Today, Senator Patrick Leahy introduced much-needed legislation to update the Electronic Communication Privacy Act of 1986, a critically important but woefully outdated federal privacy law in desperate need of a 21st century upgrade. This ECPA Amendments Act of 2011 (S. 1011) would implement several of the reform principles advocated by EFF as part of the Digital Due Process (DDP) coalition, and is a welcome first step in the process of providing stronger and clearer privacy protections for our Internet communications and location data. Here is the bill text, along with a summary of the bill.
The upshot? If the government wants to track your cell phone or seize your email or read your private IMs or social network messages, the bill would require that it first go to court and get a search warrant based on probable cause. This is consistent with DDP's principles, builds on EFF's hard-won court victories on how the Fourth Amendment applies to your email and your cell phone location data, and would represent a great step forward for online and mobile privacy protections.
The bill isn't absolutely free of problems: although it clearly would require a warrant for ongoing tracking of your cell phone, it would also and unfortunately preserve the current statutory rule allowing the government to get historical records of your location without probable cause. It also expands the government's authority to use National Security Letters to obtain rich transactional data about who you communicate with online and when, without probable cause or court oversight. You can count on EFF to press for these problems to be fixed, and for all of the DDP principles to be addressed, as the bill proceeds through Congress.
However, as the start of the process of updating ECPA for the always-on, location-enabled technology of the 21st century, Senator Leahy's bill represents an incredibly important step in the right direction, and we at EFF look forward to working with Senator Leahy and others in Congress as they work to create new laws to better protect your online and mobile privacy. In the meantime, stay tuned for more commentary and analysis from EFF as the ECPA reform process moves forward.
Join EFF on Friday to learn the inside story on social media and the Arab Spring!
How important are social networking tools like Twitter and Facebook for international activists fighting for their liberty? Are these networks forging a new international power structure? Tunisian activist Sami Ben Gharbia will join us for a special Geek Gathering to recount the role of social media in the Tunisian revolution. Sami's presentation and community dialogue will be hosted by Jillian York, EFF's new Director for International Freedom of Expression, with special guest Sachin Agarwal, founder of Posterous, the information sharing website Sami used extensively during the revolution.
This all ages event will be held at EFF's future headquarters in the heart of San Francisco's Mission District nightlife. Come see our new home for online rights!
Friday, May 20, 2011, 7-9 PM
EFF's Future Headquarters
2567 Mission Street
San Francisco, CA 94110
We ask for a $25 contribution, but no one will be turned away for lack of funds. EFF member admission is $20 online or at the door with your Member Card. Contact firstname.lastname@example.org for the Members-Only link!
About Sami Ben Gharbia
Sami is a Tunisian anti-censorship activist and blogger based in the Netherlands. He is the co-founder of nawaat.org, a Tunisian award-winning collective blog about news and politics. Sami serves as Advocacy Director for Global Voices, where he also works on Threatened Voices, a recently developed initiative of the Global Voices Advocacy project. He is the author of a French-language book titled Journey in a Hostile World, which documents his escape from Tunisia.
In towns across Turkey this Sunday, thousands of citizens took to the streets to protest proposed new Internet filters. Beginning in August, Turkey’s Information and Communication Technologies Authority, or BTK, has proposed a selection of opt-in filters that Internet subscribers could choose from. Additionally, BTK has proposed a list of banned words for use in domain names.
This isn’t Turkey’s first foray into online censorship: the Law on the Internet (or the Regulation of Broadcasts via Internet and Prevention of Crimes Committed Through such Broadcasts) No. 5651, enacted in 2007, allows a large variety of actors, including the government, to petition the court or the Telecommunications Authority to filter certain online content (for more details, see Access Controlled, Turkey Country Profile, 2009).
As a result of the law, popular video-sharing site YouTube has been blocked on and off since 2007 in response to complaints about specific videos (most of which were deemed to "insult Turkishness," a criminal offense), while blogging platforms WordPress and Blogspot have also experienced bans at times. The law has also resulted in the blocking of a number of sites on the grounds of defamation, including the site of famed evolutionary biologist Richard Dawkins.
Current law provides the opportunity for site owners to exercise their right of reply against a content ban; however, this right is usually given after a site has already been blocked.
Tunisia: More Filtering, More Transparency
Prior to the January 2011 uprising that led to the ousting of President Zine El Abidine Ben Ali, Tunisia maintained one of the most extensive Internet filters in the world, blocking opposition websites, video-sharing sites, proxies, and nearly any human rights organization that criticized the Tunisian regime.
With the fall of Ben Ali came the fall of the country’s web censors, nicknamed "Ammar 404." In a concessions speech given on January 13--just one day before fleeing the country--Ben Ali promised the removal of Internet censorship. That promise became reality almost immediately, with an official decision allowing the blocking of sites only by court order.
The Agence Tunisienne d'Internet (Tunisian Agency for the Internet or ATI) is the body in charge of implementing filtering; last week, it was reported that the agency had publicized the list of currently banned sites in an effort toward further transparency. The current list of blocked sites includes just four individual Facebook pages, all ordered blocked by the Military Tribunal of Tunis. At least one of the pages belongs to a known Tunisian activist.
Moez Chakchouk, CEO of the ATI, stated during a May 11 Q&A that "this is a filter and not censorship," noting that there are "a thousand and one ways to access, especially by proxy or by typing a different URL syntax."
It is worth noting that blocking an individual Facebook page (or an individual page on any site) is ineffective when users utilize HTTPS to visit a site, because network operators usually cannot determine which page a user is attempting to access. Facebook users can enable HTTPS by going to their account settings, or to enable HTTPS on all sites using Firefox, download EFF and Tor’s HTTPS Everywhere add-on.
Pakistan: No Facebook Ban (Yet)
Last week, we reported on a proposition in Pakistan to permanently ban social networking site Facebook. On May 16, a judgment made on February 28, 2011 was released to the public.
The initial petition, filed in May 2010, was in response to an "Everybody Draw Muhammad Day" competition created as a Facebook page. Section 2 of the judgment explains:
The said move on the website in question sent a wave of resentment amongst the Muslims of the world in general and that of Pakistan in particular. As a result people from different walks of life protested against the act at different levels. Being Muslims by faith and having anguish pain in their heart due to said grisly act of the management of the said despicable website, the petitioners have filed these petitions seeking permanent ban on the said website
The judgment, made by the Lahore High Court in response to Writ Petition No. 10392 of 2010 (Islamic Lawyers Movement vs. Federation of Pakistan and three others), notes similar bans of Facebook in Saudi Arabia, Iran, the UAE, and China as a means of justifying a ban on the site (note that Facebook is not currently blocked in Saudi Arabia or the UAE), but does not ban Facebook outright, instead making several provisions for dealing in the future with websites that contain insults to Islam, including encouragement for the government to strive for legislation such as that "adopted by other Islamic countries in addition to China."
A new petition against Facebook will be heard on May 19, just one day before the anniversary of the "Everybody Draw Muhammad Day" competition.
Network censorship and surveillance is a booming business. Censorship schemes continue to fragment the Internet and new censorship proposals are constantly introduced around the world, including in liberal democracies. (Lately governments have gotten fascinated by the idea of forcing ISPs to censor particular sites from the DNS, so users can't find them even though the sites are still there.) Censors usually assume that most Internet users don't know how to bypass the censorship (or, often, that many users won't even realize the censorship is going on!).
Unfortunately, the censors are often right, at least in broad strokes: many Internet users get used to censorship and rarely or never try to bypass it. And censorship doesn't always take the form of simply blocking sites and services. But there are still major efforts to beat technical censorship by technical means, and motivated users can generally take advantage of them. Millions of people are at least occasional users of censorship circumvention services, but it's a perennial challenge to broaden this pool and give people the tools to maintain uncensored access over time.
Earlier this spring, I took part in a week-long book sprint event in Germany to create a second edition of How to Bypass Internet Censorship. The outcome of the sprint is a 240-page book, available by print-on-demand, for HTML browsing, and as a PDF or ePub download. This book gives details on a wide range of tools for a wide range of audiences, with information on the risks and limitations of particular approaches. It also suggests ways for people on uncensored or less-censored networks to help out.
There are also video interviews with me and other sprint participants discussing Internet censorship and circumvention. A book sprint is a collaborative process where a team produces or revises a book in a short, intense period, typically a single week. (This sprint was convened by FLOSS Manuals, an organization that uses book sprints and Internet collaboration to create open documentation for free and open source software and related technical topics. Their previous sprints have produced some great material in astonishingly short times.)
The manual is now being translated into several languages; if you'd like to help translate all or part of it into some language, please let FLOSS Manuals know!
One of the themes that we gave stronger emphasis in the second edition is the increasingly intimate connection between censorship and surveillance, and, conversely, between privacy and free speech. (One reason for this is that network devices that block particular words and phrases, or access to particular services, are thwarted when they can't see what people are communicating. For example, it's very easy for a firewall to block particular Wikipedia articles or Google search terms, but trickier when users use the secure version of Wikipedia or of Google Search.) This means that EFF's HTTPS Everywhere software and the Tor project, both first conceived as privacy technologies, have significant anti-censorship applications (which are described in the book). It also means that censors are increasingly interested in blocking or subverting HTTPS encryption so that they can continue keeping an eye on the substance of people's communications.
It's also great to see that a subsequent book sprint has produced a manual on computer security and was able to re-use some of our material, which is licensed under a Creative Commons license.
There's always more work to be done to document these topics clearly and completely. FLOSS Manuals has a wiki-like interface; if you have improvements to make, create an account and start editing!
In an ongoing battle in the Southern District of New York about whether the government must disclose metadata when it releases documents under the Freedom of Information Act, it now appears Immigration and Customs Enforcement (ICE) may have lied in a declaration it filed with the court. This comes on the heels of our earlier report about the FBI lying in a FOIA case in California and does not instill confidence that the government is acting honestly or ethically in FOIA litigation.
As part of the case, the plaintiffs requested the government produce metadata with the FOIA records released in the case. The court agreed and issued a strong order in February to that effect.1 The government appealed the order almost immediately and moved for a stay with the district court. As part of the government’s stay motion, it argued that it would be too costly to produce metadata in response to a FOIA request. ICE submitted a declaration from Catrina Pavlik-Keenan, director of the ICE FOIA Office, who stated ICE had tried to use a software application made by a company called Clearwell to produce records in a format requested by the plaintiffs but “encountered numerous technical difficulties.” These difficulties resulted in:
an enormous expenditure of manpower and financial resources . . . OPLA [ICE] estimates that it was forced to expend more than $270,000.00 in upgrades, including the acquisition of a new $32,000.00 server, . . . to have access to and run the application. Further, OCIO [ICE] was forced to suspend many of the agency’s security protocols in order to allow the Clearwell application, which is a web-based application, to run properly.
(PK Decl. ¶ 11.) Well, according to Clearwell, this is not correct. As part of a long post on its website debunking Ms. Pavlik-Keenan’s declaration, Clearwell stated the following:
Neither OPLA nor any other part of ICE paid a dime for upgrades or a new server. In reality, its use of the product for this matter is covered under ICE’s existing license, and we provided an extra server and services for free to help them meet a tight deadline. . . .
In 16 working days, Clearwell was used to process a large volume of information and produce nearly 15,000 pages of Opt-Out Records . . . To help ICE meet its deadline, two Clearwell consultants worked onsite during this period – at absolutely no cost to ICE.
It appears Clearwell complained to ICE about this and other inaccuracies in the declaration (Clearwell’s competitors were using it to trash Clearwell in the eDiscovery software market), and this prompted ICE to submit a supplemental declaration to “clarify a few statements made in two prior ICE declarations.” The supplemental declaration of Ryan Law recanted several statements from Ms. Pavlik-Keenan’s declaration, including the ones above. Mr. Law stated:
the $270,000.00, which includes $32,000.00 for acquisition of a new server, has not yet been spent. . . . Clearwell loaned a new server to ICE for the duration of the January 17, 2011 production.
(Law Decl. ¶ 6.)
Mr. Law asserts that “none of [the inaccurate statements from ICE’s first declaration are] material to ICE's ability to produce the metadata at issue,” and Clearwell implies that it doesn't really matter if declarants tell the truth. (Clearwell describes a declaration as “an advocacy document, not a ruling from a judge.”) However, all declarations, including Ms. Pavlik-Keenan’s, are signed under penalty of perjury and all assertions within a declaration are required to be facts within the declarant’s personal knowledge that would be admissible as evidence in the case. SeeFed. R. Civ. P. 56(c)(4). And in fact, the government relied on Ms. Pavlik-Keenan’s statements to support its argument to the court that it would be “irreparably injured” if it were forced to comply with the court’s order to produce metadata. (SeeDef. Motion for Stay, p. 22, 24.)
As noted above, it’s troubling that we now have evidence that the government has lied in two FOIA cases—both of which raise important questions about how the government is surveilling and collecting information on people in the United States. As the court stated in Islamic Shura Council v. FBI, the court cannot perform its important task “of defending the Constitution and ensuring that the Government does not falsely accuse people, needlessly invade their privacy or wrongfully deprive them of their liberty . . . if the Government lies to it.” Case No. 07-1088 (C.D. Cal. April 27, 2011).
Clearwell implies that there are other inaccuracies in Ms. Pavilk-Keenan’s declaration. Clearwell says:
There is still a lot that we cannot say publicly about the PK Declaration, out of respect for ICE (our customer) who’s engaged in active litigation. But we would be happy to provide further information to concerned parties under NDA.
Let’s hope those inaccuracies aren’t also factual statements the court relies on in deciding the government’s motion for a stay in the case.
1. This case raises the very important questions of whether the government must produce records in the format they are kept by the government (for example, produce a document as an actual excel file, rather than as a paper print out of that excel file) and in a format that is useful for FOIA requesters and the general public. It's the first federal case in the country where a court has determined metadata should be produced under FOIA. We’ll be following this case closely because it affects our own FOIA requests and our ability to analyze the documents we receive.
Peabody Energy is at it again, trying to stifle critical speech intended to call attention to the company's practices. Last year, Peabody tried to intimidate a website that spoofed the Peabody-sponsored "Consortium for Clean Coal Utilization (CCCU)." This week, Peabody targeted a website that focused on concerns about the impact of Peabody's activities on children's health. The site ostensibly had Peabody offer a free inhaler to any family living within 200 miles of a coal plant, stating:
Why Free Inhalers? Because COAL CARES. Coal Cares™ is a brand-new initiative from Peabody Coal, one of America's proud family of coal companies, to reach out to American youngsters with asthma and to help them keep their heads high in the face of those who would treat them with less than full dignity. For kids who have no choice but to use an inhaler, Coal Cares™ lets them inhale with pride.
It's a brilliant bit of identity correction but Peabody, once again, was unable to take a joke. On Wednesday, Peabody's lawyers sent a letter demanding that its name be removed from the website. And that meant that EFF, once again, was forced to explain that this kind of biting, funny political activism is also legally protected free speech. The legal analysis is not hard: the trademark fair use doctrine and the First Amendment both protect the use of Peabody's trademarks as a necessary part of political commentary. Moreover, the site was entirely noncommercial and several courts have held that noncommercial uses are exempt from federal trademark infringement claims (and for you law geeks, they are also statutorily exempt from dilution claims). As one court recently held in a similar "identity correction" case:
The Lanham Act regulates only economic, not ideological or political, competition . . . “Competition in the marketplace of ideas” is precisely what the First Amendment is designed to protect.
But these activists aren't about to be intimidated by a scary lawyer letter. Instead, they provided an additional response that noted that Peabody had a point, just not the censorship one it had tried to make. As they said in a statement today:
Your threat, although entirely baseless (see this response, and the EFF's blog post later today), did make us realize one thing: that Peabody, despite being our country's largest coal producer, and one of the largest lobbyists against common-sense policy, accounts for a mere 17% of U.S. coal production. . . .
As even you may agree, the root of the problem is not Peabody, but rather our system of subsidies, regulations, and lobbying that lets your whole industry continue its lethal work. To make this clear, we have changed every instance of the word “Peabody” on www.coalcares.org to a rotating selection of the names of other large U.S. coal producers who, like Peabody, also need to be stopped from killing kids.
We'll see if Peabody's industry partners appreciate the humor, and the political criticism, better than Peabody did. Even if they don't, the lesson is clear: the best response to critical speech is more speech, not legal threats.
When governments and companies assemble on an international level to discuss "Internet freedom," EFF's policy experts go on alert. All too frequently, government-level discussions about Internet freedom turn into opportunities to discuss tangential issues, many of which have negative implications on online freedom: laws and policies promoting censorship and surveillance on the Internet. With that in mind, EFF attended the Council of Europe (CoE) meeting on Internet Freedom: From Principles to Global Treaty Law? to ensure that European countries’ fundamental values--human rights, democracy and the rule of law--are upheld. EFF went in prepared to fight any attempt to promote pervasive spying proposals or government attempts to control the Internet. The Council of Europe largely succeeded in fostering a positive, rights-centered tone at the meeting. However, EFF remains concerned about the demonstrated support for a dangerous "cybercrime" initiative that invites online surveillance abuses.
Over 150 participants attended the meeting, including representatives from governments, companies and civil society. The Council of Europe’s expert group on cross-border Internet proposed a set of draft principles--ten ideas intended to guide countries' national and international Internet-related policies, norms, and rules. At the moment, the draft principles state that Internet governance arrangements must ensure the protection of user rights and freedoms in accordance with international human rights standards and the rule of law. Moreover, the draft states that the European Convention on Human Rights, one of the leading international legal instruments protecting human rights, “[applies] to the Internet and, more generally, to the information society as a whole in the same way as [it applies] to offline activities.” Notably, the expert group's decisive stand in favor of human rights principles did not inspire the kind of heated arguments that typically accompany the inclusion of human rights language in international policy documents in othervenues. The draft included no references to abusive surveillance measures, and, overall, EFF is looking forward to hearing more discussion about how this set of principles will be applied in the real world.
Amidst the discussion of human rights and public interest Internet policy principles came an inspiring real-world example from Birgitta Jonsdottir, an Icelandic member of parliament who is fighting to transform Iceland into a free-speech haven. She is currently battling a US government attempt to collect her Twitter records as part of an investigation into Wikileaks. Flanked by US government representatives on her panel, Jonsdottir gave a stirring presentation on the Icelandic Modern Media Initiative (IMMI) and its promise to protect free expression for journalists and whistle-blowers from all over the world. IMMI is promoting an Icelandic law that will create a supportive jurisdiction for the publication of investigative journalism and other threatened online media. The Initiative is garnering increasing support: the European Parliament passed a resolution “to position [Iceland and the EU] strongly as regards to legal protection on freedom of expression and information,” a position that will surely bolster IMMI’s work.
The meeting did, however, play host to the kind of dangerous surveillance rhetoric we worry about when countries gather to discuss Internet freedom. Speaking to the conference via pre-recorded web video, the CoE Secretary General issued a troubling statement referring to the Convention on Cybercrime as “the only convention in the world to protect people on the Internet.” "Cybercrime" is a buzzword typically used in combination with plans to give law enforcement entities more power to surveil users online, a policy package that can also endanger citizen privacy in developing countries where weak judicial powers and low legal safeguards make it easy for democratically elected leaders to abuse online surveillance capabilities.
We were equally uncomfortable when the US government representative referenced Hillary Clinton’s February 2011 speech on "Net freedom"; a speech that, for all of its laudable commitment to a free and open Internet, regrettably endorsed the Budapest Cybercrime Convention’s overbroad surveillance powers and lack of legal safeguards and more broadly pledged to support efforts of other nations to bolster their "cybercrime" law enforcement capacity. The pitfalls in these initiatives to help others nations' law surveillance capabilities are only beginning to be made apparent; we have recently seen how the Paraguayan government sought US government assistance in spying on its political enemies.
The CoE is not yet looking at a global treaty and has made clear on its website that these principles can be formalized into a "soft law" framework of voluntary practices. Governments, businesses and civil society groups should reflect deeply about the CoE draft principles that might guide the development of national and international policy. In addition, policymakers and NGOs should compare all of the various proposals that are being hatched in other governmental and intergovernmental organizations to determine which have the most powerful and unequivocal language for protecting human rights. The Dynamic Coalition on Internet Rights and Principles at the United Nations Internet Governance Forum (IGF) could be a productive locus for this work; they are an open network of individuals and organizations that have shown a robust commitment to upholding human rights on the Internet and upholding the right to anonymity.
Safeguarding users’ rights is easier said than done, particularly when governments' complex demands are debated at an international scale. But EFF in Europe (working with fellow travelers, like EDRi) will continue to demand that governments protect Internet rights online and preserve an open and free Internet for all, and we will continue to keep the public informed on how this discussion evolves.
Update: An official Senate version of the draft PROTECT IP Act has been released and is available here. This version changes the “interactive computer services” language mentioned in our post below to “information location tools,” a term that points back to section 512(d) of the Digital Millennium Copyright Act. In that context it’s been generally understood to refer to search engines, though there’s no guarantee we wouldn’t see efforts to expand the definition in actions under this bill. But in any case, requiring search engines to remove links to an entire website raises serious First Amendment concerns considering the lawful expression that may be hosted on the same domain.
- - - - - - - - - - - - -
Last year’s rogue website legislation is back on the table, with a new name: the "Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011"or (wink, wink) "PROTECT IP". The draft language is available here.
The earlier bill, which failed to pass thanks largely to a hold on the legislation placed by Senator Ron Wyden of Oregon, would have given the government dramatic new copyright enforcement powers targeted at websites "dedicated to infringing activities," even where those websites were not based in the United States. Despite some salient differences (described below) in the new version, we are no less dismayed by this most recent incarnation than we were with last year’s draft.
First, the legislation now includes a private right of action for intellectual property owners. This means that IP owners as well as the government can seek injunctions against websites "dedicated to infringing activities" in addition to court orders against third parties providing services to those sites. (Notably, IP owners can also bring actions to enforce the court orders.) Consider whether Viacom would have bothered to bring a copyright infringement action against YouTubewith the attendant challenges of arguing around the DMCA safe harborshad it had this cause of action in its arsenal. The act includes language that says it's not intended to "enlarge or diminish" the DMCA's safe harbor limitations on liability, but make no mistake: rights holders will argue that safe harbor qualification is simply immaterial if a site is deemed to be dedicated to infringement.
Second, the scope of the language has been expanded to include additional categories of third-party providers that can be subject to court orders. Under the new act, "interactive computer services" and "servers of sponsored links" can be required to cease linking to particular websites. We'd heard about a potential "search engine provision," but these additions arguably go much further. An interactive computer service (the term, and its definition, are borrowed from the Communications Decency Act) could include not only Bing but also sites like Facebook, Twitter, and potentially any service or web page where a URL might turn up.
Court orders against interactive computer services don't apply in every context, though. The new version of the bill includes what appear to be some redundant and some alternative remedies where "nondomestic" domains are involved, remedies that are available in actions by the Attorney General but not private actors. (In the language of the bill, a "nondomestic" domain is one "for which the domain name registry that issued the domain name and operates the relevant top level domain, and the domain name registrar for the domain name, are not located in the United States.") The main distinction seems to be that interactive computer services can be ordered to stop linking only in actions brought by the Attorney General against nondomestic domains, but not in actions brought by the Attorney General against domains that are not nondomestic, nor in any actions brought by private plaintiffs.
Also, the new language no longer requires explicit action on the part of domain name registries and registrars, although it still reaches operators of nonauthoritative domain name system servers. Because of Immigration and Customs Enforcement’s ongoing practice of seizing domain names by prevailing on registries and registrars, however, the revision doesn’t seem all that meaningful. EFF denounced the earlier bill for its potential dangerous effects on the Internet's domain name system, and we’ll discuss the implications of the current legislation for DNS in more detail in a future post.
Finally, the bill now requires any potential plaintiffwhether it's the government or an IP ownerto make some attempt to identify a person or entity in connection with the infringement before proceeding against the domain name itself. The effort to inject a little due process into the mix is a good step, but it falls far short of the mark given the potential implications of these actions for online speech.
We’re still chewing through the issues, but on balance, it's clear PROTECT IP is no improvement on COICA.