This week, EFF—along with a host of other civil liberties groups—is protesting the dangerous new cybersecurity bill known as CISPA that will be voted on in the House on April 23. EFF has compiled an FAQ detailing how the bill's major provisions work and how they endanger all Internet users' privacy.
Update 1: The White House released a statement on Tuesday criticizing CISPA and said any cybersecurity bill with information sharing provisions "must include robust safeguards to preserve the privacy and civil liberties of our citizens." The White House declared they would not support a bill that would "sacrifice the privacy of our citizens in the name of security." Below are all the ways CISPA would violate that principle.
CISPA stands for The Cyber Intelligence Sharing and Protection Act, a cybersecurity bill written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) (H.R. 3523). The bill purports to allow companies and the federal government to share information to prevent or defend from cyberattacks. However, the bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws. Because the bill is so hotly debated now, unofficial proposed amendments are also being circulated and the actual bill language is in flux.
Under CISPA, can a private company read my emails?
Yes. Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. This phrase is being interpreted to mean monitoring your communications—including the contents of email or private messages on Facebook.
Right now, well-established laws, like the Wiretap Act and the Electronic Communications Privacy Act, prevent companies from routinely monitoring your private communications. Communications service providers may only engage in reasonable monitoring that balances the providers' needs to protect their rights and property with their subscribers' right to privacy in their communications. And these laws expressly allow lawsuits against companies that go too far. CISPA destroys these protections by declaring that any provision in CISPA is effective “notwithstanding any other law” and by creating a broad immunity for companies against both civil and criminal liability. This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.
What would allow a company to read my emails?
CISPA has such an expansive definition of "cybersecurity threat information" that many ordinary activities could qualify. CISPA is not specific, but similar definitions in two Senate bills provide clues as to what these activities could be. Basic privacy practices that EFF recommends—like using an anonymizing service like Tor or even encrypting your emails—could be considered an indicator of a “threat” under the Senate bills. As we have stated previously, the bills’ definitions “implicate far more than what security experts would reasonably consider to be cybersecurity threat indicators—things like port scans, DDoS traffic, and the like.”
A more detailed explanation about what could constitute a “cybersecurity purpose” or “cyber security threat indicator” in the various cybersecurity bills can be read here.
Under CISPA, can a company hand my communications over to the government without a warrant?
Yes. After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever, as long as the communications contain what the companies interpret to be “cyber threat information.” Once the government has your communications, it can read them too.
Under CISPA, what can I do if a company improperly hands over private information to the government?
Almost nothing. CISPA would affirmatively prevent users from suing a company if they hand over their private information to the government in virtually all cases. A broad immunity provision in the proposed amendments gives companies complete protection from user lawsuits unless information was given to the government:
(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm of the act or omission will outweigh the benefit.
As Techdirt concluded, “no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.” This proposed immunity provision is actually worse than the prior version of the bill, under which companies could be sued if they acted in “bad faith.”
UPDATE: The most current version has switched back to the standard giving companies immunity as long as they act in "good faith"—still a very weak standard that would leave users with no recourse in virtually all cases.
What government agencies can look at my private information?
Under CISPA, companies can hand “cyber threat information” to any government agency, which then passes that information to the Department of Homeland Security (DHS). Once it’s in DHS’s hands, the bill says that DHS can then hand the information to other intelligence agencies, including the National Security Agency, at its discretion.
Can the government use my private information for other purposes besides “cybersecurity” once they have it?
Yes. When the bill was originally drafted, information could be used for all other law enforcement purposes besides “regulatory purposes.” A new amendment narrows this slightly. Now—even though the information was passed along to the government for only cybersecurity purposes—the government can use your personal information for either cybersecurity or national security investigations. And as long as it can be used for one of those purposes, it can be used for any other purpose as well.
Can the government use my private information to go after alleged copyright infringers and whistleblower websites?
Up until last Friday the answer was yes, and now it’s changed to maybe. In response to the overwhelming protest from the Internet community that this bill would become a backdoor for SOPA 2, the bill authors have proposed an amendment that rids the bill of any reference to “intellectual property.”
The bill previously defined “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” Now the text reads:
(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information
But it is important to remember that this proposed amendment is just that: proposed. The House has not voted it into the bill yet, so they still must follow through and remove it completely.
A more detailed explanation of how this provision could be used for copyright enforcement and censoring whistleblower sites like WikiLeaks can be read here.
What can I do to stop the government from misusing my private information?
CISPA does allow users to sue the government if they intentionally or willfully use their information for purposes other than what is described above. But any such lawsuit will be difficult to bring. For instance, the statute of limitations for such a lawsuit is two years from the date of the actual violation. It’s not at all clear how an individual would know of such misuse if it were kept inside the government.
Moreover, suing the government where classified information or the “state secrets privilege” is involved is difficult, expensive, and time consuming. EFF has been involved for years in a lawsuit over Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the NSA—a likely recipient of “cyber threat information.” Despite six years of litigation, the government continues to maintain that the “state secrets” privilege prevents the lawsuit from being heard.
Given that DHS is notorious for classifying everything—even including their budget and number of employees—they may attempt to prevent users from finding out exactly how this information was ever used. And if the information is in the hands of the NSA and they claim “national security,” then it would get even harder.
In addition, while CISPA does mandate that an Inspector General issue a report to Congress on the government’s use of this information, the report's recommendations or remedies do not have to be followed.
Why are Facebook and other companies supporting this legislation?
Facebook and other companies have endorsed this legislation because they want to be able to receive information about network security threats from the government. This is a fine goal, but unfortunately CISPA would do far more than that—it would eviscerate existing privacy laws by allowing companies to voluntarily share users’ private information with the government.
Facebook released a statement Friday saying that they are concerned about users’ privacy rights and that the provision allowing them to hand user information to the government “is unrelated to the things we liked about HR 3523 in the first place.” As we explained in our analysis of Facebook’s response: the “stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.” Read more about why Facebook should withdraw support from CISPA until privacy safeguards are in place here.
What can I do to stop this bill?
It’s vital that concerned Internet users tell Congress to stop this bill. Use EFF’s action center to send an email to your Congress member urging them to oppose this bill.
We’re also joining other civil liberties organizations in Stop Cyber Spying Week, a week of action to protest CISPA. The goal of this week of action is simple: get Congress to back off of any cybersnooping legislation that sacrifices the civil liberties of Internet users. We’ve set up a dedicated Twitter tool to help Internet users tweet messages to their Congressional representatives opposing CISPA.
Numerous commentators have noted the sore thumb in the group of supporters for The Cyber Intelligence Sharing and Protection Act (CISPA): Facebook. Why would a social network be endorsing a bill that would allow companies to pass personal information about Internet users to the government without any form of judicial oversight? A number of recent articles have discussed the issue, and already one digital rights group has launched a campaign to convince Facebook to drop support of the bill. In response to the criticisms, Facebook’s Vice President of US Public Policy Joel Kaplan published a statement on Friday admitting that there were privacy concerns with the bill. He also noted that Facebook’s major cybersecurity goal is to receive more data about cybersecurity threats from the government—something that doesn’t necessitate the sweeping data sharing provisions currently outlined in CISPA.
In the statement, Kaplan stated:
[W]e recognize that a number of privacy and civil liberties groups have raised concerns about the bill—in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity.
Even as he noted the civil liberties criticisms, Kaplan assured users that Facebook has "no intention" of sharing private user data with the government and stated that CISPA "would impose no new obligations on us to share data with anyone."
But let’s be clear: Internet users don’t want promises from companies not to intercept our private communications and share that data with one another and the government. We want strong laws that make such egregious privacy violations illegal, that require the government to follow legal process (judicial oversight in most cases), and that allow us or the government to sue persons who break the law. Ironically, hard-won, long-standing privacy laws—like the Wiretap Act and the Electronic Communications Privacy Act—already exist, although they are by no means ideal. There are already too many exceptions that allow the government to gain access to sensitive user data. But CISPA would upend these existing legal protections and leave the door wide open to companies handing sensitive personal information to the government without so much as a subpoena, let alone a warrant.
Kaplan discussed Facebook’s motivation for supporting the bill: "if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems." He also noted that the "things we liked about HR 3523 in the first place—[were] the additional information it would provide us about specific cyber threats to our systems and users." This stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.
Kaplan expressed hope that Congress would produce "legislation that helps give companies like ours the tools we need to protect our systems and the security of our users’ information, while also providing those users confidence that adequate privacy safeguards are in place." If Facebook wants more timely and accurate data about cybersecurity threats from the government while providing "adequate" privacy safeguards, it should withdraw support from CISPA until those safeguards are in place.
Judges Increasingly Catching On to Copyright Trolls' Unfair Tactics
Life under the bridge is a bit less comfortable for copyright trolls these days, as a series of legal losses continues to undermine their misguided business model. Trolls make their money through variations on a simple scheme: file mass copyright lawsuits against thousands of people at once without regard for whether they're in the right court, get a judge to give them power to obtain identifying information for the anonymous “Does,” and then send settlement demand letters threatening to name these Does in a lawsuit if they don’t pay up. In many cases, troll lawsuits are based on allegations of downloading pornography, creating additional pressure to settle rather than risk the embarrassment of being publicly named as watching dirty movies online.
The strategy may be simple, but courts are increasingly rejecting it. In the past few months, judges around the country have picked up the pace and gone after both the legal tactics used for trolling and the lawyers engaging in them.
One battleground is in Florida, where copyright trolls are on a real losing streak. Earlier this month a federal judge in the Northern District of Florida dismissed 27 cases targeting over 3,500 Does — because the lawyer Tarik Hashmi was practicing without a license.
That victory for the legal system follows two major decisions that have collectively taken a shaky legal tactic off the table for trolls. Florida trolls had attempted to use a state law to force ISPs to identify suspected file-sharers. Two different judges rejected that legal theory, quashing subpoenas or dismissing cases outright for nearly 1000 anonymous defendants. Notably, the motions in these cases were brought by the ISPs themselves, which are not happy to be assisting in the process of extorting their customers.
Those decisions are characteristic of what Northern District of Illinois Judge James F. Holderman called a "stiffening judicial headwind" against copyright trolls’ abuse of the legal system. Judge Holderman provided that analysis in an opinion rejecting conspiracy charges [pdf] brought by a troll on similarly legally suspect grounds.
In the Northern District of California, Judge Howard R. Lloyd has been even more direct with the lawyers bringing troll suits. In an order issued late last month [pdf] in Hard Drive Productions v. Does 1-90 the Judge wrote:
the court will not assist a plaintiff who seems to have no desire to actually litigate but instead seems to be using the courts to pursue an extrajudicial business plan against possible infringers (and innocent others caught up in the ISP net).
It's clear that many judges are running out of patience for extrajudicial shakedown operations wasting court resources and victimizing Internet users at large. Northern District of Texas Judge David C. Godbey granted sanctions motions brought by EFF and Public Citizen late last year against prolific porn troll lawyer Evan Stone, complaining in his opinion about Stone's "staggering chutzpah." Judge Godbey's colleague Judge John McBryde echoed that sentiment in another opinion [pdf], saying that Stone "failed to demonstrate the level of candor the court expects of members of the bar of this court."
Sadly, these judges' views are not universally held: too many courts are letting these cases go forward even after being apprised of their fundamental flaws. Several Internet service providers (with amicus support from EFF) have asked a federal judge who signed off on some of these lawsuits in a widely cited opinion to reconsider her determination or let them raise the issue before an appellate court. With hundreds of cases pending, and hundreds of thousands of individuals' right to anonymity online at stake, it is high time for an appeals court to put some uniformity on the law and stop the trolls’ unsavory tactics.
EFF recently received records from the Miami-Dade Police Department in response to a Public Records request for information on its drone program. These records provide additional insight into domestic drone use in the United States, and they reinforce the importance of public access to information on who is authorized to fly drones inside US borders.
The COA and the other records EFF received show that Miami-Dade’s drone program is quite limited in scope. The two small drones the MDPD is flying—Honeywell T-Hawks—are able to fly up to 10,000 feet high, can record video or still images in daylight or infrared, and can “Hover and stare; [and] follow and zoom” (pdf), according to the manufacturer. However, the COA limits their use to flights below 300 feet. The drones also must remain within visual line of sight of both a pilot and an observer and can only be flown during the day. They cannot be flown within the Miami city limits or over any high-rise buildings, populated beaches, outdoor assemblies of people, or heavily trafficked roadways (which seems to severely limit their range). Also, the MDPD has stated it doesn’t use the drones to record incidents or store image files and that the drone is set up to “clear the picture upon the next picture being captured.” (It is not clear from MDPD’s records whether the department has another system set up to retain the image files.)
MDPD sent EFF a copy of its “Standard Operating Procedures” for flying the T-Hawks, though these procedures are still in draft form. However, neither they nor the COA discuss any legal restrictions on flights or information collected to protect privacy or civil liberties. MDPD said in a separate email that the department does not require a warrant or any other form of court process prior to flying the drones.
Although EFF would like to see the MDPD incorporating court oversight into its use of drones, we commend the department for following the example of the Texas Department of Public Safety and being forthcoming about its drone program. We hope the FAA will use these agencies as a model as it prepares its response to EFF’s lawsuit and Freedom of Information Act request for copies of all COAs the agency has issued to fly drones domestically.
The United Arab Emirates signed a deal with the telecommunications company Etisalat to embed citizens' national ID information into mobile phones. They will now be exploring a system that would use a Near Field Communication (NFC) application, which allows cell phones to exchange data via radio frequency at very close range. The UAE has had a national ID system since 2004, with IDs carrying a chip similar to the one on a credit card and holding a person's name, birthday, gender, photograph, fingerprint, and ID number.
Etisalat, based in the UAE, has a history of working with the Emirati government on various initiatives. Notably, the company helped the government develop surveillance malware to be installed on Blackberry devices. The software was presented as a "network upgrade," but it was quickly revealed to be meant to spy on its mobile users.
EFF has long opposed national ID systems because they are fraught with potential for abuse in every aspect of their creation and operation. Not only are they extremely costly to implement, but the risk of fraudulent and flawed identification cards is very serious: these cards need to be distributed on such a scale that even a small percentage of errors could cause major social disruption. Moreover, such a mass collection of data leaves a high potential for abuse by both private and public actors.
Since carrying an ID card is mandatory in the UAE, this may mean that Emirati citizens will be required to carry their phones with them at all times. The objectives for working towards implementing this system are currently unknown. However, integrating personal data with mobile phones can only bring trouble.
47% of All Internet Users Experience Censorship, Says OpenNet Initiative
According to the OpenNet Initiative (ONI)--a joint initiative of Harvard University, the University of Toronto and the SecDev Group--47% of the world's Internet users experience some form of fractured Internet. ONI bases their research on technical testing in 74 countries, 42 of which the researchers found engage in "some form of filtering of content." Though the aforementioned statistic (47%, or 960 million Internet users) includes countries like Morocco that engage only in "selective" blocking of websites, 31% of the world's Internet users live in countries that engage in "substantial" or "pervasive" online censorship.
Vietnam Aiming to be Enemy #1 (of the Internet)
Vietnam--which has been named an "enemy of the Internet" by Reporters Without Borders two years in a row--appears to be vying for first place on that list, in light of two recent news items. The first is a report that claims that the trial of eleven detained activists, including several bloggers, is "imminent." The report, from Radio Free Asia, calls the charges against the activists "part of a larger crackdown" on activists and citizen journalists in the country.
In separate news, a brief from exiled political organization Viet Tan outlines a new decree by Vietnam's government that would require Internet users to register with their real names. In addition, it would require foreign Internet companies to relocate their data centers and establish local offices in Vietnam. According to Viet Tan, "These new rules could have serious consequences for companies such as Google and Facebook which have millions of Vietnamese users but are not physically located in the country." The draft decree, which can be found on Viet Tan's website, is dubbed "Decree on the Management, Provision, Use of Internet Services and Information Content Online."
EFF will be closely following the developments surrounding this proposed decree.
Iran Denies Plans to Cut Off Citizens from Internet
While Iran has not backtracked on its plans for a "halal Internet", this week Iranian authorities condemned a rumor that the country was planning to cut its citizens off from the global Internet by August. While that's all well and good, as MSNBC points out, "a firewalled Internet, much like those in China and North Korea, is not propaganda. In Iran, it's not a matter of if, but when."
Chinese Internet Users Cut Off--Briefly--From the World
For more than an hour on Thursday, Chinese Internet users were cut off from the global Internet, while Chinese sites were inaccessible from users outside of mainland China. While the cause of the blackout has not yet been determined, several media outlets theorized that it was either a result of the massive earthquakes near Sumatra (that may have damaged an undersea cable) or that the "Great Firewall" was undergoing routine maintenance.
Raise a glass with us and discover our latest work protecting digital innovation, privacy, and free speech, and learn more about the continuing fight to defend your freedom online. EFF's Speakeasy events are free, informal meetups that give you a chance to mingle with local members and speak with the people behind the world's leading digital civil liberties organization. It is also our chance to thank you, the EFF supporters who make it possible.
SPEAKEASY: BOSTON EFF Members-Only Happy Hour
Thursday, April 19, 2012 from 6-8 PM
Current donors in the Boston Area received an email invitation with location details on Tuesday, 4/10. Space is limited, so reserve your spot. If you are traveling through Boston that day and would like an invitation, contact email@example.com.
Not a member yet? Help defend our future when you join today!
New Yorkers: Worried about whether you will have a right to watch local TV broadcasts on your Internet devices? Aereo is a company that lets users watch their local channels by renting a dime-sized antenna at Aereo's facility - one per customer. The signal from that antenna gets sent over the Internet to a single user. In effect, the company moves the "rabbit ears" antenna from the top of your TV set to a central facility. Aereo, like the VCR, the DVR, and many other video technologies, simply lets people watch the TV shows they already have a legal right to watch at different places and times, and on different devices. And just as they did with many of those technologies, copyright owners are suing to shut it down. Aereo is being sued by TV networks and stations who claim that providing antennas to individual TV watchers in their home city is a "public performance" that infringes copyright.
EFF wants to hear from Aereo customers as we explore how to keep broadcast TV free. If you are an Aereo customer, live in New York City, and want your voice heard, please send EFF an email at firstname.lastname@example.org. Tell us about how you use Aereo and why you think it should stay legal. The public airwaves belong to you - help us protect your right to access them when and how you choose.