In April we launched "Who Has Your Back", a campaign calling on major Internet companies like Google, Amazon and Microsoft to stand with their users when it comes to government demands for users’ data. Today, we’re pleased to see that two of the thirteen companies highlighted in our petition, Apple and Dropbox, have agreed to one of our requests: that they stand up for user privacy in Congress by joining the Digital Due Process coalition.
ECPA was passed by Congress in 1986, before the World Wide Web was even invented and when cell phones were still a rarity. Yet to this day, ECPA is the primary law governing how and when law enforcement can access personal information and private communications stored by communications providers like Google, Facebook, your cell phone company or your ISP.
Unfortunately, ECPA is weak, confusing, and outdated. For example, it doesn’t specifically address location information at all, which has led to years of fighting in the courts about whether or not the government needs a search warrant to track your cell phone. Meanwhile, whether or not ECPA requires the government to get a warrant before seizing private communications content like your emails and IM chats turns on absurd factors like how old the messages are and, according to the Justice Department, whether or not you’ve read them yet. Frighteningly, the government also seems to think that the privacy of your search history stored with Google or Yahoo! or Microsoft’s Bing isn’t protected by ECPA at all.
It’s past time that Congress gave ECPA a much-needed digital upgrade so that it better fits the always-on, location-enabled technological landscape of the 21st century. That’s why DDP is pushing for amendments to ECPA to ensure that the government can’t track your cell phone or obtain your online content—like your private emails, social network messages, photos, search history, word processing documents and backup files—without first going to court to get a search warrant based on probable cause.
Since DDP launched last spring, our efforts have prompted serious discussion in Washington, D.C. about the need to reform ECPA, with Congress holding five hearings on the issue and introducing several bills that address some of the coalition’s recommendations. That was the first stage in the process of baking stronger and clearer privacy protections into the law. Now comes the harder part: actually getting a good bill passed by Congress and signed by the President.
As we enter that next phase in the fight for electronic privacy reform, it’s good to know that we’ll have Apple and Dropbox on our side. We’re especially pleased to have these new allies as we approach the 25th anniversary of ECPA’s passage on October 21st, which will be a focal point in our campaign to get a 21st century upgrade to our electronic privacy laws.
We’re updating our "Who Has Your Back" chart and awarding a gold star to both Apple and Dropbox for joining us in this effort.
Part one in a short series on EFF’s Open Source Security Audit
By Dan Auerbach and Chris Palmer
We recently did a security audit in which we uncovered and helped to fix vulnerabilities in the popular open source messaging clients Pidgin and Adium. We were motivated by our desire to bolster the security of cryptographic software that we often recommend to individuals and organizations as a defense against surveillance. In particular, one tool that we are enthusiastic about is the widely-used Off-The-Record (OTR) plugin for Pidgin and Adium.
Not to be confused with Google’s similarly named “Off The Record” chat, the plugin can be used with any popular instant messaging service enabled in Pidgin or Adium, including MSN, AIM, Yahoo!, and Google Talk itself. OTR is an anti-surveillance tool used by people around the world, from activists in authoritarian regimes to business folk looking to communicate securely with clients to families who want a private conversation with a distant loved one. If you are using Pidgin to talk from a Google account and have the OTR plugin enabled, then nobody, including Google, is in a position to read your encrypted communications en route to the other party. Though there are other options available for encrypted messaging, we especially like OTR because it has many desirable features, and unlike other encryption, it's easy to use.
However, there is little value in having a nicely-conceived encryption tool if the implementations that people actually use are filled with security bugs! Therefore, we decided to do an audit to find and fix some of those bugs. We chose to focus our efforts on the libpurple messaging client library used by both Adium and Pidgin and some of the software that it depends on (notably GnuTLS and libxml2). Strengthening the security of these libraries is vital to ensuring that people have the option of truly private, encrypted communication at their fingertips. We found and fixed quite a few bugs, which you might be able to see now and in the coming weeks and months by looking for security updates (for example, look under the "libpurple" section here) within the various code bases. As always, we recommend immediately downloading any security updates for your software, especially if that software is being used to combat surveillance.
While we hope that the software libraries that we looked at are more secure now that potential vulnerabilities have been patched, ensuring effective security is an ongoing process. Given the crucial role played by this software as a platform for OTR and other encrypted messaging solutions, we hope that it will get the security attention that it deserves and continue to be reviewed regularly by the developers actively working on the projects as well as the community of users with an interest in encrypted communication. If you use Pidgin or Adium and would like to download OTR to protect yourself against surveillance, you can do so here.
There's been a lot of action on consumer privacy in DC over the past year, and while some of that action seems to have stalled (more on that in another post), there's still movement in the private sector—mainly around "Do Not Track" (DNT) and Tracking Protection Lists (TPLs).
Follow the W3C Discussion!
W3C is an open process that invites participation from many different stakeholders. Even if you can't make it to Boston, you can follow along by visiting:
In April, DNT and TPL were subjects of a W3C workshop on Web Tracking and User Privacy in Princeton, New Jersey. The workshop report and presentations are available here. Since then, Mozilla—the first major browser to support DNT—has released its "field guide" to DNT for developers.
These issues are now being tackled in the W3C's Tracking Protection Working Group (TPWG), co-chaired by Aleecia McDonald of Mozilla and Matthias Schunter of IBM Research-Zurich, which aims to develop consensus standards around DNT and TPLs.
EFF is participating in the W3C process to advocate for user privacy. EFF Technology Projects Director Peter Eckersley is attending the first face-to-face workshop in Cambridge, Massachusetts this week, as is Stanford's Jonathan Mayer, whose work on DNT is available at DoNotTrack.Us. A second face-to-face workshop is planned for the beginning of November in Santa Clara, California.
EFF just received documents that reveal additional post-9/11 Defense Department misconduct, including attempts by the Army to investigate participants at a conference on Islamic law at the University of Texas Law School and Army-issued National Security Letters (NSLs) to telecommunications providers in violation of the law.
EFF received these documents in response to a 2009 Freedom of Information Act (FOIA) lawsuit that we filed against the DoD and a half-dozen other federal agencies involved in intelligence gathering. In the lawsuit, we demanded the immediate release of reports about potential and actual agency misconduct, and the agencies have since released thousands of heavily-redacted pages, some of which we have discussed here, here, here and here.
Now, thanks to a recent Supreme Court case, we have more. In March 2011, after the DoD released most of its records to EFF, the Supreme Court decided an important FOIA case called Milner v. Department of Navy, 131 S.Ct. 1259 (2011). The case involved one of the exemptions to FOIA, 5 U.S.C. §552(b)(2), that allows agencies to withhold information “related solely to the internal personnel rules and practices of an agency.” A 1981 case from the DC Circuit Court of Appeals interpreted this exemption broadly to cover “predominantly internal” materials whose disclosure would “significantly ris[k] circumvention of agency regulation or statutes,” and since that time agencies, including and especially the DoD, have relied on this broad interpretation of (b)(2) to withhold a ton of important information. In March, the Supreme Court overturned this reading of the exemption and held (b)(2) is limited solely to records relating to employee relations and human resources issues.
The Milner decision is important for our case because the DoD and other agencies withheld a significant amount of information under the broader interpretation of (b)(2). As our case is still in litigation, the agencies are now required to release that previously-withheld information to us (or determine it can be exempted under another section of the FOIA).
The small amount of re-released documents we’ve received so far fills in some of the holes in the picture of the federal government’s post-9/11 intelligence violations, just as it raises more questions. Here’s what the records reveal, with the graphics comparing the first government disclosures with the newly released records (move the slider back and forth to see the different versions):
In 2004, an Army Special Agent issued three NSLs (pdf) for customer phone records directly to a communications company. The NSL statute, 18 U.S.C. §2709, only authorizes the FBI to issue NSLs, and specifically prohibits NSL recipients from telling anyone, including the customer, about the request. As the Army does not have the authority to issue NSLs, this Special Agent clearly violated the law. The Army did not discover the illegal requests until after the Agent received customer records from the communications company. Perhaps the most amazing thing about the story is that, according to the report,
neither the Army unit nor the FBI Field Offices [with which the Army agent was working] were aware that these requests had to be made by the FBI.
If we can’t rely on our government employees to know and understand the law, how can we rely on them to apply it appropriately?
Investigation of University of Texas Conference Attendees
A 2004 Army intelligence violation report (pdf) noted that two Army lawyers attended a conference on Islamic law at the University of Texas Law School without disclosing their military affiliation. Some conference participants discovered who they were and challenged why they were there. The Army lawyers, believing that the conference participants had asked “inappropriate questions,” decided to investigate them. Without any investigative authority or jurisdiction (the military’s authority to investigate civilians in the United States is very limited), two Army Special Agents went to UT to ask about three conference attendees. The Army’s internal investigation into the matter concluded that the Special Agents had,
improperly conducted investigative activity directed against three civilians within the U.S., who were outside Army counterintelligence investigative jurisdiction and failed to refer the matter to the FBI as they were required to do.
This report confirms once again that the US government has been improperly targeting Muslims in the United States. As we reported previously, records we received from the Department of Homeland Security (DHS) noted that in 2008, DHS's Office of Intelligence and Analysis improperly collected intelligence (pdf) about a non-violent Muslim conference in Georgia, including details about conference speakers who were Americans, and in 2007, DHS I&A improperly investigated (pdf) the U.S.-based religious organization the Nation of Islam. And just last week, Wired reported that the FBI "is teaching its counterterrorism agents that “main stream” [sic] American Muslims are likely to be terrorist sympathizers."
Joint FBI/DoD Surveillance Operations
Finally, several pages (pdf) refer to joint missions between the FBI and DoD, including a Joint FBI/National Criminal Investigations Service (NCIS) counterespionage operation in which an NCIS “asset” apparently went undercover into a US organization. This violates a DoD regulation that severely limits the ability of DoD employees to participate in US organizations’ activities without disclosing “their affiliation with the intelligence component . . . to an appropriate official of the organization.” Based on earlier releases, we already knew that several components of the DoD conducted surveillance on US organizations, including Planned Parenthood and anti-war groups, and we already knew the DoD worked together with the FBI on investigations, so it’s unclear why the DoD felt it was so important originally to redact this information.
The release of these documents shows just how broadly the DoD was applying the (b)(2) FOIA exemption to prevent the public from knowing what went on in post-9/11 America. None of the information above should have been redacted under even the broadest, pre-Milner interpretation of (b)(2), and we can only assume these redactions are representative of how the DoD has applied other FOIA exemptions to its records as well. The DoD and other agencies should proactively release the rest of the records withheld under (b)(2). If they don't, we will address this along with other exemption issues as we move forward with litigation in our FOIA case this fall.
Nominations are now open for EFF’s 20th Annual Pioneer Awards, to be presented at Zeum (soon to be known as the Children's Creativity Museum) on November 15th in San Francisco. EFF established the Pioneer Awards in 1992 to recognize leaders on the electronic frontier who are extending freedom and innovation in the realm of information technology. Nominations will be open until Monday, October 17th.
What does it take to be a Pioneer? There are no specific categories, but nominees must have contributed substantially to the health, growth, accessibility, or freedom of computer-based communications. Their contributions may be technical, social, legal, academic, economic or cultural. This year’s pioneers will join an esteemed group of past award winners that includes World Wide Web inventor Tim Berners-Lee, security expert Bruce Schneier, open source advocate Mozilla Foundation, and privacy rights activist Beth Givens.
Learn about how you or your company can help sponsor the awards ceremony here.
Remember, nominations are due no later than midnight on Monday, October 17th! And after you nominate your favorites, we hope you will join us on November 15th to celebrate the work of this year’s winners. Tickets are available now.
In the wake of the Google+ Nymwars, the events of the Arab Spring, and discussion surrounding the Computer Fraud and Abuse Act (CFAA), there is a growing need for both companies and users to have a better understanding of how terms of service (ToS) and community policing methods affect online speech. Social networking platforms like Facebook, Twitter, and Google+--as well as video and photo-sharing sites--are increasingly playing the role of the public sphere, and policies around content removal and account deactivation can have chilling effects on free expression.
The paper puts forth two sets of recommendations, one for companies and one for users.
The authors suggest that companies:
Offer clear, consistent guidelines
Provide clear methods of contact with support teams
Develop robust appeals processes
Embed human rights considerations into their platform design
To users, the authors recommend:
A better understanding of platform rules
Increased engagement with companies
The use of tags and other cues to provide context to content
Backing up content stored on any social platform or cloud service
The importance of each point becomes apparent in recent incidents during the Arab Spring. Take, for instance, the case of Hossam Hamalawy, an Egyptian activist who uploaded a set of photos to Flickr, only for the company to remove them on the basis that the photos were not his. The photos had been retrieved by activists from Egyptian state security offices, and Hamalawy had been explicit about their origins, prompting Flickr to enforce their guidelines, which advise users to upload only content which they've created. While Hamalawy argued that "Flickr is full of accounts with photos that people did not take themselves," Flickr responded by sharing their own struggles with enforcing the rules evenly. In this case, both company and user could have benefited from the recommendations put forth in the paper.
As privately-owned online social spaces increasingly play the role of the public sphere, companies must take into account the various ways in which users are employing their platforms. And while Facebook and Google+ may be reluctant to identify as "activist platforms," the events of the Arab Spring have made it apparent that this is exactly what they are, whether they like it or not.
At the same time, users have a responsibility to understand the rules and regulations of these online spaces; research indicates that most users don't read license agreements. Users should also feel empowered to stand up to companies when they deem rules or processes to be unfair; or as Rebecca MacKinnon advocated in her recent TED talk, users must "take back the Internet" and become more engaged in policy, be it at the government or corporate level.
Ultimately, however, the power resides with companies, and it is incumbent upon them to implement rules and processes that take human rights into account. As CDT put it in their announcement of the paper today, "By giving greater thought and attention to these issues, these companies can have a significant impact on user rights and user satisfaction." We couldn't agree more.
Cotterman was coming into the United States from Mexico at the Lukeville Port of Entry in Arizona. Although they did not suspect he was carrying anything illegal, customs officers detained him at the border for 8 hours before letting him enter the country. The agents confiscated two laptops and a digital camera, and took them 170 miles away to Tucson for forensic examination. The next day, without a warrant or any suspicion that the electronic devices contained anything illegal, agents imaged three hard drives on the computers and reviewed pictures on the digital camera. After two days of forensic examination, the agents ultimately found child pornography on the computers.
The appellate court found the three-day search and seizure reasonable under the Fourth Amendment, despite the absence of any individual suspicion of wrongdoing or a search warrant. A dissenting judge warned that the decision “gives the Government a free pass to copy, review, categorize, and even read all of that information in the hope that it will find some evidence of any crime.”
In our amicus brief, written by Michael Price and Malia Brink of the NACDL, we urge the court to reconsider its decision, which we caution leads to a border where government officials – not the Constitution – dictate the legal boundaries of a search. The Fourth Amendment, while relaxed at the border, demands more than just a free pass for the government to search whatever it wants for no reason at all.
Update: Jiew's trial will resume on February 14, 2012.
Chiranuch Premchaiporn, more commonly known by her pseudonym, “Jiew,” is the director of one of Thailand’s most popular alternative news sites, Prachatai. EFF has been following Jiew’s work--and her commitment to free expression--for quite some time. In October 2010, following a conference on Internet freedom, Jiew was arrested upon re-entering Thailand. EFF conducted an interview with her shortly afterward.
Jiew was charged under the intermediary liability section of Thailand’s 2007 Computer Crime Act, as well as for the crime of “Lèse Majesté,” which has often been used in Thailand to enforce censorship. For the two crimes, Jiew faces a combined sentence of 82 years. In February, at the start of her trial, we expressed our grave concerns. Now, after a recess of nearly eight months, Jiew’s trial resumed on September 1 and remains ongoing, with September 20 marking the first day of the defense. Each day of the trial has attracted international observers from both foreign governments and NGOs, including Freedom Against Censorship in Thailand (FACT), which has blogged several days of the trial.
What is most alarming about this case is that, under the Computer Crime Act, Jiew--as the director of Prachatai--is being held responsible for comments left by users on the site. Whereas in the United States, site hosts are largely protected under Section 230 of the Communications Decency Act, in Thailand (and in numerous other countries), there are no such protections. Therefore, any content host can be held liable for comments left by others; this often has the effect of self-censorship, in that content hosts will moderate or turn off comments to avoid potential liability.
The risks are not for bloggers alone; major Internet companies--like Facebook or Twitter--could also be held responsible for content produced by their users. This presents a real challenge for companies wishing to operate in Thailand, and may have deleterious effects on business there. Earlier this week, the Asia Internet Coalition--which includes members such as eBay, Google, and Yahoo!--issued a statement expressing concern for the effects of Thailand’s intermediary liability laws on business in the country:
By holding an intermediary liable for the actions of its users, this case could set a dangerous precedent and have a significant long-term impact on Thailand's economy. It could also end up denying Thai Internet users access to many of the online services they use everyday. Intermediaries, basically any online platform that allows users around the world to connect, such as social networks, online marketplaces and web forums, are a critical component of the Internet today
The Asia Internet Coalition believes that responsible intermediaries should be protected from prosecution over the actions of users and that clear notice and takedown policies must be in place.
EFF agrees with the Asia Internet Coalition. Jiew is facing decades in prison for the act of being an editor and, if convicted, her case could set a precedent that could have chilling effects on both innovation and free expression in Thailand.
We also express our support for Jiew during this time, and applaud Human Rights Watch for awarding Jiew (along with 47 other writers facing persecution) with the 2011 Hellman/Hammett grant for her commitment to free expression. Upon receiving the award, Jiew said:
Even though this award gives me support, and encourages me to face the threats on the rights & freedoms of expression--which makes me grateful--at the same time it also makes me feel sad. We cannot deny the significance of my being the first Thai to receive this award. It means that this is an indicator that the freedom of expression in this country has drastically declined since the 19 September 2006 coup.