The campaign to use social engineering to install surveillance software that spies on Syrian activists is growing ever more complex as violence in Syria has escalated. Since the beginning of the year, Syrian opposition activists have been targeted using several Trojans, including one disguised as a Skype encryption tool, which covertly install spying software onto the infected computer, as well as a multitude of phishing attacks which steal YouTube and Facebook login credentials.
The latest campaign contacts targeted Syrian activists over Skype and delivers a Trojan by getting the targets to download a fake PDF purporting to contain a plan to assist the city of Aleppo, where opposition protest has been growing steadily since a raid on Aleppo University dormitories resulted in the deaths of four students and a temporary shutdown of the state-run school earlier this month. Like many of the attacks we have reported on, this one installs a Trojan called DarkComet RAT, a remote administration tool that allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more--and sends that sensitive information to the same Syrian IP address used in attacks described by TrendMicro, Symantec, Cyber Arabs, and in several of EFF's blog posts.
The attack is initiated over Skype with the following message in Arabic:
[29/05/2012 18:03:44] Aleppo Team || ...: اخر تعديل لخطة حلب حان وقت الجهاد
[29/05/2012 18:03:46] Aleppo Team || ...: أرسل الملف "خطة النهاية2.rar"
Roughly translated into English as:
[29/05/2012 18:03:44] Aleppo Team | | ...: Last modified plan Aleppo time for Jihad
[29/05/2012 18:03:46] Aleppo Team | | ...: Send the file "plan eventually 2.rar"
Extracting the RAR file creates a directory called خطة حلب, or "Plan Aleppo," shown in the screenshot below.
Inside this directory is a file called aleppo_plan_ خطة_تحريك_حلب cercs.pdf. The right-to-left text display makes this appear to be a PDF file, but it is an SCR (Windows screensaver executable) file, shown in the screenshot below.
The SCR file is malware.
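The right-to-left disguise described above can be checked for before a received file is opened. The following is an added example, not code from the original analysis: it assumes the disguise relies on Unicode bidirectional control characters such as U+202E (the post says only "right-to-left text display"), and the sample names, the extension list and the function names are constructed for illustration.

```python
import os

# Unicode bidirectional formatting characters that change how a name is drawn
# without changing the bytes the operating system uses to pick a handler.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions Windows runs directly (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}


def real_extension(name):
    """Extension the OS acts on: the stored characters, controls ignored."""
    stored = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(stored)[1].lower()


def apparent_name(name):
    """Approximate what a file manager draws.

    Simplification (assumption): only the right-to-left override (RLO) is
    modelled, by reversing the characters between RLO and the next PDF or the
    end of the name. A full Unicode bidi implementation is out of scope here.
    """
    out, run, overriding = [], [], False
    for ch in name:
        if ch == "\u202e":
            overriding = True
        elif ch == "\u202c" and overriding:
            out.extend(reversed(run))
            run, overriding = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif overriding:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))
    return "".join(out)


def inspect_name(name):
    """Classify one file name as 'block', 'review' or 'ok'."""
    controls = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    real = real_extension(name)
    shown_name = apparent_name(name)
    shown = os.path.splitext(shown_name)[1].lower()
    if controls and (real in EXECUTABLE_EXTS or shown != real):
        verdict = "block"    # display order hides the type that will run
    elif controls:
        verdict = "review"   # controls present but no disguise detected
    else:
        verdict = "ok"       # this check only looks for bidi disguises
    return {
        "controls": controls,
        "apparent_name": shown_name,
        "shown_ext": shown,
        "real_ext": real,
        "verdict": verdict,
    }


# Constructed sample names (not taken from the analysed archive).
SAMPLES = [
    "aleppo_plan_ce\u202efdp.scr",   # draws as ...cercs.pdf, runs as .scr
    "invoice\u202excod.pdf",         # draws as ...fdp.docx, really a .pdf
    "notes\u200f.txt",               # stray right-to-left mark, no disguise
    "\u062e\u0637\u0629 \u062d\u0644\u0628.pdf",  # plain Arabic name, no controls
]


def scan(names):
    """Return (name, verdict) pairs for every name that is not 'ok'."""
    return [(n, inspect_name(n)["verdict"]) for n in names
            if inspect_name(n)["verdict"] != "ok"]


if __name__ == "__main__":
    for sample in SAMPLES:
        info = inspect_name(sample)
        print(repr(sample), "->", info["apparent_name"],
              info["real_ext"], info["verdict"])
```

A mail gateway or chat client can apply the same check to attachment names and show `real_ext` to the user instead of trusting the rendered name.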
The file that we have analyzed is aleppo_plan_ خطة_تحريك_حلب cercs.pdf, md5Sum bc403bef3c2372cb4c76428d42e8d188.
It displays a PDF while dropping the following files, shown in the screenshot below:
C:\Documents and Settings\Administrator\StartMenu\Programs\Startup\(empty).lnk
It runs explorer.exe, which installs DarkComet RAT and also opens a PDF which describes a plan to assist Aleppo in the revolution. The document includes a detailed discussion of logistics and would potentially be very interesting to Syrian dissidents and activists. Some of the content may be genuine, but there are also some aspects of the PDF that might raise the suspicions of a keen-eyed reader, including the flag across the top of the document, which is the flag of the Assad regime rather than the flag of the revolution.
Innovation for the win: A federal judge ruled today that Java's APIs are not copyrightable. The federal district judge in the widely reported Oracle v. Google case ruled in favor of innovation and interoperability, allowing software to use Application Programming Interfaces without paying a license fee. Judge Alsup's opinion is important news for software developers and entrepreneurs.
To recap: Oracle, the current owner of Java, sued Google for, among other things, using Java APIs in its Android OS. Oracle claimed that Google infringed both its patents and copyrights. The Court disagreed, and Judge Alsup ruled that “Google and the public were and remain free to write their own implementations to carry out exactly the same functions of all methods in question.”
Earlier, the jury summarily disposed of Oracle's patent claims and also found that, assuming one could get a copyright on an API, Google might have infringed (the jury failed to answer whether Google’s use was a legal fair use). All of this left open arguably the most important question: whether APIs could be copyrighted. As we previously explained, the answer must be "no" under current law, and extending copyright to APIs would have a disastrous effect on interoperability, and, therefore, innovation. We are glad to report that Judge Alsup agreed.
The court clearly understood that ruling otherwise would have impermissibly – and dangerously – allowed Oracle to tie up “a utilitarian and functional set of symbols,” which provides the basis for so much of the innovation and collaboration we all rely on today. Simply, where “there is only one way to declare a given method functionality, [so that] everyone using that function must write that specific line of code in the same way,” that coding language cannot be subject to copyright.
Judge Alsup, a coder himself, got it right when he wrote that “copyright law does not confer ownership over any and all ways to implement a function or specification of any and all methods used in the Java API.” It's a pleasure to see a judge so fundamentally understand the technology at issue; indeed the first part of the opinion reads like an Introduction to Java class (and, to be certain, if Oracle appeals, Judge Alsup's lesson will do a fantastic job teaching the appeals court how Java works). It's that fundamental understanding that allowed Judge Alsup to explain:
That a system or method of operation has thousands of commands arranged in a creative taxonomy does not change its character as a method of operation. Yes, it is creative. Yes, it is original. Yes, it resembles a taxonomy. But it is nevertheless a command structure, a system or method of operation — a long hierarchy of over six thousand commands to carry out pre-assigned functions. For that reason, it cannot receive copyright protection — patent protection perhaps — but not copyright protection.
Judge Alsup’s opinion implicitly recognizes that the copyright laws, most recently overhauled in the 1970s, simply were not intended to cover claims like those made by Oracle in this case. Here, Oracle pored through 15 million lines of Android code searching for infringement, and found only nine lines (one function!) that had been copied from Java, a circumstance the Court found “innocuous and overblown.” Such functionality may be subject to patenting, which has a shorter life span and more opportunities to challenge its validity, but Oracle’s attempts to shoehorn its unpatented APIs into copyright law were met with the proper rejection.
It's not all good news for innovation: in yet another example of an intellectual property system gone awry, this lawsuit has likely already cost each side millions (if not tens of millions) of dollars (and that’s before damages). Those resources, including the person-hours, can and should be dedicated to developing new technologies and business models, not improving a few law firms' bottom lines. Oracle v. Google is just the latest in a long line of cases that ratchet up high-stakes litigation surrounding intellectual property rights – whether it be software patents or copyrights. This dangerous trend creates insurmountable barriers to entry and harms innovation. If this process has taught us anything, it is that this practice needs to stop. This is why EFF will continue to fight for an intellectual property system that has the breathing room to allow for innovation.
And in the meantime, developers everywhere can breathe a sigh of relief – this judge got it right.
The Senate is moving quickly to take up the issue of cybersecurity, with a potential vote looming in early June. This is a particularly dangerous situation because the Cyber Intelligence Sharing and Protection Act (CISPA) already passed the House, authorizing companies to spy on sensitive user content and pass that data to the government with few restrictions. Under CISPA, the government can use the information it receives for vaguely-defined “national security” purposes or share it with intelligence agencies like the NSA.
There are several bills pending in the Senate. The first one to come up is the Cyber Security Act (Lieberman-Collins). The bill is well over a hundred pages long and includes many components other than sections about sharing data with the government. Here’s a guide to help you understand the information sharing sections of the bill, the civil liberties concerns, and how you can speak out.
Will Internet companies be able to intercept and read my email?
Under the bill, the provisions for “monitoring” are very broad. Companies (“any private entity”) are granted “affirmative authority” to “monitor information systems” and “information that is stored on, processed by, or transiting the information systems” for cybersecurity threats. A company could also monitor someone else’s network if it has been granted authority to do so, for example an outside consulting firm hired to help with network security.
The companies in question include both online service providers like Google or Facebook, as well as Internet Service Providers (ISPs) like Comcast. When you use a web-based service like Google, your communications pass through lots of intermediaries. Under the bill, it is not only Google that can monitor your traffic, but also any intermediary.
Under this bill, how are “cybersecurity threats” defined?
A cybersecurity threat, under the Cyber Security Act, is defined as “any action that may result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system.”
But the definition of cybersecurity threat indicator in the bill is much more important, since this determines the actual information that can be shared with the government.
How are “cybersecurity threat indicators” defined?
Cybersecurity threat indicators are the types of data that a company can share with the government (via a “cybersecurity exchange,” see below). The bill defines a “cybersecurity threat indicator” as information that indicates or describes one or more of eight things:
“Malicious reconnaissance” which the bill defines as including “anomalous patterns of communication that reasonably appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat”
A method of defeating a technical control
A technical vulnerability
A method of defeating an operational control
A method of causing a user with legitimate access to an information system or information to “unwittingly” enable the defeat of a technical or operational control
Malicious cyber command and control
Actual or potential harm caused by an incident, including data exfiltrated as a result of subverting a technical control if it is necessary in order to identify or describe a cybersecurity threat
“Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law”
The last one – “any other attribute” – is very broad indeed! This type of language is dangerously vague, giving companies lots of wiggle room to make creative arguments.
However, there’s also one very important privacy protection to how the bill defines “cybersecurity threat indicators” – it insists that “reasonable efforts” must be made to “remove information that can be used to identify specific persons unrelated to the cybersecurity threat.”
In addition to monitoring, what else can companies do?
The act also allows companies to deploy "countermeasures" to protect a given network. Countermeasures include the ability to modify or filter Internet traffic. Even if you are an innocent user, if companies think you are engaging in a cyberthreat, they could filter or modify your Internet traffic.
What are countermeasures and how would they work?
The term “countermeasures” refers to actions to “modify or block data packets” associated with online communications, so long as it is done “with defensive intent” for the purposes of protecting information systems from cybersecurity threats.
Under the Cyber Security Act, private entities are granted “affirmative authority” to operate countermeasures on their own information systems to “protect the information systems and the information that is stored on, processed by or transiting the information system.” Companies can also operate countermeasures on third party networks, if the third party grants them lawful access.
How are “countermeasures” different from ordinary behavior already in widespread use by ISPs and companies to protect their networks?
The limits on the “countermeasures” allowed under this bill have not been established. If this bill passes, it could take judicial interpretation to establish those limits -- but only if cases make it to court. Companies already use firewalls to protect their networks. ISPs do filtering as well, for example disallowing end users from hosting certain services, or de-prioritizing certain types of traffic. But this bill makes no effort to restrict the definition of countermeasures to reasonable techniques in use today.
Does this bill create new exemptions to the Freedom of Information Act?
Yes. Under the Cyber Security Act, any cybersecurity threat indicator disclosed by a non-Federal entity (like a company) to a cybersecurity exchange is exempt from disclosure. A recent letter organized by OpentheGovernment.org and signed by dozens of civil liberties advocacy organizations criticized both the SECURE IT Act and the Cyber Security Act, stating:
“Unnecessarily wide-ranging exemptions [to FOIA] of this type have the potential to harm public safety and the national defense more than they enhance those interests; the public is unable to assess whether the government is adequately combating cybersecurity threats and, therefore, unable to assess whether or how to participate in that process, and to hold officials accountable.”
Under the Cybersecurity Act, if a company improperly hands over my information to the government, do I have an effective remedy?
Probably not. This legislation holds a very high standard for holding companies accountable through civil action. Assuming that you know about the privacy invasion in the first place, you would need to prove that the company:
Was not monitoring for the purpose of detecting cybersecurity threats and
Did not have a "good faith" belief that they were allowed to do it (whether they are right or wrong); or
"Knowingly" and "willfully" violated the restrictions of the law
What is a “cybersecurity exchange” and how would it work?
The Cyber Security Act would set up “cybersecurity exchanges” to receive and distribute cybersecurity threat indicators. There would be one Lead Federal Cybersecurity Exchange, appointed by the Department of Homeland Security, but other ones might also be created. Existing federal agencies can be designated as cybersecurity exchanges, including military and intelligence agencies like the National Security Agency. The Department of Homeland Security could appoint itself as the Lead Federal Cybersecurity Exchange.
There is considerable debate in Washington over whether the lead agency should be the civilian DHS or the military (i.e. the NSA). The bill punts on this question, but gives the edge to DHS for future bureaucratic fights.
Will the new “cybersecurity exchange” create new bureaucracies?
Of course. The Cyber Security Act’s extensive discussion of the creation of a federal exchange and potential civilian exchange involves coordination between an alphabet soup of agencies, including DHS, DOJ, ODNI, DOD and DOS. They have to make a lead exchange, consider others, consult with each other, and report to Congress. The Cyber Security Act attempts to defuse this the easy way: “Nothing in this section may be construed to authorize additional layers of Federal bureaucracy for the receipt and disclosure of cybersecurity threat indicators.” At most, this will prevent people from calling the new layers of bureaucracy what they really are.
What safeguards are in place to ensure that this legislation won’t be used as a method of sharing data with the National Security Agency?
There are no provisions in the Cyber Security Act that would ensure this bill could not be used to funnel information to the National Security Agency. In fact, the National Security Agency could be designated as a “cybersecurity exchange” and receive great quantities of sensitive user information.
The ACLU has joined EFF in strongly criticizing a bill that allows the NSA to receive cybersecurity data, stating: “It is a long held American value that the military is not permitted to spy on Americans and their communications. Authorizing the NSA to turn its powerful spying apparatus on Americans would pose a significant threat to Americans’ privacy and would represent a major departure from American values about the role of the military on US soil.”
Can cyber security threat indicators collected under this legislation be used for other, unrelated purposes?
Yes. The data collected under the Cyber Security Act can be shared with law enforcement if it “appears to relate to a crime” either past, present, or near future.
Senator Wyden, talking about a similar provision in CISPA, noted “They would allow law enforcement to look for evidence of future crimes, opening the door to a dystopian world where law enforcement evaluates your Internet activity for the potential that you might commit a crime.” The CSA suffers the same ‘future crime’ flaw.
Whoa! Sharing what “appears to relate to a crime” is crazily broad, and surely will impinge on civil liberties. Does the Cyber Security Act throw me a bone, with some sort of vague promise to maybe think about civil liberties in the future?
Sure. Recognizing that the provision for sharing with law enforcement could impact privacy and civil liberties, the Cyber Security Act attempts to defuse criticism by forming a committee to write “policies and procedures” at some future date that are supposed to “minimize the impact.” It also provides that the Privacy and Civil Liberties Oversight Board will look over the situation. Unfortunately, there currently are no members of this board, and have not been since 2007.
Our civil liberties are too important to just have faith that future regulations will solve all the problems or to have oversight by a non-staffed board.
If the Cyber Security Act passes the Senate, will we have a chance to fight it in the House?
Unfortunately, the House of Representatives has already passed a cybersecurity bill (CISPA). CISPA includes few privacy safeguards, allowing companies to spy on Internet communications and pass sensitive user content to the government. This means that if any cybersecurity bill passes the Senate – even one that has privacy protections – it will be conferenced with the House version of CISPA. The conferencing process is a backroom negotiation in which there’s a lot of compromising – and House backers of CISPA could well seek to remove any privacy protections we might put in place in a Senate bill. The conferencing process would almost undoubtedly be bad news for online civil liberties.
There are amendments pending on this bill. Will it get better or worse for civil liberties?
That’s a hard question. In early May, according to the Hill blog, Senate leadership was reportedly “quietly revamping cybersecurity legislation in an attempt to pick up Republican votes.” This could mean any number of things – including the possibility that the legislation will be adjusted to remove regulatory aspects or reduce the existing privacy protections for Internet users. It’s also possible amendments could be presented that would add in safeguards for privacy.
Right now, all of the amendments – whether good or bad for Internet rights – are being negotiated behind closed doors, away from public discussion and accountability. This means Internet users are being kept largely in the dark until most of the negotiations are over.
We encourage individuals to use our action center to speak out; tell Congress not to sacrifice civil liberties in a rush to pass cybersecurity legislation. Hearing from constituents is the best way to ensure privacy rights stay front and center in this debate.
How can I speak out against this bill?
We urge Internet users to contact Congress and tell them to support privacy-protective amendments and oppose the cybersecurity bills. You can use our action center to send an email or call your Senator.
China: Twitter-Clone Weibo Introduces a Points System for Punishing Content Violations
Chinese microblogging site Sina Weibo introduced new user conditions on Monday under which users will be deducted “points” for violating its content policy. Users will be suspended from the website once they run out of points. Rules that prohibit advocating protests or “spreading rumors” have always been a part of overall Chinese internet policy, but the points system is an innovation.
The new user contract arrives after the parent company Sina admitted that they had not fully implemented Chinese real-name registration rules by the March deadline. Reporters Without Borders suggests that “It remains to be seen whether or how this points system will be applied to the mass of information circulating on Sina Weibo. It may well be a lost cause but the company could be more interested in looking good in the government’s eyes.” Real-name registration is one of the ways in which Weibo users can recover lost points, which will effectively further reduce anonymous expression in China.
Malaysia: Amended Evidence Act Makes Intermediaries Liable, Shifts Burden of Proof to Defendants
The Malaysian government has recently made a series of troubling amendments to the Evidence Act 1950. Among the changes: an amendment that holds intermediaries liable for seditious content posted anonymously on their networks, services, or websites and an amendment that shifts the burden of proof from the government to the defendant. In Malaysia, not only can you be held liable for someone else’s allegedly seditious comment on your website, or an anonymous comment posted using your open wifi connection, but it is up to you to prove that you didn’t do it.
These amendments may lead to a profound chilling effect on free expression and innovation because intermediary content providers like corporations, social networks, and bloggers will be obliged to constantly monitor the activity of third-party contributors. In the United States, Section 230 of the Communications Act protects intermediary “interactive computer services” from certain kinds of liability for third-party content, including defamatory or seditious speech. Centre for Independent Journalism executive officer Masjaliza Hamzah said the Malaysian laws “may force some sites to stop the comment feature because having to vet comments themselves may become untenable, and if this happens, it has a huge impact on the interactive nature of online media favored by readers.”
Bahrain: Activist Nabeel Rajab Released from Jail
Nabeel Rajab, president of Bahrain Centre for Human Rights, was released from jail after he posted bail of 300 dinars ($796). Rajab has been imprisoned since May 5 on charges of “cyber-incitement” of illegal rallies using social networking sites and defaming Bahrain's security forces. With over 146,000 Twitter followers, he is a high-profile critic of King Hamad al-Khalifa and the Bahraini government. Rajab is banned from travelling abroad as part of the conditions of his release. In the past 15 months, Bahraini security forces have detained and beaten many journalists, protestors, and other critics.
Rajab described his arrest as "a political decision" in court earlier this month. He told the court, “I only practiced my right to free expression… I did not commit a crime.” Meanwhile, Rajab’s many supporters include Bahraini human rights activist Abdulhadi al-Khawaja, who began a hunger strike in February after also being detained for allegedly trying to “depose” the royal family. Upon Rajab’s release from jail, al-Khawaja voluntarily ended his hunger strike and described the event as successfully drawing attention to the issue of imprisoned Bahraini political dissidents.
Ethiopia: Restricting VOIP, Initiating Deep Packet Inspection
Last Thursday, the Ethiopian parliament ratified a new Telecom Service Infringement Law meant to impede Voice over Internet Protocol (VoIP) calls and faxes. The rules are primarily aimed at protecting the state service provider Ethio-Telecom from competition and “telecom fraud” by granting the Ministry of Communications and Information Technology the right to license companies engaged in producing or distributing any information communication technology. Additionally, a “national security” section in the new law includes anti-terrorism and anti-defamation provisions for content regulation. Prominent Ethiopian blogger Endalk has referenced the latest law as a “creative copy of SOPA and PIPA,” both of which fellow blogger Frank Nyakairu had predicted would lead to “opportunistic” spin-offs in multiple African dictatorships. Already, the Committee to Protect Journalists reports that about 25% of exiled journalists in Africa are from Ethiopia. Not only does the Telecom Service Infringement law block journalists’ access to important communication pathways such as VoIP, but the broad “national security” content regulations will give the government even greater official latitude in shutting down the country’s small but active blogging community.
The new telecom regulations are part of an ongoing pattern of increased Internet surveillance and censorship. Even though Ethiopia has internet penetration of less than 1 percent, its online political censorship regime is one of the most complex in sub-Saharan Africa, aided by Chinese capital and technology. Ethiopian ISPs recently initiated covert deep-packet inspection, and also began blocking Tor.
This morning, the House Judiciary Committee held an important hearing on the FISA Amendments Act (FAA) and the scope of the NSA’s warrantless wiretapping program. The FAA, which gutted privacy protections governing the interception of international phone calls and e-mail to and from the United States, is set to expire at the end of the year, and Attorney General Eric Holder says it is his “top priority” to see it renewed.
President Obama had promised during his campaign to demand civil liberties protections and privacy safeguards when the FAA came up for renewal, yet his administration is now demanding that Congress renew it with no changes, despite the fact that the FAA allows for dragnet surveillance of Americans’ international communications.
A detailed explanation of the law’s constitutional deficits can be read here, but as ACLU’s deputy director Jameel Jaffer explained to the committee, the law is written so broadly that a phone call to someone overseas discussing general foreign affairs could be listened in on. Even putting aside the massive constitutional violations perpetrated by the NSA and its warrantless wiretapping program before the FAA was passed in 2008, the NSA has still unlawfully collected “millions” of Americans’ domestic communications since 2009, according to reporting by the New York Times and documents the ACLU received via the Freedom of Information Act (FOIA).
Rep. Trey Gowdy (R-SC) remarked to Jaffer that no court has ruled the FAA unconstitutional. But he conveniently left out the fact that the Obama Justice Department (DOJ) has resisted every effort to have courts hear any evidence on the matter. DOJ is now arguing before the Supreme Court that the ACLU’s lawsuit over the FAA should be dismissed before trial on “standing” grounds, despite lower courts ruling the case should move forward on the merits. In addition, in EFF’s own case challenging the dragnet portion of the NSA warrantless wiretapping program, the government has invoked the “state secrets” privilege, arguing that even if the allegations of constitutional violations are true, the case should be dismissed because it could hurt “national security.” All this despite the fact that federal courts have ruled the NSA’s warrantless wiretapping program unconstitutional in other cases.
EPIC Privacy executive director Marc Rotenberg, another witness at the hearing, implored the committee to install new transparency requirements so Americans can understand exactly how many people are being spied on. This could be done easily and anonymously without jeopardizing any investigation, he said, and can be modeled on the transparency requirements already in place for domestic wiretaps.
Kenneth L. Wainstein, who worked on creation of FISA during his tenure at the Justice Department during the Bush administration, countered that there is already “oversight” built into FISA, but there is scant proof of that in practice. The administration has kept its interpretation of the FAA secret, has refused to declassify any of the FISA opinions (despite previously promising to), and won’t release numbers on how many Americans have been affected, as multiple Senators have demanded. All of this is particularly troubling since the FISA court received over 1,700 applications for blanket wiretaps last year and none were rejected.
Wainstein’s argument about how supposedly “vital” warrantless wiretapping is to national security also flies in the face of the official Inspector General report, which cast doubt on its usefulness.
The hearing was a step in the right direction, however, and it was encouraging to see so many members of Congress question the dangerous scope of the bill. Rep. Scott said, "An untold amount of NSA data collection is affecting citizens in America," Rep. Conyers demanded an official from the FISA courts testify on the matter, and others questioned the warrantless surveillance of American citizens. Given the massive constitutional implications of renewing FISA, and the ample evidence it is being abused, Congress has a duty to follow through and dramatically reform the bill or refuse to renew it entirely.
We took a stand for Twitter users Wednesday, and in an amicus brief (PDF) urged a New York City judge to reconsider his decision authorizing a broad subpoena to Twitter that seriously threatens the First Amendment and privacy rights of everyone on the Internet.
We started writing about the case of Malcolm Harris in February, when the New York City District Attorney's Office sent a subpoena (PDF) to Twitter, requesting information about Harris, one of the 700 protesters arrested on the Brooklyn Bridge in October 2011 in connection with an Occupy Wall Street protest. The prosecutors requested Twitter turn over reams of information it had on Harris, including the content of tweets, IP addresses from where he accessed Twitter, and any email addresses it had on file.
We believe the government is after Harris' location, and the fact that he was a prolific tweeter with almost 1,500 followers and 7,200 tweets -- and an outspoken Occupy Wall Street sympathizer -- would give the government a tremendous amount of insight into the Occupy movement's activities and membership. The fact that the subpoena came out of a criminal investigation for disorderly conduct, a trivial crime with a maximum punishment of a $250 fine or 15 days in jail, made it seem all the more like a politically motivated witch hunt. And the government confirmed that it was indeed trying to use the information from Twitter to figure out Harris' location on the day in question, but inexplicably requested three months of data from Twitter.
The judge's opinion (PDF) authorizing the subpoena was worse than we could have imagined. The court ruled Harris didn't have legal standing to challenge the subpeona because the information -- including all of his tweets -- belonged to Twitter. It allowed the government to get the content of communication -- tweets -- with simply a subpoena, and not a search warrant as required by the Fourth Amendment and the Stored Communications Act. It gave the keys to location information, IP addresses that could be used to determine where a person is when he logs into Twitter, without a search warrant.
As we say in our brief, individuals have long had the legal ability to challenge government requests to third parties that implicate constitutional rights. After all, the data the government wants pertains to Harris, not Twitter. And while we (and others) applauded Twitter for standing up for its user in this instance, many tech companies holding tons of data about their users won't, leading to potential constitutional violations that have no way to be challenged in court. It's crucial for users to be able to stand up for themselves, instead of hoping that other companies follow Twitter's lead.
We also argue that the subpoena violates the First and Fourth Amendments. In order to protect free speech, the First Amendment demands that the government demonstrate an “overriding and compelling” need for the information and a substantial nexus between the information and a government investigation. The trivial charges and weak excuse, combined with the breadth of the subpoena, demonstrate the government has failed to meet this high standard.
With respect to the Fourth Amendment, content and location require a search warrant. In the last few years, thanks to some of the work we've done (and are still doing), courts have begun to recognize that the Fourth Amendment applies even when information is disclosed to a third party for a limited purpose, like when email is sent through a server in order to be delivered to its recipient, or a cell phone company keeps track of your location in order to complete your phone call. And with U.S. Supreme Court Justice Sotomayor's concurring opinion in United States v. Jones -- which ruled that the Fourth Amendment applies to the installation of a GPS tracking device on a car -- commenting it was time to reconsider the idea that disclosing some information for a limited purpose to a third party eliminates any privacy rights in that information, we're hopeful the judicial tide has turned on this issue.
We're also hopeful the judge will reconsider his decision after hearing from us and Twitter. Search warrants are an integral part of balancing law enforcement's voracious appetite with the right to privacy guaranteed in the Constitution. Broad subpoenas in trumped-up loitering cases shouldn't undermine this important bulwark against the overzealous government.
Update 6/7/2012: Customers who have already purchased Humble Indie Bundle V will automatically have these three new games added to their download pages. Folks who have yet to purchase the bundle will need to pay more than the average price at the time of their visit to get access to the games.
Braid and Super Meat Boy are oft-requested by customers who missed the previous Humble Indie Bundles featuring those games (#2 and #4, respectively), so we're pretty excited to give people another chance to check them out. And Lone Survivor is one of the most stunning titles to come out in the first half of this year—a four-years-in-the-making, side-scrolling, survival horror opus by Jasper Byrne.
Humble Bundle has just launched its most impressive bundle yet, featuring five indie games that have already become classics in their respective genres: Psychonauts, LIMBO, Superbrothers: The Sword & Sworcery EP, Amnesia: The Dark Descent, and Bastion. These games have each been lauded as not just fun and entertaining, but also artistic and meaningful. By putting together such a great package of DRM-free games and offering purchasers the option of designating some of the profits to charity, Humble Bundle is putting users first at the same time it fosters a socially conscious indie gaming ecosystem.
Over the past two years, nearly one million purchases of independent video games have gone to support the Electronic Frontier Foundation through Humble Indie Bundles. These "pay-what-you-want" promotions let gamers set their own price for a lineup of killer games and choose the percentage of each purchase used to support the game developers, Humble Bundle and/or selected charities.
We have written extensively about the benefits of Humble Bundle's model to consumers. The games are distributed DRM-free across three different platforms (Windows, Mac and Linux). In the first Humble Indie Bundle, four of the game developers released their source code under an open license after the Bundle reached a $1,000,000 milestone. The Humble Bundle model shows that there is a way for small copyright owners to compete and succeed in a digital economy without draconian new laws and counter-productive restrictions that punish paying customers.
But the benefits don't stop there. Donations directed to EFF by Humble Bundle customers have helped us to successfully identify and defeat threats to civil liberties online. EFF works to convince Congress and courts that video games -- like websites, blogs, and software code -- should not be limited by regulations and restrictions that undermine our Constitutional right to free speech. Video games are a form of expression that should be protected under the First Amendment.
EFF wants to thank Humble Bundle and its customers who have chosen to support our work, and we encourage other gamers to join our fight to defend your rights. A free and open Internet is vital to innovation, entrepreneurship, creativity and the marketplace of ideas. You depend on it, we depend on it, the world depends on it. And the future of independent games depends on it.
Check out the Humble Indie Bundle V today. Independent games are thriving, and EFF will continue to defend gamers and developers as the industry grows. Support EFF in our efforts by designating a portion of your Humble Bundle purchase to EFF!
Imagine going to court and potentially facing prison time over someone else’s comment in your blog. Thai webmaster Chiranuch Premchaiporn, also known by her online handle Jiew, has been facing that reality since her October 2010 arrest for violating the intermediary liability provisions of the 2007 Computer Crime Act and for "Lèse Majesté," or defamation of the Thai royal family. Jiew was not the author of the offending comments—she was the webmaster of the popular news site Prachatai that hosted them. In 2008, Prachatai published an interview with Chotisak Onsoong, a Thai man known for refusing to stand at attention during the Thai Royal Anthem—a dangerous political act in Thailand, but not technically a crime. The interview received huge attention, drawing over 200 comments from Thai citizens. On April 28, 2008, complaints were filed against Prachatai alleging that several comments on that interview were a defamation to the Monarchy. These complaints led to Jiew’s arrest months later.
A Thai court handed down Jiew’s sentence yesterday, signaling the end of a protracted legal battle: a one-year suspended sentence, further reduced to eight months, and a 20,000 baht ($625) fine, which she paid immediately in cash. It’s not the acquittal Jiew had hoped for, but it’s far from the 32-year maximum sentence for the charges against her.
Even though it could have been worse, the verdict still spells bad news for freedom of expression in Thailand. Jiew herself is quick to point out that “I still think the verdict will have an impact on self-censorship."
"By convicting the manager of a news website of a crime, the Thai authorities are showing the extreme lengths they are willing to go to stifle free expression," Brad Adams, Asia director of Human Rights Watch, said in a prepared statement. "More and more web moderators and Internet service providers will censor discussions about the monarchy out of fear they too may be prosecuted for other people's comments."
Internet intermediaries were quick to condemn the ruling. Taj Meadows, Asia Pacific spokesman for Google, wrote via email:
"Telephone companies are not penalized for things people say on the phone and responsible website owners should not be punished for comments users post on their sites. The precedent set today is bad for Thai businesses, users and the innovative potential of Thailand's Internet economy."
Even without the threat of jail time, the Thai government has pressured global Internet intermediaries such as Google, Facebook, and Twitter to censor content. The Ministry of Information and Communications Technology (MICT), which regulates the Internet in Thailand, demanded last year that Facebook delete 10,000 pages for violating the lèse majesté law. Thai Facebook users who click on the “like” or “share” buttons linked to content that violates lèse majesté continue to be prosecuted. Wipas Raksakulthai, the first Thai Facebook user arrested in April 2010, was declared a prisoner of conscience by Amnesty International.
When Twitter announced in January that it would introduce country-by-country content blocking based on geolocation, MICT permanent secretary Jeerawan Boonperm said he would work with Twitter to make sure that tweets in Thailand complied with local law. Jeerawan noted that MICT already had "good cooperation" from Google and Facebook.
Intermediaries large and small continue to be threatened by the lèse majesté law. EFF is happy to see Chiranuch Premchaiporn receive a sentence that will probably not require her to serve jail time, but the threat that this law represents to freedom of expression in Thailand remains dire.