In February, we documented how a judge in the Northern District of Florida halted 27 copyright troll cases naming over 3,500 individuals to determine whether the copyright troll lawyer, TarikHashmi, initiated the cases while being unlicensed to practice law in Florida.
In response to the judge, Hashmi did not deny practicing without a license and instead tried to substitute a lawyer to continue the cases. This week, as noted in the Order attached below, the court not only dismissed the substitution, but also all of the cases.
The Order notes that Hashmi had signed an affidavit promising not to practice law in Florida until he was properly licensed. It states that Hashmi "suggested no plausible reading" of the affidavit that nonetheless allowed him to file the actions. Finally, it noted that dismissal of the cases was proper because Hashmi's clients in the 27 cases had presented no evidence, including evidence that they were unaware of Mr. Hashmi's illegal status or whether they had "demanded settlements through Mr. Hashmi and retained the proceeds."
The cases were dismissed "without prejudice," meaning that they can still be refiled by other lawyers, but the order provides further evidence about the dubious business model of copyright trolls. We will keep an eye out to see if the cases are refilled. For now, the current cases are dismissed.
Since the beginning of the year, pro-Syrian-government hackers have steadily escalated the frequency and sophistication of their attacks on Syrian opposition activists. We have reported on severalTrojans, which covertly install spying software onto the infected computer, as well as phishing attacks which steal YouTube and Facebook login credentials.
The latest surveillance malware comes in the form of an extracting file which is made to look like a PDF if you have file extensions turned off. The PDF purports to be a document concerning the formation of the leadership council of the Syrian revolution and is delivered via Skype message from a known friend. The malware installs a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more. It sends this data back to the same IP address in Syrian IP space that was used in several previous attacks, including the attacks reported by CNN in February, the Xtreme RAT Trojan EFF reported in March, and this sample from March 21st.
Syrian Internet users should be extremely cautious about clicking on suspicious-looking links, or downloading documents over Skype, even if the document purportedly comes from a friend.
The screenshot below shows the file with the fake Adobe icon.
The self-extracting file is named:
ورقة حول مجلس القيادة_asrcs.fdp.scr
On extraction, it performs several actions, including opening a PDF file, which you can see in the screenshot below.
The screenshot below shows the other files that are dropped:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(Empty).lnk
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ورقة حول مجلس القيادة.pdf
Additionally, after you start typing, it creates a keylogger directory:
The screenshot below shows process that indicates the DarkComet RAT is running on your computer. Go to your Windows Task Manager by pressing Ctrl+Shift+Esc and click on the Processes tab. The process is called svchost.exe and runs under your username. In this example, the user is Administrator.
The screenshot below shows the empty start-up link which is created by the Trojan.
As of Wednesday April 4th, this Trojan is not detected by any anti-virus program. However, it is detectable by the DarkComet RAT removal tool, written by the same developer that originally wrote DarkComet RAT. The screenshot below shows the removal tool detecting DarkComet RAT on an infected computer. The YouTube phishing attack also installed DarkComet RAT and is detectable via the DarkComet RAT removal tool DarkComet RAT Remover v1.0.
EFF is deeply concerned to see targeted attacks on Syrian Internet activists continue. We are even more concerned by evidence suggesting that a subset of the attacks are being carried out by the same individual or group somewhere inside of Syria. We will continue to keep a close eye on developments.
Does the government have a responsibility to protect innocent third parties from collateral damage when it seizes their property in the course of prosecuting alleged copyright infringement? That is the question a federal district court will consider next week in the latest skirmish in the legal battle between the U.S. government and Megaupload.
When the government shut down Megaupload three months ago, it made it impossible for innocent third parties, like our client Kyle Goodwin, to access their data stored on that site. Others—like service provider Carpathia—have also voiced legitimate complaints about their property getting caught up in the government’s dragnet. But the government has tried to wash its hands of all responsibility, insisting it doesn’t control the property anymore and that the court has no authority to intervene. On April 13, a judge in the Eastern District of Virginia will hear arguments concerning what should happen with Mr. Goodwin’s data and Carpathia’s servers. Ahead of that hearing, here are some specifics on who will be there and what they will argue:
Kyle Goodwin: EFF represents Mr. Goodwin, who owns a business called OhioSportsNet that covers local high school sporting events in sports-crazed Ohio. Mr. Goodwin and his producers used Megaupload to store and share video files of sports games; he also backed those files up on a personal hard drive. As luck would have it, that hard drive crashed a few days before the Megaupload shut down, leaving Mr. Goodwin with no access to the files he needs to run his business.
Mr. Goodwin has asked the court to set up a process that would allow him, and others in the same boat, to access his paid Megaupload account and get those files back.
Carpathia: Megaupload leased 1,103 servers from Carpathia, which contain approximately 25 petabytes of data (yes, 25 petabytes!). Carpathia still owns the servers and has not deleted the data, despite the government’s claims that Carpathia has no obligation to maintain that data (more on that below). From the outset, Carpathia has worked to preserve users’ data, but it claims that “it does not own and cannot access the data” and, as such, is not able to return it to its rightful owners.
Because the government has frozen all of Megaupload’s funds, Carpathia has been stuck eating the costs of maintaining those servers — approximately $9,000 a day. Carpathia has asked the court to allow it to repurpose the servers after allowing a brief period of access, to require another party to take control of the servers and pay Carpathia for them, or to require the parties to pay Carpathia to continue maintenance.
MPAA: The MPAA claims that its members “are certain to own the copyrights in a substantial percentage of the infringing files” stored on Carpathia’s servers. (Of course, the MPAA does not actually know what’s on those servers, but it and its cohorts never been afraid to shoot first and investigate later). The MPAA has asked the court to prohibit transfer of Carpathia’s servers to any third party.
Indeed, the organization insists that even a court-mandated transfer violates copyright law, since the servers presumably contain at least some copyrighted material. You read that right: the MPAA claims that a transfer of the servers to a third party (whether or not that third party could or would access the files on it) would constitute an infringement of the copyrighted material on those servers (without regard to whether the underlying use was licensed or otherwise a fair use).
The MPAA also expresses concern that Megaupload would obtain the servers and relaunch its service in a foreign jurisdiction. We think this unlikely. But, even so, the courts and the parties have the power to create a legal framework to ensure this doesn’t happen.
Finally, the MPAA claims that it has no plans to sue individual Megaupload customers. Yet without filing a lawsuit and making a case that those customers actually infringed copyrights, the MPAA — or the government — has no right to keep their data from them. So while we are glad that the MPAA won’t be suing Megaupload customers, it is still outrageous that it wants to prevent those customers from accessing their property without due process.
Megaupload: Megaupload has not filed a substantive brief yet, but we know that its attempts to work with the government to preserve the data on Carpathia’s servers have not been successful.
The Government: We had hoped the government would work with Mr. Goodwin, Carpathia, and the other parties to ensure that the innocent folks swept up in this mess were made whole again. Unfortunately, the government is doing its very best to avoid taking any responsibility in the matter. In its brief, the government argued that it has no obligation to help preserve the data on Carpathia’s servers. Even more troubling, the government argued that the court has no power to order Carpathia or others to maintain or return the data (we think the government is wrong on this point, as we argued in our brief).
To be clear, as part of its criminal case against Megaupload, the government has frozen all of Megaupload’s funds. This means that Megaupload cannot pay Carpathia to turn the servers back on to allow its customers access to their data. When the government shut down Megaupload’s business, seized its domains, and froze its funds, it also deprived Mr. Goodwin and others of their rightful property. The government should make those parties whole again by working with the court, Megaupload, and Carpathia to devise a process to get their data returned.
The court will hear arguments next Friday. We will be there to make the case that Mr. Goodwin and others like him should get their files back. And we’re hoping that whatever process the court adopts for doing that can serve as a model in future cases where the government seizes websites with third-party content on them, a tactic that we fear we will see all too often in the future.
On Sunday, the United Kingdom’s Prime Minister David Cameron and the Interior Ministry were forced to defend a sweeping wiretapping proposal, which would aim to monitor every single email, text message, and phone call flowing through the whole country. The proposal would likely force all UK Internet Service Providers (ISPs) to install “black boxes” on their systems that use Deep Packet Inspection (DPI) technology, which would give authorities access to all communications data without a warrant or any judicial oversight.
Law enforcement would have access to IP addresses, email addresses, when you send an email, to whom you send it, and how frequently—as well as corresponding data for phone calls and text messages. The government has claimed this proposal is needed to fight “terrorism and serious crimes,” but of course, it would be available to law enforcement for all purposes.
As the Washington Post reported, many privacy advocates in the UK say, “the move would intrude so deeply into the lives of British citizens that it would rival or exceed measures used by totalitarian governments.” While there’s still no public draft of the proposal, the government insists that law enforcement will not have access to the content of communications; however, retaining allother identifying information can easily reveal vast troves of information about a user’s private life. Mathematician and security researcher George Danezis explains:
Basically you can think of blanket traffic data retention and access as having a policeman following you around 24h a day / 7 days a week, and making notes about where you have been, what you have looked at, who you are talking to, what you are doing, where you are sleeping (and with whom), everything you bought, every political and trade union meeting you went to, … – but not actually hearing any of the conversation or seeing what you wrote. Traffic data provide an X-ray of your whole life, and the policy suggests they should be available to law enforcement and the intelligence services without any judicial oversight (only political review or police oversight).
Unfortunately for the UK government, a lot of popular email and social media services, like Google and Facebook, use SSL encryption to protect their users' data, so the government may not be able to access the information through DPI. Under this proposal however, Google and Facebook would be forced to comply with every data request.
In the UK, user data—such as IP address and contact information—already has relatively weak protection. Under the Regulation of Investigatory Powers Act, law enforcement can get user data on a case-by-case basis from UK-based Internet Service Providers (ISPs) “upon request.” ISPs cannot challenge the request. But as Privacy International explains, the new proposal would also put non-UK based services like Google and Facebook under this regime, forcing them to comply with any request, regardless of its validity.
Currently, Google only provides data to governments when the request “complies with both the spirit and the letter of the law.” If not, Google says will refuse to hand over user information to the government. For example, according to Google’s Transparency Report, from January-June 2011 last year, they received 1,279 user data requests from UK authorities and refused to comply with 37%. Under this proposal, that number of refusals would drop to zero.
In addition to the massive encroachment on privacy, the new proposal has many security risks and potential for further abuse, as Privacy International has laid out in this helpful FAQ. While government advocates insist such an expansive bill is required to stop “terrorism” (a familiarrefrain), Privacy International explains:
“In a terrorism investigation, the police will already have access to all the data they could want. This is about other investigations - it is about the millions of requests made every year by local law enforcement and other authorities in the investigation of serious—and less serious—crime.”
In an ironic twist, a similar plan was shot down in 2006 by a minority coalition of Liberal Democrats and Conservative party members, some of whom now make up the ruling party that has put forth the new proposal. Thankfully, other members of Parliament are speaking up. Conservative lawmaker David Davis remarked, “It is not focusing on terrorists or criminals. It is absolutely everybody…This is an unnecessary extension of the ability of the state to snoop on ordinary innocent people in vast numbers.”
EFF stands with the diverse group of civil liberties organizations, privacy advocates, and ordinary citizens of the UK in opposing this truly Orwellian law.
New data from law enforcement agencies across the country has confirmed what EFF has long been afraid of: while police are routinely using cell phone location tracking information, only a handful of agencies are bothering to obtain search warrants.
Now new data -- obtained from a coordinated FOIA request by the ACLU -- shows just how pervasive cell phone tracking is throughout the United States. The ACLU obtained 5,500 pages of records from over 200 different law enforcement agencies. The records revealed that most law enforcement agencies are using location tracking information routinely, with only 10 out of the more than 200 claiming they had not tracked cell phones.
And even more troubling, the records demonstrate that different agencies use different standards to obtain this information, with only a few agencies obtaining search warrants in order to track. It looks like local law enforcement agencies are taking their lead from the federal government, who has been using cell location data obtained without a search warrant for years. The case of Antoine Jones is one example. If his name sounds familiar, its because in January of this year, the U.S. Supreme Court ruled in a landmark decision that the warrantless surveillance of Jones for 28 days through a GPS device violated the Fourth Amendment. Now unable to use the GPS data, the government is turning to cell location data which it also obtained without a search warrant. In another case, the government has appealed to the Fifth Circuit Court of Appeals to reverse the decision of a magistrate judge - who we supported in an amicus brief - that required the government to obtain a search warrant in order to obtain cell tracking information. A magistrate judge in Massachusetts (PDF), and a district court judge in Maryland (PDF) have recently reached the opposite conclusion, ruling that the government didn't need a search warrant to obtain cell location data.
To civil liberties organizations like us and the ACLU, the privacy implications of obtaining this data without a search warrant are obvious and troubling. But it seems that at least one law enforcement agency recognized the likely public outrage too. The New York Times reports that the Iowa City Police Department warned officers in a training manual not to "mention to the public or the media the use of cellphone technology or equipment used to locate the targeted subject,” and even to keep them out of police reports.
But the story doesn't just end with location data. Because once the police find the phone they've been tracking, its getting easier (and more frequent) for them to search the contents of the phone without a warrant, and to obtain reams of your personal data in minutes. A video demonstration posted online by Micro Systemation, a Swedish mobile forensics company that sells its devices to law enforcement agencies, demonstrated how easily police can crack a cell phone's security and suck all of the data out in seconds. Unsurprisingly, once the video went viral last week, it was pulled from YouTube.
And as we've noted before, recent court decisions have allowed the police to search an arrested person's cell phone "incident to arrest" without a warrant, or any reason to believe they will find anything incriminating on it. The Seventh Circuit Court of Appeals is the latest court to authorize this practice, issuing a decision (PDF) in February finding no Fourth Amendment violation in a warrantless search of a cell phone of an arrested person. The police have now been armed to turn any pretextual arrest - say, an Occupy Wall Street arrest for disorderly conduct - into a cell phone fishing expedition, getting access to your calendar, contacts, emails, text messages, voicemails and reading and web browsing history.
All this gloom and doom can be fixed in two ways. First, courts need to recognize that the Fourth Amendment prohibits pervasive and sustained government surveillance unless the police get a search warrant. For centuries, the government's biggest limitation was technological; it was difficult - if not impossible - to follow a person for days at a time. But with surveillance tools becoming smaller and cheaper, its easier for the government to use surveillance information from our own cars to investigate mundane, non-violent crimes. The Fourth Amendment needs to keep up with the changes in technology in order for its longstanding privacy protections to have meaning.
Second, Congress needs to step up and update our electronic privacy laws. The law that governs cell phone location data - the Electronic Communications Privacy Act ("ECPA") - is more than 25 years old, enacted in a time where cell phones were far from ubiquitous. The law has been unable to keep up with the rapid technological changes that have occurred since 1986, and the conflicting court opinions on the constitutionality of warrantless cell phone location tracking noted above is the end result. It's time for Congress to reexamine the law and bring it in line with our expectations of privacy today.
You can do your part by getting informed and checking out the ACLU's location data map to figure out whether the cops where you live use location tracking data. Regardless of whether or not you live in a state where the cops track, you can tell Congress that its time to fix our broken and ancient technology laws by signing our action alert, and taking a stand to protect our locational privacy from the prying eyes of the government.
It can't be easy to convince millions of subscribers that there's no reason to be worried when their service providers agree to collaborate with big content to tackle online infringement -- especially when those subscribers weren't given a chance to review or comment on the deal. But yesterday's announcement of the membership of the executive and advisory boards for the Center for Copyright Information, which is in charge of implementing the "graduated response" program announced last year, seemed to be an attempt to do just that. The press release stressed the free speech credentials of the executive director and the identified the various consumer advocates who have agreed to serve on the advisory board. So, all will be fine, right?
Wrong. An advisory board is just that: a group of advisors, not decisionmakers. No matter how you slice it, subscribers don't have a seat at the table now any more than they did in the earlier negotiations.
For those who haven’t been following this, here’s a brief sampling of issues subscribers might have wanted to address, if they'd been given a chance:
The alerts and other measures contemplated in the original "memorandum of understanding" released last summer are prompted by a mere allegation of infringement, based on detection mechanisms users cannot independently investigate (there is a process for independent review, but the reports won’t be public), with no way to hold content owners accountable for mistakes.
Subscribers can challenge improper notices -- but they get just 10 days to prepare their case, and can only assert certain limited defenses.
Thus far, while various reports about the system are supposed to be generated, there’s no mechanism to make those public, nor the “prevailing legal principles” the reviewers are supposed to apply.
The ISPs and the media groups announced the project last summer to much fanfare and criticism. But a funny thing happened on the way to the final rollout: Internet users joined together to tell policymakers and big media, in no uncertain terms, that we oppose backroom deals governing the Internet. That this deal applies to Internet access, among other things, makes it no less palatable; quite the contrary.
Given the importance of Internet access today, it's crazy to imagine being cut off for unproven accusations from a record label, movie studio, or book publisher. You can tell the participating ISPs today to publicly commit to not use this program to cut off users from the Internet.
And here's one more idea for the groups involved in negotiating this agreement: press reset. This collaboration has been years in the making, with the ISPs under heavy pressure from the content industries and government officials. It may be that they made the best deal they could under the circumstances, but since then the world has changed. If the ISPs decided to take this back to drawing board, we think their customers will stand with them, loudly and publicly -- but only if they also insist that their customers have voice in the process.
ACLU Public Records Requests Shed New Light on Use of Cell Phone Tracking
Over the weekend, the ACLU released an exhaustive study of state and local law enforcement’s surveillance practices in regards to how often police forces are tracking citizens’ movements through their cell phones. The findings were staggering. As the New York Timesreported, the documents prove warrantless cell phone tracking “has become a powerful and widely used surveillance tool for local police officials, with hundreds of departments, large and small, often using it aggressively with little or no court oversight, documents show.”
Thirty-five ACLU affiliates helped file over 380 public records requests, and they received over 5,500 pages of documents in response from over 200 local law enforcement agencies. Despite the invasive nature of cell tracking, “only a tiny minority”—10 agencies total—consistently obtained a warrant before tracking someone through their cellphone.
EFF has repeatedly argued that law enforcement should be required to get a warrant before tracking someone’s movements through their phone. The ACLU’s important work shows that the problem is much more widespread than previously reported and underscores the need for either Congress or the courts to definitively declare that a warrant should be required before the police can turn a device in your pocket into a surveillance tool.
FOIA Lawsuits Seek Answers on Federal Government’s Drone Programs
In a stinging blog post, New York Times editorial page editor Andrew Rosenthal accused the Obama administration of using secrecy to avoid legal accountability, declaring, “In some ways, his administration is even worse than the Bush team when it comes to abusing the privilege of secrecy.”
Rosenthal referred to two Freedom of Information Act lawsuits the ACLU filed that demanded the government release evidence and the legal authority used to justify the killings of American citizen Anwar al-Alwaki with a drone in Yemen. The Times is also suing for the release of the legal memo justifying the extrajudicial killing. In response, the government has invoked the controversial “state secrets” privilege, arguing that they can neither “confirm nor deny” the drone program’s existence, despite mountains of public evidence that the program exists.
As Rosenthal notes, former CIA director and current Defense Secretary Leon Panetta has repeatedly acknowledged the drone program in public. President Obama has also commented that “obviously a lot of these [drone] strikes have been in” Pakistan. And the administration has continually leaked information about the program to newspapers when it suits their purpose. “So this is not a secret program, but the government continues to hide behind the secrecy shield to avoid turning over the legal document justifying (or at least rationalizing) it,” Rosenthal concluded.
To underscore the absurdity of the government’s secrecy argument, the same week the ACLU was highlighting the government’s refusal to acknowledge the program, the Associated Press published information leaked by anonymous US officials discussing their ongoing negotiations with the Pakistani government to continue to conduct strikes within Pakistan.
Separately, EFF is also still waiting for results from our lawsuit against the FAA, asking that they release information on who has received authorization to fly drones in the United States and for what purpose.
Documents Expose Disturbing Aspects of FBI National Security Investigations
In a stunning revelation, Wired’s Danger Room published documents showing FBI training material instructing agents that it was okay to “bend or suspend the law and impinge on freedoms of others” in the FBI’s hunt for terrorists and criminals. The documents, according to Danger Room, also “warned agents against shaking hands with ‘Asians’ and said Arabs were prone to ‘Jekyll & Hyde temper tantrums.’”
A letter from Senator Richard Durbin to FBI Director Robert Mueller initially tipped Wired off that the documents existed, but the FBI initially refused to release it. The FBI eventually relented and released the full document, “but refused to say who prepared the document; how long it was in circulation; and how many FBI agents, analysts and officials received its instruction.”
Worse, no one at the FBI has been punished for telling its agents to break the law, and there is no plan to re-train the agents who were exposed to the materials. As Senator Dick Durbin said, “It’s stunning that these things could be said to members of our FBI in training. It will not make them more effective in their work and won’t make America safer.”
As the result of a Freedom of Information Act request, the ACLU also received separate FBI guidelines, further illuminating the FBI’s expansive approach to terrorism investigations. As the Washington Postreported, the documents showed “the bureau’s San Francisco division used its Muslim outreach efforts to collect intelligence on religious activities protected by the Constitution.”
Under the U.S. Privacy Act, the FBI is generally prohibited from maintaining records on how people practice their religion unless there is a clear law enforcement purpose. ACLU lawyers said the documents, which the organization obtained under the Freedom of Information Act, showed violations of that law.
The FBI denied to the Post that such surveillance violated any laws. But as past EFF Freedom of Information Act requests have shown, widespread violations involving the FBI’s surveillance authorities are nothing new, especially in national security investigations. These new documents are just another example of why the FBI needs greater accountability when it comes to protecting Americans’ constitutional rights.
The Electronic Frontier Foundation has signed on to a joint statement with a global coalition of organizations to demand the Pakistani Ministry of Information Technology, the Information Communication Technology Research & Development Fund, and the Prime Minister, to publicly commit to stop all efforts to mandate a national Internet filtering and blocking system.
As a global community, we actively campaigned to stop the impending firewall and to inform the government and international surveillance companies of the repercussions this will have on academia, businesses, trade, and civil society. As a result, five major international companies known to sell surveillance, filtering, and blocking systems have publicly committed not to apply for the government’s call for proposals.
In Pakistan, only approximately 20 million out of 187 million people have access to the Internet. Despite this, the Internet generates positive benefits for Pakistan through economic growth, education, entrepreneurship, and exchange of culture. The ICT R&D Fund was developed to further the use of ICTs and promote research in the field. An announcement contrary to the progress and development of ICTs from the same organization is disappointing.
While it has become common knowledge that surveillance and censorship technologies are often used in Pakistan, the extent to which this is taking place has only recently become apparent with public reports on censorship and surveillance technologies by a large number of international companies. We also understand the Pakistan government may attempt to involve an academic institution in developing the system, making the biggest victim of this technology also a contributor.
Bushra Gohar, member national assembly, recently informed us of a verbal commitment by Secretary IT, Mr Farooq Awan, that the plan for a national URL filtering and blocking system has been withdrawn. However, no public statement exists.
As members of civil society and organizations committed to ensuring the government upholds democratic principles in Pakistan, and with concerns about restrictions on privacy as well as access to information, we strongly urge the ICT R&D fund of the Ministry of IT to reconsider its decision to filter URLs in Pakistan and make a public commitment that they will not purchase the URL filtering and blocking technology. If the Pakistani government wants to further develop business, innovation, entrepreneurship, trade, and academia, it must realize the adverse effects this filtering system would have on these priorities, and hence, not go ahead with this plan.