The Peruvian National Anthem proudly proclaims: “We are free! May we always be so!” Yet the Peruvian Congress is considering a sweeping new computer crime bill that threatens the privacy and online free expression of law-abiding Peruvians. Peruvians should stand against this ill-conceived bill, which would place limits on what they are allowed to do with their own computers. They should take a cue from Canadians, who mobilized resistance against their government's online surveillance bill earlier this year.
The bill's current wording spells trouble for security experts working to expose security flaws. As written, the bill threatens coders’ ability to access information systems for security testing without explicit permission. If the Peruvian Congress enacts the bill in its current form, Peruvian engineers who study others’ systems for legitimate security research and testing may become criminals. A bill like this threatens the ability of new, engineering-driven companies to develop a wide range of innovative third-party applications and platforms that interact and interoperate with online services. It also shuts down the possibility of fostering a local security industry that responsibly reports security vulnerabilities and thereby improves the security of Peru’s critical infrastructure.
The bill also threatens the privacy of law-abiding Peruvians. The Peruvian government plans to give police and prosecutors greater online surveillance powers to collect personal identifiers—including IP addresses, mobile device identifiers, and device owner's names—by excluding these identifiers from its current constitutional and regulatory framework protections.
Personal identifiers (such as IP addresses), when linked to another piece of information, can reveal far more sensitive information than ever before: online identities, activities, social contacts, and location trails. Once an IP address is linked to an individual, it becomes easy to construct a dossier that can be profiled, mined, and analyzed. Mobile device identifiers also disclose a vast amount of personal information. New technologies can easily track people’s mobile devices to reveal their locations; this is why effective legal safeguards and checks and balances are needed.
The bill explicitly states its intention to exclude Peruvians’ IP addresses and other identifiers from constitutional protection, while also compelling telecommunications and Internet companies to hand these identifiers over to law enforcement and prosecutors upon a judge’s authorization. There is nothing murky about what should happen here: personal identifiers should continue to enjoy the same level of protection currently guaranteed by the Peruvian Constitution and other regulatory frameworks, including its judicial guarantee.
In sum, the Peruvian Congress should postpone voting on the bill, and hold an open and democratic debate. This bill, as currently written, converts legitimate activities of ordinary people into "criminal" activities. Moreover, it jeopardizes the rights of law-abiding Peruvian citizens and hinders the development of an innovative technology industry. Stay tuned: We will keep an eye on the overall proposal as the debate unfolds.
UPDATE: Twitter has issued an apology to Guy Adams and clarified that they did "mess up" by notifying NBC about the tweet. They do, however, continue to claim that the tweet in question violated their Rules despite a sentence that states: "If information was previously posted or displayed elsewhere on the Internet prior to being put on Twitter, it is not a violation of this policy." The NBC executive's email was published online more than a year ago here.
Among the popular social networking sites, Twitter has often stood out for its stance on free speech. The company has stood up for its users in court, has pontificated on its role in protecting users' right to speak freely, and has even dubbed itself "the free speech wing of the free speech party." That is why, when British journalist Guy Adams' account was suspended after he tweeted the public e-mail address of an NBC executive, we were shocked.
According to Adams, his account was suspended for violating the Twitter Rules; specifically, he was informed that tweeting an e-mail address was in violation of those guidelines. A section of the platform's "help center" specifically states:
Posting another person’s private and confidential information is a violation of the Twitter Rules.
Some examples of private and confidential information are:
credit card information
social security or other national identity numbers
addresses or locations that are considered and treated as private
non-public, personal phone numbers
non-public, personal email addresses
Keep in mind that although you may consider certain information to be private, not all postings of such information may be a violation of this policy. If information was previously posted or displayed elsewhere on the Internet prior to being put on Twitter, it is not a violation of this policy.*
In this case, the e-mail address in question—that of NBC Executive Gary Zenkel—was his corporate address, and has been published online for more than a year. Furthermore, NBC's firstname.lastname@example.org email address pattern can easily be found via a quick Google search. It therefore seems clear that Adams was not, in fact, in violation of the Twitter Rules. Complicating the matter, Adams' tweets were aimed at mocking NBC, which Twitter has partnered with for the Olympics. Worse yet, an NBC Executive claimed that employees from Twitter had contacted NBC's social media department to let them know about the tweet and how to report it.
The good news is that, this morning, Adams' account was reinstated. The reasoning provided by Twitter, however, is still problematic. Adams reported receiving the following message from the company:
Per our previous correspondence, your account was suspended because a complaint was filed stating that you had violated our Terms of Service regarding the posting of private information (such as a non-public email address), as stated in our Guidelines & Best Practices (https://twitter.com/rules). We have just received an updated notice from the complainant retracting the original request. Therefore, your account has been unsuspended, and no further action is required from you at this time.
It seems that after ample media coverage, NBC changed its mind and revoked their complaint. Though Twitter won't comment on specific cases, it's apparent from their message to Adams that the company still believes he broke the rules.
This is why Twitter needs an appeals system.
Companies make mistakes. Companies also have the right to create whatever rules they desire, but they also have the responsibility to be clear about those rules and, as we argued last year in a paper co-written with the Center for Democracy and Technology and the Berkman Center for Internet & Society, create clear processes and channels of communications with users.
Twitter has not done that.
YouTube, for example, offers a clear appeals process for users whose content has been removed, explained in detail here. Facebook, which just over a year ago would send banned users a message notifying them that "[this] decision is final and cannot be appealed," now offers an easy-to-use appeals form for users whose accounts have been deactivated (note: you must be logged out to access the form). Twitter, on the other hand, allows users to reply to notification e-mails, but typically responds with repeat automated e-mails. As Adams—a prominent journalist—noted, the company would not return his calls or e-mails.
Twitter is indeed a smaller company than Google or Facebook, but with more than 500 million users, it is imperative that it open up the lines of communication and reassure its users that they have a means of arbitration when needed.
This week, the Senate will be voting on a slew of amendments to the newest version of the Senate’s cybersecurity bill. Senators John McCain and Kay Bailey Hutchison have proposed several amendments that would hand the reins of our nation’s cybersecurity systems to the National Security Agency (NSA). All of the cybersecurity bills that have been proposed would provide avenues for companies to collect sensitive information on users and pass that data to the government. Trying to strike the balance between individual privacy and facilitating communication about threats is a challenge, but one thing is certain: the NSA has proven it can’t be trusted with that responsibility. The NSA's dark history of repeated privacy violations, flouting of domestic law, and resistance to transparency makes it clear that the nation's cybersecurity should not be in its hands.
In case you need a refresher, here’s an overview of why handing cybersecurity to the NSA would be a terrible idea:
An executive order generally prohibits NSA from conducting intelligence on Americans’ domestic activities
Executive Order 12333, signed by President Reagan in 1981 (and amended a few times since), largely prohibits the NSA from spying on domestic activities:
no foreign intelligence collection by such elements [of the Intelligence Community] may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons.
If amended as McCain and Hutchison propose, the Cybersecurity Act would allow the NSA to gain information related to "cybersecurity threat indicators," which would let it collect vast quantities of data that could include personally identifiable information of U.S. persons on American soil. Law enforcement and civilian agencies are tasked with investigating and overseeing domestic safety. The NSA, on the other hand, is an unaccountable military intelligence agency that is supposed to focus on foreign signals intelligence, and it is frankly dangerous to expand the NSA’s access to information about domestic communications.
NSA has a dark history of violating Americans’ constitutional rights
In the 1970s, a Congressional investigation, led by four-term Senator Frank Church, found that the NSA had engaged in widespread and warrantless spying on American citizens. Church was so stunned at what he found that he remarked that the National Security Agency’s "capability at any time could be turned around on the American people, and no American would have any privacy left, such is the capability to monitor everything." (emphasis added) The investigation led to the passage of the Foreign Intelligence Surveillance Act, which provided stronger privacy protections for Americans’ communications—that is, until it was weakened by the USA PATRIOT Act and other reactions to 9/11.
NSA has continued its warrantless wiretapping scandal
In 2005, the New York Times revealed that the NSA set up a massive warrantless wiretapping program shortly after 9/11, in violation of the Fourth Amendment and several federal laws. This was later confirmed by virtually every major media organization in the country. It led to Congressional investigations and several ongoing lawsuits, including EFF’s. Congress passed the FISA Amendments Act to grant telecom companies retroactive immunity for participating in illegal spying and to severely weaken privacy safeguards for Americans communicating overseas. Since the FISA Amendments Act (FAA) passed, the NSA has continued collecting emails of Americans. A 2009 New York Times investigation described how a “significant and systemic” practice of "overcollection" of communications resulted in the NSA’s intercepting millions of purely domestic emails and phone calls between Americans. In addition, documents obtained via a Freedom of Information Act request by the ACLU, although heavily redacted, revealed "that violations [of the FAA and the Constitution] continued to occur on a regular basis through at least March 2010"—the last month for which anyone has public data.
NSA recently admitted to violating the Constitution
Just last week, the Office of the Director of National Intelligence—which oversees the NSA—grudgingly acknowledged that "on at least one occasion" the secret FISA court "held that some collection… used by the government was unreasonable under the Fourth Amendment." Wired called it a "federal sidestep of a major section of the Foreign Intelligence Surveillance Act," and it confirmed the many reports over the last few years: the NSA has violated the Constitution.
NSA keeps much of what it does classified and secret
Because cybersecurity policy is inescapably tied to our online civil liberties, it’s essential to maximize government transparency and accountability here. The NSA may be the worst government entity on this score. Much of the NSA's work is exempt from Freedom of Information Act (FOIA) disclosure because Congress generally shielded NSA activities from FOIA (see footnote 2 below). Even aside from specific exemption statutes, much information about NSA activities is classified on national security grounds. The NSA has also stonewalled organizations trying to bring public-interest issues to light by claiming the "state secrets" privilege in court. EFF has been involved in lawsuits challenging the NSA’s warrantless surveillance program since 2006. Despite years of litigation, the government continues to maintain that the "state secrets" privilege prevents any challenge from being heard. Transparency and accountability simply are not the NSA’s strong suit.
We remain unconvinced that we need any of the proposed cybersecurity bills, but we’re particularly worried about attempts to deputize the NSA as the head of our cybersecurity systems. And even the NSA has admitted that it does "not want to run cyber security for the United States government."
Thankfully, new privacy changes in the cybersecurity bill heading towards the Senate floor have explicitly barred intelligence agencies like the NSA from serving as the center of information gathering for cybersecurity. We need to safeguard those protections and fend off amendments that give additional authority to the NSA. We're asking concerned individuals to use our Stop Cyber Spying tool to tweet at their Senators or use the American Library Association's simple tool to call Senators. We need to speak out in force this week to ensure that America's cybersecurity systems aren't handed to the NSA.
2. Three of the statutes the NSA most commonly invokes to resist transparency: Section 6 of the National Security Agency Act of 1959 (Public Law 86-36, 50 U.S.C. Sec. 402 note), which provides that no law shall be construed to require the disclosure of, inter alia, the functions or activities of the NSA; the Intelligence Reform and Terrorism Prevention Act of 2004, 50 U.S.C. Sec. 403-1(i), which, among the Responsibilities and Authorities of the Director of National Intelligence, requires that the DNI protect information pertaining to intelligence sources and methods; and 18 U.S.C. Sec. 798, which prohibits the release of classified information concerning communications intelligence and communications security to unauthorized persons.
Press freedom in Sri Lanka has come under further attack over the course of the past month. On June 29, the Criminal Investigation Department’s Colombo Crime Division raided the office shared by news websites Sri Lanka Mirror and Sri Lanka X News. The latter website is widely known as the official journalistic outlet of the United National Party (UNP), which is the main opposition party against the ruling coalition, United People’s Freedom Alliance. Authorities arrested nine journalists and confiscated much of both websites’ computer equipment for “propagating false and unethical news on Sri Lanka.”
Blogger Patta Pal Boru reported that the journalists, including one editor, were taken into custody under Section 118 of the penal code. However, the relevant portions of the Law of Criminal Defamation had been repealed in 2002, so the Colombo Magistrate ordered that the journalists be released on bail. Employees of the Sri Lanka Mirror filed six “fundamental rights petitions” with the Supreme Court, which heard the case at the end of July. However, after the Deputy Solicitor General responded that the website was not registered and had published “explicit” stories, further hearings were scheduled for February 7.
In order to avoid embarrassments such as the illegal June raid, the government plans to amend the 1973 Sri Lankan Press Council Act so that websites will be regulated by the same agency that regulates printed media. Media Minister Keheliya Rambukwalla said in a Cabinet media briefing on July 5 that the amendments would be designed “to ensure accountability” for national news websites. The amendments will make it easier to prosecute websites under similar content rules as for print media, and will require all websites to register with a government list. The announcement was made on the same day that the UN Human Rights Council endorsed a landmark resolution that upholds online freedom of expression and information.
Sri Lankan media outlets are skeptical that the new Press Council Act amendments are simply a bureaucratic change. Manik de Silva, a director of Sri Lanka's Press Complaints Commission and a member of the country's Editors' Guild, suggested that the amendments are “obviously to control the media… Any strengthening of media laws will be used to further the interest of political parties in power rather than the national interest.” Blogger Patta Pal Boru wrote that with regard to the illegal raids on the Sri Lanka Mirror and Lanka X News, “it is important the public agitate for accountability instead of their current passive acceptance of gross violation of the law by both the Govt. [sic]”
The strict regulation of online and offline news outlets in Sri Lanka is rooted in the decades-long conflict between Tamil separatists and the Sinhalese-majority government. Networking for Rights in Sri Lanka, a media advocacy group composed of exiled journalists and human rights defenders, pointed out in a statement condemning the raids that “TamilNet, a popular news and opinion site on Tamil issues was the first site blocked by the GoSL [Government of Sri Lanka]. On June 19, 2007, on the orders of the GoSL all Internet Service Providers in Sri Lanka blocked the access to the TamilNet website. Since then GoSL has blocked dozens of news and opinion web sites reporting on Sri Lanka.”
While the fronts of political conflict have shifted considerably since the end of the civil war in 2009, draconian media regulations meant to protect government interests have only increased in number. In November 2011, officials in Sri Lanka blocked several high-profile websites and released a statement that accused them of a “deliberate character assassination campaign” against the image of the country, heads of State, ministers, senior public officials, and “very very Important People.” The EFF is deeply concerned by the legal challenges to Internet freedom in Sri Lanka, and will continue to monitor both the cases against the journalists and the planned Press Council Act amendments.
In Israel, a heated debate is underway about whether Israel’s Interior Ministry will move ahead with the creation of a governmental biometric database containing digital fingerprints and facial photographs, which would be linked to “smart” national ID cards containing microchips. At the heart of the issue is a major concern about privacy: Aggregated personal information invites security breaches, and large databases of biometric information can be honeypots of sensitive data vulnerable to exploitation.
On July 23, Israel’s High Court of Justice held a hearing on a petition filed by civil rights advocates who sought to strike down a law establishing a governmental biometric database and an associated two-year pilot program. The law approving the database, enacted in 2009, met with public resistance until the government backed down and agreed to begin with only the pilot program. The pilot was supposed to be a test for determining whether it was actually necessary to move forward with building the biometric database, but an Interior Ministry decree that sanctioned the program did not actually contain any criteria to measure whether the program succeeded or failed.
While three justices voiced harsh criticism of the database, they didn’t move to cancel the project altogether. Instead, they determined that the pilot program description has to present clear criteria for success and failure, so that it would be conducted as a true test. The ruling requires the Interior Ministry to examine the very necessity of a central database, and to seriously weigh possible alternatives. The court also called for an independent review of the program, and preserved petitioners’ right to return and present their claims against the database and pilot program.
In the course of the hearing, several justices characterized the proposed database as a “harmful” and “extreme” measure. They have good reason to be skittish: Last fall, officials discovered that information in Israel’s primary population database had been hacked in 2006, and the personal records of some 9 million Israelis—both living and dead—were uploaded to the Internet and made freely available. The database contained substantial information including full names, identity numbers, addresses, dates of birth and death, immigration dates and familial relationships. Given this blemished track record, there is naturally a concern that a database that also contained biometric information would meet the same fate.
“Every once in a while, we find the census in .torrent files all over the web,” noted Jonathan Klinger, an attorney who teamed up with Association for Civil Rights in Israel (ACRI) lawyer Avner Pinchuk in opposing the biometric database. The petitioners included ACRI, the Movement for Digital Rights, Professor Karin Nahon of the University of Washington and Hebrew University, and Doron Ofek, an information security expert.
“The State in fact accepted the position of the petitioners and the Justices, according to which the order establishing the biometric database is illegal and does not enable an examination of the database’s necessity,” noted Pinchuk, the ACRI attorney. “The Interior Ministry’s intention to establish a database even before this essential flaw is amended demonstrates the hastiness and aggression that have characterized this dangerous project since its inception.”
Israel's biometric database is just one of several massive governmental identification programs moving forward at the global level. India is still working toward creating the world’s largest database of irises, fingerprints and facial photos, while Argentina is building a nationwide biometric database of its own. As more of these identity schemes crop up across the world, serious critical examination of these systems is urgently needed.
At the Black Hat security conference in Las Vegas this week, Javier Galbally revealed that it’s possible to spoof a biometric iris scanning system using synthetic images derived from real irises. The Madrid-based security researcher’s talk is timely, coming on the heels of a July 23 Israeli Supreme Court hearing where the potential vulnerabilities of a proposed governmental biometric database drove the debate. Consider the week’s events a reminder that if the adoption of biometric identification systems continues apace without serious contemplation of the pitfalls, we’re headed for trouble.
When it comes to the collection and storage of individuals’ digital fingerprints, iris scans, or facial photographs, system vulnerability is a chief concern. A social security number can always be cancelled and reissued if it’s compromised, but it’s impossible for someone to get a new eyeball if an attacker succeeds in seizing control of his or her digital biometric information.
Among all the various biometric traits that can be measured for machine identification--such as fingerprints, face, voice, or keystroke dynamics--the iris is generally regarded as being the most reliable. Yet Galbally’s team of researchers has shown that even the method traditionally presumed to be foolproof is actually quite susceptible to being hacked.
The project, unveiled for the first time at the security researchers’ conference, made use of synthetic images that match digital iris codes linked to real irises. The codes, which are derived from the unique measurements of an individual’s iris and contain about 5,000 pieces of information, are stored in biometric databases and used to positively identify people when they position their eyes in front of the scanners. By printing out the replica images on commercial printers, the researchers found they could trick the iris-scanning systems into confirming a match.
The tests were carried out against a commercial system called VeriEye, made by Neurotechnology. The synthetic images were produced using a genetic algorithm that was driven by the matcher's own similarity scores. With the replicas, Galbally found that an impostor could spoof the system at a rate of 50 percent or higher. A Wired article hit on the significance of this discovery:
“This is the first time anyone has essentially reverse-engineered iris codes to create iris images that closely match the eye images of real subjects, creating the possibility of stealing someone’s identity through their iris.”
This revelation not only exposes a security hole in a commercial iris-recognition system, but also undercuts the claim of prominent tech firm and FBI contractor B12 Technologies--which is building a database of iris scans for the Next Generation Identification System--which noted on its website that biometric templates “cannot be reconstructed, decrypted, reverse-engineered or otherwise manipulated to reveal a person’s identity.”
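To make the mechanism concrete, here is an added, simplified illustration; it is not Galbally's code and is not taken from any of the page's sources. It models the matcher as a Hamming-distance comparison of 2048-bit iris codes and runs a small genetic algorithm that uses the matcher's similarity score as its fitness function, the way the talk's search used match scores to steer image synthesis. The bit width, the 0.32 acceptance threshold, the population size and the randomly generated enrolled template are all assumptions constructed for the demo; real systems compare images rather than raw bit strings, so this shows only the search step. The second run, against a matcher that returns only accept/reject, shows which interface property the attack depends on.

```python
"""Added illustration: evolutionary search against a binary iris-code matcher.

Not Galbally's code; abstract bit strings stand in for iris images. Every
constant below is an assumption chosen for the demo, not a vendor's value.
"""
import random

CODE_BITS = 2048        # assumption: Daugman-style 2048-bit code (the talk's ~5,000)
MATCH_THRESHOLD = 0.32  # assumption: normalised Hamming distance accepted as a match


def hamming_distance(a: int, b: int) -> float:
    """Fraction of differing bits between two CODE_BITS-wide integer codes."""
    return bin(a ^ b).count("1") / CODE_BITS


def enrolled_template(seed: int) -> int:
    """Constructed stand-in for a stored iris code: random bits, not a real iris."""
    return random.Random(seed).getrandbits(CODE_BITS)


class IrisMatcher:
    """Toy matcher holding one enrolled template and counting queries."""

    def __init__(self, template: int) -> None:
        self.template = template
        self.queries = 0

    def score(self, probe: int) -> float:
        """Leaky interface: returns a similarity score (1 - Hamming distance)."""
        self.queries += 1
        return 1.0 - hamming_distance(probe, self.template)

    def verify(self, probe: int) -> bool:
        """Hardened interface: accept/reject only, no score exposed."""
        self.queries += 1
        return hamming_distance(probe, self.template) < MATCH_THRESHOLD


def reconstruct_code(fitness, population=32, generations=2000, seed=1):
    """Genetic search for a code the matcher accepts, using `fitness` as the
    only information about the template. Returns (code, generations_used),
    or (None, generations) if the search never reaches the threshold."""
    rng = random.Random(seed)
    target = 1.0 - MATCH_THRESHOLD
    pop = [rng.getrandbits(CODE_BITS) for _ in range(population)]
    for gen in range(generations):
        ranked = sorted(((fitness(c), c) for c in pop), reverse=True)
        best_fit, best = ranked[0]
        if best_fit >= target:
            return best, gen
        parents = [c for _, c in ranked[: population // 2]]  # truncation selection
        children = [best]                                    # elitism
        while len(children) < population:
            a, b = rng.sample(parents, 2)
            mask = rng.getrandbits(CODE_BITS)
            child = (a & mask) | (b & ~mask)                 # uniform crossover
            for _ in range(2):                               # light mutation
                child ^= 1 << rng.randrange(CODE_BITS)
            children.append(child)
        pop = children
    return None, generations


if __name__ == "__main__":
    matcher = IrisMatcher(enrolled_template(seed=7))
    code, gens = reconstruct_code(matcher.score)
    print(f"score oracle: accepted after {gens} generations, distance "
          f"{hamming_distance(code, matcher.template):.3f}, {matcher.queries} queries")
    strict = IrisMatcher(matcher.template)
    code, gens = reconstruct_code(strict.verify, generations=200)
    print("accept/reject oracle:", "spoofed" if code else f"no match after {gens} generations")
```

The attacker never sees the template; a monotone similarity score is enough to climb toward it, which is why a match score, not the template encoding itself, is the thing to keep off any interface an attacker can query repeatedly. Against the accept/reject interface the fitness landscape is flat below the threshold and the same search makes no progress, though rate limiting and liveness checks are still needed because a stolen template or a printed replica bypasses the search entirely.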
Any new detection of biometric system flaws is relevant in the context of the massive governmental identification programs moving forward at the global level. There’s India’s bid to create the world’s largest database of irises, fingerprints and facial photos, for example, and Argentina’s creation of a nationwide biometric database containing millions of digital fingerprints. Just this week in Israel, High Court justices criticized a planned biometric database as a “harmful” and “extreme” measure. Lawmakers who approve such identification schemes should give serious consideration to any new information surfacing about biometric system vulnerabilities.
It's always heartening to see Congressmen make efforts to stand up for privacy rights. Yesterday, Rep. Hank Johnson launched AppRights.us, a website dedicated to promoting privacy, security, and transparency around mobile apps. Operating under the motto that "our apps should serve us—not spy on us," Johnson's website asks for feedback about issues surrounding mobile devices.
Mobile privacy and consumer rights are important issues to EFF, and we hope that Rep. Johnson keeps our previous work on the topic in mind—most notably our Mobile User Privacy Bill of Rights. This document contains key points for developers to keep in mind when it comes to respecting their users' privacy—including transparently limiting data collection to solely what is needed, as well as giving users more control over their personal data. EFF also recently filed comments with the Federal Communications Commission about mobile device privacy, bringing to light current troubling industry practices.
Earlier this month, the 47 member states of the United Nations Human Rights Council passed a landmark Resolution (A/HRC/20/L.13) to include the “promotion, protection, and enjoyment of human rights on the Internet.” The Resolution, which was presented by Sweden, was backed by more than 70 countries in all, both members and non-members of the HRC.
In the New York Times, Swedish Foreign Minister Carl Bildt called the Resolution a “victory for the Internet”, while US Secretary of State Clinton praised it as a “welcome addition in the fight for the promotion and protection of human rights and fundamental freedoms online, in particular the freedom of expression.”
The Resolution builds on the work of UN Special Rapporteur Frank LaRue who, after a year of consultations with civil society groups, released a report on the promotion and protection of freedom of expression on the Internet. In his report, LaRue touched upon a variety of threats to free expression online, including the enforcement of "real name" systems; the use of national security or counterterrorism measures to restrict free speech; the overbroad use of defamation laws; and the widespread use of technological surveillance. LaRue concluded by calling upon states to take measures to ensure "as little restriction as possible to the flow of information via the Internet, except in few, exceptional, and limited circumstances prescribed by international human rights law."
At the time, EFF praised the Special Rapporteur's report, and continues to be pleased with the work he is doing. We therefore see this Resolution—which affirms that “the same rights that people have offline must also be protected online”—as a step in the right direction. Despite that, states are increasingly failing to comply fully with their international human rights obligations, including the adoption of necessary measures to make human rights effective.
As Dr. Matthias Kettermann points out in the European Journal of International Law, however, the Resolution does not rule out the possibility of countries abusing human rights online. Specifically, the Resolution references Article 19 of the International Covenant on Civil and Political Rights (ICCPR), which—as Kettermann explains—“allows for certain restrictions of the right [to free expression]” when provided by law, for “(a) respect of the rights or reputations of others; or (b) for the protection of national security or of public order (ordre public), or of public health or morals.”
Referring to Article 19 of the ICCPR, CCPR General Comment No. 10 notes that, "[W]hen a State party imposes certain restrictions on the exercise of freedom of expression, these may not put in jeopardy the right itself." Such restrictions may only be imposed by law and must be justified as being "necessary" for one of the purposes stated in Paragraph 3, subparagraph (b).
Despite such protections, however, a number of the 47 member states of the HRC censor the Internet and citizens’ right to free expression under such pretexts. For example, Qatar censors a variety of websites, including those critical of the royal family. The senior manager of the country’s largest ISP, Qtel, once explained this as a “desire to maintain ethical standards and protect the culture of the society.” India made headlines earlier this year for its designs to increase censorship on social networks. Turkey censors—both online and off—criticism of the country's founder, Kemal Atatürk, as well as insults to "Turkishness." And member states China, Cuba, Kyrgyzstan, Saudi Arabia and Thailand—among others—have all come under fire for heavy-handed censorship of websites.
Furthermore, a number of member states have used intellectual property as a justification for the installation of technical censorship mechanisms. In several countries, regulation that would cut an individual off from the Internet indefinitely—generally known as "three strikes laws"—has been proposed or enacted. Laws that prevent an individual from using the Internet entirely are surely a violation of human rights, and the Special Rapporteur agrees; in his report, he urged states to repeal or amend existing intellectual property laws that would permit disconnection of a user from the Internet, and to refrain from adopting such laws.
Lastly, the Resolution makes no mention of the ubiquity of online surveillance technologies, which are increasingly being used by governments to track down dissidents and stifle dissent, threatening to make meaningless the legal guarantees of privacy and free expression. From its widespread use in pre-revolutionary Tunisia and Egypt (both non-member signatory states) to its illegal use in the United States, online surveillance poses a huge threat to freedom of expression and must be considered as such.
All in all, however, UNHRC’s Resolution on Internet freedom is a positive step toward ensuring that human rights apply online, but it is only a first step, and it will not alone prevent countries determined to censor the Internet from doing so. The next step, of course, is putting action behind those words, and for that, the onus is on individual states.