Unlike some government initiatives, NGI has not been a secret program. The FBI brags about it on its website (describing NGI as “bigger, faster, and better”), and both DHS and FBI have, over the past 10+ years, slowly and carefully laid the groundwork for extensive data sharing and database interoperability through publicly-available privacy impact assessments and other records. However, the fact that NGI is not secret does not make it OK. Currently, the FBI and DHS have separate databases (called IAFIS and IDENT, respectively) that each have the capacity to store an extensive amount of information—including names, addresses, social security numbers, telephone numbers, e-mail addresses, fingerprints, booking photos, unique identifying numbers, gender, race, and date of birth. Within the last few years, DHS and FBI have made their data easily searchable between the agencies. However, both databases remained independent, and were only “unimodal,” meaning they only had one biometric means of identifying someone—usually a fingerprint.
In contrast, as CCR’s FOIA documents reveal, FBI’s NGI database will be populated with data from both FBI and DHS records. Further, NGI will be “multimodal.” This means NGI is designed to allow the collection and storage of the now-standard 10-print fingerprint scan in addition to iris scans, palm prints, and voice data. It is also designed to expand to include other biometric identifiers in the future. NGI will also allow much greater storage of photos, including crime scene security camera photos, and, with its facial recognition and sophisticated search capabilities, it will have the “increased ability to locate potentially related photos (and other records associated with the photos) that might not otherwise be discovered as quickly or efficiently, or might never be discovered at all.”
The FBI does not just collect and store data from people caught up in the criminal justice system; about 1/3 of the data collected and reviewed in IAFIS is from civil sources such as attorney bar applications, federal and state employees, and people who work with children or the elderly. In the past, the FBI has not allowed these records to include photos and has segregated civil records from criminal data. Civil records were also not included in bulk checks for criminal investigative purposes. NGI may take down these barriers, however. There is some evidence to show the FBI is considering including this data in future NGI database searches and, according to the CCR FOIA documents, has already begun to include civil records from DHS and State Department database files such as visa applications, immigration records, and border entries and exits.
So why should we be worried about a program like NGI, which the FBI argues will “reduce terrorist and criminal activities”? Well, the first reason is the sheer size of the database. Both DHS and FBI claim that their current biometrics databases (IDENT and IAFIS, respectively) are each the “largest biometric database in the world.” IAFIS contains 66 million criminal records and 25 million civil records, while IDENT has over 91 million individual fingerprint records.
Once these records are combined into one database and once that database becomes multimodal, as we discussed in our 2003 white paper on biometrics, there are several additional reasons for concern. Three of the biggest are the expanded linking and tracking capabilities associated with robust and standardized biometrics collection systems and the potential for data compromise.
Already, the National Institute for Standards and Technology, along with other standards setting bodies, has developed standards for the exchange of biometric data. FBI, DHS and DoD’s current fingerprint databases are interoperable, indicating their systems have been designed (or re-designed) to read each others’ data. NGI will most certainly improve on this standardization. While this is good if you want to check to see if someone applying for a visa is a criminal, it has the potential to be very bad for society. Once data is standardized, it becomes much easier to use as a linking identifier, not just in interactions with the government but also across disparate databases and throughout society. This could mean that instead of being asked for your social security number the next time you apply for insurance, see your doctor, or fill out an apartment rental application, you could be asked for your thumbprint or your iris scan.
This is a big problem if your records are ever compromised because you can’t change your biometric information like you can a unique identifying number such as an SSN. And the many recent security breaches show that we can never fully protect against these kinds of data losses.
The third reason for concern is at the heart of much of our work at EFF. Once the collection of biometrics becomes standardized, it becomes much easier to locate and track someone across all aspects of their life. As we said in 2003, “EFF believes that perfect tracking is inimical to a free society. A society in which everyone's actions are tracked is not, in principle, free. It may be a livable society, but would not be our society.”
Unfortunately, biometric data collection is not limited to NGI or even to the legacy DHS, FBI and DoD fingerprint collection programs. The federal government and states have been steadily expanding their DNA collection efforts over the last 10 years as well. Currently all 50 states, the federal government and the District of Columbia collect and share DNA records through the FBI’s CODIS database. At least 15 of those states, as of 2010, collect DNA from defendants convicted of misdemeanor offenses. And as of 2009, under the federal DNA Fingerprint Act of 2005 and several recently-expanded state statutes, at least 21 states and the federal government collect DNA samples from any adult arrested for (not just convicted of) a crime. This has led to an exponential increase in the amount of DNA collected in the United States on an annual basis, with nearly 1.7 million samples processed (pdf, p. 8) in 2009, alone. As of 2011, the National DNA Index or NDIS (the federal level of CODIS) contains over 9,748,870 offender profiles, and the states’ individual databases are each expanding as well.
Currently, it doesn’t appear the FBI plans to incorporate the DNA data held by CODIS into NGI. However, NGI has been designed to be flexible and to be able to incorporate additional biometric identifiers as the need arises in the future. This means that we can’t rule anything out. FBI claims NGI “doesn’t threaten individual privacy,” but the government’s continuing efforts to collect, store and track the biometric data for so many Americans and foreigners cannot bode well for a society that values privacy.
This week saw two disappointing decisions by two major American companies, Microsoft and Cisco, that appear to be choosing to become little tech helpers to China's repressive regime rather than choosing to be a force for good. For Cisco, it's more of the same. For Microsoft, it's a disappointing turn.
China’s Internet censorship is perhaps the most pervasive and its filtering system most sophisticated. The Chinese government requires all companies operating there, whether Western or Chinese, to engage in an opaque self-censorship practice limiting access to any content that could potentially undermine state control, including but not at all limited to political content, information about minority groups, and a vast array of proxies and circumvention tools. Google’s 2006 entry into the country ended four years later when, following a series of cyberattacks originating from China, the search giant decided to stop self-censoring results, effectively ending their business there.
China also uses its technological systems to monitor and target individuals that the regime dislikes, most prominently democracy advocates and the "Falun Gong evil religion" which ended up in a Cisco presentation that surfaced in 2008.
Since Google yanked its search services from China in 2010, the market has been left entirely to Chinese companies, with Baidu dominating with 83 percent of the market share. This week, it was reported that Microsoft has struck a deal with Baidu to offer its Bing web search services in English. Like other online platforms that do business with China, Microsoft will be required to self-censor its search results.
Microsoft Bing currently offers search for a number of countries, including China. Interestingly, Bing's censored SafeSearch option is enforced for China, as well as for a number of other country-specific Bing instances, including India, Taiwan, and Singapore. SafeSearch can reasonably allow parents to limit their children's access to inappropriate material and other similar things, but it becomes unreasonable as a country-wide content censorship tool. The site also enforces SafeSearch for the Arabic-language version of its page, despite the fact that several of the more than twenty Arabic-speaking countries don’t censor the Internet at all.
Just as we applauded Google's decision to cease censorship in China, we have grave concerns about Microsoft’s choice to enter the Chinese market, as it inevitably will result in censorship of search results, and will prevent the Chinese people from accessing their full rights to freedom of expression, including their freedom to access information of interest and use to them. Microsoft should seriously consider whether it wants this role in the world.
As noted above, Cisco's actions have raised concerns about its role as the helper of Chinese oppression for a long time now. It previously came under fire and was the subject of congressional hearings in 2006 and 2008 after a PowerPoint presentation surfaced (see page 57) that indicated Cisco had helped create China’s “Great Firewall” and had specifically marketed it to China for use in targeting the religious minority Falun Gong. As a result of these slides and likely other information, Cisco faces two lawsuits that accuse the company of complicity in helping China censor the Internet and track down members of a religious minority.
This week, it was reported that Cisco will help the Chinese government build a massive camera surveillance network in the city of Chongqing. Though Cisco stated that they will not be providing the specific camera equipment, The Wall Street Journal’s report alleges that the company will provide the networking equipment required to administer a large-scale surveillance system.
Whether the equipment provided is the cameras or the backend network infrastructure, Cisco appears to have made the choice to help the Chinese government surveil its citizens and, inevitably, target dissidents and disfavored minorities.
In 2006, we suggested in a letter to the House Subcommittee on Africa, Global Human Rights, and International Operations a code of conduct for Internet companies in authoritarian regimes. Those standards remain just as relevant today. Under them, the choice by both Cisco and Microsoft to favor the Chinese government over its own people is a wrong choice. We urge both companies to reconsider.
A coalition of content industry players and ISPs today announced an anticipated collaborative effort to “curb online content theft,” described in more detail on a dedicated website for the initiative. The PR materials put out by the group are more telling for what they don’t say than what they do.
The framework provides for a series of progressive “copyright alerts”—up to six—that ISPs will send their users based on notifications they receive from content owners of alleged infringement on those users’ Internet access accounts. Initial alerts will include “education” resources; further ones will require users to confirm receipt of the alert. Later alerts will provide for “mitigation measures” such as reduced Internet speed and inability to surf the web until the user takes some action, for example, discussing with the ISP or responding to “educational information about copyright.”
What happens after six alerts? The materials emphatically state that ISPs are not required to terminate subscriber accounts as a condition of the agreement with the content industry and that the collaboration does not amount to a “three strikes” regime. But the materials also take pains to assert that the DMCA “requires that the ISPs have in place a termination policy for repeat copyright infringers as a condition of availing themselves of the Act’s ‘safe harbor’ provision.” Translation: The content industry is staking its position that ISPs that don’t terminate subscribers after 5 or 6 alerts will lose their DMCA protection. There are plenty of arguments for why that position is wrong; given that an alert represents nothing more than an allegation untried by a court, we think loss of Internet access would be a draconian measure that Congress did not intend. Nonetheless, it may take an ISP willing to litigate the issue to make the argument.
Next, what opportunities does a user have to respond? The materials state that users can, for $35, request an “independent review” on several grounds before a “mitigation measure” is put in place. (It’s unclear whether users have a vehicle to flag errors in response to earlier alerts in hopes of averting later ones.) The grounds for review include a basis to believe that the user was not engaging in infringement, that the account was incorrectly identified, or that “the alleged activity was the result of the unauthorized use of the Subscriber’s account of which the Subscriber was unaware and that the Subscriber could not have reasonably prevented.” (My emphasis.) Notably, the review process specifically states that failure to secure a wireless router will only be accepted once as a defense, a provision with serious consequences for small businesses such as cafes that provide wireless access to customers and individuals with open wifi. Also notable is the fact that users who wish to raise some defenses including fair use authorization must be willing to have their personal information sent to the content owner who provided the underlying report of infringement.
Finally, copyright “education.” Users will be directed to the “Center for Copyright Information,” which is already replete with big-media rhetoric. Educating users about copyright is a worthy endeavor, but such education must be balanced and objective.
We’re still working through the details of the actual agreement—more thoughts to come.
EFF and five news organizations recently filed an amicus brief (pdf) urging an Indiana appeals court to block a subpoena seeking to expose the identity of an anonymous speaker who posted a comment on the Indianapolis Star's website. This is a case of first impression in Indiana.
The subpoena stems from an underlying lawsuit filed by the former head of Junior Achievement of Central Indiana, a non-profit whose mission is to teach children about business management and finance. Among other things, Jeffrey Miller alleges that Junior Achievement and two of its high-level officers defamed him by claiming that he misappropriated money from the organization.
After the Indianapolis Star published the article Junior Achievement Faces Questions, Audit on indystar.com, a reader anonymously posted a comment suggesting that the leaders of the organization might have mismanaged its finances. Miller fired off a subpoena to the Star seeking to unmask the poster. The newspaper is fighting the demand (pdf) to protect the poster's anonymity.
EFF regularly urges courts (as counsel or amicus) to apply heightened constitutional standards to protect anonymous online expression. While litigants with valid claims against anonymous speakers can normally satisfy those protections, the First Amendment bars attempts to out anonymous critics through the misuse of the subpoena process.
The coalition's amicus brief encourages the court to adopt strong protections for online anonymity. It also explains Indiana's long tradition of anonymous commentary on public affairs and highlights the state's strong constitutional protections for free expression.
EFF and other privacy and consumer groups like Privacy Rights Clearinghouse and Consumer Action have publicly responded to industry allegations that effective privacy regulations would harm the economy and innovation. A letter by sixteen trade groups—including the American Advertising Federation and the U.S. Chamber of Commerce—addressed to party heads of the U.S. Senate Committee on Commerce, Science, and Transportation, urged senators to ignore needed changes in privacy laws. The privacy coalition took issue with these claims, pointing to the very real privacy harms suffered by consumers online. Currently, most users are unaware of the pervasive nature of online tracking—and have no way to stop it. Helping consumers feel confident in their privacy will encourage innovation in the digital environment, spurring a robust online economy.
Americans’ privacy is under siege in the current online ecosystem. Companies with large troves of sensitive information have suffered data breaches left and right, putting consumers at risk of identity theft. Because much of what we do online is protected First Amendment activity—reading, speaking, writing, associating—we must expect significant government interest in that data as well. Yet users cannot easily block unwanted tracking programs—assuming they know about them in the first place. The letter that EFF signed onto explains the lack of proper privacy protection in current law, the innovative opportunities of pro-privacy technologies, and the importance of updating privacy law to address new trends in technology—supercookies and browser fingerprinting, location-based services, and behavioral tracking, to name a few.
For example, EFF has supported Do Not Track technologies and policies that would protect consumers from hidden third parties who track users. The proposed technology is simple: a machine-readable header that tells websites that you do not want to be tracked. On the policy end, EFF has supported a regulatory framework whereby companies respect a consumer's wishes not to be tracked by third-party sites. Do Not Track is a response to the failure of self-regulatory mechanisms to protect consumers from invasive tracking programs by third-party sites.
The pro-privacy letter to the Senate Committee says:
The industry groups that wrote to you hope that you will be satisfied with the status quo, that you will ignore the mounting evidence of identity theft and data breaches, and that you will simply allow things to continue as they have. We urge you to reject that view. We are firmly committed to innovation and economic growth and we share the enthusiasm that new technologies and new businesses generate. But it is clear that there must be stronger safeguards in place to protect the interests of consumers and Internet users. The self-regulatory 'notice and choice' approach has simply failed.
EFF would like to thank the contest entrants and the numerous team supporters for making our second annual DEF CON Getaway Contest a success! Together, we've surpassed last year's competition with a participant total of $7,542.04 for online rights defense — great work! This year, the battle for supremacy continued to the very end. Without further ado, here are this year's top contest fundraisers:
Grand Prize Winner: Team ISD Podcast!
Congratulations! You've won a standard suite at the Rio Hotel and Casino, two DEF CON 19 Human badges, two tickets to Vegas 2.0's (in)famous kickoff party theSummit, two badges for the ultra-exclusive Ninja Networks Party, two passes to the iSEC Partners party, AND an EFF Swag Super Pack!
Second Place Winner: Team ArtC!
Well done! Art will receive two DEF CON 19 Human badges, two tickets to the Vegas 2.0 Party, two passes to the iSEC Partners party, and an EFF Swag Super Pack!
Third Place Winner: Team Holy Handgrenades!
WOOT! HH will receive one DEF CON 19 Human badge, one ticket to the Vegas 2.0 Party, two passes to the iSEC Partners party, and an EFF Swag Super Pack!
And that's not all! We will award an exclusive EFF DEF CON 19 t-shirt to ALL fundraising captains who raised more than $300! This limited run of 325 shirts will only be available to DEF CON 19 Getaway Contest participants, and on site in Las Vegas this summer! Specially designed for DEF CON by Joe Alterio of the very creative charity, Robots & Monsters, this year's shirt plays with the plain text truth that encryption saves lives. All prize winners will be contacted via email.
Longtime readers will remember the WIPO Broadcasting Treaty, which EFF has opposed since 2004 because it would harm consumers, citizen journalists, the free flow of information on the Internet, and innovation. Since 2006, EFF and a broad coalition [PDF] of public interest groups, libraries, creative industry members, telecommunications and technology companies have been explaining how granting broadcasters and cablecasters the intellectual property rights envisaged by the draft Treaty would wreak havoc on the Internet community.
After much debate and little agreement about key aspects of the Treaty, such as its objectives, specific scope, and object of protection, negotiations stalled in 2007. But it now seems to have come back from the dead in a little-noticed but highly-coordinated effort to grant broadcasters exclusive, 50-year intellectual property rights over Internet transmissions. WIPO member states agreed on June 24 [PDF] to meet for two days before the next Copyright committee meeting in November specifically to try to reach agreement on a new treaty proposal, with the goal of asking WIPO member states in 2012 to schedule an intergovernmental Diplomatic Conference at which the revised Treaty could be adopted.
The renewed interest in the Broadcasting Treaty has been spurred both by complaints from incumbent broadcasting organizations, and a campaign from the WIPO Secretariat to conclude the Treaty after more than 12 years of negotiations with no consensus. The Secretariat commissioned three studies, organized several regional seminars, and in April held an informal consultation which led to the creation of a new document with "elements" for a treaty. Meanwhile South Africa submitted a new treaty proposal of its own, and sports broadcasters have been lobbying hard for a treaty at both the April and June meetings in Geneva. All of this was aimed at kick-starting the stalled negotiations and finalizing a Broadcasting Treaty. For now, it appears to have worked.
Why should we be worried about this? Broadcasters claim that a treaty is needed to protect against signal piracy, and that the Broadcasting Treaty is simply "updating" their rights for the digital age. But what's really at stake here is something more far-reaching. This Treaty will set the legal rules that will govern the distribution of information on the Internet. The current draft Treaty would grant exclusive, 50-year intellectual property rights to distributors of information that apply in parallel with copyright protections, even when transmitters have had no role in creating the content being transmitted. Although it's not entirely clear, the new South African proposal [PDF] and the "Non-Paper" [PDF] on elements for a new treaty also seem to contemplate intellectual property rights for broadcasters and cablecasters. This move raises the same set of public policy concerns brought up by the existing draft Treaty, which threatens to stifle innovation and the creative freedom of anyone working with audio or visual content in the Internet environment.
Granting broadcasters and cablecasters intellectual property rights that apply independently of copyright in the programs being broadcast, together with legally enforceable technological protection measures, raises concerns for access to public domain works. These measures would add complexity to copyright clearance regimes for creators of podcasts and documentary films, and interfere with consumers’ ability to make home recordings permitted under national copyright laws. Granting broadcasters and cablecasters exclusive rights to authorize retransmissions of broadcasts over the Internet will harm competition and innovation by allowing broadcasters and cablecasters to control the types of devices that can receive transmissions. It will also create new liability risks for Internet intermediaries that retransmit information on the Internet.
On top of the problems posed by the current draft Treaty, there’s now a move to expand the scope of the Treaty to webcasting. The recent South African proposal [PDF] and the new Non-Paper [PDF] both advocate the need to account for "technological developments" and propose a "technology-neutral" approach. This sounds innocuous, but should be understood in the context of the history of the WIPO negotiations. "Technology-neutral" is code for extending new rights to transmissions via the Internet. This is a brazen effort to re-open a long-standing agreement that the Treaty would only give rights to "traditional" broadcasters and cablecasters. Many countries objected to expanding the Treaty to Internet broadcasters because of the harm it could cause to other Internet communications. This move is also inconsistent with the 2007 mandate given by the WIPO General Assembly—to finalize a treaty for broadcasting "in the traditional sense."
The key issue here is the scope of the treaty. Broadcasters claim that they need a new treaty to deal with "signal piracy." No one disputes that signal piracy is a serious issue that needs to be addressed. The disagreement is how to address this problem in a way that does not cause significant harm to citizens’ freedom of expression, and all the other stakeholders in the Internet economy. No empirical evidence has been presented that demonstrates what exact harm is not already being addressed by the existing copyright regime and remedies in national laws, and why broadcasters need intellectual property rights to deal with signal theft.
We continue to believe the preferable model for addressing these issues is the narrower signal-based approach in the Brussels Satellite Convention. But broadcasters continue to push for intellectual property rights that would overlap with copyright. This would trigger unintended consequences for freedom of expression and stakeholders in the Internet economy at a time when the future of broadcasting is already unclear.
Giving broadcasters an unprecedented set of legal privileges is a sure-fire way to damage speech and innovation on the global Internet. If "signal piracy" is the concern, then a narrow, signal-focused approach is what is called for, not a global replication of the existing copyright regime.
With protests raging throughout the country, the Syrian government is responding with deadly force. Citizens seeking freedom are relying on digital tools to organize and communicate -- so much so that the government temporarily shut off Internet access. The parallels to the Iranian uprising in 2009 are striking, and they are not lost on the Obama Administration. In fact, President Obama explicitly linked the current Syrian situation with the Iranian uprisings of 2009, noting that “Syria has followed its Iranian ally” in violently responding to peaceful protests. “The image of a young woman dying in the streets is still seared in our memory,” he recalled, referring to the YouTube video of 26-year-old Neda Agha-Soltan dying from a gunshot wound in Tehran.
Yet while the U.S. Treasury Department formally recognized the need for personal communications tools in the case of Iran (and Sudan and Cuba) in March 2010, it remains silent about Syria. This must change.
In March 2010, the U.S. Treasury Department announced that it was amending its trade restrictions for Iran, Sudan, and Cuba to allow the export of "certain services and software incident to the exchange of personal communications over the Internet,” such as social networking, instant messenger, photo sharing, and e-mail products. EFF applauded this action, which cleared the way for American companies to distribute important free speech tools to individuals who would otherwise struggle to make their voices heard. However, even at that time EFF noted the continued ambiguity over regulations for other countries, including Syria. We encouraged the Obama administration to continue proactively reviewing export rules and to clear any ambiguity for Internet companies who want to offer their services in otherwise-restricted countries.
For Syria, the time for such clarification is now. Exports to Syria are controlled by the Export Administration Regulations (administered by the Commerce Department), the Syria Sanctions Regulations (administered by the Treasury Department), and the Syria Accountability Act (signed by President Bush in 2004). Among these regulations are complicated rules and exceptions for certain technologies, software, and information, and it is anything but clear how they all interact. In the midst of such complexity, and severe penalties for violations, who can blame companies for playing it conservative and restricting all Syrian users from their products?
And it seems that the companies are in fact being conservative. We have indications that Google Chrome and Earth and Code are not available in Syria, nor are some Microsoft downloads and iTunes with its access to podcasts from around the world, all due to concerns about U.S. government export restrictions. There are likely others.
In fact, there is reason to believe that U.S. law does permit web companies to make certain services available to Syrian citizens. First, the Treasury Department’s embargos for Syria specifically exempt from regulation “any postal, telegraphic, telephonic, or other personal communication that does not involve the transfer of anything of value.” Certainly instant messengers, e-mail programs, or social networks can be considered “personal communication.” Furthermore, the Export Administration Regulations specifically exempt the export of publicly available, mass market encryption software that is published for free and anonymous download.
More broadly, however, the 1988 Berman Amendment (specifically, these amendments added section 5(b)(4) to the Trading with the Enemy Act and section 1702(b)(2) to the International Emergency Economic Powers Act), strips the President of his power to “directly or indirectly” regulate the export of “information and informational materials” – a definition expanded by the 1994 Free Trade in Ideas Amendment to include all such materials “whether commercial or otherwise, regardless of format or medium of transmission.” Regrettably, and without any apparent basis for doing so, the Treasury Department has narrowly construed these amendments when implementing them in export regulations. For example, the Treasury Department continues to regulate export transactions related to the “substantive or artistic alteration or enhancement of informational materials” as well as the “provision of services to market, produce or co-produce, create or assist in the creation of information and informational materials.”
Yet even if there are ways to thread through the restrictions, the lack of clarity is plainly having an effect. And Syrians should not have to wait. The Obama Administration should proactively and definitively make clear that providing digital communications and information tools to citizens of otherwise-restricted countries like Syria is not only legal, but encouraged.
Such a declaration would fall in line with the administration’s recent statements regarding both Syria and broader Internet freedom, and would also be consistent with the Administration’s rationale for previously amending export controls for other countries. When the Treasury Department deregulated exports of Internet products to Iran, for example, it believed it would “foster and support the free flow of information – a basic human right – for all Iranians." The State Department also concluded that the free flow of information in Iran was “essential to the national interest of the United States.” The same should be true for Syrians and Syria.
Without the availability of U.S.-based digital communication and information tools, the video of the young Neda’s death would likely never have been shared at all. It’s time for the Obama administration to make clear to the people of Syria, and of other repressive regimes around the world, that the U.S. government will not block their access to the digital communication and information tools they need to help them build a more free society.
Special thanks to EFF intern Jarred Taylor for assisting with legal analysis.