It’s looking like we might be on the brink of another crypto war. The first one, in the 90s, was a misguided attempt to limit the public’s access to strong, secure cryptography. And since then, the reasons we need the good security provided by strong crypto have only multiplied. That’s why EFF has joined 20 civil society organizations and companies in sending a letter to the National Institute of Standards and Technology (NIST) to “re-emphasize the importance of creating a process for establishing secure and resilient encryption standards, free from back doors or other known vulnerabilities.”
As the letter points out, in September 2013, ProPublica, the Guardian, and the New York Times revealed that the NSA had systematically “circumvented or cracked much of the encryption, or digital scrambling” that protects the Internet, “collaborating with technology companies in the United States and abroad to build entry points into their products.” As ProPublica explained,
[T]he agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
And these broken standards appear to have led to a serious impact on U.S. technology companies, which "may lose as much as $35 billion in the next three years from foreign customers choosing not to buy their products over concern they cooperate with spy programs.”
Although NIST has taken some steps to remedy these problems, more is needed “to rectify NIST’s trust deficit.” The letter lists specific recommendations to improve transparency, strengthen NIST’s cryptography work, and increase public understanding and engagement. For example:
- NIST should establish a policy wherein the Agency publicly explains the extent and nature of the NSA’s consultation on future standards and any modifications thereto made at NSA’s request.
- NIST should begin a review process to ensure that wherever possible the same information is published for standards that are currently in use.
The coalition’s recommendations were “heavily echoed in the reports submitted by the members of NIST’s appointed Committee of Visitors (CoV). The CoV is a distinguished panel of experts appointed by NIST. . .” The CoV also made recommendations to NIST, several of which are emphasized in the letter:
NIST must expand to include independent full-time technical expertise and additional funding in order to decrease reliance on the NSA and other members of the Intelligence Community.
We hope that NIST will take the recommendations seriously. U.S. businesses are suffering, and the NSA’s actions have made the Internet less safe for everyone. Serious action is needed to restore trust in NIST— and to protect the public good.
You can read the full text of the letter and see the signatories here.
Files: coalition-nist-nov2014.pdf
New Mexico law is so devoid of any established authority for this practice, a reasonable prosecutor, upon the exercise of diligent research could determine that the practice was very probably unlawful.
- Judge John Paternoster, Eighth Judicial District of New Mexico
The National Security Agency isn’t the only agency that’s willing to flout the laws of the land in order to obtain your telephone records. As we’re learning from a case out of New Mexico, local prosecutors may be too willing to ignore rights enshrined in the Constitution for an unfair advantage in criminal cases.
The case at hand involves the office of the District Attorney for the Eighth District of New Mexico, which covers three counties in Northern New Mexico, including Taos. D.A. Donald Gallegos and one of his subordinates are facing disciplinary charges after they were caught issuing at least 91 bogus subpoenas to eight telephone companies for customer call records.
The subpoenas came to light during the prosecution of a 2013 armed robbery at an electric cooperative. Suspecting it was an inside job, the Taos police department worked with the prosecutor’s office to begin issuing subpoenas to telecoms for call records relating to dozens of phone numbers. Several further batches of subpoenas were then discovered in other cases.
The problem is the District Attorney had no authority to issue “stand-alone subpoenas” under court rules, state law, or the New Mexico Constitution [PDF, PDF]. Prosecutors are only allowed to subpoena records when they represent a party in a case, (i.e. a grand jury has been convened or a criminal case has been filed) and they cannot use subpoenas during the police investigative process. Instead the prosecutor attached a generic case number—the kind usually reserved for miscellaneous court matters, such as bond forfeitures and oaths of office—not cellphone records requests.
The subpoenas weren’t signed by a judge or authorized by a grand jury. They weren’t even the right form [PDF] for issuing requests for records. As such, the subpoenas did not include the "essential" language alerting the recipient of remedies and protective measures. Rather, the documents threatened contempt of court sanctions for any telephone provider that failed to hand over the records.
A stand-alone subpoena, in improper form, issued and signed by a prosecutor in aid of police investigation, before a criminal cause is properly commenced, as in the instant facts is simply without precedent, analogy or lawful authority in New Mexico law.
The subpoenas in question were issued by the prosecutor without any judicial oversight, and allowed the police to obtain evidence during a criminal investigation without meeting the requirements of Article II 10 of the Constitution of New Mexico.
It is objectively unreasonable for the prosecutor to believe that his conduct was lawful.
The prosecutor had no reasonable basis in law for issuing the subpoenas and had no reasonable basis in law to present the evidence to the grand jury, and therefore acted in objective bad faith, and tainted the grand jury with evidence.
Judicial smackdowns don’t come much harder than that. The district attorney is appealing, but at the same time the oversight body authorized by the New Mexico Supreme Court to review allegations of attorney misconduct has completed its own investigation. The Disciplinary Board is now pursuing formal professional misconduct charges against the lawyers [PDF, PDF].
That process will play out over the next few months, but in the meantime there’s another piece of the puzzle worth addressing. If the subpoenas were so obviously illegal, why didn’t a single one of the telecommunications companies question their legitimacy?
According to the filings, eight telecommunications providers complied with the questionable subpoenas and handed over customer call records. They are:
- Verizon
- AT&T (Cingular)
- T-Mobile
- Commnet
- Cricket (since acquired by AT&T)
- Level 3 Communications
- MetroPCS
- Sprint/Nextel
As we told each of these providers in a letter [PDF], EFF strongly believes that part of a telecommunication company’s cost of doing business in any particular state is to ensure that local law enforcement requests for customer data comply with state law. That is particularly true when state laws, such as New Mexico’s, contain stronger legal protections than those that exist under the Fourth Amendment to the U.S. Constitution or the federal Stored Communications Act.
We are asking the involved companies to take a few concrete actions in response to the bad-subpoena scandal:
First, they should go back and review all subpoenas the district attorney issued, determine whether other subpoenas they received were similarly defective, and release the actual number of subpoenas they processed that may have been illegal.
Second, they should review their own legal process to identify how the company’s legal compliance team assesses the validity of subpoenas under state law. Then they should institute new policies to make sure it doesn’t happen again.
Finally, they should confirm whether the customers targeted by the subpoenas were informed of the existence of these subpoenas. If not, customers should be informed immediately.
So far, T-Mobile is the only provider to respond to our letter. While Senior Corporate Counsel Patricia Cauldwell indicated that they were unaware of the controversy until we brought it to their attention, she argued that T-Mobile acted in good faith and defended the company’s practice of rejecting requests when they appear to be defective.
“[W]e would not expect to see a prosecutor in New Mexico use subpoenas like these again in a criminal investigation before convening a grand jury and we expect that the judicial system in New Mexico is well capable of correcting the problem,” Cauldwell wrote [PDF].
We’re not convinced that’s a safe bet. The telecommunications industry is very well aware that the public is becoming more and more skeptical of how these companies interact with intelligence and law enforcement agencies. But for all the NSA and FBI’s questionable practices, local law enforcement agencies are just as prone to shenanigans.
Phone companies need to not only tell cops to come back with a warrant or subpoena, but come back with one that’s actually legal.
Files: 5-511_nmra.pdf, 5-511_subpoena_form.pdf, 2014.10.01_specification_of_charges_d_gallegos.pdf, 2014.10.01_specification_of_charges_e_chavez.pdf, 2014.04.08_decision_on_mtn_to_quash.pdf, 2013nmconst.pdf, letter_from_the_electronic_frontier_foundation_regarding_new_mexico_subpoenas.pdf, letter-from-t-mobile-redacted.pdf
This week EFF attended a meeting of the Human Rights Working Group of the Global e-Sustainability Initiative (GeSI), a global industry forum that includes many of the world's largest IT and communications companies, including AT&T, BlackBerry, HP, Microsoft, Telefónica, Verizon, and Vodafone.
Responding to both global and regional calls for industry to share more responsibility for the human rights impacts of ICT products and services, GeSI's human rights project aims to enliven greater vigilance amongst its members as to the human rights impacts of their activities throughout the supply chain.
GeSI members themselves are the best evidence of the need for this project. The most proximate example is given by the meeting's host AT&T, which a few days before the meeting announced that it had ceased to secretly track its mobile Internet users with unblockable super cookies. Frankly, a company with annual revenues exceeding a hundred billion dollars should not be making this kind of glaringly obvious privacy mistake to begin with.
The new human rights projects which GeSI members are discussing, and which EFF broadly supports, aim to provide them with a clear road map of possible human rights impacts across the ICT value chain, with particular emphasis on the possible unforeseen impacts of new technologies, and drawing on case studies from GeSI members. We made the clear point that external stakeholders—and not just customers, but also other affected communities—should also be an integral part of that conversation.
Whilst we were grateful for the invitation and happy to contribute our views, we are not yet fully convinced that large ICT companies have given enough priority to addressing the human rights impacts of their operations. Too much of the industry discourse around human rights—as the GeSI working group itself acknowledged—revolves around how human rights impacts affect stakeholder perceptions and contribute to business risk, rather than placing the severity of those impacts on vulnerable stakeholders front and center.
This is not to doubt the sincerity of the corporate representatives who participated, many of whose jobs are dedicated to fulfilling their employers' corporate social responsibilities. Even so, there were some grumblings about “budget limitations”, about how activists “love bad news and ignore good news”, and how GeSI should “not be too ambitious” with its human rights projects. These point towards the need for a more fundamental cultural shift within industry boardrooms to ensure that human rights concerns receive priority attention.
It also underlines that we should not rely too heavily on self-regulation and corporate social responsibility to protect users' rights. This lesson was reinforced by EFF's experience with the Global Network Initiative (GNI, a representative from which was also present), which manifestly failed to prevent its corporate members from becoming complicit in the out-of-control NSA spying program.
Even so, we appreciate that GeSI (and the GNI) are conscious of industry's need to improve its sensitivity to its own human rights impacts, and to respond more proactively when vulnerable communities are exposed to harm. The latest planned GeSI human rights projects are a positive indication of this awareness, which we hope will be well supported by participants and will produce outcomes of value. For our part, EFF will surely continue to hold these ICT companies to a high standard should they ever slip up.
Files: Presentation on Human Rights and Corporate Responsibility
If you missed our live teach-in yesterday on the Trans-Pacific Partnership (TPP) agreement and its restrictive, anti-user provisions, you can still check out the video of our discussion. It's embedded below. We invited experts from digital rights groups from several TPP countries—all members of the Fair Deal Coalition—and we discussed the various ways this massive, secret trade deal threatens our rights on the Internet and over our digital devices.
A recent leak of the TPP's Intellectual Property chapter confirmed that the provisions on anti-circumvention, copyright terms, ISP liability, and criminal enforcement have further deteriorated. But it also revealed new, dangerously vague text on the misuse of trade secrets which could be used to enact harsh criminal punishments against anyone who reveals or even accesses information through a "computer system" that is allegedly confidential. This language could have alarming consequences if nations are obligated to enact new laws that could be used to crack down on journalists and whistleblowers.
We held this teach-in because things are moving fast now. President Obama and the US Trade Representative are determined to conclude this agreement, organizing dozens of meetings with TPP delegates to resolve some of the longstanding disagreements in the text. On the US front, Congress is likely to introduce another Fast Track bill in January that would tie these representatives' own hands from debating or modifying the terms of this agreement after the White House has secretively negotiated it for years.
When the time comes, we’ll need to step up the fight against this agreement on a coordinated, global front. So watch this video, share it, and continue to spread the word about this secret, Hollywood-driven agenda to chip away at our digital rights.
Video: https://www.youtube-nocookie.com/embed/YifI1tn1aJI
Recent years have seen a boom in the adoption of surveillance technology by governments around the world, including spyware that gives its purchasers the unchecked ability to target remote Internet users' computers, to read their personal emails, listen in on private audio calls, record keystrokes and passwords, and remotely activate their computer’s camera or microphone. EFF, together with Amnesty International, Digitale Gesellschaft, and Privacy International, has had experience assisting journalists and activists who have faced the illegitimate use of such software in defiance of accepted international human rights law.
Software like this is designed to evade detection by its victims. That's why we've joined together to support Detekt, a new malware detection tool developed by security researcher Claudio Guarnieri. Detekt is an easy-to-use, open source tool that allows users to check their Windows PCs for signs of infection by surveillance malware that we know is being used by governments to spy on activists and journalists.
Some of the software used by states against innocent citizens is widely available on the Internet, while more sophisticated alternatives are made by private companies and sold to governments everywhere from the United States and Europe to Ethiopia and Vietnam.
Detekt makes it easy for at-risk users to check their PCs for possible infection by this spyware, which often goes undetected by existing commercial anti-virus products.
Because Detekt is a best-effort tool and spyware companies make frequent changes to their software to avoid detection, users should keep in mind that Detekt cannot conclusively guarantee that your computer is not compromised by the spyware it aims to detect. However, we hope that the availability of this tool will help us to detect some ongoing infections, provide advice to infected users, and contribute to the debate around curbing the use of government spyware in countries where it is linked to human rights abuses.
We hope that members of the open source and information security communities will contribute to this important project.
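To make the best-effort caveat above concrete, here is an added example (it is not Detekt's code and does not use its real rules) of the signature-scanning approach that tools of this kind rely on: hex byte patterns with `??` single-byte wildcards, in the style of YARA hex strings, compiled to regular expressions and run over a byte buffer standing in for a file or a memory dump. The rule names `demo_spyware_a` and `demo_spyware_b`, the patterns, and the three sample buffers are all constructed for illustration and match no real spyware. The second buffer differs from the first by a single byte, which is enough to defeat the rule; that is why a scan with no hits is not proof that a machine is clean.

```python
import re
from dataclasses import dataclass

# Hypothetical signatures constructed for this example only. They are not
# Detekt's rules and match no real spyware. Each token is one byte in hex;
# "??" is a single-byte wildcard, as in YARA hex strings.
SIGNATURES = {
    "demo_spyware_a": "DE AD BE EF ?? ?? 43 41 4D",   # DE AD BE EF ? ? "CAM"
    "demo_spyware_b": "4B 45 59 4C 4F 47 ?? 00",      # "KEYLOG" ? 0x00
}


@dataclass(frozen=True)
class Match:
    rule: str
    offset: int


def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Turn a wildcarded hex pattern into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # any single byte (DOTALL makes "." match 0x0A too)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: dict[str, str] = SIGNATURES) -> list[Match]:
    """Return every (rule, offset) hit of every signature found in the buffer."""
    hits: list[Match] = []
    for name, pattern in signatures.items():
        rx = compile_hex_pattern(pattern)
        for m in rx.finditer(data):
            hits.append(Match(name, m.start()))
    return hits


def verdict(data: bytes, signatures: dict[str, str] = SIGNATURES) -> str:
    """Human-readable result; note the deliberately hedged negative case."""
    hits = scan(data, signatures)
    if hits:
        return "POSSIBLE INFECTION: " + ", ".join(
            f"{h.rule} at offset {h.offset}" for h in hits
        )
    return "no known signature found (not proof that the system is clean)"


# Constructed sample buffers standing in for a scanned file or memory dump.
INFECTED = b"\x00" * 16 + bytes.fromhex("DEADBEEF0102") + b"CAM" + b"\x00" * 8
# The same bytes after a one-byte change by the spyware author (EF -> EE):
# the signature no longer matches, although the implant is functionally unchanged.
MUTATED = INFECTED.replace(b"\xef", b"\xee", 1)
CLEAN = b"\x00" * 32

if __name__ == "__main__":
    for label, buf in (("infected", INFECTED), ("mutated", MUTATED), ("clean", CLEAN)):
        print(f"{label:9s} {verdict(buf)}")
```

Real tools add rules for strings, code fragments and in-memory artifacts and update them constantly, but the structural limitation is the same: a rule only catches what its author had already seen, so an absence of hits should be reported, as `verdict` does, as "nothing known was found" rather than "clean".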
We are disappointed that the Senate has failed to advance the USA Freedom Act, a good start for bipartisan surveillance reform that should have passed the Senate.
The Senate still has the remainder of the current legislative session to pass the USA Freedom Act. We continue to urge the Senate to do so and only support amendments that will make it stronger. We strongly oppose any amendment that would water down the strong privacy, special advocate, and transparency provisions of the bill.
We also urge the Senate to remember that the USA Freedom Act is a first step in comprehensive surveillance reform. Future reform must include significant changes to Section 702 of the Foreign Intelligence Surveillance Amendments Act, to the operations of Executive Order 12333, and to the broken classification system that the executive branch counts on to hide unconstitutional surveillance from the public.
Think you know how your local cops are spying on you? The ACLU of California’s “Making Smart Decisions About Surveillance: A Guide for Communities” is a new resource that can help you figure out what surveillance technology is being deployed in your community—and what you can do about it. And as we’ve pointed out, while we hope everyone continues to let Congress know that it’s time for real changes to spying by federal agencies, the use of surveillance techniques and technology by local law enforcement is an area ripe for grassroots organizing.
Although the guide is specifically directed at California, it contains a wealth of information and ideas that are helpful for grassroots activists across the country who are concerned about the proliferation of drones, automated license plate readers, facial recognition, and more in their community. From Washington state to Washington D.C., the model ordinance and tips are useful for any concerned residents.
The guide focuses on the need for community engagement, noting: “[T]he time to engage with your community is at the very beginning of the process, before any funding is sought, technology is acquired or system is used.”
Fortunately, the ACLU provides a step-by-step process activists can follow to ensure this happens, explaining how to prepare a “surveillance impact report.” The process includes an assessment of all costs—including potential costs to civil liberties:
Surveillance can easily intrude upon the rights of residents and visitors if it is used, or creates the perception that it may be used, to monitor individuals and groups exercising their rights to freedom of expression, association, and religion — freedoms that public officials are sworn to protect. In addition, surveillance can erode trust in law enforcement, making it harder for officers and community members to work together to keep the community safe.
We were especially pleased to see the focus on understanding technology. The guide recommends that a surveillance impact report include “information describing the technology, how it works, and what it collects, including technology specification sheets from manufacturers.”
This is an issue that we repeatedly emphasized during the fight around Oakland’s Domain Awareness Center, a surveillance system that could enable ubiquitous privacy and civil liberties violations against Oakland residents. The DAC was pushed through Oakland’s City Council with little review until activists put serious pressure on the Council.
In two letters, EFF pointed out that the Council didn’t appear to have a clear understanding of how the system would work and certainly hadn’t provided that information to the community. After a long battle, the DAC was reduced in scale—but not until after the cash-strapped city of Oakland was forced to spend money removing components of the system due to the community backlash.
The DAC fight is among the valuable case studies ACLU includes in the guide. These case studies provide inspiration and experience for anyone who wants to use the resources included. We hope that activists will use this guide as a way to ensure that, when it comes to local use of surveillance equipment, everyone knows: the community is watching the watchers.
Once again, a federal court will decide whether police can track your movements over an extended period of time without a search warrant. Federal and state courts have divided over whether the Fourth Amendment requires police seek a search warrant to obtain historical cell site location information (CSLI)—the records of which cell phone towers your phone has connected to in the past. We’ve weighed in, filing a new amicus brief in one of the most important legal cases to watch in 2015.
In United States v. Davis, police obtained 67 days of cell site location information about Quartavious Davis without a search warrant and used it to place him at various robberies in Florida. When Davis’ case was on appeal before a three-judge panel of the Eleventh Circuit Court of Appeals, we joined a number of organizations and filed an amicus brief arguing that, because location information like CSLI reveals sensitive information about where a person has been, the Fourth Amendment requires a warrant. In June, the three-judge panel agreed with us, finding Davis had a Fourth Amendment expectation of privacy in the location information generated by his cell phone, and held that police needed a warrant to obtain this information from the cell phone company.
The government was naturally unhappy with this ruling, as it conflicted with a 2013 decision from the Fifth Circuit Court of Appeals, which held police didn’t need a warrant to access this data. Additionally, the Davis panel decision got other federal judges questioning the government’s practices, so the government convinced all of the judges of the Eleventh Circuit to rehear the case en banc. With the full court now looking at the issue again, we filed a new amicus brief explaining why it’s reasonable for Americans generally and Floridians specifically to expect this sensitive location information is private and worthy of warrant protection.
A Pew Research Center study published last week showed that 82% of Americans consider the details of their physical location over time to be sensitive information—more sensitive than their relationship history, religious or political views, or the content of their text messages. It’s no surprise then that the last few months have seen a number of state courts and legislatures take steps to safeguard this data with warrant protection. That includes the Florida Supreme Court, which held last month police needed a warrant to track a person in real time via their cell phone.
As our brief in Davis makes clear, the fact that Florida has specifically promised its residents that their cell phone location records are private, and the fact that more and more Americans live in places that also protect this sensitive information, show it’s reasonable for people to expect CSLI is private, and it's unreasonable for the government to argue otherwise.
Interestingly, immediately after the Davis panel issued its opinion, we wondered whether telephone providers would begin to demand law enforcement use a warrant to get location information. And while we don’t know if providers are demanding warrants, AT&T did file an amicus brief in this case suggesting that the “third party doctrine”—the idea that there’s no Fourth Amendment protection for information disclosed to third parties, like a cell phone provider—should not control the court’s analysis. We’ve been saying the same thing for years.
The fact that one of the largest cell phone companies in the U.S. decided to weigh in only bolsters our point about the need to protect this sensitive data with a warrant. Even the phone companies recognize that cell phones are an integral part of modern life, capable of revealing detailed sensitive information about where we go and with whom. If state courts, legislatures, and the phone companies can all see why this information is sensitive and worthy of legal protection, why can’t the government?
We expect oral argument before the Eleventh Circuit sometime in the spring of 2015.
Files: US v. Davis EFF En Banc Amicus Brief
San Francisco - The Ninth Circuit Court of Appeals ruled today that Proposition 35, a 2012 California ballot initiative that would have restricted the rights of registered sex offenders to communicate on the Internet, is likely unconstitutional. The opinion affirms an earlier district court ruling in Doe v. Harris, a lawsuit filed by the American Civil Liberties Union (ACLU) of Northern California and the Electronic Frontier Foundation (EFF) in 2012.
Proposition 35, also known as the Californians Against Sexual Exploitation Act (CASE Act), requires anyone who is a registered sex offender—even people whose decades-old, low-level offenses were unrelated to the Internet—to turn over a list of all their Internet user names and online service providers to law enforcement. Under the law, more than 73,000 Californians would have been forced to provide this information to the government, and to report any new account or screen name within 24 hours of setting it up, even if the new screen name is their own real name. Violations could have resulted in years in prison.
"The Ninth Circuit has agreed that the onerous online speech restrictions required by Prop. 35 violate the First Amendment," said Linda Lye, senior staff attorney at the ACLU of Northern California. "The portions of Prop. 35 that unconstitutionally limit what people say online won't help us end human trafficking. Anonymity is key to protecting speech by unpopular or controversial groups and allowing robust political debate."
The ACLU of Northern California and EFF filed a lawsuit the day after the law was passed in 2012, challenging these reporting requirements as a burden on the First Amendment right to free and anonymous speech. A lower court agreed with the groups in January 2013 and issued a preliminary injunction, halting enforcement of the law. Today, the Ninth Circuit upheld that lower court ruling.
"[T]he CASE Act directly and exclusively burdens speech, and a substantial amount of that speech is clearly protected under the First Amendment," Ninth Circuit Judge Jay Bybee wrote in the opinion.
The court noted that the law was overly broad, affecting speech unrelated to sexual offenses, such as "blogging about political topics and posting comments to online news articles." This creates the "inevitable effect of burdening sex offenders' ability to engage in anonymous online speech," Bybee wrote. The court also found that there was no evidence that throwing out this part of Proposition 35 would hamper the state's ability to investigate online sex offenses.
"We're pleased the court recognized important First Amendment principles of free and anonymous speech apply to everyone, regardless of what crimes they may have committed in the past," EFF Staff Attorney Hanni Fakhoury said. "While the law may be well-intentioned, its broad language opened the door for the government to chill free speech. Restrictions targeting sex offenders are often a stepping stone for the expansion of law enforcement power against other classes of unpopular people."
The court's ruling means the preliminary injunction prohibiting enforcement of the reporting requirements of the CASE Act remains in effect.
Update, Nov 18: The USA Freedom Act does not renew the entirety of the Patriot Act, which consisted of over 100 sections changing numerous electronic surveillance laws. The USA Freedom Act does extend three provisions of the Patriot Act: the "lone wolf" provision, the "roving wire tap" provision, and a reformed Section 215.
The USA Freedom Act, the leading contender for NSA reform, is set for a vote this week. The bill has some problems, but is a major step forward for surveillance reform. That's why we're asking you to call your Senator and urge them to support the USA Freedom Act. Here's a rundown of what's to come, what you need to know, and what may happen this week:

What is the USA Freedom Act and How Did We Get Here?
The USA Freedom Act is a bill that was first proposed last year by Senator Patrick Leahy and Representative Jim Sensenbrenner. The original version of the bill limited the NSA's call records collection program, introduced a special advocate into the secretive court overseeing the spying, mandated much needed transparency requirements, and included significant reform of Section 702 of the Foreign Intelligence Surveillance Amendments Act (FISAA), the law used to collect Americans’ communications in bulk.
It took several months, but the original version of the bill was finally taken up by the House of Representatives in May. Unfortunately, prior to a vote on the original bill in May, the House made significant, last-minute changes that watered down the bill’s privacy protections. Nevertheless, the House passed a new—weaker—“USA Freedom Act” against the protests of privacy advocates. In response, Senator Leahy vowed to move a stronger bill forward that provided meaningful surveillance reform.
What resulted is the current version of the USA Freedom Act, which was released in July of this year. The current version does many of the same things as the original bill except it doesn't offer significant reform of Section 702 of FISAA. The current version is the bill up for debate this week.

Where We're Going
The Senate will hold two major votes this week. On Tuesday night, it will vote whether or not to move forward to debate the USA Freedom Act. Senator Leahy needs 60 Senators to vote in favor of moving forward. After obtaining the 60 votes, the Senate will then begin to debate the bill and any amendments. After the debate, it will probably hold another vote on Wednesday or Thursday on the final bill text, but could also wait until the first week of December. Stay tuned.
There is a very real possibility that the Senate—just like the House—may try to weaken the bill. That's why when you call your Senator it's important to stress that Senators should support the USA Freedom Act and oppose any amendments that would weaken the bill.

What You Can Do
Help us get to 60 votes by calling your Senator now. This is the most important step since the Senate must obtain 60 votes before it will begin to debate the USA Freedom Act. During the debate, we urge Senators to offer amendments that strengthen the bill. These amendments would:
- Ensure the illegal "backdoor" search of Americans' communications ends;
- Grant additional power to the "special advocate" in the secret FISA court;
- Shorten the FISA Amendments Act sunset to 2015;
- Enhance the Privacy and Civil Liberties Oversight Board powers;
- Provide Americans a clear path to assert legal standing to sue the government for privacy abuses;
- Ban the NSA from undermining commonly used encryption standards; and,
- Fix the National Security Letter statute.
After the debate, a final vote on the final text will probably occur Wednesday or Thursday.

Time to Pass NSA Surveillance Reform
The first hurdle to overcome this week is the Tuesday vote. Once the Senate comes up with 60 votes, there may be a whirlwind of amendments altering the bill on Wednesday or Thursday. Stay tuned to our Twitter account and home page for any analysis or statements on the amendments. A final vote on the bill will most likely occur Wednesday night or Thursday. And as we said last week when Senate Majority Leader Reid moved the USA Freedom Act forward: We urge the Senate to pass the bill without any amendments that will weaken it.
San Francisco - The Electronic Frontier Foundation (EFF) is helping to launch a new non-profit organization that aims to dramatically increase secure Internet browsing. Let's Encrypt is scheduled to offer free server certificates beginning in summer 2015.
"This project should boost everyday data protection for almost everyone who uses the Internet," said EFF Technology Projects Director Peter Eckersley. "Right now when you use the Web, many of your communications—your user names, passwords, and browsing histories—are vulnerable to hackers and others. By making it easy, fast, and free for websites to install encryption for their users, we will all be safer online."
Currently, most Internet traffic is unencrypted, meaning most interactions you have with websites leave your accounts vulnerable to eavesdropping by everyone from a minimally competent hacker to the U.S. government. The HTTPS protocol—in contrast to HTTP—encrypts your connection and verifies the authenticity of sites, protecting your data and personal information. EFF has been campaigning successfully for a number of years to spread HTTPS from payment pages and banking sites to email, social networking, and other types of sites. But there are still hundreds of millions of domains that lack this protection.
The new Let's Encrypt project aims to solve that. Let's Encrypt is a new free certificate authority, which will begin issuing server certificates in 2015. Server certificates are the anchor for any website that wants to offer HTTPS and encrypted traffic, proving that the server you are talking to is the server you intended to talk to. But these certificates have historically been expensive, as well as tricky to install and bothersome to update. The Let's Encrypt authority will offer server certificates at zero cost, supported by sophisticated new security protocols. The certificates will have automatic enrollment and renewal, and there will be publicly available records of all certificate issuance and revocation.
Let's Encrypt will be overseen by the Internet Security Research Group (ISRG), a California public benefit corporation. ISRG will work with Mozilla, Cisco Systems Inc., Akamai, EFF, and others to build the much-needed infrastructure for the project and the 2015 launch.
"The Let's Encrypt certificate authority will dramatically increase the ability of websites around the world to implement HTTPS, increasing the security of hundreds of millions of Internet users every day," said Eckersley.
Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.
Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default.

With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.
The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires. We’re all familiar with the warnings and error messages produced by misconfigured certificates. These warnings are a hint that HTTPS (and other uses of TLS/SSL) is dependent on a horrifyingly complex and often structurally dysfunctional bureaucracy for authentication.
Let's Encrypt will eliminate most kinds of erroneous certificate warnings
The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In our tests, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds. You can help test and hack on the developer preview of our Let's Encrypt agent software or watch a video of it in action here:
Let’s Encrypt will employ a number of new technologies to manage secure automated verification of domains and issuance of certificates. We will use a protocol we’re developing called ACME between web servers and the CA, which includes support for new and stronger forms of domain validation. We will also employ Internet-wide datasets of certificates, such as EFF’s own Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google's Certificate Transparency logs, to make higher-security decisions about when a certificate is safe to issue.
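The two passages above (the press release's description of automatic enrollment and this one on ACME domain validation) describe an exchange between a web server and the CA. The following is an added example written for this page, not Let's Encrypt's own agent or CA code: it simulates one HTTP-based challenge end to end, using the key-authorization construction of the later ACME standard (RFC 8555: the CA's token, a dot, and the RFC 7638 thumbprint of the requesting account's public key). All keys, tokens and hostnames are constructed, and the RSA "n" values are placeholders rather than real moduli.

```python
"""Simulated ACME-style HTTP challenge (added example, not Let's Encrypt code).
The CA hands the requester a random token; the requester's agent publishes
token.thumbprint(account key) at /.well-known/acme-challenge/<token>; the CA
fetches it over plain HTTP and compares. Keys, tokens and domains are constructed."""
import base64
import hashlib
import hmac
import json
import re
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the *required* members only, lexicographically
    ordered, no whitespace. Extra members such as "kid" do not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the challenged server must publish. The thumbprint binds the
    response to the account key that asked for the certificate."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")   # base64url, >= 128 bits


class CertificateAuthority:
    """CA side: one fresh token per authorization, single use."""

    def __init__(self):
        self.pending = {}   # (domain, token) -> account JWK

    def new_challenge(self, domain: str, account_jwk: dict) -> str:
        token = b64url(secrets.token_bytes(32))
        self.pending[(domain, token)] = account_jwk
        return token

    def validate(self, domain: str, token: str, fetch) -> bool:
        """fetch(domain, path) stands in for the CA's outbound HTTP GET."""
        account_jwk = self.pending.get((domain, token))
        if account_jwk is None or not TOKEN_RE.match(token):
            return False
        body = fetch(domain, f"/.well-known/acme-challenge/{token}")
        if body is None:
            return False
        expected = key_authorization(token, account_jwk)
        # Constant-time compare: the body is input the server (or an attacker) chose.
        ok = hmac.compare_digest(body.strip().encode(), expected.encode())
        if ok:
            del self.pending[(domain, token)]    # no replay of a used token
        return ok


class WebServer:
    """Server side (the ACME agent): publishes the key authorization."""

    def __init__(self, domain: str, account_jwk: dict):
        self.domain, self.account_jwk, self.routes = domain, account_jwk, {}

    def respond_to_challenge(self, token: str) -> None:
        path = f"/.well-known/acme-challenge/{token}"
        self.routes[path] = key_authorization(token, self.account_jwk)

    def get(self, domain: str, path: str):
        return self.routes.get(path) if domain == self.domain else None


# Constructed account keys; "n" is filler bytes, not a real RSA modulus.
OWNER_KEY = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256), "kid": "owner"}
ATTACKER_KEY = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x02" * 256)}


def run_issuance(domain: str, requester_jwk: dict, server: WebServer) -> bool:
    """Full exchange: challenge -> publish -> validate. True only when the
    account requesting the certificate is the one the server answers for."""
    ca = CertificateAuthority()
    token = ca.new_challenge(domain, requester_jwk)
    server.respond_to_challenge(token)          # the agent's one automated step
    return ca.validate(domain, token, server.get)


if __name__ == "__main__":
    site = WebServer("example.com", OWNER_KEY)
    print("owner account validates:   ", run_issuance("example.com", OWNER_KEY, site))
    print("attacker account validates:", run_issuance("example.com", ATTACKER_KEY, site))
```

The second call fails because the body the site publishes is tied to the site operator's account key, so a different account that merely learns the token cannot pass validation; the CA also refuses a reused token. A real deployment would additionally cross-check the result against the certificate datasets named above before issuing.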
The Let’s Encrypt CA will be operated by a new non-profit organization called the Internet Security Research Group (ISRG). EFF helped to put together this initiative with Mozilla and the University of Michigan, and it has been joined for launch by partners including Cisco, Akamai, and Identrust.
The core team working on the Let's Encrypt CA and agent software includes James Kasten, Seth Schoen, and Peter Eckersley at EFF; Josh Aas, Richard Barnes, Kevin Dick and Eric Rescorla at Mozilla; and Alex Halderman and James Kasten at the University of Michigan.
San Francisco - The Electronic Frontier Foundation (EFF) is joining a broad coalition of local and national public interest groups for a rally and forum in support of strong net neutrality rules at San Francisco City Hall on Thursday, November 20, at 5:30 pm.
"Bay Area Speaks: A People's Hearing on the Future of the Internet" comes at a key moment in the debate over net neutrality. The Federal Communications Commission (FCC) has a proposal that does not provide full protections for the Internet and could vote to enact the plan as early as December. Meanwhile, President Obama has issued a statement urging the FCC to change course and reclassify the Internet as a telecommunications service. This reclassification would be the best way to achieve strong rules against blocking, throttling, and paid prioritization online, and echoes the demands of millions of Americans who have submitted their own comments to the FCC over the last few months.
Former FCC Commissioner Michael Copps will be one of the speakers at Thursday's rally, along with EFF Intellectual Property Director Corynne McSherry and many others. The event is free and open to the public, and there will be time for community comment. The public testimony will be submitted to the FCC.
"Bay Area Speaks: A People's Hearing on the Future of the Internet"
Thursday, November 20
Rally – 5:30 pm
Forum – 7 pm
San Francisco City Hall
1 Dr Carlton B Goodlett Place
San Francisco, CA 94102
On September 9, 2009, a patent troll called Ultramercial sued a bunch of Internet companies alleging infringement of U.S. Patent 7,346,545. This patent claims a method for allowing Internet users to view copyrighted material free of charge in exchange for watching certain advertisements. Yes, you read that correctly. Ultramercial believed that it owned the idea of showing an ad before content on the Internet.
In the years that followed, the litigation became a central battleground over the legitimacy of abstract software patents. The Federal Circuit, in opinions written by former Chief Judge Randall Rader, twice found the patent valid. The Supreme Court vacated both of these rulings and sent the case back for reconsideration (the second time after its landmark patent-eligibility decision in Alice v. CLS Bank). As the case bounced back and forth, EFF filed four amicus briefs (1, 2, 3, and 4) urging the courts to find the patent invalid.
Today, on its third try, the Federal Circuit finally held the patent invalid. This is a big victory for common sense and innovation. Tying an elementary business practice (like showing an ad before a video) to the Internet doesn’t deserve patent protection. We congratulate the successful defendant, WildTangent, for its victory. Its win means that Ultramercial can no longer assert this patent against anyone.
The ruling is also significant because the Federal Circuit upheld the district court’s decision to dispose of the case on a motion to dismiss (although the appeal dragged on for years, the trial court did a good job and threw out the case quickly). This gives defendants a tool to dispose of cases early and makes it harder for patent trolls to use the cost of defense to extort settlements.
This case joins other recent decisions applying Alice v. CLS Bank to invalidate abstract software patents. The patents thrown out so far are a rogue’s gallery of absurdly broad software patents (like bingo on a computer or upselling on a computer). Contrary to the hyperbolic warnings from some fans of software patents, the death of abstract patents has not led to the death of innovation. While Alice v. CLS Bank does not solve all problems with the patent system, it at least rids the system of many of the silliest software patents. Other than patent trolls, no one needs these patents to do business.

Files: ultramercial-remand-opinion_10-1544.opinion.pdf
Julia Angwin reported late Thursday that AT&T is dropping their tracking supercookie program. This comes in the wake of massive customer pressure over the discovery that AT&T and Verizon were quietly inserting unique tracking identifiers in their customers' web browsing and app data, by means of an HTTP header. The tracking identifiers quickly became known as "supercookies" because they enable tracking, like cookies, but cannot be removed.
AT&T told Angwin that the header program "has been phased off our network." Security researcher Kenn White, who operates a site to check whether a carrier inserts the header, partially confirmed the report. White said "it's not zero, but as a relative proportion, down over 90% and falling." At least one person found that AT&T is still sending the header, so it's important that AT&T do a full review of their network to ensure the phase-out is truly complete. Angwin also reports that Verizon is continuing its tracking program. EFF's own tests so far confirm the tracking header is now absent from accounts that were previously subject to header injection.
Decline in observed AT&T headers. Chart by Kenn White.
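The check described above works because header injection happens in transit: a client records the request head it sent over plain HTTP, an echo endpoint on the origin returns the head it actually received, and anything present only at the origin was inserted along the way. The following is an added example of that comparison, written for this page; it is not Kenn White's checker or EFF's own test code. The request samples are constructed. The header names are an assumption of the example: X-UIDH was the Verizon header name reported in 2014, and X-ACR the name reported for AT&T's; the detection does not depend on knowing them.

```python
"""Detecting carrier-injected tracking headers by diffing what the client sent
against what the origin received. Added example; samples are constructed and
the header names in KNOWN_TRACKING_HEADERS are an assumption."""
import re

KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr"}
# Headers an honest intermediary may add; their presence alone is not tracking.
BENIGN_PROXY_HEADERS = {"via", "x-forwarded-for", "x-forwarded-proto", "forwarded"}
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{16,}")   # base64/hex-looking value


def parse_head(raw: str) -> dict:
    """Parse an HTTP/1.1 request head into {lowercase name: value}.
    Repeated names are joined with ', ' as RFC 7230 allows."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:     # skip the request line
        if not line.strip():
            break                                  # blank line ends the head
        name, sep, value = line.partition(":")
        if not sep:
            continue                               # ignore malformed lines
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def injected_headers(sent: dict, received: dict) -> dict:
    """Headers the origin saw that the client never sent, minus the ones a
    well-behaved proxy is allowed to add."""
    return {n: v for n, v in received.items()
            if n not in sent and n not in BENIGN_PROXY_HEADERS}


def findings(sent_raw: str, received_raw: str) -> list:
    """One finding per injected header: known name, opaque token, or other."""
    out = []
    injected = injected_headers(parse_head(sent_raw), parse_head(received_raw))
    for name, value in injected.items():
        if name in KNOWN_TRACKING_HEADERS:
            out.append(f"known tracking header: {name}")
        elif OPAQUE_TOKEN.fullmatch(value):
            out.append(f"unknown injected header with opaque token: {name}")
        else:
            out.append(f"injected header: {name}")
    return out


def is_persistent(values) -> bool:
    """A supercookie is a *stable* identifier: the same value on every request
    from one subscriber, which is what lets it track across sites and apps."""
    vals = list(values)
    return len(vals) > 1 and len(set(vals)) == 1


# --- constructed samples ----------------------------------------------------
CLIENT_SENT = """GET /echo HTTP/1.1
Host: example.com
User-Agent: checker/1.0
Accept: */*

"""

# The same request as it arrived at the origin after crossing a carrier proxy.
ORIGIN_SAW_HTTP = """GET /echo HTTP/1.1
Host: example.com
User-Agent: checker/1.0
Accept: */*
Via: 1.1 carrier-proxy
X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw

"""

# Over HTTPS the carrier cannot read or modify the request head, so the
# origin sees exactly the head the client sent.
ORIGIN_SAW_HTTPS = CLIENT_SENT


if __name__ == "__main__":
    print("HTTP :", findings(CLIENT_SENT, ORIGIN_SAW_HTTP))
    print("HTTPS:", findings(CLIENT_SENT, ORIGIN_SAW_HTTPS))
    seen = [parse_head(ORIGIN_SAW_HTTP)["x-uidh"] for _ in range(3)]
    print("stable across requests:", is_persistent(seen))
```

Run from a device on the carrier's network with an echo endpoint you control; the diff, not the header name, is the evidence, and repeating the request a few times and checking `is_persistent` separates a per-subscriber identifier from a per-request proxy artifact. The HTTPS sample shows why encrypted connections are the durable fix: there is nothing for the carrier to inject into.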
This move by AT&T leaves Verizon out in the cold as the only remaining US provider to insert these tracking headers, and shows that concerned customers can produce meaningful change in their carriers' policies. It is also a victory for carrier non-interference with customer data. We call on Verizon to follow AT&T's lead and terminate their tracking header injection program or convert it to a true opt-in, immediately.
There have also been reports of international mobile providers doing similar tracking header injection. We call on all network providers globally to respect their customers' data and not inject tracking headers.
Who pays for government surveillance? Taxpayers. And we should all heed the age-old message: buyer beware. Fusion centers are an excellent example of why. The point of fusion centers is to enable intelligence sharing between local, state, tribal, territorial, and federal agencies. But because they involve actors from various jurisdictions and agencies, the price is a lack of clarity around lines of responsibility and accountability. Fusion centers have been criticized by Congress for wasting taxpayer dollars on “’intelligence’ of uneven quality – oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protections.” But because of the way they are organized, it’s unclear who is responsible for these problems. That’s why fusion centers deserve additional public scrutiny and reform.
The Government Accountability Office (GAO) has come out with a new report that exposes the lack of accountability for use of federal funds at fusion centers. But it doesn’t address the most serious issue with fusion centers: that they’re yet another weapon in the government’s bloated surveillance arsenal—and there’s virtually no oversight for what they’re doing and how they may be violating peoples’ rights. To make matters worse, although spying by the federal government is a serious problem, the sheer numbers of local law enforcement are staggering, and enlisting them in the surveillance state exponentially multiplies the potential for privacy and civil liberties violations.
The most obvious conclusion from the report is that fusion centers are a waste of taxpayer dollars. And a lot of dollars are being spent. Although the Federal Emergency Management Agency (FEMA, which administers the federal grants that partially fund fusion centers) has no system in place to accurately account for how much is spent, the report notes: “According to federal cost inventory reports, federal agencies provided fusion centers with non-personnel support totaling about $32.8 million in fiscal year 2011 and about $18 million in fiscal years 2012 and 2013.” Federal agencies also have deployed 288 staff to these centers.
The government’s accounting of how much is spent is flawed. But there’s even less accounting for whether those expenditures are useful.
That’s because the Department of Homeland Security (DHS) has been simply assessing the capabilities of fusion centers, “such as implementing specified policies and procedures,” rather than their impact or efficacy. As the report notes, “developing an analytical production plan may not equate to effectively meeting the plan’s targets or producing the types of reports identified therein.”
The GAO report notes that DHS is developing “performance” measures. But many of these measures look at numbers that aren’t necessarily meaningful, for example:
- Number of threat tips and leads processed by fusion centers
- Number of suspicious activity reports submitted by fusion centers
- Number of suspicious activity reports vetted and submitted by fusion centers that result in the initiation or enhancement of an investigation by the FBI
- Percentage of requests for information from the Terrorist Screening Center (TSC) for which fusion centers provided information for a TSC case file
As we’ve written before, suspicious activity reports (SARs) are based on standards ripe for abuse of discretion: the specific set of behaviors listed in the national SAR standards include innocuous activities such as “demonstrating unusual interest in facilities, buildings, or infrastructure.” And they have been abused. Public records act requests have shown that people of color make up a disproportionate number of SARs filed.
Yet fusion centers’ performance measures are mainly a numbers game. With little examination of outcomes, this simply encourages submission of more (flawed) SARs, rather than improved efficiency or accuracy, especially as fusion centers compete for federal dollars. And where the measures go beyond numbers, they still don’t look at the outcomes most people would care about, such as “Number of lives saved by intelligence information from a fusion center.”
What’s more, the report confirmed the extent to which fusion centers host staff from federal agencies: “As of June 2014, the FBI had deployed 94 intelligence analysts, special agents, and others to 58 fusion centers, and had installed its secure data system (FBINet) at 51 centers.” This is unsurprising. What may be more surprising is that the centers also host approximately 30 Immigration and Customs Enforcement staff, and approximately 20 Customs and Border Protection officers. This makes it clear: fusion centers truly are a local arm of the surveillance state.
The report also noted that fusion centers have their own lobbying association, the National Fusion Center Association. The NFCA issued a 2014-2017 National Strategy [pdf] for the National Network of Fusion Centers, which the GAO report references.
That’s not where the lobbying ends, though. The report notes that the DHS has highlighted the need for “expanded involvement in local government bodies to promote improved collaboration.” What does that mean? Northern California provides an example. The director of the Northern California fusion center has attended city council meetings to encourage implementation of automated license plate readers (a technology we’ve been concerned about for years now), and to oppose implementation of civil liberties protections in Berkeley.
There’s no leap needed to show why accountability at fusion centers is necessary. Fusion centers facilitate political repression and racial profiling, all while making the separation between local law enforcement and the federal law enforcement agencies engaging in unconstitutional surveillance negligible. And they do it without even providing a tangible benefit.
It’s possible that the Privacy and Civil Liberties Oversight Board will take a close look at fusion centers, per EFF’s comments on the Board’s agenda. But if it doesn’t, it might be time to start thinking about state and local fights. Federal funding for fusion centers is decreasing. But you can still tell your elected representative in Congress that you are concerned. And what’s even easier, you can take action at the local level, by making public records act requests, engaging in grassroots organizing to get regulations on fusion centers passed or funding decreased, and educating your community members about this issue.
It’s worth noting that PCLOB was supposed to be involved in the development of the DHS’ Fusion Center Initiative. But at the time fusion centers were being expanded, PCLOB had been effectively destroyed by Congress.
A court filing unsealed late Wednesday shows that the U.S. Department of Justice (DOJ) made a highly misleading argument to an appeals court in October during a hearing on the constitutionality of National Security Letters (NSLs).
On October 8, the Electronic Frontier Foundation argued before the United States Court of Appeals for the Ninth Circuit that provisions in the USA PATRIOT Act that prohibit service providers from discussing NSLs they may have received violate the First Amendment. During the hearing, the judges’ questioning addressed concerns that the government is using its NSL authority to stifle recipients’ constitutionally protected right to comment on the government’s actions. But DOJ Attorney Douglas Letter countered that these companies are free to discuss the “quality” of the NSL letters they received from the FBI—a claim that contradicted the government’s prior position and turned out not to be true.
Following the hearing, EFF’s clients requested that the DOJ reconcile the statement Letter made to the court with the department’s longstanding contention that companies could not discuss having received NSLs at all. In response, the DOJ filed a letter with the court admitting that Letter’s statements were incorrect, reaffirming its position that the broad gag includes any statement about the NSLs they have received. The DOJ also apologized to the court.
EFF Legal Director Cindy Cohn issued the following statement in response to the retraction:
EFF’s clients have consistently challenged the indiscriminate use of gag orders in combination with National Security Letters. In particular, they have challenged the government’s contention that NSL recipients can’t even use their experiences receiving overbroad NSLs to push for reform in Congress or in the broader public debate. This is especially the case now that the USA FREEDOM Act, which has some limited NSL reform, is going to be discussed in the Senate.
At the oral argument, the judges were very concerned that the government is using its NSL authority to stifle recipients’ constitutionally protected right to comment on the government’s actions. We were surprised to hear, in response to those concerns, the government retreat from its position that the NSL gags prevent recipients from talking about the "very fact of having received" an NSL.
When we wrote to the government asking if this new position meant that our clients could indeed talk about the quality of the NSLs they have received, the government retracted its statements to the court and apologized. But it's troubling that we had to raise the issue before the government addressed it and that it seems the government was willing to let the court believe that the gag was narrower than it actually is in order to win the case.
EFF represents two companies challenging NSLs—a telecom company and an Internet company. The names of these companies remain under seal, as the government continues to insist that even identifying them might endanger national security. In March 2013 a federal district court judge in San Francisco agreed with EFF and ruled the NSL provisions unconstitutional, barring future NSLs and accompanying gag orders. That ruling was stayed pending appeal, however, and the district court has subsequently enforced separate NSLs—including NSLs issued to both EFF clients—and indicates that it will continue to do so until the Ninth Circuit rules on EFF’s challenges.
Here's what Doug Letter originally told the court (mp3 available here):
There is a category that the deputy attorney general provided that recipients can make disclosures and there is a category of 0-249 so recipients can disclose that. They’re allowed to disclose within these bands. And they can fully participate in the public debate, they can say as we have disclosed we’re in that band 0-249 and it can say the very things that [EFF Senior Staff Attorney Kurt Opsahl] said they can’t. They can say and we think the government is asking for too much in many of the NSLs we received and we want to talk to our fellow recipients and see if they too have felt that there’s too much and we think Congress ought to do something about that. They can do all of that. There’s nothing that says that they can’t comment, they’re allowed to make specific comments about quantity, there’s absolutely no ban on them commenting on the quality of those they’ve received.
Here's an excerpt from the subsequent retraction:
In the course of discussing disclosures described in this letter, approximately 49 minutes into the Court's recording of the argument, government counsel indicated that if a company discloses that it is in one of these two bands starting with zero, it could publicly discuss the fact that it had received one or more NSLs and could discuss the quality of the specific NSL(s) that it had received. That suggestion was mistaken. The district court correctly noted that “the NSL nondisclosure provisions . . . apply, without distinction, to both the content of the NSLs and to the very fact of having received one."
We're pleased to see Sen. Harry Reid move toward a final vote on the Senate version of the USA FREEDOM Act, S. 2685. EFF has consistently urged the Senate to move forward on the bipartisan bill since it was first introduced in July.
The USA FREEDOM Act is a good first step towards successful surveillance reform. It will limit the NSA's program collecting Americans' calling records, introduce a special advocate into the secretive court overseeing the spying, and introduce much needed transparency requirements. While this bill is not a comprehensive solution to overbroad and unconstitutional surveillance, EFF urges the Senate to pass the bill without any amendments that will weaken it.
After its successful passage, Congress must turn to Section 702 of the Foreign Intelligence Surveillance Amendments Act, which is being used to collect Americans' communications (and a key aspect in our Jewel v. NSA litigation). It must also begin public investigations of Executive Order 12333, the authority used to regulate the president's spying occurring outside of the Foreign Intelligence Surveillance Act.
The San Francisco Bay Area has been most vocal in the fight for net neutrality, and there's a reason: Internet openness is crucial to the trailblazing new artists, technologies, and businesses that thrive in this state. And San Francisco’s own Mayor Ed Lee has been an outspoken supporter of net neutrality; he even drafted a resolution this summer calling on the FCC to protect the open Internet.
Thursday, November 20, concerned Bay Area Internet users are gathering at San Francisco City Hall to hold an open forum on net neutrality. The event is called “Bay Area Speaks: A People’s Hearing on the Future of the Internet” and the public is invited to testify at City Hall about why net neutrality matters to Bay Area communities. Attendees will also receive an update from the lawyers, policy analysts, and activists who have been working on the front lines to make sure the FCC takes the right path forward.
Before the hearing, supporters are planning to rally outside City Hall at 5:30pm and are encouraged to bring cell phones, laptops, and flashlights for a cell phone vigil and to hold signs and colorful art to demonstrate support for Internet freedom. Download this image to display on your screen at the rally.

Here are the details:
What: “Bay Area Speaks: A People's Hearing on the Future of the Internet.”
Who: Former FCC Commissioner Michael Copps; Amy Sonnie, Outreach Director of the Oakland Public Library; Jay Nath, Chief Technology and Innovation Officer for the City of San Francisco; Corynne McSherry, Director of Intellectual Property at the Electronic Frontier Foundation; and Malkia Cyril, Executive Director of the Center for Media Justice, among others.
Date: Thursday, November 20
Time: Rally – 5:30 pm, Hearing – 7 pm
Where: San Francisco City Hall
1 Dr Carlton B Goodlett Place
President Obama shifted the conversation on Monday, echoing the concerns of the four million Americans who have spoken out by demanding that the Federal Communications Commission craft a set of rules that will firmly uphold the principles of net neutrality.
The White House’s support of effective net neutrality rules was a game changer. President Obama endorsed a route to net neutrality via a mechanism known as Title II reclassification, the same reform agenda that millions of Internet users worldwide have been rallying for since January—including EFF. It’s a major win, but the FCC hasn’t yet signaled that they are following the President’s lead.
To be clear, the FCC hasn’t passed any rules yet. And that’s exactly why Bay Area city officials, librarians, artists, entrepreneurs, technologists, and everyday Internet users have joined forces to keep the conversation alive.
Back in August, EFF and dozens of other advocacy organizations invited the FCC Commissioners to get out of DC and visit the Bay Area to hear directly from some of the millions of Americans who have submitted comments in their rulemaking process. We felt the Commission would benefit from hearing the stories and concerns of local people who care about the future of the Internet.
Although the Commissioners are not going to attend, this issue is too big to only be debated in Washington, D.C. So EFF teamed up with organizations like the Center for Media Justice, Free Press, and Media Alliance to hold a People’s Hearing at City Hall in San Francisco to collect testimony for the public record about why an open Internet is essential for the future of the Bay Area’s diverse communities.
We need to make sure California voices are heard in the national discussions. If you’re in the Bay Area, we invite you to join us on November 20 at San Francisco City Hall. The fight isn’t over yet; come join us at the front lines.

RSVP TO ATTEND