Remember over-the-air broadcast television? The kind that you can receive on a variety of devices, without scrambling or monthly fees? For decades, the principle that the public airwaves are just that – public property – has been an obstacle to TV studios’ efforts to control when, where, and how we watch their programs – and at what price-point. But that hasn’t stopped them from trying. The latest target is Aereo, a New York City startup that lets users stream local broadcast TV from a dime-sized antenna on a Brooklyn rooftop to their personal devices.
Supported by some of the same organizations that supported the SOPA and PIPA Internet blacklist bills, the TV networks complain that Aereo is "retransmitting" New York TV stations without a license. They insist that while Joe Citizen can put an antenna on his roof and run a wire to his TV, he can't rent an antenna from Aereo and replace the wire with (oh, no!) the Internet. We’ve seen this before: a new user-empowering television technology emerges, and, almost on auto-pilot, the studios send their lawyers to try to shut it down. Their basic theory? If a new technology creates a new way to access the TV programming that we already have a legal right to view, the studios are entitled to control and profit from that technology.
But as the courts have said time and time again, that's just not how the law works. A quintessential example: the VCR. Movie studios sued to keep home video recorders off the market, arguing that the ability to tape TV programs to watch later would destroy their industry. (Former Motion Picture Association of America head Jack Valenti famously compared the VCR to the Boston Strangler.) The Supreme Court rejected the studios' arguments, saying that people have a right to tape from the public airwaves, and VCR manufacturers didn't need to pay royalties to the studios.
Fast forward to 2008, when a group of TV networks tried to shut down Cablevision’s "remote DVR" service. That service allowed cable subscribers to record shows to which they had already bought access and save them to a hard drive at the cable company's facility, instead of on a DVR in the subscriber's living room. Again, the TV networks insisted they should have a right to profit from and control – or stop – this new technology. Again, the court said no, because a customer’s personal recording and viewing of the cable shows she had already paid for doesn’t trespass on any of the rights that the law gives to copyright owners.
The familiar arguments are re-surfacing in the Aereo dispute. Just as they once claimed the right to charge a toll for recording a TV show to watch later, the studios claim that they, and no one else, should control the ability to receive free broadcasts and stream them to Internet-connected devices. Essentially, the networks are saying that simply because Aereo's technology is valuable to TV watchers, copyright owners have a right to capture that value. The Institute for Policy Innovation repeated that argument in an e-mail blast denouncing Aereo this week, insisting that Aereo is not a "legal business" because "one must pay for the raw materials that go into a product." – meaning, the television shows being broadcast on the public airwaves.
I guess no one told that to TV manufacturers like Samsung and LG. They don't pay for the shows that go into their TVs. Radio Shack doesn't pay ABC for the right to sell TV antennas, even though ABC’s shows make those antennas valuable. Movie theaters that sell popcorn don't owe a cut of those sales to the studios, even though popcorn enhances the movie-going experience. We understand, intuitively, that just because a product or service adds to the experience of watching TV and movies, or makes it possible in more places and times, doesn't mean that copyright owners should have control, or charge a toll.
The TV networks are hoping to squash Aereo before it can expand beyond New York City. Hopefully, the court hearing the suits against Aereo will focus on what the law says, not what the networks wish it to be.
According to a report from Ma’an News published today, the Palestinian Authority has ordered the blocking of websites belonging to eight news outlets critical of President Mahmoud Abbas. The report states that technicians at PalTel—the largest ISP in the West Bank—tweaked their proxy server and web cache daemon to block the sites, while other ISPs are using similar setups. The blocking is inconsistent across ISPs, with at least one failing to block certain sites on the list.
The blocked sites—which Ma’an discovered with the help of a new project, the Open Observatory of Network Interference, founded by Jacob Appelbaum and Arturo Filasto—include the following sites:
Prior to these latest developments, Internet under the Palestinian Authority (PA) has been relatively unfettered, with only one site—Dounia Al Watan, a news site that was reporting on corruption within the PA—ever reported as blocked in the West Bank. Gaza’s Internet is considerably more restricted, with sexually explicit websites blocked. A diplomatic cable released by Wikileaks showed evidence that Hamas had exerted pressure over telecom company PalTel to implement the censorship, among other things. Israel also retains significant control over communications infrastructure in both Gaza and the West Bank.
Despite a relatively unfettered Internet, however, both Hamas in Gaza and the PA in the West Bank have found ways to crack down on Internet users. In 2010, security services in the West Bank arrested a 26-year-old self-proclaimed atheist for posts he had made on Facebook that angered both Christians and Muslims. A year later, the director of Radio Bethlehem, George Canawati, was charged with libel and slander for comments he made on Facebook criticizing Bethlehem’s health directorate. In February of this year, security forces arrested the editor of official news agency Wafa, Rami Samara, for online criticism of PLO leadership. A Palestinian social media conference hosted in Ramallah in December was prohibited from being livestreamed in Gaza by Hamas authorities that claimed that a proper license hadn’t been procured. And most recently, two journalists and a lecturer were arrested for comments posted on Facebook deemed to be critical of the PA.
The latest news, then, is merely further evidence of a crackdown by the Palestinian Authority against any speech they deem “threatening.” Still, as Ma’an claims, sources have blamed the PA’s attorney general, Ahmad Al-Mughni, for the censorship, quoting PA communications minister Mashour Abu Daka as stating that “the attorney general is responsible” and that the bans may even be illegal.
Abu Daka added: “Blocking websites is against the public interest. I oppose it without exception.” We couldn’t agree more, and urge the PA to immediately unblock the affected sites and ensure a free and open Internet in Palestine.
Yesterday, EFF participated in a panel discussion about CISPA moderated by CNET's Declan McCullagh and put on by Hackers and Founders. We were happy to have the opportunity to do so, and although we disagreed quite a bit with a key proponent of the bill, House Permanent Select Intelligence Committee staffer Jamil Jaffer, one area where we agreed is that more people should read the text of the bill. Let's not let this legislation rush through right when people are starting to question it—if Jamil and other staffers stand behind the bill, why not give it another week or two to let the public debate mature?
The fundamental problems with the bill are numerous. The language of the bill is too broad, and it's hard to know what information will actually be shared by private entities as a result of the bill, or what “cybersecurity systems” will do once they are enabled (if indeed they are different than what companies are doing already, an unknown). CISPA also grants sweeping immunity to companies to share information “notwithstanding any other provision of law,” and unsurprisingly has a fair amount of industry support as a result. McCullagh rightly called this a “wildcard” clause; it is a lazy way to encourage information sharing that does not adequately protect the civil liberties of Internet users in the United States.
The panel also highlighted a ubiquitous issue with technology legislation—Congress just doesn't know enough to meddle intelligently with technology. The audience questions demonstrated this point quite sharply, and language which Jamil believed to be crystal clear was still completely opaque to people in the tech sector. Many people asking questions were unhappy with the vague definitions, but technologist Jonathan Nelson perhaps said it best during the Q & A:
I read the bill for 5 or 6 hours. I'm an engineer. I don't understand what is defined as a "cybersecurity threat." I've never heard that discussed amongst engineers here in Silicon Valley. I don't know what a "cybersystem" is. Is it a system on a chip? Is it a LAN? Is it a WAN? Is it the Internet? And I don't understand exactly what information is going to be shared. If it's just malware signatures, put that in the bill.1
This highlights the rift between the tech community and Congress. Unless we as technologists are incredibly vigilant and vocal, the powerful intelligence lobby—rooted in our deep-seated military-industrial complex—will surreptitiously force their surveillance-oriented agenda and Congress won't check them. We hope that as more people become aware of this bill, they will realize that we have to push back. To get good security legislation, we need to demand a better and more detailed explication of the security problems we are facing so that we can narrowly tailor the bill and the private-sector immunities that it grants to those particular problems.
To his credit, Jamil seems sincere that he wants to engage in this debate and talk to the civil liberties community. After all, it's not good when your bill is opposed by dozens of well-respected civil liberties organizations, like the ACLU. But we need to let that debate happen. It's crazy to let Congress vote on the bill only hours after seeing the final text and before they have a chance to consult with technology experts, and there should be no problem with the sponsors of the bill waiting a couple of weeks and letting the public hear the issue and read the bill themselves. If Jamil wants people to read the bill, he has to give them more than a few days to do so.
Take action to help us fight this bad bill.
- 1. Jonathan Nelson, at the Hackers and Founders CISPA panel. Quote paraphrased slightly.
Iran: Authorities Seeking Information on Censorship Tools
The Islamic Republic of Iran has recently become notorious for its efforts to create a “halal” Internet. This week, a security researcher found that Iranian authorities published a “Request for Information” (RFI) seeking details on new types of censorship tools that are available in the market. Ars Technica reported that the Persian language RFI calls for “proper conditions for domestic experts in order to build a healthy Web and organize the current filtering situation.” The deadline for response was yesterday, April 19.
The existence of the RFI suggests that Iran is seeking to nationally expand its scope of online content blocking and filtering. The RFI states:
The creation of a comprehensive Internet purifying system that works based on analysis of Web content is considered among the most important activities in this area and efforts must be made to cultivate domestic technologies…In addition to creating a domestic industry, among other goals of the institute are the purchase and acquisition of foreign technical knowledge and leveraging of the latest technology alongside domestic ones.
What’s clear is that the Iranian government is seeking a more sophisticated system to block content, beyond its current mandate of blacklisting entire sites and banning words. EFF will continue to monitor this initiative and the Iranian government's efforts to facilitate online censorship.
India: Professor arrested over a political cartoon; CIS urges Parliament to overturn 2011 censorship legislation
A chemistry professor in the state of West Bengal was arrested on Friday for posting political cartoons about the state’s Chief Minister, Mamata Banerjee. Ambikesh Mahapatra’s arrest follows increasing public discontent with Minister Banerjee and her style of governance. The local police charged Mahapatra with cyber crime offenses, claiming he had spread “derogatory messages against respectable persons.”
Following the arrest last week, there has been a massive backlash and an online campaign to condemn the charges. The highest trending Twitter hashtag in India is currently #arrestmenow, which has been adopted by users to tweet critical, often humorous, opposition to the police action. It echoed a similar situation in December, when the Indian blogosphere and Twitterverse were aflame with criticism against Minister of Communications and IT Kapil Sibal after he demanded that websites such as Google and Facebook filter content deemed offensive. Indian netizens' increasing use of social media to fight back against state-mandated efforts to censor online speech is a welcome sight.
In related news, a Member of the Indian Parliament made a motion to overturn an Internet censorship law that was introduced last year. Information Technology (Intermediary Guideline) Rules 2011 require sites such as Google and Facebook to respond to requests to take down “disparaging” or “harassing” content within 36 hours upon finding that the claim is “valid” — though the terms by which they would confirm this are unclear. Center for Internet and Society has launched an action campaign to help bolster public support for the MP’s motion.
Vietnam: Authorities release a decree to enact mass censorship while more bloggers are arrested
On Friday, Vietnamese authorities released a draft decree that would force websites to censor content that is deemed unfit for the public. Called “Decree on the Management, Provision, Use of Internet Services and Information Content Online,” it would also outlaw the use of pseudonyms, forcing individuals with personal blogs to publicly list their real name and address. The main aim of the decree is to privatize censorship by placing the burden of the task onto tech companies, and to silence dissident voices that are not in line with the Vietnamese Communist Party.
In order to avoid having to comply with national censorship laws, companies such as Google, Facebook, and Yahoo! have not placed data centers in Vietnam. This new decree would force all foreign companies to do so in order to require compliance with the local laws. In addition, any website that hosted news would be subject to government approval of their content.
Today, the state arrested three more bloggers, according to news reports. They could face up to 20 years in prison for blogging criticism against the government. Reporters Without Borders has listed Vietnam as the third worst country on their list of “Enemies of the Internet,” following China and Iran.
China: Ai Weiwei Publishes Op-Ed on Internet Censorship
China is notorious for its methodical, pervasive, and real-time national online censorship scheme. From blocking platforms entirely to enabling controlled Internet blackouts, they have the single most powerful infrastructure to censor content in their country.
One of the most vocal opponents to their censorship initiative is artist and activist, Ai Weiwei, who published an Op-Ed on the topic in the Guardian last Sunday. As someone who has encountered his fair share of direct state censorship, he had some optimistic words about the role of Internet in the public sphere.
…people are learning how to exercise their own rights. It is a unique, treasured moment. People have started to feel the breeze. The internet is a wild land with its own games, languages and gestures through which we are starting to share common feelings…
He went on,
…In the long run, [state] leaders must understand it's not possible for them to control the internet unless they shut it off – and they can't live with the consequences of that. The internet is uncontrollable. And if the internet is uncontrollable, freedom will win. It's as simple as that.
There’s plenty of evidence to show that in reality, it’s much more complicated than that. However, without the bravery of individuals such as Weiwei, who are willing to risk everything to stand up for their beliefs and opinions, the Internet would be a much different space.
This Week in Transparency: New Documents Posted to EFF's Site, DOJ's Transparency Promises Unfulfilled, and the Secrecy of Dissent
EFF Releases New Government Documents on Drones and Law Enforcement Training
EFF recently posted three new sets of documents obtained through FOI requests. Yesterday, as reported in the Wall Street Journal, EFF released the lists of private and public entities that have been granted authorization by the Federal Aviation Administration (FAA) to fly drones in the United States. The lists were obtained through EFF’s lawsuit against the FAA, which seeks a variety of information on domestic drone authorization and use. The lists provide the public with the most thorough accounting to date of the organizations operating drones within our borders. Yesterday, along with EFF’s disclosure, Congressmen Ed Markey and Joe Barton sent the FAA a letter (pdf) asking the agency to disclose information similar to that sought in EFF’s FOIA suit.
A second, related release, which we blogged about previously, was obtained through a public records request to the Miami-Dade Police Department for information on its drone program. In response, the Miami PD released its Certificate of Authorization (COA) for its drone – the first time a COA has been made publicly available.
Finally, EFF also posted over 2,000 pages of records released in response to a FOIA request to DHS’ Federal Law Enforcement Training Center (FLETC). EFF sought information on FLETC’s Mobile Device Investigation Program, which teaches federal officials how to conduct investigations based on information obtained from cell phones and other electronic devices.
EFF Attorney Weighs in on DOJ's Unfulfilled Promise of Transparency
Earlier this week, EFF Senior Counsel David Sobel co-authored an article in the National Law Journal documenting – yet again – the Obama administration’s failure to live up to its promise of openness and transparency.
While the Obama administration continues to tout its transparency accomplishments, the authors noted that, “[a]s attorneys who each have more than 30 years' experience litigating FOIA cases in the federal courts, our assessment is decidedly less rosy.” In particular, the article faulted the Department of Justice (DOJ) for the “breadth of situations in which DOJ will fight to maintain official secrecy,” even in spite of a clear promise from Attorney General Holder to only defend FOIA withholdings when disclosure was clearly prohibited or would produce actual harm.
The article concludes:
Three years ago, we rejoiced when President Obama re-established important open-government tenets, and his new attorney general promised DOJ would vigorously enforce the law's public disclosure requirements. Unfortunately, we are still waiting to see that promise fulfilled.
You can read the full article here.
The Secrecy of Dissent Within the Government
Two items this week demonstrated the troubling issue of government secrecy occurring at the intersection of questionable governmental policies and internal disagreement between individuals and agencies within the federal government.
The first, reported by Spencer Ackerman at Wired, concerns a secret memo written in February 2006 by a top adviser to the State Department. The memo warned that the Bush administration’s use of “cruel, inhuman or degrading” interrogation techniques amounted to a “felony war crime.” However, not only was the memo secret until this week (after a three-year wait for the State Department to respond to a FOIA request), but, according to the memo’s author, Bush administration officials determined the “memo was not considered appropriate for further discussion and that copies of [the] memo should be collected and destroyed.” Luckily a copy survived and you can read Wired’s full report, and the released memo, here.
In a second, strikingly similar example, a recently released memoir, Traitor: The Whistleblower and the American Taliban, describes the story of a Justice Department attorney who blew the whistle after her legal advice was disregarded. A book review from Secrecy News provides the background: Following the apprehension of John Walker Lindh—an American citizen arrested in Afghanistan for fighting American forces alongside the Taliban—Jesselyn Radack, a DOJ attorney and specialist in legal ethics, advised that Lindh not be interrogated without an attorney present. Not only was Lindh not provided an attorney during interrogation, but the DOJ “publicly denied having received any such legal advice, and even destroyed evidence to the contrary.” Steven Aftergood of Secrecy News writes:
Ms. Radack was not looking for a fight, but only to do the right thing. For her trouble, she was forced out of her Justice Department position, put under criminal investigation, fired from her subsequent job, reported to the state bar, and put on the “no fly” list.
You can read the full review here.
Some secrecy is inevitably needed so that officials within the federal government feel free to air viewpoints internally and without inhibition. Ultimately – and at least in theory – this allows lower level employees to provide candid opinions, and permits officials with decision-making authority to choose the best legal or policy analysis from the many. This, in turn, ensures sound government policies are ultimately chosen.
Secrecy in the name of honest debate is one thing, but the government’s action in both these cases demonstrates something far more troubling: the destruction of dissent. Not only does the destruction of these memos likely run afoul of government record-keeping regulations, but the suppression and destruction of the evidence of dissenting viewpoints undermines the integrity of the government’s final policy position. The need to silence dissent is a hallmark of flimsy ideas.
At first blush, it seems obvious that a picture could reveal your location. A picture of you standing in front of the Golden Gate Bridge sensibly leads to the conclusion you were in the San Francisco Bay Area when the photo was taken. But now that smartphones are quickly supplanting traditional digital cameras, and even traditional cameras now have Wi-Fi built in, many more pictures are finding their way onto the web, in places like Twitter, Flickr, Google+ and Tumblr. In a span of 10 days, popular photo social network Instagram added 10 million new users as a result of the release of its Android app and its acquisition by Facebook. And the location data hidden in these quick and candid pictures -- even when your location isn't as obvious as "standing in front of the Golden Gate Bridge" -- is becoming another easy way for anyone, including law enforcement, to figure out where you are.
Take the case of "w0rmer," a member of an Anonymous offshoot called "CabinCr3w," for example. According to the federal government (PDF), "w0rmer" broke into a number of different law enforcement databases and obtained a wealth of sensitive information. In a Twitter post, "w0rmer" provided a link to a website that contained the sensitive information as well as a picture of a woman (NSFW) posing with a sign taunting the authorities. Because the picture was taken with an iPhone 4, which has a GPS device built in, the GPS coordinates of where the picture was taken were embedded into the picture's EXIF metadata. The FBI was able to use the EXIF data to determine that the picture was taken at a house in Wantirna South, Australia.
The FBI tracked down other online references to "w0rmer," with one website containing the name Higinio Ochoa. The feds took a look at Ochoa's Facebook account, which detailed that his girlfriend was Australian. Combined with the EXIF metadata, the government believed they had corroborated the identity of "w0rmer" as Ochoa, and in turn arrested him.
Even for photos not taken with a smartphone and not embedded with GPS coordinates (for example, point and shoot or SLR cameras that do not geotag), it's still possible for the police to get location information through EXIF metadata. You can upload a picture here and see the metadata stored in a picture for yourself. Contained within that metadata is the camera's serial number. Armed with that information, the police can easily scour the internet for other pictures tagged with the same serial number. In Australia, a man whose camera was stolen was able to track it down using stolencamerafinder.com because the thief had taken a picture with the camera and uploaded it to Flickr, where he had listed his address. But even if the thief's Flickr site didn't contain his address, police could have subpoenaed Flickr - like law enforcement have attempted to do with Twitter - for information concerning a user's temporarily assigned IP address, as well as session times and logs, to eventually determine where a person uploaded a picture from. All of which can be used to piece together a snapshot of not only your movements, but as in the case of "w0rmer," potentially your identity. In the United States, police are being trained about the broader investigative (PDF) potential of this information.
It might be tempting to say the problem is overblown, because some social media sites, including Facebook and Twitter, strip the metadata out of photos uploaded by their members. But not all do. Twitpic's default is to use a picture's location tag unless you opt out. Flickr gives you the option to hide a photo's EXIF data, but many casual photographers tempted by the rapid growth of photo sharing may not understand what EXIF data is, and the implication of making it publicly available.
The bigger problem is that courts have been expanding the police's right to search digital devices without a warrant under the "search incident to arrest" exception of the Fourth Amendment. While many of the cases involve warrantless searches of cell phones, there has been at least one case in California (PDF) where the police used the "search incident to arrest" exception to search a juvenile's digital camera. And there are other reported incidents of photojournalists having their cameras confiscated and searched when covering political protests and rallies. If the cops have the physical camera (and thus the memory cards that store the photos), whatever scrubbing that happens when a photo is uploaded to the web is no obstacle.
So if you value your privacy, you should take steps to ensure the EXIF metadata in your pictures isn't an easy way for anyone on the Internet to figure out your location. If you're using a smartphone to take pictures, disable geotagging. If you're uploading your pictures to a website like Flickr or Twitpic that defaults to automatically include EXIF data and location information, take the steps to turn it off. And if you're using a traditional SLR or point and shoot camera that doesn't geotag, but does contain a breadth of EXIF data, then make sure you scrub its metadata before you upload it to the Internet. There are free online tools that will help you do precisely that. These simple steps will help ensure that the thousand words a picture describes don't include your location.
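As an added example (not code from the original post), the sketch below shows what "scrubbing" means at the file level: it walks a JPEG's segments, reads the GPS position out of the Exif block if one is present, and writes a copy with the metadata segments removed. The sample image, its coordinates and all function names are constructed for illustration; it assumes a baseline JPEG whose segments before the scan data all carry a length field.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # IFD0 entry that points at the GPS sub-directory
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
# APP1 holds Exif and XMP, APP13 holds IPTC/Photoshop data, COM is a comment.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}


def jpeg_segments(data):
    """Yield (marker, start, end) for each segment; the scan runs to EOF."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: compressed pixels follow
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            raise ValueError("invalid segment length at offset %d" % pos)
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _ifd_entries(tiff, offset, endian):
    """Return {tag: raw 4-byte value field} for one TIFF directory."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, _typ, _n, raw = struct.unpack_from(
            endian + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = raw
    return entries


def _degrees(tiff, raw, endian, ref):
    """Convert three RATIONALs (deg, min, sec) into signed decimal degrees."""
    (offset,) = struct.unpack(endian + "I", raw)
    dn, dd, mn, md, sn, sd = struct.unpack_from(endian + "6I", tiff, offset)
    value = dn / dd + mn / md / 60 + sn / sd / 3600
    return -value if ref in (b"S", b"W") else value


def exif_gps(data):
    """Return (latitude, longitude) if the JPEG is geotagged, else None."""
    for marker, start, end in jpeg_segments(data):
        payload = data[start + 4:end]
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd = _ifd_entries(tiff, ifd0, endian)
        if TAG_GPS_IFD not in ifd:
            return None
        (gps_off,) = struct.unpack(endian + "I", ifd[TAG_GPS_IFD])
        gps = _ifd_entries(tiff, gps_off, endian)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _degrees(tiff, gps[GPS_LAT], endian, gps[GPS_LAT_REF][:1])
        lon = _degrees(tiff, gps[GPS_LON], endian, gps[GPS_LON_REF][:1])
        return round(lat, 6), round(lon, 6)
    return None


def strip_metadata(data):
    """Return a copy of the JPEG without Exif/XMP, IPTC and comment segments."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in jpeg_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)


def build_sample_jpeg():
    """Constructed input: JFIF header, Exif block tagged 10.5 S 20.25 E, stub scan."""
    u32 = lambda v: struct.pack("<I", v)
    entry = lambda tag, typ, n, raw: struct.pack("<HHI4s", tag, typ, n, raw)
    tiff = b"II" + struct.pack("<HI", 42, 8)           # header, IFD0 at offset 8
    tiff += struct.pack("<H", 1) + entry(TAG_GPS_IFD, 4, 1, u32(26)) + u32(0)
    tiff += struct.pack("<H", 4)                        # GPS IFD at offset 26
    tiff += entry(GPS_LAT_REF, 2, 2, b"S\0\0\0") + entry(GPS_LAT, 5, 3, u32(80))
    tiff += entry(GPS_LON_REF, 2, 2, b"E\0\0\0") + entry(GPS_LON, 5, 3, u32(104))
    tiff += u32(0)
    tiff += struct.pack("<6I", 10, 1, 30, 1, 0, 1)      # 10 deg 30 min 0 sec
    tiff += struct.pack("<6I", 20, 1, 15, 1, 0, 1)      # 20 deg 15 min 0 sec
    seg = lambda m, body: bytes([0xFF, m]) + struct.pack(">H", len(body) + 2) + body
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\xff\xda\x00\x02" + b"\x00" * 8 + b"\xff\xd9"  # not real pixel data
    return b"\xff\xd8" + seg(0xE0, app0) + seg(0xE1, EXIF_HEADER + tiff) + scan


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", exif_gps(sample))
    print("after: ", exif_gps(strip_metadata(sample)))
```

Removing the whole Exif segment also discards the other fields stored there, such as the camera serial number mentioned above and the orientation flag, so a scrubbed photo may display rotated until it is re-saved.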
View Map of Domestic Drone Authorizations in a larger map
This week the Federal Aviation Administration (FAA) finally released its first round of records in response to EFF’s Freedom of Information Act (FOIA) lawsuit for information on the agency's drone authorization program. The agency says the two lists it released include the names of all public and private entities that have applied for authorizations to fly drones domestically. These lists—which include the Certificates of Authorizations (COAs), issued to public entities like police departments, and the Special Airworthiness Certificates (SACs), issued to private drone manufacturers—show for the first time who is authorized to fly drones in the United States.
Some of the entities on the COA list are unsurprising. For example, journalists have reported that Customs and Border Protection uses Predator drones to patrol the borders. It is also well known that DARPA and other branches of the military are authorized to fly drones in the US. However, this is the first time we have seen the broad and varied list of other authorized organizations, including universities, police departments, and small towns and counties across the United States. The COA list includes universities and colleges like Cornell, the University of Colorado, Georgia Tech, and Eastern Gateway Community College, as well as police departments in North Little Rock, Arkansas; Arlington, Texas; Seattle, Washington; Gadsden, Alabama; and Ogden, Utah, to name just a few. The COA list also includes small cities and counties like Otter Tail, Minnesota and Herington, Kansas. The Google map linked above plots out the locations we were able to determine from the lists, and is color coded by whether the authorizations are active, expired or disapproved.
The second list we received includes all the manufacturers that have applied for authorizations to test-fly their drones. This list is less surprising and includes manufacturers like Honeywell, the maker of Miami-Dade's T-Hawk drone; the huge defense contractor Raytheon; and General Atomics, the manufacturer of the Predator drone. This list also includes registration or "N" numbers, serial numbers and model names, so it could be useful for determining when and where these drones are flying.
Unfortunately, these lists leave many questions unanswered. For example, the COA list does not include any information on which model of drone or how many drones each entity flies. In a meeting with the FAA today, the agency confirmed that there were about 300 active COAs and that the agency has issued about 700-750 authorizations since the program began in 2006. As there are only about 60 entities on the COA list, this means that many of the entities, if not all of them, have multiple COAs (for example, an FAA representative today said that University of Colorado may have had as many as 100 different COAs over the last six years). The list also does not explain why certain COA applications were "disapproved" and when other authorizations expired.
We raised these questions in our meeting with the FAA today and were assured the agency will release additional records with this important information soon. As we have written before and as Congressmen Markey and Barton (pdf) stated in their letter to the FAA today, drones pose serious implications for privacy, and the public should have all the information necessary to engage in informed debate over the incorporation of these devices into our daily lives. However, while we wait for additional information, these lists help to flesh out the picture of domestic drone use in the United States.
By Patrick Steele, EFF Activist Intern
CISPA, the Cyber Intelligence Sharing and Protection Act of 2011 (HR 3523), is the new bill threatening civil liberties moving quickly through the House. In the past, we've documented the numerous problems with the bill and with other cybersecurity legislation.
Here is a list of organizations and influential people that expressed concerns about the dangerous civil liberties implications of the bill. Though each organization or person may differ in their terminology, they all reach the same conclusion—CISPA is not a "sharing of information bill only." It is an expansive bill that enables spying on users and allows for unaccountable companies and government agencies that can skirt privacy laws.
To add your organization to this list, please email firstname.lastname@example.org.
“Rogers (the bill’s author) says that the bill aims to 'help the private sector defend itself from advanced cyber threats,' but what it does is allow unlimited sharing of personally identifiable data amongst and between private companies and the government, without a single safeguard for privacy or civil liberty.”
Access Now's petition for companies to withdraw support of CISPA can be found here.
American Civil Liberties Union in Kicking off "Stop Cyber Spying Week"
“Keeping our computer systems secure is a real concern, but CISPA is absolutely the wrong answer. The bill would create a loophole in all existing privacy laws, allowing companies to share Internet users' data with the National Security Agency, part of the Department of Defense, and the biggest spy agency in the world—without any legal oversight."
Avaaz.org in Stop CISPA Contact Form
“The US Congress is sneaking in a new law that gives them big brother spy powers over the entire web—and they're hoping the world won't notice. We helped stop their Net attack last time, let's do it again.”
The Cato Institute
The Cato Institute has published a series of articles analyzing cybercrime, its truth, its myths, and the hard math behind legislation such as CISPA and the inherent problems with cyber security bills such as this.
"The cybercrime surveys we have examined exhibit [a] pattern of enormous, unverified outliers dominating the data. In some, 90 percent of the estimate appears to come from the answers of one or two individuals. In a 2006 survey of identity theft by the Federal Trade Commission, two respondents gave answers that would have added $37 billion to the estimate, dwarfing that of all other respondents combined. This is not simply a failure to achieve perfection or a matter of a few percentage points; it is the rule, rather than the exception. Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias."
The Center for Democracy and Technology in Cyber Intelligence Bill Threatens Privacy and Civilian Control
“If the bill merely extended to other companies the opportunity to receive classified attack signatures from the NSA so they could better defend their networks, CDT would actively support the legislation. However, the bill goes much further, permitting ISPs to funnel private communications and related information back to the government without adequate privacy protections and controls."
Demand Progress in CISPA Is The New SOPA: Help Kill It
“CISPA demolishes existing barriers between the government and the private sector -- and between government agencies -- that restrict data sharing without cause, effectively allowing information about Americans' use of the Internet to slosh back and forth uninhibited.”
Fight for the Future in its newly launched webpage focused on CISPA
"A cybersecurity bill that lets any company share your info with all of government, with no limits. In short, CISPA is the end of meaningful privacy for anyone with personal data on US-based services."
“As it stands, CISPA could lead all too easily to governmental and corporate violations of our privacy and attacks on our right to speak freely via the Internet. While there is a need to protect vital national interests, we can’t do it at the expense of our freedoms."
Reporters Without Borders in Internet Advocacy Coalition Announces Twitter Campaign to Fight Privacy-Invasive Bill (CISPA)
“In the name of the war on cyber crime, it would allow the government and private companies to deploy draconian measures to monitor, even censor, the Web. It might even be used to close down sites that publish classified files or information.”
Sunlight Foundation in CISPA is Terrible for Transparency
“The FOIA is, in many ways, the fundamental safeguard for public oversight of government's activities. CISPA dismisses it entirely, for the core activities of the newly proposed powers under the bill. If this level of disregard for public accountability exists throughout the other provisions, then CISPA is a mess. Even if it isn't, creating a whole new FOIA exemption for information that is poorly defined and doesn't even exist yet is irresponsible, and should be opposed.”
Tim Berners-Lee - Inventor of the World Wide Web Speaks Out Against CISPA
“[It] is threatening the rights of people in America, and effectively rights everywhere, because what happens in America tends to affect people all over the world. Even though the Sopa and Pipa acts were stopped by huge public outcry, it’s staggering how quickly the US government has come back with a new, different, threat to the rights of its citizens.”
The White House’s Statement on Cyber Security in The Hill
Any cybersecurity bill with information sharing provisions "must include robust safeguards to preserve the privacy and civil liberties of our citizens." The White House declared they would not support a bill that would "sacrifice the privacy of our citizens in the name of security."
As we have seen in a previous EFF blog post, these privacy sacrifices are numerous and extensive.
Other Organizations Voicing Concerns About CISPA's Impact on Civil Liberties
Advocacy for Principled Action in Government
American Association of Law Libraries
American Association of University Professors
American Booksellers Foundation for Free Expression
American Society of News Editors
American Policy Center
Association of Research Libraries
Bill of Rights Defense Committee
Citizens for Responsibility and Ethics in Washington – CREW
Center for Media and Democracy
Center for National Security Studies
Center for Rights
Canadian Internet Policy and Public Interest Clinic
The Constitution Project
Consumer Federation of America
Council on American-Islamic Relations
Cyber Privacy Project
Defending Dissent Foundation
Entertainment Consumers Association
Feminists for Free Expression
Freedom of Information Center at the Missouri School of Journalism
Government Accountability Project
Hon. Bob Barr
James Madison Project
National Freedom of Information Coalition
National Coalition Against Censorship
National Association of Criminal Defense Lawyers
National Whistleblower Center
Patient Privacy Rights
Privacy Rights Clearinghouse
Project On Government Oversight - POGO
PEN American Center
Personal Democracy Media
Public Employees for Environmental Responsibility – PEER
The Pullins Report
Republican Liberty Caucus
The Rutherford Institute
Society of American Archivists
Society of Professional Journalists
Special Libraries Association
Utah Foundation for Open Government
US Bill of Rights Foundation
Washington Coalition for Open Government
On Monday, EFF launched our Stop Cyber Spying platform featuring our new Congressional Twitter Handle Detection Tool. Users can enter a zip code in order to find their Representative’s Twitter account. Folks are then urged to tweet messages to their Representatives highlighting the invasive nature of the CISPA cyber spying bill, a vaguely written piece of legislation that would let companies bypass privacy law and share private user information with the government.
And now, you can have our Congressional Twitter Handle Detection Tool for yourself!
Here's some code we cooked up to create an embeddable iframe version of the tool. We urge anyone who has a website to embed their own copy by pasting this code into their site, so more users will learn about CISPA and tweet at Congress to oppose it.
<div style="text-align:center;"><iframe style="border:0;width:720px;height:570px;overflow:hidden;" src="https://cyberspying.eff.org/embed.php?next_url=https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8444"></iframe></div>
Want to customize it? Just replace https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8444 with whatever URL you want to use as a next step. If you don't include a URL it will default to EFF's action alert against CISPA.
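The customization step above, as an added example that is not part of EFF's tool: a small generator for the embed snippet that percent-encodes the next-step URL, so a URL carrying its own "&" parameters reaches the tool intact. The function names and the example.org URL are constructed for illustration, and it assumes embed.php reads next_url as an ordinarily decoded query parameter.

```javascript
// Added example, not EFF's code. Function names are hypothetical.
// Assumption: embed.php receives next_url as a normally decoded query parameter.
const EMBED_BASE = "https://cyberspying.eff.org/embed.php"; // from the page

// Escape a value for use inside a double-quoted HTML attribute.
function escapeHtmlAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the iframe src for a custom next step.
// Assumption: with no URL given, the bare embed URL is what triggers the
// default (EFF's action alert) that the page describes.
function buildEmbedSrc(nextUrl) {
  if (nextUrl === undefined || nextUrl === null || nextUrl === "") {
    return EMBED_BASE;
  }
  let parsed;
  try {
    parsed = new URL(nextUrl); // rejects relative and malformed input
  } catch {
    throw new TypeError("next step must be an absolute URL");
  }
  // Only web links make sense as a next step; refuse any other scheme.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    throw new TypeError("next step must be an http(s) URL");
  }
  // Encode the whole URL so its own "?", "&" and "=" stay inside next_url.
  return EMBED_BASE + "?next_url=" + encodeURIComponent(parsed.href);
}

// What pasting the URL in unencoded produces, kept here for comparison.
function naiveEmbedSrc(nextUrl) {
  return EMBED_BASE + "?next_url=" + nextUrl;
}

// The value a standard query-string parser extracts for next_url.
function receivedNextUrl(src) {
  return new URL(src).searchParams.get("next_url");
}

// Full snippet in the same shape as the one published on the page.
function buildEmbedHtml(nextUrl) {
  const src = escapeHtmlAttr(buildEmbedSrc(nextUrl));
  return '<div style="text-align:center;">' +
    '<iframe style="border:0;width:720px;height:570px;overflow:hidden;" ' +
    'src="' + src + '"></iframe></div>';
}

// Constructed sample: a next-step URL with two query parameters.
const SAMPLE_NEXT = "https://example.org/act?id=1&ref=embed";

console.log(buildEmbedHtml(SAMPLE_NEXT));
console.log("unencoded, tool sees:", receivedNextUrl(naiveEmbedSrc(SAMPLE_NEXT)));
console.log("encoded, tool sees:  ", receivedNextUrl(buildEmbedSrc(SAMPLE_NEXT)));
```

The page's own example URL has a single parameter and no "&", which is why it works pasted in as-is.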
The tool relies on data from the Sunlight Foundation's Sunlight Congress API, which is a freely available API that programmers can use to look up legislators, districts, and committees in Congress. The data returned about each legislator not only includes address, phone numbers, faxes, websites, etc., but also Twitter handle, Facebook username, and YouTube channel. We are helping them improve their data set. Sunlight Labs also offers other services to write apps that deal with government data, including Transparency Data API, Open States API, Real Time Congress API, and Capital Words API.
The source code for our Stop Cyber Spying tool is available in this git repository. You can clone it with this command:
git clone https://git.eff.org/public/cyberspying.eff.org.git/
Thai journalist Chiranuch Premchaiporn, better known by her pen name Jiew, is awaiting an April 30th court verdict that could sentence her to years in prison for violating Thailand’s draconian crackdown against free speech. Jiew’s case has focused international attention on Thailand’s lèse majesté laws, which have been used to block websites and suppress political dissent. The ruling will help clarify liability for Internet intermediaries such as Jiew, who is the director of the popular Prachatai news site.
Jiew is charged with violating Thailand’s 2007 Computer Crime Act and paragraph 112 of the Thai Penal Code, which prohibits lèse majesté or offending the monarchy. She faces a 20-year prison sentence for not being sufficiently prompt in deleting comments posted to a Prachatai online forum deemed insulting to the Thai royal family. Thai authorities have used lèse majesté to impose long prison sentences on bloggers, texters, and website administrators and create a climate of fear and self-censorship in Thailand.
“In my case, we have intermediary liability. We are self-censoring. There are no clear boundaries, no protection from law enforcement, no safe harbor,” said Jiew during a conversation in Bangkok last month. “We have a problem with law enforcement and their understanding of how the Internet works."
An arrest warrant was first issued for Jiew in March 2009. Authorities added nine additional charges and a second warrant was issued in September 2010. Jiew was arrested at Bangkok International Airport as she was returning from speaking at the Internet at Liberty conference in Budapest, Hungary and the United Nations Internet Governance Forum in Vilnius, Lithuania. Her second arrest was prompted by pseudonymous comments published on Prachatai’s online forum in 2008 sparked by an interview with political activist Chotisak Onsoong. By the time she was detained at the airport, Jiew had already shut down the Prachatai forum to protect users. According to Jiew, visitors posting comments to the site were targeted for surveillance and police asked for log files that exceeded Thailand’s 90-day limit. Breaches of lèse majesté are considered threats to national security and Thai ISPs turn over the IP addresses of suspects to authorities without requesting warrants.
Using Intermediary Liability to Stifle Dissent
Thailand’s use of lèse majesté illustrates how intermediary liability can be used for unchecked suppression of the open Internet. During her trial, Jiew’s attorneys presented witnesses to clarify the impact of the law including Prachatai website moderator Kittiphum Juthasmit, who testified that the nonprofit news service was forced to recruit 12 volunteer moderators to remove unlawful content. But when the number of postings dramatically increased after Thailand’s September 2006 coup d’etat, it wasn’t possible for the site to review every comment. Wanchat Padungrat, the owner and administrator of Thailand’s largest web portal pantip.com, testified that his site used key-word filtering and five or six full-time employees to moderate comments. But Wanchat noted that the volume of postings and their ambiguity made it impossible to verify all comments - and doing so would be prohibitively expensive for any Thai website.
“This will destroy the Thai Internet industry because we cannot compete with foreign companies,” said Jiew. “People will provide services from international companies and that will be the consequence of the chilling effect of this case.”
Under lèse majesté, even those with enhanced access to a website can be prosecuted. In March 2011, Thantawut Thaweewarodomkul, a web designer for Nor Por Chor USA was sentenced to 13 years in prison for three comments posted to the website. A Thai ISP revealed that an IP address belonging to Thaweewarodomkul connected to the website via an FTP site he used for uploading images. The court found Thaweewarodomkul guilty even though his traffic was sent on a different time and date than the messages. The judge in the case declined to examine the logs. “If you are a webmaster, administrator or moderator and you have higher access to an area of the site, then you can be held liable if you have more privileges,” said Arthit Suriyawongkul of the Thai Netizen Network.
Despite increasing prosecution under lèse majesté, Jiew is still optimistic that she can win her case. She says her judge understands that the verdict will have consequences for the Thai economy and has been open to evidence about international standards for the moderation of online forums. “Once we see clarity in the law, we can comply with the law,” said Jiew. “We didn’t intend to violate the law, but when the law is not clear, it provides an opportunity for officials and authorities to abuse it.”
Fabrication of Digital Evidence
Wason Liwlompaisarn, founder and webmaster of blognone.com, the Thai equivalent of Slashdot, believes that Jiew’s case could help set standards to help protect intermediaries from liability. But Liwlompaisarn is worried about misuse of digital evidence in lèse majesté cases. He points to the prosecution of 62-year-old truck driver Ampon Tangnoppakul who was sentenced to 20 years in prison for allegedly sending four text messages defaming the monarchy. Known in Thailand as “Uncle SMS,” Tangnoppakul denied the charges and told the judge he didn’t know how to text. Liwlompaisarn said the case has raised alarm in Thailand about the forging of IMEI phone identification numbers and a judiciary that declines to authenticate the source of digital evidence. He said the judge in the case refused to review the SMS logs which showed the texts in question were inbound, not outbound.
“With a mobile phone, you can craft evidence and send it to the police which they can use to prosecute. It’s easy to fabricate,” said Liwlompaisarn. “I don’t expect the judge to be highly technical, but they should have a basic knowledge to understand what’s happening.”
David Streckfuss, a scholar who monitors lèse majesté, told Reuters that 478 known cases had been submitted to the Thai Criminal Court since 2006. A recent report from Reporters Without Borders noted that 112 lèse-majesté cases were reviewed by Thai courts between January and October of 2011 alone. Deputy Prime Minister Chalerm Yubamrung announced in December that the government would expand online surveillance to enforce lèse majesté and invest $13 million in a “lawful interception” system.
During the inauguration of Thailand’s new Cyber Security Operations Center, Minister of Information and Communications Technology (MICT) Anudith Nakornthap said he no longer sought court orders to close or block offending web sites. Nakornthap stated that his ministry blocked more than 60,000 websites from September to November of 2011 compared to 70,000 in the preceding three years. Freedom Against Censorship Thailand (FACT) reports that 839,556 Thai websites are now blocked, including all of YouTube, which is inaccessible for the first time since 2007. According to FACT, MICT spends billions of baht (equivalent to tens of millions of US dollars) to censor offending websites.
MICT demanded last year that Facebook delete 10,000 pages for violating lèse majesté. Thai Facebook users who click on the “like” or “share” buttons linked to content that violates lèse majesté continue to be prosecuted. Wipas Raksakulthai, the first Thai Facebook user arrested in April 2010, was declared a prisoner of conscience by Amnesty International.
When Twitter announced in January that it would introduce geolocated censorship based on the user's country location, MICT permanent secretary Jeerawan Boonperm said he would work with Twitter to make sure that tweets in Thailand complied with local law. Jeerawan noted that MICT already had "good cooperation" from Google and Facebook.
Even those who violate lèse-majesté outside of Thailand are prosecuted by Thai authorities. Thai-born American citizen Joe Gordon was sentenced in December 2011 to two and a half years in prison for posting links on his blog to translated portions of The King Never Smiles, an unauthorized biography of Thai King Bhumibol Adulyadej. The infractions were committed while Gordon lived in the U.S., raising alarm about the reach of Thai law and its impact on foreigners.
“The Thai government has established judicial power over the entire world and they enforce it in Thai territory,” said Suriyawongkul of the Thai Netizen Network. “The U.S. counselor gave an interview to the media about the Gordon case and said she was disappointed in the judicial system. Right after that, the Embassy Facebook page was attacked and they locked the page.”
Denial of Bail for Defendants
Human Rights Watch reports that Thai courts often deny bail for those accused of lèse majesté. This is especially true for supporters of the opposition party United Front for Democracy against Dictatorship, also known as the Red Shirts. In February, a coalition of international human rights groups spoke out against denial of bail in lèse majesté cases. One of the “Red Shirts” denied bail is former editor Somyos Prueksakasemsuk who is facing 30 years in prison for refusing to reveal the name of one of his reporters. After being refused bail a seventh time in February, Somyos’s son went on a hunger strike to demand his father’s release.
Prachatai reports that veteran activist Surachai Danwattananusorn, denied bail and sentenced to seven years in prison under lèse majesté, intends to seek a royal pardon for all political prisoners, including those jailed for lèse majesté. In addition to Surachai, the letter will be signed by eight other prominent lèse majesté convicts and defendants including Somyos Prueksakasemsuk, Joe Gordon, Sathian Rattanawong, Wanchai Saetan, Nat Sattayapornpisut, Suchart Nakbangsai and Darunee Charnchoensilpakul. Thai free speech activists say the letter could help pressure the government to reconsider their efforts to undermine democracy and punish dissent. Amphon Tangnoppakul has withdrawn an appeal in his case and will also seek a royal pardon as will Thanthawut Thaweewarodomkul, once he knows the outcome of his bail request.
EFF condemns the Thai government’s ongoing efforts to silence political speech on the Internet. We join with the Thai Netizen Network, Human Rights Watch, Amnesty International, Reporters Without Borders, Committee To Protect Journalists, #freejiew, and Free Jiew in opposing the use of lèse majesté to censor the Internet. Jiew urges netizens to write the Thai government asking for an end to intermediary liability, the right to bail in lèse-majesté cases and IT education for judges.
San Francisco - It's time for technology companies that sell surveillance and filtering equipment to step up and ensure they aren't helping governments in committing human rights violations. In a white paper released today entitled "Human Rights and Technology Sales," EFF outlines how corporations can avoid assisting repressive regimes.
The paper calls on companies to increase transparency of their dealings with potentially repressive regimes and to implement "Know Your Customer" standards for auditing technology sales, including review of the purchasing government's technical questions and customization requests. If the review indicates that the technologies or transactions may be used to facilitate human rights violations, the company should refrain from participating.
"Authoritarian governments around the world often rely on technologies built in North America and Europe to spy on their citizens – including listening in to cell phone calls, scanning crowd photographs with facial recognition tools, and monitoring mobile networks with voice recognition technology. These can have deadly ramifications for activists and others in repressive regimes," said EFF Director for International Freedom of Expression Jillian York. "We're asking companies to take responsibility for the uses that governments make of their products, instead of acting like 'repression's little helper.'"
There is ample evidence that sophisticated technology facilitates human rights abuses, and dozens of corporations are implicated. For example, Narus – a subsidiary of The Boeing Company – was revealed to have sold sophisticated surveillance equipment to Egypt, and California's Blue Coat Systems' equipment was being used in Syria. On the other hand, companies such as Websense have implemented programs to prevent their tools from being complicit in human rights abuses.
In the meantime, Congress has taken note of the problem. A House subcommittee has passed the Global Online Freedom Act (GOFA), which would require disclosure from companies about their human rights practices and limit the export of technologies that "serve the primary purpose of" facilitating government surveillance or censorship to countries designated as "Internet-restricting."
"GOFA is far from perfect, but it's an important step in protecting human rights and freedom of expression around the world," said EFF Activist Trevor Timm. "Tools available today can allow governments to track and spy on every person in a country. Other software can block entire categories of websites, preventing citizens from accessing vital information. Technology companies have a responsibility to try to prevent their services from being used in this way."
For the full white paper "Human Rights and Technology Sales":
For more on the Global Online Freedom Act:
Over the past decade, and particularly in the past year, media and civil society have had success through naming and shaming companies acting as “repression’s little helper”: U.S. and E.U. companies who have helped authoritarian countries censor the Internet and surveil their citizens with sophisticated technology. Today, EFF published a whitepaper outlining our suggestions for how companies selling surveillance and filtering technologies can avoid assisting repressive regimes.
In that vein, the newly-amended Global Online Freedom Act (GOFA), just passed by a House Sub-Committee, while far from perfect, is an important step toward protecting human rights and free expression online.
This is not the first time that GOFA has been proposed, nor is it even the first time the bill has been approved by the House sub-committee; a 2007 version, which literally named the countries to which filtering technology would be restricted (Belarus, Cuba, Ethiopia, Iran, Laos, North Korea, the People’s Republic of China, Tunisia, and Vietnam), was also approved by the House but never came to the floor for a vote.
In the past, EFF has had extreme reservations about GOFA in part because it sought to add more items to the U.S. export restrictions, which could easily mean that activists and people seeking to secure their own networks would lose out more than repressive governments. But in many respects, GOFA has come a long way, thanks in large part to the efforts of its authors in seeking feedback from the tech community and civil society. The bill still needs more definitions and clearer definitions of key terms, and we are not yet ready to support it, but we'll be watching it closely. The current version of GOFA would:
- Require government assessments of “freedom of expression with respect to electronic information in each foreign country.”
- Require disclosure from companies about their human rights practices, to be evaluated by an independent third party.
- Limit the export of technologies that “serve the primary purpose of” facilitating government surveillance or censorship to governments in countries designated as “Internet-restricting.”
But let’s take a deeper look…
The bill contains a number of excellent measures that would ultimately encourage more transparency amongst software and hardware companies, as well as online service providers. The companies involved have been notoriously secretive and have often refused comment to reporters when their products have been found in authoritarian regimes.
Section 103 of the bill would require that the human rights reports already written for each country by the State Department include assessments of each country’s Internet freedom, including the availability of Internet access, and government attempts to filter or censor nonviolent, political, or religious expression. Section 103 would also require assessments about the extent to which authorities in a given country have sought information on an individual or group relevant to their nonviolent activities, as well as the electronic surveillance practices of a given country.
These assessments--undertaken by US diplomatic personnel--would also include the input of human rights organizations, technology and Internet companies, and other “appropriate nongovernmental organizations.” The inclusion of NGOs is an important addition, since we are concerned that the State Department process could be vulnerable to politicization. Because of this, we'd like to see the role of non-governmental organizations increase as the bill develops further. Additionally, since the most robust research on Internet censorship and surveillance has come from the academic community and independent researchers, these must be added too.
Importantly, the bill should also be extended to require transparency from all companies providing tools and services that can be used for surveillance and censorship, and not just companies providing Internet communications services. Transparency from technology vendors and providers of other services is as important as transparency from Internet service providers. In fact, the transparency sections also can and should reach a broader range of technologies and companies than the export restrictions, which should remain narrow if they are to exist at all. As a result, we recommend decoupling the transparency and export restrictions.
Human Rights Standards for Companies
We also commend Sec. 201, which sets up a good framework for human rights due diligence procedures for companies operating “in any Internet-restricting country” (a designation upon which we will comment below). It requires reports that must be approved by the most senior level of a company, and independently assessed by a third party. These reports would be made either to the Securities Exchange Commission or to a multi-stakeholder initiative that conducts independent third-party audits. Unfortunately, only the SEC reports are to be made publicly available online (with an exception for classified information). This should be fixed, but otherwise, the human rights due diligence standards are similar to those in the Human Rights and Technology Sales standards EFF has published today.
All of the aforementioned reports are to be constructed on the basis of Article 19 of the International Covenant on Civil and Political Rights, which states that everyone should have the right to hold opinions without interference and the right to freedom of expression (including the freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers and through the media of his/her choice).
Internet Restricting Countries
While there is much to like in GOFA, we still have extreme reservations about giving the Secretary of State sole authority to determine that a country is an "internet-restricting country." The Secretary is to determine, based on the review of evidence, whether the government of the country is “directly or indirectly” responsible for a systematic pattern of substantial restrictions on Internet freedom during any part of the preceding 1-year period. As we noted above, one way to help mediate that is to increase the role of non-governmental organizations, academic institutions and independent researchers.
More transparency should also be injected into this process. Already a description of evidence used by the Secretary of State to make the determination, as well as all unclassified portions of the report, must be posted online, which is good. Unfortunately, this only applies to countries placed on the “internet-restricting countries” list. The Secretary of State should include information about countries left off the list: Politics and diplomatic pressure can cut both ways. To better ward off claims of politicization, the public should be able to see the evidence for why a country has or has not been included.
We also have concerns about the “Safe Harbor” provision of the bill, in Sec. 201(a)(3), which would allow companies to circumvent reporting requirements by joining the Global Network Initiative (GNI) or another multi-stakeholder group (defined in the bill as a group made up of civil society, human rights organizations, and companies, and committed to promoting the rule of law, free expression, and privacy). While as members of the GNI, we believe that membership in it or similar initiatives should be encouraged, companies should not be given a pass for reporting to the public or fulfilling any other requirements merely for joining such groups. The Safe Harbor could still allow the companies to avoid reporting to the SEC, but it must not allow them to avoid public reporting. Moreover, companies should have to participate in a Multi-Stakeholder group as defined in the bill under section 201(a)(3)(B), including having an independent body provide honest analysis of a company’s exports laid out in the bill. The GNI could be one such group, of course, but it shouldn't have special status.
We also continue to be concerned about the export restrictions, although the bill is now much less worrisome than it once was. The authors smartly now propose only a very limited export restriction that reaches only sales to government end users in Internet restricting countries. As an organization with a long history of fighting the overbroad application of export restrictions, we’re still concerned, but the limited scope here can at least minimize the chances that these regulations could hinder activists in foreign countries from getting, for instance, technologies that can help them monitor their own communications for security vulnerabilities and backdoors. We will need to watch this process carefully, though. At a minimum, the bill should create a very clear and simple process for those seeking to provide technologies to people overseas to challenge any agency action that oversteps this narrow category.
We’re also concerned about the broad waiver provision. It allows the President on a case-by-case basis to certify to Congress that “it is in the national interests of the United States to” issue an exemption. We think the President should have to justify any waiver publicly, to the extent that any part of the analysis is not classified. Also, the standard should be more robust than just the recitation of “national interests.” That is too easily abused.
It’s not hard to see that much of the technology that was misused by governments during the “Arab Spring” was originally sold to countries that were “allies” of the US at the time. Yet, most of these technologies were easily and quickly used to suppress dissent of citizens. A prime example is Egypt, which likely was an ally of the U.S. when it purchased the Narus surveillance technologies used against democracy activists. Similarly, Libya bought technology from France under the guise of fighting terrorism, but used the technology to surveil activists, human rights campaigners, and journalists. Would such a waiver provision be used for Bahrain—still a staunch ally of the US—where several cases have emerged in which activists were tortured while being read transcripts of their text messages and phone calls?
Finally, for no good reason the bill now references intellectual property: “No provision under this Act shall be construed to affect a country’s ability to adopt measures designed to combat infringement of intellectual property.” This provision appears to have no substantive impact, but instead appears to have been included to appease Congressional offices (and their content industry patrons) that seemingly require that intellectual property be mentioned in any law that also mentions the Internet. Frankly, the inclusion of this provision makes Congress look unserious. It simply has no place in a legislative proposal aimed at curbing the use of technology to aid in torture, summary execution and other deadly serious human rights abuses. It should be removed.
EFF, OpenMedia.ca, CIPPIC and a number of civil society organizations have declared this to be ‘Stop Cyber Spying Week’ in protest of several controversial U.S. cybersecurity legislative proposals, including the bill currently before Congress and the Senate called CISPA, the Cyber Intelligence Sharing & Protection Act of 2011. While ‘Stop Cyber Spying Week’ is focused on U.S. initiatives, Canadians should be concerned as well as the adoption of a privacy-invasive U.S. cybersecurity strategy is likely to have serious implications for Canadian civil liberties. For this reason, Canadian civil society groups have joined the protest. In general, Canadians would do well to remain vigilant.
Using the guise of ‘cybersecurity’, CISPA aims to mobilize Internet intermediaries to institute a sweeping, privacy-invasive, voluntary information-sharing regime with few safeguards. The U.S. cybersecurity strategy, embodied in CISPA and other legislative proposals, also seeks to empower Internet companies to deploy ill-defined ‘countermeasures’ in order to combat these threats. Use of these powers is purportedly limited to situations addressing ‘cybersecurity’ threats, yet this term is so loosely defined that it can encompass almost anything – even, potentially, to investigate potential breaches of intellectual property rights!
The cornerstone of the privacy-invasive CISPA component is the establishment of private-public partnerships for information sharing. This creates a two-tiered regime that, on the one hand, facilitates the collection of personal Internet data by private Internet companies as well as the sharing of that information with the government and, on the other, allows government agencies to share information with private companies.
To enable information flows from Internet companies to government agencies, CISPA will grant Internet companies immunity from civil or criminal liability for any monitoring or sharing of user activity—as long as it is done in ‘good faith.’ Specifically, CISPA authorizes companies to “use cybersecurity systems to identify and obtain cyber threat information.” Aggrieved users who sue Internet companies for wrongfully handing over their data to the government will have to meet the incredibly high bar of proving the decision comprised ‘willful misconduct.’
The U.S. cybersecurity strategy will also permit Internet companies to employ dubiously defined ‘countermeasures,’ provided they are justified with equally vague and undefined ‘defensive intent.’ Internet companies will be permitted to deploy ‘cybersecurity systems’ – products designed to ‘safeguard...a network from efforts to degrade, disrupt, or destroy’. While it is unclear exactly what this would permit an Internet company to do, it could allow blocking of specific websites or individuals or even a much broader range of filtering. Given the potentially all-encompassing and inclusive definition of ‘cybersecurity’, it would not be surprising if these ‘countermeasures’ were ultimately used to block online entities such as Wikileaks or sites accused of copyright infringement. The inclusion of ‘degrade’ in the definition of permissible ‘cybersecurity systems’ could even raise net neutrality concerns, as ISPs have, in the past, claimed ‘network degradation’ as justification for the throttling of downstream services such as peer-to-peer applications. Indeed, U.S. cybersecurity laws have a history of being employed by private Internet companies to stifle downstream competition.
In sum, the U.S. cybersecurity strategy envisions a voluntary cooperative regime where Internet companies are given broad-ranging immunities to surveil Internet users and downstream online services. This amounts to an erosion of personal privacy safeguards currently in place. Under this regime, an online company need only to assert a vague ‘cybersecurity objective’ and it will have carte blanche to bypass domestic laws and protections against privacy invasion.
This legislation is likely to have direct implications for Canadians. Canada and the United States have agreed to a joint ‘Beyond the Borders Initiative’ [pdf] aimed at establishing a ‘secure perimeter’ around the two countries. Somewhat ironically given the borderless nature of the Internet, the Initiative envisions a secure cyber perimeter in addition to the secure physical perimeter it seeks to put in place. While the cybersecurity segment of this Initiative remains vague, it includes a commitment to:
- Develop joint Canadian and U.S. programs, and analytic or communications products, aimed at enhancing the cross-border protection of critical infrastructure;
- Enhance the two countries’ ability to ‘respond jointly and effectively’ to cyber incidents, including joint engagement with private sector entities as well as ‘real-time information sharing’ between cybersecurity operation centres across both countries;
- Harmonize best practices and objectives on cybersecurity between Canada and the U.S., and actively advance these objectives in international Internet governance forums and bi-lateral interactions with third countries; and
- Take steps to generally “make cyberspace safer for all our citizens.”
While lacking in specifics, the emphasis on joint information flows, references to bi-national cooperation with private sector entities, and a commitment to jointly advance cybersecurity and best practices all hint at a consolidation of laws and practices. Moreover, reference to joint cybersecurity ‘products’ is reminiscent of the ‘cybersecurity systems’ invoked by CISPA.
If CISPA passes in the U.S., Canadians could expect great political pressure to adopt similar measures in Canada. As Canada’s Federal and Provincial Privacy Commissioners recently noted in a Joint Resolution, there is currently nothing in the Initiative to guarantee Canadian privacy standards are maintained in this harmonization effort. Suggestions that programs are subject to a ‘shared vision’ [see p. 15] between Canada and the United States on privacy emphasize this.
In fact, two current legislative proposals in Canada, if passed, will remove any legal barriers to the type of public-private information sharing that is at the heart of CISPA. First, there is Bill C-12, which will amend Canada’s federal privacy protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA legally restricts the conditions under which private organizations such as telecommunications companies can disclose personal information about their customers to third parties, such as the government. Bill C-12 will significantly expand the conditions under which companies can share information without having to seek customer consent. It will permit telecommunications companies to hand over customer information to any organization seeking it for the purpose of performing ‘policing services’, a term that is increasingly being applied to public-private cybersecurity partnerships.
More concerning is a provision included in Bill C-30, the Canadian Government’s latest attempt to update its capacity to surveil the online activities of its citizens. Among the numerous privacy-invasive elements found in Bill C-30 is a provision granting organizations – including telecommunications companies – immunity from “any criminal or civil liability” if they voluntarily decide to preserve customers’ information or share it with law enforcement. This is evocative of the civil and criminal immunity CISPA offers U.S. companies for handing over their users’ data to the United States Government. While the scope of monitoring permitted under C-30 may not go as far as that in CISPA, the C-30 immunities for voluntary sharing of customer information to the Government are arguably broader.
Canadians would do well to take note of developments on CISPA in the United States. While the immunities granted in Bill C-30 may not have been included specifically with a cybersecurity purpose in mind, Canada is now tied to United States cybersecurity strategies through commitments in the joint perimeter security Initiative. If the CISPA vision is adopted in the United States, Canadians can expect similar strategies to appear soon after. If Bill C-30 passes, many of the legal tools for this unaccountable sharing regime will already be in place, ready for exploitation.
Rep. Rogers is adamant that CISPA, the Cybersecurity Intelligence Sharing and Protection Act, is cybersecurity legislation intended to help protect against critical infrastructure intrusions and to protect private and government information. But as we've written in the past, CISPA is a bill that allows for companies to spy on users, pass along the information to government agencies like the NSA, and potentially filter or block Internet traffic, which could serve as justification for action against sites like Wikileaks. That's why we're calling on users to contact Congress to speak out against this bill.
One of the scariest parts of CISPA is that the bill goes above and beyond information sharing. Its definitions allow for countermeasures to be taken by private entities, and we think these provisions are ripe for abuse. Indeed, the bill defines "cybersecurity purpose" as any threat related to safeguarding or protecting a network. As long as companies act in "good faith" to combat such a cybersecurity threat, they have leeway to protect against “efforts to degrade, disrupt, or destroy [a] system or network.” This opens the door for ISPs and other companies to perform aggressive countermeasures like dropping or altering packets, so long as this is used as part of a scheme to identify cybersecurity threats. These countermeasures could put free speech in peril, and jeopardize the ordinary functioning of the Internet. This could also mean blocking websites, or disrupting privacy-enhancing technologies such as Tor. These countermeasures could even serve as a back door to enact policies unrelated to cybersecurity, such as disrupting p2p traffic.
The Cato Institute warned that one could imagine: "a sysadmin with a vigilante streak reading ['cybersecurity systems'] to include aggressive countermeasures, like spyware targeting suspected attackers." Their analysis continued, "After all, 'notwithstanding any other provision of law' includes provisions of (say) the Computer Fraud and Abuse Act that would place such tactics out of bounds." We think that a rogue sysadmin is not the only concern—no matter what the intention of the bill is now, as political realities change this language can be used to justify the sort of aggressive countermeasures that we've described, or more. This could happen not just in unusual circumstances, but as a matter of policy.
The defense of networks is one reason why the Heritage Foundation is backing the bills. In a letter of support (PDF), Heritage discussed how CISPA gives private entities "clear legal authority to defend their own networks." While we think private entities should be able to defend their networks, they should not be able to do so without accountability in a manner that threatens free speech or disrupts the Internet.
CISPA is intended to protect against catastrophic cyberattacks and economic espionage, but the broad definitions of CISPA unfortunately allow for much more. Contrary to what Rep. Rogers says, CISPA is not "a sharing of threat information bill only." CISPA's language is so vaguely defined that it could allow private companies to take a wide range of actions in order to defend their networks. While some of these actions might be perfectly appropriate, others could have disastrous consequences for our civil liberties.
by Patrick Steele, EFF Activism intern
Yesterday EFF and a coalition of digital civil liberties organizations launched Stop Cyber Spying Week. The week focuses on CISPA, dangerously vague cybersecurity legislation that would allow companies to spy on our online communications and share sensitive user data with the government. The goal of the week of action is simple: to get as many folks as possible contacting Congress to express concern about the civil liberties implications of this cyber spying bill. We've created a new Congressional Representative Twitter Handle Detection Tool, which lets users find their Representatives on Twitter and send them directed tweets. We're encouraging individuals to tweet about the (often sensitive) way we use the Internet to communicate. The tweets will showcase how much unnecessary personal data could be collected under this bill. Twitter users should use the hashtags #CongressTMI and #CISPA.
Since we launched, there's been an explosion of news coverage around the web. Here's a quick roundup of some of the important news coverage about "Stop Cyber Spying Week."
- Politico's CISPA Bill Targeted by Activists
- PC Magazine's Internet Groups Launch Anti-CISPA Protest
- The Global Post's CISPA: The Internet Finds a New Enemy
- US News and World Reports' Expert: New CISPA Bill Isn't SOPA, but Still Attacks Constitutional Rights
- CNET's Say Hello to CISPA It Will Remind You of SOPA
- The Hill's Under Pressure, House Committee Changes Cybersecurity Bill
- CNET's CISPA Gets a Rewrite, But Still Threatens American's Privacy
- The LA Times' CISPA Protests Begin Amid Key Changes to Legislation
- The Chicago Tribune's CISPA Legislation Seen by Many as SOPA 2.0
- The BBC's Facebook Supports CISPA Cybersecurity Bill
Continuing our campaign against the cyberspying bill better known as CISPA, EFF has signed on to two coalition letters urging legislators to drop their support for the Rogers cybersecurity bill (HR 3523). One coalition is focused on the disastrous privacy implications of the bill, while the other identifies major government accountability issues it would introduce.
The coalition behind the privacy letter represents dozens of groups, including the ACLU, the American Library Association, the American Policy Center, the Center for Democracy and Technology, the Privacy Rights Clearinghouse, and many others. In the letter, the groups explain how CISPA as written would be devastating to our privacy rights:
CISPA creates an exception to all privacy laws to permit companies to share our information with each other and with the government in the name of cybersecurity. ... CISPA’s ‘information sharing’ regime allows the transfer of vast amounts of data, including sensitive information like internet use history or the content of emails, to any agency in the government including military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command. Once in government hands, this information can be used for any non-regulatory purpose so long as one significant purpose is for cybersecurity or to protect national security.
The second letter — sent by a coalition including OpenTheGovernment.org, MuckRock, James Madison Project, the Sunlight Foundation, and many more — took aim at the ways in which CISPA would decrease government accountability.
[T]he bill unwisely and unnecessarily cuts off all public access to cyber threat information before the public and Congress have the chance to understand the types of information that are withheld under the bill. ... Other information that may be shared could be critical for the public to ensure its safety. The public needs access to some information to be able to assess whether the government is adequately combating cybersecurity threats and, when necessary, hold officials accountable.
These letters should prove to be a valuable addition to the cybersecurity discussion taking place in Washington right now. It's not too late for your voice to be a part of that discussion, either: #CongressTMI, our social media campaign to contact your Congressional representatives is running now, and we've also made an action alert for you to e-mail Congress about your opposition. Take action today against this privacy-invasive attack on public access to governmental information.
Today, Twitter announced the Innovator’s Patent Agreement (“IPA”), an important tool in the fight to improve a broken patent system. They've posted the agreement to the collaborative development platform GitHub and are looking for feedback. It's become clear that traditional patent approaches just don’t make sense when we’re talking about software, so we’re encouraged to see Twitter’s efforts to let people take matters into their own hands.
The IPA is simple: if you assign your patent to Twitter, Twitter promises it won’t use that patent to sue anyone, except for defensive purposes. So, for example, unless a party sues Twitter first, Twitter won't use the patent in a lawsuit. The IPA also provides the inventor who assigns her patent with tools to ensure that the patent is not used offensively in a suit even if a totally different party owns it down the line.
To be clear, what we really need are fundamental changes to the patent system. Unfortunately, Congress and the courts have failed to make that happen. In the meantime, Twitter’s IPA gives companies and inventors the means to take control of their own fate by ensuring that their patents will not end up in the hands of a troll. We hope that other companies will follow Twitter’s example, and find creative ways to engage with the patent system.
The IPA is not the only exciting development in this space. We’re also watching plans for a defensive patent licensing scheme, and we'll be reporting more about that soon. What’s most exciting, though, is that folks are starting to realize that if we want the system to work for us, we’ll have to do it ourselves. We look forward to helping these plans become realities and getting bad software patents out of the way of innovation.
Yesterday, EFF and other civil liberties organizations launched a campaign to change the public discussion around the Cyber Intelligence Sharing and Protection Act (CISPA), a cybersecurity bill introduced by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) (H.R. 3523). The bill would carve out huge exemptions to bedrock privacy law and allow companies to share private user data with the government without any judicial oversight. The result? Untold and unfettered personal data flowing from online service providers like AT&T and Google to government agencies like the NSA.
Not surprisingly, we think this is a terrible idea. We're huge proponents of network security—but we know that sacrificing the civil liberties of Internet users is an unnecessary and unwanted tradeoff.
We called on the Internet community to use our new Congressional Twitter Handle Detection Tool to find their members of Congress and tweet to them in protest of CISPA. We asked the Internet to showcase the types of unnecessary private data that could be swept up under CISPA. If companies could spy on your online interactions and share it with the government, what would the government receive?
Twitter users began using the hashtags #CongressTMI and #CISPA to showcase the details of their online communications with insightful and often humorous results. Here are a few of the tweets from this morning.