Individual Control. Consumers have a right to exercise control over what personal data companies collect and how they use it.
Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.
Respect for Context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Security. Consumers have a right to secure and responsible handling of personal data.
Access and Accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
Focused Collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
The Administration vowed to push toward enacting these foundational principles into law, and encouraged Congress to give the Federal Trade Commission the sign-off to enforce them. The Department of Commerce will also bring together companies, consumer groups, and other stakeholders to develop legally enforceable codes of conduct for particular markets.
Finally, the Administration's framework will encourage global data protection by promoting mutual recognition of nations' privacy frameworks and cooperative enforcement among countries.
EFF applauds the principles underlying the White House proposal and believes it reflects an important commitment to safeguard users' data in the networked world without stifling innovation. Only time will tell whether the proposal will be implemented in a way that effectively protects user privacy, and that's where the rubber meets the road. We'll have more to say about that in the coming days.
Yesterday morning, journalist Marie Colvin of the Sunday Times of London was killed, along with French photographer Rémi Ochlik, in the besieged city of Homs, Syria, where more than 400 people have been reported dead in recent weeks.
Disturbingly, the Telegraph, the Toronto Globe and Mail, and the Associated Press all reported that Colvin and Ochlik were likely deliberately killed by the Syrian army and their location may have been tracked down through their satellite phones.
On Monday night, Colvin appeared on CNN, telling Anderson Cooper that “the Syrian army is shelling a city of cold, starving civilians.” Responding to Syrian president Bashar Al Assad’s statement that he was not targeting civilians in the barrage of rocketfire raining on Homs, Colvin accused the regime of “murder” and said: “There are no military targets here…It's a complete and utter lie that they are only going after terrorists.” A few hours later, she was dead.
The Telegraph quoted Jean-Pierre Perrin, a journalist for the Paris-based Liberation newspaper who was with Colvin in Homs last week, as saying: “The Syrian army issued orders to 'kill any journalist that set foot on Syrian soil'” and that the Syrian authorities were likely watching the CNN broadcast. The Telegraph then described how “[r]eporters working in Homs, which has been under siege since February 4, had become concerned in recent days that Syrian forces had ‘locked on’ to their satellite phone signals and attacked the buildings from which they were coming” (emphasis ours).
How could this happen?
At this point, we don’t know how Colvin and Ochlik were located, but based on the various reports, it is possible that they were located using surveillance technology that tracked their satellite phones.
There are a few different ways by which satellite phones can be tracked. The first—and easiest for a government actor—would be to simply ask or pressure a company to hand over user data. This is not beyond the realm of possibility (readers might recall an incident in which Yahoo handed over information about a Chinese dissident to his government, resulting in a ten year prison term), but is just one of several methods.
Satellite phones can also be tracked by technical means, and there is ample technology already on the market for doing so. Examples include a portable Thuraya monitoring system by Polish company TS2, which also counts several US government agencies as clients; systems for monitoring Thuraya and Iridium phones, created by Singaporean company Toplink Pacific; and satellite phone tracking technology from UK-based Delma MMS.
Authorities can find the position of a satellite phone using manual triangulation, but in order to track a phone in this manner, the individual would need to be relatively close by. Nowadays, however, most satellite phones utilize GPS, making them even easier to track using products widely available on the market such as those mentioned above. Some of these products allow not only for GPS tracking, but also for interception of voice and text communications and other information.
Security researcher and Tor developer Jacob Appelbaum says that satellite communications systems do not respect user location privacy needs, and aside from surveillance without the cooperation of a satellite phone provider, “such a company may betray a user’s location on purpose or by accident.” Research published last year by the German Horst-Goertz Institute for IT Security found that satellite phones use weak cryptographic ciphers that could easily be broken by sophisticated attacks. The research identified serious security flaws in the encryption systems used by the two competing satellite phone standards, GMR-1 and GMR-2.[1]
Appelbaum added via email:
Satellite phone systems and satellite networks are unsafe to use if location privacy or privacy for the content of communications is desired. These phone protocols are intentionally insecure and tracking people is sometimes considered a feature. Some high security users are given special access that merely sends the spot beam ID, rather than the full GPS into space and thus to the satellite network. This privacy option should be available to everyone today without any action on their part - it would partially improve the location privacy needs of users. Sadly, direction finding would be entirely unaffected. Also sadly, it will not make the communications secure but it would probably save lives. It's too bad that journalists have had to die for this discussion to happen.
A Growing Problem
The news of this potentially deliberate attack on journalists, possibly using surveillance gear sold to them by Western companies, follows a report by CNN on Sunday which claimed that dozens of opposition activists in Syria have found their computers infected with malware that can spy on their every move. The virus, according to CNN, “passes information it robs from computers to a server at a government-owned telecommunications company.” And just today, the New Scientist quoted several Syrian activists fearful of the regime's technological capabilities.
Earlier this week, EFF profiled Italian mass surveillance company Area SpA, which in 2011 was rushing to install mass surveillance gear for Syrian intelligence agents just as the Syrian government was ramping up its violent crackdown on peaceful democratic protesters. As Bloomberg originally reported, Area SpA was to install “monitoring centers” that would give the Syrian government the ability “to intercept, scan and catalog virtually every e-mail that flows through the country” as well as “follow targets on flat-screen workstations that display communications and Web use in near-real time alongside graphics that map citizens’ networks of electronic contacts.” After a barrage of media attention and local protests at its Italian headquarters, Area SpA announced in late November that it would not complete the project as planned.
Previously, Syria was found to be using technology made by US company Blue Coat Systems to censor and surveil Internet users, despite initial denials from the company.
Colvin has put a human face on a problem that has plagued citizens of the Middle East for years now: surveillance equipment being used by despotic governments to track down journalists and activists, provided to them by Western technology companies. Now it’s possible this equipment directly led to the murder of an American journalist. The White House acknowledged Colvin’s death, saying, “It's a reminder of the incredible risks that journalists take...in order to bring the truth about what's happening in a country like Syria to those of us at home and in countries around the world.” It is time the President and Congress get serious about stopping these companies from selling this dangerous technology to authoritarian governments that violate human rights.
To that end, EFF has proposed a “know your customer” framework, based on already existing legal frameworks in the U.S. and E.U. that can be implemented without significant overhead cost to government or businesses. Simply put, companies selling surveillance technologies to governments or government providers need to affirmatively investigate and "know their customer" before and during a sale. EFF has already detailed an extensive framework for such regulations including questions, definitions, and procedures for how to accomplish it.
1. Benedikt Driessen et al., Don’t Trust Satellite Phones: A Security Analysis of Two Satphone Standards, Horst-Goertz Institute for IT Security, http://gmr.crypto.rub.de/
We're happy to announce the arrival of the new EFF Issues T-shirt! The back displays the full constellation of EFF's work areas: Privacy, Free Speech, Transparency, Fair Use, International, and Innovation.
In our ongoing search for a women's T-shirt with the perfect fit, we printed the women's style on Hanes ComfortSoft. These tees feature flattering sleeves and a more comfortable fit for greater ease whether you're navigating a server room, a court room, or the local coffee shop. See our T-shirt size chart for more information.
If you donated to EFF recently, be on the lookout for your long-awaited member swag with our gargantuan current shipment. In fact, for a limited time we are offering free expedited shipping so that new members can participate in Wear Your Swag to Work Day on March 8th!
If you haven't joined or renewed your EFF membership yet, what are you waiting for? Show your solidarity and celebrate 22 years of defending civil liberties online. Thank you for allowing us to keep fighting.
In a potentially troublesome decision, a federal district court has found that a start-up violated anti-spam and computer crime laws by creating and marketing a browser to let users view their social networking accounts in one place. The case demonstrates the difficulties facing those who seek to empower users to interact with closed services like Facebook in new and innovative ways.
Unfortunately, the latest round of the case has taken a downward turn in ways that could have serious implications for other innovators and users.
First, the court gave a tremendous cudgel to Facebook against commercial users who displease it when it decided that Power violated the federal CAN-SPAM Act by sending "misleading" messages. These messages encouraged users to send Facebook "Event" invitations to their friends to promote Power's service. As EFF pointed out in an amicus brief (pdf), though, the allegedly "misleading" elements of the message are supplied by Facebook itself—and can't be changed by users. This means that any user who sends a commercial message on Facebook is technically in violation of the law, since it appears to come from Facebook. The CAN-SPAM Act, passed in 2003, simply doesn't contemplate closed systems where the service provider controls many elements of a message.
To make matters worse, the CAN-SPAM Act only allows service providers to bring lawsuits, and it lets them seek crippling damages. Here, Facebook sought over $18 million. This is a clear example of a law vulnerable to misuse because technology has changed since it was written, and it wasn't even written a decade ago. EFF will be watching how Facebook and other services with closed messaging systems use CAN-SPAM in the future.
Second, the court found that Power violated state and federal computer crime laws merely by designing its tool to connect to Facebook using multiple IP addresses, which preemptively thwarted Facebook's efforts to keep users from accessing their Facebook accounts through the Power website. This precedent is especially troubling because these laws have both civil and criminal penalties. EFF is concerned that this precedent could be used in the future to criminalize the creation of tools that are capable of bypassing technological barriers, even if they are never actually used to do so, forcing innovators to anticipate every technical block that any interoperable system or program might possibly impose. This is an unworkable rule.
Facebook's case against Power is dangerous as a matter of policy, threatening to put the power of law—including serious criminal penalties—behind Facebook's anti-competitive decision to thwart consumer choice and innovation that doesn't meet its approval. It doesn't bode well for the future and should encourage all of us to think more seriously about the collateral problems created by closed networks.
And yet on the basis of a charge no more consequential than a speeding ticket, the New York City District Attorney's office sent a poorly worded subpoena to Twitter requesting "any and all user information, including email address, as well as any and all tweets posted for the period of 9/15/2011-12/31/2011" regarding Mr. Harris' Twitter account, @destructuremal. Unsurprisingly, the government wanted to keep it quiet, but thankfully Twitter didn't listen. Instead, as it has consistently warned law enforcement, Twitter notified Mr. Harris, who through his lawyer, Martin Stolar of the National Lawyers Guild, has moved to challenge the subpoena in court.
The subpoena is astonishing not only for its poor grammar, but also for the breadth of information the government wants for a trivial crime that hardly requires it. The government's request that Twitter hand over Tweets is unlikely to succeed because, consistent with the Stored Communications Act, Twitter releases "contents of communication" (effectively Tweets and private messages between Twitter users) only with a search warrant. In any event, Mr. Harris' account is "public", meaning the government could obtain Tweets simply by checking out Mr. Harris' Twitter feed. Plus, requesting Tweets only highlights the absurdity of the entire situation: why would the government need Tweets from both before and after the October 1 protest to prove he was obstructing traffic on the bridge? Government fishing expeditions like this raise serious First Amendment concerns. Mr. Harris was very outspoken about his support of and involvement in the Occupy Wall Street movement. With this overbroad subpoena, the government would be able to learn about who Mr. Harris was communicating with for an extensive period of time not only through Tweets, but through direct messages. And with the government's request for all email addresses associated with @destructuremal, they could subpoena Mr. Harris' email provider to get even more information about who he communicated with. The First Amendment shouldn't be trampled with only an expansive subpoena in a case that barely registers as "criminal."
Given that much of Mr. Harris' Twitter information (like Tweets and followers) is already public, it's very likely that the government was really after something else: location data. By attempting to subpoena these records, the government can get around the Fourth Amendment's prohibition against warrantless searches by requesting information that includes IP addresses. Twitter keeps track of IP address information regarding every time a person logged into Twitter, as well as the IP address information related to a Twitter user's direct messages to other users, and the date and time information related to these log ins and direct messages. Armed with IP addresses, the government -- without a warrant -- can go to an ISP to determine who was assigned that particular IP address. And if that person connected on a mobile device -- which is where the majority of Twitter users access their accounts -- the ISP will hand over to the government the specific cell tower (and its corresponding geographic location) which that person used to access Twitter. This allows the government to piece together a map of where a person physically is when he opens Twitter on his smartphone, sends a direct message to a friend, or Tweets. And with that information, the government could get a record of Mr. Harris' movement over the three months it requested from Twitter. It's no surprise then that the government singled out Mr. Harris for this request: he currently has over 1,500 followers and 7,200 Tweets.
Allowing the government to get its hands on this data with nothing more than an administrative subpoena renders the Fourth Amendment meaningless. Only with the protection of a search warrant, and the heightened judicial supervision that comes along with it, can the voracious appetite of law enforcement be curbed. As we've consistently argued, the Fourth Amendment protects this information. But another way to impose privacy protection from the prying hands of law enforcement is through Congressional reform of the badly outdated Electronic Communications Privacy Act ("ECPA"). As part of the Digital Due Process coalition, EFF has been calling for Congress to update ECPA to conform with the realities of the 21st century.
It looks like judicial momentum may finally be on our side. In January of this year, the United States Supreme Court issued a landmark decision in United States v. Jones (PDF), ruling that law enforcement could not physically install a GPS device on private property without a search warrant. The majority opinion resolved the Fourth Amendment issue by looking exclusively at the physical installation of the GPS device. Importantly, however, in a concurring opinion, Justice Sotomayor warned that "physical intrusion is now unnecessary to many forms of surveillance." Collecting IP addresses of a prolific Tweeter, and matching it with other easily obtainable information from other service providers, demonstrates this problem. In writing that society is unlikely to accept extensive warrantless surveillance as "reasonable", Justice Sotomayor called into question "the appropriateness of entrusting to the Executive, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent 'a too permeating police surveillance.'” Similarly, Justice Alito's concurring opinion noted that with "dramatic technological change, the best solution to privacy concerns may be legislative."
Hopefully with the public breathing down its neck, Congress can finally act to fix an antiquated set of laws. Malcolm Harris, like Birgitta Jonsdottir before him, took a stand to protect our privacy rights. You can too by telling Congress that it's time to update ECPA and tell law enforcement once and for all that in order to get a person's location data, it needs to come back with a warrant.
Iranian netizen under immediate threat of execution
According to a report from Reporters Without Borders (RSF), Saeed Malekpour, the 36-year-old web and circumvention tool developer who in January was sentenced to death, is now under threat of immediate execution. In the report, RSF writes: "The family of Saeed Malekpour [has reported] that his sentence order has been sent to the office responsible for carrying out sentences, which means that he could [be] executed at any time during the coming hours or days." Malekpour is currently in solitary confinement in Tehran's notorious Evin Prison.
EFF is extremely concerned for Malekpour. We stand with the scores of human rights and freedom of expression advocates in condemning his sentence issued by the Iranian state and urge Iran to reconsider Malekpour's sentence.
Syrian blogger released, others remain imprisoned
As we reported last week, more than a dozen Syrian human rights activists were arrested on January 16 during a raid on the Syrian Center for Media and Freedom of Expression. Among them were bloggers Razan Ghazzawi (who was conditionally released on February 18) and Hussein Ghrer, both of whom were imprisoned in 2011 without trial. Ghrer remains in prison.
EFF condemns the Syrian state for these attacks on free expression, and calls for the immediate release of those arrested in the raid. We renew our call on the international community to take notice of these alarming events unfolding in Syria, and to demand the Syrian authorities to end their campaign of repression by continuing to discuss and publicize these events on as many online venues as possible.
89 "online" journalists imprisoned all over the world
The Committee to Protect Journalists (CPJ) has released its 2011 annual 'Attacks on the Press' report, detailing the global threats to press freedom. CPJ's research documented a total of 179 journalists imprisoned as of December 1, 2011, a whopping 89 of whom were "journalists whose work appeared primarily online."
Though the entirety of the lengthy report is of interest to free expression advocates, Executive Director Joel Simon's chapter, entitled 'The Next Information Revolution: Abolishing Censorship' will be of particular interest to those concerned with digital rights. The chapter elucidates the jurisdictional concerns pertinent to the globalized nature of the Internet, highlighting the need for a "broad global coalition against censorship that brings together governments, the business community, civil society organizations, and the media" to ensure that freedom of information is respected in practice.
[UPDATE 2/22/2012]: It is important to note that disabling Web History in your Google account will not prevent Google from gathering and storing this information and using it for internal purposes. More information at the end of this post.
Here's how you can do that:
1. Sign into your Google account.
2. Go to https://www.google.com/history
3. Click "remove all Web History."
4. Click "ok."
Note that removing your Web History also pauses it. Web History will remain off until you enable it again.
[UPDATE 2/22/2012]: Note that disabling Web History in your Google account will not prevent Google from gathering and storing this information and using it for internal purposes. It also does not change the fact that any information gathered and stored by Google could be sought by law enforcement.
With Web History enabled, Google will keep these records indefinitely; with it disabled, they will be partially anonymized after 18 months, and certain kinds of uses, including sending you customized search results, will be prevented. If you want to do more to reduce the records Google keeps, the advice in EFF's Six Tips to Protect Your Search Privacy white paper remains relevant.
If you have several Google accounts, you will need to do this for each of them.
This is the second part in an EFF series. Part I, on UK-based FinFisher and France-based Amesys, can be read here.
On Sunday, CNN reported that dozens of activists in Syria have had their computers infected with malware that allows supporters of dictator Bashar al-Assad to spy on their every move. The virus, according to CNN, “passes information it robs from computers to a server at a government-owned telecommunications company.” Meanwhile in Iran, the government has cut off most encrypted web traffic flowing through the country, meaning ordinary Iranians have lost the ability to safely use many popular communications tools like Gmail, Twitter, and Facebook.
Unfortunately, these stories are just the latest examples of authoritarian governments stifling Internet freedom, as many governments in the Middle East have a long history of using technology to censor, track, and arrest dissidents. Critically, though, these governments would not have these capabilities without the help of American and E.U. companies that sell this state-of-the-art spying equipment. Two of the worst purveyors of this technology, Trovicor and Area SpA, are profiled here:
Area SpA—based outside Milan, Italy
In 2011, at the same time that news of Syria’s violent crackdown on democratic protests graced the pages of the world’s newspapers, an Italian company called Area SpA was busy helping Syrian dictator Bashar al-Assad electronically track the dissidents his army was firing upon in the streets. Area SpA had begun installing “monitoring centers” that would give the Syrian government the ability “to intercept, scan and catalog virtually every e-mail that flows through the country” as well as “follow targets on flat-screen workstations that display communications and Web use in near-real time alongside graphics that map citizens’ networks of electronic contacts.”
Worse, as the violence in Syria escalated in mid-2011, “Area employees [were] flown into Damascus in shifts” in the government’s push to finish the project, according to a report from Bloomberg News.
Fortunately, following the Bloomberg investigation, local papers picked up the story and protests sprang up outside Area SpA’s Italian office. Area SpA announced at the end of November it would not complete the contract and released a statement saying the company is “against all forms of repression and disapproves of any use of technology for violating human rights.” Yet Syria’s violent crackdown was well underway in March while Area SpA was actively moving equipment into the country. “With the gear in Syria, deployment of [Area SpA’s surveillance technology] unfolded in parallel with Assad’s escalating crackdown,” Bloomberg reported.
By the time Area SpA claimed it would exit the country in November, the civilian death toll in Syria already stood at more than 3,000.
According to Bloomberg, Area SpA has stated “it was exploring legal options for the release of proprietary materials, without identifying any parties.” Italian authorities should take them up on their offer and force them to answer questions about their business in Syria and any other country where human rights are routinely violated.
Trovicor, owned by Perusa Partners Fund 1 LP—based in Germany
Trovicor is perhaps the most prolific of the mass surveillance companies, having sold spy technology to a dozen countries in the Middle East and North Africa.
The company first made headlines two years ago when they were still a subsidiary of Nokia Siemens for reportedly supplying technology to Iran in the wake of the 2009 post-election uprising. Protests over the sale eventually forced Nokia Siemens to divest from Trovicor, but the company lives on under its new owners, Perusa Partners Fund, and is still actively helping dictators spy on their citizens.
In Bahrain, Trovicor helped install and still maintains sophisticated “monitoring centers” used to surveil democratic activists’ emails, text messages and phone calls despite ample evidence of human rights violations. Almost two dozen former political prisoners recently testified to the England and Wales lawyers association that they were beaten and subsequently interrogated while being shown transcripts of emails and text messages. There have been at least 140 documented allegations of torture in Bahrain in the past year.
In Tunisia, Trovicor was also one of many companies selling equipment to former president Ben Ali, whose system was so advanced, it prompted the new head of the Tunisian Internet Agency Moez Chakchouk to say, "I had a group of international experts from a group here lately, who looked at the equipment and said: 'The Chinese could come here and learn from you.'"
Here’s how Bloomberg describes Trovicor’s dangerous capabilities:
[Trovicor’s] toolbox allows more than the interception of phone calls, e-mails, text messages and Voice Over Internet Protocol calls such as those made using Skype. Some products can also secretly activate laptop webcams or microphones on mobile devices. They can change the contents of written communications in mid-transmission, use voice recognition to scan phone networks, and pinpoint people’s locations through their mobile phones. The monitoring systems can scan communications for key words or recognize voices and then feed the data and recordings to operators at government agencies.
Dutch member of the EU parliament Marietje Schaake has called on the EU Commission to investigate Trovicor and other companies that have sold surveillance equipment to Bahrain, along with Tunisia, Egypt, Syria, and Iran. EFF echoes MEP Schaake’s call for an investigation, as transparency about who these companies are selling to and what the technology is being used for is the first step towards solving the problem.
In addition, EFF has recommended the EU and US push companies to adopt “know your customer” standards that would prevent them from selling surveillance technology to governments known for violating human rights. The EU and US can easily induce companies to adopt such a policy by tying it to government contracts. This could help prevent these types of sales from happening again, as many companies, including Area SpA and Trovicor, also sell equipment to Western governments for legitimate lawful purposes.
Democracy activists, human rights activists, bloggers, and journalists around the world will continue to suffer as long as these companies believe that it is okay to sell this technology to dictators.