At first blush, it seems obvious that a picture could reveal your location. A picture of you standing in front of the Golden Gate Bridge sensibly leads to the conclusion you're in the San Francisco Bay Area when the photo was taken. But now that smartphones are quickly supplanting traditional digital cameras, and even traditional cameras now have wifi built in, many more pictures are finding their way onto the web, in places like Twitter, Flickr, Google+ and Tumblr. In a span of 10 days, popular photo social network Instagram added 10 million new users as a result of the release of its Android app and its acquisition by Facebook. And the location data hidden in these quick and candid pictures -- even when your location isn't as obvious as "standing in front of the Golden Gate Bridge" -- is becoming another easy way for anyone, including law enforcement, to figure out where you are.
Take the case of "w0rmer," a member of an Anonymous offshoot called "CabinCr3w," for example. According to the federal government (PDF), "w0rmer" broke into a number of differentlaw enforcementdatabases and obtained a wealth of sensitive information. In a Twitter post, "w0rmer" provided a link to a website that contained the sensitive information as well as a pictureof a woman (NSFW) posing with a sign taunting the authorities. Because the picture was taken with an iPhone 4, which contains a GPS device built in, the GPS coordinates of where the picture was taken was embedded into the picture's EXIF metadata. The FBI was able to use the EXIF data to determine that the picture was taken at a house in Wantirna South, Australia.
The FBI tracked down other online references to "w0rmer," with one website containing the name Higinio Ochoa. The feds took a look at Ochoa's Facebook account, which detailed that his girlfriend was Australian. Combined with the EXIF metadata, the government believed they had corroborated the identity of "w0rmer" as Ochoa, and in turn arrested him.
Even for photos not taken with a smartphone and not embedded with GPS coordinates (for example, point and shoot or SLR cameras that do not geotag), it's still possible for the police to get location information through EXIF metadata. You can upload a picture here and see the metadata stored in a picture for yourself. Contained within that metadata is the camera's serial number. Armed with that information, the police can easily scour the internet for other pictures tagged with the same serial number. In Australia, a man whose camera was stolen was able to track it down using stolencamerafinder.com because the thief had taken a picture with the camera and uploaded it to Flickr, where he had listed his address. But even if the thief's Flickr site didn't contain his address, police could have subpoenaed Flickr - like law enforcement have attempted to do with Twitter - for information concerning a user's temporarily assigned IP address, as well as session times and logs, to eventually determine where a person uploaded a picture from. All of which can be used to piece together a snapshot of not only your movements, but as in the case of "w0rmer," potentially your identity. In the United States, police are being trained about the broader investigative (PDF) potential of this information.
It might be tempting to say the problem is overblown, because some social media sites, including Facebook and Twitter, strip the metadata out of photos uploaded by their members. But not all do. Twitpic's default is to use a picture's location tag unless you opt out. Flickr gives you the option to hide a photo's EXIF data, but many casual photographers tempted by the rapid growth of photo sharing may not understand what EXIF data is, and the implication of making it publicly available.
The bigger problem is that courts have been expanding the police's right to search digital devices without a warrant under the "search incident to arrest" exception of the Fourth Amendment. While many of the cases involve warrantless searches of cell phones, there has been at least one case in California (PDF) where the police used the "search incident to arrest" exception to search a juvenile's digital camera. And there are other reported incidents of photojournalists having their cameras confiscated and searched when covering political protests and rallies. If the cops have the physical camera (and thus the memory cards that store the photos), whatever scrubbing that happens when a photo is uploaded to the web is no obstacle.
So if you value your privacy, you should take steps to ensure the EXIF metadata in your pictures isn't an easy way for anyone on the Internet to figure out your location. If you're using a smartphone to take pictures, disable geotagging from your pictures. If you're uploading your pictures to a website like Flickr or Twitpic that defaults to automatically include EXIF data and location information, take the steps to turn it off. And if you're using a traditional SLR or point and shoot camera that doesn't geotag, but does contain a breadth of EXIF data, the make sure you scrub its metadata before you upload it on the Internet. There are free online tools that will help you do precisely that. These simple steps will help ensure that the thousand words a picture describes doesn't include your location.
The second list we received includes all the manufacturers that have applied for authorizations to test-fly their drones. This list is less surprising and includes manufacturers like Honeywell, the maker of Miami-Dade's T-Hawk drone; the huge defense contractor Raytheon; and General Atomics, the manufacturer of the Predator drone. This list also includes registration or "N" numbers," serial numbers and model names, so it could be useful for determining when and where these drones are flying.
Unfortunately, these lists leave many questions unanswered. For example, the COA list does not include any information on which model of drone or how many drones each entity flies. In a meeting with the FAA today, the agency confirmed that there were about 300 active COAs and that the agency has issued about 700-750 authorizations since the program began in 2006. As there are only about 60 entities on the COA list, this means that many of the entities, if not all of them, have multiple COAs (for example, an FAA representative today said that University of Colorado may have had as many as 100 different COAs over the last six years). The list also does not explain why certain COA applications were "disapproved" and when other authorizations expired.
We raised these questions in our meeting with the FAA today and were assured the agency will release additional records with this important information soon. As we have written before and as Congressmen Markey and Barton (pdf) stated in their letter to the FAA today, drones pose serious implications for privacy, and the public should have all the information necessary to engage in informed debate over the incorporation of these devices into our daily lives. However, while we wait for additional information, these lists help to flesh out the picture of domestic drone use in the United States.
Here is a list of organizations and influential people that expressed concerns about the dangerous civil liberties implications of the bill. Though each organization or person may differ in their terminology, they all reach the same conclusion—CISPA is not a "sharing of information bill only." It is an expansive bill that enables spying on users and allows for unaccountable companies and government agencies that can skirt privacy laws.
To add your organization to this list, please email email@example.com.
“Rogers (the bill’s author) says that the bill aims to 'help the private sector defend itself from advanced cyber threats,' but what it does is allow unlimited sharing of personally identifiable data amongst and between private companies and the government, without a single safeguard for privacy or civil liberty.”
Access Now's petition for companies to withdraw support of CISPA can be found here.
"This bill would trump all current privacy laws including the forty-eight state library record confidentiality laws as well as the federal Electronic Communications Privacy Act, the Wiretap Act, the Foreign Intelligence Surveillance Act, and the Privacy Act.
Essentially, CISPA would establish a whole new system for our nation’s privacy laws and policies and legalize extraordinary intrusions into established privacy rights and civil liberties."
“Keeping our computer systems secure is a real concern, but CISPA is absolutely the wrong answer. The bill would create a loophole in all existing privacy laws, allowing companies to share Internet users' data with the National Security Agency, part of the Department of Defense, and the biggest spy agency in the world—without any legal oversight."
“The US Congress is sneaking in a new law that gives them big brother spy powers over the entire web—and they're hoping the world won't notice. We helped stop their Net attack last time, let's do it again.”
The Cato Institute has published a series of articles analyzing cybercrime, its truth, its myths, and the hard math behind legislation such as CISPA and the inherit problems with cyber security bills such as this.
"The cybercrime surveys we have examined exhibit [a] pattern of enormous, unverified outliers dominating the data. In some, 90 percent of the estimate appears to come from the answers of one or two individuals. In a 2006 survey of identity theft by the Federal Trade Commission, two respondents gave answers that would have added $37 billion to the estimate, dwarfing that of all other respondents combined. This is not simply a failure to achieve perfection or a matter of a few percentage points; it is the rule, rather than the exception. Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias."
“If the bill merely extended to other companies the opportunity to receive classified attack signatures from the NSA so they could better defend their networks, CDT would actively support the legislation. However, the bill goes much further, permitting ISPs to funnel private communications and related information back to the government without adequate privacy protections and controls."
“CISPA demolishes existing barriers between the government and the private sector -- and between government agencies -- that restrict data sharing without cause, effectively allowing information about Americans' use of the Internet to slosh back and forth uninhibited.”
"The legislation amends and updates the National Security Act of 1947, which doesn’t contain provisions regarding cyber crime. While this law absolutely needs to be updated, this legislation is the latest example of Congress debating technology issues, while not understanding the full implications of the legislation they’re trying to pass.
CISPA would have technology companies, like video game systems, internet service providers (ISPs) and more share your use of technology with the Government under the guise of cyber security. It’s George Orwell’s classic book 1984 right here, right now."
Fight for the Future in its newly launched webpage focused on CISPA
"A cybersecurity bill that lets any company share your info with all of government, with no limits. In short, CISPA is the end of meaningful privacy for anyone with personal data on US-based services."
“As it stands, CISPA could lead all too easily to governmental and corporate violations of our privacy and attacks on our right to speak freely via the Internet. While there is a need to protect vital national interests, we can’t do it at the expense of our freedoms."
"CISPA aims to help companies defend against cyber attacks by facilitating the sharing of cyber threat information among government agencies and the private sector. Despite the bill's noble intentions, however, it risks unduly expanding federal power, undermining freedom of contract, and harming U.S. competitiveness in the technology sector. Our coalition letter articulates the following major problems with CISPA and explains how Congress can amend the bill to fix them.. (Continued in article)"
"H.R. 3523 will allow websites to share users’ personal information with the federal government in the name of cyber security, with no judicial oversight. It would authorize internet providers, social networking sites, and other websites that store personal information to monitor users’ personal emails for the vague purpose of “protecting the rights and property” of the provider."
"While we wholeheartedly support a more secure Internet, CISPA has a broad and alarming reach that goes far beyond Internet security. The bill infringes on our privacy, includes vague definitions of cybersecurity, and grants immunities to companies and government that are too broad around information misuse. We hope the Senate takes the time to fully and openly consider these issues with stakeholder input before moving forward with this legislation."
“In the name of the war on cyber crime, it would allow the government and private companies to deploy draconian measures to monitor, even censor, the Web. It might even be used to close down sites that publish classified files or information.”
"If the Cyber Intelligence Sharing and Protection Act (CISPA) passes, companies could intercept your text messages and emails to share with each other and the government – giving the US military the power to track, control, and share almost all of your online information without the use of a warrant. They could even block access to websites, or cut off your internet connection altogether. Like SOPA (which Facebook opposed), CISPA is a major threat to internet freedom and gives the government broad power to protect big media companies at your expense. It’s even a threat for internet users outside the US – because Facebook, Google and other major online service providers are headquartered in the US, even their non-American users’ online data could be used by the US military or corporations."
“The FOIA is, in many ways, the fundamental safeguard for public oversight of government's activities. CISPA dismisses it entirely, for the core activities of the newly proposed powers under the bill. If this level of disregard for public accountability exists throughout the other provisions, then CISPA is a mess. Even if it isn't, creating a whole new FOIA exemption for information that is poorly defined and doesn't even exist yet is irresponsible, and should be opposed.”
The White House’s Statement on Cyber Security in The Hill
“Any cybersecurity bill with information sharing provisions "must include robust safeguards to preserve the privacy and civil liberties of our citizens." The White House declared they would not support a bill that would "sacrifice the privacy of our citizens in the name of security."
"CISPA is essentially an internet monitoring bill that permits both the federal government and private companies to view your private online communications with no judicial oversight--provided, of course, that they do so in the name of “cybersecurity.” The bill is very broadly written, and allows the Department of Homeland Security to obtain large swaths of personal information contained in your emails or other online communication. It also allows emails and private information found online to be used for purposes far beyond any reasonable definition of fighting cyberterrorism."
“[It] is threatening the rights of people in America, and effectively rights everywhere, because what happens in America tends to affect people all over the world. Even though the Sopa and Pipa acts were stopped by huge public outcry, it’s staggering how quickly the US government has come back with a new, different, threat to the rights of its citizens.”
Bruce Schneier. Prominent security researcher and cryptographer, published seminal works on applied cryptography. Active in public policy regarding security issues; runs a weblog and writes a regular column for Wired magazine.
David J. Farber. Distinguished Career Professor of Computer Science and Public Policy, Carnegie Mellon University. Designer of the first electronic switching system. Was a major contributor to early programming languages and computer networking. EFF board member.
Donald Eastlake. Original architect of DNS Security, network security expert. Chair of IETF TRILL and IETF PPPEXT working groups.
Peter Swire. C. William O'Neill Professor of Law, Ohio State University. Former Assistant to President Obama for Economic Policy, and former Chief Counselor for Privacy in the U.S. Office of Management and Budget.
Eric Burger. Research Professor of Computer Science and Director, Georgetown Center for Secure Communications, Georgetown University. Chair of multiple IETF Working Groups.
Tobin Maginnis. Professor of Computer and Information Science, University of Mississippi. Operating system researcher, GNU/Linux expert, Web architecture researcher and networking expert.
Sharon Goldberg. Professor of Computer Science, Boston University. Network security researcher, member of FCC CSRIC working group on BGP security.
Peter G. Neumann. Principal Engineer, SRI International Computer Science Laboratory; moderator, ACM Risks Forum. Affiliation listed for purposes of identification only.
Stephen H. Unger. Professor Emeritus, Computer Science and Electrical Engineering, Columbia University. Board of Governors of IEEE Society on Social Implications of Technology (SSTI).
Geoff Kuenning. Professor of Computer Science and CS Clinic Director. Harvey Mudd College. File system researcher, built the SEER predictive hoarding system to predict what files mobile users will need while disconnected from a network.
Benjamin C. Pierce. Professor of Computer and Information Science, University of Pennsylvania. Research on differential privacy, which allows formal reasoning about real-world privacy.
Richard F. Forno. Professor of Computer Science focused on cybersecurity, signing as a private citizen.
Jonathan Weinberg. Professor of Law, Wayne State University. Chair of ICANN working group, and expert on communications policy.
Joseph “Jay” Moran. Distinguished engineer, AOL technical operations. Experienced executive working in technical operations and engineering for 20+ years.
Dan Gillmor. Technology writer and columnist. Director of Knight Center for Digital Media Entrepreneurship at Arizona State University, Fellow at the Berkman Center for Internet and Society, Harvard University. EFF pioneed award winner.
Armando P. Stettner. Technologist and senior member of IEEE, spearheaded native VAX version of Unix.
Gordon Cook. Technologist, writer, editor and publisher of “COOK report on Internet Protocol” since 1992.
Alexander McMillen. Entrepreneur and CEO, Sliqua Enterprise Hosting.
Sid Karin. Professor of Computer Science and Engineering, University of California, San Diego. Former founding Director of the San Diego Supercomputer Center (SDSC) and National Partnership for Advanced Computational Infrastructure (NPACI).
Eric Brunner-Williams. CTO, Wampumpeag. Signing as an individual.
Lawence C. Stewart. CTO, Cerissa research. Built the Etherphone at Xerox, the first telephone system working over a local area network; designed early e-commerce systems for the Internet at Open Market.
Ben Huh. Entrepreneur, CEO Cheezburger Inc.
Dave Burstein. Editor, DSL Prime.
Mikki Barry. Managing partner, Making Sense of Compliance.
Blake Pfankuch. Network engineer.
John Peach. Systems Administrator with 20+ years of experience.
Valdis Kletnieks. IT Professional, Virginia Tech University.
Darrell Hyde. Director of Architecture, Hosting.com.
Ryan Rawdon. Network and Security Engineer, was on the technical operations team for one of our country's largest residential ISPs.
Ken Anderson. VP of Engineering, Pacific Internet.
Andrew McConachie. Network engineer working on Internet infrastructure.
Richard Kulawiec. Senior network security architect with over 30 years experience.
Aaron Wendel. CTO, Whalesale Internet, Inc.
David Richardson. Center for High Performance Computing, University of Utah.
David M. Miller. CTO / Executive VP for DNS Made Easy.
Marshall Eubanks. Entrepreneur and CEO, America Free TV.
Edward Arthurs. Manager of Network Installations, Legacy Inmate Communications, Legacy Contact Center, Legacy Long Distance Intl. Inc.
Christopher Liljenstolpe. Chair of the IETF Operations and Management Area Working Group. Chief architect for AS3561 (at the time about 30% of the Internet backbone by traffic) and AS1221 (Australia's main Internet infrastructure).
Christopher McDonald. Vice President, PCCW Global.
Joseph Lorenzo Hall. Research Fellow focused on health information technology and electoral transparency, New York University.
Ronald D. Edge. IT expert.
David Henkel-Wallace. Vice President of Engineering. Terrajoule Corporation.
John Pettitt. Internet commerce pioneer, online since 1983, CEO Free Range Content Inc.; founder/CTO CyberSource & Beyond.com; created online fraud protection software that processes over 2 billion transaction a year
Ben Kamen. I.T./EE Professional.
Christopher Soghoian. Graduate Fellow, Center for Applied Cybersecurity Research, Indiana University.
Jo Young. IT professional.
Mark Hull-Richter. Senior software engineer.
Joop Cousteau. VP, Global Network Technology. KLM Airlines USA Ltd.
Jonathan Mayer. Graduate researcher, Security Lab and the Center for Internet and Society, Stanford University
Jeremy Sliwinski. Network engineer with 10+ years of experience.
Nathan Syfrig. Software Engineer and IT Consultant.
1. Correction: Edited to reflect that Popvox does not oppose CISPA. It is a nonpartisan organization.
On Monday, EFF launched our Stop Cyber Spying platform featuring our new Congressional Twitter Handle Detection Tool. Users can enter a zip code in order to find their Representative’s Twitter account. Folks are then urged to tweet messages to their Representatives highlighting the invasive nature of the CISPA cyber spying bill, a vaguely written piece of legislation that would let companies bypass privacy law and share private user information with the government.
And now, you can have our Congressional Twitter Handle Detection Tool for yourself!
Here's some code we cooked up to create an embeddable iframe version of the tool. We urge anyone who has a website to embed their own copy by pasting this code into their site, so more users will learn about CISPA and tweet at Congress to oppose it.
Want to customize it? Just replace https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8444 with whatever URL you want to use as a next step. If you don't include a URL it will default to EFF's action alert against CISPA.
The tool relies on data from the Sunlight Foundation's Sunlight Congress API, which is a freely available API that programmers can use to look up legislators, districts, and committees in Congress. The data returned about each legislator not only includes address, phone numbers, faxes, websites, etc., but also Twitter handle, Facebook username, and YouTube channel. We are helping them improve their data set. Sunlight Labs also offers other services to write apps that deal with government data, including Transparency Data API, Open States API, Real Time Congress API, and Capital Words API.
The source code for our Stop Cyber Spying tool is available in this git repository. You can clone it with this command:
Thai journalist Chiranuch Premchaiporn, better know by her pen name Jiew, is awaiting an April 30th court verdict that could sentence her to years in prison for violating Thailand’s draconian crackdown against free speech. Jiew’s case has focused international attention on Thailand’s lèse majesté laws, which have been used to block websites and suppress political dissent. The ruling will help clarify liability for Internet intermediaries such as Jiew, who is the director of the popular Prachatai news site.
Jiew is charged with violating Thailand’s 2007 Computer Crime Act and paragraph 112 of the Thai Penal Code, which prohibits lèse majesté or offending the monarchy. She faces a 20-year prison sentence for not being sufficiently prompt in deleting comments posted to a Prachatai online forum deemed insulting to the Thai royal family. Thai authorities have used lèse majesté to impose long prison sentences on bloggers, texters, and website administrators and create a climate of fear and self-censorship in Thailand.
“In my case, we have intermediary liability. We are self-censoring. There are no clear boundaries, no protection from law enforcement, no safe harbor,” said Jiew during a conversation in Bangkok last month. “We have a problem with law enforcement and their understanding of how the Internet works."
An arrest warrant was first issued for Jiew in March 2009. Authorities added nine additional charges and a second warrant was issued in September 2010. Jiew was arrested at Bangkok International Airport as she was returning from speaking at the Internet at Libertyconference in Budapest, Hungary and the United Nations Internet Governance Forum in Vilnius, Lithuania. Her second arrest was prompted by pseudonymous comments published on Prachatai’s online forum in 2008 sparked by an interview with political activist Chotisak Onsoong. By the time she was detained at the airport, Jiew had already shut down the Prachatai forum to protect users. According to Jiew, visitors posting comments to the site were targeted for surveillance and police asked for log files that exceeded Thailand’s 90-day limit. Breaches of lèse majesté are considered threats to national security and Thai ISPs turn over the IP addresses of suspects to authorities without requesting warrants.
Using Intermediary Liability to Stifle Dissent
Thailand’s use of lèse majesté illustrates how intermediary liability can be used for unchecked suppression of the open Internet. During her trial, Jiew’s attorneys presented witnesses to clarify the impact of the law including Prachatai website moderator Kittiphum Juthasmit, who testified that the nonprofit news service was forced to recruit 12 volunteer moderators to remove unlawful content. But when the number of postings dramatically increased after Thailand’s September 2006 coup d’etat, it wasn’t possible for the site to review every comment. Wanchat Padungrat, the owner and administrator of Thailand’s largest web portal pantip.com, testified that his site used key-word filtering and five or six full-time employees to moderate comments. But Wanchat noted that the volume of postings and their ambiguity made it impossible to verify all comments - and doing so would prohibitively expensive for any Thai website.
“This will destroy the Thai Internet industry because we cannot compete with foreign companies,” said Jiew. “People will provide services from international companies and that will be the consequence of the chilling effect of this case.”
Under lèse majesté, even those with enhanced access to a website can be prosecuted. In March 2011, Thantawut Thaweewarodomkul, a web designer for Nor Por Chor USA was sentenced to 13 years in prison for three comments posted to the website. A Thai ISP revealed that an IP address belonging to Thaweewarodomkul connected to the website via an FTP site he used for uploading images. The court found Thaweewarodomkul guilty even though his traffic was sent on a different time and date than the messages. The judge in the case declined to examine the logs. “If you are a webmaster, administrator or moderator and you have higher access to an area of the site, then you can be held liable if you have more privileges,” said Arthit Suriyawongkul of the Thai Netizen Network.
Despite increasing prosecution under lèse majesté, Jiew is still optimistic that she can win her case. She says her judge understands that the verdict will have consequences for the Thai economy and has been open to evidence about international standards for the moderation of online forums. “Once we see clarity in the law, we can comply with the law,” said Jiew. “We didn’t intend to violate the law, but when the law is not clear, it provides an opportunity for officials and authorities to abuse it.”
Fabrication of Digital Evidence
Wason Liwlompaisarn, founder and webmaster of blognone.com, the Thai equivalent of Slashdot, believes that Jiew’s case could help set standards to help protect intermediaries from liability. But Liwlompaisarn is worried about misuse of digital evidence in lèse majesté cases. He points to the prosecution of 62-year-old truck driver Ampon Tangnoppakul who was sentenced to 20 years in prison for allegedly sending four text messages defaming the monarchy. Known in Thailand as “Uncle SMS,” Tangnoppakul denied the charges and told the judge he didn’t know how to text. Liwlompaisarn said the case has raised alarm in Thailand about the forging of IMEI phone identification numbers and a judiciary that declines to authenticate the source of digital evidence. He said the judge in the case refused to review the SMS logs which showed the texts in question were inbound, not outbound.
“With a mobile phone, you can craft evidence and send it to the police which they can use to prosecute. It’s easy to fabricate,” said Liwlompaisarn. “I don’t expect the judge to be highly technical, but they should have a basic knowledge to understand what’s happening.”
David Streckfuss, a scholar who monitors lèse majesté, told Reuters that 478 known cases had been submitted to the Thai Criminal Court since 2006. A recent report from Reporters Without Borders noted that 112 lèse-majesté cases were reviewed by Thai courts between January and October of 2011 alone. Deputy Prime Minister Chalerm Yubamrung announced in December that the government would expand online surveillance to enforce lèse majesté and invest $13 million dollars in a “lawful interception” system.
During the inauguration of Thailand’s new Cyber Security Operations Center the Minister of Information and Communications Technology (MICT) Anudith Nakornthap he said he no longer sought court orders to close or block offending web sites. Nakarnthap stated that his ministry blocked more than 60,000 websites from September to November of 2011 compared to 70,000 in the preceding three years. Freedom Against Censorship Thailand (FACT) reports that 839,556 Thai websites are now blocked, including all of YouTube which is inaccessible for the first time since 2007. According to FACT, MICT spends billions of baht (equivalent to tens millions of US dollars) to censor offending websites.
MICT demanded last year that Facebook delete 10,000 pages for violating lèse majesté. Thai Facebook users who click on the “like” or “share” buttons linked to content that violates lèse majesté continue to be prosecuted. Wipas Raksakulthai, the first Thai Facebook user arrested in April 2010, was declared a prisoner of conscience by Amnesty International.
When Twitter announced in January that it would introduce geolocated censorship based on the users country location, MICT permanent secretary Jeerawan Boonperm said he would work with Twitter to make sure that tweets in Thailand complied with local law. Jeerawan noted that MICT already had "good cooperation" from Google and Facebook.
Even those who violate lèse-majesté outside of Thailand are prosecuted by Thai authorities. Thai-born American citizen Joe Gordon was sentenced in December 2011 to two and a half years in prison for posting links on his blog to translated portions of The King Never Smiles, an unauthorized biography of Thai King Bhumibol Adulyadej. The infractions were committed while Gordon lived in the U.S. raising alarm about the reach of Thai law and its impact on foreigners.
“The Thai government has established judicial power over the entire world and they enforce it in Thai territory,” said Suriyawongkul of the Thai Netizen Network. “The U.S. counselor gave an interview to the media about the Gordon case and said she was disappointed in the judicial system. Right after that, the Embassy Facebook page was attacked and they locked the page.”
Denial of Bail for Defendants
Human Rights Watch reports that Thai courts often deny bail for those accused of lèse majesté. This is especially true for supporters of the opposition party United Front for Democracy against Dictatorship, also known as the Red Shirts. In February, a coalition of international human rights groups spoke out against denial of bail in lèse majesté cases. One of the “Red Shirts” denied bail is former editor Somyos Prueksakasemsuk who is facing 30 years in prison for refusing to reveal the name of one of his reporters. After being refused bail a seventh time in February, Somyos’s son went on a hunger strike to demand his father’s release.
Prachatai reports that veteran activist Surachai Danwattananusorn, denied bail and sentenced to seven years in prison under lèse majesté, intends to seek a royal pardon for all political prisoners, including those jailed for lèse majesté. In addition to Surachai, the letter will be signed by eight other prominent lèse majesté convicts and defendants including Somyos Prueksakasemsuk, Joe Gordon, Sathian Rattanawong, Wanchai Saetan, Nat Sattayapornpisut, Suchart Nakbangsai and Darunee Charnchoensilpakul. Thai free speech activists say the letter could help pressure the government to reconsider their efforts to undermine democracy and punish dissent. Amphon Tangnoppakul has withdrawn an appeal in his case and will also seek a royal pardon as will Thanthawut Thaweewarodomkul, once he knows the outcome of his bail request.
Over the past decade, and particularly in the past year, media and civil society have had success through naming and shaming companies acting as “repression’s little helper”: U.S. and E.U. companies who have helped authoritarian countries censor the Internet and surveil their citizens with sophisticated technology. Today, EFF published a whitepaper outlining our suggestions for how companies selling surveillance and filtering technologies can avoid assisting repressive regimes.
In that vein, the newly-amended Global Online Freedom Act (GOFA), just passed by a House Sub-Committee, while far from perfect, is an important step toward protecting human rights and free expression online.
This is not the first time that GOFA has been proposed, nor is it even the first time the bill has been approved by the House sub-committee; a 2007 version, which literally named the countries to which filtering technology would be restricted (Belarus, Cuba, Ethiopia, Iran, Laos, North Korea, the People’s Republic of China, Tunisia, and Vietnam), was also approved by the House but never came to the floor for a vote.
In the past, EFF has had extreme reservations about GOFA in part because it sought to add more items to the U.S. export restrictions, which could easily mean that activists and people seeking to secure their own networks would lose out more than repressive governments. But in many respects, GOFA has come a long way, thanks in large part to the efforts of its authors in seeking feedback from the tech community and civil society. The bill still needs more definitions and clearer definitions of key terms, and we are not yet ready to support it, but we'll be watching it closely. The current version of GOFA would:
Require government assessments of “ freedom of expression with respect to electronic information in each foreign country.”
Require disclosure from companies about their human rights practices, to be evaluated by an independent third party.
Limit the export of technologies that “serve the primary purpose of” facilitating government surveillance or censorship to governments in countries designated as “Internet-restricting.”
But let’s take a deeper look…
The bill contains a number of excellent measures that would ultimately encourage more transparency amongst software and hardware companies, as well as online service providers. The companies involved have been notoriously secretive and have often refused comment to reporters when their products have been found in authoritarian regimes.
Section 103 of the bill would require that the human rights reports already written for each country by the State Department include assessments of country’s Internet freedom, including the availability of Internet access, and government attempts to filter or censor nonviolent, political, or religious expression. Section 103 would also require assessments about the extent to which authorities in a given country have sought information on an individual or group relevant to their nonviolent activities, as well as the electronic surveillance practices of a given country.
These assessments--undertaken by US diplomatic personnel--would also include the input of human rights organizations, technology and Internet companies, and other “appropriate nongovernmental organizations.” The inclusion of NGOs is an important addition, since we are concerned that the State Department process could be vulnerable to politicization. Because of this, we'd like to see the role of non-governmental organizations increase as the bill develops further. Additionally, since the most robust research on Internet censorship and surveillance has come from the academic community and independent researchers, these must be added too.
Importantly, the bill should also be extended to require transparency from all companies providing tools and services that can be used for surveillance and censorship, and not just companies providing Internet communications services. Transparency from technology vendors and providers of other services is as important as transparency from Internet service providers. In fact, the transparency sections also can and should reach a broader range of technologies and companies than the export restrictions, which should remain narrow if they are to exist at all. As a result, we recommend decoupling the transparency and export restrictions.
Human Rights Standards for Companies
We also commend Sec. 201, which sets up a good framework for human rights due dillgence procedures for companies operating “in any Internet-restricting country” (a designation upon which we will comment below). It requires reports that must be approved by the most senior level of a company, and independently assessed by a third party. These reports would be made either to the Securities Exchange Commission or to a multi-stakeholder initiative that conducts independent third-party audits. Unfortunately, only the SEC reports are to be made publicly available online (with an exception for classified information). This should be fixed, but otherwise, the human rights due diligence standards are similar to those in the Human Rights and Technology Sales standards EFF has published today.
All of the aforementioned reports are to be constructed on the basis of Article 19 of the International Covenant on Civil and Political Rights, which states that everyone should have the right to: hold opinions without interference, freedom of expression (including the freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers and through the media of his/her choice).
Internet Restricting Countries
While there is much to like in GOFA, we still have extreme reservations about giving the Secretary of State sole authority to determine that a country is an "internet-restricting country." The Secretary is to determine, based on the review of evidence, whether the government of the country is “directly or indirectly” responsible for a systematic pattern of substantial restrictions on Internet freedom during any part of the preceding 1-year period. As we noted above, one way to help mediate that is to increase the role of non-governmental organizations, academic institutions and independent researchers.
More transparency should also be injected into this process. Already a description of evidence used by the Secretary of State to make the determination, as well as all unclassified portions of the report must be posted online, which is good. Unfortunately, this only applies to countries placed on the “internet-restricting countries” list. The Secretary of State should include information about countries left off the list: Politics and diplomatic pressure can cut both ways. To better ward of claims of politicization, the public should be able to see the evidence for why a country has or has not been included.
We also have concerns about the “Safe Harbor” provision of the bill, in Sec. 201(a)(3), which would allow companies to circumvent reporting requirements by joining the Global Network Initiative (GNI) or another multi-stakeholder group (defined in the bill as a group made up of civil society, human rights organizations, and companies, and committed to promoting the rule of law, free expression, and privacy). While as members of the GNI, we believe that membership in it or similar initiatives should be encouraged, companies should not be given a pass for reporting to the public or fulfilling any other requirements merely for joining such groups. The Safe Harbor could still allow the companies to avoid reporting to the SEC, but it must not allow them to avoid public reporting. Moreover, companies should have to participate in a Multi-Stakeholder group as defined in the bill under section 201(a)(3)(B), including having an independent body provide honest analysis of a company’s exports laid out in the bill. The GNI could be one such group, of course, but it shouldn't have special status.
We also continue to be concerned about the export restrictions, although the bill is now much less worrisome than it once was. The authors smartly now propose only a very limited export restriction that reaches only sales to government end users in Internet restricting countries. As an organization with a long history of fighting the overbroad application of export restrictions, we’re still concerned, but the limited scope here can at least minimize the chances that these regulations could hinder activists in foreign countries from getting, for instance, technologies that can help them monitor their own communications for security vulnerabilities and backdoors. We will need to watch this process carefully, though. At a minimum, the bill should create a very clear and simple process for those seeking to provide technologies to people overseas to challenge any agency action that oversteps this narrow category.
We’re also concerned about the broad waiver provision. It allows the President on a case-by-case basis to certify to Congress that “it is in the national interests of the United States to” issue an exemption. We think the President should have to justify any waiver publicly, to the extent that any part of the analysis is not classified. Also, the standard should be more robust than just the recitation of “national interests.” That is too easily abused.
It’s not hard to see that much of the technology that was misused by governments during the “Arab Spring” was originally sold to countries that were “allies” of the US at the time. Yet, most of these technologies were easily and quickly used to suppress dissent of citizens. A prime example is Egypt, which likely was an ally of the U.S. when it purchased the Narus surveillance technologies used against democracy activists. Similarly, Libya bought technology from France under the guise of fighting terrorism, but used the technology to surveil activists, human rights campaigners, and journalists. Would such a waiver provision be used for Bahrain—still a staunch ally of the US—where several cases have emerged in which activists were tortured while being read transcripts of their text messages and phone calls?
Finally, for no good reason the bill now references intellectual property: “No provision under this Act shall be construed to affect a country’s ability to adopt measures designed to combat infringement of intellectual property.” This provision appears to have no substantive impact, but instead appears to have been included to appease Congressional offices (and their content industry patrons) that seemingly require that intellectual property be mentioned in any law that also mentions the Internet. Frankly, the inclusion of this provision makes Congress look unserious. It simply has no place in a legislative proposal aimed at curbing the use of technology to aid in torture, summary execution and other deadly serious human rights abuses. It should be removed.
EFF, OpenMedia.ca, CIPPIC and a number of civil society organizations have declared this to be ‘Stop Cyber Spying Week’ in protest of several controversial U.S. cybersecurity legislative proposals, including the bill currently before Congress and the Senate called CISPA, the Cyber Intelligence Sharing & Protection Act of 2011. While ‘Stop Cyber Spying Week’ is focused on U.S. initiatives, Canadians should be concerned as well as the adoption of a privacy-invasive U.S. cybersecurity strategy is likely to have serious implications for Canadian civil liberties. For this reason, Canadian civil society groups have joined the protest. In general, Canadians would do well to remain vigilant.
Using the guise of ‘cybersecurity’, CISPA aims to mobilize Internet intermediaries to institute a sweeping, privacy-invasive, voluntary information-sharing regime with few safeguards. The U.S. cybersecurity strategy, embodied in CISPA and other legislative proposals, also seeks to empower Internet companies to deploy ill-defined ‘countermeasures’ in order to combat these threats. Use of these powers is purportedly limited to situations addressing ‘cybersecurity’ threats, yet this term is so loosely defined that it can encompass almost anything – even, potentially, to investigate potential breaches of intellectual property rights!
The cornerstone of the privacy-invasive CISPA component is the establishment of private-public partnerships for information sharing. This creates a two-tiered regime that, on the one hand, facilitates the collection of personal Internet data by private Internet companies as well as the sharing of that information with the government and, on the other, allows government agencies to share information with private companies.
To enable information flows from Internet companies to government agencies, CISPA will grant Internet companies immunity from civil or criminal liability for any monitoring or sharing of user activity—as long as it is done in ‘good faith.’ Specifically, CISPA authorizes companies to “use cybersecurity systems to identify and obtain cyber threat information.” Aggrieved users who sue Internet companies for wrongfully handing over their data to the government will have to meet the incredibly high bar of proving the decision comprised ‘willful misconduct.’
The U.S. cybersecurity strategy will also permit Internet companies to employ dubiously defined ‘countermeasures,’ provided they are justified with equally vague and undefined ‘defensive intent.’ Internet companies will be permitted to deploy ‘cybersecurity systems’ – products designed to ‘safeguard...a network from efforts to degrade, disrupt, or destroy’. While it is unclear exactly what this would permit an Internet company to do, it could allow blocking of specific websites or individuals or even a much broader range of filtering. Given the potentially all-encompassing and inclusive definition of ‘cybersecurity’, it would not be surprising if these ‘countermeasures’ were ultimately used to block online entities such as Wikileaks or sites accused of copyright infringement. The inclusion of ‘degrade’ in the definition of permissible ‘cybersecurity systems’ could even raise net neutrality concerns, as ISPs have, in the past, claimed ‘network degradation’ as justification for the throttling of downstream services such as peer-to-peer applications. Indeed, U.S. cybersecurity laws have a history of being employed by private Internet companies to stifle downstream competition.
In sum, the U.S. cybersecurity strategy envisions a voluntary cooperative regime where Internet companies are given broad-ranging immunities to surveil Internet users and downstream online services. This amounts to an erosion of personal privacy safeguards currently in place. Under this regime, an online company need only to assert a vague ‘cybersecurity objective’ and it will have carte blanche to bypass domestic laws and protections against privacy invasion.
This legislation is likely to have direct implications for Canadians. Canada and the United States have agreed to a joint ‘Beyond the Borders Initiative’ [pdf] aimed at establishing a ‘secure perimeter’ around the two countries. Somewhat ironically given the borderless nature of the Internet, the Initiative envisions a secure cyber perimeter in addition to the secure physical perimeter it seeks to put in place. While the cybersecurity segment of this Initiative remains vague, it includes a commitment to:
Develop joint Canadian and U.S. programs, and analytic or communications products, aimed at enhancing the cross-border protection of critical infrastructure;
Enhance the two countries’ ability to ‘respond jointly and effectively’ to cyber incidents, including joint engagement with private sector entities as well as ‘real-time information sharing’ between cybersecurity operation centres across both countries;
Harmonize best practices and objectives on cybersecurity between Canada and the U.S., and actively advance these objectives in international Internet governance forums and bi-lateral interactions with third countries; and
Take steps to generally “make cyberspace safer for all our citizens.”
While lacking in specifics, the emphasis on joint information flows, references to bi-national cooperation with private sector entities, and a commitment to jointly advance cybersecurity and best practices all hint at a consolidation of laws and practices. Moreover, reference to joint cybersecurity ‘products’ is reminiscent of the ‘cybersecurity systems’ invoked by CISPA.
If CISPA passes in the U.S., Canadians could expect great political pressure to adopt similar measures in Canada. As Canada’s Federal and Provincial Privacy Commissioners recently noted in a Joint Resolution, there is currently nothing in the Initiative to guarantee Canadian privacy standards are maintained in this harmonization effort. Suggestions that programs subject to the a ‘shared vision’ [see p. 15] between Canada and the United States on privacy emphasize this.
In fact, two current legislative proposals in Canada, if passed, will remove any legal barriers to the type of public-private information sharing that is at the heart of CISPA. First, there is Bill C-12, which will amend Canada’s federal privacy protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA legally restricts the conditions under which private organizations such as telecommunications companies can disclose personal information about their customers to third parties, such as the government. Bill C-12 will significantly expand the conditions under which companies can share information without having to seek customer consent. It will permit telecommunications companies to hand over customer information to any organization seeking it for the purpose of performing ‘policing services’, a term that is increasingly being applied to public-private cybersecurity partnerships.
More concerning is a provision included in Bill C-30, the Canadian Government’s latest attempt to update its capacity to surveil the online activities of its citizens. Among the numerous privacy-invasive elements found in Bill C-30 is a provision granting organizations – including telecommunications companies – immunity from “any criminal or civil liability” if they voluntarily decide to preserve customers’ information or share it with law enforcement. This is evocative of the civil and criminal immunity CISPA offers U.S. companies for handing over their users’ data to the United States Government. While the scope of monitoring permitted under C-30 may not go as far as that in CISPA, the C-30 immunities for voluntary sharing of customer information to the Government are arguably broader.
Canadians would do well to take note of developments on CISPA in the United States. While the immunities granted in Bill C-30 may not have been included specifically with a cybersecurity purpose in mind, Canada is now tied to United States cybersecurity strategies through commitments in the joint perimeter security Initiative. If the CISPA vision is adopted in the United States, Canadians can expect similar strategies to appear soon after. If Bill C-30 passes, many of the legal tools for this unaccountable sharing regime will already be in place, ready for exploitation.
Rep. Rogers is adamant thatCISPA, the Cybersecurity Intelligence Sharing and Protection Act, is cybersecurity legislation intended to help protect critical infrastructure intrusions and private and government information. But as we've written in the past, CISPA is a bill that allows for companies to spy on users, pass along the information to government agencies like the NSA, and potentially filter or block Internet traffic, which could serve as justification for action against sites like Wikileaks. That's why we're calling on users to contact Congress to speak out against this bill.
One of the scariest parts of CISPA is that the bill goes above and beyond information sharing. Its definitions allow for countermeasures to be taken by private entities, and we think these provisions are ripe for abuse. Indeed, the bill defines "cybersecurity purpose" as any threat related to safeguarding or protecting a network. As long as companies act in "good faith" to combat such a cybersecurity threat, they have leeway to protect against “efforts to degrade, disrupt, or destroy [a] system or network.” This opens the door for ISPs and other companies to perform aggressive countermeasures like dropping or altering packets, so long as this is used as part of a scheme to identify cybersecurity threats. These countermeasures could put free speech in peril, and jeopardize the ordinary functioning of the Internet. This could also mean blocking websites, or disrupting privacy-enhancing technologies such as Tor. These countermeasures could even serve as a back door to enact policies unrelated to cybersecurity, such as disrupting p2p traffic.
The Cato Institute warned that one could imagine: "a sysadmin with a vigilante streak reading ['cybersecurity systems'] to include aggressive countermeasures, like spyware targeting suspected attackers." Their analysis continued, "After all, 'notwithstanding any other provision of law' includes provisions of (say) the Computer Fraud and Abuse Act that would place such tactics out of bounds." We think that a rogue sysadmin is not the only concern—no matter what the intention of the bill is now, as political realities change this language can be used to justify the sort of aggressive countermeasures that we've described, or more. This could happen not just in unusual circumstances, but as a matter of policy.
The defense of networks is one reason why the Heritage Foundation is backing the bills. In a letter of support (PDF), Heritage discussed how CISPA gives private entities "clear legal authority to defend their own networks." While we think private entities should be able to defend their networks, they should not be able to do without accountability in a manner that threatens free speech or disrupts the Internet.
CISPA is intended to protect against catastrophic cyberattacks and economic espionage, but the broad definitions of CISPA unfortunately allow for much more. Contrary to what Rep. Rogers says, CISPA is not "a sharing of threat information bill only." CISPA's language is so vaguely defined that it could allow private companies to take a wide range of actions in order to defend their networks. While some of these actions might be perfectly appropriate, others could have disastrous consequences for our civil liberties.