This week EFF released a new version of its HTTPS Everywhere extension for the Firefox browser and debuted a beta version of the extension for Chrome. EFF frequently recommends that Internet users who are concerned about protecting their anonymity and security online use HTTPS Everywhere, which encrypts your communications with many websites, in conjunction with Tor, which helps to protect your anonymity online. But the best security comes from being an informed user who understands how these tools work together to protect your privacy against potential eavesdroppers.
Whenever you read your email, or update your Facebook page, or check your bank statement, there are dozens of points at which potential adversaries can intercept your Internet traffic. By using Tor to anonymize your traffic and HTTPS to encrypt it, you gain considerable protection, most notably against eavesdroppers on your wifi network and eavesdroppers on the network between you and the site you are accessing. But these tools have important limitations: your ISP and the website you are visiting still see some identifying information about you, which could be made available to a lawyer with a subpoena or a policeman with a warrant.
Protecting your security and anonymity against real-time government wiretapping is considerably more difficult. In a country where ISPs are controlled by the government or vulnerable to government bullying, Internet users should be especially aware of what kinds of information are still visible to ISPs and may be subject to government surveillance. To a lesser degree, websites may be subject to the same kinds of government bullying and may be compelled to give up information about their customers.
Finally, government agencies with particularly vast resources, such as the NSA, may be able to circumvent the protection provided by Tor through what is known as the “Global Network Adversary” attack. If the Global Network Adversary (GNA) controls the relay through which you enter the Tor network and the relay through which you exit, the GNA can correlate the size and timing of your traffic to identify you on the Tor network. In this scenario, the GNA will have the origin and destination of your traffic, but if you are using HTTPS, they will not be able to read the content. You can help combat the GNA by running a Tor relay, adding to the strength and diversity of the Tor network.
EFF has put together an interactive graphic to explain the ways in which HTTPS and Tor work together to provide you with certain kinds of protection against a variety of potential adversaries.
Last Saturday, the Canadian government announced it would put proposed online surveillance legislation temporarily "on pause" following sustained public outrage generated by the bill. Since its introduction two weeks ago, Canadians have spoken out en masse against Bill C-30, the Canadian government’s latest attempt to update police online surveillance powers. As currently drafted, the bill represents a dramatic and dangerous attempt to leverage online service providers as agents of state surveillance.
The bill introduces new police powers that would allow Canadian authorities easy access to Canadians’ online activities, including the power to force ISPs to hand over private customer data without a warrant. Adding insult to injury, the proposed legislation would also pave the way to gag orders that would prevent online service providers from notifying subscribers that their private data has been disclosed—a move that would make it impossible for users to seek legal recourse for privacy violations. C-30 is the misshapen offspring of the Cybercrime Convention. Countries have been using this treaty as an excuse to invade citizens’ privacy for years since it was first opened for signature in 2001. Many of these new surveillance powers go far beyond the Convention’s intended levels of intrusiveness.
The bill has inspired Canadian netizens to unleash the full creative force of the Internet in voicing their concerns. They generated creative rants, parodies, videos, t-shirts, LOL memes, and even a hashtag where Canadians tried to save the Government the trouble of increasing online surveillance powers by telling Public Safety Minister Vic Toews "everything." The proposed legislation has also attracted widespread condemnation from privacy experts, Privacy Commissioners (including specific concerns from the Federal and Ontario Commissioners, as well as general concerns on behalf of all Canadian privacy officers collectively), telecommunications companies, major Canadian newspapers, all opposition political parties, and over 115,000 Canadians who, to date, have signed an online petition against Bill C-30 hosted by OpenMedia.ca.
Widespread condemnation of this bill comes in spite of months of obfuscation by the Canadian government. The government has consistently insisted that the bill does no more than apply existing surveillance capacities to the online world and that, regardless, its main focus is on child pornography. Matters came to a head a few weeks ago when Minister Toews introduced Bill C-30 and proclaimed that all those opposed to the legislation were “with the child pornographers.” In a last-minute change, Bill C-30 was even dubbed the "Protecting Children from Internet Predators Act"—this is in spite of information gathered via an access to information request by Canadian reporter Sarah Schmidt that demonstrated, in the Government’s own internal justifications for the legislation, that the powers in question are actually needed for non-criminal investigations, not child pornography.
Rhetoric aside, Bill C-30 poses serious threats to online privacy. As the majority Canadian government is not likely to give up on this proposed legislation, it is important for Canadians to keep the pressure on! We will be discussing these issues in greater detail in our second post on this topic. For now, we urge supporters to join the over 115,000 Canadians who have already signed the stopspying.ca petition against Bill C-30. You can also write a letter to your MP using the Ontario Information & Privacy Commissioner’s letter writing tool.
Earlier this week we released version 2.0.1 of HTTPS Everywhere for Firefox, and also, a new beta version for Chrome!
Firefox users will find a number of improvements in version 2.0. In addition to support for four hundred more sites, a crisper user interface, and translation into a dozen languages, there is a new optional feature called the Decentralized SSL Observatory. It detects and warns about security vulnerabilities as you browse the Web. Firefox users can turn on this setting from the Tools->HTTPS Everywhere->SSL Observatory Preferences menu, or from the HTTPS Everywhere toolbar button.
In that Preferences page, check the box marked "Use the Observatory".
If you turn on this feature, it will send anonymous copies of certificates for HTTPS websites to EFF's SSL Observatory database, which will allow us to study them and detect problems with the web's cryptographic and security infrastructure. The Decentralized SSL Observatory is also capable of giving real-time warnings about these problems.
At the moment, the Observatory will give warnings if you connect to a router, VPN, firewall or similar device that has an insecure private key due to the random number generator vulnerabilities that were recently discovered by two teams of researchers, using data from the SSL Observatory and other sources. We will be adding more kinds of certificate and key auditing to the Decentralized Observatory in the future.
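The weakness those two research teams reported is that devices generating RSA keys with poorly seeded random number generators end up with public moduli that share a prime factor with another device's key, or are identical to it. The following Python sketch is an added example, not EFF's Observatory code: it audits an inventory of moduli for that condition with a batch GCD, and the device names and moduli are constructed for illustration.

```python
"""Audit RSA public moduli for shared prime factors (all data below is constructed)."""
from math import gcd, prod


def product_tree(values):
    """Build a product tree: levels[0] is the input, levels[-1] holds the full product."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([prod(cur[i:i + 2]) for i in range(0, len(cur), 2)])
    return levels


def batch_gcd(moduli):
    """Return gcd(N_i, product of all other N_j) for every N_i.

    A result of 1 means N_i shares no factor with any other modulus.
    The remainder tree reduces the full product P to P mod N_i^2 at each
    leaf, so the work stays close to linear instead of comparing every pair.
    """
    if not moduli:
        return []
    levels = product_tree(moduli)
    rems = levels[-1]  # root of the tree: [P]
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod N_i^2) / N_i equals (P / N_i) mod N_i, so this is gcd(N_i, P / N_i).
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit(inventory):
    """inventory maps a device label to its RSA modulus.

    Returns findings only for weak keys:
      {"kind": "shared-prime" | "duplicate-modulus", "peers": [labels]}
    The shared factor itself is deliberately not reported.
    """
    names = list(inventory)
    moduli = [inventory[name] for name in names]
    findings = {}
    for name, n, g in zip(names, moduli, batch_gcd(moduli)):
        if g == 1:
            continue  # nothing in common with any other key in the inventory
        # Only the few flagged keys get the slower pairwise pass to name peers.
        peers = sorted(o for o in names if o != name and gcd(inventory[o], n) > 1)
        duplicate = any(inventory[o] == n for o in peers)
        findings[name] = {
            "kind": "duplicate-modulus" if duplicate else "shared-prime",
            "peers": peers,
        }
    return findings


# Constructed inventory. Real moduli are 1024 bits or more; these small ones are
# products of Mersenne primes so the expected result is easy to check by hand.
P13, P17, P19, P31 = 2**13 - 1, 2**17 - 1, 2**19 - 1, 2**31 - 1
P61, P89, P107, P127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1

SAMPLE_INVENTORY = {
    "router-a": P61 * P89,
    "router-b": P61 * P107,    # same first prime as router-a
    "vpn-1": P127 * P31,       # unique primes
    "firewall-1": P19 * P17,
    "firewall-2": P19 * P17,   # identical key shipped on two devices
    "web-1": P13 * 65537,      # unique primes
}

if __name__ == "__main__":
    for device, finding in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {finding['kind']} with {', '.join(finding['peers'])}")
```

A flagged device needs a new key pair generated once its random number generator is properly seeded; reissuing a certificate for the same key does not fix it.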
The case arises out of the federal government's investigation of New York attorney Robert Simels for conspiracy to obstruct justice. As part of its investigation, the government asked a judge for authorization to wiretap conversations between Simels and his client. The Wiretap Act requires that intercepts be "minimized," meaning the government can only capture conversations relevant to the ongoing criminal investigation. The judge issued the wiretap but required the government to contemporaneously minimize the communications it was intercepting. Later, a different judge found the government failed to comply with the court's order and suppressed the wiretaps, preventing the government from using them at trial. The court suppressed under 18 U.S.C. § 2515, which says that when a communication has been illegally intercepted in violation of the Wiretap Act, "no part of the contents of such communication and no evidence derived therefrom may be received in evidence in any trial."
After Simels testified in his own defense at trial, the government asked the judge for permission to play the suppressed wiretap recordings to the jury, intending to show that Simels had testified inconsistently with what he had said on the recordings. Despite the clear prohibition against the use of illegally intercepted communications in any trial, the judge nonetheless ruled that the Wiretap Act contained an implicit exception that allowed the government to use an illegally intercepted communication to impeach (or discredit) a witness. Simels was ultimately convicted, and the Second Circuit Court of Appeals rejected his argument that the judge was wrong in allowing the jury to hear the illegally intercepted communications.
In our brief to the Supreme Court, we argue that a judicially-created impeachment exception to the Wiretap Act not only contravenes the plain text of 18 U.S.C. § 2515, which contains no impeachment exception, but also goes against Supreme Court precedent governing how to interpret statutes. Most importantly, allowing exceptions to the Wiretap Act's otherwise absolute bar against the use of illegally obtained wiretap evidence will only continue the growing privacy intrusions caused by wiretaps.
In the ten years since the passage of the PATRIOT Act, the number of wiretap authorizations has almost doubled.1 And the estimated2 number of people who are being wiretapped has increased as well.
Meanwhile, the percentage of intercepts considered "incriminating" is decreasing.
So has the percentage of intercepts resulting in actual convictions.
And one last alarming statistic stands out: between 2001 and 2010, while there were 19,282 wiretaps authorized, only three(!) wiretap applications were denied.3 The conclusion is simple: more people and conversations not connected to criminal activity are being recorded with little judicial scrutiny. Allowing courts to create exceptions to the strong privacy protections in the Wiretap Act only encourages this dangerous trend. While the lower court should be applauded for holding the government accountable to the minimization requirements of the Wiretap Act, it nonetheless aided the government in defeating privacy by allowing it to play to the jury an illegally obtained recording. So despite breaking the cookie jar, the government gets to have its cake and eat it too.
Hopefully, the Supreme Court will grant certiorari and restore the strong protection in the plain text of the Wiretap Act. And if courts are concerned that litigants can get away with perjury absent an impeachment exception to the Wiretap Act, the solution is for Congress to amend the law, not for judges to invent exceptions to the Wiretap Act out of whole cloth—particularly when these invented exceptions only lead to greater privacy risks to innocent individuals.
12 years ago, hundreds of thousands of Serbians filled the streets of Belgrade, blocking the entire city in protest of Slobodan Milošević’s regime. At the time such a widespread protest had seemed unimaginable. Before the uprising, the mood in the country was melancholic, cynical, and hopeless amid disillusionment with a government that became plagued with corruption, repression, and war. An unprecedented campaign of civil resistance against the Milošević regime paved the way for eventual democratic reform and Serbian independence in 2006. One influential aspect of this movement was the young students who inspired their country to leap into political and creative action through a 100-day plan—100 days of debate, dancing, performances, and workshops.
These days, activism and political engagement continue to be prevalent around the world. People are now largely relying on the Internet for raising political awareness and organizing campaigns in their communities. Through the Arab Spring, the Occupy movement, Internet protests against SOPA, PIPA, and ACTA, as well as other popular movements, the world continues to see how the Internet unleashes the creative potential of the masses to transform political attitudes and policy debates. The SHARE Conference in Serbia builds on these leading movements, rekindling the passion of anti-Milošević protests to tackle a new repressive threat: Internet censorship, surveillance, and locks on digital culture.
The SHARE conference is in its second year. It was founded by many of the young activists who started the instrumental student campaign in 2000 to resist the Milošević regime. Now called the Exit Festival, the movement has turned into one of the biggest annual music festivals in southeastern Europe. Staying truthful to their activist roots, however, Exit Festival hosts various talks on Internet and politics, in which EFF has participated.
On April 26 - 28, EFF will again participate in the conference in Belgrade, Serbia, speaking against surveillance regimes. SHARE will gather more than two thousand thinkers, innovators, and activists for three days of enlightening lectures, engaging workshops, contemporary music, and nights full of dancing, at the Dom Omladine — Belgrade Youth Center.
SHARE by Day: The Internet as a Space for Resistance
This year’s SHARE conference comes at a watershed moment in the Internet freedom movement. SHARE’s speakers will include street-art groups, security researchers, dissidents, innovators, and freedom fighters — individuals who have used the Internet to inspire radical change and community action. This year’s SHARE conference focuses on both the benefits and challenges of the Internet. Participants will discuss how they use the Internet to create, learn, innovate, and stir political action for positive social change. At the same time, they will examine the Internet’s dangers and the methods of mitigating its capacity to trace, track, and secretly surveil individuals.
SHARE by Night: Art, Music and Activism
“SHARE by Night,” the conference’s music program, presents innovative international electronic and contemporary music blended together with the talents of the local clubbing scene. Last year, Improv Everywhere stormed the streets of Belgrade with a “mobile party.” Crowds of onlookers stood in awe and joined in the celebration as speakers and young attendees danced through the night. SHARE by Night is keeping its full performance lineup secret until the date approaches, and no one can foresee all the spontaneous events that will surely take place throughout the conference.
A few EFF picks from Share’s 2012 lineup ...
Voina — A collective of provocative Russian street-artists known for its politically charged performance art. Since the very beginning, Voina has been involved in a variety of radical art against former KGB headquarters, police repression measures, and the Russian political system at large. Due to its radical art, members of their collective were jailed until Banksy bailed them out in 2010.
George Hotz — A security researcher who developed a code to jailbreak the iPhone and Sony Playstation 3. Last year, Sony sued Hotz and other security researchers who disclosed security vulnerabilities in the PS3 that had allowed users to install and run the Linux operating system on their consoles.
Slava Mogutin — Siberian-born artist and writer exiled from Russia at the age of 21 for his queer writings and activism. In the past decade, Mogutin’s photography and multimedia work have been exhibited internationally. At SHARE, he will present his work and his ongoing battle with censorship.
Vuk Ćosić — Active in politics, literature and art since 1994, Ćosić is well known for his ground-breaking work as a pioneer in the field of net.art. His evolving oeuvre is characterized by an interesting mix of philosophical, political, and conceptual network-related issues on the one hand, and an innovative feeling for contemporary urban and underground aesthetics on the other.
Rob van Kranenburg — Kranenburg will examine the impact Radio Frequency Identification has on cities and the wider society. At the same time, he will reflect on possible alternative network technologies to safeguard our privacy and empower citizens. It will be both a timely warning and a call to arms.
Peter Sunde — Berlin-based Swedish IT expert best known for co-founding The Pirate Bay. Sunde is currently working on the Flattr project, which is a microdonation system that enables viewers of websites to make small donations by clicking a "Flattr this" button.
Khannea Suntzu — Apart from being a conceptual artist, an independent blogger, a futurist, and a hobbyist-philosopher, Khannea supports radical democratization and advocates the extension of fundamental human rights. Her work resounds a warning about the dangers of "technological unemployment" in creating effectively irreversible societal divisions. She argues for proactive social activism against this growing disparity.
Sawor Mon — Of Hmong descent, Mon lives in Burma, a country that was, until recently, under military dictatorship and is currently led by a military-backed government. The most common term among activists for this type of government is the “hybrid regime.” Mon argues that the Internet is an essential tool for combating political brainwashing and propaganda.
Church of Kopimism / Isak Gerson — Isak Gerson, a philosophy student from Stockholm, had a couple of issues while attempting to get the Church of Kopimism recognized by the Swedish authorities. The main belief of this religion is that copying and sharing information are ethically and morally correct. One of their key dogmas is that CTRL+C and CTRL+V are sacred symbols.
SHARE partners with Bturn — an international online magazine covering music, film, and art in Balkan and Eastern European cultures. Bturn will continue to highlight picks in the days to come until the day of the Conference.
SHARE will also host discussions by Smari McCarthy on the crowdsourced reform of the Icelandic Constitution, Jérémie Zimmermann from La Quadrature du Net on arguments against ACTA, Elizabeth Stark on the Open Video Alliance, EFF’s Katitza Rodriguez on the reality of mass surveillance as seen in films, Desiree Miloshevic from Afilias, and Google. There will be more speakers to come.
PayPal has instituted a new policy aimed at censoring what digital denizens can and can’t read, and they’re doing it in a way that leaves us with little recourse to challenge their policies in court. Indie publisher Smashwords has notified contributing authors, publishers, and literary agents that they would no longer be providing a platform for certain forms of sexually explicit fiction. This comes in response to an initiative by online payment processor PayPal to deny service to online merchants selling what they deem to be obscene written content. PayPal is demonstrating, again and to our great disappointment, the dire consequences to online speech when service providers start acting like content police.
Mark Coker, founder of Smashwords, described the new policy in a recent blog post. The policy would ban the selling of ebooks that contain “bestiality, rape-for-titillation, incest and underage erotica.” Trying to apply these definitions to all forms of literary expression raises questions that can only have subjective answers. Would Nabokov’s Lolita be removed from online stores, as it explores issues of pedophilia and consent in soaring, oft-romantic language? Will the Bible be banned for its description of incestuous relationships?
This isn’t the first time PayPal has tried its hand at censorship. In 2010, they cut off services to the whistleblower WikiLeaks, helping to create the financial blockade that has hamstrung the whistleblower organization. And as we explained when WikiLeaks was facing censorship from service providers: the First Amendment to the Constitution guarantees freedom of expression against government encroachment—but that doesn't help if the censorship doesn't come from the government. Free speech online is only as strong as private intermediaries are willing to let it be.
Frankly, we don’t think that PayPal should be using its influence to make moral judgments about what ebooks are appropriate for Smashwords readers. As Wendy Kaminer wrote in a foreword to Nadine Strossen’s Defending Pornography: “Speech shouldn’t have to justify itself as nice, socially constructive, or inoffensive in order to be protected. Civil liberty is shaped, in part, by the belief that free expression has normative or inherent value, which means that you have a right to speak regardless of the merits of what you say.”
But having a right to speak is not the same as having a right to be serviced by a popular online payment provider. Just as a bookseller can choose to carry or not carry particular books, PayPal can choose to cut off services to ebook publishers that don’t meet its “moral” (if arbitrary and misguided) standards.
Online payment providers like PayPal help many websites fund their very existence. As we explained in our interactive graphic Free Speech is Only as Strong as the Weakest Link, a payment provider can shut down controversial online speech by cutting off their means of financial support. And PayPal, the behemoth of online payment providers, has little incentive to compromise with small businesses that are punished through these arbitrary policies.
Unfortunately, Congress knows just how vulnerable online speech can be to the vagaries of payment providers. The Stop Online Piracy Act, defeated earlier this year after Internet-wide protests, contained language that would have allowed individuals and companies to cut off financial support for a website simply by sending an infringement notice to its payment providers or ad networks. No judge or jury would have been required.
The censorship of Smashwords is a blow to free speech and adds to the ever-growing list of examples of payment providers turned into content police.
Earlier this month, EFF called for the protection of Saudi blogger and journalist Hamza Kashgari, who had fled Saudi Arabia after tweets he wrote about the Prophet Mohammed provoked clerics to demand that he be tried for apostasy, and members of the public to call for his murder. Kashgari had been a columnist for the Jeddah-based newspaper Al Bilad until outrage over the tweets, when Saudi Minister of Culture and Information Abdul Aziz Khoja ordered Kashgari “not to write in any Saudi paper or magazine,” an order which Kashgari also posted to his Twitter account. As outrage mounted, Kashgari retracted his statements, deleted his Twitter account, apologized for the comments, and finally fled the country in response to mounting threats on his life.
Upon arriving at the airport in Kuala Lumpur, Malaysia, on his way to seek refuge in New Zealand, Kashgari was arrested by security officials at the request of the Saudi government. Malaysia and Saudi Arabia do not have an extradition treaty, but they do maintain good relations. EFF was among the many organizations that called on Malaysian Prime Minister Najib Tun Razak to release Kashgari from detention and stop extradition proceedings, reminding the Prime Minister that, as a member of the UN Human Rights Council, his nation is committed to upholding the highest human rights standards, which is inconsistent with allowing Kashgari to be extradited back to a country where he faces serious threats to his life.
Mohammed Noor, Kashgari’s lawyer in Malaysia, was able to obtain a court order to prevent the deportation, but he was not allowed to see his client before he was put on a plane and repatriated to Saudi Arabia. Noor told the Associated Press:
“We are concerned that he would not face a fair trial back home and that he could face the death penalty if he is charged with apostasy.”
Kashgari is now in detention in Saudi Arabia. Several sites and petitions have been set up to support him and call for his release. Kashgari is being represented by prominent human rights lawyer Abdul-Rahman al-Lahem, who has stated that he will push for this case to be argued before a committee in the information ministry instead of a Sharia court. Even if Kashgari is not charged with apostasy, a crime which carries the death penalty, the blogger and journalist continues to face threats to his life from Saudi militants. A Facebook page titled “The Saudi people want the execution of Hamza Kashgari,” has over 26,000 members. It is not enough for the Saudi government to release Kashgari—they must allow him to leave the country for his own safety.
The Electronic Frontier Foundation will continue to keep a close eye on developments in Saudi Arabia. Freedom of expression is a fundamental human right. No one deserves to be killed, whether by his or her government or by fellow citizens, for something they write in a 140-character tweet.
The world’s attention has recently turned to the question of how to hold companies accountable for knowingly marketing, selling and adapting the tools of surveillance to repressive regimes. U.S. and E.U. companies’ equipment has been linked to torture and other human rights violations in many Middle East and North African countries, along with longstanding cases involving similar allegations in China. Most recently, evidence suggests prominent American journalist Marie Colvin may have been tracked via her satellite phone before being killed by government forces in Syria. Public pressure on companies to “Know Your Customer” and take other actions to avoid having their tools used as part of human rights violations is intensifying. The European Parliament has begun the first steps in banning sales of this technology to authoritarian governments, and the U.S. Congressman Chris Smith (R-NJ) introduced a bill, the Global Online Freedom Act, which is in part aimed at this problem.
But there is another avenue for justice: the U.S. courts.
Aiding and abetting, and conspiracy to commit crimes, have long been illegal under U.S. law, and it’s not difficult to see how surveillance tools used to commit human rights violations — especially ones specifically and knowingly modified or supported by a company — could qualify under these or other longstanding laws. In fact, there are two pending cases in the U.S. right now raising those claims against Cisco based on evidence that the company knowingly marketed, sold and specially adapted tools that the Chinese government uses to target Chinese democracy activists and members of the Falun Gong religious minority.
That’s right. Two years after holding that corporations must be allowed to fully participate in funding candidates in U.S. elections, the Supreme Court will consider whether corporations are nonetheless completely immune from claims alleging that they helped commit gross human rights abuses.1
There’s nothing particularly novel about corporate liability for facilitating the bad acts of others. While a corporation cannot go to jail, corporations are regularly held civilly and even criminally liable for involvement in the offenses done by others. Thus, a company that facilitates money laundering can be held liable, and, as EFF members well know, a company can also be secondarily liable for the copyright infringements of others. The two cases concern two different laws: the Alien Tort Statute (ATS) in Kiobel and the Torture Victim Protection Act (TVPA) in Mohamad. While the constitutional analysis under the First Amendment in Citizens United and the statutory interpretation of the TVPA and ATS in these cases are not exactly the same, the public’s concern that the Supreme Court may embrace a world in which corporations have all the rights, but none of the responsibilities, of ordinary people is very real.
How did we get here? In the United States, people have long been held liable for knowingly assisting in human rights abuses even when they are committed overseas. Under case law going back to Filártiga v. Peña-Irala in 1979, people who helped foreign governments engage in torture, summary execution or slavery have been held responsible in both civil and criminal courts. Recently these same claims, on the same standard, have been applied to companies, ranging from one using slave labor to build a pipeline in Burma, to one who helped in the wrongful hanging of Nigerian human rights hero Ken Saro-Wiwa. The cases are not easy, and only apply to a set of extreme human rights violations like torture and execution, but they provide a measure of justice to those who have faced horrific human rights abuses, and hopefully, a strong disincentive for corporations to get involved in the dirty business of assisting in human rights abuses abroad in the first place.2
This is where mass surveillance companies selling technology to authoritarian regimes come in. For months now, we have seen increasing evidence that U.S. and E.U.-based companies have been selling spying technology that has led to the torture and summary execution of journalists, human rights advocates, and democratic activists.
In Bahrain, dozens of recent political prisoners have testified that government officials tortured them before reading back transcripts of text messages and emails likely obtained through these technologies. In Syria, just as the government was ramping up its deadly crackdown on democratic protests, the Italian company Area SpA rushed to complete a “monitoring center” that could not only read every email in the country, but track citizens’ locations via GPS in virtual real-time. Technology from U.S.-based companies Hewlett Packard and NetApp has also been linked to Syria, according to Bloomberg. And in Libya, the Wall Street Journal reported that “a surveillance center in Tripoli provides clear new evidence of foreign companies' cooperation in the repression of Libyans under Col. Gadhafi's rule.” Similar reports have emanated from Iran.
Despite these damning investigations from Bloomberg and the Wall Street Journal, dozens of companies are still operating with little oversight or accountability if they knowingly sell and facilitate their products for use to commit these human rights abuses. On the contrary, business appears to be booming; the market for these products has increased to $5 billion a year.
Those looking for tools to help hold companies accountable for selling the surveillance state to foreign despots should be watching the Supreme Court closely. Kiobel and Mohamad will be argued February 28, and should be decided by late June. More information about the cases is available at corporateaccountabilitynow.org. While some judicial avenues will still exist even if these cases fail, if the Court does require the same responsibilities of corporations not to torture that it already requires of humans, it may help hold these surveillance companies accountable in the courts when they are responsible for assisting in human rights atrocities around the world, and more importantly, it may hopefully help dissuade companies from getting into bed with these repressive governments in the first place.
1. There’s nothing particularly novel about corporate liability for facilitating the bad acts of others. While a corporation cannot go to jail, corporations are regularly held civilly and even criminally liable for involvement in the offenses done by others. Thus, a company that facilitates money laundering can be held liable, and, as EFF members well know, a company can also be secondarily liable for the copyright infringements of others.
2. Note that EFF is counsel in one of the cases, Bowoto v. Chevron, involving Chevron’s helicoptering in, overseeing and payment of Nigerian forces who opened fire on protesters in Nigeria, and in that capacity we also signed on to an amicus brief in the Supreme Court urging the Supreme Court to find that corporations can be liable under the TVPA.