As promised, here’s the first installment of our closer review of the massive piece of job-killing Internet regulation that is the Stop Online Piracy Act. We’ll start with how it could impact Twitter, Tumblr, and the next innovative social network, cloud computing, or web hosting service that some smart kid is designing in her garage right now.
Let’s make one thing clear from the get-go: despite all the talk about this bill being directed only toward “rogue” foreign sites, there is no question that it targets US companies as well. The bill sets up a system to punish sites allegedly “dedicated to the theft of US property.” How do you get that label? Doesn’t take much: Some portion of your site (even a single page) must be directed toward the US, and either
allegedly “engage in, enable or facilitate” infringement or
allegedly be taking or have taken steps to “avoid confirming a high probability” of infringement.
If an IP rightsholder (vaguely defined – could be Justin Bieber worried about his publicity rights) thinks you meet the criteria and that it is in some way harmed, it can send a notice claiming as much to the payment processors (Visa, Mastercard, Paypal etc.) and ad services you rely on.
Once they get it, they have 5 days to choke off your financial support. Of course, the payment processors and ad networks won’t be able to fine-tune their response so that only the allegedly infringing portion of your site is affected, which means your whole site will be under assault. And, it makes no difference that no judge has found you guilty of anything or that the DMCA safe harbors would shelter your conduct if the matter ever went to court. Indeed, services that have been specifically found legal, like Rapidshare, could be economically strangled via SOPA. You can file a counter-notice, but you’ve only got 5 days to do it (good luck getting solid legal advice in time) and the payment processors and ad networks have no obligation to respect it in any event. That’s because there are vigilante provisions that grant them immunity for choking off a site if they have a “reasonable belief” that some portion of the site enables infringement.
At a minimum, this means that any service that hosts user generated content is going to be under enormous pressure to actively monitor and filter that content. That’s a huge burden, and worse for services that are just getting started – the YouTubes of tomorrow that are generating jobs today. And no matter what they do, we’re going to see a flurry of notices anyway – as we’ve learned from the DMCA takedown process, content owners are more than happy to send bogus complaints. What happened to Wikileaks via voluntary censorship will now be systematized and streamlined – as long as someone, somewhere, thinks they’ve got an IP right that’s being harmed.
In essence, Hollywood is tired of those pesky laws that help protect innovation, economic growth, and creativity rather than outmoded business models. So they are trying to rewrite the rules, regulate the Internet, and damn the consequences for the rest of us.
Watch this space for more analysis, but don’t wait to act. This bill cannot be fixed; it must be killed. The bill’s sponsors (and their corporate backers) want to push this thing through quickly, before ordinary citizens get wind of the harm it is going to cause. If you don’t want to let big media control the future of innovation and online expression, act now, and urge everyone you know to do the same.
Americans have a long history of using parodies and satire in their political and social debates. Whether it’s the Daily Show, the Onion, or books like The Wind Done Gone, humor and poking fun can have a powerful political impact and are plainly protected by law. So what’s with Justin Bieber trying to take down the website freebieber.org?
In case you missed this one: Fight For the Future is worried that some pending legislation commonly called the "illegal streaming bill" (which EFF is also concerned about) might impose criminal penalties for the types of public performances that Justin Bieber used to make his name - posting videos of himself doing cover songs. To raise public awareness about the bill, freebieber.org hilariously posts images of Justin Bieber where he looks like he’s in prison, although it’s obvious that these are just his very famous head superimposed on the bodies of actual prisoners. The website urges viewers to help set Justin Bieber free by opposing the law. The campaign has sparked renewed media interest in the bill, which had been largely under the public radar. Mission accomplished!
Apparently, Justin Bieber (or his lawyers) don’t think the campaign is funny. They issued a cease and desist letter, claiming the site violates Bieber's intellectual property rights – a tactic we’ve seen all too often. EFF jumped in to help and, as explained in more detail in a letter we sent back to Bieber’s lawyers today, explained that those claims hold no water. Freebieber.org makes an obviously transformative use of Bieber’s image and engages in political (aka core First Amendment) speech.
What’s a little unusual here is that Bieber is also complaining that the campaign violates his publicity rights. The right of publicity usually prohibits the unauthorized use of a person’s name, likeness, voice, or other identifiable characteristic for a commercial purpose. However, the law is clear that an individual’s right to control uses of his or her name and likeness must be weighed against important free speech rights. The First Amendment protects transformative uses (like the ones at freebieber.org), especially those that do not intrude on a celebrity’s market for her own identifiable characteristics. So it’s hard to believe that Bieber’s lawyers really think he can prohibit this lawful (and effective) use of his image. More likely they, like so many others, were just hoping to scare Fight for the Future out of exercising its free speech rights.
The kind of important political speech that is the core of the Free Bieber campaign deserves the most protection of all, and we are glad that the folks behind it are willing to stand up and defend their right to Free Justin Bieber – whether he likes it or not.
One of the most grave threats to free expression in many countries these days is the intimidation and persecution of bloggers and online journalists. The effects are often far-reaching as bloggers are scared into silence. While the Arab Spring has brought about many positive changes throughout the region, several Middle Eastern countries continue to take measures to silence bloggers. This issue is not, of course, limited to the Middle East. In Thailand, web editor Jiew still faces up to fifteen years in prison, while US-Thai citizen Joe Wichai Commart Gordon pleaded guilty on charges of lèse majesté--a charge that can result in a prison sentence of up to fifteen years--and faces sentencing on November 9. In Mexico, bloggers and online activists may face an even worse fate.
Blogger in UAE Boycotting Trial in Protest
Blogger Ahmed Mansoor was arrested in April after signing a petition calling for democratic reforms in the United Arab Emirates (UAE). According to Reporters Without Borders, more than ten police officers took part in Mansoor's arrest, seizing two laptops and several documents. Prior to Mansoor's arrest, he was the target of a smear campaign on social networks.
Mansoor, as well as four other democracy activists, has refused to appear in court following a closed-door hearing in September. All five men face charges of threatening state security, undermining public order and insulting the president, the vice president and the crown prince of Abu Dhabi. Reporters Without Borders has suggested that the trial is intentionally being dragged out over a period of several months in order to keep the four defendants in prison.
We join Reporters Without Borders in urging the judicial authorities to drop the charges against Mansoor--as well as activists Farhad Salem, Nasser bin Ghaith, Hassan Ali Al-Khamis and Ahmed Abdul Khaleq--and to respect the right to free expression.
Egyptian Blogger Faces Military Prosecutor
Egyptian blogger and activist, Alaa Abd El Fattah (photo by personaldemocracy, CC BY-SA 2.0)
Under the interim rule of Egypt's Supreme Council of Armed Forces (SCAF), free expression is apparently not a right. In August, we reported on the interrogation of Asmaa Mahfouz, and we have repeatedly called for the release of blogger Maikel Nabil Sanad. On Monday, we learned that Alaa Abd El Fattah, a well-known blogger and activist who was imprisoned in 2006 under the Mubarak regime, will face a military prosecutor on Sunday for unknown reasons. Abd El Fattah spoke Tuesday at the Silicon Valley Human Rights Conference and used his platform to draw attention to the extraordinary injustice taking place in Egypt, mentioning Sanad's case.
According to Al Masry Al Youm, a video blogger has claimed to have video evidence against Abd El Fattah that shows him throwing stones on October 9 and alleges that the blogger incited violence during the massacre of Coptic Christians that took place that day. In contrast, the newspaper states that it witnessed Abd El Fattah assisting the wounded following protests on October 9.
EFF has grave concerns about SCAF's use of military trials to silence speech. We will be following Abd El Fattah's case closely.
Syria Arrests Another Blogger
Syrian blogger Hussein Ghrer, missing since October 24, 2011
Syrians face not only the threat of arrest, but the additional threat of intimidation and hacking by the Syrian Electronic Army, a cabal of pro-regime hacktivists that has in recent months defaced the website of Harvard University and attacked numerous public figures on Facebook for their support of the Syrian opposition.
In addition to the Facebook campaign for Ghrer, activists have put together a blog (in Arabic), in which they call for Syrian authorities to disclose information about Ghrer and "release those detained in violation of the law and human rights."
As we stated previously, the intimidation and persecution of bloggers poses a grave threat to free expression globally.
In light of that fact, EFF is currently working on adding a new component to our international work highlighting these threats. Though there are already many excellent voices in this space--among them Reporters Without Borders, the Committee to Protect Journalists, and Global Voices' Threatened Voices project--as long as governments continue to threaten and persecute bloggers, the call for justice can never be too loud to garner attention to these gross violations of human rights.
This summer, decision-makers at Bay Area Rapid Transit (BART) garnered considerable criticism -- not to mention the ire of Anonymous and days of protests -- after they chose to shut down cell phone access to four BART stations in downtown San Francisco based on rumors of an upcoming protest. Now BART’s Board of Directors has drafted a Cell Phone Interruption Policy, which it will consider at an upcoming meeting on October 27th.
EFF applauds the BART for taking the time to develop a policy whose intent is to clarify the circumstances under which BART may shut down cell phone communications, but the proposed policy, which was made public last week, raises some profound concerns about procedure and accountability that we believe should be directly addressed.
BART should not assert their right to shut down cell phone access without a court hearing of any kind. Free speech is a right granted by the Constitution, not BART.
BART should explicitly state that the 8/11 shutdown would violate the cell phone shutdown policy.
BART should clarify what it means by “strong evidence of imminent unlawful activity.” Who will review the evidence? Who decides if it is strong?
The draft policy acknowledges the existence of state and federal regulations. BART should explicitly acknowledge their applicability to cell phone shutdowns.
BART should include a method of ensuring transparency and accountability for future shutdowns. EFF suggests that in the event that BART considers a shutdown, it should make a written record of the Board’s discussions available to the public, to facilitate transparency and accountability after the fact.
We hope that the BART will incorporate this feedback into the final draft of their Cell Phone Interruption Policy, ensuring clarity and accountability in the cell phone shutdown process.
We've reported here often on efforts to ram through Congress legislation that would authorize massive interference with the Internet, all in the name of a fruitless quest to stamp out all infringement online. Today Representative Lamar Smith upped the ante, introducing legislation, called the Stop Online Piracy Act, or "SOPA," that would not only sabotage the domain name system but would also threaten to effectively eliminate the DMCA safe harbors that, while imperfect, have spurred much economic growth and online creativity.
As with its Senate-side evil sister, PROTECT-IP, SOPA would require service providers to “disappear” certain websites, endangering Internet security and sending a troubling message to the world: it’s okay to interfere with the Internet, even effectively blacklisting entire domains, as long as you do it in the name of IP enforcement. Of course blacklisting entire domains can mean turning off thousands of underlying websites that may have done nothing wrong. And in what has to be an ironic touch, the very first clause of SOPA states that it shall not be “construed to impose a prior restraint on free speech.” As if that little recitation could prevent the obvious constitutional problem in what the statute actually does.
But it gets worse. Under this bill, service providers (including hosting services) would be under new pressure to monitor and police their users’ activities. Websites that simply don’t do enough to police infringement (and it is not at all clear what would qualify as “enough”) are now under threat, even though the DMCA expressly does not require affirmative policing. It creates new enforcement tools against folks who dare to help users access sites that may have been “blacklisted,” even without any kind of court hearing. The bill also requires that search engines, payment providers (such as credit card companies and PayPal), and advertising services join in the fun in shutting down entire websites. In fact, the bill seems mainly aimed at creating an end-run around the DMCA safe harbors. Instead of complying with the DMCA, a copyright owner may now be able to use these new provisions to effectively shut down a site by cutting off access to its domain name, its search engine hits, its ads, and its other financing even if the safe harbors would apply.
And that’s only the beginning: we haven’t even started on the streaming provisions.
We’ll have more details on the bill in the next several days but suffice it to say, this is the worst piece of IP legislation we’ve seen in the last decade — and that’s saying something. This would be a good time to contact your Congressional representative and tell them to oppose this bill!
Ten years ago today, in the name of protecting national security and guarding against terrorism, President George W. Bush signed into law some of the most sweeping changes to search and surveillance law in modern American history. Unfortunately known as the USA PATRIOT Act, many of its provisions incorporate decidedly unpatriotic principles barred by the First and Fourth Amendments of the Constitution. Provisions of the PATRIOT Act have been used to target innocent Americans and are widely used in investigations that have nothing to do with national security.
Much of the PATRIOT Act was a wish list of changes to surveillance law that Congress had previously rejected because of civil liberties concerns. When reintroduced as the PATRIOT Act after September 11th, those changes -- and others -- passed with only limited congressional debate.
Just what sort of powers does the PATRIOT Act grant law enforcement when it comes to surveillance and sidestepping due process? Here are three provisions of the PATRIOT Act that were sold to the American public as necessary anti-terrorism measures, but are now used in ways that infringe on ordinary citizens’ rights:
1. SECTION 215 – “ANY TANGIBLE THING”
Under this provision, the FBI can obtain secret court orders for business records and other “tangible things” so long as the FBI says that the records are sought "for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities." The Foreign Intelligence Surveillance Court must issue the order if the FBI so certifies, even when there are no facts to back it up. These “things” can include basically anything—driver’s license records, hotel records, car-rental records, apartment-leasing records, credit card records, books, documents, Internet history, and more. Adding insult to injury, Section 215 orders come with a "gag" prohibiting the recipient from telling anyone, ever, that they received one.
As the New York Times reported, the government may now be using Section 215 orders to obtain “private information about people who have no link to a terrorism or espionage case.” The Justice Department has refused to disclose how it is interpreting the provision, but we do have some indication of how it is using Section 215. While not going into detail, Senator Mark Udall indicated the FBI believes it allows them “unfettered” access to innocent Americans’ private data, like “a cellphone company’s phone records” in bulk form. The government’s use of these secret orders is sharply increasing -- from 21 orders in 2009 to 96 orders in 2010, an increase of over 400% -- and according to a brand new report from the Washington Post, 80% of those requests are for Internet records.
Today, EFF sued the Justice Department to turn over records related to the government’s secret interpretation and use of Section 215, regarding which Senator Ron Wyden, like Senator Udall, has offered ominous warnings: "When the American people find out about how their government has secretly interpreted the Patriot Act,” said Wyden on the Senate floor in May, “they are going to be stunned and they are going to be angry.”
2. NATIONAL SECURITY LETTERS
Among the most used -- and outright frightening -- provisions in the PATRIOT Act are those that enhanced so-called National Security Letters (NSLs). The FBI can issue NSLs itself, without a court order, and demand a variety of records, from phone records to bank account information to Internet activity. As with 215 orders, recipients are gagged from revealing the orders to anyone.
While NSLs existed prior to 2001, they were infrequently used. The PATRIOT Act lowered the standard, making it easier for the FBI to use NSLs to obtain the records of innocent people with no direct link to terrorists or spies, and their use skyrocketed. According to the ACLU’s report on PATRIOT Act abuses, there were 8,500 NSLs issued in 2000 but approximately 192,000 issued between 2003-2006. All of these NSLs led to one terror conviction, and in that case, the NSL wasn’t even needed.
Not surprisingly, EFF FOIA requests have found abuse of their NSL authority: “mistakes” that led to getting information on the wrong people, ISPs handing over extra or wrong information, and dozens of “exigent letters” that “circumvented the law and violated FBI guidelines and policies.” EFF has successfully challenged the NSL gag orders in multiple cases as unconstitutional under the First Amendment, but the overall scheme still survives to this day.
3. SNEAK AND PEEK WARRANTS
Section 213 of the PATRIOT Act normalized “sneak-and-peek” warrants. These allow law enforcement to raid a suspect’s house without notifying the recipient of the seizure for months. These orders usually don't authorize the government to actually seize any property — but that won't stop them from poking around your computers. Again, sneak-and-peek warrants could be used for any investigation, even if the crime was only a misdemeanor.
From 2006-2009, sneak-and-peek warrants were used a total of 1,755 times. Only fifteen of those cases—a microscopic 0.8%—involved terrorism. The rest were used in cases involving drugs or fraud.
After ten years, it’s crystal clear that the “emergency” measure sold as a necessary step in the fight against terrorism is being used routinely to violate the privacy of regular people in non-terrorism cases, threatening the Constitutional rights of every one of us. And after ten years, EFF is even more dedicated to fighting against PATRIOT overreach, both in Congress and the courts. Help us in that fight by becoming an EFF member, so that we can work together in making the next ten years better for civil liberties than the last.
These practices are in direct contrast to language in agency materials EFF received from the FBI yesterday in response to a FOIA request. EFF sought information on how the agency uses geospatial and data visualization tools to investigate criminal, terrorist, and foreign intelligence threats and specifically sought information about the Bureau's use of enterprise software called iDX3. According to the FBI’s website, the Bureau has been using iDX3 to conduct real-time tracking of suspects and situations since at least 2009. The tool, originally developed by the National Geospatial-Intelligence Agency, helps the FBI to “analyze, visualize, and disseminate FBI surveillance data, maps, diagrams, charts, 2D/3D views of cities, and other associated datasets”—in effect it appears to be the meta map to the individual maps the ACLU received in response to its FOIA requests.
So far the FBI has only released 35 pages to EFF, and none of those pages explains iDX3’s capabilities or the specific types and kinds of data the FBI might be using iDX3 to map. However, the documents do show that at least someone at the Bureau was concerned that agents understand that “the most important thing to keep in mind is [data] collection must always start with a threat.”
In a “State of the NSB” (National Security Branch) column (pdf) included in the released documents, FBI Executive Assistant Director Arthur Cummings goes on to say, “Put another way, you need to draw on intelligence requirements to articulate what the threat is before you start mapping it” and “if you want to map just a specific category in the city’s population, you need to do it because intelligence indicates the threat can be found from within that defined community.”
Despite the clear subtext of this column—a concern that the FBI is using these tools in ways that violate Americans’ civil liberties—there is no indication that the Bureau has conducted any privacy impact assessments (PIAs) or produced a System of Records Notice (SORN), as they are required to do under the Privacy Act with any new type of data collection. In fact, one slide in an FBI presentation (pdf) on “GEOINT” (geospatial intelligence) mapping tools notes that the bureau still needs to “[d]evelop and implement Imagery Policy for the FBI.” Further, the FBI outright denied EFF’s request for copies of any PIAs or SORNs the Bureau might have developed on the tools, claiming these, if they exist, are protected by the deliberative process privilege.
From the Wired story and the records released to the ACLU, it appears the FBI has not been complying with the basic tenets in Mr. Cummings’ column. We hope to learn more —and write about more here—when the FBI releases the remaining documents in response to our FOIA request.
This is part 1 of a series on the security of HTTPS and TLS/SSL
HTTPS is a lot more secure than HTTP! If a site uses accounts, or publishes material that people might prefer to read in private, the site should be protected with HTTPS.
Unfortunately, it is still feasible for some attackers to break HTTPS. Leaving aside cryptographic protocol vulnerabilities, there are structural ways for its authentication mechanism to be fooled for any domain, including mail.google.com, www.citibank.com, www.eff.org, addons.mozilla.org, or any other incredibly sensitive service:
Compromise a router near any Certificate Authority, so that you can read the CA's outgoing email or alter incoming DNS packets, breaking domain validation. Or similarly, compromise a router near the victim site to read incoming email or outgoing DNS responses. Note that SMTPS email encryption does not help because STARTTLS is vulnerable to downgrade attacks.
Compromise a recursive DNS server that is used by a Certificate Authority, or forge a DNS entry for a victim domain (which has sometimes been quite easy). Again, this defeats domain validation.
Attack some other network protocol, such as TCP or BGP, in a way that grants access to emails to the victim domain.
A government could order a Certificate Authority to produce a malicious certificate for any domain. There is circumstantial evidence that this may happen. And because CAs are located in 52+ countries, there are lots of governments that can do this, including some deeply authoritarian ones. Also, governments could easily perform any of the above network attacks against CAs in other countries.
In short: there are a lot of ways to break HTTPS/TLS/SSL today, even when websites do everything right. As currently implemented, the Web's security protocols may be good enough to protect against attackers with limited time and motivation, but they are inadequate for a world in which geopolitical and business contests are increasingly being played out through attacks against the security of computer systems.
How often are these attacks occurring?
[Update 10/27/2011: there was an error in our manual de-duplication of CA organizations. Rather than 15 total compromised organizations and 5 since June, the CRLs indicate 14 total and 4 since June]
One interesting feature of X.509 Certificate Revocation Lists is that they contain fields explaining the reason for revocations. As of last week, a scan of all the CRLs seen previously by the Observatory showed the following tallies:
The most interesting entry in that table is the "CA compromise" one, because those are incidents that could affect any or every secure web or email server on the Internet. In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such statements have been issued by 14 distinct CA organizations. A previous scan, conducted in June this year, showed different numbers:
Those "CA Compromise" CRL entries as of June were published by 10 distinct CAs. So, from this data, we can observe that at least 4 CAs have experienced or discovered compromise incidents in the past four months. Again, each of these incidents could have broken the security of any HTTPS website.
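The tallies above come from the reasonCode extension (OID 2.5.29.21) that RFC 5280 allows on each revokedCertificates entry. As an added illustration, not code from the original post or from the Observatory, here is a minimal pure-Python DER walk that reads that extension from a constructed revokedCertificates SEQUENCE and counts revocations per reason; the sample entries, serials and date are made up, and a production scan would parse full CRLs with a proper library instead of the hand-rolled helpers here.

```python
"""Tally X.509 CRL revocation reasons (RFC 5280 section 5.3.1 reasonCode)."""
from collections import Counter

# CRLReason enumeration from RFC 5280; value 7 is unused in the standard.
CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}
REASON_CODE_OID = b"\x55\x1d\x15"   # DER body of id-ce-cRLReasons, 2.5.29.21


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_revoked_entry(serial, reason=None):
    """One revokedCertificates entry: serial, UTCTime, optional reasonCode ext."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps INTEGER positive
    entry = _tlv(0x02, ser) + _tlv(0x17, b"111024120000Z")   # constructed date
    if reason is not None:
        ext = _tlv(0x30, _tlv(0x06, REASON_CODE_OID)
                   + _tlv(0x04, _tlv(0x0A, bytes([reason]))))  # OCTET STRING{ENUMERATED}
        entry += _tlv(0x30, ext)
    return _tlv(0x30, entry)


def parse_revoked_entries(revoked_der):
    """Yield (serial, reason name) for each entry in a SEQUENCE OF revoked certs."""
    _, seq, _ = _read_tlv(revoked_der, 0)
    pos = 0
    while pos < len(seq):
        _, entry, pos = _read_tlv(seq, pos)
        _, ser, p = _read_tlv(entry, 0)
        serial = int.from_bytes(ser, "big")
        _, _, p = _read_tlv(entry, p)       # revocationDate, not needed for the tally
        reason = "(none)"
        if p < len(entry):                  # optional crlEntryExtensions present
            _, exts, _ = _read_tlv(entry, p)
            q = 0
            while q < len(exts):
                _, ext, q = _read_tlv(exts, q)
                _, oid, r = _read_tlv(ext, 0)
                tag, val, r = _read_tlv(ext, r)
                if tag == 0x01:             # optional critical BOOLEAN precedes the value
                    _, val, r = _read_tlv(ext, r)
                if oid == REASON_CODE_OID:
                    _, enum, _ = _read_tlv(val, 0)
                    reason = CRL_REASONS.get(enum[0], f"unknown({enum[0]})")
        yield serial, reason


def tally_reasons(revoked_der):
    """Count entries per reason, the way the post's per-reason table is built."""
    return Counter(reason for _, reason in parse_revoked_entries(revoked_der))


# Constructed sample: six entries, two of them flagged as CA compromise.
SAMPLE_REVOKED = _tlv(0x30, b"".join([
    encode_revoked_entry(0x1001, 1), encode_revoked_entry(0x1002, 2),
    encode_revoked_entry(0x1003, 4), encode_revoked_entry(0x1004, 2),
    encode_revoked_entry(0x1005),    encode_revoked_entry(0x1006, 5),
]))

if __name__ == "__main__":
    for name, count in tally_reasons(SAMPLE_REVOKED).most_common():
        print(f"{name:22s} {count}")
```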
It is also interesting to examine revocations by reason as a function of time:
Generally, this plot reflects enormous growth in HTTPS/TLS deployment, as well as the growing strain that is being placed on its authentication mechanisms. The problems with the CA system and TLS authentication are urgent and structural, but they can be fixed. In this series of posts, we will set out an EFF proposal for reinforcing the CA system, which would allow security-critical websites and email systems to protect themselves from being compromised via an attack on any CA in the world.