In that particular case, the two young women—both of Palestinian origin—complied with officials’ requests but were nonetheless detained overnight before being deported. In another, similar case, a U.S. citizen who refused access to her email was told she was probably hiding something and was refused entry to the country. Israeli security (Shin Bet) told a reporter that “the actions taken by the agents during questioning were within the organization's authority according to Israeli law.”
Not unlike travelers to the U.S., travelers to Israel face serious privacy challenges at the border. The government generally has broad authority to search through your personal possessions, including your laptop, for any reason at all. When you cross the border to Israel, the Israeli government retains the authority to question you and examine your belongings, which it interprets as also allowing it to go through your electronic devices and computer files. More recently, authorities have also been known to demand user passwords to online accounts.
As we state in our guide to U.S. border searches:
For doctors, lawyers, and many business professionals, these border searches can compromise the privacy of sensitive professional information, including trade secrets, attorney-client and doctor-patient communications, research and business strategies, some of which a traveler has legal and contractual obligations to protect. For the rest of us, searches that can reach our personal correspondence, health information, and financial records are reasonably viewed as an affront to privacy and dignity and inconsistent with the values of a free society.
EFF recently asked Jonathan Klinger, an Israeli attorney, for his thoughts on the law and government practices that apply to searches at the Israeli border, and here is his analysis.
The Situation at the Israeli Border
At the Israeli border, there are some limited legal protections against the search itself. Based on a collection of experiences, however, it seems that mentioning these protections to border officials can be considered antagonism, and can limit your ability to enter Israel. Those concerned about the security and privacy of the information on their devices at the border should therefore use technological measures in an effort to protect their data. They can also choose not to take private data across the border with them at all, and then use technical measures to retrieve it from abroad.
There is, however, little to prevent a scenario in which one’s email is searched, as refusal to allow the search may result in deportation. With that in mind, concerned travelers should think ahead and review their online accounts before traveling.
Why Can My Devices Be Searched at the Border?
Article 7 of Israel's Basic Statute of Human Dignity and Freedom[1] states that every person is entitled to his privacy, and that his property may not be searched, apart from where it is required under legal authority. This generally means that the government has to show probable cause that a crime has been committed and get a warrant before it can search a location or item in which you have a reasonable expectation of privacy; moreover, a recent Supreme Court ruling stated that there is no such thing as a consensual search,[2] and where there is no probable cause, the state cannot rely on a person's consent in order to search his possessions. But searches at places where people enter or leave Israel are subject to different statutes. The two applicable statutes are the Aviation Act (Security in Civil Aviation), 1977,[3] and the General Security Service Act, 2002;[4] together, the two acts give two different state authorities the right to search a person's body and property. However, they do not refer to computer searches at all.
The Aviation Act allows security personnel, police officers, soldiers and members of the civil defense forces to search at border crossings if “the search is required, in [the officer's] opinion, to keep the public's safety or if he suspects that the person unlawfully carries weapons or explosives, or that the vehicle, the plane or the goods has weapons or explosives.”
Similarly, the General Security Service Act states that in order to prevent unlawful activities, secure persons or any other activity that the government authorized with the approval of the Knesset committee for the Shin Bet[5] to perform, any employee of the Shin Bet (the service) may search a person's body, property, baggage or other goods and collect information, as long as the person is present.
Only in extreme cases, where there is an object that needs to be seized for a vital role in the Shin Bet's activity, can the Shin Bet also search without a person's presence.
However, nothing in these acts authorizes computer searches. Recently, the Israeli Justice office proposed a new anti-terror bill,[6] which has yet to pass through the legislative process. This bill seeks to amend the current General Security Service Act to state specifically that computers may be searched.
How the Government Searches Devices at the Border
There are three government agencies primarily responsible for inspecting travelers and items entering Israel: the General Security Service (Shin Bet), the Customs Authority and the Immigration Authority.
The law gives the Shin Bet and other officials a great deal of discretion to inspect items coming into the country. There is no official policy published in respect to border search of electronic devices and accounts. And when recently requested to comment, the Shin Bet stated that its acts are “according to law.”
Keep in mind that the Shin Bet can keep your computer or copies of your data for “the time required for the seizure.” There is no specific consideration regarding forensic practices and the ways that your computer files may be copied during the seizure. This is unlike the Israeli Criminal Procedure Order (Arrest and Search), 1969,[7] which deals specifically with the forensic procedures of copying computer materials and requires two witnesses for any file duplication.
The Israeli Customs Authority, under Article 184,[8] allows any customs official to search every person for contraband or drugs given probable cause. Moreover, the customs official may also request urine, blood or saliva samples and request persons to undress. However, nothing in the law allows them to search through computer materials.
In short, border agents have a lot of latitude to search electronic devices at the border or take them elsewhere for further inspection for a short period of time, whether or not they suspect a traveler has done anything wrong.
We do not have the exact numbers or methods of how such searches are handled, and the Shin Bet is exempt from the Israeli Freedom of Information Act.[9] However, the frequency of technology-oriented searches at the border may increase in the future. Researchers and vendors are creating tools to make forensic analysis faster and more effective, and, over time, forensic analysis will require less skill and training. Law enforcement agencies may be tempted to use these tools more often and in more circumstances as their use becomes easier.
The decision faced by dictators to shut off the Internet (and risk economic loss) or keep their citizens online (and risk an Internet-assisted revolt) has been referred to by some as the "dictator's dilemma." In the case of Sudan, where anti-austerity protests have been raging for five days and calls to overthrow the regime have been reported, the dictator's decision is made a bit easier by the fact that only about one in ten citizens has access to the Internet.[1]
Thus far, there is only speculation as to whether or not the Sudanese government has shut down--or might shut down--communications networks. As reported by Global Voices, Sudanese activists and journalists in the country have heard rumors of an impending shutdown. In preparation, Twitter users in the country have been sharing the numbers for Speak to Tweet, the service that was created during the Egyptian uprising in January 2011 that allowed individuals on the ground to call a number and leave a message which was then tweeted to the public.
Also bolstering the rumors is the fact that authorities have arrested several journalists and activists over the past few days. Among those that have been detained are Maha El-Sanosi, a blogger with Global Voices (who has since been released) and a citizen journalist named Usamah who has been active on Twitter for years under the name @Simsimt. Usamah was arrested shortly after an appearance on the television program Al Jazeera Stream and his whereabouts remain unknown.
In addition to rumors of an Internet shutdown, there is also speculation that authorities are using technology to track activists and journalists. In 2011, authorities reportedly set up a Facebook page calling for protest, then used it to entrap and detain activists. There have also been reports over the past year of authorities demanding--or torturing for--the Facebook and email passwords of detainees.
As the protests continue, citizen journalists are using social media to disseminate photos, videos and news from the ground.
EFF will be keeping a close eye on developments; in the meantime, we urge activists and journalists to take security precautions when using digital communications tools. Our Surveillance Self-Defense International report provides tips on how to use technology defensively to protect oneself from government surveillance.
1. According to the most recent data from the International Telecommunications Union, Sudan's Internet penetration rate was 10.8% in 2010.
In recent weeks, the corner of the blogosphere that concerns itself with Internet-related policy has come alive with posts, comments and op-eds addressing the theory that a little-known United Nations telecom agency, the International Telecommunication Union (ITU), is gearing up for an Internet power grab. Concerns about this possibility spurred a U.S. Congressional hearing last month, and across the Atlantic, a June 19 workshop hosted at the European Parliament in Brussels provided a forum to sort out “Challenges to the Internet Governance Regime” as they relate to the ITU.
The UN agency, which is made up of 193 member states and specializes in information and communication technologies, is in the midst of preparing for a December conference where it will re-negotiate an important treaty establishing the International Telecommunication Regulations (ITRs). These regulations lay the ground rules for how big telecoms interact with one another in an international context, setting up systems for things like revenue-sharing, and have historically only dealt with telephony and never reached into the realm of Internet architecture. At Tuesday’s workshop, representatives from the European Commission, civil society organizations, Google, and other organizations were on hand to share their insights about how this treaty revision may affect Internet governance.
William Drake, an International Fellow of the University of Zurich and expert on Internet policy, challenged the framework that has been debated so far. “It isn’t in fact the case that the UN will send in black helicopters to take over the Internet,” he assured participants. Waving a slim green booklet totaling fewer than 30 pages, he declared, “This is what all the fuss is about.” It was the latest compilation of the ITRs, the telecom rules that ITU member states last agreed upon in 1988 – long before mobile devices with Internet connectivity revolutionized the telecommunications industry.
While Drake said he thought some discussions around the revisions could be discounted because they seemed “driven by various political agendas,” he was nevertheless very clear that he viewed certain proposals as highly problematic since they would indeed result in “a restrictive effect on the Internet” if approved.
Drake’s analysis of the situation was that it has less to do with a hostile takeover and more to do with the financial upheaval that has impacted the telecommunications industry in the last couple decades. The Internet has turned the traditional business model of major phone companies on its head. Big telecoms are seeking to recover their losses, he argued, and they’re trying to redraw the lines around who and what would be regulated by the ITRs.
It reflects “an effort by telecom companies in many parts of the world to leverage a multinational institution to recover market shares that they had lost in the face of liberalization,” Drake suggested. “And in that context … many other issues are being added to the pot: cybersecurity, censorship and so forth.” As preparations for the conference move forward, many countries have tossed in their pet projects “to see what will stick,” in his view.
Some ideas, such as proposed cybersecurity provisions put forward by Russia, could reinforce state surveillance power, Drake said. Taken as a whole, he added, the proposed regulatory revisions would essentially subject “everybody involved in providing Internet services” to the ITRs.
Andrea Glorioso, an Italian Policy Officer with the European Commission, touched on the geopolitical context out of which these proposals have emerged, acknowledging that some proposals are being advanced by nations that are unhappy with the status quo.
“We do believe that the Internet has become so essential on the global stage that we need to be thinking seriously about the geopolitical balance that this entails,” he said. “And what I’m trying to say here is that even though we are broadly fine with the current setup of global Internet governance, we also believe that we need to engage in a dialogue with those parts of the world that are not fine with the current setup. … At the end of the day, when we go to a discussion where numbers are counted, we need to count the numbers. What we are trying to achieve here is dialogue.”
Meanwhile, comments from members of civil society organizations also shed some light on how European stakeholders are framing the debate. Joe McNamee, EU Advocacy Coordinator of European Digital Rights (EDRi), aired criticism both of the ITU and the U.S. Government, which has positioned itself as an opponent to any ITU efforts to subject the Internet to new regulatory controls.
The ITU, McNamee said, “is fundamentally unsuitable for the regulation of the Internet. It’s slow-moving, it’s closed, and its high corporate membership fees can only be seen as a way of selling influence in the organization. It’s so closed that it’s not even possible for citizens to gain access to their documents without paying for them,” he added, giving a nod to civil society organizations’ public demand several weeks ago for greater ITU transparency.
The U.S. has positioned itself against expanded ITU powers over the Internet, but McNamee also doled out a harsh critique of the U.S.’s own Internet-related policy proposals, invoking the now-defunct Stop Online Piracy Act (SOPA) which was hotly debated by Congress earlier this year.
McNamee seemed convinced that the bureaucratic ITU would do its best to subject Internet-related entities to the ITRs as a kind of power grab. Paraphrasing “a wise person,” he said, “old bureaucracies don’t die, they file themselves in a different folder. Their next folder is the Internet, unfortunately.”
The debate surrounding the ITU and its upcoming renegotiation of the ITRs continues. While Drake and McNamee clearly believe a problem for Internet freedom looms on the horizon with the negotiation of the ITRs, Milton Mueller of the Internet Governance Project noted in this blog that as long as the ITU boundaries are kept within international telecommunication services, the worst consequences could be avoided.
EFF agrees. If we don’t maintain this distinction, we face the prospect of bringing an intergovernmental organization into Internet governance. ITU's mandate should be kept as it is: International telecommunications service. The ITRs' definitions should not be amended to include Internet services or cyber-security as part of international telecommunications. It’s also important to ensure that any changes made to the way telecom companies interconnect don’t empower monopolistic companies to act as gatekeepers to Internet services.
These issues will culminate at the treaty-writing forum in December, when the ITU’s World Conference on International Telecommunications (WCIT-12) is held in Dubai. The ITRs were last updated in 1988, so any problematic provisions that make their way into the treaty renegotiation this winter will stay with us for a very long time, and could shape things for decades to come. The highly bureaucratic ITU is subject to political influence, and the agenda of an industry that is worried about preserving its bottom line. In this context, it is negotiating proposals without transparency and behind closed doors. Therefore, civil society organizations must remain alert, and push back against any measures that could have a restrictive effect on the Internet. EFF will continue monitoring this issue, particularly as it pertains to cybersecurity.
Yesterday, a House Committee grabbed national attention by voting to approve a recommendation that Attorney General Eric Holder be held in contempt of Congress. The vote stemmed from the Department of Justice’s repeated refusals to release documents concerning the handling of an investigation known as “Fast and Furious” – a botched DOJ law enforcement operation aimed at slowing the flow of illegal weapons from the United States to drug cartels in Mexico. In an effort to head off a contempt vote, President Obama asserted “executive privilege” on Wednesday in an attempt to legitimize the DOJ’s refusal to disclose the requested documents. Multiple reports noted that this was the first time the President had asserted the privilege since taking office.
If only that were true of the entire executive branch. Unfortunately, the DOJ asserts the privilege in EFF’s FOIA cases all the time. So Congress, we know what you’re going through, we feel your pain, and we’ve got a way you can fix the problem.
If Congress really wants to send a message to the DOJ, it should forget about a contempt vote and focus on a long-term solution: cabining the Executive’s ability to assert the privilege in the first place.
In general, evidentiary privileges protect the compelled disclosure of information in formal government proceedings. Some of the more familiar privileges are the attorney-client privilege, the privilege against self-incrimination, and the doctor-patient privilege. The executive branch, too, has its own set of privileges, which come in a few different varieties, all with differing legal foundations and scope. For example, the presidential communications privilege (sometimes referred to, confusingly, as the executive privilege) is constitutionally grounded and, when invoked, protects any document or communication between, or generated for, the President and his closest advisors. Another type of privilege available to the Executive, the state secrets privilege, is not constitutionally grounded but, instead, has its roots in the common law. The state secrets privilege can only be used to withhold information concerning foreign relations and military affairs.
The privilege asserted by the President on Wednesday is the deliberative process privilege (pdf), a common law-based privilege that, properly applied, is applicable to a narrower and more specific type of record than the presidential communications privilege, yet is available to a larger swath of the executive branch. The deliberative process privilege only protects internal, executive branch communications created in the course of government policy formation. The rationale behind the privilege is that, if executive officials are not allowed to keep some internal deliberations secret, officials will be inhibited from freely expressing ideas and opinions; and, as a result of this inhibition, the process of policy formulation will be less robust and resulting government policies will suffer.
In the abstract, the privilege makes sense. However, in practice – and in EFF’s FOIA cases in particular – the DOJ’s assertion of the privilege rarely aligns with the underlying rationale.
For example, in our FOIA lawsuit over a secret DOJ Office of Legal Counsel legal opinion setting forth the FBI's authority under federal surveillance law, the DOJ asserted the deliberative process privilege (along with other FOIA exemptions) to withhold the binding opinion in its entirety. The DOJ invoked the privilege despite the fact that the memo was a final version (as opposed to a draft), despite the fact that the opinion had been distributed outside DOJ to other government agencies and to members of Congress and their staffs; and despite the fact that the memo shapes and interprets the privacy rights of citizens under federal law. In effect, the DOJ relied on the privilege, at least in part, to hide a body of secret surveillance law from EFF and the American public.
In another case involving the deliberative process privilege, EFF sued to obtain records related to the High Level Contact Group – a joint EU and U.S. working group tasked with negotiating a set of common principles on the transnational sharing of citizens’ personal information for law enforcement purposes. EFF sought all DOJ records that reflected the negotiating positions of the EU and the U.S. – positions which were necessarily disclosed outside the DOJ (to officials of foreign governments, no less) simply by virtue of the nature of bilateral negotiations. Again, the DOJ claimed the deliberative process privilege protected much of the requested information. According to the DOJ’s interpretation of the privilege, while disclosure of the information to foreign government officials was no problem at all, disclosure to EFF and the American public would cause grave harm to the agency’s deliberative process. These types of assertions of the privilege turn its legitimate rationale on its head, only serving to obstruct the public’s ability to know what its government is up to.
At its essence, nearly every FOIA case EFF litigates is identical to the battle playing out right now between Congress and the Executive. Congress has requested documents to shed light on government practices and to keep the executive branch accountable to the public. Instead of being forthcoming and transparent, the Executive has instead chosen to rely on a tenuous interpretation of the deliberative process privilege to stymie the process and obstruct the public’s ability to hold executive officials truly accountable.
But, at least in the FOIA context, Congress can fix the problem. Instead of wasting time with a symbolic (and, ultimately, pyrrhic) contempt vote, Congress should act to change the deliberative process privilege through statute. Unlike the presidential communications privilege, the deliberative process privilege is not constitutionally based, so a law cabining the Executive’s invocation of the privilege is less likely to create constitutional separation-of-powers problems. So, for example, Congress could amend FOIA to require a Court – whenever the deliberative process privilege is invoked to withhold information – to balance the public interest in disclosure of the information against the magnitude of the potential harm to the executive agency’s deliberations. This type of balancing is already used in other FOIA exemptions and would go a long way towards preventing some of the more egregious invocations of the privilege. A balancing test would also provide an agency enough space to rely on the privilege when it is being legitimately invoked, yet would prevent agencies, in case after case, from simply repeating the same generic and speculative assertions of harm to agency deliberations.
So Congress, if you’re serious about sending a message to the Attorney General and the DOJ, forget about the contempt vote. Instead, hit them where it counts: their FOIA exemptions.
Two days ago, EFF launched Defend Innovation, outlining seven proposals to address the egregious abuses of software patents. Since we launched, we’ve already received an amazing response (the initial traffic overwhelmed our servers) and now we’re watching as more and more people sign the petition and leave comments. This campaign isn’t just about our proposals – it’s also about creating a space for the tech community, inventors, academics, and others to express their concerns and suggestions for dealing with the patent system. The comments we collect will be the basis for a whitepaper we’ll use to educate lawmakers and the public about the problems with the software patent system – and how we can address them.
Here is a sample of what we've seen so far:
Many people are worried about patent trolls, or corporate entities that buy up patents with no intention of ever using them for anything other than collecting rents and settlements. We've written about the problems patent trolls pose to innovation before.
Steven Baker, a patent owner in Austin, TX, comments:
The real evils start when patents can be bought and sold by companies who have no interest in using the technology - have no intention of ever making a product - and exist only to game the legal system for profit. This kind of behavior is abusive and does absolutely nothing to encourage innovation or to boost the nation's bottom-line.
Other people voice their support for our second proposal, which calls for patent trolls to pay the fees and costs of those people they wrongfully sue for infringement. Nathan Hourt, a software developer at Rensselaer Polytechnic Institute, suggests that such measures should go even further:
Patent trolls ought not get away with breaking up a target's workflow, intimidating them, wasting their time, and potentially damaging their public image for nothing but some paltry legal fees that didn't stop them from suing in the first place. When the plaintiff's claims in a patent suit are found to be invalid, the plaintiff should be required to pay to the defendant at least triple the damages they were seeking. This would serve to offset the harm done to the defendant, as well as even further reducing the risk of patent trolling. Another benefit is that it would encourage plaintiffs to think twice about whether the damages they seek in a patent suit are reasonable.
Jesse Carlaftes, a senior systems engineer in Tucson, points out one of the major issues with the software patent process - that those approving the patents often do not have the specialized knowledge needed to make an accurate judgment about the validity of the patent:
Software patents generally cover ideas, and not implementations as currently defined in patent law. Patent Approvers are not well versed enough in Comp Science to determine novelty of an idea. Too many common ideas are patented with the simple modifier 'in software/internet/phone/etc'
Christopher Perry, a computer programmer in Okemos, Minnesota, draws attention in his comment to the challenges the current software patent regime presents for small businesses:
The current patent system makes it nearly impossible for small businesses to take off. In order to mitigate risk, each developer realistically needs a team of patent lawyers in support to let the developer know that the idea that just popped into their head is covered by a patent already. The patent waters are unnavigable for an individual and small business and has created a system where established businesses can crush new competition, not through the act of competing, but by legally prohibiting the competing endeavor to even start….
This kind of feedback is incredibly valuable to EFF on our fact-finding mission to find out how the tech community feels about software patents and what Congress (and others) need to do to address these problems. Please join the conversation. Visit defendinnovation.org, review the proposals and comments, and add your voice to the growing movement that is seeking real solutions to the problems arising from software patents.
“No iPad for you!” The sentiment may have evoked the fictional Soup Nazi, but the salesperson was completely serious. After hearing 19-year-old Sahar Sabet speaking Persian with her uncle, an Apple store employee refused to sell Sabet an iPad, stating (according to Sabet): “I just can't sell this to you. Our countries have bad relations.”
While the Apple employee was wrong here, in other, not too different circumstances, that employee may have been right. Restrictions placed upon U.S. persons[1] by the Department of Treasury’s Office of Foreign Assets Control (OFAC) state:
In general, a person may not export from the U.S. any goods, technology or services, if that person knows or has reason to know such items are intended specifically for supply, transshipment or reexportation to Iran. Further, such exportation is prohibited if the exporter knows or has reason to know the U.S. items are intended specifically for use in the production of, for commingling with, or for incorporation into goods, technology or services to be directly or indirectly supplied, transshipped or reexported exclusively or predominately to Iran or the Government of Iran.
While Sabet told a reporter that she had mentioned nothing about traveling back to Iran, companies--fearing the high penalties[2] placed upon violators of the OFAC regulations--often restrict sales or services on the fear that an Iranian citizen could take the product(s) to Iran.
For example, Google reportedly blocks Persian-language advertisements because of the prohibition on financial transactions targeting Iranians. Given that there are only small pockets of Persian speakers outside of Iran, it would be difficult for Google to argue they're not targeting Iranians with ads in Persian; therefore, blocking the advertisements entirely ensures that they're in compliance with the regulations.
In this case, however, Apple was in the wrong. A statement Wednesday by Department of State spokesperson Victoria Nuland in response to the incident clarified that:
[T]here is no U.S. policy or law that prohibits Apple or any other company from selling products in the United States to anybody who’s intending to use the product in the United States, including somebody of Iranian descent or an Iranian citizen or any of that stuff. If you do want to take high-technology goods to Iran, you need a license. But that is a separate issue.
A statement was also issued on the US virtual embassy to Iran’s Facebook page.
Given that exports to Iran are strictly controlled, where does the US government draw the line? Not at the border, as one might expect. A rule of the Department of Commerce (both Commerce and Treasury are involved in export controls), dubbed the “deemed export” rule, states that the Department’s Bureau of Industry and Security (BIS) “has jurisdiction for the ‘export’ or release of controlled technology and software to a foreign national in the United States.” A BIS policy document on Iran clarifies, however, that the “deemed export” rule does not apply to “persons who are permanent residents in the United States or are ‘protected individuals’ under the Immigration or Naturalization Act.”[3]
So what does this mean for Iranians and other individuals from sanctioned countries? Basically, an Iranian student temporarily residing in the US with intent to go back to Iran may legitimately be denied purchase of an Apple product under export regulations, but a US Permanent Resident or someone with Iranian dual citizenship cannot be. Furthermore, a company or individual that wishes to export to Iran must apply for a license through the Department of Treasury’s OFAC.[4]
Additionally, it is unlawful for anyone traveling to Iran to bring controlled items (such as laptops or satellite cell phones) into Iran even temporarily without authorization from OFAC.
As we’ve previously written, there are notable exceptions to these rules. In 2010, OFAC issued a general license for companies to export communications software and services to users in Iran, Sudan, or Cuba:
“certain services and software incident to the exchange of personal communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging, provided that such services are publicly available at no cost to the user.”
Similar amendments have been made for citizens of Syria.
While we hope this may have cleared some things up for those following the Apple story, the fact remains that the sanctions rules and other export controls remain unclear to many companies and individuals, even as the Internet and new technologies mean that goods and services cross borders more than ever before. To that end, we are continuing to work on this issue as it pertains to communications technology and services. While there have been some improvements, the U.S. sanctions and export regimes still deny too many critical tools to activists working to secure freedom in repressive countries.
As for Apple--which, as of 2:55pm on Wednesday, was still refusing comment on the story--we hope that the company will issue an apology immediately, help Sabet get her iPad if she still wants one, and further clarify their own policies to both the public and to their employees to ensure an incident like this doesn’t happen again.
1. U.S. persons, in this context, includes “companies, non-profit groups, government agencies, etc.”
2. Criminal penalties for violations of the Iranian Transactions Regulations may result in a fine up to $1,000,000, and natural persons may be imprisoned for up to 20 years.
3. “Protected individuals” can be United States nationals, temporary residents, recent lawful permanent residents, refugees and asylees.
4. Guidance on such an application is available here.
Coders have never been more important to the security of the Internet. By identifying and disclosing vulnerabilities, coders are able to improve security for every user who depends on information systems for their daily life and work. Yet this week, the European Parliament will debate a new draft of vague and sweeping computer crime legislation that threatens to create legal woes for researchers who expose security flaws.
On Thursday, the European Parliament will discuss the latest agreement between the European Parliament and Council on a draft Directive on Attacks Against Information Systems. In our submission to the European Parliament earlier this year, EFF opposed the wholesale criminalization of tools that can be used to commit attacks against information systems. While they can be used for malicious purposes, they are also crucial for research and testing, including for "defensive" security efforts to make systems stronger and to prevent and deter attacks. EFF also told the European Parliament that their initial draft jeopardized coders' rights to conduct essential security research. The current version, while better, still doesn't address this problem.
As currently written, the latest version of the Draft Directive threatens coders’ ability to access information systems for security testing without explicit permission. If the European Parliament moves to enact this provision, researchers who study others’ systems in good faith in the course of legitimate research may become criminals.
Article 3 of the Draft Directive criminalizes intentional access to information systems without prior authorization where the actor infringes a security measure. At the heart of the problem is the directive’s reliance on the concept of accessing information systems “without right,” which is defined as “access, interference, interception, or any other conduct referred to in this Directive, not authorized by the owner, other right holder of the system or part of it, or not permitted under national legislation.”
Another major problem with the draft directive is Article 7, which criminalizes the production, sale, procurement, import, or distribution of tools used to access systems for committing other offenses. This new article rightly tries to link punishment to malicious intent behind using the tool, rather than simply criminalizing the use, production, sale, or distribution of such tools per se. By doing so, this article tries to avoid the criminalization of dual-use tools that can be used for bad purposes, but also for desirable security efforts to prevent and deter attacks. However, Article 7 remains problematic because it relies upon the murky definition of access “without right” and uses Article 3 as a reference for defining criminal intent, which, as we explained above, is vague.
Another improvement is that the directive seeks to limit criminal punishment to cases that are “not minor.” However, the directive fails to explain what "minor" means in the text itself, leaving the option open for member states to define the term as they see fit. According to the directive’s present wording, maximum penalties for offenses (including distributing tool software) are at least 2 years of imprisonment, 3 years when using botnets and 5 years when committed in the context of organized crime, causing serious damage, or committed against a critical infrastructure.
Security researchers are a crucial part of any effective security strategy. Unfortunately, this directive creates a very real possibility that they may face serious criminal punishments for their work, which creates a strong disincentive for them to do it. While the directive’s legally non-binding recitals suggest a number of safeguards, including human rights and security testing, it is troubling that those protections are not included in the articles themselves.
The European Union should implement a target-hardening strategy to provide strong incentives and support for security researchers to identify and disclose vulnerabilities and motivate providers to quickly issue patches and updates. Please tune in this Thursday at 11:00 am Brussels time for a live stream of the directive debate in the European Parliament.
If you thought passing the bar was hard, try winning one of the coveted EFF Cyberlaw Pub Quiz victory steins. Last night, the best legal minds in San Francisco scrambled to answer 7 rigorous rounds of cyberlaw trivia (one of Fenwick & West's teams pictured left). EFF's attorneys, technologists and activists worked tirelessly for weeks to construct quiz questions, delving deep into the rich canon of privacy, free speech, and intellectual property law, and then uncovering the supremely trivial facts.
For many of the contestants, winning means more than just a fancy cup. It proves that you have lived and breathed the most important cases for digital rights of our time. The competition was fierce, and every team acquitted themselves well in the face of tough questions.
Please join us in congratulating this year's winners:
Honorary Mention: EFF the Children for being the highest ranked (4th place) team of EFF interns in five years of trivia nights (pictured right, sporting EFF's new t-shirt).
EFF’s Cyberlaw Pub Trivia Night is an important opportunity for us to thank our friends in the legal community who help protect online freedom in the courts. Among the many firms that dedicate their time, talent and resources to the cause, we would especially like to thank Ridder, Costa, and Johnstone LLP for sponsoring this year’s Trivia Night.
Test Your Internet Law Expertise
You too can play along at home. If you read the EFF blog regularly or recently aced EFF’s Know Your Rights Quiz, you may be feeling pretty confident about your knowledge of Internet law. But could you answer seven rounds of questions like these? The winning team (pictured right) probably answered every question below without breaking a sweat. Courtesy of EFF’s 5th Annual Cyberlaw Pub Trivia Night:
2. Justice Alito in U.S. v. Jones imagined how one might have conducted surveillance comparable to GPS tracking in 1791. Which was not part of his hypothetical:
(a) a tiny constable
(b) incredible fortitude and patience
(c) a hand-written writ
(d) a gigantic coach