UPDATE: Disappointingly, neither Obama or Romney was asked a question about Internet freedom or digital civil liberties at the debate on October 3rd. But there are still two debates presidential debates remaining—tonight, October 16th and the final debate on the 22nd. Also, don't forget to follow the Internet 2012 Bus Tour, started by Reddit co-founder Alexis Ohanian, which is traveling to each of the Presidential debates promoting Internet Freedom.
Tonight at 9 pm eastern, President Barack Obama and Governor Mitt Romney will participate in the first of three presidential debates before the election on November 6th. Both Democrats and Republicans gave a general nod to Internet freedom in their party platforms for the first time this year, but we have yet to hear many specifics from either candidate.
Below are 14 questions—three for President Obama, three for Governor Romney, and eight for both candidates—we’d like to see answered in detail. Also, do not forget to go here and register to vote for Internet freedom on November 6th.
You have recently supported the reauthorization of both the Patriot Act and the FISA Amendments Act, two laws you previously opposed before you were president, citing how they violated Americans’ civil liberties. Why have you not sought to reform those bills as promised and will you in the future?
Under your administration, the Department of Homeland Security has unilaterally seized the domain names of many websites without due process on flimsy evidence of copyright infringement. No charges were filed and some of the domains were handed back a year later with no explanation. Do you believe this censorship tactic violates the First Amendment?
Questions for Mitt Romney:
The Republican platform calls for “full constitutional protection” from “government overreach” of personal data. Yet the Republicans in Congress overwhelmingly supported CISPA, which carved a huge hole in existing privacy laws in the name of cybersecurity. Do you support allowing companies to hand over personal information of its customers to the government like CISPA would have?
You’ve also previously supported the Patriot Act and the FISA Amendments Act—the former of which weakens digital privacy protections and the latter of which allows for warrantless wiretapping of Americans overseas communications. Do you support reform of these bills to protect Americans’ privacy from government overreach, as your party’s platform states? Do these bills violate the Constitution?
In 2007, you stated on the campaign trail on two different occasions that you would you require porn filters to be installed on all new computers sold in the United States. Won’t that violate the First Amendment and do you still support that policy?
Questions for Both Candidates:
A tremendous (and growing) amount of credible public evidence shows that the government has built a massive program that gives the NSA unfettered and warrantless access to the communications and communications records of ordinary Americans. Do you believe this is consistent with the Fourth Amendment? Do you believe that the courts should be able to decide whether widespread, non-targeted domestic surveillance is legal or constitutional?
Do you believe that the publication of truthful information on a matter of public importance is protected by the First Amendment? If so, doesn’t it protect WikiLeaks when it publishes classified information in the public interest, just as it protects the New York Times and Wall Street Journal?
The nation’s core electronic privacy law, the Electronic Communications Privacy Act (ECPA), was enacted in 1986—before the World Wide Web was invented—and provides weaker privacy protections than are required for physical mail and phone calls. Will you support efforts to update the law to require a warrant before the government can demand a person’s stored emails, location information, their address books, the websites they visit and similar information stored across the web?
In January, Americans protested the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA), which would have allowed large swaths of the Internet to be censored in the name of overzealous copyright enforcement. Do you pledge that you will veto a similar bill, or any other bill that allows corporations or government to censor the Internet without due process?
There is ample evidence the patent system, particularly when it comes to software patents, is broken and actively hurting the economy. Do you have plans to reform the patent system so big companies can free themselves of billion dollar lawsuits, and startups do not have to worry about patent trolls?
Last year alone, law enforcement officials demanded Americans’ cell phone location data at least1.5 million times, and in the vast majority of those cases, they did so without a warrant. Do you believe Americans should have a reasonable expectation of privacy when carrying their cell phone, given it can map a person’s exact movements for weeks or months at a time?
The FAA estimates as many as 30,000 drones will be flying over U.S. skies by the end of the decade. What privacy safeguards will your administration support to ensure Americans’ privacy is not violated by surveillance drones operated by law enforcement?
Location privacy took a hit in California yesterday when Governor Jerry Brown vetoedSB 1434, an EFF- and ACLU-sponsored bill that would have required law enforcement to apply for a search warrant in order to obtain location tracking information. Despite the bill's passing through the state legislature with overwhelming bipartisan support, despite local newspaper editorials in favor of the bill, and despite more than 1,300 concerned Californians using our action center to urge him to sign the bill into law, Governor Brown instead decided to sell out privacy rights to law enforcement.
It's not the first time, either. Last year, he did the same thing with SB 914, a bill that would have required police to obtain a search warrant before searching an arrested individual’s cell phone incident to arrest.
In a short veto statement (PDF), Governor Brown recognized the need to update our privacy laws, but explained
It may be that legislative action is needed to keep the law current in our rapidly evolving electronic age. But I am not convinced that this bill strikes the right balance between the operational needs of law enforcement and individual expectations of privacy.
For Governor Brown, it appears the “right balance” is to tip the scales decisively in favor of law enforcement. Because while vetoing SB 1434, Governor Brown did sign AB 2055, a competing bill sponsored by the Los Angeles County District Attorney’s Office and supported by almost every state law enforcement agency, which claims to “require the issuance of a search warrant before a law enforcement agency could obtain GPS location information from any electronic tracking device.”
AB 2055 is a narrow response to the U.S. Supreme Court’s decision in United States v. Jones, which held the Fourth Amendment required law enforcement to obtain a search warrant before installing a GPS device on a car. In theory, AB 2055 changes California law to explicitly permit law enforcement to apply to a judge for a search warrant to install a GPS device. But in fact, it does not requirepolice to obtain a search warrant. It just says they can apply for one. So to the extent it attempts to codify Jones, it fails. And, more basically, there’s no need to codify Jones: the Supreme Court’s decision is the law and California law enforcement officials have to follow it, regardless of what state law says.
That’s not the only problem with AB 2055. That law only applies to GPS devices, and not the other myriad ways law enforcement can obtain location information without installing a GPS device. With increasing concern about law enforcement’s growing addiction to warrantless cell phone tracking — which a federal appeals court in New Orleans will be hearing argument about tomorrow — any legislative action needs to be forward-looking and future-proof. And while we might expect a state that boasts the world's biggest technology companies and just legalized self-driving cars to move the law forward, Governor Brown has instead decided to maintain the status quo.
Ultimately law enforcement got exactly what it wanted with AB 2055, which is nothing at all. And while Governor Brown joins the chorus — which included Justice Alito in his concurring opinion in Jones — that solemnly speaks of the need to update our electronic privacy laws to reflect the changing technological landscape, his words ring hollow when he vetoes a bill that had bipartisan legislative support. Because in the end, all that's been done since the first federal electronic privacy bill was passed in 1986 has been a steady diet of allowing law enforcement to gorge itself on as much data and information they can eat without a warrant. It's no surprise that now they're hooked, they'll do whatever it takes to keep the information faucet on. Governor Brown's veto of SB 1434 only continues this dangerous trend.
Fast-growing online payment provider Stripeannounced on Friday that they were embracing transparency around government requests. When the company receives a legal request to shut down a user’s account, Stripe will send a copy to the transparency website Chilling Effects, a site maintained by EFF and law school clinics that accepts and publishes take down notices from across the web. Stripe is the first payment provider to participate in Chilling Effects. Stripe’s actions will help ensure that attempts by the government to silence sites by shutting down their revenue source will be open to public scrutiny and debate.
Stripe General Counsel Jon Zeiger explained on the company blog:
These issues rarely arise, and there’s no particular situation that makes this timely. We simply want to implement the right policies as early as possible, and we intend to build on these steps over time. For example, we’re thinking about ways to make data and statistics available in this area, such as what Google has done with their Transparency Report.
Our goal with Stripe is to help build the economic infrastructure of the Internet. Economic infrastructure, like other fundamental layers of the Internet, requires trust and transparency. We hope these policies increase both.
In the last few years, we’ve learned just how important payment providers are to upholding online speech and privacy. In 2010, after a series of publications that made international headlines, the whistle-blower website WikiLeaks faced a host of service providers shutting down its accounts. PayPal, MasterCard, and Visa terminated WikiLeaks’ accounts, leaving it with a crippling financial blockade. Other services providers cut the site off as well.
But one major company resisted government pressure. Twitter fought a secret court order to hand over private user data associated with the Wikileaks investigation, winning the right to inform the Twitter users that their data was sought by the government. In addition to taking one of the targets on as a client, EFF was inspired by Twitter’s actions to launch a campaign to promote policies of transparency about government access requests. Our annual When the Government Comes Knocking, Who Has Your Back? report rates companies on whether they commit to transparency about government access requests.
Payment providers are a vital financial pathway for activists, dissidents, and other controversial figures, but are also all too attractive points of control for anyone hoping to use Internet intermediaries as censors for our online speech—especially governments seeking to censor speech. We saw this in the proposed Stop Online Piracy Act (SOPA), which would have allowed content owners or the government to pressure payment providers to shut down accounts on the mere accusation of copyright infringement.
In other instances, we’ve seen payment platforms succumb to the temptation to police networks even without direct pressure from the government. Last February, PayPal threatened to cut off indie publisher Smashwords unless they agreed to stop selling otherwise legal fiction that explored issues of rape, incest, and bestiality. EFF, National Coalition Against Censorship, and American Booksellers for Free Expression led a coalition of free speech groups in fighting back, successfully convincing PayPal that books like Nabokov’s Lolita and the Bible should not be censored by arbitrary corporate policies.
There are only a handful of payment providers available, and yet at least one is necessary so that donations, payments, advertisements, auctions, and online stores can function. These payment providers can exercise powerful control over the content permissible online; a website owner may be forced to abandon controversial content rather than lose a payment provider, even when the content is Constitutionally protected. With its newest action, Stripe is setting an example for all payment processor to ensure that censorship requests are open to public scrutiny and users gain the knowledge they need to fight back against unwarranted data disclosures.
We urge all Internet intermediaries to follow suit and uphold transparency, privacy, and free speech by publicizing government access requests.
Game Over for Automatic Facebook Tag Suggestion in Europe
In a victory for consumer privacy, Facebook has agreed to suspend the automatic use of its facial-recognition tool in Europe. The tool suggests people to tag in users’ photographs when registered users upload them to Facebook pages. Facebook Europe has agreed that by Oct. 15, it will give EU users the choice as to whether to allow the use of facial recognition software.
The “tag suggestion” tool gives Facebook the ability to build a “signature” of an individual’s face, based on photos in which they have been tagged. Face.com – an Israeli company that Facebook acquired in June, which has stated that it has 31 billion face images profiled– developed the software. Facebook also agreed to delete all facial recognition data it stores about its European users.
Facebook made the announcement in response to an investigation by the Irish Data Protection Commission (DPC) as to whether its practices adhere to a series of recommendations the DPC made last December to ensure that the social network company was in compliance with European privacy laws and taking measures to protect users' privacy rights.
“Face recognition is here to stay, and, though many Americans may not realize it, they are already in a face recognition database. Facebook refuses to say how many face prints it has in its database and whether it creates a face print for photos of non-Facebook users. However, given that Facebook has approximately 170 million active monthly users in the United States alone, at least 54% of the United States population already has a face print.”
Freedom Not Fear Spurs New International Effort
The international Freedom Not Fear week of action, which wrapped up Sept. 17, brought activists together from Brussels to Sydney for protest events and workshops to highlight and challenge surveillance trends. Organizations from 11 European Union member states gathered for workshops in Brussels, and European Data Protection Supervisor Peter Hustinx met with advocates to discuss the upcoming European Union Data Protection Reform. He also delivered a detailed explanation of his interpretation of the “Freedom Not Fear” motto, saying, “Fear is always a bad adviser.”
A result of the gathering was the creation of a new International Working Group on Video surveillance. As EFF has explained before, closed circuit television cameras (CCTV) are becoming increasingly ubiquitous in the United Kingdom, and the introduction of a tool called Facewatch that is being used to target rioters in the London protests has activists especially concerned. The new working group has announced a campaign to react to the latest developments in privacy-intrusive technology, and targeting Facewatch is a high priority.
"The idea of 'Freedom Not Fear' is to give citizens and civil rights groups time and a place for networking in order to strengthen their engagement and personal efforts," says Michael Ebeling, part of the Freedom Not Fear organizing team. "We are glad that we are moving forward with this, bringing people from different countries together."
Australian Law Enforcement Pushing for Data Retention
Ongoing hearings are underway at the Australian Parliament about a package of National Security Inquiry proposals that would revise telecommunications interception laws and make it easier for law enforcement to eavesdrop on telephone and Internet communications. At a recent hearing, Australian police commissioners told members of Parliament they thought telecoms and Internet service providers should be required to store users’ digital communications for two full years, and that they wanted to help draft formal legislation to that effect. An article in an Australian publication called The Age suggests that police wanted data retention to extend even farther than the two-year time span:
[Australian Federal Police Commissioner Tony Negus] told the inquiry in Sydney that police would "ideally" prefer the information be held by telecommunication companies indefinitely, so it could be accessed by police at any time.
"The two-year proposal ... we could live with," he said. "It certainly wouldn't be ideal, but we could live with [it]."
The initial package of proposals, which was submitted by Australian Attorney General Nicola Roxon, contained only a very vague mention of a proposed data retention framework. Roxon submitted a letter to “clarify” the proposal on Sept. 19, leaving open the exact framework yet quoting extensively from the European Union Data Retention Directive, a policy instrument that EFF has joined international privacy advocates in opposing. The directive has been met with widespread resistance and has been found to be unconstitutional by several European courts.
Privacy advocates have criticized Roxon for withholding more detailed information about the mandatory data retention proposal until after civil society had submitted formal responses to Parliament based on the vague wording in her initial discussion paper. In late July, Roxon even told reporters that the "case has yet to be made" for the controversial data retention proposal. EFF will continue monitoring the status of the National Security Inquiry and data retention proposals in Australia.
Former New York Times reporter Kurt Eichenwald’s new book, published last week, provides yet more details about how the the NSA’s unconstitutional warrantless wiretapping program came about, and confirms that even top Bush Administration lawyers felt there was a “strong argument” that the program violated the law. “Officials might be slammed for violating the Fourth Amendment as a result of having listened in on calls to people inside the country and collecting so much personal data," Eichenwald wrote, and “in the future, others may question the legality” of their actions.
Eichenwald's book, 500 Days: Secrets and Lies in the Terror Wars, describes how the NSA’s illegal program—what he calls "the most dramatic expansion of NSA's power and authority in the agency's 49 year history"— was devised just days after 9/11 to disregard requirements in the Foreign Intelligence Surveillance Act (FISA). Instead of getting individualized warrants to monitor Americans communicating overseas, the Bush administration unilaterally gave the NSA the power to sweep up millions of emails and phone calls into a database for analysis without court approval:
Connections between a suspect e-mail address and others—accounts that both sent and received messages there, whether in the United States or not—would be examined. At that point, a more detailed level of analysis would be applied creating something of a ripple effect. The suspect e-mail address would lead to a second, the second to the accounts it contacted.
In other words, the NSA was given the green light to warrantlessly spy of Americans communications on American soil—a power that was illegal under FISA. And the government—instead of finding probable cause for surveillance like the Constitution requires—started using a burden of proof akin to the game Six Degrees from Kevin Bacon.
Eichenwald’s reporting, focused on the immediate aftermath of 9/11, unfortunately overlooks the NSA’s longstanding desire to live “on the network” reflected in its presentations to the incoming Bush Administration officials in December, 2000. The idea that the NSA only came up with this idea after 9/11 isn’t really accurate.1 But regardless, Eichenwald's reporting makes clear that Bush administration officials were terrified that this program would become public.
Of course, after several years, much of the NSA’s program did become public when the New York Times exposed its existence in their 2005 Pulitzer Prize winning investigation. Virtually every major news organization in the US subsequently reported on the NSA and its mass spying programs, which led to congressional investigations and a multitude of lawsuits—two which will be argued in the coming month.
Despite this all of this, the government recently filed a motion in the Northern District of California invoking the controversial “state secrets” privilege. Essentially, the government argues that—even if all of the allegations are true—the case should be dismissed entirely because admitting or denying any fact would potentially endanger national security, even in the face of the government’s own craftily wordsmithed “denials” before Congress and elsewhere.
In the ACLU’s case going before the Supreme Court this term, a group of journalists, lawyers, and human rights activists has sued over surveillance conducted after the passage of the FISA Amendments Act (FAA). The FAA was passed in 2008 and formalized some of the admitted portions of NSA’s program, allowing emails and phone calls to and from from overseas to continue to be acquired without a warrant. The government only needs one general court order to target large groups of people—even entire countries—communicating to Americans for an entire year.
The plaintiffs, given that their professions, regularly talk to people who are almost certainly spied on. They argue that surveillance of them without warrants renders the statute unconstitutional. But the government contends the case must be dismissed on “standing” grounds because the plaintiffs can’t prove with certainty they have been surveilled, because, in a perfectly circular argument, the government won’t “admit” they have been surveilled, as if public admissions by the government is the only way to prove illegal wiretapping.
As the ACLU writes, “The government theory of standing would render real injuries nonjusticiable and insulate the government’s surveillance activities from meaningful judicial review.” The same can be said of the ‘state secrets’ privilege in EFF’s case. The government is contending they can use government secrecy as a sword to terminate judicial accountability. It doesn’t matter how much evidence is in the public domain, just by telling the Court that the information implicates “national security," they can wall off entire subject matters from judicial oversight, effectively hiding illegality, unconstitutionality along with embarrassing or overreaching acts by NSA spooks and others.
Eichenwald is just the latest in a long line of journalists to discuss and organize details about the NSA’s unconstitutional program. At this point the American people are well aware of the NSA’s actions – only the courts have been kept in the dark. And if the courts go along with blinding themselves, the government will have been given a license to violate the law and constitution long into the future.
1. Before 9/11, the NSA asserted” “The volumes and routing of data make finding and processing nuggets of intelligence information more difficult. To perform both its offensive and defensive mission, NSA must ‘live on the network.’” Opsahl Decl. Ex. 4 [Vol. I, p. 214] (National Security Agency, Transition 2001 (December 2000), at 31). Moreover, the NSA asserted that its “mission will demand a powerful, permanent presence on a global telecommunications network that will host the ‘protected’ communications of Americans as well as the targeted communications of adversaries.” Id. at 32 [Vol. I, p. 215]
After years of being one of the most progressive regions in the world in terms of balanced copyright policy, Latin America is unfortunately sliding into copyright maximalism, enacting increasingly restrictive copyright enforcement measures into their federal laws.
While Chile spent years drafting their broad reform to the copyright system along with civil society groups, and Brazil excitedly discussed the reform of copyright law with unprecedented civil society participation to draft a balanced bill, Colombia and Panama have rushed to write and approve new copyright frameworks with drastic consequences for the digital generation. Why is this occurring? It is the result of top-down, harsh implementation of bilateral free trade agreements (FTAs) with the US, that require nations to enact far more restrictive language than what is found in the US itself.
This is precisely the kind of forum shifting and policy laundering we often blame on the US. But in these cases, Latin American governments should also be held accountable for their own choices.
Panama, which has had a long history of being susceptible to US political pressure, recently introduced a new copyright bill in order to fulfill the requirements of its FTA with the US. And they did so with no civil society consultation [PDF- Spanish]. Andres Guadamuz from Technollama called the bill, Bill 510, the “worst copyright law in history.” The Bill has been approved by the Panamanian Congress last Wednesday (September 26th), and is now awaiting the President’s signature which realistically could occur at any moment.
One of the major concerns with Bill 510 is that it completely abolishes due process from the proceedings of infringement claims. The law would create an administrative branch called the General Copyright Directorate (DGDA). The DGDA can slap users with an infringement charge and will only allow users 15 days to prove their innocence. Once arrested, they can be fined up to approximately $100k USD for the first offense, and $200k for the second1.
The monetary fines from users would not revert to cultural funds or to the copyright holders, but would go into the pockets of the government through the DGDA. Moreover, the public servant that imposes the fine wins a “bonus” of up to 50% of their salary. The absurdity of the law is that the enforcement agency will have the authority to investigate, accuse, assign the penalties, and get the final “revenues” of their work.
This is not only a clear violation of due process, but a system creating a direct incentive for the DGDA to immediately monitor all torrent use in Panama, and identify all people associated with IP addresses to be summoned and fined, regardless of legitimate infringement. Consequently, this law would pose undeniable threats to free speech, by striking fear into all users who share content, while also violating their privacy by enabling a system that allows a government agency to monitor all of their online communications. Nothing about this law is meant to promote new innovation or creative works. It will only produce new bureaucrats who have the authority to criminalize and intimidate Internet users. No other country has given the copyright office this sort of unchecked power before.
The cherry on the cake is that the law extends copyright protection to temporary electronic copies without establishing the necessary exception for the transient copies needed for the Internet to function. The Ministry announces that this law brings Panama to the new digital era, but what this provision could do is hold anyone in Panama liable for simply using the Internet, and even hold ISPs responsible for “cache” files of content that is copyrighted. Such rules are anything but technologically progressive.
While users and digital rights organizations are noting its absurdities, governments and content industry associations commemorate the law. The Minister of Commerce and Industry of Panama, Ricardo Quijano, seemed pleased with Bill 510’s passage through Congress: “[Wi]th the implementation of this new Act, our country [Panama] is being upgraded within the international and global context.”
During the session that approved Bill 510, the Panamanian Congress said: “...with this bill, the country will count with an appropriate and effective norm for the protection of authors, industry, culture, information, entertainment and telecommunications”.2 In no moment has it mentioned users’ rights or a balanced approach adequate to the digital age, nor proven to generate jobs or wealth for Panamanians.
In another corner of Latin America, harsher copyright enforcements are also being enacted to uphold terms of an FTA with the US. Colombia signed their trade agreement with the US six years ago, which bound it to implement stricter copyright enforcement measures. The FTA did not preclude Colombia from adopting flexible copyright exceptions and limitations that would protect Internet users and counterbalance the heightened IP enforcement obligations, but it also does not require them. Did Colombia take advantage of this flexibility, which is also protected under international treaties and “soft” law, such as the Development Agenda?
No, Colombia did not. Instead, they rushed a bill, nicknamed Ley Lleras, into law within three weeks before President Obama’s visit earlier this year. The short timeframe, the government’s lack of respect for civil society, and its neglectful treatment of Congress as a bureaucratic institution all undermine what should be the core of the discussion—the need for balanced and pragmatic reform that empowers Colombians as digital citizens.
Ley Lleras was fast tracked and signed into law on April 13, 2012. Its text, for instance, prevents the “broadcasting through the Internet by land, cable or satellite of television signals” without permission from the owner of the copyright for the signal or its contents “regardless of” any limitations and exceptions to the exclusive rights in Colombia’s legislation. This law also goes beyond what US law, and creates liability for circumventing technologically effective measures imposed to control “access and unauthorized uses of works”. Although the Colombia-US FTA only requires that “willful” criminal infringers be punished, the new Colombian Copyright law sanctions those who are unaware that their non-profit acts may constitute an infringement.
What Can Be Done
While the law has already been passed in Colombia, there is still a small chance that Bill 510 can be stopped in Panama. We urge the President of Panama not to sign this law and to provide civil society an opportunity to be part of this process. We also urge Panama to sign onto the Open Government Partnership and implement a 21st century democracy guided by participation and transparency. The Panamanian government should be aiming to implement policies that support and further innovation and creativity, rather than enact copyright policies that undermine the technological and economic advancement of their own nation.
2. Original in spanish “con este proyecto el país contará con un ordenamiento adecuado y eficaz para la protección de los autores de las industrias, la cultura, la información, el entretenimiento y las telecomunicaciones” Source
The government of India has amassed a database of 200 million Indian residents' digital fingerprints, iris scans, facial photographs, names, addresses and birthdates. Yet this vast collection of private information is only a drop in the bucket compared to the volume of data it ultimately intends to gather. The Unique Identity Authority of India (UIDAI), the agency that administers Aadhaar -- India's Unique Identity (UID) program -- has a goal of capturing and storing this personal and biometric information for each and every one of India's 1.2 billion residents. Everyone who enrolls is issued a 12-digit unique ID number and an ID card linked to the data.
Once it’s complete, the Aadhaar system will require so much data storage capacity that it is projected to be 10 times the size of Facebook. And while it's optional to enroll, the program is envisioned as the basis for new mobile apps that would facilitate everything from banking transactions to the purchase of goods and services, which could make it hard for individuals to opt out without getting left behind.
India’s is the largest biometric ID scheme in the world, and the masssive undertaking raises serious questions about widespread data sharing, a lack of legal protections for users’ data, and concerns about whether adequate technical safeguards are in place to keep individuals’ information safe and secure.
Recently, EFF attended a talk by Srikanth Nadhamuni, a technologist and one of the program’s chief architects, at UC Berkeley’s Center for Southeast Asian Studies. While he characterized Aadhaar as a cutting-edge tool for fighting corruption and assisting the rural poor, EFF has concerns about the privacy implications of this sweeping effort.
Is Biometric Collection Necessary to Achieve the Program's Goals?
Nadhamuni framed Aadhaar as a program that could alleviate the plight of India’s rural poor, a large subset of the population that lacks reliable access to government services. “The city governments … were still being run by leather-bound books and pen,” he explained. “Not using technology to improve service delivery was something that we wanted to change. … The thought that I had was, if we could embed a unique number for each baby that was born, and that number got used in all the different applications, then that service delivery could improve. Once you have enrolled yourself, then you can go and buy your rations, or banking transactions, and so on, using authentication.”
Nadhamuni said UID would serve to eliminate fraud in circumstances where it is now impossible to verify individuals' identities. He described the tedious and costly weekly journey of a laborer to cash a paycheck to illustrate how UID could be used to make peoples' lives more convenient. He described a system in which UID numbers would spur the development of mobile phone apps, which would allow vendors to scan fingerprints on a handheld device to use UID authentication for all kinds of purposes and transactions.
When evaluating biometric systems, it's important to determine whether the collection and processing of personal information fit with the program's stated objectives. The goal of assisting the rural poor is well-intentioned, but the means Nadhamuni is proposing to achieve this end should be carefully examined. It's also worth asking why, if the stated objective is to aid the rural poor, the UIDAI intends to extend Aadhaar's reach to each and every one of India's 1.2 billion residents. EFF remains concerned about the problems inherent in centralized biometric ID databases, systems that have been met with resistance elsewhere and, in the case of Britain, even dismantled in the face of public outcry stemming from privacy concerns.
The creation of such a system raises concerns about the security of users' highly sensitive personal information. Nadhamuni said very little about whether there is a contingency plan in the case of a data breach, like the one that transmitted Israel's entire population database onto the Internet in a freely available format. What happens if people start to spoof fingerprint scanners, which German hackers have already proven is a relatively easy feat? What if identity thieves take it a step farther, by spoofing iris scanners (which Javier Galbally showed was possible at the Black Hat Security Conference this past summer)? Unlike a PIN code, a fingerprint or an iris is impossible to cancel and re-issue.
A Centralized Unique ID System is Risky
Nadhamuni seemed to accept without question that implementing a universal ID card would benefit India. “There is no standard identity document in India,” he said. He justified the collection of biometric data by saying that insurmountable overlap between existing governmental databases makes it impossible to create a unique database by merging all existing data sets.
Yet the assumption that there is an inherent need for a governmental framework that would aggregate all individuals’ personal information in one place should not go unchallenged. There are fundamental flaws in a system with a centralized database at its core, which grants a disproportionate amount of control to a single governmental entity that collects and stores the information. Regardless of the security precautions Nadhamuni assured would be in place, the creation of such a database inevitably creates a honeypot of sensitive information that becomes a natural target for would-be criminals.
India has no data privacy protection law to speak of, and the fact that this program is moving ahead in the absence of such a safeguard is problematic, particularly given the widespread data-sharing that is contemplated under this endeavor. Similar proposals have run into legal trouble. In March 2012, the Conseil Constitutionnel, the highest authority on the French Constitution, declared the provisions of a law permitting judicial and police use of a centralized national ID database to be unconstitutional.
In other countries, we've seen how biometric data can ultimately be used for purposes other than stated intentions. In Argentina, for instance, a new centralized, nationwide biometric ID will allow law enforcement to “cross-reference” information with biometric and other data initially collected for the purpose of operating a general national ID registry. This reverses the traditional practice of limiting police fingerprint databases to those suspected or convicted of criminal offences.
Once it is built, an enormous system based on the personal information of 1.2 billion people can begin to serve all manner of previously unimagined purposes. What's more, Nadhamuni suggested biometric identification with Aadhaar could become a convenient part of everyday life: the UIDAI lets private parties accept the IDs and verify their content online, for outsourced financial transactions or authenticating users for third-party applications. For example, people could have their fingerprints scanned on a shopkeeper's mobile device as a way of paying for items at a shop. It's astonishing to think that the enormous flows of data that would result from these applications – and the associated potential for monitoring Indians' physical whereabouts and day-to-day lives – would come with few legal safeguards.
Beware of Function Creep
A telling moment in Nadhamhuni’s lecture came when an audience member asked whether Aadhaar would be used for national security purposes. “I don't know about the linkage between UID and security,” Nadhamuni responded. “I was head of technology, and the specification that I was given was to build a system for social inclusion and the poor. So if there's a linkage, I don't know of it, and so I can't comment on what that linkage is.”
It's disappointing that he didn't say more, particularly given this New York Times op-ed by Indian journalist Aman Sethi suggesting that national security was at the root of a government initiative to collect biometric ID that predates Aadhaar and is now moving ahead in sync with the UID program. Function creep – when a program is introduced for one purpose and ultimately used for another – is a serious consideration when assessing biometric ID systems. What will happen when data collected by the UIDAI is used in conjunction with a governmental surveillance program or national security initiative? So far, this question remains unanswered, but there are good reasons to be concerned.
This colossal, IT-driven effort is moving forward without adequate transparency or public dialogue, and it’s no wonder that activists have pushed back against the idea in India. Internet policy researcher Sunil Abraham, of the Bangalore-based Center for Internet and Society, has voiced concerns over Aadhaar’s identification system and proposed alternatives that would be far less privacy-invasive.
"Privacy protections should be inversely proportional to power," Abraham wrote in a Business Standard op-ed. "The transparency demanded of politicians, bureaucrats and large corporations cannot be made mandatory for ordinary citizens. Surveillance must be directed at big-ticket corruption, at the top of the pyramid and not retail fraud at the bottom. Even for retail fraud, the power asymmetry will result in corruption innovating to circumvent technical safeguards. Government officials should be required by law to digitally sign the movement of resources each step of the way till it reaches a citizen. Open data initiatives should make such records available for public scrutiny. With support from civil society and the media, citizens will themselves address retail fraud. To solve corruption, the state should become more transparent to the citizen and not vice versa."
A biometric data collection program of this scale, particularly in the absence of an existing data protection law, presents serious risks to individuals’ privacy. Rather than improving people’s lives, Aadhaar could place their highly sensitive personal information at risk.
The Trans-Pacific Partnership agreement (TPP) threatens to regulate and restrict the Internet in the name of enforcing intellectual property (IP) rights around the world, yet the public and civil society continue to be denied meaningful access to the official text and are even kept in the dark about what proposals countries are pushing in this powerful multilateral trade agreement. With users having sent over 80,000 messages to Congress asking them to demand transparency in the TPP using EFF's Action Center, Congress members have been urged into action to uncover the secrecy.
On September 20th, Representative Zoe Lofgren sent an additional follow-up letter to USTR, which EFF applauds. According to the letter, Rep. Lofgren, who has long been a strong advocate for digital rights and was a vocal opponent of SOPA, met with Ambassador Ron Kirk directly to discuss the TPP and her concerns over the lack of transparency in the process. The letter, which mentions that Ambassador Kirk told her he welcomed feedback on how to address the concerns, asks USTR to: balance TPP IP enforcement provisions with user privileges; diversify the policy perspectives on their Industry Trade Advisory Committee for IP; and be more transparent in its TPP negotiations overall.
“TPP's IP provisions must not undermine the free expression of Internet users, the ability to share and create content online, the free and open character of the Internet, or the freedom of digital service providers to innovate. Lack of transparency and overbroad IP enforcement requirements have held back other international trade agreements in the recent past – these same issues are now undermining the results [USTR seeks] to achieve with TPP."
They have yet to hear back with a response from the USTR.
This is not Congress' first attempt to unveil TPP. As we have reported, Senator Ron Wyden and Representative Darrell Issa are currently working on gathering signatures from their colleagues in Congress to ask the US Trade Representative Ron Kirk to reveal what they are seeking in the TPP's IP chapter, specifically in relation to provisions that would impact the Internet and access to pharmaceutical drugs. And in June of this year, 130 Members of the House of Representatives sent a detailed letter to the USTR asserting Congress' required role in the trade negotiations, making specific requests as to how they could make the process democratic and transparent while emphasizing the ways in which it fails to be neither of those things. Two months later, the USTR responded [PDF] in a letter that did not address any of the specific issues raised by Congress members.
The USTR claims that at the outset of the TPP negotiations in 2009, the participating countries signed a confidentiality agreement. In the June letter from 130 US Representatives, they explicitly asked for "a copy of the confidentiality agreement and an explanation as to what role USTR or other governments played in crafting it." In the USTR's response letter they completely ignored this request.
However, the model confidentiality agreement that served as a base for the TPP negotiators is a public document, available at a page on the New Zealand Ministry of Foreign Affairs and Trade website. The model agreement lays out the rules of confidentiality for signatory countries over TPP draft texts, proposals, communications, and other documents relating to the negotiations over the agreement. It is not clear, however, whether the model mirrors the exact agreement USTR signed, and USTR is likely subject to internal confidentiality policies in addition to the agreement.
While the confidentiality “model letter" itself is extremely vague, it does contain some interesting parts:
It states that the negotiating texts, government proposals, emails, and other related documents can be "provided" to government officials.
It states that documents can be accessed by "persons outside government who participate in that government's domestic consultation process and who have a need to review or be advised of the information in these documents."
It holds that "all participants plan to hold these documents in confidence for four years after entry into force of the Trans-Pacific Partnership Agreement, or if no agreement enters into force, for four years after the last round of negotiations."
It lays out the level of security needed to protect the confidentiality of the agreement, including that it may be kept in a "locked filing cabinet" or within a "secured building". Amusingly, the letter also assures that the documents "do not need to be stored in safes."
If in fact this letter parallels the provisions in the confidentiality agreement, these terms may be flexible enough to allow all government officials to have regular, easy access to the text. As of now however, elected members have not had access to view or comment on the text. Senator Wyden is a member of the Senate Finance Committee (which has jurisdiction over "reciprocal trade agreements; tariff and import quotas, and related matters thereto") and is Chair of its subcommittee on International Trade, Customs and Global Competitiveness. Neither he nor his staff, who have obtained proper security clearance, have been able to get access to material related to the TPP negotiations from the USTR.
Also unclear is how they make the determination as to whether "persons outside government" should be authorized to review the documents. Trade Advisory Committees (TACs) constitute 100's of individuals who are able to log in from their own computer to a platform to view and comment on the text of the official drafts of the agreement. If the language of the confidentiality agreement is as flexible as it is written in this model letter, it is questionable as to why all nations are bound to the level of confidentiality that is being enacted.
Ultimately, the USTR has an obligation to uphold the public interest. While they keep asserting that they are being as inclusive and transparent as possible in these negotiations, civil society and the public at large recognize that the process is far from embodying any principles of democratic rulemaking. We applaud Rep. Lofgren, Rep. Issa, and Senator Wyden for taking the lead as public representatives in standing up to demand an end to these secretive trade talks. Congress people need to know that breaking open the unnecessary confidentiality around the TPP is a priority, and that users are fed up with closed door tactics to restrict and regulate the Internet in the name of IP enforcement.
Even if you have already taken our Action Alert, please help us continue to send messages to our public representatives to make TPP transparency a political priority: