Looks like proponents of the Internet Blacklist Bills are finally beginning to realize that they won't be able to ram through massive, job-killing legislation without a fight. First, Sen. Patrick Leahy, sponsor of the PROTECT-IP Act (PIPA), announced on Thursday that he would recommend that the Senate further study the dangerous DNS blocking provisions in that bill before implementation. Then, a group of six influential senators wrote to Sen. Harry Reid, the Senate Majority Leader, urging that the Senate slow down and postpone the upcoming vote on PIPA. Sen. Ben Cardin, a co-sponsor of PIPA, also took a measured stance against the bill, saying he "would not vote for final passage of PIPA, as currently written." Cardin cited constituent activism as the primary reason for the about-face.
On the House side, Rep. Lamar Smith, sponsor of PIPA's dangerous counterpart, the Stop Online Piracy Act (SOPA), announced today that he would completely remove the DNS blocking provision from the House bill.
It's heartening to see Congress take steps in the right direction, and it wouldn't have happened without the work and commitment of the many internet communities who have rallied to fight these dangerous bills. We should be proud of the progress we've made.
But let's be clear – we still have a long fight ahead and we face formidable foes. Both bills still contain fundamental flaws that threaten freedom of speech and the future of the Internet. We’ve written before, for example, about the threats to the human rights community, to students, to software development, and to the economy. These threats remain. What is worse (and we can't say this enough) is that this legislation, if made law, will do little to stop online infringement. These bills cannot be fixed – they must be killed. So let's keep the pressure on!
Security Experts and Tech Investors Scheduled to Testify; Worldwide Internet Protest Gathering
There’s some good news in the efforts to stop the Internet blacklist bills (SOPA/PIPA): Representative Darrell Issa, an outspoken SOPA critic and the author of alternative legislation called the OPEN Act, has announced that the Oversight and Government Reform Committee will hold a hearing on January 18 to hear from actual technical experts, technology job creators, Internet investors and legal scholars.
EFF’s activists will be providing live coverage of the event through our EFFLive Twitter account. A number of online activists are strategizing plans for a “SOPABlackout” — “censoring” websites and logos to draw attention to the hearing and showcase the widespread opposition to the censorship bills. We’re glad to see lots of sites participating and we’re urging folks to use social networks on January 18 to help spread the word.
The Oversight Committee hearing will address the topic of Domain Name Service (DNS) and search engine blocks generally, and explore ways for the government to avoid legislation that would hamper economic growth. Of course, as active and controversial legislation, SOPA and its evil twin in the Senate, the PROTECT IP Act (PIPA), are certain to be discussed at length.
Here’s a look at the witnesses scheduled to speak:
Alexis Ohanian is a founder of Reddit, the social news platform that has been the site of numerous anti-SOPA discussions. He’s spoken out against the bill personally, saying: “This legislation affects my entire industry and livelihood. We never would’ve been able to start Reddit if SOPA were the law, and I worry about all of the future innovation we’d miss out on if it were to pass.”
Stewart Baker, the former Homeland Security Assistant Secretary and former General Counsel for the NSA, is certainly an expert on the issue of cyber-security and the law. He’s also been a vocal critic of SOPA, explaining the security problems with the original bill and the manager’s amendment in an extremely cogent blog post titled SOPA-rope-a-dopa.
Brad Burnham is a founder of the prestigious Union Square Venture investment firm. Union Square has been behind some very high-profile tech companies, like Twitter and Foursquare, in the seven years since its founding, supporting job creation and innovation in the tech sector. Burnham is rightly concerned that legislation like SOPA could undermine his investments and the Internet itself. In a personal blog post, he lays out the problem:
The current legislation in Congress does not just create an administrative burden, it requires service providers who have built wonderful businesses on a deep conviction about human nature to change their relationship with their users in a way that subverts their core values.
Daniel Kaminsky is the well-known security expert known for discovering a major vulnerability in the DNS system — the sort that the DNSSEC initiative is designed to address. He is one of 21 “Trusted Community Representatives” involved in the DNSSEC implementation process. He is a signer of the “Open Letter From Internet Engineers” first published by EFF and read into the Congressional record by Representative Issa.
Lanham Napier is the CEO of Rackspace, a major IT company based in Chairman Smith’s home state of Texas. Rackspace serves 160,000 business customers, including 40% of Fortune 100 companies, and thus has a serious stake in the health of the Internet. In a post on the Rackspace blog, Napier describes SOPA as “a deeply flawed piece of legislation … bad for anyone who uses the Internet … bad for job creation and innovation.”
Dr. Leonard Napolitano is the Director of the Center for Computer Sciences & Information Technology at Sandia National Laboratories, a government-owned institution devoted to national security. Napolitano sent a letter to Representative Zoe Lofgren, another Congressional opponent of the bill, in response to her request that Sandia conduct a technical assessment of the legislation. The letter reports Sandia’s conclusion that SOPA and PIPA would “negatively impact U.S. and global cybersecurity and Internet functionality.”
These witnesses, indisputably experts in their fields, are exactly the kind of people Congress should consult before crafting laws that would fundamentally affect the Internet.
Chairman Issa is doing important work bringing these issues to the attention of the Oversight Committee, but the legislators need to hear your voice too.
If there were ever a lawsuit that invited sanctions against the people who filed it, this one is it: a case against two database developers by a company that claims a copyright on the time of day.
Quick background: last fall, Astrolabe, an astrology software company, sued Arthur David Olson and Paul Eggert, researchers who have coordinated the development of a database of time zone information for decades. The database is an essential tool used by computers around the world to determine local time so, for example, files and email messages can be organized and time-stamped accurately. Astrolabe claimed that Olson and Eggert had infringed its copyright because the database relies, in part, on information in an atlas to which Astrolabe owns the rights (the ACS International Atlas).
We’ve seen a lot of bogus lawsuits over the years, but this one is a doozy. Facts are not copyrightable, which means the developers were free to use the Atlas as a source. What is more, it appears that Astrolabe knew that the database contained only facts from the Atlas – its Complaint states repeatedly that the database developers copied “information” – i.e., facts. Indeed, the case would be laughable but for the dangerous consequences: Confronted by this legal threat, and lacking the resources to defend himself, Olson promptly took the database offline, to the shock and dismay of the many users and developers who relied upon it.
But Olson and Eggert soon found they had allies in the fight. EFF signed on to defend them, with assistance from Boston copyright attorneys Adam Kessel and Olivia Nguyen, of Fish & Richardson. And then we waited for Astrolabe to actually serve Olson and Eggert, which would allow litigation to commence in earnest. Perhaps realizing the absurdity of its legal position, however, Astrolabe didn’t bother to take that next step, leaving Olson and Eggert in legal limbo.
Today, we’re taking the battle to Astrolabe, and starting the process for seeking sanctions under Rule 11 of the Federal Rules of Civil Procedure. Rule 11 requires litigants to conduct a reasonable inquiry into the facts and law before filing any paper with the court. Obviously, that didn’t happen here. Astrolabe now has 21 days to withdraw its Complaint. If it doesn’t do so, the Rule 11 “safe harbor” expires and we’re free to ask the court for sanctions. Once the court reviews Astrolabe’s preposterous claims, and their dangerous consequences, we expect it will agree with us and punish both the company and its attorney so they never again try to abuse the legal process.
The Iranian regime is doing everything they can to scare their citizens into silence. Ranked among the worst in the world in terms of online censorship, Iran has taken harsher, increasingly sophisticated steps to stifle free expression online and condemn the act of information sharing in light of increasing political and economic tensions. While a recent initiative to create a national “halal” Internet would essentially block Iranians from the outside world, last week the country’s Ministry of Information Communication Technology (MICT) also issued regulations that force Internet cafés to install security cameras, document users’ browsing history and usage data, as well as collect personal information for each session of use. Worse still, bloggers continue to be arrested, detained, and now, even sentenced to death.
This week, Reporters Without Borders reported that two bloggers sentenced to death in January 2011 over charges of promoting anti-state, anti-Islamic sentiments have just had their sentences confirmed. Both men have been detained since 2008 and have reported torture.
Vahid Asghari, a 24-year-old student in India, was arrested on May 11, 2008 at Tehran Airport and accused of hosting websites with “pornographic” content critical of the government. Amnesty International reports that Asghari wrote to a judge that “he had been subjected to torture, forced to make a televised ‘confession’ and forced to make spying allegations against high profile blogger Hossein Derakhshan.”
Saeed Malekpour, a 36-year-old web and circumvention tool developer based in Canada, was arrested over several charges, including “acting against national security through propaganda against the Islamic Republic,” “insulting and desecrating the principles of Islam,” and “production and publication of obscene materials through computer systems.” United for Iran reports that he had created a photo-uploading program, and that it had been used to upload pornographic images without his knowledge. He was sentenced to death last week as a “corrupter of the earth.” While the government officially acknowledges executing 17 people since the start of the new year, Amnesty International reports receiving information that the true number may be closer to 39 executions.
Other bloggers are also under threat. In December 2011, 50-year-old Iranian blogger Mohammad Reza Pour Shajari (AKA Siamak Mehr) was charged with “waging war against God” by openly criticizing the state on his blog, Iran Land’s Report. And Rojin Mohammadi, a medical student in the Philippines, was arrested in November and is being held without charges at Iran’s notorious Evin Prison.
New restrictions on Internet use
In another front in their war against free expression, the MICT last week issued 20 new regulations on cybercafés. This crackdown is notable because these cafés have become a cultural center for youth in many towns and neighborhoods, attracting activists and others who believe that their own computers could be compromised. The data collection program is intended to curb political activities and ensure that they have records of anyone who attempts to circumvent content blocks or bans. Collected information includes the date and time of usage, and IP address and URLs of the websites they visited. Cybercafés will also be required to write down “forename, surname, name of the father, national identification number, postcode, and telephone number of each customer.” This information must be retained by cafés for at least six months. On January 1st, 43 Internet cafés in the Birjand region have already been raided by the Iranian Internet Police for failing to follow these new regulations.
The Iranian government’s plans to create a “national Internet” that would cut off a majority of their citizens from the global web and “replace” it with their own appear to have entered an implementation phase. Whereas current censures target content related to political opposition, social movements, and any other content they deem to be offensive, this new parallel domestic network would effectively block any foreign site regardless of its content and only allow internal communication within the country. If the Iranian government succeeds in creating this so-called ‘halal’ Internet, Iran would essentially cease to have access to the global Internet at all and be limited to an intranet only carrying state-controlled content. Recent reports of slow Internet connections in the country indicate that this so-called “halal Internet” is truly underway. The Wall Street Journal reports domestic media sources as stating that it is already set to go live within the next couple weeks.
Iranian sources report that in the two and a half years since protests overtook the streets of Iran, opposition groups have increasingly taken to the Internet to express their dissatisfaction with the government. By restricting citizens’ access to the Internet and threatening bloggers with death, the Iranian regime seeks to paralyze its citizens into silence.
Despite what the regime may believe about the effectiveness of fear mongering, these atrocious acts of state repression will only further antagonize the youth opposition movement, including the thousands of Iranians with the technical capacity to circumvent these measures. Meanwhile, the arrests, executions, and attempts at censorship will continue to help organizations seeking to mobilize international attention. While Iran will surely continue to violate human rights, cutting the Iranian people off from the Internet will also do immeasurable damage to the Iranian economy and its ability to maintain any global competitive edge in technological or creative innovation. The question is: at what cost will they continue to put their country in the dark?
EFF stands with Amnesty International, Reporters Without Borders, United For Iran, and other organizations in condemning these grave state actions, and supports the thousands of Iranian bloggers and activists who bravely fight for free expression.
China's repression of online dissent is no secret. The country leads the way in both sophistication and extent of its online censorship, and tops the list of countries that jail bloggers by a landslide. In 2012, it would seem things are only getting worse.
According to the Committee to Protect Journalists (CPJ), "online critic" Chen Xi, initially detained for activities unrelated to his writing, was sentenced to ten years in prison for "inciting subversion against state power" on December 26, with the court citing more than thirty articles published by Chen online. CPJ's Asia program coordinator Bob Dietz condemned the sentence, stating that it "indicates that Chinese authorities are tightening their control of dissent."
EFF condemns China's latest attempts at repressing online dissidents and will continue to monitor the situation closely.
Bahraini human rights activist attacked
As Bahrain's uprising approaches its one-year anniversary, the government's crackdowns on activists--many of whom are well-known for their online activity--continue. In mid-December, Zainab Al-Khawaja (who tweets prolifically as @angryarabiya) was brutally arrested while taking part in a protest. Last Friday Nabeel Rajab, director of the Bahrain Centre for Human Rights, was injured when security forces attacked protesters in Manama. Rajab recently described his ordeal to Amnesty International.
While the attacks on Al-Khawaja and Rajab were not directly related to their online activism, reports indicate that Rajab's status as a prominent human rights activist may have worsened the attack. In a recent Al Jazeera article, Rajab stated that when he identified himself as Nabeel Rajab, "[riot police] beat me more."
The targeting of prominent human rights activists has had a chilling effect on Bahrain's lively blogosphere. EFF condemns the continuing repression of free expression in Bahrain.
Online journalist's murder has grave implications for free expression in Rwanda
The fatal December shooting of Rwandan online journalist Charles Ingabire, a fierce critic of the Kagame government, has raised criticism of the government for not doing enough to protect journalists. Though Ingabire was shot in neighboring Uganda, some Rwandan critics have suggested that Ingabire's murder was a political assassination motivated by his criticism of the government.
Ingabire is the second Rwandan journalist to be killed in less than two years. EFF echoes calls on the Ugandan government to identify the culprits and bring them to justice.
Turkish academics sign declaration in protest of new filters
Last week, we reported on the biases present in Turkey's new opt-in filtering system. Now, a group of fifteen Turkish academics have penned a declaration protesting the system, declaring the filter as "arbitrary, state-run, centralized censorship." The statement also alleged that the filter was limiting freedom of expression and is "being imposed across society."
Comparing Turkey's system to those administered by China, Iran, and Saudi Arabia, the campaigners also note that Turkey is the only OSCE member state applying a centralized filtering system.
As we've stated previously, filtering is costly, easy to circumvent, and often overbroad. In light of Turkey's history as a pervasive censor of the Internet, we continue to have grave concerns about the trajectory of this new filtering scheme.
Today, EFF filed suit against the Federal Aviation Administration seeking information on drone flights in the United States. The FAA is the sole entity within the federal government capable of authorizing domestic drone flights, and for too long now, it has failed to release specific and detailed information on who is authorized to fly drones within US borders.
Up until a few years ago, most Americans didn’t know much about drones or unmanned aircraft. However, the U.S. military has been using drones in its various wars and conflicts around the world for more than 15 years, using the Predator drone for the first time in Bosnia in 1995, and the Global Hawk drone in Afghanistan in 2001. In the Iraq and Afghanistan wars, the US military has used several different types of drones to conduct surveillance for every major mission in the war. In Libya, President Obama authorized the use of armed Predator drones, even though we were not technically at war with the country. And most recently in Yemen, the CIA used drones carrying Hellfire missiles to kill an American citizen, the cleric Anwar al-Awlaki. In all, almost one in every three U.S. warplanes is a drone, according to the Congressional Research Service. In 2005, the number was only 5%.
Now drones are also being used domestically for non-military purposes, raising significant privacy concerns. For example, this past December, U.S. Customs and Border Protection (CBP) purchased its ninth drone. It uses these drones inside the United States to patrol the U.S. borders—which most would argue is within its agency mandate—but it also uses them to aid state and local police for routine law enforcement purposes. In fact, the Los Angeles Times reported in December that CBP used one of its Predators to roust out cattle rustlers in North Dakota. The Times quoted local police as saying they “have used two unarmed Predators based at Grand Forks Air Force Base to fly at least two dozen surveillance flights since June.” State and local police are also using their own drones for routine law enforcement activities from catching drug dealers to finding missing persons. Some within law enforcement have even proposed using drones to record traffic violations.
Many drones, by virtue of their design, their size, and how high they can fly, can operate undetected in urban and rural environments, allowing the government to spy on Americans without their knowledge. And even if Americans knew they were being spied on, it’s unclear what laws would protect against this. As Ryan Calo, the ACLU (pdf) and many others have noted, Supreme Court case law has not been friendly to privacy in the public sphere, or even to privacy in areas like your backyard or corporate facilities that are off-limits to the public but can be viewed from above. The Supreme Court has also held that the Fourth Amendment’s protections from unreasonable searches and seizures may not apply when it’s not a human that is doing the searching. None of these cases bodes well for any future review of the privacy implications of drone surveillance.
However, there are some reasons to hope that the courts will find the ability of drones to monitor our activities constantly, both in public and—through the use of heat sensors or other technology—inside our homes, goes too far. For example, in a 2001 case called Kyllo v. United States, the Supreme Court held the warrantless search of a home conducted from outside the home using thermal imaging violated the Fourth Amendment. The Court held that, “in the sanctity of the home, all details are intimate details”—it didn’t matter that the officers did not need to “enter” the home to “see” them. United States v. Jones, argued before the Supreme Court this term, could also have ramifications for drones. The D.C. Circuit Court of Appeal’s opinion in this case held that warrantless GPS-enabled 24/7 surveillance of a car violated the Fourth Amendment, noting, “When it comes to privacy . . . the whole may be more revealing than the parts.” Though the outcome of the case at the Supreme Court is far from clear, the Court did seem surprised during oral argument that, under the government’s theory of the case, the justices themselves could be tracked without a warrant and without probable cause. Drones that use heat sensors to “see” into the home and that can track one or many people around the clock wherever they go are not much different from the technologies at issue in Kyllo and Jones.
EFF will keep monitoring this issue. We hope to learn from our lawsuit against the FAA which entities in the United States—whether they are government agencies, state or local law enforcement, research institutions or private companies—are currently authorized to fly drones and which entities are seeking or have been denied authorization. Once we have that information we will be better able to define the scope of the problem and can further assess and address the privacy issues at stake.
Two years ago, the UK dismantled their national ID scheme and shredded their National Identity Registry in response to great public outcry over the privacy-invasive program. Unfortunately privacy protections have been less rosy elsewhere. In Argentina, the national ID fight was lost some time ago. A law enacted during the military dictatorship forced all individuals to obtain a government-mandated ID. Now, they are in the process of enhancing its mandatory National Registry of Persons (RENAPER) with biometric data such as fingerprints and digitized faces. The government plans to repurpose this database in order to facilitate “easy access” to law enforcement by merging this data into a new, security-focused integrated system. This raises the specter of mass surveillance, as Argentinean law enforcement will have access to mass repositories of citizen information and be able to leverage existing facial recognition and fingerprint matching technologies in order to identify any citizen anywhere.
In the waning days of 2011, Argentinean President Cristina Fernández de Kirchner issued an executive decree ordering the creation of the Federal System of Biometric Identification (SIBIOS), a new centralized, nation-wide biometric ID service that will allow law enforcement to “cross-reference” information with biometric and other data initially collected for the purpose of operating a general national ID registry. Historically, police fingerprint databases were limited to those suspected or convicted of criminal offences. Recently, however, the Argentinean Federal Police (Policía Federal Argentina – PFA) was given a large database holding digital fingerprints collected from random Argentineans as part of the national ID and passport application process. Since March 2011, this database has been fed by data collected through the RENAPER national ID application process. The PFA has managed to amass a database of about 8 million fingerprints, yet this process appears to have been too slow for the Argentinean government. Further to the new decree, the SIBIOS initiative will give PFA access to RENAPER’s database (and vice versa), doubling PFA’s reach to approximately 14 million digitized fingerprints. Starting with the first New Year’s baby of 2012, Argentina has even begun registering newborn biometric information with the SIBIOS. Argentina projects that, as national IDs and passports expire and are renewed (and new babies are born), the SIBIOS database will grow to over 40 million within the next two years.
But the SIBIOS initiative will do far more than expand the number of digitized fingerprints the PFA will have ready access to. According to President Fernández de Kirchner, the SIBIOS will be fully “integrated” with existing ID card databases, which, aside from biometric identifiers, include an individual’s digital image, civil status, blood type, and key background information collected since her birth and across the various life stages. Further, it is not just the PFA that will have access to this new information sharing system. SIBIOS is designated for use by other federal security forces, including the National Directorate of Immigration, the Airport Security Police, and the National Gendarmerie, and is even available to Provincial enforcement entities, upon agreement with the National State. However, there has been no public discussion about the conditions under which public officials will have access to the data. Supporters of the SIBIOS program tout that it would give law enforcement easy, real-time access to individuals’ data, but whether any of the safeguards typically used to put checks on state surveillance will limit access remains an open question.
Perhaps the most troubling part of this new SIBIOS initiative is the technologies Argentinean law enforcement intends to leverage in order to exploit these databases. The PFA, for example, will be able to use its new facial recognition capacities to search the immense RENAPER digital image repository in order to identify people in photos, and maybe even on surveillance cameras! Argentinean police are also equipping themselves with mobile fingerprinting devices that will allow them to check the fingerprints of any passing Argentinean against the database itself.
The Dangers of Surveillance Society
National IDs and similar methods of data centralization increase state capacity for intrusive surveillance. Coupled with the simultaneous collection of biometric identifiers, such as digitized faces, it creates an additional layer of tracking that is even more pervasive and dangerous. As is the case in Argentina, biometrics are inherently individuating and interface easily with database technology, making widespread privacy violations easier and more harmful.
To our alarm, President Fernández de Kirchner has gone so far as to embrace the potential to link unidentified faces obtained through surveillance cameras with identified images through the SIBIOS system. Due to the technology’s relative affordability, street cameras and video-surveillance are now everywhere. Therefore this functionality is especially dangerous with the potential to lead to mass political surveillance. (This visualization shows how there are over 1,000 cameras installed in the Argentinian capital of Buenos Aires alone.)
Given the prevalence of street cameras and how easy it has become to identify one unnamed face amidst thousands, individuals who care about their privacy and anonymity will have a very difficult time protecting their identity from biometrics databases in the imminent future. There are extreme unforeseen risks in a world where an individual’s photo, taken from a street camera or a social network, can be linked to their national ID card. Additionally, matching technologies will only improve with time. (Check here and here to learn more about facial recognition). EFF has long argued that perfect tracking is inimical to a free and democratic society. Citizens have a reasonable expectation of privacy and anonymity, particularly with regard to profiling. A combination of government-run biometric ID systems and facial recognition violates core elements of freedom by making it easy to locate and track people, and dangerously centralizing this data makes it ripe for state exploitation.
As Beatriz Busaniche of Fundacion Via Libre notes, this type of mass surveillance can have serious repercussions for those who are willing to voice political dissent:
“In the name of public security, Argentina has pushed for mass surveillance policies, including the heightened monitoring of public spaces. Privacy is particularly crucial for our country since throughout our long history of social and political movements, calls for action have often taken to the streets. It is of higher importance for activists to remain anonymous in their demonstrations, especially when they are at odds with the government itself. In this way, SIBIOS not only challenges their privacy and data protection rights, but also poses serious threats to their civil and political rights.”
Mora Arqueta, Director of RENAPER, noted inaninterview that the current purpose of the national ID scheme is to retain the “maximum amount of personal data, and treat the citizen as an individual who interacts with the State in many places.” Her comments admit to a direct perversion of the existing national identification system, from one that has simply assigned an ID number to an individual, to one that outright violates personal data minimization principles through massive and unnecessary collection of sensitive personal information. The problem with allowing the government to retain so much sensitive data is that it gives it too much unchecked concentrated power. One wonders, for example, whether those who enacted the decree considered what would have occurred if Argentina's military dictatorship had access to such an expansive database. The public debate in Argentina should therefore be about power and the possible limits of actors in society to know. A healthy amount of distrust is necessary to sustain an open, democratic society.
Fernández de Kirchner’s arguments that SIBIOS provides “a major qualitative leap in security, in the fight against crime” are troubling and represent a further deviation from the purpose for which the RENAPER databases were first created. This argument is misleading, and fails to analyze SIBIOS’ risks and limitations as well as its impact on civil liberties and data protection. Time and again, we have heard the dubious rhetorical argument that biometrics are needed to fight against crime and increase security. In fact, these massive biometrics databases are a honeypot of sensitive data that remains extremely vulnerable for exploitation by criminals and identity thieves themselves.
The rights to privacy and data protection are enshrined in international law and the Argentinean Constitution. Given the long list of privacy concerns surrounding biometrics, and the plausibility of future security breaches, it is irrationally excessive to collect biometric data in a nation-wide ID scheme. The Argentinean government needs to limit the unnecessary collection, processing, retention, and sharing of this very sensitive data. EFF and Fundacion Via Libre in Argentina will work together to fight against these intrusive measures.
The Center for Democracy and Technology has released a memo (PDF) on the economic costs, technical complications, and privacy implications of a data retention mandate. Data retention mandates would force Internet companies such as ISPs to keep records on their historical assignment of IP addresses and make that and other customer data available to law enforcement. CDT’s memo points out the technical issues surrounding IP address assignment, noting that there are a multitude of situations in which IP addresses are shared (such as in coffee shops, work places, and airports) and that they can’t reliably identify an end user. We couldn’t agree more. They also rightly note that "a data retention mandate would require the collection and management of vastly larger quantities of data than seemed necessary even a few years ago, at costs that could be prohibitive, especially for smaller and rural service providers, while yielding data less reliable in identifying end-user devices."
This memo couldn’t come at a better time. Congress is currently considering misguided data retention legislation that could compromise user privacy and burden ISPs. Learn more about the privacy issues surrounding data retention mandates by visiting EFF’s issue page. You should also use the EFF action center to send a letter to Congress telling them not to force Internet companies to spy on users.
Smart Meter Hacking for Privacy
On day four of the 28th Annual Chaos Communication Congress, Smart Hacking for Privacy explored the privacy-intrusive potential of smart meter technology. EFF has articulated the privacy concerns around smart meters – including how this technology can be used to monitor what appliances a consumer uses in the home and exactly when she uses them. According to Network World, Smart Hacking for Privacy went a step further and showed that under certain circumstances, researchers could use smart meters to "determine devices like how many PCs or LCD TVs [were] in a home, what TV program was being watched, and if a DVD movie being played had copyright-protected material." This builds off of research (PDF) by a team at the University of Washington on the electromagnetic interference (EMI) signatures produced by televisions. Smart Hacking for Privacy also demonstrated how smart meters could be hacked so that the readings were incorrect. The entire presentation is available on YouTube.
German Police Using Hundreds of Thousands of “Silent” SMS Messages for Tracking Suspects
The 28th Annual Chaos Communication Congress also featured a presentation from researcher Karsten Nohl on Defending Mobile Phones (the full presentation is available on YouTube). As both Tom's Guide and F-Secure pointed out, one of the most interesting facts discussed in the presentation was that German law enforcement was relying on "silent SMS" technology for tracking suspects. SMS is the protocol by which standard text messages are delivered to your cell phone; a “silent” SMS message would deliver a "message" to the phone without the user being aware. In other words, the user wouldn’t see a text message; she wouldn’t see any notice at all on her phone. That "silent" SMS interaction, in turn, leads to the creation of a log with the cell phone company that reveals which cell phone towers the phone was closest to when the SMS was received. German law enforcement apparently likes this technique so much they pinged cell phones with silent SMS over 440,000 times in 2010.
This isn’t the first time we’ve known law enforcement to invisibly ping a mobile phone to home in on the phone’s location without the user being aware. In United States v. Forest, the police used a similar technique, relying on "silent" telephone calls to generate cell site logs with the provider where there otherwise wouldn’t be any, which provided more frequent location fixes to help with tracking.
As this story demonstrates, the cell tower network can provide detailed data about a user’s daily movements based not just on her phone calls but on other communications activities as well. Last year, for example, Malte Spitz demonstrated the precision and breadth of data collected through cell phone tracking when he forced his cell phone carrier to hand over the records they had on him. Those records revealed that the carrier had collected over 35,831 data points about his location – not only his location during phone calls but also when he sent or received SMS messages or used the Internet – in a mere 6 months.