Deeplinks Blogs related to Privacy
Protecting Yourself From Suspicionless Searches While Traveling
Posted by Jennifer Granick
The Ninth Circuit's recent ruling (pdf) in United States v. Arnold allows border patrol agents to search your laptop or other digital device without limitation when you are entering the country. EFF and many civil liberties, travelers' rights, immigration advocacy and professional organizations are concerned that unfettered laptop searches endanger trade secrets, attorney-client communications, and other private information. These groups have signed a letter asking Congress to hold hearings to find out what protocol, if any, Customs and Border Protection (CBP) follows in searching digital devices and copying, storing and using travelers' data. The letter also asks Congress to pass legislation protecting travelers' laptops and smart phones from unlimited government scrutiny.
If privacy at the border is important to you, contact Congress now and ask them to take action!
In the meantime, how can international travelers protect themselves at the U.S. border, short of leaving their laptops and iPhones at home?
Many travelers practice security through obscurity. They simply hope that no border agent will rummage through their private data. Too many people enter the country each day for agents to thoroughly search every device that crosses the border, and there is too much information stored on most devices for agents to find the most revealing and confidential tidbits. But for travelers who may be targeted based on their celebrity, race or other distinguishing factor, obscurity is not an option. As last week's news that Microsoft is giving away forensic tools that can quickly search an entire hard drive on a USB “thumb drive” shows, it won't be long before customs agents can efficiently perform a thorough search on every machine. So long as there are no protocols or oversight for these searches, every traveler's personal information is at risk.
Encryption is one (imperfect) answer.
If you encrypt your hard drive with strong crypto, it will be prohibitively expensive for CBP to access your confidential information. This answer is imperfect for two reasons—one is practical, the other is technological.
Stopping Abuse of the State Secrets Privilege
Posted by Tim Jones
Update: A victory! On Thursday, the Senate Judiciary Committee approved the State Secrets Protection Act. Thanks to everyone who contacted their Senator. Stay tuned to Deeplinks for more info as the bill moves through the Senate.
This week presents an opportunity to put a stop to one of the main tactics in the Bush administration's bag of sketchy legal tricks.
The State Secrets Privilege allows the White House to hide evidence of wrongdoing, and even to try to dismiss important lawsuits, with a unilateral claim that "State Secrets" are endangered. This doctrine was adopted by the Supreme Court in the McCarthy era, and was originally meant to be used only in exceptional circumstances. However, since 2001, the Bush Administration has repeatedly abused the Privilege in attempts to cover up potentially embarrassing or illegal activities.
For instance, when the ACLU sued the NSA in 2006, asserting that domestic spying activities were unconstitutional, the Justice Department misused the privilege to keep the court from deciding the case on its merits. And, right now, the Bush administration is trying to do the same thing to the EFF's lawsuit against AT&T and other lawbreaking phone companies.
Now, Congress may finally be ready to act to stop these abuses. On Thursday, the Senate Judiciary Committee will consider S.2533, the State Secrets Protection Act, which would bring much-needed judicial supervision that could help eliminate bogus state secrets claims, while carefully protecting legitimate interests in national security.
In the wake of the Act's introduction, there's been important media attention to SSP abuse. National Journal detailed how "the government has shown, time and time again, that it cannot be trusted not to use bogus national security claims to avoid exposure of misconduct or embarrassment." On Friday, The New York Times editorial board asked "Whose Privilege?," writing that the bill "would go a long way toward restoring the balance and the accountability and openness that are essential for a democracy." And this week, The New Yorker published an article discussing the problems states secrets abuse poses for targeted organizations like the Islamic charity Al Haramain.
If one of your Senators is on the Judiciary Committee, then you're uniquely positioned to encourage the Committee to approve this legislation and make a real difference in fighting government secrecy. Contact them now and tell them to support the State Secrets Protection Act.
Department of Homeland Security "Blinks" and Offers Real ID Extensions to Holdout States
Posted by Richard Esguerra
We've written previously about the showdown between the states and the Department of Homeland Security (DHS) over Real ID -- a federal mandate that seeks to turn states' driver's licenses into national identity cards. Several states have rightfully vowed to oppose Real ID because it's expensive and a massive violation of privacy for their citizens.
Earlier this year, the Department of Homeland Security gave the states an ultimatum: If you aren't going to implement Real ID by May 2008, file for an extension by March 31, 2008. If you don't file for an extension, you risk having your state's IDs rejected when your citizens try to get on planes or enter federal buildings in May.
The DHS offered this extension option partially because the May deadline was too tight for many states, regardless of whether they approved or opposed Real ID. More sneakily, however, the extension offer was also a way for the DHS to delay a looming conflict with states that refused to implement the destructive provisions.
A few holdout states refused to cave to the delaying tactic. Days before the March 31st deadline, Montana and South Carolina stood strong and stared down the agency's threats, rejecting Real ID in letters addressed to DHS Secretary Michael Chertoff -- but the DHS "blinked" and responded by treating the letters as requests for extensions instead. The agency also sparred with Maine, eventually granting a post-deadline extension after negotiating over some of the more isolated Real ID provisions.
Ultimately, the delays and extensions can't stand against the arguments overwhelmingly pointing to the repeal of the flawed Real ID Act. Even states that made extension requests have included caveats -- take California, whose Director of the Department of Motor Vehicles wrote, "California's request for an extension is not a commitment to implement REAL ID, rather it will allow us to fully evaluate the impact of the final regulations and proceed with necessary policy deliberations prior to a final decision on compliance."
Otherwise, leaders in Congress recognize Real ID as flawed legislation and it faces broad opposition from the states saddled with implementing it. Keep the issue on Congress' plate by demanding a repeal of Real ID through our Action Center.
PrivacyFinder.org: Search, but with Privacy
Posted by Peter Eckersley
The level of privacy offered by search engines is generally woeful. Last year, the three big players (Google, Yahoo! and MSN) made some improvements by limiting the duration for full retention of logs about who has searched and what they've searched for. That means that after a year or two, it would be harder — though probably not impossible — for the major search engines and their advertising partners to reconstruct a complete history of your searches.
Ask.com went further with their AskEraser feature, which allows users to have their logs deleted and to opt-out of being tracked (Ask.com could have done better by finding a way for opt-out to be available without a cookie).
Despite these improvements, the average Internet user still has very little privacy for their search history. We have documented the measures you can take to protect yourself, but they aren't all that simple.
So it's exciting to report that one small search engine is experimenting with ways to be an aide, rather than a threat, to privacy. PrivacyFinder is a research project at the CMU Usable Privacy and Security Laboratory (full disclosure: Lorrie Cranor, who heads the lab, is also on the EFF Board). It offers an interface to Yahoo! and Google, but with two notable improvements: an excellent logging/data retention policy, and a feature that shows the user information about sites' privacy policies along with the search results. That way, if two sites offer the same service but one of them is better from a privacy point of view, the user will see that quickly. The PrivacyFinder researchers tell us they've observed that people will, for instance, pay more for an item from an online store if they can see that it has an excellent privacy policy.
PrivacyFinder seems to be making productive use of P3P, an old privacy standard that has, in many other respects, fallen short of expectations. If you run a search on the site, you can quickly see when one result matches your standards and others don't.
Privacyfinder's logging policy is amongst the best in the industry (Ixquick is also first-rate). Privacyfinder only keeps search records for a week, unless the user explicitly opts in to being tracked. Because the CMU Laboratory wants to do research on the use of search engines, it's offering prizes for people who are willing to be tracked for research purposes. That's the way we like to see it done.
Meanwhile, several other developments are in the works. New York State legislators have been talking about taking parts of the search privacy problem into their own hands. There are rumors of new startups planning to enter the "privacy search" market. And EFF is working on a scorecard for systematically evaluating the effectiveness of various privacy measures at search engines. Stay tuned to Deeplinks for future developments!
House Judiciary Committee Slams Immunity and Calls for Deeper Investigation of Warrantless Surveillance
Posted by Richard Esguerra
For weeks, the House has been deliberating on its response to the Senate's FISA Amendments Act, which aims to grant retroactive immunity for telecoms involved in warrantless wiretapping. While it's seemed like a possibility that the House was going to cave and agree to grant immunity, the tides have shifted in a big way in the last few days.
Yesterday, House leaders announced a bill that would not grant telecom immunity, and today, House Judiciary Chairman John Conyers, Jr. (D-MI) and 19 Members of the House Judiciary Committee issued a strong statement dismantling flawed pro-immunity arguments and delivering concrete findings and recommendations on dealing with the secretive terrorist surveillance program and telecom immunity.
Phone or email your Representative today -- urge them to maintain opposition to retroactive immunity.
Advocacy Groups Urge Congress to Hold Fast Against Immunity
Posted by Richard Esguerra
In light of new allegations of unusual and suspicious telecom systems, 34 prominent advocacy groups have signed a letter urging Congress to hold fast in defending against telecom immunity.
Citing a significant body of opposition to telecom immunity, including a letter from leaders from the House Energy and Commerce Committee, long-standing evidence of telecom lawbreaking from AT&T whistleblower Mark Klein, whistleblower Babak Pasdar's allegations of an unsecured gateway to wireless communications at a major telecom, and a strong letter from four former senior intelligence officials, the groups say:
If Messrs. Pasdar and Klein are telling the truth, they have described the tip of an iceberg. Congress must find out what is underneath. Accordingly, we urge you to investigate these matters fully and not grant retroactive immunity in the meantime.
Real ID Rebellion Roundup
Posted by Richard Esguerra
Pedro Nava, a prominent California Assemblymember, introduced a non-binding resolution today that asks California's members of Congress to oppose Real ID, the unfunded federal mandate to turn driver's licenses into a national ID card. It highlights the state's growing opposition to Real ID as legislators and citizens begin to realize the astronomical cost and catastrophic privacy implications of participating in the federal program.
The California resolution comes hot on the heels of a widely-heard NPR interview with Brian Schweitzer, the governor of Montana, who outlines his state's staunch opposition to the Real ID mandates. In the interview, he cites such concerns as state sovereignty and the absence of systems to actually facilitate Real ID. Also, in the interview, Gov. Schweitzer boldly announces that his state will call the federal government's "bluff" on the issue of air travel -- the Department of Homeland Security has threatened that on May 11th, states that have not embraced Real ID will find their licensees treated differently in regards to air travel and access to federal buildings.
Finally, Real ID opposition at the federal level features a budget amendment sponsored by Sen. Jon Tester (D-MT) that seeks to funnel budget money away from Real ID to be used to benefit veterans instead. Stay tuned for more about the Tester amendment later this week.
For more information about Real ID, its impact on privacy, and the looming showdown between the federal government and the states, check out News.com's four-part series on Real ID.
A New Digital Right?
Posted by Danny O'Brien
The German Constitutional Court (the Bundesverfassungsgericht) ruled today on what the German press is calling "a new basic right" - one that guarantees the confidentiality and integrity of computer systems.
The court spelled out the protection as part of its judgement (available in German) on the constitutionality of a law that let police infiltrate a suspect's computer by using trojan horses or rootkits. Such police powers had been repeatedly called for by the Federal Minister of the Interior, Wolfgang Schäuble, as well as the head of the German Federal Police.
The first implementation of the law, by the federal state of Nordrhein-Westfalen, was struck down by the court, which said that such invasions of computer systems clashed with the "general personality right" - a right the court had previously derived from the Constitution's basic right to human dignity and personal freedom.
It's easy to see this as a new right in itself - but perhaps it is better to understand it, as the court did, in terms of a reasonable (and perhaps overdue) updating of the language of traditional human liberties.
Just as EFF has argued that the United States' Constitution's wording against warrantless searches should protect the privacy of the contents of your computer and email as strongly as it does the privacy of real world "papers and effects", so the German constitutional court said that the 1949 constitution protects the digital contents of a PC or laptop (or any other "informationstechnischer Systeme") against secret surveillance as tightly as your possessions in the real world. A virtual trojan horse is as uncivilized a tool of the police as sneaking an officer into your own home.
As with an earlier decision on wiretapping, the court also held that the essential core of private life must never be surveilled by the state: the act of practicing a religion, say, or conversation between family members.
Germany, a country with a proud (and hard-learned) modern tradition of protecting the privacy of its citizens, now has some interesting new legal territory to explore. On the modern Internet, the core of citizens' private life is increasingly distributed among many different computers. A conversation between family members can take place on Facebook (or StudiVZ, its German equivalent); the private contents of your home PC may be backed up on an online storage service.
German law enforcement will have to tread carefully not to violate its citizens' basic rights in a world where even the most private life is remotely accessible and spread far and near. We hope that the techniques they develop will be shared and spread with the rest of the world's law makers and law enforcement community.
Embedded Video and Your Privacy
Posted by Seth Schoen
We've recently started embedding video from YouTube and elsewhere into Deeplinks and other areas of EFF.org. This posed a challenge: On one hand, embedded video is an important tool that we want to be able to use. But, on the other hand, embedded video has worrisome privacy implications that we thought we should do something about.
All embedded, in-line, or off-site content on the World Wide Web implies some privacy risk because of the way most web browsers work. Whenever you follow a link, or download an embedded or off-site resource, your browser sends a referer header (sic) that tells the web site what web page you came from. And whenever you load any document, your browser may send cookies that show whether you've visited the same site before, and that may even identify you directly. For instance, if you're logged into YouTube and you watch an embedded YouTube video on some other site, YouTube can still recognize you because your browser will still send a personalized YouTube cookie.
This means that loading an embedded video from within a blog could enable the video hosting site (and, in some cases, its advertising partners) to compile a history of which blog entries you were reading and when — even if you didn't try to play the video. When the video hosting site uses an <IFRAME> tag (an increasingly common technique), your browser will automatically load an entire web page from the hosting site; in the course of displaying that page, your browser might send several dozen cookies to several different entities including portal sites or advertising networks. (Even using software like a Flash blocker won't stop this from happening.)
So, that's the challenge we faced: We want to embed video here in the Deeplinks blog because it's an important way of communicating with our readers. But we've also gone to great lengths to protect our visitors' privacy; we believe that when you visit EFF.org, nobody but you should know about it. (For example, when you use our Google-based site search, EFF proxies the search result to Google with a special CGI script on our server, thus hiding your IP address and your Google cookie, if any, from Google's servers.)
As a compromise, we've developed a script called MyTube to protect your privacy. When we embed a video using MyTube, Deeplinks readers will see only a thumbnail from the embedded video — hosted on EFF's own servers — in their web browsers. MyTube prevents the third-party-hosted video from being loaded until and unless the user clicks to play it. (MyTube is currently implemented as a Drupal module — we'll be open-sourcing the code in Drupal CVS soon, as well as looking for ways to make the functionality available to non-Drupal websites.)
You can see it in action here and here.
This prevents YouTube.com (and other third-party video-hosts) from knowing you've been to EFF.org or reading Deeplinks unless you specifically click to watch the video.
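The click-to-load approach described above (a same-origin thumbnail shown first, the third-party player fetched only after the reader clicks), as an added example that is not EFF's MyTube module. It assumes a YouTube-style 11-character video id, a thumbnail already copied to the site's own server, and the site's own origin as the baseline for the "what does this markup fetch from elsewhere?" check that follows the referer/cookie discussion.

```javascript
// Added example (not EFF's MyTube Drupal module): a click-to-load embed.
// Until the reader clicks, the page contains only a thumbnail served from
// the blog's own origin, so the video host receives no request, and
// therefore no cookie and no referer, unless the reader opts in.

const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/; // YouTube-style id (assumption)

function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Placeholder markup: same-origin thumbnail plus a play button. thumbPath
// must be a path on this site (the site is assumed to have copied the image).
function buildPlaceholder(videoId, thumbPath) {
  if (!VIDEO_ID_RE.test(videoId)) throw new Error('bad video id');
  if (!thumbPath.startsWith('/') || thumbPath.startsWith('//')) {
    throw new Error('thumbnail must be served from this origin');
  }
  return `<div class="mytube" data-video-id="${videoId}">` +
         `<img src="${escapeAttr(thumbPath)}" alt="Video thumbnail">` +
         `<button type="button">Play (loads video from YouTube)</button>` +
         `</div>`;
}

// Player markup, created only after the click. referrerpolicy keeps the
// blog URL out of the request the reader has now chosen to make, and
// sandbox limits what the third-party frame may do on the page.
function buildPlayer(videoId) {
  if (!VIDEO_ID_RE.test(videoId)) throw new Error('bad video id');
  return `<iframe src="https://www.youtube.com/embed/${videoId}"` +
         ` referrerpolicy="no-referrer"` +
         ` sandbox="allow-scripts allow-same-origin allow-popups"` +
         ` allowfullscreen></iframe>`;
}

// Swap the placeholder for the player. `el` is any object with
// dataset/innerHTML (a DOM element in the browser, a plain object in tests).
function activate(el) {
  el.innerHTML = buildPlayer(el.dataset.videoId);
  return el;
}

// Review check: which hosts other than our own does this markup fetch from
// as soon as it renders? Expected to be empty for the placeholder.
function externalHosts(markup, ownOrigin) {
  const hosts = new Set();
  for (const m of markup.matchAll(/\bsrc="([^"]*)"/g)) {
    const u = new URL(m[1], ownOrigin);
    if (u.origin !== ownOrigin) hosts.add(u.host);
  }
  return [...hosts].sort();
}

// Browser wiring (skipped under Node): load the video only on click.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (ev) => {
    const box = ev.target.closest && ev.target.closest('.mytube');
    if (box) activate(box);
  });
}
```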
As the web gets smarter and more powerful, a broad range of exciting new tools for enabling collaboration and communication are emerging, of which embedded video is just one. As these capabilities grow, it's important to keep an eye on the unexpected privacy implications. Increasingly often, loading a website or even using a desktop application can send information to multiple third-parties without the user's knowledge or consent. EFF encourages the web community to help us find ways to make these information leaks transparent and controllable for the average user.
Google Gets Healthy
Posted by Hugh D'Andrade
In its endless quest to wring value from users' personal data, Google is branching out into health records. The Internet search giant has just announced a pilot project that would allow users to combine all their personal health records (PHRs) -- information about prescriptions, allergies, injuries, health history etc. -- into a single new service that would be as accessible as a Gmail account.
The convenience factor is clear -- the new service would make it easier for people who may have multiple health providers to make sure their doctors all have the same information. And for people who seek medical attention while traveling, the ability to bypass their HMO's byzantine bureaucracy in order to have a prescription filled might be welcome.
Google isn't the only business interested in helping people manage their health records. Microsoft launched HealthVault last year, and WebMD and Revolution Health are also competing in this area. These services are all part of a trend towards storing PHRs online, where they can be served up to the consumer, or to the consumer's health care professionals, instantly.
But how sure can you be that your PHRs remain private and secure once Google or some other company has them in its vast and constantly growing database? Who has access to that data, and what laws exist to protect it?
It isn't that there aren't privacy standards that seek to protect your health information. The Health Insurance Portability and Accountability Act (HIPAA) provides minimum privacy standards for records kept by health care providers and insurance companies -- standards that privacy advocates say don't go far enough. But as the World Privacy Forum recently pointed out, HIPAA’s limited protections won't necessarily cover records that are handed over to a third party such as Google:
HIPAA’s protections generally do not “travel” with or follow a medical record that is disclosed to a third party outside the health care treatment and payment system. If a health care provider (such as a hospital or a pharmacy, etc.) or a health plan maintains a health care record, the record is protected under HIPAA. But if a third party that is not a covered entity under HIPAA obtains the records, then HIPAA does not usually apply.
As the AP article on Google's new program puts it:
That means a patient who agrees to transfer medical records to an external health service run by Google or Microsoft could be unwittingly making it easier for the government or some other legal adversary to obtain the information...
If the medical records aren't protected by HIPAA, the information conceivably also could be used for marketing purposes.
At the moment, Google is testing its new program in a clinic in Cleveland. When they finally unveil the finished product to the public, we'll be watching to see what their terms of service and privacy policy say. If the consumer wants to opt out, can they? Aside from questions of how and when Google shares the data, what else are they doing with it? And what sort of privacy and security architecture are they using? Then we'll know if their stated commitment to privacy extends to their customers' private medical records.