Are you an undergraduate or graduate student who is interested in protecting civil liberties online and fighting for a free and open Internet? Do you have strong writing and research skills? Do you love delving into the latest issues in technology, privacy, intellectual property, and transparency? Apply for EFF’s Summer Activism Internship!
The Activism Intern will work closely with EFF’s activism team to create new campaigns, action alerts, and issue pages, research new issues in digital civil liberties, and update existing web pages on EFF’s sprawling website.
EF is seeking candidates with the following qualifications:
Familiar with EFF’s core issues: privacy, transparency, intellectual property, and freedom of expression.
Available to work from June through August at EFF’s office in San Francisco, CA.
Have strong writing and research skills.
Comfortable updating blogs and social media. Experience maintaining a website preferred.
Candidates should email a cover letter and resume to firstname.lastname@example.org by April 22nd. Please include 2-4 links to online writing samples. Replies will be sent by May 9th. This internship is an unpaid position.
Internet certification authorities (CAs) are charged with the task of
vouching for the identities of secure web servers. When you browse to
https://www.wellsfargo.com/, your browser knows it’s the real wellsfargo.com
because VeriSign, a CA, says it is.
However, if CAs don’t validate the identities of the sites they vouch
for, the whole system breaks down. In this post, I’ll discuss one way in
which CAs frequently fail.
Using data in EFF's SSL Observatory, we have
been able to quantify the extent to which CAs engage in the insecure
practice of signing certificates for unqualified names. That they do so in
large numbers indicates that they do not even minimally validate the
certificates they sign. This significantly undermines CAs’ claim to be
trustworthy authorities for internet names. It also puts internet users at
increased risk of network attack.
Normally, a public CA like Verisign or Comodo should sign only public
names. On the internet, only fully-qualified
domain names are public and routable. For example, “www.eff.org.” is a
fully-qualified name. By contrast, the name “www” is unqualified or
not fully-qualified. This name is not globally unique, and may
refer to a different computer on my network than it does on your network.
(On some networks, it may not refer to any computer at all.)
As a convenience for users, the administrators of local networks will
often configure their networks to use unqualified names for internal
services. This is why, at many companies, you can simply type “mail” or
“wiki” or “intranet” into your browser, and get to your company’s internal
web resources. But these names have — or should have — no meaning on the
In the Observatory we have discovered many examples of CA-signed
certificates unqualified domain names. In fact, the most common unqualified
name is “localhost”, which always refers to your own computer! It
simply makes no sense for a public CA to sign a certificate for this private
name. Some CAs have signed many, many certificates for this name, which
indicates that they do not even keep track of which names they have signed.
Some other CAs do make sure to sign “localhost” only once. Cold comfort!
Although signing “localhost” is humorous, CAs create real risk when they
sign other unqualified names. What if an attacker were able to receive a
CA-signed certificate for names like “mail” or “webmail”? Such an attacker
would be able to perfectly forge the identity of your organization’s webmail
server in a “man-in-the-middle”
attack! Everything would look normal: your browser would use HTTPS, it
would show a the lock icon that indicates HTTPS is working properly, it
would show that a real CA validated the HTTPS certificate, and it would
raise no security warnings. And yet, you would be giving your password and
your email contents to the attacker.
To test the prevalence of the validated, unqualified names problem, I
queried the Observatory database for unqualified names similar to
“exchange”. (Microsoft Exchange is an extremely popular email server, and
servers that run it commonly have “exchange” or “exch” in their names.
Likely examples include “exchange.example.net” and “exch-01.example.com”.)
My results show that unqualified “exchange”-like names are the most popular
type of name, overall, that CAs are happy to sign.
Unqualified Name Pattern
Valid Certificates Observed
“exchange” with characters on either side, e.g. “exchange01” or
“exch” with characters on either side, e.g. “exch01” or “01srvexch”
It is far too easy for an attacker to perform a very convincing MITM
attack against private exchange servers. The bad behavior of CAs helps
Users should avoid using unqualified names to access internal resources.
Instead, create a bookmark to the URL with the fully-qualified name, e.g.
“https://mail.example.com/”. Users should also alert their network
administrators to the problem.
Browsers (and other TLS clients, like email readers and web service
applications) should stop treating certificates for unqualified names and
for IP addresses as valid.
Organizations relying on certificates for unqualified names should use
their own private CA for their private namespace. For example, all those
Exchange shops can use Microsoft's CA software.
Certifcate authorities should stop signing unqualified names, and should
revoke existing certificates for unqualified names. They should also stop
signing IP addresses — especially private, non-routable addresses — and
should revoke existing IP address certificates, too.
The Federal Circuit Court of Appeals in Washington, D.C. heard oral argument yesterday in the closely watched “breast cancer gene” patent case. At issue are two patents covering naturally occurring human genes that, when present, signal an increased likelihood of developing breast cancer. The ACLU and the Public Patent Foundation filed the lawsuit in May 2009, representing 150,000 geneticists, pathologists, and laboratory professionals; in March 2010, the district court found in the plaintiffs’ favor and invalidated the patents.
Because Myriad owned the patents, testing on these two genes could only take place in Myriad’s own labs – meaning that others could not develop tests on those genes, depriving women from alternative (and cheaper) tests. This is the result of a troubling trend of patenting genes, despite long-standing Supreme Court precedent that, in order to be eligible for a patent, an invention must have a "new or distinctive form, quality or property" and may not be a product of nature. The district court agreed with plaintiffs that isolated breast cancer genes – genes that naturally exist in some women – did not meet this standard and invalidated the two patents.
Defendants appealed that ruling and the Federal Circuit heard argument yesterday. It is unclear which way the Court will go (it’s also possible that the Federal Circuit could decide that plaintiffs lacked standing to even bring the suit), but there were some encouraging moments during oral argument. For example, Judge Kimberly A. Moore asked Myriad’s attorney:
Why isn't the ingenuity the process, as opposed to the resultant DNA which is in your body? Why isn't the ingenuity the process of extracting it, the process of figuring out what it's useful for? Why is the ingenuity the thing? I mean, God made it, man didn't make it.
The U.S. government weighed in on behalf of plaintiffs, pointing out that recognizing patents covering genes like the breast cancer gene could lead to efforts to patent other naturally occurring materials, such as lithium and uranium.
EFF will continue to follow this case closely. Like the patents EFF has challenged, the breast cancer gene patents are symptoms of a broken patent system that too often stifles innovation rather than fostering it. What is worse, these patents limit access to potentially life-saving testing and treatment. We hope the Federal Circuit does its part to put the system back on track by affirming the district court's decision...
In written comments, EFF urged the Council of Europe to revise its recommendation and guidelines to ensure that they promote transparency on search records requests, protect privacy vis-à-vis the government, and preserve freedom of expression rights, including readers’ rights to read information online. EFF also commented favorably on language that acknowledges that search engines play a central role as intermediaries by enabling the public to seek, impart and receive information and ideas worldwide.
Because search engines play a central role as intermediaries, search engine records contain sensitive information about a person's intellectual, political, cultural, religious, psychological, and physical (health) beliefs, conditions and actions that can be of interest to state actors and civil litigants. These search records pose the most obvious privacy threat, since they represent some of the most sensitive data about individuals. Other potential threats to personal data come in the form of subpoenas, unauthorized access, civil litigants’ requests, computer hackers, and compelled disclosure of search records to law enforcement and national security investigators.
EFF has asked the Council of Europe to:
• Recommend Member States adopt strong legal safeguards and due process before disclosure of individuals’ search records to governmental entities. Government should allow search engines to notify the person whose search record is sought.
• Ensure that search engines adopt reasonable efforts to notify the person whose search records are sought, unless search engines are prohibited from doing so by law or court order. If possible, agree to a timetable for disclosure to the party requesting data in order to provide a reasonable opportunity for the individual to file an objection with a court before disclosure.
• Ensure that transparency about the disclosure of citizens' search records pursuant to a governmental request applies to search engines. For instance, the guidelines should encourage search engines to publicly disclose an accounting of the nature and frequency of governmental requests for access to search records.
• Encourage search engine providers to offer users the option of searching anonymously on the Internet, and that search engines should enable site-wide SSL to protect users’ information and communications from eavesdropping.
In order to ensure individuals' freedom of expression rights -- especially readers' rights to read information available on the web -- EFF has asked Council of Europe to strengthen the guidelines to say:
• A search engine is not required to conduct any kind of ex ante filtering or blocking and will not be penalized for failure to do so.
• A search engine will not be held liable for failure to remove content upon an extra-judicial request, and that Member States establish processes in their national laws for timely, preliminary judicial review of challenged content.
• A search engine is permitted to clearly disclose to individuals whenever search results have been limited or affected by an action of law and/or by a self-regulatory action of the search engine, and to disclose an accounting of the nature and frequency of governmental orders for content removal, blocking, or filtering.
• A search engine does not need to conduct any kind of filtering or blocking that would constitute monitoring of its service, or affirmatively seek facts indicating illegal activity. Moreover, investigation and monitoring is likely to lead search engines to over-block in order to avoid any possibility of litigation, which means lawful content will inevitably be taken down.
• Self-regulation mechanisms should not include a requirement for a search engine to monitor and police their customers. Self-regulatory guidelines should not curtail individuals’ freedom of expression rights, as well as readers’ rights to access information free from surveillance.
We look forward to hearing back from the Council of Europe after the current meeting in Strasbourg, and hope to see these values upheld.
In yesterday's Senate Judiciary Hearing, "Oversight of the Federal Bureau of Investigation," FBI Director Robert Mueller testified about the Bureau's desire to extend three expiring provisions of the USA PATRIOT Act -- PATRIOT Section 215, authorizing secret court orders for the Internet and financial records of innocent Americans; the "lone wolf" wiretapping provision, which unconstitutionally allows foreign intelligence investigators to bypass traditional wiretapping protections and spy on people inside the U.S. who have no link to any foreign organization; and the "John Doe" roving wiretap provision, which allows blank-check wiretapping orders that don't identify the suspect or the particular phone or Internet connections to be tapped.
During the question and answer portion of Mueller's testimony, Senator Grassley asked the FBI Director: have "any of these three provisions been subject to any negative reports of finding abuse?" Mueller responded, "I'm not aware of any." Well, Director Mueller -- EFF is aware of some.
As part of EFF's FLAG Project, we issued a FOIA request for records of intelligence violations stemming from the FBI's use of the expiring provisions of the PATRIOT Act. In the FBI's response to our request, we uncovered evidence of multiple reports of potential violations (pdf); however, in typical FBI fashion, the reports are almost entirely redacted. As a result, the details of most of the violations remain secret. Nevertheless, by comparing the FBI's response to our PATRIOT Act request with the Bureau's response to another EFF FOIA request, the murky details of at least one potential violation involving PATRIOT provisions became more clear: the FBI, in a case where use of a "John Doe" roving wiretap was authorized, monitored the conversations of "young children" for "approximately" five days.
In documents obtained through EFF's PATRIOT Act request, an email with the subject "IOB database -- Roving Authority" references "Potential IOB Matter 2005-160," yet all details of the report were redacted.
FBI Email suggests that IOB 2005-160 occurred under the roving wiretap authority
By cross-checking the referenced IOB matter-number with documents from our request for the FBI's Intelligence Oversight Board reports, we were able to locate the full report of the FBI's improper conduct. The report describes the FBI's monitoring of young children for five days, despite the fact that none of the voices being monitored matched the voice or language of the target.
IOB Report 2005-160 describes FBI misconduct in case utilizing "John Doe" roving wiretap
The report concludes that the violation occurred as a result of the FBI's faulty drafting and inadequate review of the wiretap renewal application. The entire IOB report is available here (pdf).
In order to shed light on these violations before Congress rubber-stamps another extension of the expiring PATRIOT Act provisions, EFF has contacted Senators Grassley and Leahy (pdf) and provided the Senators with the redacted versions of these reports. While the FBI may not feel compelled to be forthcoming with EFF and the American public, hopefully the Bureau will feel differently about withholding information from elected officials.
And, while EFF is doing our part, we need your help, too. As Congress debates PATRIOT renewal, politicians need to hear from you. Please take a stand for civil liberties by:
When the FBI is monitoring children's phone calls, it's definitely time to rein in the PATRIOT Act.
UPDATE: As security researcher Chris Soghoian reminds us, former Senator Feingold believed that the expiring Section 215 of the PATRIOT Act had also been subject to abuse, based on information he received in classified briefings. At a hearing in 2009, Senator Feingold stated: "I recall during the debate in 2005 that proponents of Section 215 argued that these authorities had never been misused. They cannot make that statement now. They have been misused. I cannot elaborate here. But I recommend that my colleagues seek more information in a classified setting." (at 105).
SECOND UPDATE: Along with Senator Feingold's statements and the FBI's internal reports of possible PATRIOT violations disclosed by EFF, the Department of Justice, Office of Inspector General's 2007 report on the FBI's use of Section 215 Orders found at least two instances of improper use (pgs 41 - 46 of the document). While the details of the potential violations described by Senator Feingold and EFF remain unclear, the OIG report constitutes clear evidence that expiring provisions of the PATRIOT Act have been improperly used.
The numbers confirm the anecdotal evidence: Immigrations and Customs Enforcement (ICE), a division of the Department of Homeland Security (DHS), is stepping up intellectual propertyrelated enforcement, launching almost half as many cases in the past two months as it had in total in 2010. That’s according to ICE's own statistics, summarized in a larger presentation recently delivered by DHS Assistant Deputy Director Erik Barnett to the U.S. Chamber of Commerce's Coalition Against Counterfeiting and Piracy (CACP). That's the Chamber of Commerce of HBGary notoriety, a private trade association that lobbies hard for IP enforcement.
The presentation discusses "Operation in Our Sites," ICE’s no-longer-new domain name seizure strategy for "Taking Aim to Stop the Sale of Counterfeit and Pirated Items." We’ve written about this program before and its questionable tactics for trying to counter online infringement. What's more, DHS seems to have read our posts! We refer you to slide 23 of the presentation.
Given that ICE's "primary mission is to protect national security, public safety and the integrity of our borders through the criminal and civil enforcement of federal law governing border control, customs, trade and immigration," we continue to be surprised by its focus on IP issues that don't have a nexus with public health and safety. Moreover, it's hard to believe that going after those kinds of targets is the best use of ICE's limited resources. Citing EFF, the presentation asks: "What investigations didn't occur while the DHS spent its time and energy pursuing the agenda of large media companies?" Good question.
Today the House Oversight Committee held a hearing titled, “Why Isn't the Department of Homeland Security Meeting the President’s Standard on FOIA?” As we wrote last October, redacted DHS emails revealed the agency was targeting certain Freedom of Information Act (FOIA) requests and certain FOIA requesters—such as activist groups, watchdog organizations, and journalists—for an extra layer of review by politically-appointed officials within and outside the agency. The emails further revealed EFF was one of the organizations explicitly targeted, and three of our FOIA requests are mentioned specifically. Given the delay between when we filed these FOIA requests and when we finally received records, we assume our requests and the documents produced in response to them went through this extra vetting.
The Oversight Committee has now released a report (pdf) discussing the delays due to DHS's political review process, as well as efforts by agency lawyers to obstruct the Committee's investigation. While these are serious problems, we now think the issue may be much larger than the report finds and we first thought. Since we wrote our blog post, we have learned through litigation in our social networking FOIA case that not only did DHS drag its feet on producing documents, the agency also failed to release all documents it had that were responsive to our request. In conversations with the DOJ attorney representing the government, we have recently learned that DHS likely has a “voluminous production” of additional documents concerning how the agency uses social networking sites that it has yet to produce to us.
We have also learned that DHS is not the only agency where this seems to be occurring. In another of our FOIA cases concerning intelligence agencies' misconduct reports we recently learned that two agencies, Department of Defense and Department of State, similarly failed to produce all the documents they had responsive to our FOIA requests when we first requested them. This has led to significant delays in both cases.
We are grateful to the government attorneys on these cases for telling us about these missing documents. Perhaps the DOJ is finally implementing Attorney General Holder’s directive that DOJ attorneys will “defend a denial of a FOIA request only if (1) the agency reasonably foresees that disclosure would harm an interest protected by one of the statutory exemptions, or (2) disclosure is prohibited by law.” If so, however, this could indicate a troubling situation—did the agencies fail to release the documents initially due to a political review process?
Uncensored versions of DHS emails recently received by AP may confirm this is true. AP notes the emails “included allegations that Napolitano’s senior political advisers might have hidden embarrassing or sensitive emails that journalists and watchdog groups had requested.” However, without seeing the documents withheld in our cases, we have no way of knowing.
The emails AP received also show DHS officials were just as frustrated about the political vetting process as members of Congress and the public. Chief Privacy Officer Mary Ellen Callahan wrote in an email to her then-deputy, Catherine Papoi, “This level of attention is CRAZY.” Papoi called the political reviews “meddling” and said that, together with “constant stonewalling” by the department’s top lawyers, they caused delays in the agency’s open records department. Yet neither official seemed able to change the process. In fact, Callahan said she hoped someone would “FOIA this whole damn process” to discover details of the political reviews.
We are just as frustrated as Callahan and Papoi by the agencies’ responses and the significant delays in our cases. These FOIA requests concern important issues the American public has the right to know about, yet in both cases we will have waited a year and a half to two years before we finally get all the documents. Even more frustrating, though, is that we were only able to find out about the agencies’ failures to produce all documents by litigating the FOIA requests. Many FOIA requesters deal only with FOIA officials within the agency itself and rarely are able to resort to litigation to force the agency to comply with the FOIA. These requesters are subject to the whims of the administrative appeal process and may never see all the documents they are entitled to under FOIA.
We urge the Oversight Committee to dig deep into the DHS FOIA mess and investigate the FOIA review process at other agencies as well. Agencies should not be allowed to withhold documents or delay the FOIA process for political reasons.
UPDATE: The Court in OpenMind Solutions v. Does 1 – 2925 heard oral argument on April 11, 2011. At the end of the hearing — during which the judge expressed some initial concerns with OpenMind's attempt to lump the defendants into a class action — the judge requested that OpenMind and EFF submit briefs on the merits of the class action lawsuit. Those briefs will be due in two weeks; we will then wait for a ruling from the Court. In the meantime (as reported below), discovery remains stayed.
As we've been reporting for some time, a series of lawsuits has been filed across the U.S. against thousands of individuals accused of having illegally uploaded and downloaded copyrighted works in violation of copyright law. One of the latest of those suits is a case called OpenMind Solutions v. Does 1 – 2925, a case in which EFF filed an amicus brief asking the judge to quash the subpoenas seeking the identities of the nearly 3,000 anonymous defendants.
We are glad to report that the judge has decided to stay discovery pending a hearing on the issues EFF raised in its brief, which means that (at least temporarily), ISPs need not comply with the subpoenas sent out by OpenMind’s attorney John Steele.
The hearing in this case is scheduled for April 11. In the meantime, if you are an ISP or an anonymous Doe defendant, you should make sure your attorney is aware of the judge’s order. For more information, or if you have further questions, consult EFF’s Subpoena Defense Resources page.