Aggregated News

The Clock is Still Running: Neither NSA Reform Nor Reauthorization Advances in Senate

eff.org - Sat, 23/05/2015 - 15:51

Tonight, the US Senate failed to move ahead with the USA Freedom Act, an NSA reform bill that would address phone record surveillance and FISA Court transparency and fairness. It also was unable to muster votes for a temporary reauthorization of Section 215 of the Patriot Act, the section of law used to justify the mass phone records surveillance program. That’s good news: if the Senate stalemate continues, the mass surveillance of everyone’s phone records will simply expire on June 1.

Section 215 of the Patriot Act has been wrongly interpreted in secret by the government for years. We commend every Senator who voted against reauthorizing the unconstitutional surveillance of millions of law-abiding Americans.

In the wake of tonight’s vote, Congress must stop stalling and address the surveillance and secrecy abuses of our government.

The battle isn't over. Senate Majority Leader Mitch McConnell is calling for another attempt to reauthorize Section 215 on Sunday, May 31, only hours before the provision is set to expire.

EFF urges Congress to again reject Section 215 reauthorization, and then turn to addressing other surveillance abuses by the US government, including mass surveillance of the Internet, the secretive and one-sided FISA Court, and the problems of secrecy and over-classification that have created the environment that allowed such spying overreach to flourish.

Related Issues: NSA Spying
Categories: Aggregated News

Oversight Report on FBI’s Use of Patriot Act Highlights Need for Intelligence Reform at Crucial Moment

eff.org - Sat, 23/05/2015 - 10:39

The Justice Department’s Office of the Inspector General (OIG) yesterday released another report on the Federal Bureau of Investigation’s use of Section 215 of the Patriot Act between 2007 and 2009. The report was long delayed due to declassification and redaction issues, but the timing is appropriate considering that the Senate is spending the waning hours of its legislative session considering the impending expiration of Section 215. 

That’s because the OIG report heightens the case for meaningful reform of the intelligence community by undermining many of the flimsy defenses offered by defenders of the status quo. Above all, the report demonstrates that secrecy and lack of oversight in the administration of surveillance laws are perhaps as significant as outright misuse.

Section 215 is most famously the authority that the National Security Agency claims allows it to conduct mass collection of Americans’ telephone records. A federal appeals court recently ruled that this interpretation was “unprecedented and unwarranted” and that the NSA’s program was illegal. However, the FBI is actually the agency that administers the law, presenting applications for the collection of information to the secretive Foreign Intelligence Surveillance Court (FISC) on behalf of NSA, as well as the FBI itself.

When the Patriot Act was reauthorized in 2005, Congress sought to address some concerns about Section 215 by mandating review by the OIG. The new report is the third to discuss the FBI’s use of Section 215, and it revisits some of the problems uncovered by the previous reports. Most egregiously, the FBI took seven years to obey a law intended to protect Americans’ privacy.  The 2005 reauthorization required the FBI to adopt particularized “minimization procedures” to limit the amount of private information retained and disseminated by the FBI under Section 215 by no later than March 2006. But the FBI didn’t do so until March 2013. During that time, of course, the FBI was continually assisting the NSA by filing applications for ongoing mass collection of telephone records, using an illegal interpretation of Section 215.

But the new report also shows that the government’s unauthorized interpretation of the “relevance” provision in Section 215 wasn’t the only strained statutory reading of the law. During its seven years of foot-dragging over Section 215 minimization procedures, the FBI instead used a set of “Interim Procedures” that incorporated existing FBI National Security Investigations (NSI) Guidelines and “construed” them to meet the new requirements of the 2005 reauthorization. But “FBI agents were already required to comply with the NSI Guidelines in their entirety,” so “the Interim Procedures did not add any new requirements.” In other words, the FBI unilaterally decided it could meet a new duty imposed by Congress by declaring its preexisting duty was enough.

As bad as the FBI’s years-long failure to comply with the law are the failures of the FBI’s overseers. The OIG first noted the problems with the FBI’s Interim Procedures in its 2008 report, but not until 2009 did the FISC, the court charged with evaluating the FBI’s 215 applications, take notice and ask the FBI to explain. Given that it still took another four years for the FBI to adopt the final procedures and that the FISC uniformly continued approving 215 applications all the while, it’s not clear the FISC’s involvement mattered much.

Nor does the ultimate outcome of this story instill much confidence in the process. Even the final Section 215 minimization procedures from 2013 contain key language allowing retention of information “necessary to understand foreign intelligence.” As the report notes, this standard is undefined and is subject to open-ended interpretation by government lawyers, which risks undermining the minimization procedures’ privacy protections.

As we’ve described at length, the FISC is hamstrung by its secrecy and the one-sided nature of its proceedings, something this report illustrates in detail. Moreover, the OIG itself had repeated difficulty obtaining certain information for its reports because the FBI claimed that it was not allowed to disclose this information for “oversight purposes.”

The new OIG report also has large swaths of information redacted from the public version, and some of these redactions are troubling for anyone who favors robust oversight. For example, the report discusses the use of Section 215 for bulk surveillance—a fact the government only officially acknowledged after Edward Snowden disclosed proof—but the only unredacted information in this section of the report concerns the NSA’s phone records program. Despite the redactions, it is clear that Section 215 is used for bulk collection of other records, something that has been previously reported. Other examples abound: the report notes that the FBI employs a “classified directive” to define the term “U.S. Person” and that the agency cannot definitively say what information counts as “metadata.” The withholding of this information from public scrutiny confounds true oversight, including any attempt to do an accounting of how many Americans are subject to surveillance under Section 215.

Public debate about surveillance reform and Section 215 has understandably focused on the NSA and the phone records program. The OIG report, however, is an excellent reminder of several key points as we continue to fight: 1) Our concerns about the NSA should not cause us to ignore the FBI’s role in illegal surveillance; 2) Section 215 is about much more than bulk collection of phone records; and 3) so long as the intelligence and law enforcement communities can easily hide behind “it’s classified,” true reform will be a long way off.



Why Mitch McConnell Cannot Be Allowed to Decide the Fate of the Patriot Act

eff.org - Sat, 23/05/2015 - 08:55

Senate Majority Leader Mitch McConnell has made it clear this week that, while the Senate is rapidly approaching recess, the Senate “will stay in [session] until a deal is struck to extend” the Patriot Act. McConnell has also introduced legislation for both long-term and short-term reauthorization of the Patriot Act’s expiring provisions. It seems that McConnell is trying to bully the entire Senate into passing short-term reauthorization, giving him more time to further weaken reform efforts.

A look at McConnell’s history makes this unblinking support of unconstitutional surveillance less surprising. But what is impressive is his commitment to supporting untenable positions. He acts as if the Snowden leaks, which helped expose just how out of control NSA spying is, as well as the recent Second Circuit decision holding that the NSA’s telephone records program was unlawful, never happened.

This was especially apparent today, when McConnell stood on the Senate floor and rattled off a litany of the exaggerated threats that NSA defenders have been relying on to scare Americans into submission: ISIL, Al Qaeda, Al Shabaab, safe havens in Syria for extremists, and safehouses in Yemen for terrorists. He wrapped it up with an all time greatest hits of NSA defenders, explaining why he thinks we need bulk collection (more on that below).

So what was McConnell saying pre-Snowden? An op-ed he wrote in support of Patriot Act reauthorization in 2007 shows that he hasn’t changed his tune at all in eight years. In fact, he practically could have been reading sections of the article as he stood on the Senate floor today to defend NSA spying. And earlier this month, he said, “This has been a very important part of our effort to defend the homeland since 9/11.” In 2011, after President Obama signed the most recent Patriot Act extension, he claimed that the Patriot Act has “kept us safe for nearly a decade and Americans today should be relieved and reassured to know that these programs will continue.” That’s been his position all along, without regard to what the rest of Americans (or the world, for that matter) think, after all they’ve learned about NSA overreach.

Here’s why, in his own words (which apparently are evergreen, no matter how much we find out about NSA spying abuses), McConnell is clearly the wrong person to be calling the shots when it comes to NSA reform:

McConnell: Intelligence officials tell us the Patriot Act is as valuable today as the day it was signed. They have given us real-world examples of its positive impact in discovering and disrupting terrorist plots overseas and at home.

While intelligence officials have certainly maintained that surveillance under the Patriot Act is valuable, we (and Mitch McConnell) know those claims are overblown, and sometimes simply false. Although surveillance under the Patriot Act has been shrouded in secrecy, because of Snowden’s leaks, claims about the efficacy of these programs have come under scrutiny. The specific contention that “54 attacks have been stopped” by bulk phone records collection has been thoroughly debunked. In fact, Sen. Patrick Leahy forced former NSA director Keith Alexander to admit that the “54 attacks” claim was inaccurate in front of Congress.

Independent studies from the President’s Review Group, the Privacy and Civil Liberties Oversight Board, and the New America Foundation have all made it clear: we don’t need bulk phone records collection.  

McConnell: After all, the best piece of evidence is the one that is most obvious and most important: not a single successful attack on U.S. soil since the morning we awoke to the danger and acted on it in our laws. 

While this may have been accurate in 2007, it is, unfortunately, not true now. The Boston Marathon bombing was a tragic example of a terrorist attack on U.S. soil. After the attack, there were questions about whether the FBI could have done more, but the FBI made it clear that there was nothing else it could have done. And while some have claimed that’s because of the legal limits on what the FBI can do (more on that below), Rep. Jim Sensenbrenner very sensibly pointed out that mass records collection can actually be detrimental: “It didn't stop the Boston Marathon Massacre. Sometimes too much information means that what you are looking for is actually a very small needle in a very large hay stack. You can be drowned in too much information.”

And while the Boston Marathon bombing got a justifiably significant amount of media attention, there’s also an epidemic of domestic terrorism against American Muslims that’s getting little attention. In particular, the arson of mosques has become more and more widespread. This kind of terrorism isn't what Section 215 of the Patriot Act was aimed at addressing. But domestic terrorism was a significant focus of other provisions of the law. Yet these crimes are never talked about in the same breath as the Patriot Act—and that’s not only because terrorism against Muslims is low on the media and government’s list of concerns. It’s also because hate crimes against Muslims have dramatically increased since the passage of the Patriot Act, not decreased. There’s no official government estimate of how many of these qualify as terrorism. But under the definition from Section 802 of the Patriot Act itself, nearly any hate crime would qualify.[1] This epidemic of terrorism simply doesn’t fit into the contrived narrative of why we need the Patriot Act. But since these are terrorist attacks against Americans, McConnell might want to focus on this blatant homeland security failure, instead of trying to reauthorize a program of limited usefulness.

McConnell: [The provisions in the Patriot Act] removed bureaucratic barriers that had kept intelligence officials and criminal investigators from sharing information, a simple but major shift that FBI director Robert Mueller has credited with "significantly alter[ing] the landscape for conducting terrorism investigations.”

The oft-repeated claim that had the Patriot Act been in place before 9/11, the NSA would have been able to stop the attack is simply false. According to a 2004 report from the 9/11 Commission, authored by Senior Counsel Barbara Grewe, which the government did not declassify until five years after it was written:

The information sharing failures in the summer of 2001 were not the result of legal barriers but of the failure of individuals to understand that the barriers did not apply to the facts at hand. Simply put, there was no legal reason why the information could not have been shared.

These problems still persist. According to the Government Accountability Office website, as of 2015 “The sharing of terrorism-related information has been designated as high risk [for fraud, waste, and abuse, or mismanagement] because the government faces formidable challenges in analyzing and disseminating this information in a timely, accurate, and useful manner.”

McConnell: Indeed, alarmist concerns notwithstanding, the Patriot Act is one of the most important and overdue pieces of legislation in a generation. My guess is that most Americans were more alarmed to discover that arcane laws once hobbled intelligence agents from tracing terrorist phone calls than they are by the streamlined practice of it now.

McConnell was certainly right when he said the Patriot Act is one of the most important pieces of legislation in a generation. But that’s not because of the reasons he may have thought. It’s one of the most important pieces of legislation in a generation because it is under the guise of the Patriot Act that the NSA has committed some of the most blatantly unconstitutional surveillance this country has ever grappled with.

And he’s also wrong about how Americans feel about surveillance. A recent study by Global Strategy Group (commissioned by ACLU) found:

By nearly a 2:1 margin (60% modify, 34% preserve), Americans believe the Patriot Act should not be reauthorized in its current form. With broad, bipartisan support across all ages, ideologies and political parties, voters are rejecting the argument that the Patriot Act should be preserved with no changes because of potential terrorist threats.

What’s more, the 2004 Grewe report made it clear that it was actually a severe lack of understanding of what McConnell is calling “arcane laws”—in particular the Foreign Intelligence Surveillance Act (FISA)—that led to intelligence failures. Agents missed information-sharing opportunities because of an “overabundance of caution” on the sharing of information by the NSA, as well as a failure to use all the tools available. For instance, the FBI knew it had reason to be concerned about would-be 9/11 hijacker Zacarias Moussaoui. But because they had considered starting an investigation that might require a FISA warrant, when it came to using a criminal warrant to get the information they needed “they just did not think about that option at the time.”

When it came to sharing information about the movements of hijacker Khalid al-Mihdhar, the report explains: “everyone was confused about the rules governing the sharing and use of information gathered in intelligence channels.” What’s more, in the years, months, and days before 9/11, the NSA already had access to a massive database of Americans’ call records. Analysts—at NSA or CIA—could have easily searched the database for calls made from the U.S. to the safehouse in Yemen. They simply didn't.

What should be most alarming to Americans is the level of incompetence that these failures, which could have possibly prevented the tragedy of 9/11, demonstrate. Yet these same intelligence agencies continue to conduct invasive, overbroad surveillance and ask for ever more authority—without ever really addressing the problems that led to their massive failure in 2001.

McConnell: If there is one lesson from Sept. 11 that we should have learned by now, it is that the people who protect us from terrorism should have more, not fewer, tools to do their jobs. The Patriot Act and FISA are among the most valuable. It is time we acknowledged as much.

Senator McConnell’s bald-faced use of the tragedy of 9/11 as an excuse for surveillance programs that trample on the Constitution is as repugnant now as it was then. EFF has always thought that bulk collection was unconstitutional—that’s why we’ve been suing the NSA since 2008, years before the first Snowden leak. And now, unlike then, the truth has been very clearly demonstrated. Of course, it’s not because the government decided to come clean. We know the truth because of those leaks and because of all the transparency work being done by privacy advocates. Quality over quantity must be the rule for surveillance tools. The people who protect us from terrorism should have tools that actually work, while maintaining the privacy and civil rights of all Americans. If you agree, call Congress now and let them know.


[1] "Domestic terrorism" means activities with the following three characteristics:

  • Involve acts dangerous to human life that violate federal or state law;
  • Appear intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
  • Occur primarily within the territorial jurisdiction of the U.S.

 

Related Issues: NSA Spying
Related Cases: Smith v. Obama; Klayman v. Obama; Jewel v. NSA; First Unitarian Church of Los Angeles v. NSA

The Unexpected Policy Laundering Implications of the Garcia v. Google Dissent

eff.org - Sat, 23/05/2015 - 07:13

The Ninth Circuit Court of Appeals this week sensibly, if belatedly, reversed its mistaken order requiring Google to take down a controversial video based on a specious copyright claim. But there’s more to this story than the free speech win. Unfortunately, Judge Alex Kozinski's dissent points to an alarming policy laundering trend in its reliance on the Beijing Treaty for Audiovisual Performances, a deeply problematic international agreement that the United States has signed but not yet ratified.

Two major factors make Judge Kozinski's dependence on the Beijing Treaty a stretch. For one, the Treaty doesn't even go into effect until 24 more countries ratify it. For another, he cites specifically to the Patent and Trademark Office Fact Sheet—and as the majority notes, that agency "lacks legal authority to interpret and administer the Copyright Act."

All of that said, the really troubling part about Judge Kozinski's Beijing Treaty citation is that it may herald a new and particularly pernicious form of policy laundering.

The scholar Margot Kaminski explained how that might be the case earlier this year, after Judge Kozinski mentioned the Beijing Treaty during Garcia oral arguments. The concerns she outlined then are even more resonant now:

Policy laundering—the idea that policy makers can use international law to make legal changes domestically—is familiar to IP attorneys. But such laundering has occurred in the past when Congress used new international obligations as justification for altering domestic law. Judge Kozinski’s thinking … would create a new, sleeker, opportunity for policy laundering, one in which Congress is almost entirely uninvolved.

Supporters of secretive agreements like the Trans-Pacific Partnership (TPP) argue that they don't require a change to U.S. law. Because new policies won't end up getting laundered in, they claim, transparency is less important.

Judge Kozinski's argument demonstrates the problem with that reasoning. Even if you take negotiators' word that they're hewing close to U.S. law, they're still engaging in what Kaminski has elsewhere dubbed “regulatory paraphrasing”: because they're not transcribing U.S. law verbatim, they're necessarily making interpretations. Those interpretations can make non-obvious but important changes, like transforming a standard into a rule, or vice-versa.

Ambiguities in the law, which should properly be interpreted by judges, end up getting settled by negotiators and the corporate lobbyists that influence them. When judges cite these interpretations, it can close the policy laundering loop, crystallizing policy made through an inappropriate (and often secretive) legal process. We saw hints of it from the Solicitor General in the Aereo Supreme Court argument, and we see it too with legislators who bring up possible conflicts with international agreements as an argument against domestic reform.

Judge Kozinski has written compelling and impressive dissents before—the 1993 White v. Samsung is a classic in the genre. Unfortunately, in Garcia he missed the mark. We’re glad the majority rejected arguments and chose instead to support traditional copyright principles.

Related Issues: Fair Use and Intellectual Property: Defending the Balance
Related Cases: Garcia v. Google, Inc

Victory: Photo Hobbyist Prevails Over Junk-Patent Bully

eff.org - Sat, 23/05/2015 - 04:12
Garfum Abandons Case Against ‘Vote-For-Your-Favorite’ Online Competitions

Camden, New Jersey – Patent bully Garfum has abandoned its lawsuit against an online photo hobbyist, just one day after a federal judge set the date for a face-off in court against lawyers for the Electronic Frontier Foundation (EFF).

EFF together with Durie Tangri LLP represent Bytephoto.com, which has hosted user-submitted photos and run competitions for the best since 2003. In 2007, a company called Garfum.com applied for a patent on the “Method of Sharing Multi-Media Content Among Users in a Global Computer Network.” The patent takes the well-known concept of a competition by popular vote and applies it to the modern context of generic computer networks, and Garfum claims that it covers the rights to online competitions on social networks where users vote for the winner—despite the fact that courts have ruled that this kind of abstract idea using generic computer technology cannot be patented.

Garfum used this patent to accuse EFF’s client of infringement, filing a federal lawsuit without warning. EFF moved to dismiss the complaint earlier this year, arguing that the junk patent should be declared invalid. But after all the briefing had been completed and just one day after the court scheduled a hearing on the motion to dismiss, Garfum capitulated: it dropped its case with a promise not to sue Bytephoto.com again rather than defend its patent before a judge.

“We’re pleased that Garfum has abandoned its claims against our client. But it’s a travesty that this case was ever filed in the first place,” said EFF Staff Attorney Daniel Nazer, who is also the Mark Cuban Chair to Eliminate Stupid Patents. “Our client began running online ‘favorite photo’ competitions years before this patent was filed. The idea that you could patent this abstract idea, find innocent enthusiasts online and demand settlement money—and then slink away once challenged and before the court issues a ruling—goes against any sense of fair play.”

“Patent bullies count on not having to defend their weak patents in a court of law. They drive up costs with baseless lawsuits and then bow out before getting a decision they don’t like,” said EFF Staff Attorney Vera Ranieri. “So while we are glad our client doesn’t have to worry about Garfum anymore, there’s still a lot of work to do in the fight against bad patents.”

Joe Gratz of the law firm Durie Tangri LLP and Frank Corrado of Barry, Corrado & Grassi, PC are co-counsel with EFF.

For more on this case:
https://www.eff.org/cases/garfum-v-reflections-ruth

Contact:
Daniel Nazer, Staff Attorney and Mark Cuban Chair to Eliminate Stupid Patents, daniel@eff.org
Vera Ranieri, Staff Attorney, vera@eff.org

California Attorney General Locks Down Wiretap and Other Criminal Justice Data

eff.org - Sat, 23/05/2015 - 02:55

The California Attorney General's office is required every year to compile details on each state-level wiretap order filed by local prosecutors. 

Mandated by the legislature as a transparency measure in the highly secret process of electronic surveillance, the annual California Electronic Interceptions Report is a wellspring of information for criminal justice research. But this year, the California Department of Justice (CADOJ) says that, from here on out, these reports—and potentially all of its criminal justice data—will only be issued as locked PDFs, significantly limiting the public’s ability to analyze the information in alternative formats.

California Attorney General Kamala Harris' new policy is a slap in the face to transparency and is a step in the opposite direction of the nationwide trend to embrace open data.

The 2014 California Electronic Interceptions Report, released last month, clocks in at 168 pages, with data on electronic surveillance from around the state presented in a series of complex tables, some spanning more than 30 pages. For each wiretap, the document outlines how many people were affected, how many communications were intercepted, the costs of the surveillance, and the number of arrests and the amount of property and drug seized as a result of the investigation. 

Download ZIP file of the California Electronic Interceptions Report PDF files 2009 - 2014. 

Download ZIP file of California Electronic Interceptions Report DOC files 2009 - 2013. 

Among the highlights:

  • California law enforcement agencies filed 971 wiretap applications in 2014, an increase of more than 44 percent compared to 2013.
  • Wiretap orders led to approximately 480 arrests, the largest portion of which were drug related. Only 41 people were convicted in 2014 as a result of that surveillance.
  • Riverside County remains the leader in wiretaps in the state, with 624 orders filed in 2014. That’s far more than every other reporting county combined. That’s also more than four times the number of wiretaps applied for by Los Angeles County, the state’s most populous county.
  • Wiretaps in California in 2014 cost a total of $31 million, of which $28 million was spent on personnel and $3.1 was spent on equipment, supplies, and installation fees. This represents a 17% increase over 2013.
  • 35 counties, including San Francisco, San Mateo, and Santa Cruz, reported filing no wiretap applications at all.

This information can be spotted with the naked eye, but much more information would be available if the researchers could analyze the data in a machine-readable format.

CADOJ offers little explanation regarding the massive expansion of wiretaps in the state, providing only a single page of cheerleading for all the drug trafficking seizures and arrests reported by law enforcement. In this introduction to the report, CADOJ staff recommends that the sprawling tables “should be read in conjunction with one another to evaluate the impact intercepts have on public safety.” However, the department's decision to publish the document as a locked PDF impedes researchers’ ability to conduct exactly this type of impact analysis.

Last year, when EFF filed a California Public Records Request for the raw electronic interceptions data, CADOJ anticipated it would be extremely time-consuming to export. Instead, EFF and CADOJ agreed on an expedient compromise: it would provide EFF with the Microsoft Word document version of the reports, from which it would be much easier to extract the data.

This year, we filed a CPRA request with the CADOJ requesting the data on the same terms. No deal, they said:

… our Office has changed its security protocol regarding reports and other documents that are made available electronically to members of the public on our public web site. Now, all such reports and documents appearing on our public website are only made available to members of the public in a locked PDF format. We have made this change in order to better protect the security and integrity of the data in our public records.

This new policy position will have significant ramifications for public access to criminal justice data across the board. The position also sets a precedent for local law enforcement around the state to make it more difficult for the public to access data.

It is also wrong as a matter of law. In California, state agencies are required to produce records in “any electronic format in which it holds the information.” But the CADOJ is citing a section of the law that says agencies don’t have to hand over records in electronic format that would “jeopardize or compromise the security or integrity of the original record.”

We formally asked CADOJ to explain how, exactly, providing either a Word document, spreadsheet, or other data file jeopardizes the security or integrity of the data any more than publishing a PDF. After all, a PDF can be as easily doctored as any other file.

A month later, CADOJ has yet to respond.

Right now, it would take significant expertise to scrape all the data from the electronic intercept reports from a PDF while maintaining the accuracy of the information. When we asked Steven Rich, database editor for investigations at the Washington Post, for his evaluation, he wrote back:

It's possible to get the data out of the PDF but it's an amazing amount of work to get it in a usable form. This is an insanely difficult format, given that the file, based on the metadata, came out of Word. The only format worse than a PDF in this case is a scanned PDF.

If the California Attorney General were to release the data openly, it would provide the public with a variety of ways to view how wiretaps are conducted in California. For example, the public could learn:

  • in aggregate, the number of people whose communications were intercepted across the state;
  • in aggregate, the number of communications that were intercepted across the state;
  • the total percentage of communications that were actually incriminating, versus communications that were irrelevant;
  • the number of wiretaps in which the agency did not provide any information required by law; and
  • trends in how wiretap use compares year over year, county by county.

Open data would also allow for outside researchers and organizers to create interactive systems for searching and analyzing the data, which could uncover many more interesting trends and anomalies and create new opportunities for public oversight of the criminal justice system. 

The California Attorney General’s office ought to rethink its policies immediately. The state legislature is currently considering new data collection powers for CADOJ regarding issues such as racial profiling and police use of force—most of which declare from the get-go that these records should be public.

Rather than worry about the integrity of the data, CADOJ should be worrying about its own integrity when it comes to transparency in California’s criminal justice system.



Colombia's Intelligence Regulation Flunks on Human Rights

eff.org - Fri, 22/05/2015 - 20:10

Today, states have ever more means of surveilling people's communications thanks to constant technological advances. Now more than ever, states have a greater capacity to carry out simultaneous, passive, invasive and large-scale surveillance. This poses a risk to various rights recognized in states' constitutions and in the international human rights treaties they have ratified.

So begins the report “Vigilancia de las comunicaciones por la autoridad y protección de los derechos fundamentales en Colombia” (Surveillance of communications by the authorities and protection of fundamental rights in Colombia), prepared by Katitza Rodríguez, international human rights director at the Electronic Frontier Foundation (EFF), and Colombian lawyer Juan Camilo Rivera, who point out how intelligence regulation in Colombia is flunking on human rights.

The report is the result of research carried out by the Electronic Frontier Foundation, the Comisión Colombiana de Juristas, and Fundación Karisma. Its analysis establishes that Colombia has neither sufficient legal safeguards nor sufficient government transparency to protect fundamental rights when the state carries out surveillance activities.

The document is part of a global initiative led by 350 civil society organizations, originally embodied in the 13 International Principles on the Application of Human Rights to Communications Surveillance, a document that has been cited in the latest report of the United Nations High Commissioner for Human Rights on privacy in the digital age and in the privacy report of the Special Rapporteur for Freedom of Expression of the Inter-American Commission on Human Rights.

While preparing the report, we made clear that it is time for states to meet their international human rights obligations when they conduct surveillance activities. Mass, unchecked surveillance has no place.

Mateo Gómez, of the Comisión Colombiana de Juristas, on the report's recommendations:

“They urge the bodies of the Colombian Congress that oversee intelligence and counterintelligence activities not only to verify that surveillance work pursues legitimate aims, but also to confirm that it is necessary, suitable and proportionate.”

The document describes how fundamental rights are affected in Colombia when telecommunications operators such as Claro, Telefónica or ETB are required by law to retain their users' data for a minimum period of 5 years. That is an excessive period from every point of view, considering that the European Court of Justice (ECJ) of the European Union struck down the directive that imposed an obligation to retain data for a minimum of 6 months and a maximum of 2 years.

The report calls for legal safeguards against unchecked surveillance, in light of recent scandals in Colombia:

“The changes made after the DAS wiretaps (“chuzadas”) did not prevent the questions raised about PUMA, nor did they let us find out what really happened in Andrómeda. What they did show is that national security is pursued through heightened surveillance full of security cameras, biometric information, communications monitoring and data collection in order to know everything about everyone, with no checks and balances.”

This work will be presented on May 22 to the main public institutions responsible for regulating, carrying out or overseeing communications surveillance.

Files: Vigilancia de las comunicaciones por la autoridad y protección de los derechos fundamentales en Colombia
Related Issues: International, Surveillance and Human Rights

Federal Anti-SLAPP Bill Introduced in the House

eff.org - Fri, 22/05/2015 - 11:43

A bipartisan group of representatives, including Reps. Blake Farenthold (R-TX) and Anna Eshoo (D-CA), recently introduced the SPEAK FREE Act of 2015, a bill that would help protect victims of Strategic Lawsuits Against Public Participation, also known as SLAPPs.

Plaintiffs who bring SLAPPs are not primarily interested in winning the lawsuits. Instead, their goal is to harass, intimidate, and ultimately silence critics through the drama, cost and time-consuming nature of litigation. Anti-SLAPP laws provide defendants with a procedural mechanism to quickly dismiss the case and, often, to obtain attorneys' fees, thereby creating a disincentive for plaintiffs to file harassing lawsuits that target speech.

EFF has long followed the problem of SLAPPs in the online space, including those brought against speakers who wish to remain anonymous. There are all kinds of SLAPPs brought against all kinds of defendants. In one case, EFF defended the creator of the online comic The Oatmeal after he was sued for defamation for criticizing the rival humor website FunnyJunk.

The most significant aspect of the SPEAK FREE Act is the breadth of its applicability. The bill would authorize the transfer of cases originally brought in state court to federal court. This “removal” authority would be beneficial to defendants who are sued in state court in the 22 states that do not have an anti-SLAPP law, as well as in states with weaker anti-SLAPP laws. Authorizing the removal of cases to federal court would be a powerful means of enabling SLAPP defendants to invoke the federal procedural defense created by the SPEAK FREE Act.

A federal anti-SLAPP law would also significantly advance the free speech interests of defendants originally sued in federal court. A federal anti-SLAPP law is needed because state anti-SLAPP laws do not apply to cases in federal court based on federal law. For cases in federal court that include some or all state law claims, there is a split in precedent: the DC Circuit, for example, said that DC’s local anti-SLAPP law cannot be applied to cases in federal court that are based on state law; whereas, other circuits have said that state anti-SLAPP laws can be applied to state claims in federal court cases. A federal anti-SLAPP law would apply to all relevant cases filed in (or removed to) federal court.

Once a case is in federal court, the SPEAK FREE Act would allow a SLAPP defendant to quickly end the case by filing a special motion to dismiss. Importantly, the bill would also provide protection for a SLAPP defendant who wishes to remain anonymous by authorizing the filing of a motion to quash a plaintiff’s request for the defendant’s personally identifying information (such a request is usually sent to an online service provider).

In the special motion to dismiss, the defendant would have to make “a prima facie showing that the claim at issue arises from an oral or written statement or other expression by the defendant that was made in connection with an official proceeding or about a matter of public concern.”

A “matter of public concern” is broadly defined as an issue related to health or safety; environmental, economic, or community well-being; the government; a public official or public figure; or a good, product, or service in the marketplace. The intent is to protect a wide variety of speakers, including online reviewers who find themselves as defendants in the typical modern SLAPP.

In order to overcome the motion to dismiss and enable the case to move forward, the plaintiff would have to demonstrate that “the claim is likely to succeed on the merits.”

The judge would be able to consider the “pleadings and affidavits stating the facts on which the liability or defense is based,” similar to the summary judgment standard in federal court. The judge would also be permitted to order targeted discovery if needed to decide the motion to dismiss, but full discovery would be paused (“stayed”) during the consideration of the motion.

If the defendant wins the special motion to dismiss, the judge would be required to dismiss the case with prejudice (the plaintiff cannot file the case again) and award the defendant reasonable attorneys' fees, litigation costs, and expert witness fees. However, if the defendant loses the motion and the judge finds that it was “frivolous” or was “solely intended to cause unnecessary delay,” the judge would have to award reasonable attorneys' fees, litigation costs, and expert witness fees to the plaintiff.

The judge would be required to rule on the special motion to dismiss within 30 days of the motion being briefed or argued. The idea is to force a speedy resolution when a case implicates free speech interests. The party that loses the motion would be permitted to immediately appeal the decision.

The bill includes some exceptions where a defendant would not be permitted to file a special motion to dismiss the case: when the plaintiff brings a claim in the public interest; when the plaintiff is the government in an enforcement action; and when the defendant is a business being sued for speech about its product or service or that of a competitor (such as false advertising).

A federal anti-SLAPP law would be an important addition to existing constitutional and statutory law that protects free speech online, including the Supreme Court’s creation of the higher actual malice standard under the First Amendment for allegations of defamation of public officials and public figures; courts’ application of the First Amendment to protect anonymous speakers; and Section 230, which largely protects Internet intermediaries from being held liable for illegal content posted by their users.

EFF applauds the bipartisan effort of the representatives who introduced the SPEAK FREE Act. We hope Congress will quickly act on this important legislation.

Disclosure: I am on the board of directors of the Public Participation Project, which advocates for a federal anti-SLAPP law.

Related Issues: Free Speech, Anonymity, CyberSLAPP
Related Cases: Carreon v. Inman

Colombians to Their ISPs: Where Is My Data?

eff.org - Fri, 22/05/2015 - 04:37

In today's society everything is connected on the Internet. Information about where we live or work, what our income is, our tastes and preferences, personal relationships and daily activities, political affiliation, sexual orientation and religious identification is online, can be collected by third parties, and forms part of the surveillance carried out by governments and other actors. While companies that offer Internet services are subject to various regulations on how they handle our personal and confidential data, their privacy policies and terms of service lack clarity about the protocols they use to protect their customers' information. That is why it is worth asking: do you know where your data is right now? Do these companies take care of it? Do they tell you if the government asks for it? The report “¿Dónde están mis datos?” (Where Is My Data?) was created to answer these questions.

Fundación Karisma, one of the leading Latin American NGOs working to promote human rights in the digital world, and the Electronic Frontier Foundation (EFF) have joined forces in an initiative that seeks to foster greater transparency among Internet service providers (ISPs) in Latin America. The effort is coordinated by EFF in five countries in the region, in partnership with Red en Defensa de los Derechos Digitales in Mexico; Hiperderecho in Peru; InternetLab in Brazil; TEDIC in Paraguay; and Fundación Karisma in Colombia.

Fundación Karisma is a pioneer in this initiative, publishing the first report of its kind in Latin America under the name “¿Dónde están mis datos?”. The report analyzes which Internet access providers stand by their customers and adopt transparency as a norm when faced with government requests for information. The aim is to allow users to make informed decisions about the companies they do business with. The report seeks to promote the adoption of good transparency practices by companies regarding the flow of data to the government, and also aims to strengthen their public commitment to defending users' rights.

"Internet service providers in Colombia must be transparent about the extent to which they provide their users' data to the government," said Katitza Rodríguez, EFF's International Rights Director, today during the launch of the event in Bogotá. "Fundación Karisma's report '¿Dónde Están Mis Datos?' examines the privacy policies of Colombia's most popular Internet providers to offer a clear view of how transparent these companies are with their users about government requests for information. The report is an important tool for users seeking to make informed decisions about companies that respect their information."

For this report, Fundación Karisma examines the publicly available policies and terms and conditions of use of the country's four largest Internet access intermediaries by number of subscribers. That ranking is based on the Boletín Trimestral de las TIC Banda Ancha (quarterly ICT broadband bulletin) published in September 2014 by Colombia's Ministry of Information and Communication Technologies, which shows that about 91% of registered subscribers are customers of one of these companies operating in Colombia: Telmex Colombia S.A. (CLARO), UNE EPM Telecomunicaciones S.A., Colombia Telecomunicaciones S.A. (Telefónica) and Empresa de Telecomunicaciones de Bogotá S.A. (ETB). A fifth company, DIRECTV, was also included because it recently began offering Internet access service and is a multinational company with a large impact in the country. It should also be noted that, although UNE and Tigo merged in 2014, the two companies maintain independent policies, so it was decided to keep the evaluation of UNE in order to review a company that has great influence outside the country's capital.

Fundación Karisma evaluated the public information available on the websites of the five companies. They were assessed according to how fully they disclose their privacy policies and terms and conditions of use to their customers. The evaluation was based on five criteria:

  1. Whether the ISP publishes transparency reports. The report evaluates whether companies provide data about government requests for personal data and other sensitive information. These reports give people some information about the scope and nature of the requests for user information that governments make for their investigation and surveillance processes. Although companies are not legally required to publish these transparency reports, and are limited by governments as to the scope of what they can publish, releasing these documents is good practice and shows that companies care about their customers. Every day more Internet and media companies around the world are publishing these reports, among them Google, Facebook, Twitter, Microsoft and Vodafone. Transparency reports include information such as the number of requests a company receives from the government, the number of times the company has rejected these requests (with the arguments it put forward), and details of the requests by requesting authority, type of request, purpose, and number of accounts affected by each request;
  2. Whether the ISP notifies users about government data requests. This is an important point because it allows users to challenge surveillance requests or seek other means of defense;
  3. Whether the ISP's data protection policies are public and easily accessible to users. Although there is a legal obligation to publish the privacy policy, that does not mean that in practice these documents are easy to find or understandable for users;
  4. Whether the ISP publishes manuals on compliance with legal obligations that may affect users' privacy. That is, whether it has manuals indicating how it complies with its obligation to hand over its customers' personal data at the request of a competent authority, how long it retains that data and how it deletes it, if it does so at all; and
  5. Whether the ISP is clear with users about the ways in which it filters, removes or blocks content and cancels or suspends services. Although ISPs are legally required to block content on grounds of child pornography, and they themselves often include in their contracts lists of reasons for filtering, blocking and removing content, they need to be clearer with users about why and how they do so, and to indicate what kind of action can be taken when abuses are believed to have occurred.

“¿Dónde están mis datos?” aims to drive better business practices by ISPs for the benefit of users; it seeks to identify areas where transparency is needed and to raise awareness of how ISPs and the government are using users' personal data, so that users can make more informed decisions when choosing an Internet service provider.

The evaluation criteria were inspired by the methodology used by EFF and other similar projects around the world, taking into account the particularities of the Colombian case. The results are shown as stars or fractions of stars (depending on whether the information consulted was fully available, partially available or not available). A full star means the ISP met the criterion; half a star means the information found was partial. In some cases a quarter star was awarded in recognition of the development of good practices in a company's policies. No stars were awarded when there was no information.

Fundación Karisma contacted the five companies evaluated to explain the aim of the report, present the preliminary results each had obtained, and give them the opportunity to provide feedback on the analysis, identify issues that had not been considered, and provide evidence that could improve the evaluation. The observations and comments made by the ISPs were considered in the final evaluation.

The results: vague and unclear policies, together with a lack of transparency about the role these companies play in handing personal information to the government, leave plenty of room for improvement.

This year DirecTV was the only company to earn a full star for publishing its data protection policy in a form that is clear and accessible to the public. Unfortunately, the results of the report “¿Dónde están mis datos?” show that this is the exception to the rule; typically, users have a hard time finding these documents on the ISPs' official websites, and the documents are vague and contain excessive provisions such as the retention of personal data even after the contract has ended.

Karisma found that most of the ISPs' terms and conditions of use do not state whether these companies notify their subscribers when the government requests their data or, if they do, how. It is important to stress that this notification is essential for users to be able to challenge such requests or seek other legal remedies.

DirecTV is the only company that publicly states that it notifies its customers about these requests, but the statement is discretionary and vague and does not explain how it does so. One encouraging result is that UNE says it analyzes the legality of such requests and keeps a record of how it handles them, although it falls short by not taking the next step and notifying its affected users.

Unfortunately, none of the ISPs analyzed publishes manuals or guides explaining how they comply with their legal obligation to hand over personal information to the government. Nor do these companies' terms and conditions of use describe how content is filtered, blocked or removed, or what happens if a service is cancelled or suspended.

ISPs in Colombia still have much to improve when it comes to protecting users' rights and being transparent about handing over their customers' data. We hope to publish this report annually to encourage companies to improve their transparency and privacy-protection practices. That way all Colombians will have access to information about how their personal data is being used and controlled by ISPs, and will be able to make smart consumer decisions. Karisma hopes that next year the results table will shine with many more stars.

Click here to download the PDF.

Files: Informe Dónde Están Mis Datos
Related Issues: International, Surveillance and Human Rights

Africa's Worst New Internet Censorship Law Could be Coming to South Africa

eff.org - Fri, 22/05/2015 - 01:18

Only once in a while does an Internet censorship law or regulation come along that is so audacious in its scope, so misguided in its premises, and so poorly thought out in its execution, that you have to check your calendar to make sure April 1 hasn't come around again. The Draft Online Regulation Policy recently issued by the Film and Publication Board (FPB) of South Africa is such a regulation. It's as if the fabled prude Mrs. Grundy had been brought forward from the 18th century, stumbled across hustler.com on her first excursion online, and promptly cobbled together a law to shut the Internet down. Yes, it's that bad.

But don't just take our word for it—read some of its provisions for yourself. First, the regulation applies, in the first instance, to films and games (regardless of subject matter), as well as to publications containing certain loosely-described forms of sex, violence and hate speech. As to these types of content:

5.1.1 Any person who intends to distribute any film, game, or certain publication in the Republic of South Africa shall first comply with section 18(1) of the Act by applying, in the prescribed manner, for registration as film or game and publications distributor.

5.1.2 In the event that such film, game or publication is in a digital form or format intended for distribution online using the internet or other mobile platforms, the distributor may bring an application to the Board for the conclusion of an online distribution agreement, in terms of which the distributor, upon payment of the fee prescribed from time to time by the Minister of DOC as the Executive Authority, may classify its online content on behalf of the Board, using the Board's classification Guidelines and the Act …

If you are a video blogger creating films from your basement, the prospect of FPB officers knocking on your door to classify your videos probably isn't that appealing. So, being the forward-thinkers that they are, without actually providing an exception for user-generated content (or a sensible definition of it), the FPB provides an alternative system which places the burden of classifying such content onto Internet intermediaries:

7.5 In the event that such content is a video clip on YouTube or any other global digital media platform, the Board may of its own accord refer such video clip to the Classification Committee of the Board for classification.

7.7 Upon classification, the Board shall dispatch a copy of the classification decision and an invoice payable by the online distributor within 30 days, in respect of the classification of the content in question.

A few definitions are in order here: an “online distributor” could be a South African ISP, which might have no connection with the “global digital media platform” that actually hosts the content. Nonetheless, the ISP is assumed to have the capacity to take down the original video, and to upload a new, classified, version containing the FPB's logo:

7.10 The online distributor shall, from the date of being notified by the Board in writing of the classification decision, take down the unclassified video clip, substitute the same with the one that has been classified by the Board, and display the Film and Publication Board Logo and classification decision as illustrated in clause 5.1.6.

Oh, but it gets worse. Since classification rules already apply to offline films, games and proscribed publications, the regulation purports to do nothing more than extend the classification scheme to online versions of those materials, so that anyone distributing them over the Internet also has to obtain a license to do so. But then there's this:

7.4 With regard to any other content distributed online, the Board shall have the power to order an administrator of any online platform to take down any content that the Board may deem to be potentially harmful and disturbing to children of certain ages.

That's right, any online platform can be ordered to take down any content distributed online that the Board may deem to be potentially harmful and disturbing. Traditional publishers are subject to no such sweeping, extrajudicial censorship power.

What kind of content might we be talking about here? Much of the preamble of the document talks about sex. Indeed, sex sells, and it sells censorship legislation as well as it sells cigarettes and soft drinks. However, the regulation, even on its face, goes much further. Its background section gives an example of non-sexual videos that, even under the current law, were issued a classification by the FPB—videos depicting a Pretorian pastor “ordering members of his congregation, some of whom were minors, to graze like cattle and drink petrol to prove that humans can eat anything provided by God”. Under the new proposed regulation, the FPB could simply order such videos—which are obviously newsworthy—to be removed from the Internet.

“Draconian” is a word that we use quite often on Deeplinks, but by any standard of draconian, this proposed regulation is it. It bears all the hallmarks of being the response to a wish-list from a single, puritanical special interest group, without taking the other broader free speech rights of the public into account.

Thankfully, section 195 of the South African Constitution does direct the public administration that “People's needs must be responded to, and the public must be encouraged to participate in policy-making”, and in accordance with this directive, the proposed Draft Online Regulation Policy has been opened for public comment, which remains open until July 15. Local groups like Right to Know have already been mobilizing against the proposal, and are collecting supporters for a petition and social media campaign, which EFF heartily endorses.

South Africa is one of Africa's largest and fastest growing economies, and for it to adopt such an extreme preemptive Internet censorship regulation would be a serious setback for South Africa's burgeoning online industry, as well as, needless to say, a serious blow to human rights. If you are South African, or have any friends or colleagues who are, please take action by signing the Right to Know petition, and spreading the word about this looming threat.



Which Internet Providers Tell Colombians Where Their Data Is?

eff.org - Thu, 21/05/2015 - 03:16

Na sociedade de hoje, tudo se conecta através da Internet. Informações sobre onde vivemos ou trabalhamos, sobre a nossa renda, nossos gostos e preferências, nossas relações pessoais e atividades diárias, nossas filiações políticas, nossa orientação sexual e identificação religiosa estão online. E elas podem ser recolhidas por terceiros e examinadas sob vigilância conduzida por governos e outros atores. Enquanto as empresas que oferecem serviços de Internet estão sujeitas a vários regulamentos, que regem como elas devem lidar com as nossas informações confidenciais, suas políticas de privacidade e termos de uso, muitas vezes, não deixam claro exatamente quais medidas são tomadas por elas para proteger dados pessoais. É por isso que vale a pena perguntar: Você sabe onde estão seus dados agora? Será que que essas empresas protegem você? Elas deixam claro se permitem que terceiros tenham acesso as suas informações? Para responder a essas perguntas, estamos lançando o relatório intitulado Where Is My Data? (Onde estão meus dados?).

A Fundação Karisma, uma ONG latino-americana que trabalha na promoção dos direitos humanos no mundo digital, e a Electronic Frontier Foundation (EFF) uniram forças em uma iniciativa que visa promover mais transparência entre os provedores de internet na América Latina. O esforço é coordenado pela EEF em cinco países da região, com a participação de Red en Defensa de los Derechos Digitales no México, Hiperderecho no Peru, InternetLab no Brasil, TEDIC no Paraguai, e Fundação Karisma na Colômbia.

A Fundação Karisma está dando início a essa iniciativa com o projeto Where Is My Data - o primeiro relatório do tipo a analisar quais dos provedores de acesso à Internet na Colômbia defendem seus usuários e usuárias e abraçam a transparência em relação a solicitações de dados pessoais pelo governo. O objetivo deste relatório é permitir que usuários e usuárias tomem decisões mais conscientes sobre as empresas com as quais fazem negócios. Ele também foi concebido para incentivar as empresas a adotarem melhores práticas, a serem transparente sobre a troca de dados com o governo, e a fortalecerem o compromisso público de defesa dos direitos de usuários e usuárias.

"Os provedores de serviço de internet (ISPs, na sigla em inglês) na Colômbia devem ser transparentes sobre em que medida eles fornecem dados de usuários para o governo '', disse a diretora de direito internacional da EFF, Katitza Rodriguez, durante a abertura do evento em Bogotá. "O relatório 'Where Is My Data', da Fundação Karisma, faz uma análise das políticas de privacidade dos provedores mais populares da Colômbia, com o objetivo de fornecer uma perspectiva mais clara sobre o quão transparentes eles são para os consumidores em relação aos pedidos de informação de usuários feitos pelo governo. O relatório é uma ferramenta importante para os usuários que desejam tomar decisões mais conscientes sobre quais empresas ele pode confiar suas informações".

For this report, Karisma Foundation examined the publicly available policies and terms of use of four of the largest Internet service providers (ISPs) by number of subscribers. We relied on the quarterly ICT report of the Ministry of Information and Communication Technologies (MinTIC), which shows that almost 91% of subscribers use one of four companies operating in Colombia: Telmex Colombia S.A., UNE EPM Telecomunicaciones S.A., Colombia Telecomunicaciones S.A. (Telefónica) and ETB S.A. (ETB). We also included a fifth company, DirecTV, since it recently began offering Internet services and, as a multinational company, has had a great impact in Colombia. UNE and Tigo merged in 2014 but maintain separate policies. The report focuses only on UNE, which operates substantially outside the capital, Bogotá.

Karisma Foundation carried out an assessment of the public information available on the websites of these five companies and rated them according to the amount of information disclosed to their users in their privacy policies and terms of use. We focused on five areas:

  1. Does the Internet service provider publish transparency reports? These reports give individuals limited information about the scope and nature of the government's requests for information for investigations or surveillance. Companies are not legally required to provide transparency reports, and governments limit the amount of data that can be disclosed, but publishing them is a good practice and shows that companies care about protecting their consumers. More and more Internet and social media companies have made an effort to provide these reports, including Google, Facebook, Twitter, Microsoft and Vodafone. Transparency reports contain, for example, information about the specific number of requests a given company received from the government, the number of times it rejected requests (and the reasons for refusing), the breakdown of requests by the authority responsible for the investigations, type and purpose, and the number of accounts affected by each request.
  2. Does the Internet service provider notify users about government requests for data? This is important because it allows people to challenge the surveillance or seek other effective remedies.
  3. Is the Internet service provider's data protection policy public and easily accessible? There is a legal obligation to publish a privacy policy, but that does not mean that, in practice, these documents are easy to find or understandable to people.
  4. Does the Internet service provider publish guidelines for complying with the legal obligation to hand over user data to the government? And how long does the company keep personal data, and how, or whether, does it dispose of that data?
  5. Is the Internet service provider transparent about how content is filtered, removed or blocked, and about what happens to data when the service is canceled or suspended? There are legal and contractual grounds for filtering and removing content. Users should be able to know why and how data is removed, and what remedies are possible when they feel there are abuses.

Where Is My Data? aims to promote, for the benefit of users, better business practices among Internet service providers. The project seeks to identify the areas that need more transparency and to raise people's awareness of how their data is used by these providers and by the government, so that they can make more informed decisions when choosing an Internet provider.

The analysis was based on methodologies developed by EFF and used in similar projects around the world, taking into account the laws in force in Colombia. Companies earned full and partial stars for each of the five focus areas: full stars were awarded when there was greater transparency; half stars when information was partially disclosed; and a quarter of a star to recognize the development of good practices even when transparency was lacking. When no information was provided to consumers, stars were withheld.

Karisma Foundation contacted the five companies in the report to explain the evaluation process, provide the initial results, and give them the opportunity to respond, identify problems and present evidence of improved policies and practices. The observations and comments made by the providers were considered in the final evaluation.

The Results: Vague and Unclear Policies, and Lack of Transparency About Government Requests and Surveillance, Leave a Lot of Room for Improvement

This year, DirecTV was the only company to receive a full star for publishing its privacy policy in a clear and accessible way. Unfortunately, Where Is My Data? showed that this is an exception to the rule: most providers' privacy policies are hard to find, are vague on details, and show that some companies retain personal data long after the service subscription ends.

In addition, Karisma Foundation found that, of the policies and terms of use evaluated, most do not indicate whether users will receive notifications about government requests to hand over personal data. Notification is essential so that people can challenge the requests or seek other remedies.

DirecTV is the only company that states in its terms of use that it may notify users if and when such requests are made, but the company's statement is discretionary, vague, and lacks details on how the information would be disclosed. We were hopeful when UNE promised to examine the legality of requests and keep records of them, but the company failed to take the next step and commit to notifying users about such requests.

Unfortunately, none of the Internet service providers reviewed publish guidelines on their legal obligation to hand over user data to the government, and the companies' terms of use also do not describe how content is filtered, removed or blocked, or what happens to it when the service is canceled or suspended.

Companies in Colombia have a long way to go in protecting personal data and in being transparent about who has access to it. We intend to release the report annually, with the aim of encouraging companies to improve transparency and protect personal data. That way, all Colombians will have access to information about how their data is handled and how it is controlled by providers, so that they can make smarter decisions. We hope that next year the report can shine with the light of more stars.

Download the full report here:

Related Issues: International; Surveillance and Human Rights

Colombian Users to ISPs: "Where Is My Data?"

eff.org - Thu, 21/05/2015 - 03:03

Technology companies in Colombia are privy to our most sensitive information: conversations, photos, location data, and more. Our data may be collected by third parties and scrutinized under surveillance conducted by governments and other actors. While corporations offering Internet service in Colombia are subject to various regulations governing how they handle our personal information, their privacy policies and terms of service often lack clarity about exactly what steps they take to protect their users’ data. That is why Karisma Foundation, a leading Latin American NGO working on the promotion of human rights in the digital world, and the Electronic Frontier Foundation have asked Colombians: Do you know where your data is right now? Do these companies stand with you? Do they let you know if they let others access your information? To answer this question, we are issuing a report entitled Where Is My Data? (¿Dónde están mis datos?).

Karisma Foundation and EFF have joined forces on an initiative that aims to foster greater transparency among Internet providers in Latin America. The effort is coordinated by EFF in five countries in the region with the participation of Red en Defensa de los Derechos Digitales in Mexico, Hiperderecho in Peru, InternetLab in Brazil, TEDIC in Paraguay, and Karisma Foundation in Colombia.

Karisma Foundation is kicking off the initiative with Where Is My Data?—the first report of its kind to analyze which Internet access providers in Colombia stand with their users and embrace transparency around government data requests. The purpose of this report is to allow users to make informed decisions about the companies with whom they do business. It is also designed to incentivize companies to adopt best practices, be transparent about how data flows to the government, and strengthen the public commitment to defending users' rights.

"Internet service providers in Colombia should be transparent about the extent to which they provide user data to the government,'' EFF International Rights Director Katitza Rodriguez said today during the launch of the event in Bogota. "Karisma Foundation's `Where Is My Data' report examines the privacy policies of Colombia's most popular ISPs to provide a clear picture of how open they are with customers about government requests for user information. The report is an important tool for users seeking to make informed decisions about which companies they should trust with their information.''

For this report, Karisma Foundation examined publicly-available policies and terms of use of four of the largest Internet service providers (ISPs) as measured by number of subscribers. We relied on the quarterly ICT report of the Ministry of Information and Communication Technology (MinTIC, in Spanish) which shows that  nearly 91 percent of registered subscribers use one of four companies operating in Colombia: Telmex Colombia S.A., UNE EPM Telecomunicaciones S.A., Colombia Telecomunicaciones S.A. (Telefónica) and ETB S.A. (ETB). We also included a fifth company—DirecTV—because it recently began offering Internet service and, as a multinational company, it has had a great impact in Colombia. While UNE and Tigo merged in 2014, both companies have separate policies and the report focuses only on UNE, which operates substantially outside the capital, Bogota.

Karisma Foundation conducted an assessment of the public information available on the websites of these five companies. They were rated on how much they disclosed to their users in their privacy policies and terms of service. We focused on five areas:  

  1. Does the ISP publish transparency reports? These reports provide individuals with limited information about the scope and nature of government requests for user information for investigations and surveillance. While companies are not legally obligated to provide  transparency reports and they are limited by governments as to how much data they can disclose, publishing them is a good practice and shows that companies care about protecting their customers. More and more Internet and social media companies  around the globe are stepping up to provide these reports, including Google, Facebook, Twitter, Microsoft and Vodafone. Transparency reports contain aggregate information about the specific number of requests a particular company has received from the government, the number of times a company has rejected the requests (and their reasons for denying them), a breakdown of the requests by investigation authority, type, and purpose, and the number of accounts affected by each request, for example.

  2. Does the ISP notify users about government data requests? This is important because it enables users to challenge the decision for surveillance or seek other effective remedies.

  3. Is the ISP's data protection policy easily available to the users? There is a legal obligation to publish a privacy policy but this does not mean that in practice these documents are easy to find or that they are understandable to users.

  4. Does the ISP publish compliance guidelines regarding their legal obligation to disclose user data to the government, the duration the company keeps user data, and how or if they dispose of it?

  5. Does the ISP offer clarity to users about the ways in which content is filtered, removed or blocked, and what happens to data when service is canceled or suspended? There are legal and contractual grounds for filtering and removing content.  Users should be able to know why and how data is removed, and what possible remedies are available when they feel there are abuses.

Where Is My Data? aims to promote best business practices among ISPs for the benefit of users. It seeks to identify areas where more transparency is needed and raise awareness among customers  about how their data is used by ISPs and the government so they can make more informed decisions when choosing an Internet provider.

The analysis was based on methodologies developed by EFF and used in similar projects around the world, taking into account current laws in Colombia. Companies earned whole stars and partial stars for each of the five areas of focus. Whole stars were awarded for the most transparency, half stars were given when information was partially disclosed, and a fourth of a star was given this time to recognize the development of good practices even when disclosure was lacking. Stars were withheld when no information was provided to customers.

Karisma Foundation contacted the five companies in the report to explain the ratings process, provide the initial results, and give them an opportunity to supply  feedback, identify issues, and provide evidence of improved policies and practices. The observations and comments made by ISPs were considered in the final evaluation.

The Results: Vague, Unclear Policies, Lack of Disclosure About Government Surveillance Requests Leave Lots of Room For Improvement  

 

This year, DirecTV was the only company given a full star for publishing  its privacy policy in a clear and accessible way. Unfortunately, Where Is My Data? showed that this is the exception to the rule—most ISPs’ privacy policies are difficult for users to find, vague on specifics, and show that some of the companies retain personal data long after users unsubscribe.

What’s more, Karisma Foundation found that of the policies and terms of services reviewed, most did not state users would be notified about government demands for personal data.  Notification is essential for users to challenge data requests or seek other remedies.

DirecTV is the only company that declares in its terms of service that it may notify users if and when such requests are made, but the company’s statement is discretionary, vague, and lacks specifics on how the information would be disclosed. We were encouraged that UNE promised to scrutinize the legality of inquiries and keep a record of the requests, but the company failed to take the next step and commit to notifying users about requests.

Unfortunately, none of the ISPs reviewed publish compliance guidelines regarding their legal obligation to disclose user data to the government, nor do the companies’ terms of service describe the ways in which content is filtered, removed or blocked, or what happens to it when service is canceled or suspended.

Companies in Colombia have a long way to go in protecting customers’ personal data and being transparent about who has access to it. We expect to release this report annually to incentivize companies to improve transparency and protect user data. This way, all Colombians will have access to information about how their personal data is used and how it is controlled by ISPs so they can make smarter consumer decisions. We hope the report will shine with more stars next year.

Click here to download the full report in Spanish (PDF):

Related Issues: International; Surveillance and Human Rights

Hundreds of Tech Companies to Congress: TPP and Fast Track Harms Digital Innovation and Users’ Rights

eff.org - Wed, 20/05/2015 - 23:56

In a joint letter to Congress released today, more than 250 technology companies and user rights organizations say that the extreme level of secrecy surrounding trade negotiations has led to provisions in agreements like the Trans-Pacific Partnership (TPP) that threaten digital innovation, free speech, and access to knowledge online. The letter calls on Congress to come out against the Fast Track bill, also known as Trade Promotion Authority (TPA), for legitimizing this secretive process. Its signatories include AVG Technologies, DreamHost, Namecheap, Mediafire, Imgur, Internet Archive, BoingBoing, Piwik, Private Internet Access, and many others.

The letter specifically identifies the TPP's threats based on leaked texts of the agreement—how it threatens fair use, could lead to more costly forms of online copyright enforcement, criminalize whistleblowing and investigative journalism, and create investor-state dispute settlement (ISDS) courts that would further jeopardize user protections in domestic laws. The Fast Track bill, the companies write, would legitimize the exclusive process that has led to these and other provisions, as well as undermine lawmakers' efforts towards striking the right balance between the interests of copyright holders and those of innovators and users.

“We simply cannot allow our policymakers to use secret trade negotiations to make digital policy for the 21st century,” said Maira Sutton, global policy analyst at the Electronic Frontier Foundation. “Leaks of the TPP agreement have revealed time and time again that this opaque process has led to provisions that undermine our rights to free speech, privacy, and innovation online. The TPP is a huge threat to the Internet and its users. Full stop.”

“The future of the Internet is simply too important to be decided behind closed doors,” said Evan Greer, campaign director of Fight for the Future. “The Fast Track / Trade Promotion Authority process actively silences the voices of Internet users, startups, and small tech companies while giving the biggest players even more power to set policy that benefits a few select companies while undermining the health of the entire Web.”

Harvey Anderson, Chief Legal Officer of the popular anti-virus software company AVG Technologies: "The current administration has done much to promote openness and transparency as governance principles and in managing Internet policy, they can, and we expect, that they can do much better than the current Fast Track bill."

Carl Wilcox, CEO of nanotech firm Advanced Surfaces and Processes, Inc.: “Technology companies like us, especially startups and emerging companies, need a level business playing field, not one where mega corporations make the rules and can sue them in a mega-corporation court whose judges and attorneys are all employed by mega-corporations. TPP impacts us negatively when they dictate intellectual property, food safety, the price of prescription drugs, weak environmental, buy local and labor safety rules.”

David Heinemeier Hansson, partner at Basecamp and creator of the popular Ruby on Rails web development framework: “TPP makes a mockery of democratic legislative ideals. It's shrouded in secrecy exactly because it would wither in sunlight. It's a terrible piece of overreach to endow a few special interests with enormous and unsavory power. The whole thing needs to be scrapped and started over. International trade is too important to have it hitched to this collection of wishful thinking by a select few.”

Cory Doctorow, author, journalist, and co-editor of Boing Boing: "Democracies make their laws in public, not in smoke-filled rooms. If TPP's backers truly believed that they were doing the people's work, they'd have invited the people into the room. The fact that they went to extreme, unprecedented measures to stop anyone from finding out what was going on—even going so far as to threaten Congress with jail if they spoke about it—tells you that this is something being done *to* Americans, not *for* Americans."

Founder of the Copia Institute, Mike Masnick: “In the last two decades the Internet has been one of the main drivers of economic growth, progress and prosperity worldwide. And, yet, leaked portions of the TPP agreement and the current fast track bill show that no one is even considering the impact on the digital economy and digital rights. The TPP and TPA are not designed for an Internet era, or even taking the Internet economy into account. That the whole thing has been written in secret only makes this more concerning over the impact it will have on the most dynamic and important sectors of the economy today.”

For the full letter, visit: https://www.eff.org/document/tech-company-and-user-groups-letter-congress-urging-their-opposition-tpp-fast-track

For further comment, contact:

Maira Sutton
Global Policy Analyst, Electronic Frontier Foundation
press@eff.org

Evan Greer
Campaign Director, Fight For the Future
press@fightforthefuture.org

Related Issues: Fair Use and Intellectual Property: Defending the Balance; International; Trade Agreements and Digital Rights; Trans-Pacific Partnership Agreement

The Senate’s Excuses for Reauthorizing Section 215–and Why They’re Wrong

eff.org - Wed, 20/05/2015 - 09:36

Three provisions of the Patriot Act expire on June 1, and Senate Majority Leader Mitch McConnell is trying to delay taking action on the issue by calling for a two-month or 5-year reauthorization of Section 215—the provision of the Patriot Act the NSA relies on to collect millions of Americans' call records.

Before June 1 we expect to see plenty of fear-mongering from intelligence officials and national security hawks. Last year, the Wall Street Journal began the foray with an op-ed by former NSA Director General Mike Hayden and former Attorney General Michael Mukasey—key architects of many of the NSA's unlawful activities. This time, the mongering started with op-eds by John Yoo, Senator Marco Rubio, and Senator Tom Cotton.

Here are the top excuses officials will use to continue spying on Americans' calling records, and why they're wrong:

Congress Needs Time to Debate

“I don’t know how we have the kind of fulsome debate that is going to be required on NSA without passing a temporary extension,” —Sen. John Cornyn

Congress has had two full years to publicly debate the NSA’s use of Section 215. Indeed, the debate has been vigorous and thoughtful. While Congress didn't create a separate investigative committee, it was still able to hold over a dozen hearings where Section 215 was discussed. The hearings, which called upon officials like the Attorney General, Director of National Intelligence, and Director of the NSA, included hours of testimony on the programs, what they collect, and their effectiveness.

Congress has also debated Section 215 via Senator Patrick Leahy and Jim Sensenbrenner's reform bill called the USA Freedom Act. Last year, the House passed a gutted version of the USA Freedom Act, but debated the legislation for days. This year, the House debated a stronger version of the USA Freedom Act and passed it 338 to 88.

The Senate has also debated the legislation. Last year, after two days of debate, the Senate failed to advance a stronger version of the USA Freedom Act by two votes. Congress has had more than enough time to discuss these authorities and must act.

The Section 215 Program is Effective

"This has been a very important part of our effort to defend the homeland since 9/11." —Sen. Majority Leader Mitch McConnell

There’s one problem: there’s no evidence to support that. Two independent commissions concluded the calling records program was not effective and has not been used to stop a terrorist attack. The first, called the President's Review Group on Signals Intelligence, concluded "Our review suggests that the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks."

Like the President’s Review Group, the Privacy and Civil Liberties Oversight Board also concluded:

Based on the information provided to the Board, including classified briefings and documentation, we have not identified a single instance involving a threat to the United States in which the program made a concrete difference in the outcome of a counterterrorism investigation. Moreover, we are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack.

The quotes speak for themselves.

Fixing Section 215 Puts the Nation at Risk

"[The USA Freedom Act] would be rolling [the nation] back to exactly where we were pre-9/11." —Sen. Richard Burr

The Attorney General, Director of National Intelligence, and House Intelligence Chair and Ranking Members do not think reforming the Section 215 program will harm national security. Attorneys General Eric Holder and Loretta Lynch and Director of National Intelligence James Clapper wrote letters (.pdf) to Congress noting that Section 215 reform would preserve both "vital national security authorities" and "essential Intelligence Community capabilities."

The Program is "Lawful"

“Contrary to irresponsible rumors, the [bulk surveillance] program is lawful, carefully monitored, and protects personal privacy. The program does not conduct mass surveillance of American citizens—or any surveillance at all.” —Sen. Cotton and Rep. Mike Pompeo

Apparently, one of the "irresponsible rumors" Sen. Tom Cotton and Rep. Mike Pompeo reference is a decision by the Second Circuit Court of Appeals. (The circuit courts are the federal courts directly below the Supreme Court.) The Second Circuit held that the NSA’s telephone records program went far beyond what Congress authorized when it passed Section 215 of the Patriot Act in 2001. The court rejected the government’s secret reinterpretation of Section 215 that has served as the basis for the telephone records collection program. The Second Circuit’s opinion stands as a clear sign that the courts are ready to step in and rule that mass surveillance is illegal.

In addition, the program is "surveillance." As we've repeatedly said: the collection of metadata matters. It reveals a host of information and context about a person’s habits, traits, and beliefs. The Circuit Court opinion explained that metadata is often a proxy for the content of the communication, and that phone records can "reveal a startling amount of detailed information" about callers. The court also recognized that aggregation of calling records matters because collection of large amounts of metadata plus the application of sophisticated data processing technologies gives the government access to even more revealing portraits of individuals and groups.

Congress Must Say No to a Short-Term Reauthorization

In the next few days, Congress will begin to debate whether or not they should vote for a short-term reauthorization of Section 215. The answer is clearly no. Join us now in telling your lawmaker to vote against any short-term reauthorization.



Fast Track Amendments Are Too Little Too Late to Salvage the TPP Agreement

eff.org - Wed, 20/05/2015 - 09:32

As part of the congressional to-and-fro over the pending Fast Track bill, senators with concerns about the process and substance of trade negotiations have been putting forward some proposed amendments. None of these amendments would alter the substance of what Fast Track is—a bill to authorize the President to enter into binding trade agreements such as the Trans-Pacific Partnership (TPP) without proper congressional oversight over these secretive, industry-led deals. As such, even if they were to be adopted, the amendments do not address our most fundamental concerns with the bill.

Nevertheless, they do home in on a couple of the most egregious problems with Fast Track and with the trade deals that it enables, including the TPP and Trans-Atlantic Trade and Investment Partnership (TTIP). Perhaps the issue that has received the most attention has been that of investor-state dispute settlement (ISDS), which gives foreign corporations a free pass to overturn or receive compensation for the effects of democratically-enacted laws that negatively affect their business.

Senators Elizabeth Warren and Heidi Heitkamp, with support of 13 other senators, have tabled an amendment that would exclude access to the Fast Track procedure [PDF] for any trade agreement that contains an ISDS clause. As things stand, that would include both the TPP and the TTIP, which means that both of those agreements would have to come before Congress before the United States signs them—which in turn would probably defeat the agreements.

A second amendment, from Sens. Blumenthal, Brown, Baldwin, and Udall, addresses the lack of transparency of the agreement, and would require “all formal proposals advanced by the United States in negotiations for a trade agreement” to be published on the Web within five days of those proposals being shared with other parties to the negotiations. This would bring the United States up to the same level as the European Commission, which has already begun publishing its own TTIP position papers and text proposals to the public.

Sooner or later, these sorts of reforms are inevitable, as pressure for the U.S. Trade Representative to adopt them is echoing from all sides. Apart from its own senators, multiple calls for the U.S. to improve the transparency of trade negotiations and to reject ISDS have issued from law professors [PDF], economists, pro-trade think tanks, businesses and users. EFF has also proposed that standards of transparency and participation in trade negotiations be incorporated into the next set of commitments that the United States adopts under the Open Government Partnership.

From Congress on down, there has never been such a broad consensus that secretive trade negotiations and ISDS processes must be condemned as illegitimate. Thus, we do not think it is a question of whether these will ultimately be rejected, but when. However, time is not on our side. With the TPP negotiations widely tipped to conclude this year (if they conclude at all), the time to take a stand against these undemocratic processes is now. And our best opportunity to do so is by not merely amending Fast Track, but rejecting it, and the TPP along with it. Tell your representative to do that now.

Read about all of our concerns with the TPP agreement:



Federal Court of Appeals Blocks Use of Trademark for Censorship

eff.org - Wed, 20/05/2015 - 08:48

Today, in an important First Amendment decision, the Fourth Circuit Court of Appeals blocked an attempt by the NAACP to use trademark as a tool to censor unwanted online criticism—a result we had urged in an amicus brief filed with the court back in October. The Fourth Circuit overruled a federal district court in Virginia, which had previously ruled that the Radiance Foundation’s use of the moniker “NAACP” infringed on the organization’s trademark.

The case, Radiance Foundation v. NAACP, arose out of a Radiance blog post criticizing the NAACP’s stance on abortion. The Radiance Foundation is a conservative non-profit that advocates for what it perceives to be appropriate family values. The blog post, entitled “NAACP: National Association for the Abortion of Colored People,” claimed that the NAACP embraces “all things liberal, most things socialistic, and nothing pro-life.”

In an attempt to get the post taken down, the NAACP sent Radiance a cease-and-desist letter, threatening to sue Radiance for trademark infringement if the organization did not stop “using” the NAACP’s trademark. After Radiance sought protection from the courts, the federal district court ruled in favor of the NAACP, finding that Radiance’s post infringed on NAACP’s trademark, despite the First Amendment.

Radiance appealed the judge’s decision. EFF and the ACLU of Virginia filed a joint amicus brief in support of Radiance—not because we agreed with Radiance’s message, but because the lower court’s decision holding it liable for trademark infringement threatened a huge range of expression. As we explained in our brief, the lower court’s decision misread both trademark law and the First Amendment. Fierce criticism is not trademark infringement.

The Fourth Circuit agreed with us in its unanimous and strongly-worded opinion. The court recognized that trademark protection “comes at a potential cost to free expression” and found that trademark law should be read narrowly in cases involving non-commercial speech. The court held that the lower court’s decision had extended the Lanham Act—the primary federal trademark statute—far beyond the purposes it was intended to serve. As the court stated, “To find Lanham Act violations under these facts risks a different form of infringement -- that of Radiance’s expressive right to comment on social issues under the First Amendment.” As the court further noted:

The most scathing speech and the most disputable commentary are also the ones most likely to draw their intended targets’ ire and thereby attract Lanham Act litigation. It is for this reason that law does not leave such speech without protection.

This is the second victory for free speech this week. Yesterday, the Ninth Circuit Court of Appeals blocked the use of copyright for censorship in Google v. Garcia.

Thanks again to Professor Eugene Volokh and the First Amendment Clinic at UCLA School of Law for their excellent work on our amicus brief, which was cited by the Fourth Circuit in its opinion.

Related Issues: Free Speech

EFF Joins Nearly 150 Organizations, Security Experts, and Companies to Urge President Obama to Support Strong Encryption

eff.org - Wed, 20/05/2015 - 08:18

Email. Online banking. Facebook. Your doctor’s office. These are all places where we rely on encryption to keep the private details of our lives safe. Without encryption, none of these services would be remotely safe to use, and even with encryption breaches are too common. We all want the digital world to be safer, not less secure. That’s why EFF joined the nearly 150 privacy and human rights organizations, technology companies and trade associations, and individual security and policy experts who sent a letter urging President Obama to

reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.

As the letter points out, “Strong encryption is the cornerstone of the modern information economy’s security.” And it’s under threat. Congress is considering incredibly flawed cybersecurity legislation, as well as potential reforms to NSA surveillance that don’t address the NSA’s use of “backdoors”—security flaws engineered into products and services to enable or facilitate government control or access to devices. These backdoors enable access to and warrantless searches of the contents of communications and other data.

The intelligence community has also spent a lot of time fearmongering about the growing use of encryption. Both the FBI and NSA Directors have recently urged companies to install security backdoors into hardware or software. They argue that the growing use of encryption is a serious threat to their investigative abilities.

This isn’t new. We’ve watched the government propose a variety of ways to control encryption technology since 1993, when the Clinton White House introduced the Clipper Chip, a plan for building in hardware backdoors to communications technologies. In 2011, then-FBI General Counsel Valerie Caproni even claimed that the FBI was “going dark” because it couldn’t collect some evidence that courts had authorized it to collect. Of course, that makes no logical sense—a court order is no guarantee that a search or seizure will be successful.

Indeed, former Clinton and Obama administration adviser and privacy and cyberlaw expert Peter Swire pointed out in a 2011 paper that in fact:

We live in a “golden age for surveillance” because investigatory agencies have unprecedented access to information about a suspect. In addition, data mining provides unprecedented tools for identifying suspects.

That remains as true today as it was then—more so in fact. Law enforcement has many investigative tools at hand, and technology that allows them to gather data has been improving for years. And as we, and many others have pointed out, the government can get a warrant, use traditional investigative techniques, or gather data from the vast array of sources available to them in the modern world instead of relying on back doors. Ultimately, the government hasn’t provided any good public evidence that encryption has been a real obstacle.    

Yet the government continues to insist that back doors are necessary, ignoring the fact that the protection against criminal and national security threats provided by encryption would be:

undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.

At a time when concerns about computer and network security are high, and weaknesses already abound, it is simply bad policy to create more. And there’s a lot of technical skepticism about the government's suggestion that these vulnerabilities wouldn’t affect everyone. That skepticism is shared by members of Congress who understand these issues. Rep. Ted Lieu, who has a bachelor's degree in computer science from Stanford, has said:

It is clear to me that creating a pathway for decryption only for good guys is technologically stupid. You just can't do that.

What’s more, there's an understandable lack of trust in what the government is saying about backdoors, given the evidence that the government deploys security vulnerabilities and its knowledge of them for surveillance purposes. That's on top of the trust deficit from the secret, illegal phone records bulk collection program and other secret programs we've learned about.  

While we think Congress should prohibit the use of backdoors, and the government should make public the details of its “Vulnerabilities Equities Process” for publicly disclosing vulnerabilities it knows about, the President can help a little by supporting the uncompromised deployment of strong crypto now.

You can read the full letter and see all the signers here.

 

Related Issues: Export Controls, Privacy, NSA Spying

Diverse Groups United Against Any Short-Term Reauthorization of Section 215

eff.org - Wed, 20/05/2015 - 05:49

In a letter sent today, groups spanning the political spectrum spoke out loudly against Senate Majority Leader Mitch McConnell and Senate Intelligence Chair Richard Burr's attempt to reauthorize Section 215 of the Patriot Act through July 2015.

The letter strongly urges the Senate to vote against any short-term reauthorization:

We urge you to oppose bringing up this measure for a vote, or to vote against any such measure that extends expiring provisions of the USA Patriot Act in their current form.

The country has spent the past two years debating the wisdom of mass collection of Americans' records. It is time for Congress to finally act. Senators should vote against any reauthorization. Even if Senators were to vote for the short-term reauthorization, the extension would still have to go to the House where leaders have already said they will not vote for such a reauthorization.

Urge your member of Congress now to vote against any short-term reauthorization.



Internet.org Is Not Neutral, Not Secure, and Not the Internet

eff.org - Tue, 19/05/2015 - 09:39

The Internet.org project from the social network Facebook, which offers people in developing countries free mobile access to a select group of websites, has been presented as a philanthropic initiative to connect the two thirds of the world's population who do not have Internet access. We completely agree that the global digital divide must be closed. However, we question whether this is the right way to do it. As we and other organizations have noted, there is a real risk that the few websites that Facebook and its partners chose for Internet.org (including, of course, Facebook itself) will end up becoming a ghetto for poor users instead of a stepping stone to the wider Internet.

Mark Zuckerberg's announcement earlier this month of the expansion of Internet.org as a platform was aimed at reversing some of the criticism. In a nutshell, the announced changes will allow any website administrator to apply for inclusion in Internet.org, provided the site complies with the project's guidelines. These requirements are neutral as to the pages themselves, but they do impose certain technical limitations intended to ensure that sites do not saturate the mobile operators' networks, and that they work equally well on low-end phones and on more sophisticated ones.

Compliance with the requirements will be reviewed by the Internet.org team, which will then make the sites available to its users free of charge by routing the communication through the Internet.org proxy server. This proxy server allows the sites to be "zero rated" by the mobile operators participating in the project; it enables the automatic removal of content that violates the guidelines (such as images larger than 1MB, videos, voice-over-IP calls, Flash and Java applets and even JavaScript); and it inserts an interstitial warning if the user tries to leave the zero-rated sites within Internet.org, in order to prevent users from being accidentally charged for data usage that they may not be able to pay for and did not intend to incur.

We agree that some kind of Internet access is better than none, and if that is what Internet.org actually provided (for example, through a uniform rate limit or a free data cap) it could have our full support. But it does not; and it continues to impose conditions and restrictions that not only make it less than a true Internet service, but also put people's privacy and security at risk.

This is because the technical structure of Internet.org prevents some users from connecting over encrypted HTTPS connections. As we mentioned above, a critical component of Internet.org is its proxy server, which traffic must pass through for the zero rating and the interstitial warning to work correctly. Some devices, such as Android phones running the Internet.org application, have the technical ability to make encrypted HTTPS connections through the proxy server without becoming vulnerable to "man-in-the-middle" interception or exposing any data (beyond the requested domain) to Facebook. The Internet.org Android application can also automatically display the interstitial warning when the application analyzes links (as opposed to Facebook serving the warning through its proxy server).

But more basic feature phones that do not run Android applications do not support phone-based warnings or this kind of proxying of HTTPS connections. For these phones, traffic passes through the Internet.org proxy unencrypted, which means that any information users send to or receive from Internet.org services could be intercepted by local police or national intelligence agencies, exposing users to danger. While Facebook is working to solve this problem, it is extremely difficult from a technical perspective, with no obvious solution.

Even if Facebook were able to find a way to support HTTPS proxying on basic phones, its position as Internet gatekeeper remains broadly problematic. By setting themselves up as guardians of free access to (parts of) the global Internet, Facebook and its partners have issued an open invitation for governments and interest groups to pressure, persuade or threaten them to withhold particular content from their service, which will be much harder to censor on the global Internet.

While we applaud Facebook's attempts to encourage more websites to support low-end feature phones by replacing "heavy" content, we would like to see Internet.org try harder to achieve its laudable goal of connecting the remaining two thirds of the world to the Internet. We are confident that it would be possible to provide a free, limited Internet access service that is secure, and that does not depend on Facebook and its partners to maintain a central list of approved sites. Until then, Internet.org will not live up to its promise, or its name.



Internet.org Is Not Neutral, Not Secure, and Not the Internet

eff.org - Tue, 19/05/2015 - 09:08

Facebook's Internet.org project, which offers people from developing countries free mobile access to selected websites, has been pitched as a philanthropic initiative to connect two thirds of the world who don’t yet have Internet access. We completely agree that the global digital divide should be closed. However, we question whether this is the right way to do it. As we and others have noted, there's a real risk that the few websites that Facebook and its partners select for Internet.org (including, of course, Facebook itself) could end up becoming a ghetto for poor users instead of a stepping stone to the larger Internet.

Mark Zuckerberg's announcement of the expansion of the Internet.org platform earlier this month was aimed at addressing some of these criticisms. In a nutshell, the changes would allow any website operator to submit their site for inclusion in Internet.org, provided that it meets the program's guidelines. Those guidelines are neutral as to the subject matter of the site, but do impose certain technical limitations intended to ensure that sites do not overly burden the carrier's network, and that they will work on both inexpensive feature phones and modern smartphones.

Compliance with the guidelines will be reviewed by the Internet.org team, which may then make the site available for Internet.org users to access for free, by routing the communication through the Internet.org proxy server. That proxy server allows the sites to be “zero rated” by participating mobile phone operators; allows the automatic stripping out of content that violates the guidelines—such as images greater than 1Mb in size, videos, VoIP calls, Flash and Java applets and even JavaScript; and inserts an interstitial warning if a user attempts to leave Internet.org's zero-rated portion of the Internet, so as to prevent users from accidentally being billed for data charges they may not be able to afford and didn't mean to incur.

We agree that some Internet access is better than none, and if that is what Internet.org actually provided—for example, through a uniformly rate-limited or data-capped free service—then it would have our full support. But it doesn't. Instead, it continues to impose conditions and restraints that not only make it something less than a true Internet service, but also endanger people's privacy and security.

That's because the technical structure of Internet.org prevents some users from accessing services over encrypted HTTPS connections. As we mentioned above, a critical component of Internet.org is its proxy server, which traffic must pass through for the zero-rating and the interstitial warning to work correctly. Some devices, like Android phones running Internet.org's app, have the technical ability to make encrypted HTTPS connections through the proxy server without becoming vulnerable to man-in-the-middle attacks or exposing any data (beyond the domain being requested) to Facebook. Internet.org's Android app can also automatically bring up the interstitial warning directly on the phone by using the app to analyze links (as opposed to Facebook serving the warning via its proxy server).

But most inexpensive feature phones that can't run an Android app don't support phone-based warnings or this sort of proxying of HTTPS connections. For these phones, traffic must pass through Internet.org's proxy unencrypted, which means that any information users send or receive from Internet.org's services could be read by local police or national intelligence agencies and expose its users to harm. While Facebook is working to solve this problem, it's extremely difficult from a technical perspective, with no obvious solution.
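The difference between the two cases above, shown from the proxy operator's side. This is an added example, not code from EFF or Internet.org; it assumes a standard HTTP forward proxy with CONNECT tunneling (the article does not say which mechanism Internet.org uses), and every hostname, cookie and form value is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: a phone sending plain HTTP through a forward proxy.
PLAINTEXT_CLIENT_BYTES = (
    b"POST http://news.example.org/login HTTP/1.1\r\n"
    b"Host: news.example.org\r\n"
    b"Cookie: session=constructed-token\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=hunter2"
)

# Constructed sample: a client asking the proxy for a tunnel, then speaking TLS.
# The trailing bytes are a stand-in for an encrypted TLS record, not real traffic.
TUNNEL_CLIENT_BYTES = (
    b"CONNECT news.example.org:443 HTTP/1.1\r\n"
    b"Host: news.example.org:443\r\n"
    b"\r\n"
    + b"\x17\x03\x03\x00\x20" + bytes(32)
)


def proxy_view(client_bytes: bytes) -> dict:
    """Return what an on-path proxy can read from a client's byte stream."""
    head, _, rest = client_bytes.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        # Tunnel: the request line names only host:port. Everything after the
        # blank line is relayed as-is; the proxy holds no key to decrypt it.
        host, _, port = target.rpartition(":")
        return {"mode": "tunnel", "host": host, "port": int(port),
                "url": None, "cookies": None, "body": None,
                "opaque_bytes": len(rest)}

    # Plain HTTP via a proxy uses an absolute URL, so the full path, the
    # headers and the body are all readable (and modifiable) at the proxy.
    parts = urlsplit(target)
    return {"mode": "plaintext", "host": parts.hostname,
            "port": parts.port or 80, "url": target,
            "cookies": headers.get("cookie"),
            "body": rest.decode("latin-1") or None,
            "opaque_bytes": 0}


if __name__ == "__main__":
    for label, sample in (("plain HTTP", PLAINTEXT_CLIENT_BYTES),
                          ("HTTPS tunnel", TUNNEL_CLIENT_BYTES)):
        print(label, proxy_view(sample))
```

In the tunnel case the proxy learns only the destination host and port, which matches the article's "beyond the domain being requested"; in the plaintext case the login form and session cookie are visible to the proxy and to anyone who can read its traffic.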

Even if Facebook were able to figure out a way to support HTTPS proxying on feature phones, its position as Internet gatekeepers remains more broadly troublesome. By setting themselves up as gatekeepers for free access to (portions of) the global Internet, Facebook and its partners have issued an open invitation for governments and special interest groups to lobby, cajole or threaten them to withhold particular content from their service. In other words, Internet.org would be much easier to censor than a true global Internet.

While we applaud Facebook's efforts to encourage more websites to provide support for low-end feature phones by stripping out “heavy” content, we would like to see Internet.org try harder to achieve its very worthy objective of connecting the remaining two thirds of the world to the Internet. We have confidence that it would be possible to provide a limited free Internet access service that is secure, and that doesn't rely on Facebook and its partners to maintain a central list of approved sites. Until then, Internet.org will not be living up to its promise, or its name.



All content and comments posted are owned and © by the Author and/or Poster.
Web site Copyright © 1995 - 2007 Clemens Vermeulen, Cairns - All Rights Reserved
Drupal design and maintenance by Clemens Vermeulen Drupal theme by Kiwi Themes.