Rep. Rogers is adamant that the Cyber Intelligence Sharing and Protection Act (CISPA) is an information “sharing” bill. But despite the bill’s title and Rep. Rogers' assurances, the bill is also a surveillance bill. Its broad definitions allow private companies to monitor network traffic and stored data—including private email—and transfer such private data to the government or others with virtually no oversight or legal accountability. This lack of oversight and accountability stems from the sweeping immunities provided to companies, which bypass long-standing privacy law.
Japanese agricultural and industrial organizations have paid for a wrap ad in the Washington Post today publicizing their opposition to the Trans-Pacific Partnership (TPP) ahead of a summit meeting on April 30th between Japanese Prime Minister Yoshihiko Noda and President Barack Obama. The coalition has put out the ad in the U.S. paper in order to raise awareness and rally Americans against this trade agreement.
The ad makes it clear that there is growing internal Japanese opposition to this agreement around its chapters regarding agricultural tariffs. EFF specifically opposes the intellectual property chapter of the TPP, which would rewrite global rules on IP enforcement in a way that dangerously excludes any civil society or public input into the agreement. It is encouraging to see growing vocal resistance against such an overreaching secretive international agreement.
The campaign of attacks targeting Syrian opposition activists on the Internet continues to intensify. Since the beginning of the year, Syrian opposition activists have been targeted using several Trojans, which covertly install spying software onto the infected computer, as well as phishing attacks which steal YouTube and Facebook login credentials.
Since April 9th, EFF has seen at least five new phishing attacks, the aim of which is to steal Facebook logins and passwords; some attacks also involve a component that covertly installs surveillance malware onto the targeted computer. One of these attacks was seeded through links in comments left on the Facebook pages of prominent members of the Syrian opposition, including Burhan Ghalioun, Chairman of the Syrian Opposition Transitional Council. Ghalioun has been the target of numerous hacking attempts. Last week, members of the Syrian Electronic Army leaked emails purporting to demonstrate collaboration between Ghalioun and officials in the United States and Saudi Arabia. Ghalioun's email account was reportedly targeted in retaliation for the Syrian opposition's leak of emails allegedly belonging to Syrian president Bashar Assad and his wife.
The link left in the comments section of Ghalioun's Facebook page led to a site, displayed in the screenshot below.
The site appears to offer a Facebook security application. Downloading the application provides you with a file called FacebookWebBrowser.exe, shown in the screenshot below. FacebookWebBrowser.exe is a malicious application which logs keystrokes and steals login credentials for email accounts, YouTube, Facebook, Skype, and others. At this time, FacebookWebBrowser.exe is recognized as malicious by six anti-virus vendors. The malicious application can be seen in the screenshot below.
The fake Facebook security application is hosted on a compromised domain: http://www.ckku.com. The index page appears to host a legitimate jewelry-vending website, but the domain has been hosting malicious content since March 18, 2012, as can be seen in the index of includes shown in the screenshot below.
Review of the compromised website reveals evidence of another malicious application disguised as a Document file (Document.doc .exe) and of additional Facebook phishing campaigns, including the phishing site shown in the screenshots below.
Phishing page from March 18th, 2012.
Phishing page from April 20th, 2012.
EFF has also reported on phishing attacks hosted by Cixx6, a free hosting website. Since that time, three additional Facebook phishing attempts targeted at Syrian activists, all using slightly different URLs, have been found hosted at this domain. The pages can be seen in the three screenshots below. These links are usually accompanied by descriptions in Arabic alleging the mistreatment of women by Syrian government forces during the ongoing uprising.
Phishing page from April 9th, 2012.
Phishing page from April 11th, 2012.
Phishing page from April 16th, 2012.
This attack steals usernames and passwords and could potentially give an attacker access to all of the private information in your Facebook account. Syrian Facebook users should also be cautious about clicking on links sent over Facebook by their friends, whose accounts may have been compromised.
Facebook users should be especially cautious about clicking on links in the comment sections of pro-Syrian-revolution forums, especially if they are accompanied by this text. Facebook users should beware of fake pages that resemble the Facebook login page. Always check the URL bar at the top of your browser to make sure it reads https://www.facebook.com. When in doubt, type https://www.facebook.com manually to get to Facebook.
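The URL-bar check above can be made mechanical. The following is an added example, not code from the original post: a small Python checker that treats a link as genuine only when it is https and its host is facebook.com or a subdomain of it, and otherwise reports why it fails, covering look-alike hosts, a "facebook" prefix hidden in the userinfo part, and paths that merely contain the word "facebook". The sample links, including the free-hosting.example and jewelry-shop.example domains, are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# The only host the advice accepts: the real login page is served under facebook.com.
LEGITIMATE_DOMAIN = "facebook.com"


def _host_and_user(url):
    """Parse a URL and return (hostname, username), both lowercased, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 bracket notation
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return None
    return parts, host, (parts.username or "").lower()


def is_real_facebook(url):
    """True only for an https URL whose host is facebook.com or a subdomain of it."""
    parsed = _host_and_user(url)
    if parsed is None:
        return False
    parts, host, _ = parsed
    under_fb = host == LEGITIMATE_DOMAIN or host.endswith("." + LEGITIMATE_DOMAIN)
    return under_fb and parts.scheme.lower() == "https"


def classify(url):
    """Explain why a link does or does not pass the URL-bar check.

    Returns one of:
      "genuine"          https and host under facebook.com
      "not-https"        right host, but plain http (page could be tampered with)
      "lookalike-host"   'facebook' appears in the host or userinfo, but the real
                         host is not under facebook.com
      "facebook-in-path" unrelated host; 'facebook' appears only after the host
      "other"            unrelated host with nothing Facebook-like about it
      "invalid"          could not be parsed as a URL with a host
    """
    parsed = _host_and_user(url)
    if parsed is None:
        return "invalid"
    parts, host, user = parsed
    if host == LEGITIMATE_DOMAIN or host.endswith("." + LEGITIMATE_DOMAIN):
        return "genuine" if parts.scheme.lower() == "https" else "not-https"
    # urlsplit puts anything before '@' into username, so a link such as
    # https://www.facebook.com@evil.example/ lands here, not in the genuine branch.
    if "facebook" in host or "facebook" in user:
        return "lookalike-host"
    tail = (parts.path + "?" + parts.query + "#" + parts.fragment).lower()
    if "facebook" in tail:
        return "facebook-in-path"
    return "other"


def suspicious_links(urls):
    """Return (url, verdict) for every link that is not the genuine Facebook site."""
    return [(u, classify(u)) for u in urls if classify(u) != "genuine"]


# Constructed sample links modelled on the patterns described in the post.
SAMPLE_LINKS = [
    "https://www.facebook.com/",
    "https://m.facebook.com/login.php",
    "http://www.facebook.com/",
    "https://www.facebook.com.free-hosting.example/login",
    "https://www.facebook.com@free-hosting.example/login",
    "https://free-hosting.example/facebook/login.php",
    "https://jewelry-shop.example/includes/FacebookWebBrowser.exe",
    "https://news.example/story",
]

if __name__ == "__main__":
    for link, verdict in suspicious_links(SAMPLE_LINKS):
        print(f"{verdict:17} {link}")
```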
EFF is deeply concerned to see targeted attacks on Syrian Internet activists continue. We are especially alarmed to see evidence of the targeting of high-profile figures in the Syrian opposition and indications that extended phishing campaigns are being carried out by multiple groups.
Just a few months ago in United States v. Cassidy, a court smacked down a prosecutor's attempt to use the federal anti-stalking law to punish a man for criticizing a religious leader on Twitter. The court ruled that the criminal charges brought against the critic ran afoul of his constitutional right to free speech. Because the law violated the First Amendment as applied to that specific Twitter user, though, the court chose not to go a step further and decide whether the statute is unconstitutional as written, which EFF had argued in a "friend of the court" brief.
Now the Senate is thinking about passing legislation to update that problematic law. Instead of fixing the statute's shortcomings, however, the bill would guarantee that it's blatantly unconstitutional on its face.
As originally written, the anti-stalking law made it a crime to intentionally put another person in reasonable fear of death or serious injury. But the law was expanded in 2006 through the Violence Against Women Act to criminalize causing "substantial emotional distress" to another person using an "interactive computer service" such as the Internet. The law doesn't even require that the offending speech be directed at a particular person — a tweet, Facebook status update, or blog post that distresses someone else could be enough to send the speaker to prison. As the Cassidy decision makes clear (and as EFF had argued), this language is so vague and overbroad that it could sweep up a great deal of legitimate online criticism squarely protected by the Constitution.
First, section 107 of the bill would broaden the anti-stalking law to criminalize conduct that "attempts to cause, or would be reasonably expected to cause" substantial emotional distress to another person. That's a significant expansion that only amplifies the statute's free speech problems.
To make matters worse, section 1003 would amend federal telecommunications law to punish anonymous online speech that "harass[es] any specific person," as well as make it illegal to "repeatedly initiate communication with a telecommunications device, during which conversation or communication ensues, solely to harass any specific person." As Professor Eugene Volokh notes, these broad prohibitions would seem to apply even in situations where an online speaker is talking to the general public, rather than communicating directly with the target of the speech.
Anti-stalking laws serve an important purpose: to protect people who are put in legitimate fear for their wellbeing. Unfortunately, the language of the federal anti-stalking law is already dangerously vague and overbroad, and we're disappointed to see lawmakers think about compounding those problems with a proposal that amounts to Internet censorship legislation. (Just a few weeks ago, Arizona's legislature suffered a public backlash for passing a bill with similar flaws.) The Senate should craft a fix that protects victims while respecting free speech, not make an unconstitutional law even more unconstitutional.
We've seen some ridiculous DMCA takedowns over the years, but we might have a new champion. On Monday, radio host Rush Limbaugh -- who over a three-day period beginning in late February attacked Georgetown law student Sandra Fluke on air for the apparently unforgivable sin of testifying before Congress to advocate for legislation she supported (a bill mandating health insurance coverage for contraception) -- turned to copyright law to go after one of his most vocal critics, the left-leaning political site Daily Kos. The site's offense? Publishing a damning montage of Limbaugh's controversial comments about Ms. Fluke.
Limbaugh's curiously thin-skinned decision to resort to the quiet, low-cost censorship offered by copyright law doesn't exactly break new ground. Limbaugh joins a dubious club that includes:
NBC News and CBS News who, in the waning months of the 2008 presidential campaign, sent DMCA takedown notices to YouTube to shut down ads of the Obama and McCain campaigns respectively, ads that made clear fair uses of news footage to criticize their opponents.
While initiating frivolous legal processes to intimidate and silence critics is hardly new, Limbaugh actually seems to be taking a specific page out of the playbook of Michael Savage, his on-again/off-again compatriot and fellow conservative talk radio fixture. In 2007, Savage turned to copyright law in an ultimately futile attempt to silence the Council on American-Islamic Relations (CAIR), which did precisely what the Daily Kos has done here: post online a minutes-long montage of outrageous statements made by a radio host in order to criticize the host's behavior and expose it for a public audience. In Savage's case, he unsuccessfully sued CAIR for copyright infringement. (And, bizarrely, for racketeering, because posting his xenophobic anti-Muslim rant was clearly part of a vast global terrorist conspiracy targeting Michael Savage.) Limbaugh has (for now) chosen the more expeditious DMCA takedown route. Just as Savage's ridiculous attempt to keep his own words from being used against him failed, though, so will Limbaugh's.
How would Limbaugh's copyright claim fare if he was actually serious about it instead of using it as a trumped-up pretext for a takedown notice? About as well as Savage's; that is, not well. District Court Judge Susan Illston's 2008 opinion dismissing Michael Savage's copyright claim against CAIR on fair use grounds provides a helpful roadmap. As Judge Illston pointed out, the "purpose and character" of the use (the first fair use factor) plainly supported the speakers as "it was not unreasonable for [the speaker] to provide the actual audio excerpts, since they reaffirmed the authenticity of the criticized statements and provided the audience with the tone and manner in which [the host] made the statements." The "amount and substantiality" of the portion used (the third fair use factor) -- the reproduction of four minutes out of a two-hour program -- also supported the critics. (In Limbaugh's case, he is actually objecting to slightly more than seven minutes of nine hours of his show, around 1.3% of the works in question versus approximately 3.3% of the Savage footage.) Finally, the "effect on the potential market for the copyrighted work" factor also clearly supports such uses as the alleged "harm" at issue -- the continued PR fallout from an on-air rant -- isn't properly addressed by copyright law. As the district court noted in rejecting Savage's claim, "Because this factor limits the evaluation of market impact to the original work at issue, not other works by the creator, the loss of advertising revenue for future shows, unrelated to the original work, does not give rise to a legal cognizable infringement claim." Limbaugh's claim, identical to Savage's, would fare no better.
As a result of the bogus complaint, Daily Kos's montage has been taken down from YouTube and -- if Google follows the terms of the DMCA safe harbors -- it will remain down for at least 10-14 days. Fortunately, Daily Kos has also made it available on (less-trafficked) Vimeo. Time will tell if Limbaugh intends to target that platform as well.
Limbaugh, who regularly traffics in self-described "absurdity," of course enjoys the protections of the First Amendment and regularly uses those protections for maximum effect. Had his own speech been similarly targeted by a frivolous lawsuit or takedown request, he would be justified in his own claims of attempted censorship. As we have repeatedly pointed out, however, the First Amendment says nothing about a right to advertiser-subsidized speech, and criticism aimed at undermining advertiser support is just as deserving of legal protection. Agree with Limbaugh or not, his decision to resort to the legal process to silence the speech of others deserves condemnation from First Amendment advocates of all stripes.
A closing question for Google: Want to reconsider? You're not legally obligated to comply with plainly abusive DMCA notices. You've restored videos that were improperly taken down by meritless DMCA notices in the past. How about this one?
[Updated]: On Tuesday afternoon PT (4/24/12), Google restored the Daily Kos video in question. The video can be seen on YouTube here: http://www.youtube.com/watch?v=q1oOjKQflN0. Props to Google for doing the right thing when it was brought to their attention.
Today, a group of prominent academics, experienced engineers, and professionals published an open letter to members of the United States Congress, stating their opposition to CISPA and other overly broad cybersecurity bills.
We are writing you today as professionals, academics, and policy experts who have researched, analyzed, and defended against security threats to the Internet and its infrastructure. We have devoted our careers to building security technologies, and to protecting networks, computers, and critical infrastructure against attacks of many stripes.
We take security very seriously, but we fervently believe that strong computer and network security does not require Internet users to sacrifice their privacy and civil liberties.
The bills currently under consideration, including Rep. Rogers’ Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523) and Sen. McCain’s SECURE IT Act (S. 2151), are drafted to allow entities who participate in relaying or receiving Internet traffic to freely monitor and redistribute those network communications. The bills nullify current legal protections against wiretapping and similar civil liberties violations for that kind of broad data sharing. By encouraging the transfer of users' private communications to US Federal agencies, and lacking good public accountability or transparency, these “cybersecurity” bills unnecessarily trade our civil liberties for the promise of improved network security. As experts in the field, we reject this false trade-off and urge you to oppose any cybersecurity initiative that does not explicitly include appropriate methods to ensure the protection of users’ civil liberties.
In summary, we urge you to reject legislation that:
Uses vague language to describe network security attacks, threat indicators, and countermeasures, allowing for the possibility that innocuous online activities could be construed as “cybersecurity” threats.
Exempts “cybersecurity” activities from existing laws that protect individuals’ privacy and devices, such as the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act.
Gives sweeping immunity from liability to companies even if they violate individuals’ privacy, and without evidence of wrongdoing.
Allows data originally collected through “cybersecurity” programs to be used to prosecute unrelated crimes.
We appreciate your interest in making our networks more secure, but passing legislation that suffers from the problems above would be a grave mistake for privacy and civil liberties, and will not be a step forward in making us safer.
Bruce Schneier. Prominent security researcher and cryptographer, published seminal works on applied cryptography. Active in public policy regarding security issues; runs a weblog and writes a regular column for Wired magazine.
David J. Farber. Distinguished Career Professor of Computer Science and Public Policy, Carnegie Mellon University. Designer of the first electronic switching system. Was a major contributor to early programming languages and computer networking. EFF board member.
Donald Eastlake. Original architect of DNS Security, network security expert. Chair of IETF TRILL and IETF PPPEXT working groups.
Peter Swire. C. William O'Neill Professor of Law, Ohio State University. Former Assistant to President Obama for Economic Policy, and former Chief Counselor for Privacy in the U.S. Office of Management and Budget.
Eric Burger. Research Professor of Computer Science and Director, Georgetown Center for Secure Communications, Georgetown University. Chair of multiple IETF Working Groups.
Tobin Maginnis. Professor of Computer and Information Science, University of Mississippi. Operating system researcher, GNU/Linux expert, Web architecture researcher and networking expert.
Sharon Goldberg. Professor of Computer Science, Boston University. Network security researcher, member of FCC CSRIC working group on BGP security.
Peter G. Neumann. Principal Engineer, SRI International Computer Science Laboratory; moderator, ACM Risks Forum. Affiliation listed for purposes of identification only.
Stephen H. Unger. Professor Emeritus, Computer Science and Electrical Engineering, Columbia University. Board of Governors of IEEE Society on Social Implications of Technology (SSTI).
Geoff Kuenning. Professor of Computer Science and CS Clinic Director, Harvey Mudd College. File system researcher, built the SEER predictive hoarding system to predict what files mobile users will need while disconnected from a network.
Benjamin C. Pierce. Professor of Computer and Information Science, University of Pennsylvania. Research on differential privacy, which allows formal reasoning about real-world privacy.
Richard F. Forno. Lecturer of Computer Science focused on cybersecurity, signing as a private citizen.
Jonathan Weinberg. Professor of Law, Wayne State University. Chair of ICANN working group, and expert on communications policy.
Joseph “Jay” Moran. Distinguished engineer, AOL technical operations. Experienced executive working in technical operations and engineering for 20+ years.
Dan Gillmor. Technology writer and columnist. Director of Knight Center for Digital Media Entrepreneurship at Arizona State University, Fellow at the Berkman Center for Internet and Society, Harvard University. EFF Pioneer Award winner.
Armando P. Stettner. Technologist and senior member of IEEE, spearheaded native VAX version of Unix.
Gordon Cook. Technologist, writer, editor and publisher of “COOK report on Internet Protocol” since 1992.
Alexander McMillen. Entrepreneur and CEO, Sliqua Enterprise Hosting.
Sid Karin. Professor of Computer Science and Engineering, University of California, San Diego. Former founding Director of the San Diego Supercomputer Center (SDSC) and National Partnership for Advanced Computational Infrastructure (NPACI).
Eric Brunner-Williams. CTO, Wampumpeag. Signing as an individual.
Lawrence C. Stewart. CTO, Cerissa Research. Built the Etherphone at Xerox, the first telephone system working over a local area network; designed early e-commerce systems for the Internet at Open Market.
Ben Huh. Entrepreneur, CEO Cheezburger Inc.
Dave Burstein. Editor, DSL Prime.
Mikki Barry. Managing partner, Making Sense of Compliance.
Blake Pfankuch. Network engineer.
John Peach. Systems Administrator with 20+ years of experience.
Valdis Kletnieks. IT Professional, Virginia Tech University.
Darrell Hyde. Director of Architecture, Hosting.com.
Ryan Rawdon. Network and Security Engineer, was on the technical operations team for one of our country's largest residential ISPs.
Ken Anderson. VP of Engineering, Pacific Internet.
Andrew McConachie. Network engineer working on Internet infrastructure.
Richard Kulawiec. Senior network security architect with over 30 years experience.
Aaron Wendel. CTO, Wholesale Internet, Inc.
David Richardson. Center for High Performance Computing, University of Utah.
David M. Miller. CTO / Executive VP for DNS Made Easy.
Marshall Eubanks. Entrepreneur and CEO, America Free TV.
Edward Arthurs. Manager of Network Installations, Legacy Inmate Communications, Legacy Contact Center, Legacy Long Distance Intl. Inc.
Christopher Liljenstolpe. Chair of the IETF Operations and Management Area Working Group. Chief architect for AS3561 (at the time about 30% of the Internet backbone by traffic) and AS1221 (Australia's main Internet infrastructure).
Christopher McDonald. Vice President, PCCW Global.
Joseph Lorenzo Hall. Research Fellow focused on health information technology and electoral transparency, New York University.
Ronald D. Edge. IT expert.
David Henkel-Wallace. Vice President of Engineering, Terrajoule Corporation.
John Pettitt. Internet commerce pioneer, online since 1983, CEO Free Range Content Inc.; founder/CTO CyberSource & Beyond.com; created online fraud protection software that processes over 2 billion transactions a year.
Ben Kamen. I.T./EE Professional.
Christopher Soghoian. Graduate Fellow, Center for Applied Cybersecurity Research, Indiana University.
Jo Young. IT professional.
Mark Hull-Richter. Senior software engineer.
Joop Cousteau. VP, Global Network Technology. KLM Airlines USA Ltd.
Jonathan Mayer. Graduate researcher, Security Lab and the Center for Internet and Society, Stanford University.
Jeremy Sliwinski. Network engineer with 10+ years of experience.
Nathan Syfrig. Software Engineer and IT Consultant.
Brion Swanson. Senior Software Engineer.
Seth Johnson. Information Quality Specialist. Coordinator, The Internet Distinction.
Danny Moules. Security Consultant and Professional Member of BCS, The Chartered Institute for IT.
Geoff Dahl. Entrepreneur and CEO of SC5 Managed Hosting.
Eric Tenenbown. Network Engineer.
Mike Dunn. System technician.
Patrick Loftus. Software engineer with 10+ years experience.
Tom Halladay. Senior Software Developer with 10+ years experience.
Roger Nebel. CISO Defense Group, Inc., Georgetown University Adjunct, 30+ years of experience, signing as a private citizen.
David Baker. IT Consultant.
Robert Mathews. As a private citizen.
Leo A. Dregier III. IT security expert with 15+ years experience.
CISPA is going to the floor this week, but it is just the first among many cybersecurity bills that will be considered. If you are an academic, technologist, or professional in this space and would like to add your name to this letter for CISPA or future bills that suffer from similar problems, please email dan+letter at eff dot org.
And if you are not a network security expert, please take action here:
The recent Week of Action against CISPA, the dangerously vague ‘cybersecurity’ bill, highlights the growing bi-partisan disapproval of the many provisions that would gut all existing privacy laws. Internet users across the political spectrum voiced their concerns with how the bill allows companies to spy on users, filter content, and transfer personal information to agencies like the NSA.
This week, the Free Market Coalition, a coalition that includes FreedomWorks, the American Conservative Union, the Liberty Coalition, and Americans For Limited Government, reiterated problems EFF has mentioned in numerous articles. They are joined by Ron Paul, who described the bill as "Big Brother writ large." The Free Market Coalition sent a letter to Congress decrying the broad immunity provisions, unprecedented government information sharing, and the ability to supersede current federal and state privacy law. Among others, the groups join DemandProgress, Fight for the Future, Free Press, and the White House in expressing disapproval about core problems of the bill.
EFF also shares these concerns. That's why we encourage other groups to join our Voices of Opposition list. In addition, we hope individuals will continue to tweet and send emails to their representatives to make it clear that the government has no right to spy on our private lives.
On Monday, President Obama, in a speech at the Holocaust Memorial Museum in Washington, DC, announced new measures to help curb human rights violations by the Syrian and Iranian governments. These measures include an executive order targeting people and companies facilitating human-rights abuses with technology, as well as a set of “challenge grants” that would fund companies to help create new technologies for the purpose of warning citizens in countries where mass killings may occur.
While we applaud these efforts—which, it should be noted, are targeted and narrow enough so as not to cause the type of collateral damage we’ve previously condemned—we do have concerns about just how much the executive order, which is focused solely on Iran and Syria, will accomplish.
First, here’s what the order does accomplish:
It sanctions individuals and entities in Iran and Syria that are “complicit in their government’s malign use of technology” for the purposes of network disruption, monitoring, or tracking of individuals.
It aims to prevent entities (including companies) from facilitating or committing serious human rights abuses in Syria.
It bars the contribution or receipt of funds to any individual or entity named on the list contained within the order.
Notably, the order makes mention of companies that have “sold, leased or otherwise provided, directly or indirectly, goods, services or technology to Iran or Syria likely to be used to facilitate computer or network disruption, monitoring, or tracking that could assist in or enable serious human rights abuses by or on behalf of [the two countries’ governments]” (emphasis ours). This is notable because, when it was discovered that their products had made it to Syria and were being used by the regime to monitor network communications, executives of U.S. company BlueCoat denied knowledge of their products being in Syria.
Now, for what the order does not accomplish:
The order is solely focused on Syria and Iran, leaving out—most notably—Bahrain, where a protester was killed by police forces this weekend, as well as, of course, other countries that engage in technology-related human rights violations. Bahraini human rights groups have documented the use of Trovicor technologies in surveillance there, leading to—in some cases—torture.
The order does not loosen existing restrictions by the Department of Commerce, which bar the export of “good” technologies—including web hosting, Google Earth, and Java—to Syrians. At the Stockholm Internet Forum for Global Development last week, Syrian activist Mohammad Al Abdallah raised the Commerce restrictions as a consistent frustration amongst Syrian activists on the ground. While Treasury restrictions on Iran have been revised time and again, Commerce restrictions go unchanged.
Ultimately, the executive order is a good thing and won’t—we hope—hurt Syrian or Iranian individuals, while having an impact on the companies and entities complicit in regime human rights abuses. We’re happy to see the Obama administration taking note of—and acting on—the dangers at the intersection of technology and human rights, but hope to see other issues raised in this post addressed as well.