Earlier this week, EFF recognized the accomplishments of U.S. Senator Ron Wyden, encryption expert Ian Goldberg (pictured left), and influential Tunisian blog Nawaat.org at the 20th annual Pioneer Awards Ceremony in San Francisco. EFF established the Pioneer Awards in 1992 to recognize leaders on the electronic frontier who are extending freedom and innovation in the realm of information technology. We were glad to welcome back to this year's ceremony a number of previous Pioneer Award winners, including Peter Neumann, Patrick Ball, Mark Klein, Whitfield Diffie, and Harvey Anderson and Tom Lowenthal on behalf of the Mozilla Foundation. Needless to say, this year's winners join an esteemed group.
Keynote speaker Evan Williams and EFF Activism Director Rainey Reitman kicked off the program with a conversation about how Blogger and Twitter have changed the way we communicate online. As Evan put it, tools for publishing personal observations about the world revealed untapped potential for creativity and social change. He believes entrepreneurs have a responsibility to develop technology that enhances civil liberties online and to participate in political debates where free speech, privacy, and innovation might be at stake.
EFF Senior Staff Attorney Kevin Bankston described the political landscape in which U.S. Senator Ron Wyden (D-Ore.) has stood out as the defender of online freedom in Congress. In his first year in office, Senator Wyden wrote Section 230 of the Communications Decency Act, an extremely important piece of legislation that shields online service providers from liability for content published by their users and that has enabled 15 years of unparalleled innovation in communications technologies. Senator Wyden has been the clear leader in a push to update electronic privacy law for the 21st century through his introduction of the Geolocation Privacy and Surveillance, or “GPS,” Act. Senator Wyden was unable to attend the Pioneer Awards in person, so he sent us the following acceptance speech:
EFF Senior Staff Technologist Seth Schoen introduced our second Pioneer Award winner, technologist Ian Goldberg. As Seth explained, Ian has spent his entire career trying to ensure that cryptography's promise for enhancing privacy is really delivered -- both by showing how popular systems are insecure so they can be fixed, and by developing innovative new systems to protect users. After accepting his award, Ian described how and why he created the widely used instant message encryption program Off-The-Record Messaging and how he continues to dedicate his time to creating privacy-enhancing technologies.
EFF Director of International Freedom of Expression Jillian York introduced the co-founders of Nawaat.org. The audience welcomed Sami Ben Gharbia, Malek Khadhraoui and Riadh Guerfali (pictured right) to the stage with resounding applause. Taking tremendous risks to advocate for democracy under a repressive regime in Tunisia, the Nawaat team demonstrates the potential benefit to society when online communications remain free. Riadh exhorted the audience to think about what we want the Internet to look like for future generations and to do everything in our power to make that a reality.
Each year, EFF Pioneer Award winners are nominated by members of the public. We invite you to keep an eye out for potential nominees and share their accomplishments with us next year at https://www.eff.org/awards/pioneer. Thank you to photographers Chris Rasch and Leez Wright.
This is part 2 of a series on the security of HTTPS and TLS/SSL. [Part 1]
In a previous post, we discussed some structural insecurities in HTTPS and TLS/SSL, and how those are beginning to pose serious problems for the security of the Web.
In this post I will introduce a new proposal called "Sovereign Keys", which is intended to systematically fix these weaknesses in the way that encrypted Internet protocols perform authentication. The proposal should be considered "draft" and "experimental". It will take at least a couple of years to build and test implementations of the idea to a sufficient degree for large-scale deployment, and so even if the Sovereign Keys design is successful, we are going to need some band-aids for HTTPS insecurity in the meantime (what band-aids are available is a subject for a future post). A draft design document for the Sovereign Key project is now online; this post attempts to give a high-level and less technical summary of the design's objectives and features. We are also working on a prototype implementation, and fundraising to support the project — we will publish code as soon as it's good enough to hack on and experiment with.
The Sovereign Keys design would allow clients and servers to use cryptographic protocols without having to depend on any third parties after the moment the server creates a Sovereign Key. But the design also aims to do a couple of things that other proposals for fixing the problems with CA proliferation and domain validation do not. The biggest is to remove certificate warnings altogether, and to replace them with automatic circumvention of attacks.
What's wrong with certificate warnings? How can we abolish them?
Research has shown that human beings don't understand certificate warnings and often click through them. That's not surprising: X.509 certificates are an extremely complicated and obscure infrastructure. Usually, when we get error messages about them, the errors have innocent causes, and the rational response is to click through the warning to get to the site you're trying to visit.[1] But what this means is that certificate warnings don't offer much protection when they are trying to tell people about a real, serious attack.
An example of this problem is the man-in-the-middle attack that was observed by Syrian Facebook users in May of this year. That attack was conducted with an arbitrary certificate, not one signed by a trusted CA — so every target would have seen a warning message like this one:
However, research from the Usable Privacy and Security Lab at CMU indicates that a large proportion of those targets probably clicked through and logged into their Facebook accounts anyway. The warning would only have protected a fraction of them.
Browser developers have realized this problem exists, and have been continually changing the way certificate warnings work, to make them nastier-looking and harder to click through. That helps slightly, but is also quite absurd, because it doesn't change the underlying fact that certificate warnings most often occur for unhelpful bureaucratic reasons, and many users learn to click around them out of necessity or rational pragmatism.
In the Sovereign Key design, certificate warnings are unnecessary. For websites that choose to publish a Sovereign Key (more on how you do that below and in the design docs), the web browser or email client will never show a certificate warning. Instead, if an attempt to connect over TLS results in a session that isn't cross-signed by the Sovereign Key, the browser can automatically circumvent the attack. The strongest way to do this is to compute a hash of the Sovereign Key, and use that as the .onion address of a Tor hidden service. It is also possible to use proxies or VPNs for weaker versions of this protection (in a later post we'll talk about why it's better to use Tor hidden services for this purpose). Because these methods may be slow, the user can be shown a message along the lines of "Experiencing difficulty establishing a secure connection to this site. Give us a moment while we try harder...", with a nice friendly spinning hourglass or beachball, or better, a realtime depiction of the progress of the attack circumvention process.
If, after an attempt at circumventing attacks, the browser still cannot establish a verified connection to the server, it reports an error indicating that the server is unreachable.
Technical Overview: How is a Sovereign Key created? How do clients learn about them?
In the design, Sovereign Keys are created by writing to a semi-centralized, verifiably append-only data structure. The main requirement for being able to do this is that the requesting party controls a CA-signed certificate for the relevant domain, or uses a DNSSEC-signed key to show that they control that domain.[2]
Master copies of the append-only data structure are kept on machines called "timeline servers". There is a small number, around 10-20, of these. The level of trust that must be placed in them is very low, because the Sovereign Key protocol is able to cryptographically verify the important functions they perform. Sovereign Keys are preserved so long as at least one server has remained good. For scalability, verification, and privacy purposes, lots of copies of the entire append-only timeline structure are stored on machines called "mirrors". The timeline data structure might grow to be hundreds of gigabytes in size, but that is presently a small portion of a $100 disk drive.
Clients learn about Sovereign Keys by sending (encrypted) queries to mirrors. Once a client knows a Sovereign Key for a domain, that fact can be cached for a very long time, with only occasional queries to check for revocations. This arrangement has some nice properties in terms of making the protocol quite robust even if mirrors are malicious, blocked, or just unreliable. Clients can keep using the protocol for long periods under very hostile network conditions (like those you might find in Syria, Iran or Burma), although eventually, if they are unable to find good mirrors for weeks at a time, they will fail safe altogether.
How Strong is the Security Provided by Sovereign Keys?
In the existing TLS authentication system, there are lots of ways for attackers to obtain certificates perfidiously. In the Sovereign Key design, the attacker needs to not only perform one of those attacks, but must also possess a time machine to travel back before the target's Sovereign Key was written into the append-only data structure.
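The "time machine" argument above, as an added example that is not part of the original post or of the Sovereign Keys draft: a toy timeline in which the earliest entry for a name wins and a mirror that remembers an earlier state rejects rewritten history. The SHA-256 hash chain, the JSON entry layout and every name, key and evidence string are assumptions constructed for illustration; signatures, revocation and the draft's real entry format are not modelled.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder hash that precedes the first entry


def entry_hash(prev_hash, body):
    """Bind an entry to everything before it by hashing it with its predecessor."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(entries, name, key, evidence):
    """Return a new timeline with one more entry; earlier entries are untouched.

    `evidence` stands in for the CA-signed certificate or DNSSEC proof that
    the post says is required to write an entry (not verified in this toy).
    """
    prev = entries[-1]["hash"] if entries else GENESIS
    body = {"sn": len(entries) + 1, "name": name, "key": key, "evidence": evidence}
    return entries + [{"body": body, "hash": entry_hash(prev, body)}]


def verify_chain(entries):
    """Check serial numbers and hashes; True if the copy is self-consistent."""
    prev = GENESIS
    for i, entry in enumerate(entries, start=1):
        if entry["body"]["sn"] != i or entry["hash"] != entry_hash(prev, entry["body"]):
            return False
        prev = entry["hash"]
    return True


def checkpoint(entries):
    """What a mirror or client remembers: length and head hash of what it saw."""
    return (len(entries), entries[-1]["hash"] if entries else GENESIS)


def is_extension(seen, entries):
    """Append-only check: the new copy must contain the remembered prefix."""
    seen_len, seen_head = seen
    if not verify_chain(entries) or len(entries) < seen_len:
        return False
    return seen_len == 0 or entries[seen_len - 1]["hash"] == seen_head


def resolve(entries, name):
    """Client rule in this toy: the earliest entry for a name is authoritative."""
    for entry in entries:
        if entry["body"]["name"] == name:
            return entry["body"]["key"]
    return None


def demo():
    # Constructed sample data: the site registers first, a mirror checkpoints.
    timeline = append([], "example.org", "sk-legit", "ca-cert")
    timeline = append(timeline, "example.net", "sk-other", "dnssec")
    seen = checkpoint(timeline)

    # Later, someone holding a mis-issued certificate writes a competing entry.
    late = append(timeline, "example.org", "sk-attacker", "mis-issued-ca-cert")

    # Without a time machine the only alternative is to rewrite history:
    # an internally consistent chain whose first entry carries the other key.
    forged = append([], "example.org", "sk-attacker", "mis-issued-ca-cert")
    forged = append(forged, "example.net", "sk-other", "dnssec")

    return {
        "late_claim_is_valid_append": is_extension(seen, late),
        "key_after_late_claim": resolve(late, "example.org"),
        "forged_chain_self_consistent": verify_chain(forged),
        "forged_accepted_by_mirror": is_extension(seen, forged),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The forged copy passes its own consistency check, which is why the checkpoint comparison against a previously seen head is the step that matters.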
This means that websites can choose not to depend on any third parties for the security of their encryption, if they wish to. In practice, we expect many domains to use a third-party service provider for Sovereign Key management,[3] but the domain holders can choose exactly which if any such parties they wish to trust. That is in stark contrast to the present situation, where every HTTPS website is vulnerable to security incidents or malfeasance in an uncontrollably large number of places.
The basic Sovereign Key idea is quite simple, but the addition of real-world requirements (revocation, renewal and transfer of keys; scalability; resistance to denial-of-service attacks; good tools to make all of this simple for systems administrators) makes the project somewhat ambitious.
We are working on an experimental prototype implementation, and fundraising to support this project. We'll have more to say when there's code ready for people to play with. In the meantime, we'll follow up with more posts comparing the Sovereign Key design to other proposals for addressing the insecurities in the existing Public Key Infrastructure, including DNSSEC and Perspectives/Convergence.
1. Causes of false-positive warnings about certificates include certificate expiry, certificates that cover fewer variants of a domain name than the webserver they're used on, the strange phenomenon we have been calling transvalidity, where some certificates are only valid if your browser has cached the right intermediate CA certificates beforehand (the SSL Observatory found about 100,000 servers using transvalid certificates that sometimes cause these mysterious warnings), use of a CA that is trusted by some browsers but not others, and a choice by a webserver operator to use a self-signed cert rather than paying a CA for one.
2. In the current draft, there are additional requirements, including that an OCSP check for the CA certificate is successful, that the domain has been redirecting all HTTP traffic to HTTPS and publishing an HSTS header with this domain for the past two weeks.
3. Because Sovereign Keys are so strong, they need to be backed up redundantly and revocation and re-issuance need to be managed well. Anyone can do this, but specialized service providers will be the lowest-effort way to do it.
This week the House of Representatives opens hearings on the Stop Online Piracy Act (SOPA), a bill that EFF--along with a number of prominent organizations and other actors--has opposed loudly and vigorously.
"...by institutionalizing the use of internet censorship tools to enforce domestic law in the United States creates a paradox that undermines its moral authority to criticize repressive regimes. We urge the United States to uphold its proclaimed responsibility as a leader in internet freedom and reject bills that will censor or fragment the web."
UAE Blogger Begins Hunger Strike
Emirati blogger Ahmed Mansour, along with the five activists with whom he was arrested--Nasser bin Gaith, Fahid Salim Dalk, Hassan Ali Khamis and Ahmed Abdul Khaleq--started a hunger strike on Tuesday. In a statement published by Human Rights Watch, the activists state:
The charges against us involve merely a few lines written in October 2010, using aliases, on a website that the state authorities blocked in February 2010. These lines contained words that the Public Prosecution, in April 2011, deemed a misdemeanor punishable under Articles 176 and 8 of the Penal Code, which mandates a penalty of no more than five years imprisonment for any person who publicly insults the President, a member of the Supreme Council, a Crown Prince, or the national flag or motto. As some of us have actively expressed our opinions demanding some political, economic, and cultural reforms in the country, State Security alleged six months after the publication of these lines that we were the ones who had written the lines in question using pseudonyms. As a result, we were arrested on April 8 and 9, after which we endured numerous flagrant injustices that have nearly transformed our country from an oasis of safety and stability to something like a police state. Our attorneys refuted the charges and explained in their briefs that the allegations against us were false, unfounded, and legally unsound as the elements of the crime did not exist. Moreover, the prime witness in the case used an inaccurate surveillance system that repeatedly erred, and he gave a testimony that was replete with errors, lies, confusion, and falsification. The evidences presented in the case were weak and dubious, and raises questions about the timing of the arrest and charges.
The detained activists also highlight the abuses they've endured during their seven months of detention, and call for an independent investigation of their case. The verdict in their case is slated for November 27.
EFF reiterates our condemnation of the proceedings and demands the immediate and unconditional release of all five activists.
Chilean News Sites Suffer Cyber-Attacks
Amidst ongoing student-led protests in Chile, several Chilean news sites suffered attacks earlier this month. According to a report from Reporters Without Borders, alternative news site Sitiocero experienced an attack that resulted in the loss of the site's records since June and required the site to go offline for 24 hours. Two other news sites suffered lesser attacks.
In light of other recent attacks, such as the minor bombing of a building that houses Chilean daily La Tercera, EFF has concerns for the safety of bloggers and online journalists in Chile. We suggest a multi-faceted approach to online safety by utilizing tools like HTTPS Everywhere and Tor. At the same time, website owners can mitigate the effects of online attacks by mirroring their site and regularly backing up its content.
This morning, EFF’s staff and concerned netizens across the country tuned into the live webcast of the House Judiciary Committee’s hearing on the Stop Online Piracy Act (H.R. 3261). At least we tried to. Unfortunately, we were confronted with an incredibly poor webcast stream for much of the hearing. We find it ironic and deeply concerning that Congress is unable to successfully stream video of an event this important to all Internet users, even as they are debating a dangerous plan to change the Internet in fundamental ways and deputize Internet intermediaries to act like content police.
Many of the online watchers took to Twitter to voice their concerns about being shut out of the hearing by the poor quality webcast. But the Internet community was shut out of the hearing in a more fundamental way: of the six witnesses called to testify on Congress’ plan to heavily regulate the Internet, there was only one representative of the technology sector. As Public Knowledge’s Martyn Griffen tweeted: “#SOPA Hearing internet still fading in and out. It'd be great if an internet engineer could fix the website issue in return for testifying.”
We couldn’t agree more. Congressman Lamar Smith’s office noted the poor quality webcast, telling journalist Declan McCullagh: "Our tech folks are trying to fix it, so please be patient." While the issue wasn’t resolved in time for concerned citizens across the nation to watch the testimonies, it was restored in time for the questions and answers at the end.
Recorded video from the hearing should be posted online in the next few hours. Once it’s up, we’ll post the link here and provide you with our analysis. In the meantime, we urge individuals concerned about the bill to contact their members of Congress today and take part in the American Censorship Day online actions.
The House Judiciary Committee will meet today for a hearing on the controversial Stop Online Piracy Act (SOPA). What could have been an opportunity for the committee to hear from a variety of stakeholders has devolved into a parade of pro-SOPA partisans. Scheduled to testify are representatives from the Register of Copyrights, Pfizer Global Security, the Motion Picture Association of America, the AFL-CIO, and Mastercard Worldwide—many of which helped to draft this legislation in the first place, and didn’t let anyone else into the room. The only scheduled witness in opposition to the bill is Katherine Oyama, policy counsel on copyright and trademark law for Google.
Whether you support or oppose the bill, there’s no question that it will affect a broad range of activities, which is one reason we’ve seen an extraordinary outcry of opposition since the bill was introduced.
In case you are wondering who the Committee should be hearing from today, here is a small sampling of the stakeholders that deserve a seat at the negotiating table:
Public interest organizations
EFF, Public Knowledge, the Center for Democracy and Technology, TechFreedom, the Competitive Enterprise Institute, Demand Progress and many others have all raised strong objections to SOPA, including concerns that the language in the bill is so broad that it could be used to shut down access to almost any website.
Consumer groups have also raised concerns that SOPA could be used to close off online exchanges that provide lower prices for consumers and allow for anti-consumer practices by online service providers. And that’s only the beginning – if made law, this bill would give overreaching rightholders an easy way to threaten innovation, including social media and cloud computing, that consumers count on.
Independent filmmakers and musicians
Independent artists are often innovators, trying out new technologies and business models in order to distribute and profit from their work. Independent producers of content have expressed concern that SOPA will shut down the innovative technologies they rely on, or prevent them from being built in the first place.
The engineers who helped to build the Internet have warned that SOPA will break the Internet by meddling with the Domain Name System, which links IP addresses to domain names.
Aside from Google, no technology company has a seat at the table. Google has joined a coalition of companies, including Facebook, eBay and Zynga, in opposing SOPA on the grounds that it will stifle innovation and cost the US tech-sector jobs. But surely the Committee needs to hear from some of the numerous job-creating companies in the tech sector – as well as the innovators of tomorrow – who might be affected by this bill?
This legislation is full of holes – and it appears its sponsors don’t want them exposed. Tell Congress to stop this bill now!
On the eve of the House Judiciary Committee's hearing on the Stop Internet Piracy Act—where five witnesses will appear in favor of the bill to just one against—a broad group of tech companies, lawmakers, experts, professors, and rights groups have come out against the bill.
The statements, written by people from a variety of backgrounds and political persuasions, incorporate many of the same broad themes: SOPA will threaten perfectly legal websites, stifle innovation, kill jobs, and substantially disrupt the infrastructure of the Internet. Here is a small sample of what they had to say:
A veritable Who's Who of tech giants—including Facebook, Google, Twitter, eBay, Yahoo, AOL and Mozilla—explicitly came out against both SOPA and PROTECT-IP in a letter to the ranking members of the House and Senate Judiciary committees:
Unfortunately, the bills as drafted would expose law-abiding U.S. Internet and technology companies to new uncertain liabilities, private rights of action, and technology mandates that would require monitoring of web sites. We are concerned that these measures pose a serious risk to our industry’s continued track record of innovation and job-creation, as well as to our Nation’s cybersecurity. We cannot support these bills as written…
A bipartisan group of ten Congress members, including Republican Presidential candidate Rep. Ron Paul and Democrat Rep. Zoe Lofgren, signed a letter expressing their opposition to the bill:
The impact on new businesses and startups, particularly small businesses, will be…detrimental. For example, venture capitalists will be hesitant to invest in new Internet-based businesses if they fear their money will be tied up in litigation…At a time of continued economic uncertainty, this legislation will result in fewer new businesses, few new investments, and fewer new jobs.
A group of over 100 distinguished Intellectual Property law professors updated their original letter from earlier this year about PROTECT-IP and expressed that the SOPA would not only hurt the economy, but is unconstitutional:
SOPA is a dangerous bill. It threatens the most vibrant sector of our economy—Internet commerce. It is directly at odds with the United States’ foreign policy of Internet openness, a fact that repressive regimes will seize upon to justify their censorship of the Internet. And it violates the First Amendment.
The American Civil Liberties Union wrote a detailed letter to the Judiciary Committee outlining their objections to each provision of SOPA and expressing the significant free speech concerns. They concluded:
[T]he bill is severely flawed and will result in the takedown of large amounts of non-infringing content from the internet in contravention of the First Amendment of the U.S. Constitution…. SOPA enables law enforcement to target all sites that contain some infringing content – no matter how trivial – and those who “facilitate” infringing content. The potential for impact on non-infringing content is exponentially greater under SOPA than under other versions of this bill.
Through SOPA, the United States is attempting to dominate a shared global resource. Building a nationwide firewall and creating barriers for international website and service operators makes a powerful statement that the United States is not interested in participating in a global information infrastructure. Instead, the United States would be creating the very barriers that restrict the free flow of information that it has vigorously challenged abroad.
The Global Network Initiative, a diverse coalition of organizations ranging from human rights groups to academics, investors, and technologists, urged Congress to re-examine the bill with an eye towards balancing infringement prevention against surveillance and censorship concerns:
It is critically important that Congress avoid measures that could erode free expression norms in a way that would set dangerous precedent for other countries considering similar measures, and make it more difficult for companies everywhere to resist surveillance and censorship demands that infringe upon individual rights.
The Consumer Electronics Association, which comprises over 2,000 American technology companies, delivered a straightforward message about the disastrous consequences of failing to properly tailor the scope of the bill:
Our message today is simple: Don’t kill the Internet with SOPA. We strongly oppose counterfeiting and piracy. But solutions must be smart and targeted to get the bad guys without ensnaring legitimate innovators.
Another letter, signed by many public interest groups including EFF, Public Knowledge, and New America, notes that SOPA represents a major step backwards, from the perspective of user privacy and security:
Current enforcement mechanisms were designed to avoid the countervailing harms of conscripting intermediaries into being points of control on the Internet and deciding what is and what is not copyright-infringing expression. As drafted, SOPA radically alters digital copyright policy in ways that will be detrimental to online expression, innovation, and security.
Proponents of the latest disastrous IP bill, the “Stop Online Piracy Act” (SOPA), insist it only targets the “worst of the worst”: so-called “rogue” foreign websites that profit from pirating U.S. intellectual property. But the broad definitions and vague language in the bill could place dangerous tools into the hands of IP rightsholders, with little opportunity for judicial oversight. One very possible outcome: many of the lawful sites you know and love will face new legal threats.
As we’ve explained, Section 103 of the bill sets up a so-called “market-based system” which would allow individuals and companies to cut off financial support from websites — both foreign and domestic — simply by sending a notice to their payment providers or ad networks. In many cases, these sites are dependent on the revenue from those payments and ad networks for day-to-day operation.
Here’s a look at how some real, popular, and important sites could be affected by this legislation if it passes. We’ve even included a sample notice showing how IP rightsholders might target regular sites. To be clear: we don’t believe that the way these websites operate is or should be subject to legal threat — that’s one reason it’s so important to block SOPA from becoming law.
Etsy is an online marketplace for handmade goods, where users can set up a storefront and create listings for things they’ve made. There are over 800,000 active “shops” filled with these handmade goods — far too many for Etsy to monitor manually. Further, because of the eclectic nature of goods listed, it’s difficult to technically filter through the objects listed.
All that means that it’s not feasible for Etsy to proactively prevent listings that may be perceived to violate US copyright or trademark law. That’s a problem, because under SOPA, anybody who is a “holder of an intellectual property right harmed by the activities” of even a portion of the site, could serve Etsy’s payment processors with a notice that would require them to suspend Etsy’s service within 5 days. That means that a trademark violation in one of the storefronts could lead to payment suspension across the entire site. Unlike DMCA notices, which should be targeted to specific infringements, payment provider suspensions will likely target entire accounts. And even if Etsy protests, the bill's vigilante provisions, which grant them immunity for choking off a site if they have a "reasonable" belief that a portion of a site enables infringement, give the payment processors a strong incentive to cut them off anyway.
Like Etsy, Flickr takes copyright issues seriously, and complies with DMCA safe harbor requirements by taking down photos when it gets a valid complaint, establishing a repeat infringer policy, etc. But it doesn’t proactively monitor its user-generated content for copyright infringement. The language of SOPA is vague enough that an individual or corporate rightsholder could claim this lack of monitoring as “taking … deliberate actions to avoid confirming a high probability of the use of the … site to carry out acts that constitute a violation.” Flickr uses an ad network to place advertisements, and accepts payments for premium accounts. Both of those revenue streams could be suspended in a matter of days by a single complaint, and the process of reactivating them could be long and complex.
Vimeo is a video hosting site that focuses on original content by filmmakers and video creators. Although it’s not the most popular video site on the web, it’s been the first to release some widely emulated features, and has an engaged community.
One element of having a creative and engaged community, though, is that some videos are likely to rely on fair use claims. That category includes the “lip dub”-style videos that Vimeo popularized, and for which Capitol Records sued the company two years ago. One section of that lawsuit claims that Vimeo “actively promotes and induces that infringement” — under SOPA, that accusation alone would be grounds to cut them off from their payment provider.
Some rightsholders would prefer that all user-generated content sites implement content identification systems like YouTube’s Content ID. However, those sorts of systems come with problems of their own, and are expensive to develop and put in place.
Here’s worse news: SOPA could hurt the sites you count on now, but many of these sites will at least have the budgets to hire lawyers to fight back. But what about the small sites of today and innovators of tomorrow? Under SOPA, they may never get off the ground – and the Internet will be a less interesting place as a result. Act now so Internet innovation and expression doesn’t become collateral damage in Big Media’s losing battle against online infringement!
Here's how a notice to a payment processor might look:
Dear designated SOPA agent for PayPal:
Pursuant to the Stop Online Privacy Act, please immediately cease processing payments in connection with www.MySpaceBook.com.
MySpaceBook.com is a U.S. directed site, as defined in Section 102, because there is evidence that a portion of MySpaceBook.com is intended to offer services to users located in the United States. MySpaceBook.com is a site dedicated to the theft of U.S. property, as defined in Section 103(a)(1), for the following reasons:
it has taken deliberate steps to avoid confirming infringement by adopting and following a copyright policy that places the burden on rightsholders to identify infringement, even though it knows infringing activity takes place on its site;
it fails to deploy filtering technology that screens for infringement;
a portion of its site, www.MySpaceBook.com/bigmedia, infringes Big Media's trademark rights in the term "Big Media."
In addition, MySpaceBook.com is dedicated to the theft of U.S. property because it is marketed by one or more other persons acting in concert with the operator for use in facilitating infringement. For example, Joe User posted a link on his MySpaceBook "wall" to the Free Justin Bieber campaign, and encouraged other users to click on and share this link.
As a result of this activity, Big Media faces immediate and irreparable injury.
When Hosni Mubarak was ousted from the Egyptian presidency in February, Egypt's revolutionaries saw a new beginning: an Egypt in which individual rights--including the right to free expression--would be respected. Just nine months later, with several prominent bloggers languishing in prison and countless other civilians tried by military courts for protesting, the future looks bleak.
In terms of numbers, Egypt ranks third--behind only China and Iran--for threatened and jailed bloggers. Throughout the past decade numerous well-known bloggers were imprisoned, sometimes without trial, and in many cases subjected to torture, for the crime of speaking out. Despite hopes that Mubarak's ouster would put a stop to restrictions on free expression, under military rule, the crackdown continues.
On October 27, Ayman Youssef Mansour became the second blogger in post-Mubarak Egypt (after Maikel Nabil Sanad) to be sentenced to three years solely for expressing himself online. His alleged crime? Joking about Islam on Facebook. Unlike Sanad, Mansour was tried by a civilian court and found to be "in contempt of religion," a crime under article 98(f) of the Penal Code. The Facebook page, which Mansour wrote on under a pseudonym, has since been scrubbed clean and no longer contains the allegedly insulting material. While it is unclear how authorities tracked Mansour down, he reportedly confessed to owning the account.
Sanad, whose release EFF unconditionally supports, was transferred in late October to a psychiatric hospital for evaluation to determine whether he was responsible for his actions, and his initial conviction was overturned. Now back in prison, Sanad awaits a November 27 retrial by a military court.
Sanad and blogger Alaa Abd El Fattah (whose initial 15-day detention was extended by another 15 days) have both refused to recognize the military court's legitimacy. They are joined by a growing international movement calling for an end to military trials for civilians.
Just as the Mubarak regime utilized emergency law to silence voices, the military--once hailed as guardians of the revolution--is shutting up bloggers at whim.
EFF calls on Egypt's Supreme Council of Armed Forces to immediately and unconditionally release anyone detained for the peaceful exercise of their right to freedom of expression.