Despite the valiant efforts of liberty-defending congresspersons from both political parties, the House of Representatives has just this evening passed an extension of the three USA PATRIOT Act surveillance powers that were set to "sunset" at the end of February, by a vote of 275 to 144. Now, the Senate is our last hope to stop PATRIOT renewal and obtain meaningful PATRIOT reform. The Senate is expected to vote on a PATRIOT renewal bill this week, so contact your Senators today and urge them to vote NO on the PATRIOT Act!
Of the 144 votes against the House bill, 26 came from Republicans, who argued that the law's broad surveillance powers constitute a big government intrusion into the lives of private citizens. For example, California Republican Dana Rohrabacher said:
I believe the American people have a legitimate fear of out-of-control government. And yes, they have a legitimate fear of out-of-control prosecutors and out-of-control spy networks.
Democratic Representative Bobby Scott of Virginia added:
I do not accept the argument that in order to be safe it's necessary to give up our rights and freedoms.
Republican House Judiciary Committee Chairman Lamar Smith insisted that the House's extension of the expiring PATRIOT provisions until December 8, 2011 was "the only way to provide House members the time to study the law" and consider changes. Of course, that's exactly what Congressional leaders said in February 2010, the last time Congress renewed PATRIOT. Don't let it happen again: contact your Senators now to oppose PATRIOT renewal and demand PATRIOT reform!
Privacy advocates have observed for years that countries hosting the Olympic Games introduce increasingly heightened security and surveillance measures for the event, but rarely cut back on public surveillance after the games are finished. Because these expanded surveillance measures are often made permanent, we noted with interest a report released by the whistle-blower website Wikileaks that detailed how the United States lobbied Brazil about security and information-sharing strategies after the latter was chosen to host the 2016 Olympic Games.
Although the diplomatic cables on this issue are lengthy, the U.S. cables that have been made public do not address the very serious privacy, civil liberties and public accountability implications of the widespread use of surveillance technologies. It remains to be seen what types of security and privacy protocols Brazil will implement in the coming years. But history shows that the Olympic Games often result in increased security and public surveillance measures that persist long after the games end, to the detriment of privacy.
According to the cables released by Wikileaks, the U.S. Embassy in Brasilia reported on opportunities for the United States Government (USG) to take advantage of the Games to broaden its influence on the government of Brazil and to strengthen cooperation on broader security issues.
“Given the high degree of interest in the Olympics among Brazilians and the high value Brazil places on conducting a successful Game, there are already opportunities for the USG to pursue cooperation toward the Games, and to use such cooperation to further broader USG objectives in Brazil, including increased cooperation and Brazilian expertise on counterterrorism activities. As we look ahead, taking advantage of the Games to work security issues should be a priority, as should cooperation on cybercrime and broader information security (see ref B for additional areas for potential cooperation). We should also look to build in offers for dialogue on preparations for major sporting events as part of all high-level contacts with the Brazilians."
A few weeks before this December 24, 2009 cable, the U.S. Embassy in Brasilia had sent another cable, dated December 1, 2009 and titled "The Future is Now." In this cable, the U.S. Embassy encouraged U.S. agencies to use concerns about a power blackout, and infrastructure challenges in the run-up to the 2016 Olympics, to make a case for expanded involvement of the United States government with Brazil in critical infrastructure and cybersecurity.
“The newly heightened concerns about Brazil's infrastructure as a result of this blackout, combined with the need to address infrastructure challenges in the run-up to the 2014 World Cup and 2016 Olympics, present the United States opportunities for engagement on infrastructure development as well critical infrastructure protection and possibly cyber security,” reads a December 1, 2009 cable from the U.S Embassy in Brasilia.
In addition, the cable dated December 24, 2009 shows that the Embassy in Brasilia further anticipates that "the next [Brazilian] Administration may organize preparations differently," "...or even establish a new agency specifically to coordinate Olympics infrastructure and security planning and logistics."
The privacy situation in Brazil isn't promising. Brazil does not currently have a privacy law, but it is debating one. The draft bill would regulate the collection, use and disclosure of Brazilians' personal information. However, privacy advocates in Brazil have criticized the draft bill because it would exempt databases created for the sole purposes of public security, national security, and law enforcement activities. These would be subject to separate legislation.
We are disturbed to see the U.S. lobbying to push the Brazilian government to increase security measures in advance of the 2016 Olympic Games in Brazil. Privacy advocates who have analyzed previous Olympics security plans have noted that Olympic organizers have contributed to a "climate of fear and surveillance" to the "detriment of democracy, transparency, and international and national human rights law."
For example, as reported in a recent study, Greek law enforcement and intelligence agencies used over 1,000 surveillance cameras in the 2004 Athens games, and the police continued to use them after the games. The cameras were employed not only to monitor high-traffic roads, which was their stated purpose, but also to surveil public spaces, including demonstrations held in those places. After a heated battle with law enforcement officials, the head of the Greek Data Protection Authority and his deputies resigned. The Authority stated that police use of surveillance cameras for secondary purposes "directly breached" the Authority's privacy regulations. Moreover, the Greek data protection law was amended to exempt surveillance cameras from its privacy provisions.
Similarly, in advance of the 2008 Olympic Games, Chinese authorities installed over 200,000 cameras and other surveillance measures in Beijing. They also ordered foreign-owned hotels to install Internet monitoring equipment to spy on hotel guests during the Games.
Taking security precautions prior to the Olympics should not result in implementing public surveillance without any regard to privacy. Prior to the 2010 Winter Olympics in Vancouver, privacy advocates urged the Canadian government to adopt several measures to protect privacy and security; notably:
“to moderate the escalation of security measures for Vancouver 2010 and to strive to respect the true spirit of the event;
to be as open as possible about the necessary security and surveillance practices;
to conduct a full, independent public assessment of the security and surveillance measures, once the Games are over, addressing their costs (financial and otherwise), their effectiveness, and lessons to be learned for future mega-events;
not to assume a permanent legacy of increased video surveillance and hardened security measures in the Vancouver/Whistler area, and to have full and open public discussion on any such proposed legacy.”
In the run-up to the Games, the Office of the Privacy Commissioner of Canada, in conjunction with the Office of the Information and Privacy Commissioner of British Columbia, issued a series of recommendations seeking to ensure that surveillance and other security measures would not unduly infringe individuals' rights.
“[The] Olympic Games pose unique and difficult challenges from a public security perspective," said Jennifer Stoddart, Privacy Commissioner of Canada. "And yet, the duty of governments to provide for the security of citizens must, in democratic societies, be tempered by the values that underpin our way of life. That is why the right to privacy must be upheld, even during mega-events like the Olympic games, where the threat to security is higher than usual.”
Tamir Israel, of the Canadian Internet Policy and Public Interest Clinic, also expressed concern that the recent increase in public security measures could result in lasting changes to the Canadian security landscape: “It is already clear that the event allowed for new surveillance technologies to gain a foothold in Vancouver that would never otherwise have been accepted.”
The public should carefully monitor the security and privacy steps that the new Brazilian government might be considering as the 2014 World Cup and the 2016 Olympics approach. There must be an informed and open debate about privacy and security. The public must also be told whether enhanced security measures will be reversed after the games. The Olympics are an opportunity for cultural exchange, not an excuse for trampling civil liberties.
The US government is deliberating about how to approach the "cyber" security problem. But the solution to the government's own network security problem isn't sweeping authority over the Internet; it's the common-sense security practices the government has heretofore failed to implement.
As we previously said, it is unfortunate that the government tends toward the dramatic and seeks to broadly expand its powers in the name of security, while continuing to overlook more prosaic issues. Bruce Schneier explains,
GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs. These aren't super-secret NSA-level security issues; these are the same managerial problems that every corporate CIO wrestles with.
The best thing the government can do for cybersecurity world-wide is to use its buying power to improve the security of the IT products everyone uses. If it imposes significant security requirements on its IT vendors, those vendors will modify their products to meet those requirements. And those same products, now with improved security, will become available to all of us as the new standard.
We know the market pressure approach can work. Once Microsoft saw that the market would (at least threaten to) make purchasing decisions on the basis of security, we suddenly got the Secure Windows Initiative and Trustworthy Computing. A key security technique is keeping the heat on vendors.
There is also an operational problem. To get a handle on the state of security of important infrastructure, try a Google search for [ scada security ]. It turns up alarming reports of basic security problems in some of our nation’s most important systems. (“SCADA” stands for “supervisory control and data acquisition”, and is used generally to refer to industrial control systems for things like water purification, electricity, manufacturing, and so on.) Here are some examples:
SCADA Security and Terrorism: We're Not Crying Wolf by Maynor and Graham explains that some SCADA systems depend on a long-ago fixed design flaw in Windows, and so can’t be upgraded to safer, more recent versions of Windows. They further note that although it would be easy to hack into many SCADA systems, that is generally not necessary since the systems are completely unprotected by design:
So Microsoft SP2 turned off “anonymous” by default for DCOM
This breaks SCADA systems because they don’t have logins
X-Force research: looks like OPC problem [sic] has lots of buffer-overflows in it, but since everyone uses it with no authentication anyway, it’s pointless researching them.
Go to http://www.opcfoundation.org/, download trial software, test the authentication, binary review their code
21 Steps to Improve Cybersecurity of SCADA Networks, a DOE guidelines document, confirms Maynor and Graham’s assertion that SCADA systems are indeed accidentally connected to the internet. All 21 steps are mundane network management tasks — yet are exciting news in the SCADA world.
It is all too cheap and easy to connect to the internet; to maintain an air gap requires conscious effort and incurs a cost.
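To make the DOE's first steps concrete (identify every connection into the control network, disconnect the ones you cannot justify, and document the rest), here is an added example that is not code from the DOE guide or from Maynor and Graham: a small Python auditor that parses a firewall ruleset and flags every allow rule that crosses the control-zone boundary. The rule syntax, zone ranges, host addresses and both sample rulesets are assumptions constructed for the demonstration; only the port numbers are the real well-known ports for the named protocols.

```python
"""Audit a firewall ruleset for paths that bridge the control (SCADA) zone to
the outside world.  Added illustrative example, not code from the DOE guide or
the other sources cited above; the rule syntax, zone ranges, host addresses and
sample rules are all constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout (constructed): the control zone is 10.10.0.0/16.
CONTROL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Real well-known ICS/OPC ports, used only to label findings (not exhaustive).
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    135: "DCOM endpoint mapper (classic OPC)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str
    src: str      # "any" or a CIDR
    dst: str      # "any" or a CIDR
    port: str     # "any" or a port number as text

def parse_rules(text):
    """Parse lines of the form 'allow tcp any -> 10.10.0.0/16 502'.
    Blank lines and '#' comments are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6 or fields[3] != "->":
            raise ValueError(f"unparseable rule: {raw!r}")
        action, proto, src, _, dst, port = fields
        rules.append(Rule(action, proto, src, dst, port))
    return rules

def _within(cidr, nets):
    """True if cidr lies entirely inside one of nets.  'any' never does."""
    if cidr == "any":
        return False
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(z) for z in nets)

def _touches(cidr, nets):
    """True if cidr overlaps any of nets at all.  'any' always does."""
    if cidr == "any":
        return True
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(z) for z in nets)

def find_air_gap_violations(rules, documented=frozenset()):
    """Return (rule, reason) for every allow rule that lets traffic cross the
    control-zone boundary, unless its (src, dst, port) is in `documented`,
    the set of crossings that have been reviewed and justified."""
    findings = []
    for r in rules:
        if r.action != "allow" or (r.src, r.dst, r.port) in documented:
            continue
        inbound = _touches(r.dst, CONTROL_NETS) and not _within(r.src, CONTROL_NETS)
        outbound = _within(r.src, CONTROL_NETS) and not _within(r.dst, CONTROL_NETS)
        if inbound:
            if r.port == "any":
                label = "all ports"
            else:
                label = ICS_PORTS.get(int(r.port), "port " + r.port)
            findings.append((r, f"inbound to control zone from {r.src} on {label}"))
        elif outbound:
            findings.append((r, f"control zone may initiate connections to {r.dst}"))
    return findings

# Constructed sample: what an 'accidentally connected' control network looks like.
BEFORE = """
allow tcp any          -> 10.10.0.0/16 502    # Modbus reachable from anywhere
allow tcp 10.20.5.0/24 -> 10.10.1.0/24 135    # corporate OPC clients over DCOM
allow tcp 10.10.0.0/16 -> any          80     # PLC vendor 'phone home'
allow tcp 10.10.1.0/24 -> 10.10.2.0/24 20000  # DNP3 inside the control zone: fine
deny  ip  any          -> any          any
"""

# Constructed hardened version: the only crossing left is a DMZ historian that
# polls Modbus from one PLC subnet, and that crossing is recorded as documented.
AFTER = """
allow tcp 10.30.0.5/32 -> 10.10.1.0/24 502    # DMZ historian -> PLC subnet
allow tcp 10.10.1.0/24 -> 10.10.2.0/24 20000  # DNP3 inside the control zone
deny  ip  any          -> any          any
"""
DOCUMENTED = frozenset({("10.30.0.5/32", "10.10.1.0/24", "502")})

if __name__ == "__main__":
    for name, text, exc in (("before", BEFORE, frozenset()), ("after", AFTER, DOCUMENTED)):
        print(f"== {name} ==")
        for rule, why in find_air_gap_violations(parse_rules(text), exc):
            print(f"  {rule.src} -> {rule.dst}:{rule.port}: {why}")
```

Run against the "before" ruleset it reports three crossings (Modbus open to the world, DCOM from the corporate LAN, and the control zone phoning home); against the hardened ruleset it reports none, because the one remaining crossing has been reviewed and listed in `DOCUMENTED`. Drop the exception list and that single historian path shows up again, which is the point: every path across the boundary should either be removed or be something someone has written down and can defend.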
Joe St. Sauver’s academic presentation agrees that SCADA security today lags 5 – 10 years behind business security. Of course, we already know that business security tends to lag behind attacker capabilities by some number of years.
The purpose here is not to scare people. As Maynor and Graham note, “There is neither cause to panic nor cause to ignore the issue.” The way out of the security mess is reason, not paranoia. Instead, these examples show that even the most important systems suffer surprisingly basic problems — with basic fixes.
In my own private-sector security industry work, I observed a pattern: the higher the stakes, the worse the security. “Worse” usually means “more easily resolved with known techniques”. I evaluated a wide range of applications and platforms, and almost invariably found that the most important systems — those managing life, health, and money — were poorly engineered. By contrast, small startups doing something interesting but not (yet) critical would sometimes have very well-engineered systems, with entire classes of vulnerability designed away, minimal feature creep, and solid development practices reducing the risk of accidental implementation flaws. I suspect the reason for this pattern is that organizations that handle life, health, and money do not think of themselves as software engineering organizations, and so seek to minimize engineering costs. Additionally, engineering-driven companies tend to be disruptive newbies who have not yet made a big enough impact on the market to control much important information.
Although some members of Congress want to give the president the power to declare a “National Cyber Emergency”, as in S 3480, simple things like keeping systems updated and keeping critical systems air-gapped would provide more day-to-day safety to the nation. The government should use its enormous purchasing power to pressure platform and application vendors to advance their engineering standards.
One of the less-heralded issues in a series of prominent cases (here, here, and here, for example) testing the limits of the Digital Millennium Copyright Act ("DMCA") safe harbor provisions is the question of when and how service providers must terminate the accounts of "repeat infringers." As a condition of safe harbor eligibility, the DMCA requires that service providers "adopt and reasonably implement" a repeat infringer policy that provides for termination of users' accounts "in appropriate circumstances." But what does this requirement mean? How does one “adopt and reasonably implement”? Who are "repeat infringers"? What do service providers need to do to comply with the law and protect their users' rights to post lawful content?
The right answers to these questions are crucial, because while termination may be needed to punish (or at least impede) large-scale infringers, improper termination can have drastic consequences for legitimate users.
Consider, for example, the effect of YouTube's termination policy on animal-rights advocates Showing Animals Respect and Kindness (SHARK). SHARK videotapes rodeos in order to expose animal abuse, injuries, and deaths and posted more than two dozen videos to YouTube to publicize animal mistreatment. In December 2008, the Professional Rodeo Cowboys Association (PRCA) filed baseless DMCA takedown demands for 13 of the videos. YouTube promptly removed the videos and, following its policy, canceled SHARK's entire YouTube account, removing all of SHARK's uploaded videos from the site and leaving SHARK unable to post new videos. SHARK counter-noticed and the account was restored – but not before SHARK had been silenced for weeks in the middle of the end-of-year fundraising season.
To avoid similar events, service providers who care about free speech and their customers should consider the following as they develop their policies.
First, the legal baseline. Service providers do have to provide at least a "working notification system, a procedure for dealing with DMCA-compliant notifications, and ... not actively prevent copyright owners from collecting information needed to issue such notifications."
Specifically, courts have found that service providers do not comply with the DMCA’s repeat infringer policy requirement when they:
Encrypt or otherwise program a site so that it is impossible for a content owner to determine which users were transferring or uploading specific files; and
Fail to respond appropriately when presented with "actual knowledge" of repeated infringement.
Beyond the above, courts have so far provided little guidance. However, we know Congress enacted the DMCA in order to foster the growth of the Internet as a forum for speech and commerce. We also know that Congress understood that not all alleged infringements are equal: when it passed the DMCA, Congress stated "that there are different degrees of on-line infringement, from the inadvertent and noncommercial, to the willful and commercial." Keeping this in mind, along with the goal of combating online infringement, service providers should seek to implement policies that balance the interests of providers, customers, and content owners.
A Fair Repeat Infringer Policy
In order to protect their customers’ rights, service providers should avoid knee-jerk and over-simplified policies such as “three strikes (takedown notices) and you’re out.” Instead, before shutting down an account, service providers should do the following:
Notice: Promptly notify the user or poster about the report(s) lodged against him, including information on how to challenge the notice and how to contact the content owner;
Information: Allow users – usually lay people without easy access to legal counsel – a fair opportunity to counter-notice. For example, service providers should offer clear information on those procedures, such as explicit instructions, easy-to-locate email addresses and/or user-friendly web forms;
No Instant Termination: Upon receipt of a notice of infringement that could trigger termination of a user's account, notify the user and give her a meaningful opportunity (at least ten business days) to counter-notice before terminating her account (remember, the specific content may still be removed in the meantime). If a counter-notice is received, the "strike" should be removed immediately, unless and until the content is found to be infringing; and
Trust: Create a system of additional protections for "trusted" users, such as users who have not posted any infringing material for a specified amount of time, or for whom noticed content represents only a small percentage of their total posts. Such protections could include additional "strikes" before termination (say, five rather than three), and a fast-tracked appeal procedure, such as a dedicated email address through which a user could request immediate review, by the service provider and the content owner, of content the user reasonably believes was taken down improperly. (Keep in mind that if a service provider does not believe content is infringing, it does not need the safe harbor.) This would provide some recourse when, for example, a political video is taken down two weeks before an election. In addition, trusted users could be given a longer window in which to send a counter-notice to prevent termination of their accounts.
These steps won’t eliminate the problem of takedown abuse, but they should help service providers do their part to protect their customers while protecting themselves.
In response to ongoing protests, Egyptian president Hosni Mubarak ordered a shutdown of all Internet access for five whole days, from January 28 to February 2, but social media and news continued to flow in and out of the country thanks to a group of protagonists dedicated to supporting the flow of information.
EFF board member and co-founder John Gilmore once described the technical robustness of the Internet against censorship by saying: "The Internet interprets censorship as damage and routes around it." Egypt's Internet blackout demonstrated an additional dimension to this adage: that the Internet's anti-censorship features are enhanced by, and to some extent may depend upon, the willingness of individuals and companies to stand up for free expression.
Governments throughout the world are coming to know that citizens' ability to get and give information through the Internet is dependent upon "weak links," and that the most effective route to silencing communications is to lean on a weak link. This is how the Egyptian Internet blackout was carried out: nearly all of the major ISPs in Egypt (Link Egypt, Vodafone, Telecom Egypt, Etisalat Misr, and Internet Egypt Network) took their services offline within minutes of each other, ostensibly under some kind of pressure from the Egyptian president, Hosni Mubarak. Vodafone issued a statement claiming that it had acted at the behest of the Egyptian government, and the company would later issue a similarly anemic statement after being forced to send pro-Mubarak SMS messages to its customers.
While corporations can be put in a difficult situation when pressured by governments to take actions that violate the rights of their customers, ISPs should not be let off the metaphorical hook with the lame, dangerous excuse of "just following orders." There is a growing awareness that companies have significant public interest responsibilities and should be held accountable for the impact they have on human rights.
The vulnerability of "weak links" is something Internet freedom advocates have been worried about for a long time; it's baked into the architecture of the Internet and there's no easy answer. However, the Egypt Internet blackout also demonstrated a strength of the Internet in circumventing censorship: the Internet is highly amenable to the establishment of "quick links," the kind of relatively easy, quick-and-dirty solutions that get devices, and communications content itself, onto the Internet.
For example, France Data Network (FDN) and Telecomix News Agency responded by providing dial-up access to Egyptians during the Internet blackout. In a press release, FDN characterized the blackout as an "open attack from a state against the Internet" and offered its dial-up services to Egyptians with analog phones that could call into France as a way of helping to support freedom of expression. Telecomix News Agency, an organization devoted to informing the public about Internet freedom issues, also provided dial-up access as well as extensive technical support. In spite of the government's autocratic control over Egyptian ISPs, the quick, principled establishment of alternatives was able to keep information flowing.
Another example of a "quick link" is Speak2Tweet, the Google/SpeakNow project which gave Egyptians an alternative way to make their voices heard during the Internet blackout. Within a couple of days, the Speak2Tweet service allowed Egyptians to use telephones to leave voicemail messages, which were then posted to Twitter. Egyptians have used the service to leave thousands of voicemails, some of which have been translated into English.
However, at the core of all of this effort to promote free expression with technology is the bravery and dedication of the Egyptian protesters. Though the Internet blackout impaired Egyptians' ability to coordinate and communicate, protests continued in Cairo, Alexandria, and Suez with record turnout. All of the work to protect and enable free expression in the face of powerful government censorship actions would have been useless if Egyptian protesters had been cowed into staying home. While the role of technology in these revolutions is being hotly debated, what matters the most is people, their safety, and their rights, and that the best communication tools (for activists or others) will serve those ends without compromise.
UPDATE (2/9/11): In another move to fast-track PATRIOT Act renewal before three of its most controversial provisions expire at the end of the month, the House is expected to call another vote on a PATRIOT reauthorization bill any day now. Unlike the two-thirds majority that would have been needed to pass the measure on Tuesday, the next vote will only require a simple majority to pass. Your voice is needed now more than ever. Act now: contact your Representatives and tell them not to rubber-stamp the PATRIOT Act extension!
Today in the U.S. House of Representatives, an unlikely alliance of House Democrats and Republicans stood up for civil liberties and successfully beat back a fast-track attempt to reauthorize the USA PATRIOT Act without the much-needed checks and balances EFF has championed.
The renewal bill voted on today would have extended three dangerous surveillance provisions in the PATRIOT Act until December 2011, provisions that are otherwise set to expire at the end of this month. In order to pass under the fast-track procedure adopted by House leadership to prevent the introduction of any reform-minded amendments, the bill would have had to garner a two-thirds majority, that is, 290 votes. The renewal effort narrowly failed on a final vote of 277 yeas to 148 nays, thanks to the staunch opposition of Democratic leaders and an insurgent movement of freshman Republican Representatives and "Tea Party" conservatives who were unwilling to rubber-stamp the PATRIOT renewal.
Rep. Dennis Kucinich (D-Ohio), one of the most consistent anti-PATRIOT voices, once again spoke out against PATRIOT renewal today, raising concerns about the civil liberties implications of the proposal:
The Patriot Act is a destructive undermining of the Constitution. How about today we take a stand for the Constitution to say that all Americans should be free from unreasonable search and seizure, and to make certain that the attempt to reauthorize the Patriot Act is beat down.
The House Judiciary Committee's ranking Democrat, John Conyers (D-Michigan), has been just as outspoken, calling the PATRIOT Act "One of the worst laws this body has ever passed."
Meanwhile, some new Republican Representatives refused to vote for the bill, both out of concerns about the bill and out of frustration at the rushed renewal process. Rep. Todd Rokita (R-Ind.), one of the Republican freshmen who voted "no", complained that he "didn't know anything about (the vote) until today." Rokita continued:
In a free society you have to be very careful as to taking away the civil liberties of the American people.... Even if the bill is well intentioned and the law is well intentioned it can be used against innocent people. So that was my concern.
While today's vote was a victory for civil liberties, we are not yet free of the expiring surveillance provisions or the PATRIOT Act itself. The White House is advocating for reauthorization of the PATRIOT Act until December 2013, and Congressional leaders in both the House and the Senate are determined to pass some sort of PATRIOT renewal bill before Congress leaves for recess at the end of next week. So please stay tuned to our action center to learn how you can speak out for civil liberties in the crucial weeks ahead, and thank you to everyone who acted to help stop today's PATRIOT Act sneak attack!
One of the major problems with the mass copyright lawsuits we've seen over the last year is that the judges hearing the cases often aren't aware of the full legal and practical context of the litigation. That's because they are asked to make important decisions (e.g., whether to allow the plaintiffs to send out subpoenas for the Does' identities) before any of the defendants have had a chance to point out the fundamental flaws in the plaintiff's case.
Last Friday, Electronic Frontier Foundation and its co-amici Public Citizen, American Civil Liberties Union and ACLU of the Nation’s Capital took one more step toward addressing that problem for one of the cases in the District of Columbia, Call of the Wild v. Does 1-1062. This is actually one of the earlier troll cases: it was originally filed in March of last year, with the U.S. Copyright Group acting as counsel for the plaintiff. In June, EFF submitted an amicus brief noting critical due process and speech problems with the lawsuit. In January, the case (and several other mass copyright cases) was transferred to a new judge, Judge Beryl A. Howell. Shortly thereafter, USCG submitted a response to our brief.
We decided to submit a further brief, because we thought Judge Howell might like to know about various recent developments, such as the fact that federal judges in West Virginia and California have recognized that it is improper to join thousands of people in one lawsuit based solely on the fact that they all allegedly used the same software protocol to share one or more copyrighted works. We urged Judge Howell to take a similar approach and also explained that the plaintiff had failed once again to meet its burden of establishing jurisdiction and to meet the leading test for obtaining a Doe’s identifying information. Finally, we corrected the record regarding measures Judge Rosemary Collyer has taken in similar cases in the District of Columbia to dismiss defendants who had clearly been sued in the wrong court.
We're glad that courts around the country are taking steps to help ensure that the litigation process is fair to both plaintiffs and defendants. We hope Judge Howell will do the same.
Tell your Congressperson to vote NO on the USA PATRIOT Act in tomorrow's vote! The PATRIOT reauthorization bill being fast-tracked to the House floor contains NO reforms to the law, and will be voted upon with NO debate and NO opportunity for amendments to add oversight and accountability. Help stop this sneak attack on your civil liberties: there are only hours left to visit our Action Center and tell your Representative to vote "NO" on H.R. 514, the PATRIOT extension bill.
In late 2009, when PATRIOT reauthorization was originally being considered by Congress, many important PATRIOT reform measures were proposed and debated, and a bill filled with powerful new checks and balances was reported favorably out of the House Judiciary Committee. But, as Congress ran up against the renewal deadline, it decided that there was not enough time to fully consider those reforms. So, in February 2010, Congress instead extended the "sunsetting" sections of the law until the end of this February, with a promise to fully consider the issues before the next deadline.
But Congress is breaking its promise to consider reforms to the PATRIOT Act. In a legislative sneak attack, the new Republican leadership in the House is trying to push Representatives to rubber-stamp another PATRIOT renewal. The House leaders announced just on Friday that they'll be "suspending the rules" so that a bill introduced by Rep. Sensenbrenner to extend the expiring PATRIOT provisions until December 8, 2011 will go to the House floor for a vote TOMORROW, without any debate and without any opportunity for anyone to offer amendments to improve the bill.
In particular, the bill would renew the following dangerously unchecked PATRIOT powers:
• The government’s power under PATRIOT Section 215 to obtain secret court orders for Internet, phone and business records of people who are not suspected of terrorism or spying;
• The government’s "lone wolf wiretapping" power, allowing it to get court orders authorizing secret foreign intelligence wiretaps against individuals who have no connection to any foreign power or terrorist group; and
• The government’s power to obtain blank-check "roving" wiretap orders that can be used to tap any phone number, email account or other communications facility that the government believes is being used by its target.
These provisions should not be renewed, and certainly not without any debate or any new checks and balances to prevent abuse and protect civil liberties. So please act now to tell your Representatives that they should vote NO to the PATRIOT Act in tomorrow's vote!