This week marks the 25th anniversary of the Electronic Communications Privacy Act (ECPA), the main federal law setting standards for government access to electronic communications like email.As we’ve been saying for years, ECPA is woefully outdated, putting Americans’ privacy at risk.
That’s why EFF is a co-sponsor of Tuesday’s press conference about updating privacy law for the 21st Century.Senator’s Ron Wyden (D-OR) and Mark Kirk (R-IL) will discuss the changes needed to ensure privacy rights as technology continues to advance.
But the 1980s weren’t all bad news.If you are in Washington, D.C., you should Party Like it’s 1986 on the evening of Oct. 20.It will be a chance to celebrate what was great about the 80s while showing support for improved privacy law.And remember to sign the petition calling on Congress to update the law to safeguard our digital privacy.Americans deserve more than yesterday’s laws when using today’s technology.
Two years ago, civil society organizations met in Madrid to draft a Declaration that reaffirmed international standards for Internet privacy. On October 31, civil society groups will meet again in Mexico City to review the Madrid Privacy Declaration and examine privacy laws and policies in Latin America and around the world. This gathering is being organized by The Public Voice, a coalition of global civil society groups that promotes privacy and free expression on the Internet. EFF is part of this coalition and will be presenting at the conference. The event will be held in conjunction with the 33rd Data Protection and Privacy Commissioners Conference.
The Public Voice conference will review the protection of privacy rights outlined in the Madrid Privacy Declaration and consider strategies to expand these protections. It will also look at larger questions such as whether privacy and data protection is really dependent on cultural and generational differences as is often claimed.
Is it true that some countries and communities are more tolerant of privacy invasions and data sharing? How can policy analysts determine what people around the world really think about their right to privacy? How do governments make use of this information as they develop privacy policies and legislative measures? The Public Voice conference will look at whether legislation and implementation of national privacy laws actually reflect the needs of civil society.
Other panels at the Public Voice will examine specific issues such as how social media can be used to help safeguard freedom of expression without undermining norms and laws protecting privacy. Evolving data protection legislation will be discussed, such as the complex Droit d' Oubli or “right to forget” concept that was first debated in France and is now being promoted by Viviane Redding, European Commissioner responsible for justice, fundamental rights and citizenship. Can digital communications technology support a right that prevents individuals from being held accountable for unguarded actions of their past?
In addition to policy issues, the Public Voice conference will help raise public awareness of emerging surveillance technologies such as facial recognition applications, employment verification programs, automobile black boxes, Internet identification systems and emerging technologies like smart meters that track electricity usage. Panels will consider how the public can access different forms of tracking technology for private use. How do these new forms of technology threaten privacy? What happens when collecting intimate details about a person’s life is valued above all else? Can technology, policy and innovation work together to support both privacy and security?
These questions are particularly pressing in Latin America where many democratically elected governments still fail to respect human rights, including the right to privacy. There have been multiple scandals involving government officials and intelligence agencies engaged in illegal surveillance and misuse of interception technologies to spy on politicians, dissidents, judges, human rights organizations and activists. Disclosed data gathering programs have provided a glimpse of concealed surveillance architectures that are used as political tools to identify, control and stifle dissent.
Members of civil society deprived of their privacy must fight back! Show the world how surveillance technology impacts human rights and freedom of expression. Help pressure governments in Latin America and throughout the world to pass meaningful privacy protections. Registration for the Public Voice event is free. Come and join us. Blog and tweet the discussions at #tpv11. Fight for everyone’s right to privacy!
Before the Public Voice conference, EFF will visit evolving hackerspaces in Mexico. Join us for the HackLab event HACKMITIN 2011 from October 28 – 30. Learn more about hacklabs in Mexico. See you there.
Occupy Wall Street has called for a global day of action on October 15, and protesters are mobilizing all over the world. In the United States, the Occupy Wall Street movement has already spawned sizeable protests in New York, Washington DC, Boston, Seattle, San Francisco, Oakland, Austin, and other cities. Several of these movements have faced opposition from their local police departments, including mass arrests.
Protesters of all political persuasions are increasingly documenting their protests -- and encounters with the police -- using electronic devices like cameras and cell phones. The following tips apply to protesters in the United States who are concerned about protecting their electronic devices when questioned, detained, or arrested by police. These are general guidelines; individuals with specific concerns should talk to an attorney.
1. Protect your phone before you protest
Think carefully about what’s on your phone before bringing it to a protest. Your phone contains a wealth of private data, which can include your list of contacts, the people you have recently called, your text messages, photos and video, GPS location data, your web browsing history and passwords, and the contents of your social media accounts. We believe that the police are required to get a warrant to obtain this information, but the government sometimes asserts a right to search a phone incident to arrest -- without a warrant. (And in some states, including California, courts have said this is OK.) To protect your rights, you may want to harden your existing phone against searches. You should also consider bringing a throwaway or alternate phone to the protest that does not contain sensitive data and which you would not mind losing or parting with for a while. If you have a lot of sensitive or personal information on your phone, the latter might be a better option.
Password-protect your phone - and consider encryption options. To ensure the password is effective, set the “password required” time to zero, and restart phone before you leave your house. Be aware that merely password-protecting or locking your phone is not an effective barrier to expert forensic analysis. Some phones also have encryption options. Whispercore is a full-disk encryption application for Android, and Blackberry also has encryption tools that might potentially be useful. Note that EFF has not tested these tools and does not endorse them, but they are worth checking into.
Back up the data on your phone. Once the police have your phone, you might not get it back for a while. Also, something could happen, whether intentional or not, to delete information on your phone. While we believe it would be improper for the police to delete your information, it may happen anyway.
2. You’re at the protest – now what?
Maintain control over your phone. That might mean keeping the phone on you at all times, or handing it over to a trusted friend if you are engaging in action that you think might lead to your arrest.
Consider taking pictures and video. Just knowing that there are cameras watching can be enough to discourage police misconduct during a protest. EFF believes that you have the First Amendment right to document public protests, including police action. However, please understand that the police may disagree, citing various local and state laws. If you plan to record audio, you should review the Reporter’s Committee for Freedom of the Press helpful guide Can We Tape?.
3. Help! Help! I’m being arrested
Remember that you have a right to remain silent -- about your phone and anything else. If questioned by police, you can politely but firmly ask to speak to your attorney.
If the police ask to see your phone, you can tell them you do not consent to the search of your device. They might still legally be able to search your phone without a warrant when they arrest you, but at least it’s clear that you did not give them permission to do so.
If the police ask for the password to your electronic device, you can politely refuse to provide it and ask to speak to your lawyer. Every arrest situation is different, and you will need an attorney to help you sort through your particular circumstance. Note that just because the police cannot compel you to give up your password, that doesn’t mean that they can’t pressure you. The police may detain you and you may go to jail rather than being immediately released if they think you’re refusing to be cooperative. You will need to decide whether to comply.
4. The police have my phone, how do I get it back?
If your phone or electronic device was illegally seized, and is not promptly returned when you are released, you can file a motion with the court to have your property returned. If the police believe that evidence of a crime was found on your electronic device, including in your photos or videos, the police can keep it as evidence. They may also attempt to make you forfeit your electronic device, but you can challenge that in court.
Cell phone and other electronic devices are an essential component of 21st century protests. Whether at Occupy Wall Street or elsewhere, all Americans can and should exercise their First Amendment right to free speech and assembly, while intelligently managing the risks to their property and privacy.
The saga of the lost iPhone prototype -- the 2010 incident at least, not the most recent one -- has finally concluded. On Tuesday, Brian Hogan (who allegedly found the iPhone 4 prototype in a Redwood City bar) and Sage Wallower (who allegedly helped Hogan contact various web sites about the find) pleaded no contest to misdemeanor theft and were sentenced to probation, 40 hours of community service, and $250 each in restitution payments to Apple.
As part of the criminal investigation surrounding the incident last year, agents with the Rapid Enforcement Allied Computer Team (REACT), a "partnership of 17 local, state, and federal agencies" focused on computer-related crime in the Bay Area, executed a warrant and raided the home of Gizmodo editor Jason Chen, searching for evidence related to Gizmodo's scoop about the lost phone. As we repeatedlypointed out at the time, regardless of whether Chen or Gizmodo could have been charged with any crime related to obtaining and discussing the phone, state and federal law plainly barred the issuance and execution of the search warrant directed at journalist-held information "obtained or prepared in gathering, receiving or processing of information for communication to the public." While never discussing the matter directly, the San Mateo D.A.'s office tacitly conceded as much three months later when they petitioned the court to withdraw the warrant.
It turns out that prosecutors concluded that neither Chen nor Gizmodo did anything wrong after all. Legally, that is. Speaking to CNET.com earlier this week, San Mateo County District Attorney Steven Wagstaffe said that there was not sufficient evidence to charge anyone associated with the tech site with "possession of stolen property" or "extortion." Nevertheless, Wagstaffe took it upon himself to deride the quality of the improperly-seized, unpublished correspondence between the Gizmodo editors, describing it as "juvenile."
"It was obvious that they were angry with the company about not being invited to some press conference or some big Apple event. We expected to see a certain amount of professionalism--this is like 15-year-old children talking," Wagstaffe said. "There was so much animosity, and they were very critical of Apple. They talked about having Apple right where they wanted them and they were really going to show them."
San Mateo law enforcement officers are in no position to comment on professionalism in this matter. Illegally breaking into the home of a journalist and seizing his property is profoundly troubling, especially as law enforcement shows no apparent sign of remorse or of learning from their mistake. Indeed, one cannot avoid feeling a sense of deja vu upon hearing the recent news of the questionable police-escorted search of a San Francisco home by Apple employees apparently looking for another lost iPhone prototype. As it was their agents who did not comply with the law, Wagstaffe and the San Mateo County Sheriff's Office owe Chen and Gizmodo an apology, not snide commentary, now that the matter has concluded.
Just three months ago, we at EFF expressed our disappointment with Australia's two largest Internet service providers (ISPs), Telstra and Optus, for agreeing to implement a filtering scheme after a filtering bill from the Australian government failed to pass.
The blocked sites were to include "the appropriate subsection of the Australian Communications and Media Authority (ACMA) blacklist as well as child abuse URLs that are provided by reputable international organisations," according to News.com.au. Now, in conjunction with the Christian organization Mothers' Union, UK Prime Minister David Cameron has decided to take similar measures, enacting a plan with four of Britain's major ISPs—BT, TalkTalk, Virgin, and Sky—to block access to pornography, gambling, self-harm, and other blacklisted websites. The "good news" is that the filtering isn't mandatory: New customers will be required to select between a filtered and unfiltered connection, while existing customers will be offered the same choice via email. The bad news, on the other hand, is extensive.
First, the plan lacks transparency. The blocked categories are vague in nature, and the list's origins unknown. Not only do the categories contain legal content in some cases, but there is significant room for overblocking. For example, one filtering tool used by several Middle Eastern governments categorizes Tumblr.com as pornography, because several pornographic blogs are hosted on the platform.
Second, customers of ISP TalkTalk who opt out are still monitored, says University of Cambridge security research Richard Clayton, who in May noted a series of privacy concerns relating to TalkTalk's use of the HomeSafe system, the same system the ISP intends to use for filtering. According to Clayton, "the company scans all web addresses that its customers visit regardless of whether they have opted-in to the service."
Third, opt-in services create privacy concerns. Users who choose to opt out of the "bad" content filter are then on one list. The plan does not in include privacy protections for the people who choose to opt out. The list could potentially be made public, shaming users who would prefer their Internet with its pornography, gambling, and self-harm websites intact.
Lastly, as ZDNet's Violet Blue points out, the decision by PM Cameron and Mother's Union is based on the Bailey Report [PDF], a UK Department for Education report that relied heavily upon phone surveys with parents, input from Christian organizations, and a Murdoch-funded Australia Institute report entitled Youth, Sex, and the Internet.
Time and time again, filtering based on blacklists has proven to be overbroad, blocking access to some offensive websites at the cost of many legitimate ones. Parents have plenty of Internet filtering options which they can implement by installing software on their computers at home without having to resort to filtering at the ISP level, especially given the potential privacy risks this plan may pose for Internet users throughout the UK.
For the past six months, EFF has strongly supported SB 914, a bill recently passed by the California state legislature that would require police officers to get a warrant before searching through an arrested suspect’s cell phone.
Last month, the bill received overwhelming support from both Democrats and Republicans, passing the California State Assembly 70-0 and then the State Senate, 32-4. Despite such strong bipartisan support, Governor Brown disappointingly vetoed the bill (PDF) yesterday.
SB 914, written in response to the California Supreme Court decision in People v. Diaz, upheld basic constitutional principles. It just maintained Fourth Amendment protection to the contents of cell phones, requiring officers to show a judge there is probable cause that the phone has evidence of a crime before it is searched incident to arrest.
The bill was strongly opposed by law enforcement groups, yet SB 914’s effect on the police’s ability to do its job would be almost non-existent. As we pointed out in May, “cell phones pose no danger to the police, the threat of destruction of evidence can be easily remedied through simple preservation methods, and many arrests do not result in criminal prosecution at all.”
Privacy rights, however, will now take a major hit thanks to Gov. Brown’s veto.
As we warned when the bill was up for a vote, “Without SB 914, officers can use a pretextual arrest to casually browse the data on a person's cell phone for any reason, even if that person is never charged with a crime.” Smart phones, of course, contain a wealth of personal information, far beyond just call logs and address books. They store text messages, emails, photo albums, Internet browsing history and GPS location technology – and police will have unfettered access to all of it, even if they don’t suspect there is any evidence of a crime on the device.
This should be especially concerning for Californians involved in large protests and rallies. As we've seen in the recent Occupy Wall Street protests in New York, Seattle, Boston, and now San Francisco, the police have arrested protestors under a variety of pretenses. With Governor Brown’s veto, law enforcement will now be free to search through the cell phone of any arrested protestor and use its contents as evidence for alleged crimes that may have nothing to do with protesting. Because individuals in such circumstances don't have court or legislative protection in California, they should be aware of just what kinds of information are stored in their mobile devices. Where possible, they should also consider taking technical steps, such as disk encryption, to protect their data.
Despite the obvious privacy concerns, Governor Brown’s statement noted “Courts are better suited to resolve the complex and case specific issues relating to constitutional search-and-seizures protections.”
But as law professor Orin Kerr explained, Governor Brown actually has it backwards: a temporary legislative fix is much preferable to waiting for the courts.
It is very difficult for courts to decide Fourth Amendment cases involving developing technologies like cell phones. Changing technology is a moving target, and courts move slowly: They are at a major institutional disadvantage in striking the balance properly when technology is in flux…In contrast, legislatures have a major institutional advantage over courts in this setting. They can better assess facts, more easily amend the law to reflect the latest technology, are not stuck following precedents, can adopt more creative regulatory solutions, and can act without a case or controversy.
In fact, just last week, the United States Supreme Court declined to hear an appeal of California v. Diaz, ensuring the ultimate issue would remain unresolved by the nation’s highest court in the near future.
SB 914 was a much-needed fix for privacy violations happening now. Two cases, both decided in the last few weeks, are stark examples of where the Diaz decision is rapidly taking us. The routine privacy violations that EFF predicted would happen are now real and dangerous and we need legislative action to correct them.
In In re Alfredo C(PDF), police arrested a juvenile suspected of vandalism for spray painting graffiti in an alley. Despite being caught literally red handed, with spray paint on his hands and clothing, officers searched the juvenile, found a digital camera, and searched it without a warrant. The search was found reasonable on the basis of Diaz.
Similarly, in People v. Nottoli, (PDF) the defendant was pulled over for speeding. While talking with the defendant, officers suspected he was under the influence of drugs and placed him under arrest. Despite finding plenty of evidence of drug use in the defendant’s car, officers decided to nonetheless search his cell phone without a warrant. Again, the court found that the opinion in Diaz justified the search.
While Governor Brown’s veto of SB 914 is a setback for cell phone privacy, we will continue to fight for your rights. With strong support from both parties in the California state legislature, as soon as the bill can be brought up again, EFF will make sure Governor Brown reconsiders his extremely disappointing decision.
Canada is a popular destination for those who like to fish, but the Canadian government is attempting to spark what may be the country’s largest-ever fishing expedition into its citizens’ private online data.
Supporters of Canada’s “lawful access” legislation were foiled on September 20th when they were pressured to withdraw proposed warrantless digital surveillance measures from an omnibus crime bill. While this is certainly a step in the right direction, Canadian Justice officials say they are “committed to reintroducing” the bills. We must halt this assault on civil liberties in Canada.
The legislative proposals, expected to reincarnate former bills C-50, C-51 and C-52, would allow Canadian authorities to force Internet service providers to disclose private customer data without a warrant. This information included the name, address, phone number, IP address, email address, and other records about subscribers that could provide a detailed profile of online activity. In past iterations, the cluster of bills that make up “lawful access” also mandated surveillance technologies for Internet service providers, broadened police powers, and gave online service providers carte blanche immunity to spy on their customers on behalf of the police.
These measures would give authorities backdoors through which they can access data generated during the creation, transmission, or reception of a communication, including its origin and destination. The proposed Canadian “lawful access” legislation would in some circumstances even ban online service providers from even telling subscribers that their private data has been disclosed - undermining opportunities to challenge basic violations of privacy.
Your IP address can tell authorities what websites you visit and who you communicate with. It could reveal otherwise anonymous online identities, your social networking contacts, and even at times your physical location via GPS. Just this amount of data linked to your real identity could be used to create a nicely detailed police profile – all without any suspicious activity or legal justification. Oh Canada!
Canada’s provincial and federal Privacy Commissioners, who take Canadians’ personal privacy seriously, have sent an unprecedented joint letterto the Government expressing their concerns about this legislation. Careful Canadians, who rightly believe that their personal data is worth protecting, are fighting against the creation of a freewheeling surveillance state. Even Canada’s own police association seems wary of gaining access to personal data without first asking a judge.
If you are not alarmed by this legislation, you should be. “Lawful access” is the misshapen offspring of the Cybercrime Convention. Countries have been using this treaty as an excuse to invade citizens’ privacy for a decade since it was first enacted. Canada’s surveillance initiative is akin to Australia’s, where citizens are fighting their own overbroad online surveillance laws.Many of these new surveillance powers go far beyond the Convention’s intended levels of intrusiveness. Of course, our personal data is even more vulnerable now that we store so much of it in the cloud with third party service providers.
Canadians have so often been a voice of calm reason during international debates; now we must come to their defense before the right to privacy and anonymous free expression in Canada is gutted like – well, a fish.
The word is certainly out that the Canadian government is trying to push through fishy “lawful access” legislation. A petitionhas been launched by Canadian civil society groups, hosted by OpenMedia.ca, and has already been signed by more than 70,000 people. You should sign it too. And speak out against this proposed legislation in your blogs and social networks.
Tell your Canadian friends that putting their fellow citizens under digital surveillance should require a warrant and notification to subscribers. Insist that the Canadian Parliament thoroughly vets this reckless legislation and ensures that any “lawful access” scheme includes robust oversight and effective audit and reporting requirements. As the Canadian national anthem says: "The True North strong and free!”
On Saturday October 1st, eight countries (the United States, Australia, Canada, Japan, Morocco, New Zealand, Singapore, and South Korea) signed the Anti-Counterfeiting Trade Agreement (ACTA) in Tokyo, Japan. Three of the participating countries (the European Union, Mexico, and Switzerland) have not yet signed the treaty, but have issued a joint statement affirming their intentions to sign it “as soon as practicable.” ACTA will remain open for signature until May 2013. While the treaty’s title might suggest that it deals only with counterfeit physical goods such as medicines, it is in fact far broader in scope. ACTA contains new potential obligations for Internet intermediaries, requiring them to police the Internet and their users, which in turn pose significant concerns for citizens’ privacy, freedom of expression, and fair use rights.
EFF was one of the first groups to raise the alarm about ACTA, when negotiations were first announced by the U.S. Trade Ambassador, the European Union, and Japan in October of 2007. From the beginning, we were deeply concerned about the lack of transparency in the negotiating process. The U.S. Trade Representative (USTR) drafted a confidentiality agreement, signed by all parties, which purported to prohibit negotiating countries from disclosing any information about ACTA. Nevertheless, several versions of the trade agreement text and accompanying negotiating documents were leaked to the public, which allowed legal scholars from the participating countries to effectively analyze the impact of ACTA on many different countries with differing legal regimes and regulatory policies. The combination of scholarly analysis and pressure from civil society has helped to rein in the treaty. Many of the most concerning specific provisions that were present in preliminary versions of ACTA, such as requirements for ISPs to adopt Three Strikes Internet disconnection policies, were eliminated from the "final" version released by the USTR in May 2011.
Controversy over ACTA in the United States is far from over. Senator Ron Wyden has sent a letter to President Obama asking why the administration believes that ACTA does not require formal approval from Congress. Wyden goes on to point out that legal scholars have repeatedly raised concerns that ACTA is not consistent with US law and if the USTR ratifies ACTA without Congressional consent, it may be circumventing Congress' Constitutional authority to regulate international commerce. The letter goes on to say:
The executive branch lacks Constitutional authority to enter a binding international agreement covering issues delegated by the Constitution to Congresses' authority, absent Congressional approval.
Meanwhile, Brazil's parliament is debating proposed "Anti-ACTA" legislation, with provisions for the protection of net neutrality and the privacy and personal data of individuals, in direct opposition to language in ACTA which gives copyright holders carte blanche to demand trafic logs from ISPs to identify alleged offenders.
Unfortunately, rightholders' efforts to use multi-lateral treaties to enforce their intellectual property rights across the world may not end with ACTA. A leaked version of the IP chapter of the Trans Pacific Partnership Agreement (TPP), which is currently being negotiated by nine countries (U.S., Australia, Peru, Malaysia, Vietnam, New Zealand, Chile, Singapore, and Brunei) indicates that U.S. negotiators are pushing for the adoption of copyright measures far more restrictive than ACTA. Like ACTA, TPP is being negotiated rapidly and with little transparency. Negotiating countries hope to complete the agreement by November 2011. If you are in the U.S., now is the time to contact your lawmakers and demand transparency around TPP.