Update June 22, 2016: The Senate failed to pass an amendment to expand the FBI's National Security Letter powers and to make the "lone wolf" provision of the Patriot Act permanent; however, the amendment will probably be voted on again soon. Senate Majority Leader Mitch McConnell switched his vote to "No" at the last minute so that he may be able to bring up the amendment during future debate. The amendment was included as part of the Commerce, Justice, Science and Related Agencies Appropriations Act, which will have a final vote on the Senate floor later this week. Tell your Senators to Vote NO on the amendment.
The controversial National Security Letter (NSL) statute could be significantly expanded under two separate bills currently being debated by the Senate. Every year, the FBI issues thousands of NSLs to telephone and Internet companies, demanding records about their customers and gagging the companies from informing the public about these requests. NSLs are inherently dangerous to civil liberties because their use is rarely subject to judicial review. But NSLs are not magic, and they don’t require recipients to do whatever the FBI says. Above all, the type of information available to the FBI with an NSL is quite limited, reflecting the need to tightly control the extrajudicial nature of this controversial power.
The Senate’s proposed changes would allow the FBI to get a much larger range of Internet records, such as email to/from headers, Internet browsing history, and more, all of which it could not previously get with an NSL. Particularly given the FBI’s well-documented history of abusing NSLs, EFF opposes expanding the scope of this unconstitutional surveillance power to include even more revealing records. Yesterday we joined with a broad coalition of organizations and companies to urge the Senate not to pass these proposals.
Does Congress Need an NSL Autocorrect?
Amending a surveillance law to let the FBI issue warrantless demands for new types of Internet users’ records—without even needing to go before a judge—is a significant expansion of that law. But to hear FBI Director James Comey explain it, the bills amount to a mere “typo fix.” That’s because the FBI thinks it was already entitled to get these records using NSLs, and Congress simply messed up when it drafted the law. The problem with this theory? The Justice Department’s Office of Legal Counsel, which issues definitive interpretations of the law for the rest of the executive branch, looked at the issue in 2008 and concluded the FBI was flat wrong [.pdf].
As currently written, the NSL statute describes the types of companies who can be issued NSLs—“wire or electronic communication service providers”—and the limited types of records that the FBI can request from those companies about their customers—“name, address, length of service, and local and long distance toll billing records.” We don’t think about toll billing records much in these days of vanishing landlines and unlimited talk and text, but they are simply records kept by telephone companies of their customers’ calls for billing purposes. The law also says that companies must “comply with a request for” something called “electronic communication transactional records” (ECTRs). Unhelpfully, the law doesn’t say what ECTRs are, though the legislative history suggests it was not intended as an expansion of NSLs. (In case you were wondering, it’s common to pronounce ECTR to rhyme with “nectar.”)
A History of Abuse, in Secret
Because nearly all NSLs are accompanied by self-certified gag orders signed by the FBI, it’s supremely hard for the public to get clear information about them. The ECTR question is no different. Despite the hundreds of thousands of NSLs issued since 2001, the public has seen only a handful.
One exception is the NSL issued in 2004 to Nicholas Merrill, who ran a small ISP called Calyx. There, the FBI interpreted the law to allow it to request a lot more than the basic info about Calyx’s subscriber; it asked for assigned IP addresses and an essentially unbounded amount of “other information else you consider to be an” ECTR. Merrill fought this NSL for over a decade, before it was finally unsealed in full last year. The judge in that case noted [.pdf] that one key piece of evidence in this unsealing was a Justice Department manual claiming that the FBI could get even more information, including URL browsing history, email headers and even cell phone location data.
It should go without saying that the information that the FBI thought it could request is extremely revealing—it’s not “just metadata.” For example, URLs may reveal the content of a website that users have visited, their location, and so on.
What is also clear is that the FBI viewed the statute’s list of information available using NSLs as more of a loose guideline than an exhaustive list. This was a boom time for the FBI’s use of NSLs—the Bureau sent out 56,507 in 2004 alone, and we know that many of these NSLs were issued improperly. It’s no stretch to guess that these tens of thousands of NSLs included requests for revealing ECTRs under the FBI’s expansive and erroneous definition, as well as other information not named in the law, all without any prior judicial oversight.
A Huge Expansion, Not a Typo
In 2008, however, the Office of Legal Counsel finally weighed in and seemingly put a stop to this particular form of NSL abuse. According to the OLC’s memo [.pdf], the limited list of information in the statute is truly exhaustive, and the stray reference to ECTRs simply allowed the FBI to issue NSLs to entities other than telephone companies and request only “information parallel to subscriber information and toll billing records for ordinary telephone service.”
But the FBI wasn’t happy with this decision. According to testimony by a Justice Department official from 2011, other sections of DOJ concluded the FBI could request IP addresses and “other non-content information” considered ECTRs. We also know that the FBI continued to demand ECTR information from Internet companies, like an unnamed client of EFF’s [.pdf] and Yahoo, which last week published an NSL it received in 2013. Some Internet companies refused, but ubiquitous NSL gags prevented them from talking about their responses to specific NSLs.
Since the FBI was caught misusing NSLs to collect revealing ECTR information, it has been pushing to rewrite the statute and expand its authority under the guise of fixing a so-called typo. The Senate is considering two proposals that would give the FBI what it wants. The first [.pdf] was proposed by Senator Cornyn as an amendment to the Email Privacy Act, and along with several other controversial amendments, it threatens to hold up the Senate’s consideration of a bill that passed unanimously out of the House. If that weren’t bad enough, the second ECTR change was included as part of a secret Intelligence Committee Authorization bill already passed out of committee. The public wouldn’t even know about this proposal if not for a press release by the tireless Senator Ron Wyden.
Meanwhile, EFF is fighting on in its lawsuit on behalf of two unnamed NSL recipients, arguing that the NSL gag orders are unconstitutional. After a disappointing ruling in the district court, we’re headed back to the Ninth Circuit Court of Appeals later this summer. Even when they're used as the law specifies, NSLs allow the FBI to operate in secret, obtaining information and gagging recipients without any court oversight in the overwhelming majority of cases.
In light of the FBI’s ability to use NSLs out of the public view and without a judge to evaluate its interpretation of the law, the information that the agency can obtain with an NSL must be very tightly controlled. Far from a simple “fix,” the Senate proposals to include a wide variety of electronic records under the NSLs represent a very worrying expansion of the FBI's surveillance authority.
National Security Letters are a dangerous and unconstitutional power as is. This expansion must be rejected.
What happens when you try to push a dangerous policy through without the Internet noticing? The Internet fights back.
A few days ago, we warned of an impending rule change that would dramatically increase law enforcement’s authority to hack into computers. We encouraged people, organizations, and companies to add a special banner to their websites for one day, calling on Congress to stop the updates to Rule 41 of the Federal Rules of Criminal Procedure.
Today, the Internet has come out in full force. Dozens of websites are running the “Reject the Rule 41 Proposal” banner. Over 50 organizations and companies have joined EFF in signing a letter to Congress (PDF), including Tor, the Open Technology Institute, R Street Institute, DuckDuckGo, Google, PayPal, and many others. Most importantly, thousands of you have already spoken out to Congress, urging lawmakers to take action before it’s too late.
If Congress does nothing, then the rule change will automatically go into effect on December 1, dramatically expanding law enforcement’s authority to hack computers both inside and outside the United States.
A bipartisan group of senators has introduced the Stopping Mass Hacking Act (S. 2952), which will keep the rule change from taking effect. Sen. Ron Wyden, the bill’s sponsor, posted a video message on Twitter explaining why it’s essential that Congress pass the Stopping Mass Hacking Act.
If the updates to Rule 41 take effect, this massive expansion of power will affect Internet users all over the world. If you haven’t already, we encourage you to write to Congress today or sign our petition if you live outside of the United States.
Dozens of fellow users’ rights organizations are also speaking out today against the Rule 41 changes. Here are just a few of them.
- Access Now: What is this “Rule 41” and why am I hearing so much about it?
- ACLU: Take Action to Stop FBI Mass Hacking
- Demand Progress: The DOJ and FBI want permission to hack into computers all over the world. Only Congress can stop it.
- Government Accountability Project: GAP Joins Coalition to Oppose Changing “Rule 41” to Safeguard Americans’ Privacy Rights
- National Association of Criminal Defense Lawyers: Congress should stop government hacking and protect the Fourth Amendment
- Niskanen Center: A Day of Action in Opposition to Rule 41
- Open Technology Institute: OTI Joins Over 45 Groups & Companies for Day of Action to Say No to Rule 41 Changes
- Tor: Day of Action: Stop the Changes to Rule 41
Today at the OECD Ministerial Meeting on the Digital Economy in Mexico, the Global Commission on Internet Governance released its final report, One Internet. Despite its important-sounding name, the Commission is not an official body, but a think tank convened in 2014 by the Center for International Governance Innovation (CIGI) and Chatham House, composed of a diverse panel of 29 invited experts from industry, government, academia, and civil society (including EFF Pioneer Award recipient Anriette Esterhuysen).
The Commission had a broad and open mandate to articulate and advance a strategic vision for the future of Internet governance in light of some of its most hotly-disputed global political challenges. Foremost among these challenges are the betrayal of Internet users' trust by states engaged in mass online surveillance, and moves by authoritarian states to control and restrict the open Internet. In light of these challenges, the Commission's report suggests a series of recommendations, many of which EFF supports, towards creating a more open, secure, trustworthy, and inclusive Internet.
Policy Recommendations
The recommendations are wide-ranging, so here we highlight the ones that touch on the areas in which EFF works:
- Net neutrality. Recognizing net neutrality as a key principle to help preserve the Internet's accessibility, the Commission makes a number of relevant recommendations to further this principle by promoting competition and access to network infrastructure, and sanctioning non-neutral practices such as blocking, filtering, and zero-rating. On this last point, its recommendation that "In the absence of sufficient competition to enable consumer choice, there should be no exclusive agreements to provide zero-rated content" broadly aligns with EFF's view.
- Mass surveillance. Echoing the Necessary and Proportionate principles, the Commission recommends that "Interception of communications and collection and analysis of data over the Internet by law enforcement and government intelligence agencies should be for legitimate purposes, openly specified in advance, authorized by law and requiring the application of the principles of necessity and proportionality." The report also recommends that "International data-sharing agreements between governments should not be used to circumvent the national laws of a country and should respect human rights."
- Privacy and data protection. Since users' privacy is threatened not only by official surveillance but also by commercial data collection, the Commission recommends that users of online services "should know about and have some choice over the full range of ways in which their data will be deployed," and that "To assure the public that their data is being appropriately protected, states that do not already have comprehensive personal data protection legislation and a privacy enforcement authority with legal enforcement powers should take steps to create such regimes."
- Intermediary liability. The Commission cites the Manila Principles on Intermediary Liability and affirms that it "fully supports" the legal principles of "shielding intermediaries from liability for third-party content; the requirement of judicial authority for content takedowns; necessity and proportionality; clarity and due process; and transparency and accountability. The Commission also believes that actors in the digital ecosystem—whether technology companies or intermediaries such as content hosts or ISPs—should not be required to perform the functions of law enforcement, except as required by appropriate judicial order."
- Encryption. The Commission recognizes that "Governments should not create or require third parties to create “back doors” to access data that would have the effect of weakening the security of the Internet," and further notes that "States should not rely upon the weaker data collection rules that govern private companies to get access to information that they could not obtain themselves through legal channels."
In some cases, given the complexity of the areas tackled and the diversity of the panel, no recommendation is given by the Commission, or its recommendations are fudged or tentative. For example, the panel covers both sides of the arguments around improving the transparency of the algorithms behind online services that we all use, but fails to reach much of a conclusion other than that more discussion and study is needed.
Similarly, the Commission fails to make much headway in reconciling its support for encryption with the demands of law enforcement, and rolls out some unhelpful stereotypes about encrypted services as the "shadowy underbelly of the Internet." It does, however, recommend that in seeking to reconcile law enforcement demands with users' rights, "any solutions should be derived through a multi-stakeholder process, broadly agreed, and must be subject to legal oversight, governed by principles of necessity, proportionality and avoidance of unintended consequences."
Meaningful Stakeholder Inclusion in Internet Governance
A problem here is that the supposed multi-stakeholder processes through which such solutions to highly contested policy issues could be rolled out don't really exist yet, outside of the very narrow area of Internet names and numbers, handled by ICANN. Although the OECD, which meets this week in Mexico, makes claims to following a multi-stakeholder model of policy development, by taking advice from a Civil Society Information Society Advisory Council (CSISAC, in which EFF is a participant), this is a rather shallow form of consultation that invites community input only once governments have already set the agenda, and provides little assurance that this input will actually be taken into account by policy makers.
The Commission report hits the nail on the head by noting the hypocrisy of governments' claims to uphold a multi-stakeholder model of Internet policy development, while actually pursuing their policy objectives in closed fora:
In practice, the principle of multi-stakeholder governance may be honoured as much in the breach as in the observance. In terms of real-world impact, bilateral and multilateral free trade agreements can significantly affect Internet governance issues. Many, such as the Trans Pacific Partnership Agreement, specifically address important issues such as data localization, encryption, censorship and transparency, all of which are generally regarded as forming part of the Internet governance landscape; However, they are negotiated exclusively by governments and usually in secret.
As EFF and its partners have also observed, this is clearly not sustainable. The Commission's own research affirms this, finding that in answer to the question "how much do you trust each of the following to play an important role in running the Internet," the fewest people (36%) would trust the United States, whereas the most (57%) would trust a combined body of technology companies, engineers, non-governmental organizations and institutions that represent the interests and will of ordinary citizens and governments. No such body yet exists, and the Commission does not recommend creating one afresh.
Short of creating a new body, is it possible to utilize a more meaningfully inclusive multi-stakeholder environment for the development of recommendations on global Internet policy? Some have held out hope that the Internet Governance Forum (IGF) could provide a forum for the development of such recommendations, but it has not lived up to this promise, hampered by accountability problems and a chronic lack of funding. The Commission accordingly recommends, "The United Nations should take practical steps to implement the decision of member states to extend the mandate of the IGF, including providing the necessary funding for its base budget."
Social Compact for a Digital Society
Meanwhile, the Commission sets its sights a little lower than wholesale reform of global governance arrangements, suggesting instead the need for a new collaboratively-developed "Social Compact for a Digital Society," containing some basic principles to secure the Internet's future. It even suggests some elements around which such a compact might be based, beginning with the statement that "Fundamental human rights, including privacy and personal data protection, must be protected online. Threats to these core human rights should be addressed by governments and other stakeholders acting both within their own jurisdiction and in cooperation."
As welcome as this sounds, we don't know whether such a compact is really a realistic prospect. The Commission itself acknowledges the difficulty and perhaps impossibility of developing such a compact that would be truly universal, given the likely antipathy of those states that are "erecting borders in cyberspace and asserting the government’s right to impose significant constraints on the free flow of information on the Internet."
That said, there is an undoubted need to help all stakeholders find areas of agreement in addressing current challenges in Internet governance, and the Commission's One Internet report is a worthy contribution to that ongoing endeavor. EFF doesn't agree with everything in the report, but commends it as worthy reading for policymakers and stakeholders who share the vision of a more accessible, inclusive, secure, and trustworthy Internet, even if that utopian end state may never be fully realized.
It’s time to lift the cloak of secrecy that has until now shielded the NSA from judicial scrutiny. EFF served the agency with information requests late last week in Jewel v. NSA, EFF’s signature case challenging government surveillance. Since we filed the case in 2008, leaks about government spying—many of which have been confirmed by intelligence agencies—have vindicated our claims that the U.S. government is and was illegally spying on millions of innocent Americans. Now, we are seeking answers to basic questions about the nuts and bolts of the government’s Internet and telephone mass surveillance programs.
Not only does this mark the first opportunity to obtain evidence since the case was filed nearly eight years ago, but it’s also the first time any party has been allowed to gather facts about the programs’ inner workings from the NSA in a case involving the agency’s warrantless surveillance.
It’s unusual for a case to go eight years before reaching this point, called “discovery,” the routine process by which one party obtains evidence to support their case from another party. But we were barred from conducting discovery since 2008 because the government succeeded in putting evidence gathering on hold while it tried to get the case thrown out—thereby preventing us from requesting important information about how the NSA’s mass surveillance programs worked. But the government failed to get the case thrown out. And earlier this year—after a Ninth Circuit judge expressed shock [at 30:03] that discovery had been stayed for so long—U.S. District Court Judge Jeffrey White in Oakland, California, authorized EFF, on behalf of the plaintiffs, to finally seek information from the NSA.
We’ve learned a great deal about the government’s telephone and Internet mass surveillance programs in the past few years, thanks to the leaks of many whistleblowers, including Edward Snowden, the work of investigative journalists, and statements by public officials. But there is still a lot we don’t know about how these programs operate. And in Jewel, the government has convinced the court that the publicly available information does not paint a sufficiently complete picture of how the NSA collects Internet traffic. The court can’t decide whether the program is legal, the government says, with only the information that’s been made public.
Yet, in an absurd Catch-22 move, the government won’t provide any clarification or explanation of its assertions that we are “wrong” on the facts. Instead, the government is sticking with its signature practice of revealing only bits and pieces of how its massive surveillance operations function while actively obscuring how those pieces fit together and issuing carefully crafted denials of our allegations.
We are now seeking answers to some basic questions that will provide enough clarification for a real judicial decision. For instance, we asked the NSA to describe the basic process by which it acquires, copies, filters, and searches Internet communications in transit over the Internet backbone without any warrant or court order authorizing it to do so. We asked the agency to describe how AT&T’s Folsom Street facility in San Francisco fits into its operations, and all the facts on which it bases its conclusion that it would be “impracticable” to get a warrant supported by probable cause before invading people’s privacy. And we asked the agency to provide documentation to support its answers.
We also asked the NSA to admit various facts about both its Internet and telephone mass surveillance programs, and to explain itself should it refuse to make unqualified admissions. For instance, we asked the NSA to admit that it procured from AT&T bulk Internet and telephone call records without any warrant, court order, or subpoena. And we asked the NSA to admit that it procured AT&T to copy, via fiber-optic splitters, all electronic communications at the Folsom Street facility transiting between AT&T’s Internet facilities and the Internet facilities of non-AT&T electronic communications service providers, and that it later searched the contents of those communications.
These are not technical questions about the intricacies of the NSA’s systems. The answers will not add to what the bad guys know in any material way. These are high-level, operational questions about the government’s mass warrantless spying programs—questions for which the public has long deserved answers, and for which the courts need answers to adequately evaluate whether our laws have been broken.
Congress should be asking these very same questions. But so far, it has failed to do so. Indeed, in the eight years since Congress enacted reforms to the Foreign Intelligence Surveillance Act (FISA), it has failed to gain a functional understanding of NSA Internet surveillance or to consider its impacts on democracy. It’s clear from a recent hearing that Congress does not even know how many Americans are impacted by Section 702 of the law, which was designed to allow U.S. intelligence services to collect electronic intelligence on foreign targets related to our national security interests but which the government has used to sweep up data on hundreds of millions of people, including countless Americans, who have no connection to a terrorist investigation. Section 702 is set to expire next year, and the complete lack of transparency regarding the government’s use of the law is a key reason why the digital rights community is calling on Congress to let it expire as scheduled.
The government has 30 days to answer our questions, although we expect they will try to delay things. We also expect that the government will try to block our discovery requests entirely by claiming, as it has in the past, that the state secrets privilege protects it against both discovery and liability. Judge White previously rejected that argument for our statutory claims under the Wiretap Act, FISA, the Electronic Communications Privacy Act, and the Stored Communications Act. Any attempt by the government to invoke that privilege here would also be improper and should be rejected.
While we don’t expect to get there without a fight, we look forward to finally getting to the nuts and bolts of this extraordinarily important lawsuit.
EFF Urges Citizens, Websites to Fight Rule Changes Expanding Government Powers to Break Into Users’ Computers
San Francisco—The Electronic Frontier Foundation (EFF), the Tor Project, and dozens of other organizations are calling today on citizens and website operators to take action to block a new rule pushed by the U.S. Justice Department that would greatly expand the government’s ability to hack users’ computers and interfere with anonymity on the web.
EFF and over 40 partner organizations are holding a day of action for a new campaign—noglobalwarrants.org—to engage citizens about the dangers of Rule 41 and push U.S. lawmakers to oppose it. The process for updating these rules—which govern federal criminal court processes—was intended to deal exclusively with procedural issues. But this year a U.S. judicial committee approved changes in the rule that will expand judicial authority to grant warrants for government hacking.
“The government is attempting to use a process designed for procedural changes to expand its investigatory powers,” said EFF Activism Director Rainey Reitman. “Make no mistake: these changes to Rule 41 will result in a dramatic increase in government hacking. The government is trying to avoid scrutiny and sneak these new powers past the public and Congress through an obscure administrative process.”
Right now, Rule 41 only authorizes federal magistrate judges to issue warrants to conduct searches in the judicial district where the magistrate is located. The new Rule 41 would for the first time authorize magistrates to issue warrants when “technological means,” like Tor or virtual private networks (VPNs), are obscuring the location of a computer. In these circumstances, the rule changes would authorize warrants to remotely access, search, seize, or copy data on computers, wherever in the world they are located.
“Tor users worldwide could be affected by these new rules,” said Kate Krauss, Director of Public Policy and Communications for the Tor Project. “Tor is used by journalists, members of Congress, diplomats, and human rights activists who urgently need its protection to safeguard their privacy and security—but these rules will give the Justice Department new authority to snoop into their computers.”
The changes to Rule 41 would also take the unprecedented step of allowing a court to issue a warrant to hack into the computers of innocent Internet users who are themselves victims of a botnet, EFF and its partners said in a letter to members of Congress today.
EFF and its partners launched noglobalwarrants.org, a campaign page outlining problems with the changes to Rule 41 and listing over 40 Internet companies, digital privacy providers, and public interest groups that support the project. The coalition is asking website owners to embed on their sites unique code that will display a banner allowing people to email members of Congress or sign a petition opposing Rule 41. The groups are also calling on citizens to speak out against Rule 41 on social media and blogs. The aim is to send a message to Congress that it should not authorize this expansion of government hacking and must reject Rule 41 changes.
For the coalition letter:
This week marks the second anniversary of the Supreme Court’s landmark decision in Alice v. CLS Bank. In Alice, the court ruled that an abstract idea does not become eligible for a patent simply by being implemented on a generic computer. When the case was decided, we wrote that it would be a few years until we knew its true impact. Two years in, we can say that while Alice has not solved all problems with software patents, it has given productive companies a valuable tool for fighting back against patent trolls. And while it has been bad for the trolls, there’s little reason to think the Alice decision harmed real software companies.
When Alice was being argued, many supporters of software patents claimed that weakening software patents would harm the industry. For example, Judge Moore of the Federal Circuit argued (PDF) that invalidating all of the patent claims at issue would “decimate the electronics and software industries.” Others made similar claims after the Supreme Court’s decision.
How did the doomsayers fare? Well, those who thought Alice would “decimate” the software industry might want to try to rent an apartment in San Francisco right now. Demand for software engineers remains extremely strong. And software companies, including many with large patent portfolios, have generally done fine. In fact, if you had invested in a software ETF the day after Alice you would have handily beaten the market. This isn’t to say that Alice is the reason the industry is thriving, but it is a reminder that software patents and the software industry are not the same thing.
While companies that actually write software and employ people are doing fine, Alice has put a dent in the business model of bottom-feeding trolls. Specifically, it has provided a valuable tool for getting abstract software patents thrown out early in litigation. This makes it harder for trolls to leverage the cost of defending a lawsuit and lets startups and other productive companies get on with the business of innovating. Consider these examples:
- eDekka: The most litigious troll of 2014 had 168 cases thrown out when a judge found patent claims on storing and labeling information invalid under Alice.
- Eclipse IP LLC: Another prolific patent troll had claims from multiple patents (on computer-based notification systems) ruled invalid under Alice. We later awarded a similar Eclipse patent our Stupid Patent of the Month award for April 2015. (Note that Eclipse IP LLC subsequently changed its name to Electronic Communication Technologies LLC.)
- Garfum.com Corporation: EFF helped a photographer fight back against a company claiming to own the idea of having a vote-for-your-favorite photo competition. The patent owner dismissed its case rather than face a ruling on the merits under Alice.
- White Knuckle: This patent on remotely updating sports video games was our Stupid Patent of the Month in January 2015. On June 2, 2016, a federal judge ruled that since remotely updating software was already conventional when the application was filed, the patent’s claims (which included things like updating the grass at a virtual stadium) were invalid.
Alice has not solved all problems with the patent system. But without the ruling, it is likely that these cases and others like them would have dragged on until the defendant was effectively forced to settle. Two years in, we can celebrate Alice as a qualified success. We’ll keep working to ensure that the ruling is applied diligently and for more fundamental patent reform to protect innovators.
Two years ago, the House stood united across party lines, voting by a remarkable margin of 293–123 to support the same measures, which would enhance security and privacy by limiting the powers of intelligence agencies to conduct warrantless backdoor searches targeting Americans, and to undermine encryption standards and devices.
This week, the intelligence community broke that consensus by inappropriately politicizing the recent tragedy in Orlando. Before Thursday's vote, the chair of the House Intelligence Committee, Rep. Devin Nunes (R-CA), circulated a letter falsely claiming that:
If this amendment were enacted, the Intelligence Community would not be able to look through information lawfully collected under FISA Section 702 to see if...the Orlando nightclub attacker was in contact with any terrorist groups outside the United States.
These claims were downright disingenuous.
As members of the intelligence committee well know, the government will have no problem securing warrants to search the Orlando attacker's online communications. Warrants are not difficult to secure when appropriate. The only thing a warrant requirement would do is prevent the government from abusing its powers, as it repeatedly has in the past.
The clever misrepresentations about the proposed amendment, and unproven and ultimately spurious claims that it would undermine national security, prompted efforts to correct the debate and inform policymakers of the truth, leading dozens of members of Congress to switch sides in both directions. Ultimately, the House chose to reverse two previous votes overwhelmingly supporting precisely the same amendment.
We are greatly disappointed that the House chose to abandon its prior votes defending the rights of constituents, and particularly in those members who accepted the canard that simply requiring the government to obtain a judicial warrant before searching Section 702 intelligence databases would hinder investigations.
Observers who share our concerns have opportunities to impact the debate going forward. First, contact your federal representative to share your views, especially if yours was one of the dozens who shifted their position.
But don’t stop there: August will present a key point in time when—visiting their districts just a few months before an election with likely high turnout driven by a presidential election cycle—members of Congress will be at their most politically vulnerable, exposed, and therefore receptive to grassroots concerns.
If you’d like to take advantage of the opportunity to share your views with your representatives in a forum more influential than a phone call, confirm how your representative voted, recruit a handful of friends to form a local group, and join the Electronic Frontier Alliance.
Next week, the House Judiciary Committee will finally hold a hearing on the SPEAK FREE Act (H.R. 2304), over a year after the bill was introduced in Congress. We support the SPEAK FREE Act, which would help protect victims of strategic lawsuits against public participation, commonly known as SLAPPs.
A SLAPP is a technique that’s used to silence speech on the Internet and elsewhere, usually because that speech is embarrassing for the plaintiff. Plaintiffs who bring SLAPPs often aren’t interested in winning the case. Their goal is simply to silence their critics through the threat of time-consuming and expensive litigation. SLAPPs threaten the defendants’ freedom of expression, as well as everyone else’s right to hear diverse opinions and points of view.
We’re glad to see that the SPEAK FREE Act is still alive and gaining support. Supporters of the bill are asking SLAPP victims to sign a letter to the House Judiciary Committee. If you’ve been targeted with a SLAPP, your story could help open lawmakers’ eyes to this growing problem.
EFF is calling for a day of action on June 21. Please join us.
The United States Department of Justice is pushing, in an opaque way, a rule change that will increase law enforcement's ability to hack into computers around the world. It is an amendment to Rule 41 of the Federal Rules of Criminal Procedure. If the United States Congress does nothing, this massive change will take effect on December 1.
EFF, The Tor Project, and dozens of other organizations are concerned about the future of our digital security and are taking a stand for users everywhere. We are organizing a campaign and a day of action to speak out against the changes to Rule 41.
But we can't do it alone. If you have a website, we will need your help.
The code will automatically display the banner on the day of our action: Thursday, June 21. After that day, the banner will disappear automatically. See an example of the banner:
If you'd rather host your own banner, you can insert this image into your site and link it to NoGlobalWarrants.org (the website will be live on June 21).
Don't run a website? You can still help us.
Even if you don't run a website where you can host the banner, you can still help. On or before June 21, you can send an email to your member of Congress. Write about Rule 41 on social media or a blog, and ask your friends to talk about the issue. Feel free to get creative by organizing events in your home community, taking photos, and sending them to us.
Let us know what you have in mind (whether you are hosting a banner or not) through the following form.
Why you should care:
We've written a detailed explanation of the changes to Rule 41 that lays out why this update will result in a dramatic increase in government hacking. Here is a summary of some of the main reasons we are concerned:
- Government agents hacking into people's computers more frequently is a recipe for disaster. Law enforcement will increase their exploitation of security vulnerabilities in the most common software products, which means that vulnerabilities that could affect millions will be left open instead of being patched.
- Law enforcement will engage in forum shopping, seeking out government-friendly judges willing to sign warrants with a remote connection to the judicial district.
- Law enforcement will pressure judges to authorize remote searches of thousands of computers with a single warrant, a direct violation of the Fourth Amendment and a pattern we are already seeing.
This rule change especially affects people who use privacy-protective technologies like Tor or VPNs, which is why we are asking privacy tools to join in standing up for users on June 21.
The Department of Justice is using an obscure procedure to push through a rule change that will greatly increase law enforcement’s ability to hack into computers located around the world. It’s an update to Rule 41 of the Federal Rules of Criminal Procedure. If Congress does nothing, this massive change will automatically go into effect on December 1.
EFF, the Tor Project, and dozens of other organizations concerned about the future of our digital security are taking a stand for users everywhere. We’re organizing a campaign and day of action to speak out against the changes to Rule 41.
But we can’t do it alone. If you run a website, we need your help.
The code will automatically display the banner on our day of action: Tuesday June 21. After that day, the banner will disappear automatically. See an example of the banner.
If you’d rather host your own banner, you can insert this image into your site and link it to NoGlobalWarrants.org (website will be live on June 21).
Don’t run a website? You can still help.
Even if you don’t run a website where you can embed the banner, you can still help. On or before June 21, you can send an email to your member of Congress. Please post about Rule 41 on social media or a blog, and ask your friends to speak out. Feel free to get creative by hosting events in your home community, taking a photo, and sending it our way.
Let us know what you’re planning (whether embedding a banner or not) by filling out this form.
Why you should care
We’ve written a detailed explanation of the changes to Rule 41, which explains why this update will result in a dramatic increase in government hacking. Here’s an overview of some of the main reasons we are concerned:
- Government agents hacking into computers more frequently is a recipe for disaster. Law enforcement will increase their exploitation of security vulnerabilities in common software products, meaning vulnerabilities that could affect millions will be left open instead of patched.
- Law enforcement will forum shop, finding government-friendly magistrate judges to sign off on warrants with a loose connection to the judicial district.
- Law enforcement will pressure judges to sign off on remote searches of thousands of computers with a single warrant—a direct violation of the Fourth Amendment and a pattern we’re already seeing.
This rule change especially impacts people using privacy protective technologies like Tor or VPNs, which is why we’re asking privacy tools to join us in standing up for users on June 21.
Want to join our day of action? Just let us know what you’re planning, especially if you can embed the banner.
The Second Circuit has released its long-awaited opinion in Capitol Records v. Vimeo, fully vindicating Vimeo’s positions. EFF, along with a coalition of advocacy groups, submitted a friend-of-the-court brief in the case, supporting Vimeo.
The Second Circuit considered three important issues. First, whether a service provider could rely on the DMCA safe harbor when it came to pre-1972 sound recordings. Second, whether evidence of Vimeo employees watching certain well-known songs was enough to create “red flag” knowledge that the videos were infringing. And third, whether Vimeo was “willfully blind” to infringement occurring on its service.
For each of these issues, the Second Circuit ruled for Vimeo.
The DMCA Safe Harbor Applies to Pre-1972 Sound Recordings
In an important decision, the court held that the DMCA safe harbors apply to pre-1972 sound recordings.
Pre-1972 sound recordings, “for reasons not easily understood,” are not subject to federal copyright laws, but instead are governed by a patchwork of state laws that provide varying degrees of protections and rights. Because these recordings fall under state law, the labels, relying on a supporting opinion from the Copyright Office, argued that the DMCA also did not apply.
The Second Circuit rejected the labels’ and the Copyright Office’s argument. It based its decision on the statutory text of the DMCA, which was supported by the policy goals the DMCA was intended to achieve. Specifically:
To construe § 512(c) as leaving service providers subject to liability under state copyright laws for postings by users of infringements of which the service providers were unaware would defeat the very purpose Congress sought to achieve in passing the statute. Service providers would be compelled either to incur heavy costs of monitoring every posting to be sure it did not contain infringing pre-1972 recordings, or incurring potentially crushing liabilities under state copyright laws. It is not as if pre-1972 sound recordings were sufficiently outdated as to render the potential liabilities insignificant.
Some Employees Watching “Recognizable” Videos Isn’t Enough to Create Red Flag Knowledge
In reaffirming Viacom v. YouTube, the Second Circuit clarified that the “reasonable person” standard incorporated into the red flag knowledge standard was an ordinary person, not someone with specialized knowledge of copyright law or music. The Second Circuit also clarified that the burden of showing red flag knowledge is on the copyright holder, not on the service provider claiming the protections of the DMCA. That is:
[A] showing by plaintiffs of no more than that some employee of Vimeo had some contact with a user-posted video that played all, or nearly all, of a recognizable song is not sufficient to satisfy plaintiffs’ burden of proof that Vimeo forfeited the safe harbor by reason of red flag knowledge with respect to that video.
The Second Circuit sent this part of the case back to the district court to determine whether the plaintiffs could “point to evidence sufficient to carry [plaintiffs’] burden of proving that Vimeo personnel either knew the video was infringing or knew facts making that conclusion obvious to an ordinary person who had no specialized knowledge of music or the laws of copyright.” If the plaintiffs can’t show that, Vimeo can’t be said to have “red flag” knowledge of infringement.
Vimeo Was Not Willfully Blind
Finally, the Second Circuit upheld the lower court’s finding that Vimeo was not willfully blind to infringement on its platform, so as to remove DMCA safe harbor protections. The rightsholders had argued that Vimeo was willfully blind to infringement based on three facts: Vimeo monitored videos for infringement of video content (but not audio content); Vimeo had a duty to investigate further once it learned facts that would make it suspicious of infringement; and Vimeo itself encouraged infringement, thus couldn’t “close its eyes” to resulting infringement.
Each of these arguments was rejected by the Second Circuit. The Court held that (1) there was no duty to monitor for infringement, (2) that suspicion of infringement wasn’t enough unless infringement was obvious, and (3) a few sporadic videos out of millions where Vimeo employees “inappropriately” encouraged users to post infringing videos was insufficient to remove the DMCA safe harbor protections, especially where the videos did not relate to the videos at issue in the lawsuit.
The Second Circuit's finding that Vimeo didn't have a duty to investigate is important and essential to an open Internet that includes user-generated content. A duty to investigate would place a significant burden on small companies and non-commercial hosts, making it less likely that a new company could compete with those already entrenched in the market, or that a non-commercial host could survive. More broadly, however, we're concerned about how often companies get hauled into court to challenge their safe harbors or worse. This ruling protects Vimeo, but it is disappointing that it took several years, and surely several million dollars, to get there.
The Federal Communications Commission (FCC) is collecting comments from the public about how the laws that govern consumer privacy over broadband networks should be applied. In its response, EFF has called on the FCC to ensure that the legal obligations of Internet Service Providers (ISPs) to their customers are clearly established and that the agency prohibits practices that exploit the powerful position ISPs hold as gatekeepers to the internet.
When the FCC reclassified broadband internet service providers as "telecommunications" providers as part of its Open Internet Order, the agency left open the question of how the privacy obligations that telecommunications providers must fulfill apply to ISPs. The Notice of Proposed Rulemaking (NPRM) sets out to answer those questions.
How Best to Protect Consumers
Congress has given several regulatory powers to the FCC for protecting consumer privacy, such as: establishing what type of information is sensitive enough for legal protection; setting restrictions on how private information can be disclosed by companies; determining what type of information cannot be used at all for purposes unrelated to provision of service to the customer; and establishing the steps ISPs must take in order to secure permission from the consumer. These protections are critical because consumers do not have a lot of options when choosing high-speed internet access. In fact, most Americans only have one choice for speeds above 25 Mbps—so you can’t really shop for a more privacy-friendly ISP. Given that most consumers have no real choice among ISPs, establishing a strong legal duty is necessary to protect private consumer information.
One of the most pivotal privacy provisions within the Communications Act is Section 222(a), which establishes that "every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to...customers." We argue that this legal duty to protect confidential information prohibits ISPs from harvesting consumer data through deep packet inspection (DPI) for purposes that are unrelated to actually providing broadband communications.
We also argued that as part of their general duty to customers, ISPs should not retain personal information for an extended period of time beyond that which is necessary for legitimate business purposes. This, along with restraints on DPI use by ISPs, would ensure that consumers are given the highest level of protection for their confidential information and would avoid making ISP databases of customer information the targets of criminals or foreign governments seeking to exploit that data. Of course, sometimes it doesn’t even take an outside actor to violate consumer privacy: in California, the Public Utilities Commission had to investigate a breach by Comcast when the names, addresses, and telephone numbers of 75,000 Californians were accidentally published despite the fact that these Comcast customers paid extra money to keep their information private.
How to Keep The Rules Up to Date
The FCC is thinking about what types of information fall within protected categories, but trying to be too surgical could end up defeating the purpose of these privacy protections. We've proposed that the agency establish a broad rule covering all of the content of all communications so that an ISP complying with the rules does not need to inquire into the specific contents of a communication to determine if it’s protected. Companies have developed extraordinarily sophisticated methods to collect an array of seemingly unimportant data in order to learn a lot of personal information about an individual. The Commission could weaken the privacy rules it seeks to adopt if it allows certain content to be accessible to the ISP via these methods. Furthermore, given how technology continues to rapidly evolve in this space, the FCC should provide the industry with illustrative examples of what type of information practices comply with the new rules and update those examples frequently.
Transparency is essential for keeping the ISP industry accountable to its customers. The FCC has a few proposals in the right direction, but we think some improvements can be made. Specifically, the agency asks whether ISPs should publish the names of the specific entities they intend to share customer information with. We answer that question with an unequivocal "yes," as the cost of compliance would be negligible and the value to consumers who opt-in is tremendous. In fact, we think it would be a benefit to the industry: consumers would be more willing to opt in to sharing their information because they will be able to check into the third parties that partner with ISPs and decide if they want their information shared. Finally, much in the same vein as the Open Internet Order, the FCC must have the rules apply equally to wireless providers (if not more stringent rules, given that wireless carriers have highly sensitive location information).
Some Potentially Dangerous Loopholes
Two proposals that the NPRM requests comment on involve instances when an ISP can access private information without permission. The Commission’s overall permissions or consent framework sets out three categories: opt-in, opt-out, and no customer approval (or notice) needed. We disagree strongly with the Commission’s assessment that the privacy provisions in the Communications Act allow for a category of personal data where the ISP never needs to notify its customers of its use. Rather, the law envisions ISP use of consumer data to be tied to authorized use through some form of approval. The law does not allow for an ISP to consider "no approval" as "approval."
The NPRM also proposed that ISPs be allowed to invade your privacy under an exemption for investigating “unlawful uses,” particularly in the areas of copyright and trademark infringement. We are concerned that ISPs would simply use DPI technology for all content on the grounds that they are investigating unlawful uses, thus defeating the purpose of the privacy rules. EFF recommended that the agency avoid providing an exemption for copyright and trademark infringement given that Congress already protects ISPs from liability. It should not be the ISPs' job to police content as opposed to passing data traffic in a non-discriminatory manner. However, if the agency decides to provide an exemption, it should adopt a narrow rule that requires an ISP to have concrete and specifically identified instances of infringement first, and that notice be provided to the customer.
The FCC is entering its final stage of listening to the public and will begin to make decisions in the coming months on how it should use its legal authority to establish the privacy obligations of ISPs. If you wish to read EFF's full submission you can find it here. EFF will continue to fight for consumers' privacy interests and against efforts to have the agency adopt rules that do little to protect the privacy rights of internet users. Congress passed these laws to curtail the ability of telecommunications carriers to harvest their customers' data and the agency must do its part to update and enforce the law.
Today the federal Government Accountability Office (GAO) finally published its exhaustive report on the FBI’s face recognition capabilities. The takeaway: FBI has access to hundreds of millions more photos than we ever thought. And the Bureau has been hiding this fact from the public—in flagrant violation of federal law and agency policy—for years.
According to the GAO Report, FBI’s Facial Analysis, Comparison, and Evaluation (FACE) Services unit not only has access to FBI’s Next Generation Identification (NGI) face recognition database of nearly 30 million civil and criminal mug shot photos, it also has access to the State Department’s Visa and Passport databases, the Defense Department’s biometric database, and the driver’s license databases of at least 16 states. Totaling 411.9 million images, this is an unprecedented number of photographs, most of which are of Americans and foreigners who have committed no crimes.
The FBI has done little to make sure that its search results (which the Bureau calls “investigative leads”) do not include photos of innocent people, according to the report. The FBI has conducted only very limited testing to ensure the accuracy of NGI's face recognition capabilities. And it has not taken any steps to determine whether the face recognition systems of its external partners—states and other federal agencies—are sufficiently accurate to prevent innocent people from being identified as criminal suspects. As we know from previous research, face recognition is notoriously inaccurate across the board and may also misidentify African Americans and ethnic minorities, young people, and women at higher rates than whites, older people, and men, respectively.
As the Report points out, many of the 411.9 million face images to which FBI has access—like driver’s license and passport and visa photos—were never collected for criminal or national security purposes. And yet, under agreements we’ve never seen between the FBI and its state and federal partners, the FBI may search these civil photos whenever it’s trying to find a suspect in a crime. As the map above shows, 18 more states are in negotiations with the FBI to provide similar access to their driver’s license databases.
The states have been very involved in the development of the FBI’s own NGI database, which includes nearly 30 million of the 411.9 million face images accessible to the Bureau (we’ve written extensively about NGI in the past). NGI includes more than 20 million civil and criminal images received directly from at least six states, including California, Louisiana, Michigan, New York, Texas, and Virginia. And it appears five additional states—Florida, Maryland, Maine, New Mexico, and Arkansas—can send search requests directly to the NGI database. As of December 2015, FBI is working with eight more states to grant them access to NGI, and an additional 24 states are also interested.
The GAO Report spends a significant number of pages criticizing FBI for rolling out these massive face recognition capabilities without ever explaining the privacy implications of its actions to the public. Federal law and Department of Justice policies require the FBI to complete a Privacy Impact Assessment (PIA) of all programs that collect data on Americans, both at the beginning of development and any time there’s significant change to the program. While the FBI produced a PIA in 2008, when it first started planning out the face recognition component of NGI, it didn’t update that PIA until late 2015—seven years later and well after it began making significant changes to the program. It also failed to produce a PIA for the FACE Services unit until May 2015—three years after FACE began supporting FBI with face recognition searches. As GAO notes, the whole point of PIAs is to give the public notice of the privacy implications of data collection programs and to ensure that privacy protections are built into the system from the start. The FBI failed at this.
The single bright spot in the report reiterates that FBI decided not to allow searches of civil photos enrolled in NGI to “better protect individuals’ privacy.” This is a hollow victory, however, because if you’ve ever been arrested for any crime at all—including blocking a street as part of a public protest—your civil photos will be linked to your booking photo and subject to face recognition searches along with all the other 29.7 million images in NGI.
The GAO’s findings are especially shocking, given the timing. Just over a month ago the FBI demanded its face recognition capabilities be exempt from several key provisions of the federal Privacy Act—and provided the public with only 30 days to respond. Over and over, the FBI’s secret data collection practices confirm why we need more transparency, not less. In the coming weeks, we’ll be asking you to sign on to our comments to the FBI’s proposal. Help us send a message to the FBI that its practices are unacceptable and must change.
Last week, Santa Clara County—which encompasses much of Silicon Valley—set a new standard in local surveillance transparency after months of activism by residents and allies from across the Bay Area. Their efforts, and the policy they enabled, suggest an overlooked strategy in the national battle to curtail unaccountable secret mass surveillance.
While federal agencies play a controversial role in monitoring Americans, their local counterparts also conduct similar activities—not only in the context of counterterrorism, but also in the name of routine public safety. Concerns about the militarization of local police have long united Americans across the political spectrum, but the metastasis of surveillance platforms across local police departments, county sheriffs, and state highway patrols too often went largely unnoticed until recently.
Cell-site simulators (commonly referred to by the trade name of the early versions of the devices, Stingray) are an example of police surveillance equipment that has grown particularly controversial. They essentially mimic cell phone towers in order to monitor data and voice traffic, and were so secret that prosecutors around the country dropped cases based on evidence collected from cell-site simulators rather than disclose their existence to courts.
But while Stingrays have prompted increasingly widespread concerns in the last few years, they have been deployed in U.S. cities for a decade. In Baltimore alone, they were used thousands of times without judicial oversight or legislative awareness—let alone approval—since 2007.
The new measure will impose several requirements on all Santa Clara County agencies. First, it will require them to seek affirmative approval from the county Board of Supervisors before purchasing new surveillance equipment. It will also require agencies to develop usage policies providing protections for civil rights and civil liberties for the Board to review and approve. Finally, it will require annual reports to the Board enabling meaningful oversight of how agencies deploy surveillance equipment that the Board allows them to purchase.
Supervisor Joe Simitian, who sponsored the new Santa Clara law, emphasized that it will subject not only existing surveillance technologies to legislative oversight, but also technologies that have yet to be developed. As explained by the ACLU of Northern California’s Nicole Ozer, "Silicon Valley's local lawmakers made sure the law passed today was future-proof by creating consistent rules for all the surveillance technology that currently exists and those we know will come."
Each new government surveillance technology raises a thicket of difficult questions. Should it be adopted at all? What are the benefits and costs? Will it actually make us safer? What are the privacy safeguards?
These questions should be answered by the Santa Clara County Board, before any county agency adopts a new surveillance technology. The general public should be heard, too. When all concerned stakeholders participate, we make better decisions.
Among the other voices promoting the bill were three local groups participating in the Electronic Frontier Alliance, including the Oakland Privacy Working Group, Restore the Fourth-Bay Area, and the Peninsula Peace and Justice Center. Members of each of these groups spoke before the county Board of Supervisors, organized support for the proposal in live events and over social media, and reached out to other organizations and their communities to seek their support for greater transparency.
Other cities around the Bay Area have previously taken steps to curtail surveillance by local police. For example, San Francisco adopted a measure in 2008 reiterating local privacy standards to curtail federally coordinated surveillance using city resources. In particular, it required S.F. Police Department officers participating in FBI-coordinated Joint Terrorism Task Forces to comply with more protective state & local standards, rather than opportunistically choosing federal law where more permissive.
Securing even greater protection for civil liberties beyond transparency, the City of Berkeley adopted a policy in 2012 imposing substantive and procedural limits on intelligence collection. That policy included five discrete components approved by the City Council that require reasonable suspicion of criminal activity as a predicate to justify the collection of intelligence information, categorically prohibit Suspicious Activity Reports (SARs) based on non-violent civil disobedience, allow city officials to review intelligence reports submitted to regional fusion centers, and require an annual audit of all SARs.
The measures adopted in Berkeley promote transparency while also aiming to prohibit the untethered, unfocused, and unconstitutional monitoring that has grown routine in many jurisdictions, where functional limits on collection, retention, or dissemination of intelligence information have remained elusive. Like Santa Clara County, the measure in Berkeley required sustained mobilization by a diverse local coalition that rendered opposition by local policymakers untenable.
In addition to challenging intelligence collection unhinged from suspicion of crime, the Coalition for a Safe Berkeley also mounted several other successful campaigns. One restrained police militarization by blocking the procurement of an armored vehicle, and another limited cooperation with federal officials using local public safety resources to facilitate immigration enforcement and build a vast biometric database including Americans.
As similar efforts proliferate across the country, we plan to invite local coalitions to collaborate on shared, decentralized campaigns to address continuing controversies at the federal level. For instance, grassroots efforts to seek greater transparency into police use of surveillance technology can build local networks poised to support the scheduled expiration next year of section 702 of the Foreign Intelligence Surveillance Act.
If you'd like to bring the battle to stop mass surveillance to your community, join the Electronic Frontier Alliance.
EFF’s team of fearless lawyers defends your rights on the frontlines of technology and the law, from police stops on the street to arguments in the courtroom to the halls of government where policies are ground out. EFF’s latest hire, Criminal Defense Staff Attorney Stephanie Lacambra, is a fierce and accomplished public defender who will lend her unique expertise to our ongoing and emerging battles against law enforcement and prosecutorial overreach.
I sat down with Stephanie to learn more about her story up until now and where she hopes this new endeavor will take her.
What kind of cases did you work on before joining EFF?
I was a public defender trial attorney for 12 years. I served first as a federal defender in San Diego fighting federal felony illegal entry and drug and alien smuggling cases for two years, then spent the next decade at the San Francisco Public Defender's office fighting everything from DUIs to robbery and attempted murder cases. My clients were all indigent, in that they could not afford their own attorney, and most came from some of the most disenfranchised and marginalized groups in our community.
What drew you to EFF?
I was drawn to work for EFF because of the phenomenal reputation it has for identifying issues of government overreach and shaping our fundamental rights to free speech and privacy in the digital age. The Internet has globalized our communities in an unprecedented way, but if we don't safeguard the individual liberties of users, we risk sacrificing our freedom of thought and expression. The purpose of EFF is to safeguard our right to have a voice unfettered by the prejudices and interests of those in power and to protect our basic right to self determination.
What issues are you looking forward to working on in the next few months?
I hope to organize and mobilize a network of criminal defense attorneys to identify and engage in tackling the worst cases of government overreach, whether it be via dragnet “network investigative techniques” or cell-site simulator searches or unwarranted electronic surveillance. We need to build a coalition of defense experts capable of shining a light on the government's unconstitutional practices of invading personal privacy and chilling free speech and thought.
What advice do you have for individuals who are stopped by police? What if the police want to search their phones?
The first words out of your mouth should always be: “I want my lawyer and I do not consent to any search." Then be quiet! Do not answer any questions and wait to speak to your attorney. The cops are allowed to lie to you and try to unduly influence you to talk. Do not listen to them. Once you have asked for a lawyer, they are supposed to stop talking to you.
How much should we be worried about how police are using new technologies?
We should be very worried about how police are using new technologies. Right now at the state level, police are routinely asking detainees and arrestees to unlock their phones and computers or to provide passwords for access. Do not provide such information. It will not help you to cooperate with law enforcement. Police are also using peer-to-peer sharing sites as well as other undercover web identities to induce people into agreeing to commit crimes like prostitution and possession of child pornography. Additionally, the FBI and some police departments are attempting to use cell-site simulator devices that trick your cell phone into transmitting specific location information directly to law enforcement.
Why should EFF—or lawyers in general—defend people even if they're not very sympathetic characters?
We have an obligation to provide rigorous defense for all those accused of crimes—sympathetic or not—because to do otherwise would render our criminal justice system completely meaningless. If I only represented people who I believed were innocent of all wrongdoing, I would not be serving as defense counsel but as judge, jury, and executioner. Often, the most marginalized and disenfranchised in our communities are themselves the most victimized by the system and in need of our help.
We hear you're a Star Trek fan—who is your captain and why?
I am a Star Trek TNG fan. I would pick Capt. Jean Luc Picard (Patrick Stewart) over the cocky and impulsive Capt. Kirk any day of the week; even if Picard would likely die in battle with Kirk, who would shoot first and ask questions later.
In a crucial win for Internet users, today a federal appeals court upheld [PDF] clear net neutrality rules that will let us all use and enjoy the Internet without unfair interference from Internet service providers. The rules will keep providers from blocking or slowing traffic, or speeding up traffic for those who pay.
Last year, EFF and other advocacy groups, along with millions of Americans, called on the FCC to do its part to defend Internet expression and innovation. We urged them to adopt focused rules based on a legal framework that would finally stand up to the inevitable legal challenge, but also limit their own authority in order to help prevent a future FCC from abusing its regulatory power. The FCC responded with an Open Internet Order that largely did just that.
The court today affirmed that Order.
In the process, the court firmly rejected a host of legal and policy arguments from major service providers. In fact, it was a blowout. Did the FCC have the authority to issue such rules? Yes. Did it follow proper procedures? Yes. Are the rules constitutional? Yes.
This is good news for the Internet. The net neutrality rules were a clear victory for the people of the Internet over special interests, and today the Court solidified that victory.
At the same time, we note a few elements of the decision that don’t quite match with the way we would have analyzed the matter. For instance, we are not fans of the “general conduct rule,” a catch-all provision that allows the FCC to police telecom practices on an ad hoc basis. The FCC says that decisions will follow a “seven-factor analysis,” but we do not know how the factors will be weighed. We urged the court to interpret the rule in a way that would create more certainty and prevent possible abuse by a future FCC, but the court did not believe this was necessary.
We are also concerned about the possible expansion of one of the FCC’s authorities. While the rules were, for the most part, clearly grounded in specific powers granted to the FCC, the Court also justified some on the basis of a less-clear provision: Section 706. Section 706 tasks the FCC with promoting the deployment of broadband Internet service. The FCC believes that this grants it broad authority to impose whatever regulations it believes will increase broadband deployment. We would prefer to see a limited, concrete authority used as the basis for regulation, and we are concerned about what restrictions a future FCC, less sympathetic to the open Internet, might impose with such broad-seeming authority.
We will be watching the FCC’s actions, and will challenge any overreach if necessary. And we will doubtless need to defend the gains we have made – the telecoms will doubtless seek to challenge the ruling in Congress and the Supreme Court.
But for now, the Internet should celebrate — our hard work has paid off once again.
Related Cases: U.S. Telecom Association v. FCC
Congress has passed reforms to the Freedom of Information Act, which EFF hopes signals the beginning of a larger overhaul of the transparency law that will mark its 50th birthday in July.
Earlier this year both chambers passed dueling FOIA reform bills. The House passed the FOIA Oversight and Implementation Act (H.R. 653) in January, while the Senate approved its own version – the FOIA Improvement Act of 2016 (S. 337) – in March. On Monday, the House approved the Senate bill, which will head to President Obama. He has previously indicated that he would sign it.
EFF supported the Senate bill over the House version because it did not contain harmful carve-outs for national security and intelligence agencies (for EFF’s breakdown of both bills, click here and here). We are therefore pleased to see the Senate version pass.
The Senate bill’s biggest change to FOIA codifies a restriction on agencies’ ability to arbitrarily withhold records. Under the bill, agencies cannot withhold records unless another law prohibits their disclosure or the agencies articulate how disclosure will harm an interest protected by FOIA’s exemptions.
EFF remains cautiously optimistic that this new language will lead to greater government openness.
The Senate bill also contains other changes to FOIA, including a provision that should help requesters seeking historic records. The bill puts a 25-year limit on agencies’ claims that records would disclose internal decision-making, in what is known as the deliberative process privilege. It also mandates that the government create a central online portal for anyone to file a request with any federal agency.
Although the bill is a positive step forward, it falls short of fixing some of FOIA’s biggest problems, including agency delay and stonewalling. EFF has previously called on Congress to provide more resources – both technical and financial – to speed up agency processing of FOIA requests. We think those incentives should be combined with penalties for agencies that do not meet deadlines or for personnel who actively thwart disclosure.
We’ve argued for big changes to the law that would mandate disclosure of records in close cases – the public interest in disclosure should outweigh secrecy. We’ve also argued for small changes, including adding a comma to make controversial law enforcement techniques more public and a requirement that all agencies accept FOIA requests via email.
EFF would like to thank Sens. John Cornyn (R-TX.) and Patrick Leahy (D-VT.) for sponsoring the Senate bill, along with Rep. Jason Chaffetz (R-UT.) for getting the bill through the House. We look forward to working with them on future improvements to FOIA.
Law enforcement agencies should not expand their electronic surveillance capabilities until they have addressed core problems of corruption, incompetence, poor oversight, and inadequate training.
Echoing concerns long raised by EFF, that’s the message the U.S. Department of Justice (DOJ) sent the Calexico Police Department (CPD) following a years-long investigation into alleged corruption by officers.
The shocking state of affairs in the California town of Calexico, which sits on the Mexican border, was laid bare in a scathing report released by the DOJ last month. Prompted by a 2014 incident in which a Calexico resident was allegedly kidnapped and beaten by police officers, the DOJ's Community Oriented Policing Services (COPS) found department-wide corruption and incompetence. One of the most notable examples of the unethical department culture includes spending roughly $100,000 in seized assets on surveillance equipment (such as James Bond-style spy glasses) to dig up evidence of dirty deeds by city council members and complaint-filing citizens with the aim of blackmail and extortion. The DOJ also listed numerous operational oversights, including broken police radios in approximately half of the patrol cars, confusion regarding policies on use of force, and a total lack of record-keeping for equipment issued to employees.
Despite the well-known allegations, the Calexico city council approved the purchase of city-wide street cameras and automatic license plate reader technology in June 2015. The city council did not make the implementation of these surveillance programs contingent upon the CPD adopting 169 recommendations to remedy department failures made in the DOJ report.
Mass surveillance devices, such as license-plate recognition systems that record the movement of vehicles and city-wide street cameras that record the activity of everyone and everything, have been approved for use in Calexico despite a pervasive lack of basic law enforcement training, supervision, oversight, and competence. The CPD will get to snoop on the city's inhabitants after decades of violating the public's trust.
This is a department that needs to be reined in. We should all be wondering (loudly) why city leaders are instead entrusting this entity with high-tech spying gear for mass data gathering.
During a community listening session initiated by the DOJ last July, Calexico residents expressed their lack of trust in both the CPD and the city council, stating that corruption and political games have compromised actual policing and investigative work. Taking that into account in their report, the DOJ team recommended that the CPD make major institutional overhauls before focusing on new surveillance techniques:
...[G]iven the personnel shortages, funding gaps, and significant organizational and technical deficiencies the organization is currently facing, the CPD needs to prioritize addressing these fundamental deficiencies while balancing the initial implementation of these [cameras].
Calexico is a microcosm of an epidemic we are seeing throughout American communities—the belief that mass surveillance and data gathering are panaceas that can take the place of honest police work. The DOJ report is a message to police departments everywhere that having more cameras pointed at citizens does not mitigate the need for proper training, competent leadership, and community engagement.
The residents of Calexico should not be spied on by the same police department that routinely fails to abide by federal policing standards at every level.
A bipartisan group of House members is preparing to introduce measures widely supported by their colleagues that would rein in NSA domestic surveillance and protect encryption. But a change in procedure adopted by the House leadership may deny the House a chance to even consider their proposal.
Based on their successful amendments to the House Defense Appropriations bill two years ago, Representatives Thomas Massie (R-KY), Zoe Lofgren (D-CA), and Ted Poe (R-TX) aim to reintroduce measures backed by civil liberties organizations and activists as amendments to the Defense Appropriations bill currently moving through the House.
By prohibiting backdoor searches and preventing the NSA and CIA from undermining encryption devices and standards, their proposals would represent a significant step forward in the ongoing battle to secure privacy and security in the face of ongoing unconstitutional surveillance documented in 2013 by Edward Snowden.
Stopping Backdoor Searches
The first measure would prohibit government funds from being spent to perform warrantless backdoor searches. Backdoor searches are when the government searches its database of intercepted online traffic for the communications of specific Americans—without a warrant, prior court authorization, or any external restriction.
Even policymakers can be targets of warrantless backdoor searches. For instance, members of Congress who exchange emails discussing a controversial foreign policy issue—say, for example, the nuclear anti-proliferation agreement with Iran—are likely to be included as NSA programs collect related communications. The same is true for any constituents who discuss foreign policy issues, either with their representatives or among themselves. Once one agency (often NSA) collects those communications to include in a government database, other agencies (such as the FBI) are able to search those communications without any restriction.
These searches are controversial because the Foreign Intelligence Surveillance Act (FISA) requires agencies to seek and secure a judicial warrant in order to intercept communications involving domestic targets. Backdoor searches circumvent this law by enabling agencies to spy on Americans without legal restrictions imposed by FISA to minimize the collection of intelligence about United States persons, and the retention or dissemination of that data.
Under the Massie-Lofgren amendment, the NSA would be prohibited from using any funding from the Defense Appropriations bill to conduct these kinds of warrantless searches targeting Americans.
A second provision would protect encryption standards and devices. In particular, it would prohibit Defense Department funds from being spent to create security vulnerabilities in software or hardware manufactured by American companies beyond their obligations already imposed under other laws.
In the past, the NSA has undermined encryption, user privacy, and security through a range of efforts, from "extend[ing] the reach of surveillance under cover of advising companies on protection," to intercepting hardware shipments and surreptitiously undermining their operation.
In the wake of widespread controversy stemming from the government's efforts to undermine the device encryption of Apple iPhones, public appreciation for encryption has only grown in the two years since the Massie-Lofgren amendment first passed the House.
When allowed an opportunity to support similar measures in 2014, policymakers came together across party lines to approve them, with 2/3 of the House in agreement to defend encryption and protect privacy. Their vote reflected a remarkable—and increasingly rare—bipartisan consensus.
Despite overwhelming support across both major political parties to defend encryption and curtail backdoor searches, Congressional leaders from both major political parties came together that fall to block meaningful reform by stripping the Massie-Lofgren measures from the final Senate bill. Today, their bipartisan sponsors are ready to introduce them again as amendments to this year’s Defense Appropriations bill.
Unfortunately, however, changes to the House rules imposed under Speaker Paul Ryan (R-WI) may prevent members from even considering the Massie-Lofgren amendments. The House Rules Committee could allow an open rule enabling amendments, or it could choose to maintain a closed rule permitting no debate on amendments to protect privacy and security.
Closing the backdoor search loophole and protecting encryption would continue the initial steps that Congress began in last year's USA Freedom Act, which imposed some limits on the collection and retention of telephone records and increased transparency at the secret FISA court.
Approving the Massie-Lofgren measures would also set the stage for the scheduled expiration in 2017 of other legal authorities enabling Internet spying, namely section 702 of the Foreign Intelligence Surveillance Act. While civil liberties groups remain united in calling for section 702 surveillance to end absent significant reform, Congress should take advantage of the bipartisan consensus across the House to impose limits before then on NSA and CIA activities that indirectly target Americans and undermine encryption standards that keep us safe.
At the very least, members of Congress should have a chance to consider the proposals, and an opportunity to cast their votes.