investors, and well over 1300 entrepreneurs who drive the innovation economy—yet are suffering billions of dollars in losses at the hands of patent trolls and rampant litigation.
What is meaningful reform? There must be immediate changes to remove incentives from the patent troll business model: fee shifting to raise trolls' financial stakes, for example; strong end user protections to stop trolls from targeting users of off-the-shelf technologies; transparency provisions preventing bad actors from hiding behind shell companies, striking with misleading demand letters, then stepping back into the shadows.
But reform must go beyond trolls' present tactics; meaningful reform would strike at the root. We must urge the Senate to put an end to destructive patent troll and troll-like behavior by addressing their weapon of choice: overbroad software patents. While fundamental reform may not be in the picture, the Senate has a chance to reintroduce language—for example, expanding the Covered Business Method provision—that would allow individuals and companies to trim down seriously vague patents after they have been issued.
The House recently passed the Innovation Act, which, while quite comprehensive, dropped its patent quality provisions in a last-minute push to gain the favor of older technology companies and their associated Congressional champions. It lies on the Senate to not only quell the current troll-ridden battlefield, but to also start restoring sanity to the patent system as a whole.
Five-thousand people have spoken out in the last week, and the number is still rising. Join us in securing the patent reform we need this year.
Related Issues: PatentsLegislative Solutions for Patent ReformPatent TrollsThe U.S. Attorney for the Northern District of Texas today filed a motion to dismiss 11 charges against Barrett Brown in a criminal prosecution that would have had massive implications for journalism and the right of ordinary people to share links. EFF has written extensively about the case and had planned to file an amicus brief on Monday on behalf of several reporters groups arguing for the dismissal of the indictment.
Brown, an independent journalist, was prosecuted after he shared a link to thousands of pages of stolen documents in an attempt to crowdsource the review of those documents—a common technique for many journalists. The records came from the US government contractor, Stratfor Global Intelligence and documented discussions of assassination, rendition and how to undermine journalists and foreign governments. They also included thousands of stolen credit card numbers. Brown had no involvement in the hack, but was charged nonetheless with identity theft.
In response to the decision by the federal prosecutor’s office to drop some, but not all of Brown's charges, EFF issued the following statement:
"We are relieved that federal prosecutors have decided to drop these charges against Barrett Brown. In prosecuting Brown, the government sought to criminalize a routine practice of journalism—linking to external sources—which is a textbook violation of free speech protected by the First Amendment. Although this motion is good news for Brown, the unnecessary and unwarranted prosecution has already done much damage; not only has it harmed Brown, the prosecution—and the threat of prosecution it raised for all journalists—has chilled speech on the Internet. We hope that this dismissal of charges indicates a change in the Department of Justice priorities. If not, we will be ready to step in and defend free speech.”
EFF plans to publish its draft brief and deeper analysis later this week.
Files: barrett_brown_mtd.pdfRelated Issues: Free SpeechRemember when Rep. Mike Rogers likened opponents of pernicious cybersecurity legislation to 14-year-olds? It turns out that middle-school-age students are also well-prepared to debate him on the NSA's programs as well.
EFF congratulates students from two middle schools who took home top prizes in the C-SPAN StudentCam 2014 competition for young filmmakers with their documentaries on mass surveillance. Students were tasked with answering the question: “What’s the most important issue the U.S. Congress should consider in 2014?”
According to the C-SPAN press release:
Peter Jasperse, Antonia Torfs-Leibman and Madeleine Hutchins, eighth graders at Eastern Middle School in Silver Spring, Md., are national First Prize winners in the Middle School division. Peter, Antonia and Madeleine will share $3,000 for their First Prize documentary, 'The NSA: The Lengths of America's Security,' about NSA surveillance."
The video, featuring an interview with author James Bamford, will air on C-SPAN at 6:50 a.m. E.T. and throughout the day on April 23. You can also watch it online.
Ben Blum, a filmmaker at Saint Mark's School in San Rafael, California, scored second place in the same category for his documentary "Data Obsession," featuring EFF Activist Parker Higgins. It will air on Friday, April 11 and you can watch it below:
Privacy info. This embed will serve content from youtube-nocookie.comUPDATE- March 5, 2014:
After a grueling meeting where dozens of speakers expressed concerns about privacy, racial profiling, and political repression, the Oakland City Council voted to move forward with a reduced Domain Awareness Center. The motion that was approved will remove city cameras and ShotSpotter from the DAC components, but does not address many of the questions EFF and others have raised. The final vote was a 4-4 tie, with Councilmembers Rebecca Kaplan, Libby Schaaf, Noel Gallo, and Lynette Gibson McElhaney voting no and Councilmembers Dan Kalb, Pat Kernighan, Desley Brooks, and Larry Reid voting yes. Mayor Jean Quan cast the tie-breaking yes vote, and has indicated that she will seek to add more systems to the DAC “one at a time” in the future. EFF will now be scrutinizing the development of the privacy policy and the DAC system itself very closely.
After an encouraging debate at the Oakland City Council meeting on February 18, EFF has submitted another letter opposing Oakland’s Domain Awareness Center (DAC). The DAC is a potent surveillance system that could enable ubiquitous privacy and civil liberties violations against Oakland residents. The city appeared set to approve a resolution that would have handed the City Administrator authority to sign a contract for completion of the project. However, after strenuous discussion, Councilmember Desley Brooks made a motion to delay the vote for two weeks in order to get more information about the potential civil liberties and financial impacts of the DAC. The council passed the motion with 6 yes votes and 2 abstentions.
Phase I of the DAC, funded by a Department of Homeland Security grant, is already operational. It integrates Port security cameras and an intrusion detection system with City of Oakland traffic cameras, city geographic information system (GIS) mapping, and a gun shot detector called ShotSpotter. The information from these various data sources is integrated using “Physical Security Information Management” PSIM. This allows law enforcement and other agencies to access and analyze all of these data sources through a single user interface. This means DAC staff can look at a single screen and see various video and information feeds at once, allowing much more invasive surveillance of Oaklanders.
At the February 18 meeting, speakers raised myriad issues. One of those was the racial profiling of Yemeni, Muslim, and African-American communities already happening in Oakland. Mokhtar Alkhanshali, a community organizer, talked about how law enforcement already targets the thousands of Muslims in Oakland, stating, “I represent people who are afraid to come here." Fred Hampton, Jr., son of the murdered Black Panther Party member Fred Hampton, reminded the council about the legacy of surveillance and targeting experienced by African-American activists.
At issue now is whether the Oakland City Council will approve an expansion of the system to include more data sources, considering all the outstanding questions. The council seemed to hear the concerns raised by community members and asked a lot of their own questions at the meeting. The council directed staff to provide further information. Unfortunately, as EFF’s letter states, the most recent staff report:
continues to punt key issues around the DAC to the future, regardless of the fact that many members of the Council prudently expressed concern about approving the project without a full delineation of what is being approved. These questions include, among others, what types of cameras and other data sources will be included, what relationships and information sharing agreements exist between the City and federal agencies, how DAC analytics will work, how exactly public engagement will occur, when the privacy policy advisory committee will meet and who will be on that committee.
Another major concern expressed at the meeting was the connection between the Domain Awareness Center and other law enforcement agencies, including the FBI. While city staff has repeatedly assured the public and the Oakland City Council that there are no information sharing agreements with federal agencies, the city already works several of them. EFF’s letter addresses this:
implying that there is any sort of firewall between DAC information and the federal government is disingenuous at best. As has been pointed out to the Council, Oakland already shares information with the FBI through its participation in a Joint Terrorism Task Force. Similarly, the Oakland Police Department participates in the Bay Area Urban Area Security Initiative (UASI), a Department of Homeland Security program. In fact, Renee Domingo is part of the “Approval Authority” for UASI. The Approval authority “provides policy direction and is responsible for final decisions regarding projects and funding,” to UASI.
Implying that the DAC has no relationship to fusion centers is also disingenuous. UASI is one of the primary funders for the Northern California Regional Intelligence Center (NCRIC), the regional Bay Area fusion center. Furthermore, the DAC itself has been “featured” regarding information sharing in relationship to NCRIC and other federal agencies; in a 2013 port security workshop that included Department of Homeland Security, NCRIC and Port of Oakland officials and brought in other federal agencies, law enforcement, and private interests, the DAC and NCRIC were used as models for information sharing relationships. In fact, pursuant to City Council resolutions, the Oakland Police Department and Fire Department staffed the Northern California Regional Intelligence Center in 2011 and 2012.
EFF joins the ACLU of Northern California, National Lawyers Guild and the Oakland Privacy Working Group (OPWG) in opposing the DAC. A group letter from OPWG has amassed over 35 signatories, including faith leaders, political party leaders, and community groups from the Arab, Muslim, Asian, and African-American communities. The Council has the opportunity to halt the DAC now, and to address the existing systems in place:
A no vote today is not the last step. The Council must then take responsibility for addressing Phase 1 of the DAC. EFF warns the Council that it must seriously consider how exactly a port-only DAC will work, taking into account the serious technical and legal concerns that accompany the DAC even as it currently exists. EFF again reminds the Council that any financial consequences of limiting the DAC are no reason to pursue a course of action that will seriously endanger civil liberties in Oakland. EFF urges the Council to consider the egregious lack of information and transparency that has surrounded this project and to vote against any expansion of the DAC.
The Mexican website 1dmx.org (mirror here), was set up in the wake of a set of controversial December 1st 2012 protests against the inauguration of the new President of Mexico, Enrique Peña Nieto. For a year, the site served as a source of information, news, discussion and commentary from the point of view of the protestors. As the anniversary of the protests approached, the site grew to include organized campaign against proposed laws to criminalize protest in the country, as well as preparations to document the results of a memorial protest, planned for December 1, 2013.
On December 2nd, 2013, the site disappeared offline. The United States host, GoDaddy, suspended the domain with no prior notice. GoDaddy told its owners that the site was taken down "as part of an ongoing law enforcement investigation." The office in charge of this investigation was listed as "Special Agent Homeland Security Investigations, U.S. Embassy, Mexico City." (The contact email pointed to "ice.dhs.gov," implying that this agent was working as part of the Immigration and Customs Enforcement wing, who have been involved in curious domain name takedowns in the past.)
Email received by 1dmx.org owners from GoDaddy.Luis Fernando García, 1dmx.org lawyer for the protestors, suspected that the call to bring down the site came from further afield than the U.S. embassy, and is suing several authorities in the Mexican courts to discover exactly which government agency passed on the order to the U.S. Embassy. Their court case, announced today, will continue to pursue the Mexican authorities to find the source of the demand, which the case contends violates Mexico's legal protections for freedom of expression.
If there are many questions to be answered by the Mexican authorities about this act of prior restraint on speech, there are no shortage of queries about the United States' involvement in this takedown. Why did GoDaddy take down content with the excuse of it being part of a legal investigation, when the company did not request or relay any formal judicial documents or an official court order? And why is the U.S. Embassy acting as a relay for an unclear legal process that resulted in censorship within the United States?
We look forward to following the result of the website owners' court case in Mexico, and to the responses of GoDaddy and the United States Embassy in Mexico City to this developing story.
Related Issues: Free SpeechBloggers' RightsInternational
