The former NSA official held his thumb and forefinger close together. “We are, like, that far from a turnkey totalitarian state,” he says.—Wired Magazine, April 2012
Last week, in Wired Magazine, noted author James Bamford reported on an expansive $2 billion “data center” being built by the NSA in Utah that will house an almost unimaginable amount of data on its servers, along with the world’s fastest supercomputers. Part of the purpose of this new center, according to Bamford, is to store “all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital ‘pocket litter.’”
In the Wired article, Bamford interviewed former NSA official William Binney, a “crypto-mathematician largely responsible for automating the agency’s worldwide eavesdropping network.” Binney further shed light on the NSA’s warrantless wiretapping program, first exposed by the New York Times in 2005 and the subject of EFF’s long-running suit Jewel v. NSA, which challenges the constitutionality of the NSA’s program.
The NSA claims it only has access to emails and phone calls of non-U.S. citizens overseas, but Binney adds detail to the many previous reports by the New York Times, USA Today, New Yorker, and others that the program indeed targets US-based email records. In the 11 years since 9/11, Binney estimates 15 to 20 trillion “transactions” have been collected and stored by the NSA. From the Wired article:
He explains that the agency could have installed its tapping gear at the nation’s cable landing stations—the more than two dozen sites on the periphery of the US where fiber-optic cables come ashore. If it had taken that route, the NSA would have been able to limit its eavesdropping to just international communications, which at the time was all that was allowed under US law. Instead it chose to put the wiretapping rooms at key junction points throughout the country—large, windowless buildings known as switches—thus gaining access to not just international communications but also to most of the domestic traffic flowing through the US. The network of intercept stations goes far beyond the single room in an AT&T building in San Francisco exposed by a whistle-blower in 2006. “I think there’s 10 to 20 of them,” Binney says. “That’s not just San Francisco; they have them in the middle of the country and also on the East Coast.”
The Director of NSA, General Keith Alexander, testified at a House subcommittee hearing Tuesday, and Rep. Hank Johnson (D-GA) grilled him on the details of the Wired story. He appeared to deny the main points of the article, including that the NSA was intercepting emails, phone calls, Google searches, and phone records of individuals in the United States—as well as the technical capabilities of the program’s software described by Binney. But perhaps more strangely, Alexander also seemed to claim the NSA did not have the technical ability to collect Americans’ emails and Internet traffic even if it weren’t required to get a warrant:
Gen. Alexander: In the United States we’d have to go through the FBI process, a warrant to get that and serve it to somebody to actually get it.
Rep. Johnson: But you do have the capability of doing it?
Gen. Alexander: Not in the United States.
Rep. Johnson: Not without a warrant?
Gen. Alexander: We don’t have the technical insights in the United States, in other words, you have to have something to intercept or some way of doing that. Either by going to a service provider with a warrant, or you have to be collecting in that area. We’re not authorized to collect, nor do we have the equipment in the United States to actually collect that kind of information. (emphasis ours)
In our lawsuits, EFF has provided evidence that the NSA operated a monitoring center out of AT&T’s switching facility in San Francisco that has the ability to do exactly what Gen. Alexander says the NSA can’t. In light of all the evidence, it is hard to take comfort from Gen. Alexander’s apparent denial. In previous discussions of the warrantless wiretapping program, the government has used crabbed and unusual definitions of words to make misleading statements that also seem like denials but turn out to be largely word games.
In one prominent example, then Principal Deputy Director of National Intelligence Michael Hayden said in a 2006 statement: “Let me talk for a few minutes also about what this program is not. It is not a driftnet over Dearborn or Lackawanna or Freemont grabbing conversations….” Later, when confronted with evidence of a wider drift net program during his confirmation hearing, he explained “I pointedly and consciously downshifted the language I was using. When I was talking about a drift net over Lackawanna or Freemont or other cities, I switched from the word ‘communications’ to the much more specific and unarguably accurate 'conversation.'”
Notably, the NSA’s interpretation of what it means to “collect” communications seems to be quite limited. Under Department of Defense regulations, information is considered to be “collected” only after it has been “received for use by an employee of a DoD intelligence component,” and “[d]ata acquired by electronic means is ‘collected’ only when it has been processed into intelligible form[.]” So, under this definition, if the communications of millions of ordinary Americans were gathered and stored indefinitely in Utah, they would not be “collected” until the NSA “officially accepts, in some manner, such information for use within that component.”
The illegality of warrantless wiretapping, however, does not depend on when the NSA officially accepts the information or processes it into intelligible form (whatever that means). Americans' privacy and constitutional protections do not and should not hinge on word games. We are looking forward to establishing, in the Jewel v. NSA case, a simpler proposition: that the government can’t spy on anyone, much less everyone, without a warrant.
On March 20, to coincide with the Iranian holiday of Nowruz, President Obama recorded a video message in which he offered assistance to the Iranian people in communicating beyond Iran's borders. Consistent with the Department of State's "Net Freedom" initiative, Obama issued new guidelines to make it easier for American businesses to provide software and services to Iranians in order to facilitate communications using free technologies (as opposed to paid ones). The new guidelines also include a "favorable licensing policy" through which U.S. individuals and companies can request approval from the Office of Foreign Assets Control for paid products like web hosting and services like Skype Credit and Google Talk. The guidelines, which are basically clarifications, are helpful, but they could have gone much further.
Justifying the new guidelines, a White House blog post outlined some of the ways in which the Iranian government has earned its titles as an "Internet enemy" (Reporters Without Borders) and one of the "top 10 online oppressors" (Committee to Protect Journalists), including:
Monitoring and filtering online content
Limiting access to the Internet
Suspending access to the Internet
Employing a "cyber army"
Prosecuting citizens for political speech
Spying in Internet cafes
Tracking and targeting citizens using technology
Indeed, the Iranian government has earned its place amongst the world's Internet enemies. Notably, however, there is another country that employs all of the above tactics and was named to RSF and CPJ's most recent lists. Exports to that country are also limited by a department of the United States government, preventing access by ordinary citizens to the same tools President Obama claimed were vital for Iranians. The same country is also experiencing upheaval, just like Iran. That country is Syria.
While EFF commends the new guidelines as far as they go, we can't help but wonder why Syrians aren't provided the same consideration. Back in September, we called on the Obama administration to clarify the export controls inhibiting Iranians, Syrians, and others from accessing important communications tools. We specifically highlighted the restrictions on Syria under the Department of Commerce, noting that Syrians are often prevented from using individual hosting services as well as free tools like Google Earth (which proved important for Tunisian activists seeking to map their country's torture chambers).
Although a process exists through which U.S. companies can apply for licenses to export to Syria, Syrians tell us that certain important communications tools remain inaccessible. As we've previously noted, applying for a license is a fairly simple process that takes approximately 90 days. Companies may also request “interpretative guidance” as to whether or not they require a license from BIS, which takes only 30 days. EFF is happy to assist any companies that are interested in doing so (contact Legal Director Cindy Cohn at Cindy@EFF.org).
Nevertheless, a process that takes up to 120 days is too long when upwards of 50 Syrians are being killed by their government every day. We therefore call on the Obama administration to give Syrians the same consideration it gave Iranians, and urge the Department of Commerce to offer a "favorable" and quick licensing procedure for American companies wishing to export communications tools to Syria.
And once that's done, it's time to get serious about getting the U.S. government out of the way of the Americans and American companies who want to help the movements for freedom around the world. As we said last fall, "it’s time for the U.S. to stop this piecemeal approach and affirmatively allow unlicensed distribution of communications tools and services to people in all countries of the world."
UPDATE: As expected, the Supreme Court sent Myriad, the breast cancer gene case, back to the Federal Circuit for rehearing in light of its ruling in Mayo. Hopefully the Federal Circuit will accept the high court's invitation to hold that DNA is not patentable.
We're happy to report that the patent system is getting a much-needed jolt of sanity, in the form of a clear Supreme Court ruling affirming a basic, but sometimes forgotten, principle: laws of nature, and obvious methods of working with them, are not patentable.
Earlier this month, we bemoaned the Federal Circuit’s propensity to further confuse the standard for unpatentable subject matter in the wake of In re Bilski. Specifically, we wrote that a recent ruling in Ultramercial v. Hulu “could impermissibly (and dangerously) expand the scope of patentable subject matter.”
So, we were pleasantly surprised yesterday by the Supreme Court’s ruling in Mayo v. Prometheus, where it unanimously struck down a patent covering a medical diagnostic test. You may remember that three categories of "inventions" are not patentable: laws of nature, natural phenomena, and abstract ideas. In this case, Prometheus' patent covered a method of giving a drug to a patient, testing the metabolite levels in the patient, and tweaking the dosage accordingly. Correctly, the Supreme Court held the patent invalid because it took laws of nature and merely included “well-understood, routine, conventional activity previously engaged in by researchers in [the] field.”
Hopefully, the Federal Circuit will heed the message that, as the Supreme Court put it, “simply appending conventional steps, specified at a high level of generality, to laws of nature, natural phenomena, and abstract ideas cannot make those laws, phenomena, and ideas patentable.” This is particularly important because, as we’ve said before, merely tying an idea that is otherwise abstract – in the case of Ultramercial, for example, displaying an ad before a viewer can access content – to the Internet, without more, is not enough to make the idea patentable.
As more and more of our everyday lives go online, using the Internet as a medium should not be enough to support a patent monopoly on an otherwise abstract idea.
Throughout its opinion, the Supreme Court reiterated its “concern that patent law not inhibit further discovery by improperly tying up the future uses of the laws of nature.” We couldn’t agree more. In light of Mayo, it seems likely the Supreme Court will send some high-profile cases – like Ultramercial and Myriad (the breast cancer gene case) – back to the Federal Circuit for reconsideration. If so, the Federal Circuit should reverse its rulings that allowed dangerous patents representing nothing more than abstract ideas and laws of nature to exist, since these are the very types of patents that ensure the patent system fails to do its core job: protect innovation in America.
Over the last few years, we've been battling laws that require a person arrested to give a DNA sample as part of the routine booking process. The law makes this DNA collection automatic and mandatory; law enforcement does not need a reason to collect the DNA and can do so without a search warrant. Given the incredibly sensitive information that DNA can reveal about a person - details like a person's medical history, predisposition to disease and even sexual orientation - government access to this information must be strictly limited. But a recent decision (PDF) by the Ninth Circuit Court of Appeals found no constitutional problems with the government's ability to collect DNA from recent arrestees without a search warrant.
The case, Haskell v. Harris, is a lawsuit brought by the ACLU of Northern California, challenging Proposition 69, a California initiative that requires the warrantless collection of DNA from any person arrested for a felony. The four plaintiffs in Haskell were all arrested for a variety of crimes, but ultimately none were convicted of anything. Nonetheless, at the time of their bookings, each person was required to provide a DNA sample to the police who, as required by California law, placed the DNA sample into CODIS, a DNA database maintained by the federal government.
Every state participates in CODIS, which allows law enforcement to search DNA through the database. Almost all of the DNA in CODIS comes from the criminal justice system, with the federal government and 47 states collecting DNA from convicted felons, and 22 states and the federal government collecting DNA from individuals merely arrested for a crime. Once a DNA sample is collected, state and federal law enforcement can search CODIS for matches to other individuals or crime scenes already contained in CODIS. As of January 2012, CODIS had over 10 million DNA profiles in its system, with over 17% of those samples coming from the state of California.
The ACLU brought suit, challenging the warrantless collection and search of DNA from mere arrestees as violating the Fourth Amendment's prohibition against unreasonable searches and seizures. A three-judge panel of the Ninth Circuit Court of Appeals in San Francisco rejected the challenge, finding the warrantless search reasonable under the Fourth Amendment. The ACLU asked the entire Ninth Circuit to rehear the case, and we're supporting their cause with an amicus brief (PDF) of our own.
As we explain in our brief, a blanket, suspicionless collection of DNA for the sole purpose of law enforcement investigation cannot survive Fourth Amendment scrutiny. As DNA collection becomes cheaper, it also becomes more widespread. The collection of DNA from individuals in the criminal justice system exemplifies this risk. When the federal DNA Act that Prop 69 is modeled after was first enacted, it required DNA collection from individuals convicted of violent crimes. It was then expanded to include individuals convicted of any felony, violent or not, and now requires DNA collection from any individual merely arrested (not convicted) of a crime. California law has followed the same expansive course. And because a person who is not yet convicted of a crime is presumed innocent until proven guilty, Prop 69 essentially collects DNA from innocent people. The only way to avoid this slippery slope towards a future where everyone's DNA is collected by the government is by having courts insist on Fourth Amendment protection for DNA, and authorizing its collection only with a search warrant. As Chief Judge Kozinski of the Ninth Circuit has previously written (PDF) regarding warrantless DNA collection, “the time to put the cork back in the brass bottle is now—before the genie escapes.”
Last week, EFF joined eight international press and digital freedom organizations in sending a letter to the Vietnamese government to call on them to release five youth activists currently held in detention in Hanoi without access to legal counsel. The activists are all active bloggers and contribute to prominent citizen journalist sites.
Concerned individuals and organizations should send their own letters to Prime Minister Nguyen Tan Dung to support our opposition to the Vietnamese government's continuing crackdown on free expression. Addresses are provided below.
12 March 2012
Nguyen Tan Dung
Socialist Republic of Vietnam
Office of the State
1 Bach Thao
Re: Request for the immediate release of Dang Xuan Dieu, Ho Duc Hoa, Nguyen Van Duyet, Nong Hung Anh and Paulus Le Van Son, and the dismissal of all charges
Dear Prime Minister Nguyen Tan Dung,
We write to express our deep concern over the unfounded arrest and detention of bloggers and human rights defenders Dang Xuan Dieu, Ho Duc Hoa, Nguyen Van Duyet, Nong Hung Anh and Paulus Le Van Son. We call on the Government of Vietnam for their immediate release.
The five are among a group of youth activists belonging to the Congregation of the Most Holy Redeemer that have been arrested in one of the largest crackdowns in recent years. Mr. Dieu and Mr. Hoa were arrested in the late days of July 2011 and Mr. Duyet, Mr. Anh and Mr. Son were arrested in the beginning of August 2011. Since then, they have been held in detention in Hanoi. None of the five arrested has had access to legal counsel. During their detention, only Mr. Duyet, Mr. Hoa and Mr. Anh have once been allowed a brief visit from their family. Mr. Dieu and Mr. Son have not been allowed any visitors at all; they have been held incommunicado since their arrest.
No details of the reasons for their arrest have been given, other than that the five are suspected of "carrying out activities aimed at overthrowing the people's administration" under Article 79 of Vietnam's Penal Code.
There are no grounds for such charges against any of the five. Mr. Dieu is an engineer and community organizer. Mr. Hoa is also a community organizer, Mr. Duyet is the President of the Association of Catholic Workers of Vinh, and Mr. Anh is a student at Hanoi University. Mr. Son is a blogger. All are active contributors to prominent citizen journalist sites, including Vietnam Redemptorist News (VRNs). Their blogging and social activities are grounded in the promotion of human rights. Their detention on the basis of an alleged violation of Article 79 is therefore unjustified and unfounded.
We would like to remind the Government of Vietnam that as an ASEAN Member State, it is obliged to respect the principle contained in Article 2 sub 2(i) of the ASEAN Charter, which requires "respect for fundamental freedoms, the promotion and protection of human rights, and the promotion of social justice." We do not believe that the ongoing detention of these five men can be justified in light of this obligation.
We would furthermore remind the Government of Vietnam that as a State Party to the International Covenant on Civil and Political Rights, it is legally bound to respect the right to freedom of expression; the right to liberty and security of the person; and the right to be free from torture and inhuman or degrading treatment.
Arbitrary deprivation of liberty violates Article 9 of the International Covenant on Civil and Political Rights. The UN Working Group on Arbitrary Detention has found that the prolonged or indefinite nature of detention contributes to its arbitrary nature. Mr. Dieu, Mr. Hoa, Mr. Duyet, Mr. Anh and Mr. Son have been in detention for over 6 months now, without any indication as to when their detention might come to an end.
This type of detention, for no apparent reason, without any set limits of its duration, and with severe restrictions on any form of communication with the outside world also amounts to a violation of Article 7 of the International Covenant on Civil and Political Rights, which proscribes torture and cruel, inhuman and degrading treatment; as well as Article 10 of the International Covenant on Civil and Political Rights, which provides for humane treatment during detention. This applies all the more so to the case of Mr. Dieu and Mr. Son, who are being held incommunicado.
Finally, refusing access to legal counsel violates Article 14(3) of the International Convention on Civil and Political Rights.
We call on the Vietnamese Government to dismiss any charges against Mr. Dieu, Mr. Hoa, Mr. Duyet, Mr. Anh and Mr. Son, to immediately release them from custody, and to allow them immediate access to a legal counsel of their choice.
Christine Laroque, Asia Programs Manager, ACAT France
Brett Solomon, Executive Director, Access Now
Agnès Callamard, Executive Director, Article 19
Jillian York, Director for International Freedom of Expression, Electronic Frontier Foundation
Mary Lawlor, Director, Front Line Defenders
Rohan Jayasekera, Deputy CEO, Index on Censorship
H.R. Dipendra, Executive Director, Media Defence - Southeast Asia
Peter Noorlander, Executive Director, Media Legal Defence Initiative
Gayathry Venkiteswaran, Executive Director, Southeast Asian Press Alliance (SEAPA)
CC: ASEAN Chair, the Kingdom of Cambodia
Attn.: H.E. Samdech Hun Sen
Australian Embassy, Hanoi
Attn.: HE Mr. Allaster Cox
British Embassy, Hanoi
Attn.: Dr Antony Stokes
Embassy of Canada, Hanoi
Attn.: Her Excellency Deborah Chatsis
Embassy of France, Hanoi
Attn.: H.E Jean-François Girault
Royal Norwegian Embassy, Hanoi
Attn.: H.E. Ståle Torstein Risa
Embassy of Switzerland, Hanoi
Attn.: H.E Andrej Motyl
Embassy of the United States, Hanoi
Attn.: Ambassador David Shear
General Secretariat of the Council of the European Union
Attn.: High Representative of the European Union for Foreign Affairs and Security Policy Catherine Ashton
There is a spate of proposed cybersecurity legislation working its way through the House and Senate. The bills are aimed primarily at facilitating cooperation regarding so-called “cybersecurity” issues among different branches of government as well as between government and the private sector. The bills range from being downright terrible to appropriately intentioned, yet they all suffer from the fundamental inability to clearly define the threats which are being defended against and the countermeasures that can be taken against those threats. Without good definitions and an emphasis on transparency, we cannot be certain that government entities and corporations will refrain from abusing their power, interpreting the definitions in the statute expansively, and infringing on civil liberties. Below we provide some pitfalls of broad definitions, with a separate legal analysis forthcoming.
Defining threats too broadly
How do the bills define cybersecurity threat? Each bill has its own nomenclature, but the core concepts are quite similar. In Senator Joseph Lieberman's Cybersecurity Act of 2012 (S. 2105), for example, a "cybersecurity threat" is what is being guarded against, and a "cybersecurity threat indicator" is the activity of a possible cybersecurity threat that allows private or government entities to monitor and operate countermeasures. For technical readers, a cybersecurity threat could be stealing passwords from a secure government server, and the corresponding threat indicator could be a port scan to search for vulnerabilities. Senator John McCain's SECURE IT Act (S. 2151) does not use the term "cybersecurity threat indicator" but uses virtually identical language to define "cyber threat information." In all cases, the language of what constitutes the notion of a "threat" and "threat indicator" is just too vague.
For example, one current provision of the Lieberman bill states:
The term “cybersecurity threat” means any action that may result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system. [text]
Moreover, a cybersecurity threat indicator is defined in the text as a huge disjunction of vaguely worded scenarios that include, for example: “a method of defeating a technical [or operational] control.” Such a broad definition implicates far more than what security experts would reasonably consider to be cybersecurity threat indicators: things like port scans, DDoS traffic, and the like. Indeed, merely using a proxy or anonymization service to let you browse the web privately could be construed to be a cybersecurity threat indicator. Using cryptography to protect one's communications or to access systems securely could similarly be taken as a way to defeat an operational control. Measuring the performance of one's Internet service provider, or analyzing whether packets are being modified maliciously, could all be seen as cybersecurity threats under this definition. Finally, it is conceivable that violating intellectual property rights could be construed as a threat, in which case threat indicators could be as innocuous as the use of the BitTorrent protocol.
This definition of threat indicators is troubling because § 701 of the Lieberman bill and § 102(a)(1) of the McCain bill would each authorize private sector entities to surveil any traffic that transits their own networks for cybersecurity threats or cyber threat information, without being bound by the Wiretap Act or other legal limits. Effectively, the broad definitions of threats could immunize a whole host of monitoring activities by a huge swath of different government and non-government actors.
Defining countermeasures too broadly
In addition to defining threats, these bills also authorize private entities to operate “countermeasures.” Once again, the language varies from bill to bill, but for the most part, the strongest restriction on the countermeasures is that there be a “defensive intent” (language that appears in both the Lieberman and McCain bills). The Lieberman bill mentions "modify[ing] or block[ing] data packets," while the McCain bill is more vague. But without more restrictions on what sorts of countermeasures are allowed, the door is open to a host of abuses.
Let's consider one example scenario, where we examine a particular threat and the myriad possible mitigation techniques that an intermediary might employ. One straightforward cybersecurity threat is DDoS, in which many different IP addresses are used to send an incredible amount of traffic towards a target, knocking it offline and making the targeted service unavailable to legitimate users. No doubt this is a hazard that can be hugely detrimental to the service in question, and it is quite legitimate for a bill about cybersecurity to aim to defend against this threat. But how exactly do we defend against it? In this case, the devil is very much in the details.
One way to defend against DDoS attacks would be for the entity under attack to disclose a list of traffic sources to its ISP and ask the ISP to temporarily filter out traffic from these sources, effectively blocking them from accessing the resource during the blackout period, say, of a few hours. This seems like a pretty reasonable thing to do. But suppose instead of waiting for the DDoS victim to disclose the traffic sources, the ISP uses its own traffic inspection tools to detect the DDoS and stop it preemptively. Well that's nice, but are ISPs now inspecting everyone's traffic? Are they looking at content of data packets, or just the destination and volume of traffic? More ISP involvement in traffic analysis is an alarming trend that would raise many civil liberties concerns.
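To make the contrast concrete, here is the narrow version of the countermeasure just described: the attacked party hands its ISP a list of traffic sources, and the ISP drops traffic from those sources to that victim only, for a bounded window, after which the rule disappears on its own. This is an added illustration, not code from the EFF post or from any ISP; the addresses, the two-hour window and the flow records are constructed for the example (documentation IP ranges are used), and the filter deliberately consults nothing but the source address, destination address and arrival time, never packet contents.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """The only fields the filter consults: addresses and arrival time (seconds)."""
    src: str
    dst: str
    ts: float


@dataclass
class BlockEntry:
    sources: list          # networks reported by the victim (constructed list below)
    victim: object         # the ip_network being protected
    expires_at: float      # absolute time after which the rule is ignored


@dataclass
class SourceFilter:
    """Header-only filter an ISP could run at the victim's request (hypothetical)."""
    entries: list = field(default_factory=list)

    def add_block(self, victim_prefix, sources, now, duration_s):
        """Register a victim-supplied source list that expires after duration_s."""
        entry = BlockEntry(
            sources=[ipaddress.ip_network(s, strict=False) for s in sources],
            victim=ipaddress.ip_network(victim_prefix, strict=False),
            expires_at=now + duration_s,
        )
        self.entries.append(entry)
        return entry

    def expire(self, now):
        """Forget rules whose window has closed; the block is temporary by construction."""
        self.entries = [e for e in self.entries if e.expires_at > now]

    def decide(self, flow):
        """'drop' only when the flow is to the victim AND from a reported source."""
        self.expire(flow.ts)
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
        for e in self.entries:
            if dst in e.victim and any(src in net for net in e.sources):
                return "drop"
        return "forward"


def run_scenario():
    """Constructed scenario: a two-hour block requested at t=0 for one victim host."""
    f = SourceFilter()
    f.add_block("203.0.113.10", ["198.51.100.0/24", "192.0.2.7"],
                now=0, duration_s=2 * 3600)
    flows = [
        Flow("198.51.100.23", "203.0.113.10", 10),    # listed source -> victim: drop
        Flow("192.0.2.7", "203.0.113.10", 20),        # listed host -> victim: drop
        Flow("198.51.100.23", "203.0.113.99", 30),    # listed source -> other host: forward
        Flow("10.0.0.5", "203.0.113.10", 40),         # unlisted source -> victim: forward
        Flow("198.51.100.23", "203.0.113.10", 7300),  # after the window: forward again
    ]
    decisions = [f.decide(fl) for fl in flows]
    return decisions, len(f.entries)


if __name__ == "__main__":
    decisions, remaining = run_scenario()
    for d in decisions:
        print(d)
    print("active rules after window:", remaining)
```

The point of the scoping is visible in the third and fifth flows: a listed source is still free to reach any host other than the victim, and once the window closes the same source is forwarded to the victim again with no further action by anyone. A countermeasure that instead inspected payloads, applied to all destinations, or had no expiry would be a different and far broader thing, which is exactly the distinction the bills' "defensive intent" language fails to draw.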
Our hypothetical DDoS-mitigating ISP could go even further. Tor is an extremely valuable privacy-enhancing technology that routes one's web traffic through a rigorous anonymization service. Our ISP could find that it is too hard in general to distinguish the legitimate Tor traffic from the illegitimate, and so either on purpose or by accident start blocking Tor traffic entirely under the guise of operating cybersecurity countermeasures.
And why stop with one pesky privacy-enhancing technology? Our ISP could block all traffic on certain ports, or filter at the DNS level or based on the content of packets. Cryptographic protocols could be crippled, all in the name of defensively “operating countermeasures” against the alleged threat of DDoS. Finally, our ISP could decide that your computer is part of a botnet, and so trick you into downloading software that gives the ISP or other agencies access to your computer so that it can root out the botnet. After all, the best defense in many cases is a strong offense. Furthermore, beyond the DDoS example, operating countermeasures could be taken to include intellectual property enforcement, for example by filtering at the DNS level.
The above scenarios are speculative, and we have no idea what countermeasures actually will be employed. The important point is that beyond the phrase “defensive intent,” the bills give no guidance at all as to which of the countermeasures outlined above are reasonable. The real decisions will be made behind closed doors with no input from stakeholders outside of the intelligence community and the private sector, and with no transparency about what is actually being done.
Towards a better bill
In order to write a cybersecurity bill that appropriately safeguards civil liberties, specificity is of the utmost importance. The bill's authors have chosen to avoid using specific language (e.g. port scan, DDoS, intrusion detection system), presumably because they want the bill to stay relevant even as technology changes. While this is a laudable goal, it is unrealistic given how rapidly the technological landscape changes. A better approach is to use concrete language, and to be crystal clear about what information is being shared and how. The particulars should NOT be left to be decided via an opaque process, but rather debated openly and transparently right now. Being specific has the ostensible disadvantage that it makes the bill less relevant in the future as technology changes. We actually think this is an advantage, since it effectively limits the lifetime of the bill, and forces new legislation and a fresh look once the technology changes and we are facing a potentially very different set of issues.
We've so far discussed the pitfalls of vagueness without getting into what we think the right answers are. While it is beyond the scope of this post to, say, propose an entire draft of a better cybersecurity bill, there are some guidelines we can give from the technical point of view when deciding upon the specifics.
Keep the Internet working and reliable. Giving ISPs and other entities the ability to operate countermeasures poses a serious threat to the reliability of Internet communications. Limiting countermeasures to "defensive intent" is not enough of a safeguard to ensure the reliability and availability of systems that we rely upon.
Cybersecurity for the 99%. The intelligence community within the government benefits from keeping attacks secret so that they can be deployed against our enemies, and very likely stockpiles zero-day exploits for this offensive purpose. There is then pressure to selectively harden sensitive targets while keeping the attack secret from everyone else and leaving popular software vulnerable. This is "security for the 1%," and it makes the rest of us less safe. A good cybersecurity bill serious about defending against security threats would address this issue directly and insist that any threats that are found are fixed for everyone, and explicitly disallow any clandestine operations that do not disclose vulnerabilities.
Privacy-enhancing technologies are not threats. Tools such as Tor are used every day by activists around the world in sensitive situations. These should be explicitly protected in a good cybersecurity bill.
As written, these bills could provide immunity to ISPs and other private and government actors for all of the egregious behavior outlined above involving the monitoring, blocking, and modification of data packets. Until a better bill emerges, we urge you to take action to oppose these bills in their current form.
Last week, the San Francisco Board of Supervisors voted to pass the Safe San Francisco Civil Rights Ordinance, legislation that ensures that the San Francisco Police Department's counterterrorism activities are controlled by San Franciscans, rather than by the FBI. The ordinance requires San Francisco police officers working with the FBI's Joint Terrorism Task Force to obey San Francisco's civil rights laws, follow San Francisco's anti-spying policies, and subjects them to civilian oversight by San Franciscans.
San Francisco has enacted especially robust protections for First Amendment activity to make sure that you can be yourself in public without worrying that the police are covertly tracking you. These protections include Department General Order 8.10, first adopted by the Police Commission in 1990, which requires that intelligence-gathering involving any First Amendment activity be based on reasonable suspicion of significant criminal activity. Additionally, the California Constitution requires an articulable criminal predicate for all intelligence-gathering activity.
Without local control, weaker federal standards apply. As things stand currently, there is no effective way to prevent SFPD inspectors assigned to the Joint Terrorism Task Force from joining FBI agents in collecting intelligence on San Franciscans without any particular factual predication, and without reasonable suspicion of wrongdoing. The Safe San Francisco Civil Rights Ordinance will hold the SFPD to the strong protections for privacy and free speech that have been backed by generations of the city's mayors, commissioners, police chiefs and community activists.
Now there is concern that Mayor Ed Lee will veto the ordinance unless the Board of Supervisors passes it with eight votes, a veto-proof margin, when it goes up for a final vote. Two district supervisors, Scott Wiener and Malia Cohen, have not yet announced their positions. The ACLU of Northern California has drafted a letter which San Franciscans can send to their Supervisors, asking them to stand up for free speech and privacy and support the Safe San Francisco Civil Rights Ordinance. San Franciscans can also contact Mayor Ed Lee directly at (415) 554-6141 or email email@example.com.
Last Friday marked the end of Sunshine Week, a national initiative to promote dialogue about the importance of open government and freedom of information. It’s the third year for the Obama administration, which has been taken to task for reversing early promises on transparency. Have they improved? Here’s our review:
Ahead of Sunshine Week, the Obama administration debuted a welcome addition to government transparency: the newly-redesigned ethics.gov, which, as Politico reported, “puts various public records databases in a centralized location, including White House Visitor Records, lobbyist disclosure records, and campaign finance reports. Most of these databases were previously available online, but users can now search across all available datasets simultaneously.”
Attorney General Eric Holder also gave a speech touting that the Justice Department has “made meaningful, measurable progress in improving the way our Department—and its partners and counterparts—respond to disclosure requests.” He claimed the DOJ released documents in either full or in part 94.5% of the time and reduced its backlog by 26%. He also said the Justice Department will begin posting monthly lists of Freedom of Information Act requests and will publicly identify the subject matter of the requests.
Unfortunately, the same numbers that Eric Holder touted in his press conference were soon called into doubt by FOIA experts. The National Security Archive stated that only about 60% of FOIA requests are fulfilled for all intents and purposes (compared to 94.5%). And former Justice Department FOIA official Daniel Metcalfe told The Atlantic Wire Holder’s numbers were “grossly wrong.”
Commendably, at a Senate Judiciary Committee hearing on Sunshine Week, Senators from both parties quizzed a Justice Department representative on the numbers, along with the agency’s notoriously bad relationship with FOIA. Senator Patrick Leahy also grilled other agency representatives, prodding the Office of Management and Budget to submit its required reports on FOIA recommendations. Leahy even went as far as accusing the OMB of not following the law. “The law’s pretty clear about us getting the reports. We haven’t gotten the report. Who’s at fault? … My question is: who’s not following the law?” Leahy demanded.
Senator Chuck Grassley later stated: “Agencies under the control of President Obama’s political appointees have been more aggressive than ever in withholding information from the public and from Congress. There’s a complete disconnect between the President’s grand pronouncements about transparency and the actions of his political appointees.”
Separately, as the Sunshine Foundation noted, the House Oversight and Government Reform Committee also made its thoughts known about the administration’s approach to government secrecy, concluding “that many federal agencies have failed to track basic information in response to FOIA Requests. The Departments of Homeland Security, Defense, and Justice were among the least compliant.”
Unfortunately, in the midst of its Sunshine Week push to defend its transparency record, the administration also went to Congress to urge it to pass the new “cybersecurity” bill. EFF has detailed its extensive privacy problems, but according to the Washington Post, it would also “keep secret a whole new category of information even under the Freedom of Information Act.” In the process, the administration criticized a recent Supreme Court ruling that narrowly interpreted one of FOIA’s many exemptions the government frequently relies on to keep documents secret, a decision hailed by EFF and other open government groups.
Its attitude toward secrecy was also on display in the courts, where the Justice Department released its first batch of documents in EFF’s suit over its secret interpretation of the Patriot Act. While, thankfully, the Justice Department finally admitted the interpretation actually exists, the documents it gave EFF told us virtually nothing about the way section 215 is secretly being used. Separately, Senators Ron Wyden and Mark Udall implored the government to release the secret court rulings on which the interpretation is based, saying, “We believe most Americans would be stunned to learn the details of how these secret court opinions have interpreted section 215 of the Patriot Act.” The Justice Department has, of course, refused.
Meanwhile, the ACLU filed a brief in its lawsuit against the CIA demanding information on the CIA’s “secret” drone program, which has been used to carry out targeted killings around the world. Despite both Secretary of Defense and former CIA chief Leon Panetta and President Obama acknowledging that the program exists (the program is regularly the subject of front page stories in the nation’s newspapers, after all), as the ACLU noted, the “CIA takes the position in this lawsuit that it can neither confirm nor deny whether it has a drone strike program at all.”
And finally, remember those White House visitor records the Obama administration has mentioned as part of its “good” transparency initiatives? While the administration is willing to make that information available on a voluntary basis, it insists that it is not required to do so. In fact, the Justice Department filed an appellate brief earlier this month arguing that White House visitor logs are not covered by the FOIA and that the White House is not legally obligated to make them available to the public.