The United States Government is pressuring the European Union to weaken its newly strengthened data protection bill. The European Union has a history of strong data protection standards, emboldened by the European Charter’s explicit provisions upholding data protection as a fundamental right. European Digital Rights (EDRi) revealed today a widespread U.S. lobbying effort against the November 29th leaked version of the legislative proposal for a Data Protection Regulation (DPR). The DPR will repeal the existing EU Data Protection Directive, which details regulations regarding personal data processing within the European Union, and is due for official release on January 25th, 2012.
The U.S. lobbying efforts include phone calls and correspondence from senior figures in the U.S. Department of Commerce to top-level staff at the European Commission regarding a broad range of topics. An "informal note" was circulated, articulating U.S. concerns about DPR, which complained that the draft proposal “will break with international standards” and could “undermine” global interoperability between different privacy “regimes” around the world.
Some of the U.S. criticisms are fair. For instance, under the First Amendment, older minors possess greater rights than pre-adolescents, and should not be treated the same way. Similarly, the “right to be forgotten” creates free expression tensions; to its credit, the EU draft proposal appears to provide exceptions for free speech. The U.S. position on interoperability, however, is of concern.
The U.S.-EU Safe Harbor Framework was cited as an example of a bilateral interoperability program. The Framework is an agreement between the European Commission and the United States Department of Commerce, whereby companies can join the Safe Harbor to demonstrate--in theory--compliance with the strong protection afforded by the EU Data Protection Directive.1 The framework was widely criticized in 2002, 2004, and 2008 for its ineffectiveness at protecting privacy. For many, the Safe Harbor represents a weak compromise between the comprehensive legislative model selected by the European Union and the self-regulatory model adopted by the U.S., which fails to meaningfully protect privacy (Read here, here and here to learn more about the criticisms against the Safe Harbor Framework).
In today’s statement, EDRi criticizes the U.S.’s own global interoperability work. In practice, EDRi said, the concept of “interoperability” has often meant that data is simply being transferred to the U.S., where there are no data protection laws that would protect the data of non-U.S. persons. The concept of interoperability remains contested and in flux, as discussed at the recent OECD Privacy Conference in Mexico, where EFF represented CSISAC. In that meeting, we voiced concern over the concept of “interoperability”, arguing that it should not be used as a way to circumvent strong privacy safeguards. Recent incidents of high-profile privacy invasions and subsequent public outcries demonstrate a general erosion of users’ trust and indicate a pressing need for strong and consistent privacy protections. During the same meeting, Mme Françoise Le Bail of the European Commission also emphasized that interoperability must not be promoted at the expense of high standards.
Nigel Waters of Privacy International said, "interoperability must not be allowed to justify purely self regulatory models that lack credibility." In the United States, self-regulation has failed to protect users' privacy expectations, especially given the increasing commodification of personal data. A U.S. study has shown that self-regulatory privacy programs emerge only when companies feel threatened by potential legislation, but dissipate when companies believe that the threat has passed. Such an approach fails to address user trust issues or adequately protect privacy rights in the United States.
This ongoing process requires continued vigilance against vested interests intent on promoting a watered-down version of privacy protections in the name of interoperability. According to EDRi, U.S. lobbying efforts are aimed at weakening proposed privacy standards established in the DPR, based on objections that are “flawed” and “interest-driven”. It must be noted that data protection laws are no longer a European phenomenon. A study done by Graham Greenleaf shows that there are now 29 legal frameworks that protect privacy outside Europe, 78 national data privacy laws in total. Despite these efforts, the U.S. government has still failed to implement OECD Privacy Guidelines into their national law.
EFF will be monitoring the current negotiations to review existing international privacy instruments at the OECD, the Council of Europe and the European Union. 2012 will be a key year for data protection. We must keep our eyes open to make sure the U.S. government does not force the worst of its policies -- that are detrimental to user privacy rights -- into the international fora.
The European Parliament will vote soon on an agreement to formalize US procedures for retaining and providing EU based Passenger Name Record (PNR) data of EU and US citizens traveling into, out of, and through the United States. The agreement will determine how the Department of Homeland Security (DHS) will be able to use the broad swath of sensitive PNR information that is based in the European Union. PNR data contains a passenger’s travel itinerary and consists of 19 different data metrics ranging from your name and address to your seat number and any general comments made by the ticketing agent. Travel agents, airlines, hotels, car rental companies, and railways collect the data whenever you make a reservation to travel or buy a ticket. The data is stored in central databases called Computer Reservation Systems (CRSs), and is pushed from the CRSs to DHS for passenger screening.
Until now, there has been little press on the agreement as European politicians were not informed of its evolution, were barred from reading the document outside of a "sealed room," and were only briefed by the commissioner responsible for negotiations a week after the commissioner gave public interviews.1 Edward Hasbrouck, of the US traveler privacy organization Identity Project, leaked an early version of the document late last month.
The draft agreement acknowledges privacy principles found in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and DHS's Fair Information Practice Principles (FIPPs), but relies heavily on DHS and US statutes in order to inform how EU and US citizens can obtain PNR data. Unfortunately, DHS has a poor track record when it comes to respecting travelers’ rights to their PNR data.
Despite an OECD guideline granting the right to obtain data from a data controller, the agreement only compels DHS to respond to a request for PNR data in a "timely" fashion. As of its last privacy report in 2008, DHS admitted that PNR data requests take longer than a year to answer.2
As a result of one such delay, Hasbrouck initiated a lawsuit in 2007 to obtain PNR data that DHS refused to disclose. The case is ongoing, but DHS contends that the data and any related procedures for its handling can be withheld under Freedom of Information Act exemptions. A few years later, DHS exempted PNR data under federal regulations published in 2010. That same year, the Associated Press reported that senior political advisers at DHS prolonged FOIA records requests by probing information about the requesters and delaying disclosures deemed "too politically sensitive." These actions seem to contradict the proposed agreement’s requirement of "timely" response.
Equally troubling is citizens’ inability to correct their PNR data. The agreement mandates DHS inform citizens "without undue delay" whether DHS will correct any mistakes in the data. To correct passenger data, DHS relies on its Traveler Redress Inquiry Program (TRIP), a system that provides citizens with the ability to correct data and file a complaint over difficulties experienced while traveling. TRIP does not allow EU and US citizens to challenge an agency decision in court and is exempted from certain Privacy Act requirements, such as the right to "contest the content of the record."3
The proposed agreement uses lofty language about traveler rights, but previous actions by DHS are discouraging. DHS has been slow to release PNR data, barred its release under the Privacy Act, and investigated citizens for requesting the data. If this is the norm for US citizens with explicit legal redress, what will be the norm for EU citizens requesting such data?
The Agreement and U.S. Statutes
The agreement references the Administrative Procedure Act, the Freedom of Information Act, and the Privacy Act as other avenues citizens can use to obtain and correct their PNR data. As shown above, citizens relying on the Privacy Act and the Freedom of Information Act face major obstacles, while the Administrative Procedure Act only allows for disclosure of the exact procedures and rules of the agency, not the actual data.
Even if DHS were to release procedures relating to PNR data, the agency is currently incapable of documenting precise access to PNR data. While DHS’s FIPPs assure the public that DHS will "audit" the use of personal information, and the agreement mandates documenting all access to PNR data, DHS admitted in court that it does not keep precise access logs and that it "would be unable to provide a list of employees who accessed a specific PNR." EFF is skeptical that DHS can or will satisfy the agreement’s mandate of documenting access precisely.
Despite these issues, last week the European Council approved the agreement, which now waits for the consent of the European Parliament. Sadly, the draft agreement focuses on what citizens are entitled to request, but not on what citizens are entitled to receive. EFF is concerned that DHS will continue its practices of failing to give users access to their own PNR data, of unduly delaying responses to data requests, and of failing to keep proper access logs.
EFF is not alone in raising these issues. In April of this year, an independent European advisory body created by the European Commission to comment on the use of PNR data issued a nine-page opinion on EU PNR agreements. The advisory body voiced concerns about the collection of huge amounts of personal passenger data, the length of time the data is kept, and the need to keep strict access logs. As recently as last week, the European Data Protection Supervisor and the German government voiced similar concerns. The issues raised are emblems of the large gap between the United States and the European Union approach to sensitive personal data.
In early December, 21 nonprofit advocacy groups issued a joint letter urging the European Parliament to reject the proposed agreement. They argued that "travelers are not informed which personal data is stored and processed" and "information requests to airlines travel agencies usually answered insufficiently." We echo these concerns and urge the European Parliament to reject the proposal, which does not live up to the standards of the FIPPs and OECD's guidelines for protecting privacy.
1. Baker, Jennifer. "EU Parliamentarians Speak Out Over Gag Order on Data Deal." PC World, November 18, 2011. Accessed December 4, 2011, https://www.pcworld.com/businesscenter/article/244224/eu_parliamentarians_speak_out_over_gag_order_on_data_deal.html.
2. "A Report Concerning Passenger Name Record Information Derived From Flights Between The US and The European Union." Privacy Office, DHS. December 18, 2008. Page 26.
3. Nakashima, Ellen. "Collecting of Details on Travelers Documented." Washington Post, September 22, 2007. Accessed December 4, 2011, http://www.washingtonpost.com/wp-dyn/content/article/2007/09/21/AR2007092102347.html.
In the past month—thanks to reporting from the Wall Street Journal and Bloomberg, as well as WikiLeaks and its media partners—a little sunlight has finally exposed a large but shadowy industry: Western technology companies selling mass spying software to governments. The amazing and dangerous capabilities of these tools are described in hundreds of marketing documents that were recently leaked to the media organizations.
The Wall Street Journal laid out many of the tools in detail, explaining how they can be used to spy on millions of the world’s citizens, most of whom are completely innocent. It’s also easy to see how tools can be used to track and repress those working for human rights and fundamental freedoms:
“The techniques described in the trove of 200-plus marketing documents, spanning 36 companies, include hacking tools that enable governments to break into people's computers and cellphones, and "massive intercept" gear that can gather all Internet communications in a country.”
Much of what this software does would be considered malicious “black-hat hacking” if used by a private citizen. In fact, as the Wall Street Journal reported, many of these companies market their products as the kinds “often used in ‘malware,’ the software used by criminals trying to steal people's financial or personal details.”
One program, manufactured by the company FinFisher, reportedly falsifies updates to popular software like iTunes, and when the user downloads it, the perpetrator can monitor the user’s every move—even see into their webcam, according to this promotional video. Another company, Packet Forensics, brags about its “man in the middle attack” capabilities, in which it can get in between two parties communicating and read the contents of any message, even when encrypted.
WikiLeaks and OWNI put together an excellent interactive map that details, country-by-country, which companies are operating where and what forms of communication are potentially being monitored. The list is long and worrisome.
The promoters of this ugly market have so far had a callous attitude. Jerry Lucas, president of TeleStrategies—the company behind International Support Systems (ISS)—recently remarked it’s “not my job to determine who's a bad country and who's a good country. That's not our business, we're not politicians … we're a for-profit company. Our business is bringing governments together who want to buy this technology."
But the recent reports and press coverage seem to be having an effect. Tatiana Lucas, world policy director for ISS, made a lame attempt to tie the sale of repressive technologies to jobs, as if facilitating human rights and privacy abuses should be thought of as an economic recovery tool. She even bemoaned the fact that her clients are missing out on U.S. taxpayer money because of the lack of an “intercept mandate” on service providers (i.e. CALEA expansion, a very bad idea). Yet even so, she admitted, “Attention of this kind makes U.S. manufacturers gun shy about developing, and eventually exporting, anything that can remotely be used to support government surveillance.”
With the names of these companies, and their troubling marketing pitches known, it’s time for the next step: Who are their customers? Bloomberg gave us a great head start with this infographic highlighting Syria, Iran, Bahrain and Tunisia, but given the long list of companies and technologies vying for business at ISS, there are likely many more.
In our “know your customer” post, we proposed standards these companies should voluntarily comply with to make sure their technology does not fall into the wrong hands. But those same questions can be asked by lawmakers, regulators, and the press right now, starting with: What governments or government agents are buying or licensing these technologies?
Remember, “Government” here includes formal, recognized governments as well as governing or government-like entities, such as the Chinese Communist Party or the Taliban, that effectively exercise governing powers over a country or a portion of a country. It also importantly includes indirect sales through a broker, contractor, or other intermediary or multiple intermediaries if the Company is aware or should know that the final recipient of the Technology is a Government, something the Commerce Department already gives guidance on in their “know your customer” standards.
Then once the purchasers are identified, we need to determine whether their technology is being sold to directly or indirectly facilitate human rights violations.
Questions should include:
Has any portion of a transaction that the company is involved in, or the specific technology provided, included building, customizing, configuring or integrating into a system that is known or is reasonably foreseen to be used for human rights violations, whether done by the Company or by others?
Has the portion of the government that is engaging in the transaction or overseeing the technologies been recognized as committing gross human rights abuses using or relying on similar technologies, either directly or indirectly?
Has the government's overall record on human rights generally raised credible concerns that the technology or transaction will be used to facilitate human rights abuse?
Has the government refused to incorporate contractual terms confirming the intended use or uses of the technologies by the government and to require the auditing of their use by the government purchasers in sales of surveillance technologies?
If the answer to one or more of these questions is yes, then the pressure should be on for the company to withdraw. The time is now. Even those who have previously studied the problem have been surprised at how fast the market for mass surveillance has grown. As former deputy technology officer under the Obama Administration Andrew McLaughlin explained, “The Arab Spring countries all had more sophisticated surveillance capabilities than I would have guessed.” Mass surveillance is a freedom of speech issue, McLaughlin emphasized, and “[i]t’s exceedingly easy for governments to conduct online and mobile surveillance” for stifling dissent.
We have the names of the companies and we know what they do. Now we need to know exactly who their customers are and turn up the heat.
In 2011, we have witnessed the incredible power of bloggers and social media users capturing the world’s attention through their activism. At the same time, regimes appear to be quickening the pace of their cat-and-mouse game with netizens, cracking down on speech through the use of surveillance, censorship, and the persecution and detention of bloggers. The increasingly tech-savvy Syrian regime has been reported to demand login credentials from detainees, for example, while the use of torture in some of the region’s prisons continues.
Aware of the threats to their safety, bloggers often devise contingency plans in the event they are detained. Syrian blogger Razan Ghazzawi was on her way to a conference in Jordan several weeks ago when she was arrested (she has since been released). In a premeditated effort to protect her contacts, she shared her passwords with trusted friends outside the country with instructions to change them in the event of an arrest. This way, she would not be able to give up the login credentials to her accounts since she would no longer know them. Other bloggers inform their close contacts of their preferred contingency plans, determining in advance whether they would want a campaign for their release. A number of the bloggers arrested this year, in Egypt, Syria, and elsewhere, have connections to international activist networks that have experience creating global campaigns and can easily contact government officials, companies, and human rights organizations.
Assessing individual risk is neither easy nor straightforward. Therefore, all bloggers--whether well-connected or just starting out--should consider creating a plan in the unfortunate event they are detained. That said, there are numerous resources bloggers can use to stay informed when other bloggers in their country are detained, harassed, or surveilled; when their government is monitoring phone conversations or Internet activity; and when detainees are being compelled to give up information, such as passwords, to authorities.
With that in mind, EFF together with Global Voices Advocacy have created a set of questions to consider. This list is by no means exhaustive, but should offer a starting point from which bloggers can develop their own contingency plans.
All bloggers should:
Consider providing someone outside the country with the following information:
Login credentials to your social media, email, and blog accounts
Contact information of family members
Information about any health conditions
Regularly back up their blog, Facebook, email, and other accounts
Encrypt sensitive files and consider hiding them on a separate drive
Consider using tools like Identity Sweeper (for Android users) to secure/erase your mobile data
Consider preparing a statement for release in case of arrest. This can be helpful for international news outlets and human rights organizations
Consider recording a short video identifying yourself (biographical info, scope of work) and the risks that you face, and sharing it with trusted contacts
Develop contacts with human rights and free expression organizations*
Think about a strategy/contingency plan for what to do if you're detained (see below)
If you are arrested or detained:
Is there a trusted person(s) that you would like to authorize to make major decisions on your behalf--such as whether to conduct a public campaign? If yes, please make sure to discuss your preferences with that person. The following are among the topics you could talk about:
What are your preferences for public campaigns? Is there a particular message that you feel strongly represents you and your views?
What are the organizations you feel closest to in terms of potentially leading campaigns for your release and/or better treatment?
Are there any particular attorney(s) who you know and would like to solicit for your case?
Do you have a preference about what to do about your accounts? (i.e. Change the passwords, turn them into campaign accounts or shut them down) Do you trust someone else to make crucial decisions about your accounts if your situation changes?
Is there any specific information about you or relevant to your case that you prefer not be made public?
Do you have acute or chronic illnesses which require medication or treatment? If yes, what are they? (Asthma, diabetes, heart conditions, etc.)
Are there family members that one can contact to sign off on important decisions or speak to the media? If yes, who? Are there family members who you absolutely do not want to speak on your behalf?
When having these conversations, keep in mind that it may be hard for you to foresee every future development. The best course of action may be to have in-depth conversations with trusted friends and family members so that they clearly understand your preferences--and then authorize them to make decisions as they best see fit under evolving conditions. In other words, “delegate with guidance” so that your trusted relations can look out for your best interests and your wishes under evolving circumstances.
*There are numerous organizations out there and we could not possibly name them all. EFF and Global Voices Advocacy are great starts, but we also recommend international organizations Human Rights Watch, Amnesty International, FrontLine Defenders, Reporters Without Borders, the Committee to Protect Journalists and Access. If you need assistance finding a local organization in your country, please contact us and we will try to help.
This post was co-authored by EFF and Global Voices Advocacy, with special thanks to Zeynep Tufekci.
As we explained in our post on Carrier IQ's architecture, one of the main factors in determining what the Carrier IQ stack does on a particular phone is the "Profile" that is running on that device. Profiles are files that are typically written by Carrier IQ Inc. to the specifications of a phone company or other client, and pushed to the phone by Carrier IQ Inc. using its own command and control infrastructure. Profiles contain instructions about what data to collect, how to aggregate it, and where to send it.
To create transparency for the public that has been monitored by the more intrusive variants of this software, we will need a comprehensive library of these Profiles, and to know which ones were pushed to which phones at what times. Profiles are stored in different locations in different versions of the Carrier IQ software, and in many cases, a phone may need to be jailbroken or rooted before the profile can be extracted.
If you have a rooted/jailbroken phone, and can find a Profile on it, please send us 1) a copy of the Profile, 2) which phone and network it was from, and 3) where on the phone's file system you found it. You can send us this information in an email at email@example.com or in a git remote we can pull from. [UPDATE: there is a thread at xda-developers.org discussing possible methods for finding profiles on phones]
How to read a Carrier IQ Profile
On casual inspection, Carrier IQ Profiles are a mixture of binary data and legible code (example). EFF volunteer Jered Wierzbicki reverse engineered the file format and has written a program for parsing it called IQIQ, which we are presenting for the first time here. The binary file format is WBXML with a custom DTD. The code in the Profiles is written in Forth (if you would like a quick reference on the language, this one is good).
IQIQ transforms Carrier IQ Profiles from WBXML to human-readable XML. You can browse the source code to it online, or fetch it with git:
git clone https://git.eff.org/public/iqiq.git
There are also some examples of default Profiles from some Android-derived smartphones,1 and an example of a commented version of the Forth code in one portion of the default T-Mobile Profile. That code appears to determine when Carrier IQ is active on those phones; it may also be buggy — if that is the case, it would have led to Carrier IQ being active when phones with T-Mobile SIMs were operating on non-T-Mobile US networks.
[Update 2011-12-21: The bug would only trigger if the phone's APN was also set to epc.tmobile.com, which should not happen on non-T-Mobile networks. So this bug would only cause transmissions on unintended T-Mobile networks, of which there may be none].
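A minimal decoder for the WBXML container described above, as an added example (it is not IQIQ and not EFF's code). It assumes the WBXML 1.1+ header layout and UTF-8 strings; Carrier IQ's custom DTD is not given on this page, so tags and attributes are shown as code-page/token placeholders unless the caller supplies the hypothetical `tag_names` map, and `SAMPLE` is a constructed byte string, not a real Profile.

```python
from xml.sax.saxutils import escape, quoteattr

# Global WBXML tokens. Carrier IQ's DTD is not on the page: names are placeholders.
SWITCH_PAGE, END, STR_I, LITERAL, STR_T, OPAQUE = 0x00, 0x01, 0x03, 0x04, 0x83, 0xC3

class WBXMLError(ValueError):
    """Truncated, malformed or unsupported input."""

def cstring(buf, start):  # -> (text, next_offset) of a NUL-terminated string
    end = buf.find(b"\x00", start)
    if end < 0:
        raise WBXMLError("unterminated string or offset out of range")
    return buf[start:end].decode("utf-8", "replace"), end + 1  # assumes UTF-8

class Reader:  # bounds-checked cursor; the input is an untrusted file
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if n > len(self.data) - self.pos:
            raise WBXMLError("length field exceeds remaining input")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def byte(self):
        return self.take(1)[0]
    def mb_u_int32(self):
        value = 0  # 7 bits per byte, high bit set on every byte but the last
        for _ in range(5):
            b = self.byte()
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                return value
        raise WBXMLError("mb_u_int32 longer than 5 bytes")
    def char_data(self, tok, strtbl):
        """Decode a token that carries character data; None for other tokens."""
        if tok == STR_I:
            text, self.pos = cstring(self.data, self.pos)
            return text
        if tok == STR_T:
            return cstring(strtbl, self.mb_u_int32())[0]
        if tok == OPAQUE:
            return self.take(self.mb_u_int32()).hex()  # binary blob shown as hex
        return None

def attributes(r, strtbl):
    """Read one attribute list up to its END token and render it."""
    attrs, page = [], 0
    while (tok := r.byte()) != END:
        text = r.char_data(tok, strtbl)
        if tok == SWITCH_PAGE:
            page = r.byte()
        elif tok == LITERAL:
            attrs.append([cstring(strtbl, r.mb_u_int32())[0], ""])
        elif text is None and tok & 0x3F < 5:
            raise WBXMLError("unsupported token 0x%02x in attribute list" % tok)
        elif text is None and tok < 0x80:  # attribute start, named by the DTD
            attrs.append(["attr_p%d_%02x" % (page, tok), ""])
        elif not attrs:
            raise WBXMLError("attribute value before any attribute name")
        else:  # string data, or a DTD-defined value token kept as a placeholder
            attrs[-1][1] += text if text is not None else "{val_p%d_%02x}" % (page, tok)
    return "".join(" %s=%s" % (k, quoteattr(v)) for k, v in attrs)

def decode(data, tag_names=None):
    """Return (header, xml_text); tag_names maps (code_page, tag_id) to a name."""
    tag_names, r = tag_names or {}, Reader(data)
    header = {"version": r.byte(), "publicid": r.mb_u_int32()}
    if header["publicid"] == 0:
        r.mb_u_int32()  # public id given as a string-table index instead
    header["charset"] = r.mb_u_int32()
    strtbl = r.take(r.mb_u_int32())
    out, stack, page = [], [], 0
    while r.pos < len(data):
        tok = r.byte()
        text = r.char_data(tok, strtbl)
        if tok == SWITCH_PAGE:
            page = r.byte()
        elif tok == END:
            if not stack:
                raise WBXMLError("END with no open element")
            out.append("</%s>" % stack.pop())
        elif text is not None:
            out.append(escape(text))
        elif tok & 0x3F < LITERAL:
            raise WBXMLError("unsupported global token 0x%02x" % tok)
        else:
            ident = tok & 0x3F  # bit 7 = has attributes, bit 6 = has content
            name = (cstring(strtbl, r.mb_u_int32())[0] if ident == LITERAL
                    else tag_names.get((page, ident), "tag_p%d_%02x" % (page, ident)))
            attrs = attributes(r, strtbl) if tok & 0x80 else ""
            if tok & 0x40:
                stack.append(name)
            out.append("<%s%s%s>" % (name, attrs, "" if tok & 0x40 else "/"))
    if stack:
        raise WBXMLError("unclosed element <%s>" % stack[-1])
    return header, "".join(out)

# Constructed sample (not a real Profile): header, 15-byte string table, body.
SAMPLE = (b"\x03\x01\x6a\x0fprofile\x00metric\x00\x45\xc6\x05\x03GS01\x00\x01"
          b"\x03: small? 5 < ;\x00\x01\x04\x08\xc3\x02\xde\xad\x01")
```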
1. Of course we hope people can also send us Profiles from Windows Mobile, BlackBerry, iPhone and "feature phone" ports of Carrier IQ.
We’ve compiled a list of notable books from the past year that stuck out to us. Even if we don’t necessarily endorse the arguments being made in them, we’ve included them for adding some valuable insight on conversations surrounding our issues and the work that we do.
We're looking forward to the imminent release of Rebecca MacKinnon's Consent of the Networked, previewed through her 2011 TED Talk. MacKinnon's first book promises to provide user-oriented solutions to taking back the Internet...from governments, from corporations, and from anyone seeking to repress!
Much has been written about the expansive creep of intellectual property through new legislation. These are serious problems, but not the only ones in the world of IP. In Copyfraud, Brooklyn Law professor Jason Mazzone takes a different tack, addressing the problem of rightsholders diminishing fair use and the public domain by claiming exclusive rights outside of those granted to them by law.
Official book description: The benefits of living in a digital, globalized society are enormous; so too are the dangers. The world has become a law enforcer’s nightmare and every criminal’s dream. We bank online; shop online; date, learn, work and live online. But have the institutions that keep us safe on the streets learned to protect us in the burgeoning digital world? Have we become complacent about our personal security—sharing our thoughts, beliefs and the details of our daily lives with anyone who might care to relieve us of them?
Official book description: In December 2009, Google began customizing its search results for each user. Instead of giving you the most broadly popular result, Google now tries to predict what you are most likely to click on. According to MoveOn.org board president Eli Pariser, Google's change in policy is symptomatic of the most significant shift to take place on the Web in recent years--the rise of personalization. In this groundbreaking investigation of the new hidden Web, Pariser uncovers how this growing trend threatens to control how we consume and share information as a society--and reveals what we can do about it.
Official book description: Kevin Mitnick was the most elusive computer break-in artist in history. He accessed computers and networks at the world's biggest companies--and however fast the authorities were, Mitnick was faster, sprinting through phone switches, computer systems, and cellular networks. He spent years skipping through cyberspace, always three steps ahead and labeled unstoppable. But for Kevin, hacking wasn't just about technological feats--it was an old fashioned confidence game that required guile and deception to trick the unwitting out of valuable information.
Ghost in the Wires is a thrilling true story of intrigue, suspense, and unbelievable escape, and a portrait of a visionary whose creativity, skills, and persistence forced the authorities to rethink the way they pursued him, inspiring ripples that brought permanent changes in the way people and companies protect their most sensitive information.
Official book description: In the beginning, the World Wide Web was exciting and open to the point of anarchy, a vast and intimidating repository of unindexed confusion. Into this creative chaos came Google with its dazzling mission--"To organize the world's information and make it universally accessible"--and its much-quoted motto, "Don't be Evil." In this provocative book, Siva Vaidhyanathan examines the ways we have used and embraced Google--and the growing resistance to its expansion across the globe. He exposes the dark side of our Google fantasies, raising red flags about issues of intellectual property and the much-touted Google Book Search. He assesses Google's global impact, particularly in China, and explains the insidious effect of Googlization on the way we think. Finally, Vaidhyanathan proposes the construction of an Internet ecosystem designed to benefit the whole world and keep one brilliant and powerful company from falling into the "evil" it pledged to avoid.
William Patry, Senior Copyright Counsel at Google and author of the exhaustive seven-volume Patry on Copyright, is a prominent thinker and scholar in that community. With How to Fix Copyright, he provides facts on the state of copyright today and argues for a course correction towards more evidence-based policies.
James Gleick, a science journalist who's previously covered chaos theory, goes long in "The Information" on the history and theory of that field. Beginning with African tribal drums and running through computer science to the present-day Internet, Gleick points to a common thread of information as a fundamental element of the world we live in.
Official book description: Former hacker Kevin Poulsen has, over the past decade, built a reputation as one of the top investigative reporters on the cybercrime beat. In Kingpin, he pours his unmatched access and expertise into book form for the first time, delivering a gripping cat-and-mouse narrative—and an unprecedented view into the twenty-first century’s signature form of organized crime.
The title of Tim Wu's The Master Switch comes from a quote attributed to a 1950s CBS executive, referring to the near-monopolies that appear at one stage in the cycle that all new communications technologies seem to go through. Wu outlines the history of some of these important modern technologies, and explores the question: is the same fate inevitable for the Internet?
Though 2011 has in many ways been a year of triumphs for activists using digital tools, it has also been a year of increased repression, from crackdowns in China to shutdowns in Egypt and elsewhere. Morozov's book details the various ways in which authoritarian regimes control the Internet; though often posited as pessimistic, The Net Delusion contains lessons for all would-be digital activists.
Aouragh's book takes a look at the history of the Internet in the Palestinian territories and diaspora, showcasing examples of early online activism and highlighting the issues faced by Palestinians, from Israeli control of the Internet to communicating across borders. Palestine Online is the first book of its kind, and in light of the digital activism that pushed the Arab Spring forward, is a must-read for anyone hoping to understand the intricate usage of online networks in the Middle East.
Lawrence Lessig is best known for his work on copyright reform, but in the past few years he has embarked on the new challenge of "hacking at the root" of the problem with policy: money and its corrupting effects on government. Republic, Lost represents his first book on the new topic, and it presents both compelling descriptions of the deeper problem and some creative — if sometimes far-fetched — solutions.
Official book description: The top-secret world that the government created in response to the 9/11 terrorist attacks has become so enormous, so unwieldy, and so secretive that no one knows how much money it costs, how many people it employs or exactly how many agencies duplicate work being done elsewhere. The result is that the system put in place to keep the United States safe may be putting us in greater danger. In TOP SECRET AMERICA, award-winning reporters Dana Priest and William Arkin uncover the enormous size, shape, mission, and consequences of this invisible universe of over 1,300 government facilities in every state in America; nearly 2,000 outside companies used as contractors; and more than 850,000 people granted "Top Secret" security clearance.
Rather than focus on the controversies and internal strife surrounding Wikileaks, Sifry's book takes a broader view, looking cautiously at the age of transparency and positing that, if we have reached a point of no return, then we must consider the benefits of open governance and how to achieve them.
Threats to freedom are global, and EFF works internationally to defend your digital rights. Here are some things EFF achieved this year with the help of our global partners and supporters like you:
Protecting Freedom of Expression Worldwide
EFF supported activists around the world as they used the Internet to organize democratic protests against authoritarian regimes. EFF ran a very successful campaign to expand the Tor network, providing much-needed bandwidth services and anonymity to those activists and all Internet users.
Fighting Against Copyright Abuse
Consumer privacy, civil liberties, innovation, and the free flow of information on the Internet are all under attack by ill-conceived international intellectual property proposals. EFF released Global Chokepoints, a website that documents attempts in key countries to turn Internet intermediaries into copyright police, to help Internet activists worldwide combat similar proposals in their own nations.
Securing Privacy Rights and Civil Liberties of Internet Users
EFF is one of the strongest voices for Internet users’ rights at the OECD, the United Nations, the annual privacy commissioners' meeting and the Council of Europe. This year, we worked to secure privacy rights and civil liberties protections during the legislative implementation of the Council of Europe’s Cybercrime Convention, and we fought proposals that would have compromised anonymity, free expression and association.
Ensuring Corporate Responsibility
In the wake of news that American companies are involved in the sale of surveillance equipment to authoritarian regimes like Syria's, EFF ramped up our efforts to ensure that technology companies take human rights into account. EFF works with the Global Network Initiative and other organizations to encourage companies to resist pressure from international government censors and to advance freedom of expression in their products and services.
With the winter holidays fast approaching, now is the time to make our wish lists. There are plenty of presents EFF would like to receive for the holidays — the defeat of the Internet blacklist bills SOPA and PIPA would make a great start — but here are just a few of the things that companies could do to protect digital civil liberties this season:
AOL and Google should stop referring to the "no message logging" options in AIM and GChat as "off the record," in order to avoid confusion with OTR.
Adium should introduce a prompt when users first create or import messaging accounts that asks users to decide whether or not they want to log their OTR chats.
Apple, Amazon, HTC, and other makers of mobile computing devices should give customers an officially documented way to get root access on every device they sell.
Phone carriers should either commit to giving users regular, prompt mobile OS security updates, or stop controlling the software on the user's phone, so that software developers and handset manufacturers can do it themselves.
Facebook, Microsoft, Yahoo, Twitter, and the phone companies should follow Google's lead in regularly disclosing the number of requests they get from government agencies.
Skype should allow end-to-end verification of users' encryption key fingerprints. Unlike other encryption software, Skype doesn't give users any way to verify that the person on the other end of the conversation is using the right encryption key. Instead, users just have to trust that the Skype network has told the software the right key. This makes the Skype network into a centralized certification authority, with no transparency in its actions and no way to double-check its assertions.
Google should make sorry.google.com render in HTTPS whenever users are redirected to it by an HTTPS URL. When people searching Google over HTTPS trigger Google's bot-detectors, the page where Google sends users to prove they're human includes the users' search terms—in the clear, with no HTTPS protection, violating users' trust that these terms would be encrypted.
All software downloads should be provided only over HTTPS. When software is downloaded over unprotected HTTP, an ISP or local network operator can tamper with it and invisibly add spyware or vulnerabilities.
Craigslist, eBay, Amazon, Yahoo, and Bing should turn on HTTPS for ordinary use of their sites.
Akamai should make HTTPS support a standard feature for all Akamai customers, so that web sites that rely on Akamai have an easy path to turning on HTTPS for all users.
Social media sites should not track Internet users who load pages with embedded "Like" buttons but who don't click on the buttons.
Google, Facebook, and Twitter should stop tracking clicks on outbound links or give users a clear, easy way to copy and paste outbound link URLs without tracking.
Cloud backup services should urge users to pre-encrypt data before uploading it, so that the backup services can't snoop through or leak the contents of users' backups. As secure backup provider Tarsnap puts it, "[b]ackups are supposed to be a tool for mitigating damage — not a potential vulnerability to worry about!"
Cloud backup services should prominently provide users with information about how to do this and provide easy integration with tools that make it straightforward to do so. If cloud backup services provide their own software for accessing the service, the software should include functionality to do strong client-side encryption and decryption.
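The pre-encryption step described above, sketched as an added example (not code from EFF, Tarsnap or any backup service): the file is encrypted on the client with a passphrase-derived key, so the provider stores only ciphertext and any modification of the stored copy is detected on restore. The blob layout, function names and sample data are assumptions constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Blob layout (constructed for this example): salt(16) | iv(12) | tag(16) | ciphertext
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;
const HEADER_LEN = SALT_LEN + IV_LEN + TAG_LEN;

// Constructed sample data standing in for a file to back up.
const SAMPLE = Buffer.from('tax-return-2011.pdf: constructed sample contents');

// Derive a 256-bit key with scrypt (Node's default cost parameters).
// The passphrase and key stay on the client; only the salt is stored.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt with AES-256-GCM using a fresh random salt and IV per backup.
function encryptBackup(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ciphertext]);
}

// Decrypt a blob fetched back from the provider. Throws if the passphrase
// is wrong or if any byte of the stored blob was altered.
function decryptBackup(blob, passphrase) {
  if (blob.length < HEADER_LEN) throw new Error('backup blob too short');
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, HEADER_LEN);
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', deriveKey(passphrase, salt), iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]);
}

// Simulate a provider (or anyone with storage access) flipping one bit
// of the stored ciphertext, and report whether restore rejects it.
function tamperDetected(blob, passphrase) {
  const modified = Buffer.from(blob);
  modified[modified.length - 1] ^= 0x01;
  try {
    decryptBackup(modified, passphrase);
    return false;
  } catch (err) {
    return true;
  }
}
```

Losing the passphrase means losing the backup, which is the trade-off that makes the provider unable to read it.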