PRISM, Local Edition: NY DA Employs 381 Secret Orders to Gather Complete Digital Dossiers from Facebook
Unfortunately, it appears that the lure of bulk surveillance is not just a temptation for the federal government. Last summer, about a month after new leaks exposed the NSA’s bulk content PRISM program, Cyrus Vance, Jr., the District Attorney for Manhattan, decided to go secretly fishing through 381 Facebook accounts, and wanted to ensure no one was allowed to stop him.
The DA was looking for evidence of disability fraud, and saw Facebook as a treasure trove. Many people put their lives online, sharing their daily ups and downs with a steady stream of photos, comments, and wall posts to friends and family. Perhaps some of them, after claiming a disability, would post a windsurfing selfie or write about their marathon training, and evidence their fraud.
So the DA put together nearly 400 search warrants, which ordered Facebook to provide near total access to the accounts, and gagged the social media giant from informing the users. Facebook reports that this "unprecedented request is by far the largest we’ve ever received—by a magnitude of more than ten." According to Facebook's appeals brief, the targets included a cross-section of America “from high schoolers to grandparents, … electricians, school teachers, and members of our armed services.”
Facebook's brief explains that the warrants sought “information that cannot possibly be relevant to the crimes the Government presumably continues to investigate,” including what “Group” people belong to (and who else is in that group), chat messages, private messages, friends list (including removed friends) and even past and future events. And indeed, for the vast majority of the targets, the information was not relevant to any crime. Only 62 people were ultimately charged.
Sometimes “come back with a warrant” is not enough. The warrant must also conform to constitutional limitations, narrowly seeking evidence of a crime with particularity, based on probable cause. It is not a license for the government to rifle through the private lives of anyone it suspects. As the Supreme Court recognized just yesterday, the Fourth Amendment was the founding generation’s response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity.
Facebook rightly challenged this overbroad pile of warrants. Indeed, it was the only entity who could. The gag order prevented Facebook from giving notice, so none of the users was in a position to assert their constitutional rights, or even know those rights were in danger.
Nevertheless, the DA disputed Facebook’s right to challenge the warrant in court, and the New York state trial court agreed, holding that “it is the Facebook subscribers who could assert an expectation of privacy in their posting, not the digital storage facility, or Facebook.” The court reasoned that this wouldn’t be a problem, because a criminal defendant could move to suppress the evidence before trial.
But what about the users who are never charged? The court never grapples with that issue, perhaps not realizing that ultimately 80% would not be the fraudsters the DA was looking for. Instead, the opinion moves on to justify the non-disclosure provisions by raising the spectre of evidence tampering by the users.
Under this pair of holdings, no one is allowed to challenge the authority of the DA in court. Facebook is not allowed and the users don’t know. (Ironically, in an earlier case involving Twitter, the court had found that the user had no rights to challenge the NY DA's data demand on Twitter). To paraphrase yesterday’s landmark Supreme Court ruling, the Founders did not fight a revolution to gain Fourth Amendment rights that no one can assert.
Facebook has appealed this dangerous precedent, seeking to "invalidate these sweeping warrants and to force the government to return the data it has seized and retained." And, nearly a year after the warrants issued, the case has been unsealed. But, despite a temporary stay, Facebook was eventually forced to comply, and the DA continues to hold a digital dossier of the lives of over 300 people never charged with a crime.
Facebook’s appeal is well grounded. The Stored Communications Act, upon which the court relied to issue the warrants, specifically allows for service providers to challenge court orders. On the merits, the overly broad warrants go beyond what the Constitution permits by failing to identify with particularity the criminal evidence to be seized, and failing to put in place procedures to protect the privacy of the people whose lives were invaded by the government.
The information cannot be undisclosed, but the New York appeals court can still help right this wrong by overturning the erroneous criminal court decision, quashing the warrants and requiring the DA to destroy the ill-gotten evidence.
Files: fbnyda_trial_court_order.pdf, fbopening_brief_in_re_381_search_warrants.pdf
Related Cases: New York v. Harris
It’s no secret that EFF is strongly opposed to the United States’ piecemeal approach to updating sanction provisions for the five U.S.-embargoed countries of Sudan, Syria, Cuba, North Korea, and Iran. We’ve noted that the fundamental problem with the United States’ reform method is that it’s “largely reactionary and ultimately prioritizes certain countries over others for reasons that are, to put it charitably, hard to discern.” For example, according to an article published by the Open Technology Institute, the Office of Foreign Assets Control (OFAC) issued Iran a new General License D-1—which replaces the old General License D—making it acceptable for U.S. companies to offer technology tools to Iran such as laptops and anti-virus software. Similar allowances have been made for Syria. Despite years of advocacy, Syrians did not enjoy greater access to technology until after civil war broke out in the country. Recognizing the need for communications technologies, the Department of Treasury issued a general license (§ 542.511) allowing for the access of “instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging ... provided that such services are publicly available at no cost to the user.”
Sudanese citizens have not enjoyed the same provisions. In fact, U.S. sanctions in Sudan actually “inadvertently aid the regime by blocking access to critical personal communications tools.” The simplest explanation for why sanction reforms have not yet occurred in Sudan seems to be a simple lack of political attention. In Iran, a greater capacity and market demand for technology led to a reconsideration of sanctions, while in Syria, the civil war triggered an advocacy effort to ensure access on the ground to key communications technologies. Unfortunately in Sudan—where 21 percent of the country’s 37 million citizens are online—people remain cut off from many important technologies, from medical resource sites to massive open online courses (MOOCs) and the Google Play store.
As we’ve written before, sanctions are only part of the problem. Since OFAC restrictions limit access to goods, technologies, and services from the U.S. or by a U.S.-person, corporate lawyers are often overly cautious, resulting in overbroad restrictions on access. For example, in 2009 LinkedIn, in an effort to protect itself from liability, made the decision to delete the accounts of users in Syria, a decision that also affected usability in Iran, North Korea, Cuba, and Sudan. It wasn’t until after the company was called out for being overly cautious that it reinstated service to Syrian users, admitting overcompliance with export controls restrictions. SourceForge took similar action in 2010, and Apple and Airbnb have both been called out for restrictions placed on Iranians.
Demand for many of the banned technologies and websites is high. Dalia Haj Omar, a Sudanese activist and blogger, told us via e-mail that MOOCs and other online educational programs are “in great demand, especially from a younger population that is turning to online education,” in part because of a 1989 decision by the government to Arabize school curricula. “Many youth realize they can't compete regionally or nationally if they don't have better education,” says Haj Omar. “Some universities are also turning to MOOCs to supplement their curriculums, since access to hard copy books is hard and expensive.”
Sudanese activists are calling for a general license similar to those issued for Iran and Syria. Such a measure would provide residents of the country with much-desired access to sites like Mathworks.com, which provides engineers and scientists with software to discover, research, and innovate; anti-virus software updates from companies like Norton and AVG; and developer sites like SourceForge.
In the meantime, companies can help ease the pain of deprivation by applying for individual licenses. A company that wishes to export to Sudan can file an online application with OFAC for a license. Alternatively, companies may also request “interpretative guidance” as to whether or not they require a license.
Is your company looking to apply for a license? EFF wants to help!
We challenge those companies who are concerned about these restrictions to take the simple steps necessary to apply for a license. In fact, this is so important to us that EFF is willing to help companies that want to take these steps but don’t have the resources to do so. Please contact EFF's Legal Director, Cindy@eff.org, if you'd like our help.
In limiting access to these sites, the Department of Treasury is unjustly preventing Sudanese from accessing information and technologies that are necessary for the advancement, innovation, and democracy of the country. And the fact that users in other U.S.-sanctioned countries sometimes have access to these technologies, while Sudan is left on the sidelines to watch, is just a slap in the face.
Related Issues: Free Speech, Export Controls, Innovation, International
The murky copyright situation surrounding phone unlocking could get a little bit clearer, thanks to the new and somewhat improved Unlocking Consumer Choice and Wireless Competition Act, a bipartisan bill in the Senate.
As a refresher: the notion that phone unlocking might violate copyright law comes from an ill-conceived section of the Digital Millennium Copyright Act (DMCA) that prevents the circumvention of technical measures around copyrighted works. If such measures are understood to include restrictions on phone software, then unlocking may violate the DMCA—an outcome Congress never intended.
It's not clear that such an argument would stand up legally, but for years the legal cloud was lifted thanks to a specific exemption to the anti-circumvention rules, granted by the Librarian of Congress in a triennial rulemaking procedure. But in the latest round, the Librarian ended that exemption, restoring a dangerous climate of legal uncertainty. Consumers, understandably, were outraged. A popular petition gathered over 100,000 signatures, drawing responses from the White House, the FCC, and legislators on both sides of the aisle, ultimately bringing us to this week's bipartisan language.
The bill, introduced by Senators Patrick Leahy and Chuck Grassley, offers a narrowly targeted fix to this specific issue, reversing the Librarian of Congress' denial and effectively putting the exemption back on the books until the next rulemaking concludes—about another year.
The bill also makes clear that the exemption does not require phone owners to perform the unlock themselves, and that they can direct others to unlock their devices without running afoul of the law. Moreover, it instructs the Librarian to consider extending the exemption to include other locked devices, such as tablets. Finally, unlike the House bill, it excludes the dangerous language targeting bulk unlocking, which we feared sent a message that Congress implicitly approves using copyright law to target a business model.
This is a good step in the right direction, but we have a ways to go. The fact is that phone or tablet unlocking, per se, isn't the real issue. The real issue is that an overbroad section of copyright law is sticking its nose in places where copyright simply does not belong. To the extent phone unlocking is affected, that's certainly a problem for users—but it's far from the only area the anti-circumvention rules in the DMCA have bitten the public. Any legislative solution that limits itself to phone unlocking is treating one symptom, and not the underlying disease.
All in all, this proposal is a fine fix for the specific problem of phone unlocking. It looks likely to pass, which is undeniably a good thing for phone owners.
But as we've told Congress before, users deserve better, too. They deserve a more holistic approach to the DMCA's anti-circumvention rules, and the unnecessarily burdensome process of repeatedly arguing for exemptions. It's not impossible to develop such an approach, either; Representative Zoe Lofgren's Unlocking Technology Act, introduced last year, would be a great start.
It may be more difficult politically to achieve a real solution than a fast and narrow fix, but as the damage from anti-circumvention measures continues to mount, it's clear that it is absolutely worth the effort.
Related Issues: Fair Use and Intellectual Property: Defending the Balance, DMCA, DMCA Rulemaking, Innovation, DRM
San Francisco - The U.S. Supreme Court issued two big rulings in important technology cases today.
In a groundbreaking decision on cell phone privacy, the court set powerful limits for police searches of cell phones, ruling in two consolidated cases that law enforcement must get a warrant before accessing the data on an arrested person's cell phone. The Electronic Frontier Foundation (EFF) filed amicus briefs in both of the cell phone search cases that were at issue in today's decision.
"These decisions are huge for digital privacy," EFF Staff Attorney Hanni Fakhoury said. "The court recognized that the astounding amount of sensitive data stored on modern cell phones requires heightened privacy protection, and cannot be searched at a police officer's whim. This should have implications for other forms of government electronic searches and surveillance, tightening the rules for police behavior and preserving our privacy rights in our increasingly digital world."
In its opinion, the court confirmed the importance of the warrant requirement, writing "Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple—get a warrant."
EFF also filed an amicus brief in American Broadcasting Companies v. Aereo, a case where TV-streaming company Aereo was innovating when and how consumers watch television programs. The court decided, incorrectly we believe, that Aereo needed copyright holders' permission to stream free over-the-air broadcast TV shows, creating new uncertainty for cloud storage systems and other new technologies that transmit content.
"With this ruling, the Supreme Court said that technology companies can't rely on the words of the Copyright Act—companies can follow the letter of the law but still get shut down if a court decides that their business is somehow similar to a cable company," said EFF Staff Attorney Mitch Stoltz. "This decision will make it harder for new independent media technologies to get launched and funded without the blessing of major media companies, and that's a loss for all of us."
EFF will have in-depth analysis of both these cases on its Deeplinks blog coming soon.
Electronic Frontier Foundation
The FBI plans to roll out the face recognition component of its massive Next Generation Identification (NGI) biometrics database this summer—but the Bureau has six years of catching up to do in explaining to Americans exactly how it plans to collect, use and protect this data. Today we called on Attorney General Eric Holder to do just that.
As we explained in the letter:
The capacity of the FBI to collect and retain information, even on innocent Americans, has grown exponentially. It is essential for the American public to have a complete picture of all the programs and authorities the FBI uses to track our daily lives and an understanding of how those programs affect our civil rights and civil liberties.
For this reason, it’s imperative that the FBI conduct and publish a current privacy impact assessment (PIA) for NGI.
The Privacy Act of 1974 requires all federal agencies that maintain records on Americans to explain how they collect, store, and use that information. As part of that process, agencies are required to perform a PIA and make that assessment available to the public. According to the DOJ’s own guidelines, this is not optional. Despite this, DOJ has not updated its PIA for the face recognition component of NGI since 2008.
As we said in the letter (and have said before):
The facial recognition component of NGI poses real threats to privacy for all Americans, and could, in the future, allow us to be monitored and tracked in unprecedented ways. NGI will include criminal and non-criminal photos, and the FBI projects that by 2015, the database could include as many as 52 million face images. 4.3 million of those would be taken for non-criminal purposes, such as employer background checks. It appears FBI plans to include these non-criminal images every time a law enforcement agency performs a criminal search of the database.
The extensive collection and sharing of biometric data at the local, national, and international level should raise significant concerns among Americans. Data accumulation and sharing may help solve crimes across jurisdictions or borders, but it can also perpetuate racial and ethnic profiling, social stigma, and inaccuracies throughout all systems and can allow for government tracking and surveillance on a level not before possible.
Given the threats NGI poses, the DOJ must conduct a robust assessment of the program to ensure it does not become a tool for the surveillance of innocent Americans—and DOJ must complete this process before NGI’s face recognition component becomes fully operational later this summer.
American Civil Liberties Union
Bill of Rights Defense Committee (BORDC)
Brennan Center for Justice
Center for Digital Democracy
Center for Democracy & Technology
Center for Financial Privacy and Human Rights
Center for National Security Studies
The Constitution Project
Consumer Federation of America
Council on American-Islamic Relations
Council for Responsible Genetics
Cyber Privacy Project
Defending Dissent Foundation
Electronic Frontier Foundation
Electronic Privacy Information Center (EPIC)
Friends of Privacy USA
Government Accountability Project
National Association of Criminal Defense Lawyers
National Urban League
Patient Privacy Rights
Privacy Rights Clearinghouse
R Street Institute
World Privacy Forum