EFF: European Law Claims to Protect Consumers… By Blocking the Web

Last week the European Parliament passed a new Consumer Protection Regulation [PDF] that allows national consumer authorities to order ISPs, web hosts and domain registries to block or delete websites… all without a court order. The websites targeted are those that allegedly infringe European consumer law. But European consumer law has some perplexing provisions that have drawn ridicule, including a prohibition on children blowing up balloons unsupervised and a ban on excessively curvy bananas. Because of these, the range of websites that could be censored is both vast and uncertain.

The Consumer Protection Regulation provides in Article 8(3)(e) that consumer protection authorities must have the power:

where no other effective means are available to bring about the cessation or the prohibition of the infringement including by requesting a third party or other public authority to implement such measures, in order to prevent the risk of serious harm to the collective interests of consumers:

  • to remove content or restrict access to an online interface or to order the explicit display of a warning to consumers when accessing the online interface;
  • to order a hosting service provider to remove, disable or restrict the access to an online interface; or
  • where appropriate, order domain registries or registrars to delete a fully qualified domain name and allow the competent authority concerned to register it;

The risk of unelected public authorities being given the power to block websites was powerfully demonstrated in 2014, when the Australian company regulator ASIC accidentally blocked 250,000 websites in an attempt to block just a handful of sites alleged to be defrauding Australian consumers.

This likelihood of unlawful overblocking is just one of the reasons that the United Nations Special Rapporteur for Freedom of Expression and Opinion has underlined how web blocking often contravenes international human rights law. In a 2011 report [PDF], then Special Rapporteur Frank La Rue set out how extremely limited are the circumstances in which blocking of websites can be justified, noting that where:

the specific conditions that justify blocking are not established in law, or are provided by law but in an overly broad and vague manner, [this] risks content being blocked arbitrarily and excessively. … [E]ven where justification is provided, blocking measures constitute an unnecessary or disproportionate means to achieve the purported aim, as they are often not sufficiently targeted and render a wide range of content inaccessible beyond that which has been deemed illegal. Lastly, content is frequently blocked without the intervention of or possibility for review by a judicial or independent body.

This describes exactly what the new Consumer Protection Regulation will do. It hands over a power that should only be exercised, if at all, under the careful scrutiny of a judge in the most serious of cases, and allows it to be wielded at the whim of an unelected consumer protection agency. As explained by Member of the European Parliament (MEP) Julia Reda, who voted against the legislation, it sets the stage for the construction of a censorship infrastructure that could be misused for purposes that we cannot even anticipate, ranging from copyright enforcement through to censorship of political protest.

Regrettably, the Regulation is now law—and is required to be enforced by all European states. It is both ironic and tragic that a law intended to protect consumers actually poses such a dire threat to their right to freedom of expression.

Published November 23, 2017 at 01:41AM
Read more on eff.org

EFF: NSA Internet Surveillance Under Section 702 Violates the First Amendment

The First Amendment is too often overlooked in discussions of the National Security Agency’s vast surveillance authorities. But as Congress considers whether to reauthorize Section 702 of FISA this winter, we must remember that it’s not just our Fourth Amendment rights to privacy that are in the crosshairs, but also our First Amendment rights. These rights to anonymously speak, associate, access information, and engage in political activism are the bedrock of our democracy, and they’re endangered by the NSA’s pervasive surveillance.

The NSA uses Section 702 to justify ongoing programs to siphon off copies of vast amounts of our communications directly from the Internet backbone as well as require system-wide searches across the information collected by major Internet companies like Google, Facebook, and Apple. 

So how does the First Amendment come to apply to mass surveillance? To understand this, we need to begin with a little history of the civil rights movement. 

As part of the backlash to the Supreme Court’s ruling striking down segregation in schools, the Attorney General of Alabama, John Patterson, brought a lawsuit against a leading civil rights organization, the National Association for the Advancement of Colored People (NAACP). The lawsuit alleged that the NAACP violated a state law requiring “foreign corporations” to file certain paperwork and get approval before practicing business in Alabama. The NAACP is a nonprofit membership organization; it didn’t file the paperwork because it believed it was exempt. While the NAACP fought the suit, the state issued a subpoena demanding detailed records from the NAACP, including membership lists and bank records. The NAACP refused to surrender its membership lists, fearing retaliatory consequences for its members. Because of this refusal, the court fined the NAACP $10,000, which after five days was raised to $100,000. The NAACP continued to fight the order for two years until the Supreme Court took up the issue, never surrendering its membership lists.

Ultimately the NAACP was vindicated. The Supreme Court recognized that the First Amendment protected the associational privacy interests of NAACP members. It directly recognized that freely associating for advocacy or other purposes is a fundamental right. It noted that state invasions of privacy could infringe on that right: “It is beyond debate that freedom to engage in association for the advancement of beliefs and ideas is an inseparable aspect of the ‘liberty’ assured by the Due Process Clause of the Fourteenth Amendment, which embraces freedom of speech… Of course, it is immaterial whether the beliefs sought to be advanced by association pertain to political, economic, religious or cultural matters, and state action which may have the effect of curtailing the freedom to associate is subject to the closest scrutiny.”

The Supreme Court found that the “Inviolability of privacy in group association may in many circumstances be indispensable to preservation of freedom of association, particularly where a group espouses dissident beliefs.”

In short, we all have the right to associate with one another and to join and communicate with political and religious groups free from government surveillance.

As our society has moved online, our associations have become digital in nature. Signing up for a membership or learning about an advocacy group often happens over a website or app. Members of modern political groups coordinate donations, activities, and information over social networks, email, and websites. When the NSA—either by itself or by working with corporate “partners”—collects the digital communications and browsing history of countless individuals, it’s also obtaining records of innocent Americans visiting activism websites, becoming members of advocacy groups, and coordinating social movements. EFF also raised this argument in our case against the mass telephone records collection by the NSA (substantially narrowed in 2015), First Unitarian Church of Los Angeles v. NSA.

The surveillance of our communications systems, and thereby the surveillance of our communications, infringes on the very rights of private assembly upheld by the Supreme Court in 1958. 

So while the Fourth Amendment concerns about 702 and mass surveillance are important, they are not the only problem created by the law. And Alex Abdo, an attorney at the Knight First Amendment Institute at Columbia University, argues that when it comes to confronting government surveillance, we shouldn’t expect the Fourth Amendment alone to protect our First Amendment interests. He recently wrote that “The Fourth Amendment, unlike the First, is blind to the cumulative effects of invasions of privacy that are small in isolation but substantial in combination.”

Those cumulative effects are especially felt when it comes to the right to publish and access information freely. While the government may be forbidden from censoring online speakers and readers, the cumulative impact of pervasive digital surveillance has a chilling effect on online communities. The specter of government surveillance quells engagement in online forums, social networks, and blogs that discuss controversial, political, or unpopular positions. Knowing that the government is keeping a digital dossier of comments we leave online and articles we digitally share creates an environment in which speakers hesitate to engage in online political advocacy.

Readers also hesitate to visit websites that may be seen as out of favor with the government, whether that’s Al Jazeera or CNN or EFF’s own site, knowing that their visit may be recorded in a government database for years to come. 

The NSA’s digital surveillance of countless law-abiding Americans also indirectly affects another key First Amendment right: our right to assembly. Today’s modern protest movements are often organized and fueled by social media and digital communication, where activists coordinate across a wide range of physical locations. The NSA’s pervasive digital surveillance challenges our values as a society that respects and safeguards the right to plan and participate in protests and other political activity, rights which are themselves baked into the First Amendment.

The pervasive digital surveillance programs of the NSA chip away at the First Amendment protections that underpin our democracy. As Congress considers whether to reauthorize or reform Section 702 surveillance in the coming weeks, we urge them to remember that their choice will not just impact the privacy of Americans, it will have a profound impact on freedom of speech, association, and assembly protected by the First Amendment and ultimately, upon our democracy itself.

Contact Congress today to speak out against NSA surveillance.

Published November 22, 2017 at 09:54PM
Read more on eff.org

EFF: The Safest Conversation You’ll Have This Holiday

Do your friends and family rope you into providing tech support when you’re home for the holidays? Use this opportunity to be a digital security hero and rescue your family from tracking cookies, unencrypted disks, insecure chats, and recycled passwords.

Check out EFF’s Security Education Companion for ideas and inspiration. And remember: People learn by doing! Encourage friends and family members to walk through new security concepts and tools with you, and avoid the pitfalls of taking over their devices and doing it yourself.

  • Did a family member or friend get a fancy new phone, tablet, or computer? Are they worried about losing it or someone stealing it? Help give them peace of mind and keep other people out of their device: show them how to turn on full-disk encryption and password protection.

  • Help others find the software update feature on their operating systems and favorite browsers. Explain that it’s best security practice to regularly update their software, rather than dismissing the reminder box.

Keep in mind that security concepts and tools like these might be completely new to your friends and family. Be prepared to walk through the ideas slowly, and don’t be disappointed if someone is not quite ready to change their routine yet. There’s always next Thanksgiving!

Let EFF know how it went! Use the hashtags #TheSafestConversationYoullHaveThisHoliday or #BadgerYourFamily.

Published November 21, 2017 at 07:43PM
Read more on eff.org

EFF: The Senate’s Liberty Act Helps Close the “Backdoor”

Take the language of one NSA surveillance reauthorization bill and add a few strong reform proposals from another, and what do you get? A bill that helps protect Americans from the warrantless search of the content of their emails, text messages, and digital communications.

On November 17, Senators Patrick Leahy (D-VT) and Mike Lee (R-UT) introduced the USA Liberty Act (S. 2158) into the Senate. It is based on legislation of the same name introduced in October by House Judiciary Committee Chairman Bob Goodlatte (R-VA) and Ranking Member John Conyers (D-MI).                                                   

EFF supports this legislation and welcomes the additional protections included.

Both the House-side and Senate-side USA Liberty Act seek to reauthorize Section 702 of the FISA Amendments Act, an NSA surveillance tool scheduled to expire at the end of this year. Section 702 permits the NSA to target electronic surveillance at non-U.S. persons located outside the United States. But when the NSA sweeps up emails and text messages of foreign targets, it predictably also collects messages written by U.S. persons. These communications are stored in NSA databases as well as those of other intelligence agencies, such as the FBI and CIA. When FBI agents search through Section 702-collected data in FBI systems—even when data belongs to U.S. persons—they do not obtain a warrant.

These unconstitutional searches of Americans’ communications, which skirt the Fourth Amendment requirement of a warrant, are called “backdoor” searches.

The Senate-side USA Liberty Act restricts these searches by borrowing an approach from a separate amendment made for the FISA Amendments Reauthorization Act of 2017, a second Section 702 reauthorization bill before the Senate. Though not identical in language, both the Senate-side USA Liberty Act and the amendment to the FISA Amendments Reauthorization Act place certain warrant requirements on backdoor searches.

According to the Senate-side USA Liberty Act, if government agents want to read Section 702-collected communications belonging to U.S. persons, they first need to obtain a warrant from the Foreign Intelligence Surveillance Court (FISC), which provides judicial oversight on Section 702 surveillance. The bill requires the FISC to approve warrants based on whether there is probable cause to believe that the requested Section 702-collected communications contain evidence of a crime, or concern an “agent of a foreign power.”

Importantly, this backdoor search warrant requirement applies even if agents are searching for foreign intelligence information—a requirement not available in the House-side bill. That bill’s exception for foreign intelligence searches seriously undercuts the value of its warrant requirement.                            

Unfortunately, the Senate-side USA Liberty Act’s warrant requirement applies only to the content of communications, and does not also apply to metadata. According to the bill, government agents who want to access Section 702-collected data related to “dialing, routing, addressing, or signaling information” only need to obtain approval from the Attorney General and show the information is relevant to an investigation. While a warrant requirement is preferred, a relevance test and high-level review are significant improvements over current practice.

The Senate-side USA Liberty Act, like its House sibling, also codifies the end of “about” collection, a highly intrusive type of surveillance that the NSA voluntarily ended this year after receiving criticism from the FISC.  But where the House-side bill only ends this practice through 2023, the Senate-side bill ends it permanently.

The Senate-side bill has another improvement: it explicitly grants backdoor search protections to “persons reasonably believed to be located in the United States.” This means that foreign individuals inside the United States will have the same backdoor search protections on their communications and metadata as those offered to U.S. citizens and permanent residents. The Senate-side bill is rare in codifying these protections.

Sen. Ron Wyden (D-OR), the author of a separate, strong surveillance reform bill called the USA Rights Act—which also extends protections to foreigners inside the United States—praised Sens. Leahy and Lee, and their work.

“I applaud Senators Lee and Leahy for their proposal, which will create meaningful new protections for Americans’ rights, in particular by seriously addressing the problem of warrantless backdoor searches of Americans’ communications,” Wyden said. “While I believe the USA Rights Act represents the best solution to reforming Section 702 of FISA, the Lee-Leahy bill deserves full consideration by the U.S. Senate.”

We agree. 

Published November 22, 2017 at 02:36AM
Read more on eff.org

EFF: Today—and Every Day—We Fight to Defend the Open Internet

Today, we heard from the Federal Communications Commission (FCC) about its plans to devastate Network Neutrality.  Instead of responding to the millions of Americans who want to protect the free and open Internet, the FCC instead is ceding to the demands of a handful of massive ISPs, like Comcast, Verizon, and AT&T.

EFF will be analyzing the full plan when it is released. But based on what we know so far, it’s clear that Chairman Pai is seeking to reverse the 2015 Open Internet Order that established clear but light-touch protections for Internet users and Internet innovation. The FCC’s new approach invites a future where only the largest Internet, cable, and telephone companies survive, while every start-up, small business, and new innovator is crowded out—and the voices of nonprofits and ordinary individuals are suppressed. Costs will go up, as ISPs take advantage of monopoly power to raise rates on edge providers and consumers alike. And the FCC’s proposed plan adds salt to the wound by interfering with state efforts to protect consumer privacy and competition.

The FCC today abdicates a fundamental responsibility—but Internet users won’t. Today, and every day, we will fight to defend net neutrality. Tell Congress that lawmakers must act to defend our open Internet.

Published November 21, 2017 at 09:37PM
Read more on eff.org

EFF: Treasury Department Concludes Fraud Investigation into ComputerCOP “Internet Safety” Software

Three years ago, EFF exposed how hundreds of law enforcement agencies were putting families at risk by distributing free ComputerCOP “Internet safety” software that actually transmitted keystrokes unencrypted to a third-party server. Our report also raised serious questions about whether the company was deceiving government agencies by circulating a bogus letter of endorsement from a top official in the U.S. Treasury Department.

This month, our suspicions were confirmed. A document obtained through the Freedom of Information Act shows that, in response to EFF’s research, the Treasury Department’s Inspector General launched an investigation into ComputerCOP. The final report concluded that the company had, in fact, doctored a government letter to improperly convince law enforcement agencies to spend asset forfeiture funds to buy the product.

Read the Treasury Department’s investigative report and exhibits

Unfortunately, the report shows that ComputerCOP dodged criminal prosecution because the statute of limitations expired. Nevertheless, the records should serve as the final nail in the coffin for this software. It was bad enough that the software was proven dangerous; it is even worse for law enforcement agencies to do business with a company that federal investigators caught forging documents. 

ComputerCOP is a CD-ROM (now also available on a USB storage stick) that promises to help parents protect their children from Internet predators. More than 240 agencies signed contracts with ComputerCOP, often worth tens of thousands of dollars. But the software was less about safety than it was about self-promotion. Elected law enforcement officials—including sheriffs, mayors and district attorneys—placed their images on the cover and recorded promotional videos about how the software was the “first step” to protecting children online. By and large, the “free” software giveaway was used to generate positive media coverage. In Arizona, for example, the software project was spearheaded by the Maricopa County District Attorney’s press officer, rather than a member of the Internet Crimes Against Children team. Marketing materials proclaimed that the software was a “Perfect Election and Fundraising Tool!”

EFF technologists dissected the software and discovered that it contained a keylogging feature that monitored everything a computer user typed. Whenever a keyword was entered, the software transmitted the text to a third-party commercial email server, which then sent alerts to the master user (often a parent) in real time. Not only was this feature invasive and easily abused, it also had a major technical vulnerability: the software transmitted communications openly and unencrypted, so that it could be easily intercepted and read by malicious actors. The San Diego County District Attorney, which had distributed the software, issued a warning to families about the keylogging feature after EFF published its findings.

Law enforcement agencies often paid for ComputerCOP with asset forfeiture funds, that is, money seized from suspected criminals during investigations. When agencies assist in federal investigations, they sometimes receive a portion of the money through a process called “equitable sharing.” As part of its marketing materials, ComputerCOP circulated a letter from the director of the Treasury Executive Office for Asset Forfeiture, which oversees equitable sharing spending, that seemed to endorse the product. 

EFF obtained this letter through a state-level public records request, and it immediately struck us as odd. The letterhead seemed off-kilter, some of the text was misaligned, and the letter was undated, unsigned, and did not even include the full name of the person it was addressed to. (EFF separately discovered ComputerCOP had falsely claimed endorsements by the ACLU and National Center for Missing and Exploited Children.)

So, we filed a FOIA request with the Treasury Department to obtain the original letter, if one existed.  Not long after, the Treasury Department issued a fraud alert for the letter, and the Treasury Department Inspector General launched a formal inquest. 

New FOIA documents show that, after a multi-year investigation, the Inspector General concluded that ComputerCOP had indeed “altered the 2001 letter from TEOAF and made it appear to be blanket permission for all law enforcement agencies to use equitable sharing funds to purchase the software.” Indeed, ComputerCOP made this claim on the rate card it provided to agencies. 

As part of its investigation into the letter, Treasury investigators sent questionnaires to 240 agencies that had purchased ComputerCOP. Of the few dozen that responded, three law enforcement agencies—the Peabody Police Department in Massachusetts, the Alaska Department of Public Safety, and the Greene County Sheriff’s Office in Missouri—told Treasury that the fraudulent letter had directly influenced their decision to purchase the product. 

The closed investigative report indicates the Treasury Inspector General was unable to send the case for prosecution “due to the fact that the three year statute of limitations on the offense had lapsed.” Instead, after discussions with the Justice Department and the U.S. Marshals Service, Treasury concluded it was enough for ComputerCOP to cease using the altered letter and to post a disclaimer on their website.

Unfortunately, it may be time for the Treasury Department to re-open the case. While ComputerCOP did once advertise the disclaimer, EFF could no longer find that language anywhere on its website.  

Making matters worse, the company’s website now claims that the keylogging feature “is not intrusive in any way.” This is an outrageous claim considering that this type of technology is more commonly deployed by stalkers and malicious hackers, and, in certain circumstances, its use could violate wiretapping laws.

For the most part, law enforcement purchases of ComputerCOP have significantly declined since we issued our first report. However, the company does continue to find buyers. For example, the Lake County Sheriff’s Office, Florida purchased 1,000 copies for $5,975 in 2017, according to SmartProcure. Meanwhile McGruff the Crime Dog was handing out copies as recently as this summer at a community screening of the film “Elf.”

To law enforcement agencies, here’s some rock-solid advice: before you purchase so-called Internet safety software, spend a few moments on the Internet researching whether the software is actually safe and above board. 

ComputerCOP is neither.

Published November 21, 2017 at 08:46PM
Read more on eff.org

EFF: Court Rules That EFF’s Stupid Patent of the Month Post Is Protected Speech

A federal judge has ruled that EFF need not obey an Australian injunction ordering EFF to take down a “Stupid Patent of the Month” blog post and never speak of the patent owner’s intellectual property again.

It all started when Global Equity Management (SA) Pty Ltd (GEMSA)’s patent was featured as the June 2016 entry in our Stupid Patent of the Month blog series. GEMSA wrote to EFF accusing us of “false and malicious slander.” It subsequently filed a lawsuit and obtained an injunction from a South Australia court purporting to require EFF to censor itself. We declined and filed a suit in the U.S. District Court for the Northern District of California seeking a declaration that EFF’s post is protected speech.

The court agreed, finding that the South Australian injunction can’t be enforced in the U.S. under a 2010 federal law that took aim against “libel tourism,” a practice by which plaintiffs—often billionaires, celebrities, or oligarchs—sued U.S. writers and academics in countries like England where it was easier to win a defamation case. The Securing the Protection of Our Enduring and Established Constitutional Heritage Act (SPEECH Act) says foreign orders aren’t enforceable in the United States unless they are consistent with the free speech protections provided by the U.S. and state constitutions, as well as state law.

The Court analyzed each of GEMSA’s claims for defamation, and found “[n]one of these claims could give rise to defamation under U.S. and California law,” and accordingly “EFF would not have been found liable for defamation under U.S. and California law.” For example, GEMSA’s lead complaint was that EFF had called its patent “stupid.” GEMSA protested that its patent is not “in fact” stupid, but the court found that this was clearly protected opinion. Moreover, the Court found “that the Australian court lacked jurisdiction over EFF, and that this constitutes a separate and independent reason that EFF would prevail under the SPEECH Act.”

Furthermore, the Court found that the Australian order was not enforceable under the SPEECH Act because “U.S. and California would provide substantially more First Amendment protection by prohibiting prior restraints on speech in all but the most extreme circumstances, and providing additional procedural protections in the form of California’s anti-SLAPP law.” 

After its thorough analysis, the Court declared “(1) that the Australian Injunction is repugnant to the United States Constitution and the laws of California and the United States; and (2) that the Australian injunction cannot be recognized or enforced in the United States.”

The decision was a default judgment. GEMSA, which has three pending patent lawsuits in the Northern District of California, had until May 23 to respond to our case. That day came and went without a word. While GEMSA knows its way around U.S. courts—having filed dozens of lawsuits against big tech companies claiming patent infringement—it failed to respond to ours.

EFF thanks our counsel from Ballard Spahr LLP and Jassy Vick Carolan LLP.

Published November 20, 2017 at 11:52PM
Read more on eff.org

EFF: EFF’s Newest Case: Why We’re Helping to Unseal Court Records in Washington Federal Court

Consider this: Deputy Attorney General Rod Rosenstein has been going around talking about “responsible encryption” for some time now, proselytizing for encryption that’s somehow only accessible by the government—something we all know to be unworkable. If the Department of Justice (DOJ) is taking this aggressive public position about what kind of access it should have to user data, it begs the question—what kind of technical assistance from companies and orders for user data is the DOJ demanding in sealed court documents? EFF’s client The Stranger, a Seattle-based newspaper, has filed a petition with one court to find out.

What’s at Stake?

In a democracy, we as citizens deserve to know what our government is up to, especially its interpretation of the law. A major reason we all knew about the government using the All Writs Act—a law originally passed in 1789—to compel Apple to design a backdoor for the iOS operating system is because the court order was public. However, there are many instances where we may not know what the government is asking. For example, could the government be asking Amazon to turn on the mic on its smart assistant product, the Echo, so they can listen in on people? This is not without precedent. In the past, the government has tried to compel automobile manufacturers to turn on mics in cars for surveillance.

Beyond the All Writs Act, we need to know what kind of warrantless surveillance the government is conducting under statutes like the Stored Communications Act (SCA) and the Pen Register Act. For instance, under certain authorities of the SCA, the government can obtain very private details about people’s email records, such as who they communicate with and when, and that in itself can be revealing regardless of the content of the messages.

The privacy problems of these non-warrant orders are compounded by the secrecy associated with them. The government files papers asking for such orders under seal, giving the public no opportunity to scrutinize them or to see how many are actually filed with the court. The people deserve to know and we support The Stranger’s efforts to seek access to these records.

Of course, the government may have good reasons to prevent disclosure of surveillance orders as part of an ongoing investigation, but under the current regime, next to no information is available even for the existence of such requests, including how many are filed each year. There are ways to meet the government’s priorities—by redacting the name of the suspect to avoid tipping them off, for instance—without sacrificing transparency and access to court records for the American people under the First Amendment.

The Specifics of the Case

Our client The Stranger is a Pulitzer Prize-winning newspaper with a history of covering stories that focus on law enforcement surveillance capabilities. In 2013, The Stranger was the first local media organization to report on the surveillance devices installed by the Seattle Police Department that were capable of tracking people’s digital devices around the city. Apart from local law enforcement, The Stranger also covers federal surveillance activities in the city of Seattle. For instance, it investigated the Alcohol, Tobacco, Firearms and Explosives bureau’s operation of a network of sophisticated surveillance cameras in the city.

To better report on government surveillance capabilities, the newspaper is petitioning the federal court in Seattle—home to companies like Microsoft and Amazon—to unseal government requests for electronic surveillance orders and warrants filed with the Court.

As the petition points out, the current court procedures are inadequate and counter to the widely recognized presumption of public access and openness to U.S. court records. In the Western District of Washington, government applications for electronic surveillance warrants or orders are designated as Magistrate Judge (MJ) matters. But for warrantless surveillance orders, the cases are marked as Grand Jury (GJ) proceedings. By default, anything filed as a Grand Jury case is automatically sealed and completely inaccessible to the public. This is troubling.

Support EFF’s Transparency Work

EFF has a long history of fighting for transparency by representing clients in litigation or filing public records requests for state and federal records. If you’d like to show your support for this lawsuit, please support our work and donate today.

We would like to thank Geoff M. Godfrey, Nathan D. Alexander, and David H. Tseng of Dorsey & Whitney LLP in Seattle for co-counseling with us in representing The Stranger.

Published November 20, 2017 at 09:35PM

EFF: Will Congress Bless Internet Fast Lanes?

Will Congress Bless Internet Fast Lanes?

As the Federal Communications Commission (FCC) gets ready to abandon a decade of progress on net neutrality, some in Congress are considering how new legislation could fill the gap and protect users from unfair ISP practices. Unfortunately, too many lawmakers seem to be embracing the idea that they should allow ISPs to create Internet “fast lanes” — also known as “paid prioritization,” one of the harmful practices that violates net neutrality. They are also looking to re-assign the job of protecting customers from ISP abuses to the Federal Trade Commission.

These are both bad ideas.  Let’s start with paid prioritization. In response to widespread public demand from across the political spectrum, the 2015 Open Internet Order expressly prohibited paid prioritization, along with other unfair practices like blocking and throttling. ISPs have operated under the threat or the reality of these prohibitions for at least a decade, and continue to be immensely profitable. But they’d like to make even more money by double-dipping: charging customers for access to the Internet, and then charging services for (better) access to customers. And some lawmakers seem keen to allow it.

That desire was all too evident in a recent hearing on the role of antitrust in defending net neutrality principles. Subcommittee Chairman Tom Marino gave a baffling defense of prioritization, suggesting that it’s necessary or even beneficial to users for ISPs to give preferential treatment to certain content sources. Rep. Marino said that users should be able to choose between a more expensive Internet experience and a cheaper one that prioritizes the ISP’s preferred content sources. He likened Internet service to groceries, implying that by disallowing paid prioritization, the Open Internet Order forced more casual Internet users to waste their money: “Families who just want the basics or are on a limited income aren’t forced to subsidize the preferences of shoppers with higher-end preferences.”

Rep. Darrell Issa took the grocery metaphor a step further, saying that paid prioritization is the modern-day equivalent of the practice of grocery stores selling prime placement to manufacturers: “Within Safeway, they’ve decided that each endcap is going to be sold to whoever is going to pay the most – Pepsi, Coke, whoever – that’s certainly a prioritization that’s paid for.”

That’s an absurd analogy. Unlike goods at a physical store, every bit of Internet traffic can get the best placement, and no one on a limited income is “subsidizing” their richer neighbors. When providers choose to slow down certain types of traffic, they’re not doing it because that traffic is somehow more burdensome; they’re doing it to push users toward the content and service the ISP favors (or has been paid to favor)—the very behavior the Open Internet Order was intended to prevent. ISPs become gatekeepers rather than conduits.

As ISPs and content companies have become increasingly intertwined, the dangers of ISPs giving preferential treatment to their own content sources—and locking out alternative sources—have become ever more pronounced. That’s why in 2016 the FCC launched a lengthy investigation into ISPs’ zero-rating practices and whether they violated the Open Internet Order. The FCC focused in particular on cases where an ISP has an obvious economic incentive to slow down competing content providers, as was the case with AT&T prioritizing its own DirecTV services. Some members of Congress fail to see the dangers to users of these “vertical integration” arrangements. Rep. Bob Goodlatte said in the hearing that “Blanket regulation… would deny consumers the potential benefits in cost savings and improved services that would result from vertical agreements.” But if zero-rating arrangements keep new edge providers from getting a fair playing field to compete for users’ attention, services won’t improve at all. Certainly, an entity with a monopoly could choose to turn every advantage into savings for its customers, but we know from history and common sense that monopolies gouge customers instead. It’s telling—and unfortunate—that one of Ajit Pai’s first actions as FCC Chairman was to shelve the Commission’s zero-rating investigation.

The other goal of the hearing was to consider whether to assign net neutrality enforcement power to the Federal Trade Commission instead of the FCC. This is a rehash of the long-standing argument that the best way to defend the Internet is to have ISPs publicly promise to behave. If they break that promise or undermine competition, the FTC can go after them.

Federal Trade Commissioner Terrell McSweeny correctly explained why that approach won’t cut it: “a framework that relies solely on backward-looking consumer protection and antitrust enforcement” just cannot “provide the same assurances to innovators and consumers as the forward-looking rules contained in the FCC’s open internet order.”

For example, as McSweeny noted, large ISPs have a huge incentive to unfairly prioritize certain content sources: their own bottom line. Every major ISP also offers streaming media services, and these ISPs naturally will want to direct users to those offerings. Antitrust law alone can’t stop these practices because the threat that paid prioritization poses isn’t to competition between ISPs; it’s to the users themselves.

If the FCC abandons its commitment to net neutrality, Congress can and should step in to put it back on course. That means enacting real, forward-looking legislation that embraces all of the bright-line rules, not just the ones ISPs don’t mind. And it means forcing the FCC to do its job, rather than handing it off to another agency that’s not well-positioned to do the work.

Published November 20, 2017 at 06:56PM

EFF: The FISA Amendments Reauthorization Act Restricts Congress, Not Surveillance

The FISA Amendments Reauthorization Act Restricts Congress, Not Surveillance

The FISA Amendments Reauthorization Act of 2017—legislation meant to extend government surveillance powers—squanders several opportunities for meaningful reform and, astonishingly, manages to push civil liberties backwards. The bill is a gift to the intelligence community, restricting surveillance reforms, not surveillance itself.

The bill (S. 2010) was introduced October 25 by Senate Select Committee on Intelligence Chairman Richard Burr (R-NC) as an attempt to reauthorize Section 702 of the FISA Amendments Act. That law authorizes surveillance that ensnares the communications of countless Americans, and it is the justification used by agencies like the FBI to search through those collected American communications without first obtaining a warrant. Section 702 will expire at the end of this year unless Congress reauthorizes it.

Other proposed legislation in the House and Senate has used Section 702’s sunset as a moment to move surveillance reform forward, demanding at least minor protections to how 702-collected American communications are accessed. In contrast, Senator Burr’s bill uses Section 702’s sunset as an opportunity to codify some of the intelligence community’s more contentious practices while also neglecting the refined conversations on surveillance happening in Congress today.

Here is a breakdown of the bill.

“About” Collection

Much of the FISA Amendments Reauthorization Act (the “Burr bill” for short) deals with a type of surveillance called “about” collection, a practice in which the NSA searches Internet traffic for any mentions of foreign intelligence surveillance targets. As an example, the NSA could search for mentions of a target’s email address. But the communications being searched do not have to be addressed to or from that email address; the communications would simply need to include the address in their text. This is not normal for communications surveillance.

Importantly, nothing in Section 702 today mentions or even hints at “about” collection, and it wasn’t until 2013 that we learned about it. A 2011 opinion from the Foreign Intelligence Surveillance Court—which provides judicial review for the Section 702 program—found this practice to be unconstitutional without strict post-collection rules to limit its retention and use.

Indeed, it is a practice the NSA ended in April precisely “to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target.”  Alarmingly, it is a practice the FISA Amendments Reauthorization Act defines expansively and provides guidelines for restarting.

According to the bill, should the Attorney General and the Director of National Intelligence decide that “about” collection needs to start up again, all they need to do is ask specified Congressional committees. Then, a 30-day clock begins ticking. It’s up to Congress to act before the clock stops.

In those 30 days, at least one committee—including the House Judiciary Committee, the House Permanent Select Committee on Intelligence, the Senate Judiciary Committee, and the Senate Select Committee on Intelligence—must draft, vote, and pass legislation that specifically disallows the continuation of “about” collection, working against the requests of the Attorney General and the Director of National Intelligence.

If Congress fails to pass such legislation in 30 days, “about” collection can restart.

The 30-day period has more restrictions. If legislation is referred to any House committee because of the committee’s oversight obligations, that committee must report the legislation to the House of Representatives within 10 legislative days. If the Senate moves legislation forward, “consideration of the qualifying legislation, and all amendments, debatable motions, and appeals in connection therewith, shall be limited to not more than 10 hours,” the bill says.

Limiting discussion on “about” collection to just 10 hours—when members of Congress have struggled with it for years—is reckless. It robs Congress of the ability to accurately debate a practice whose detractors even include the Foreign Intelligence Surveillance Court (FISC)—the judicial body that reviews and approves Section 702 surveillance.

Worse, the Burr bill includes a process to skirt legislative approval of “about” collection in emergencies. If Congress has not already disapproved “about” collection within the 30-day period, and if the Attorney General and the Director of National Intelligence determine that such “about” collection is necessary for an emergency, they can obtain approval from the FISC without Congress.

And if during the FISC approval process, Congress passes legislation preventing “about” collection—effectively creating both approval and disapproval from two separate bodies—the Burr bill provides no clarity on what happens next. Any Congressional efforts to protect American communications could be thrown aside.

These are restrictions on Congress, not surveillance—as well as an open invitation to restart “about” searching.

What Else is Wrong?

The Burr bill includes an 8-year sunset period, the longest period included in current Section 702 reauthorization bills. The USA Liberty Act—introduced in the House—sunsets in six years. The USA Rights Act—introduced in the Senate—sunsets in four.

The Burr bill also allows Section 702-collected data to be used in criminal proceedings against U.S. persons so long as the Attorney General determines that the crime involves a multitude of subjects. Those subjects include death, kidnapping, serious bodily injury, incapacitation or destruction of critical infrastructure, and human trafficking. The Attorney General can also determine that the crime involves “cybersecurity,” a vague term open to broad abuse.

The Attorney General’s determinations in these situations are not subject to judicial review.

The bill also includes a small number of reporting requirements for the FBI Director and the FISC. These are minor improvements that are greatly outweighed by the bill’s larger problems.

No Protections from Warrantless Searching of American Communications

The Burr bill fails to protect U.S. persons from warrantless searches of their communications by intelligence agencies like the FBI and CIA.

The NSA conducts surveillance on foreign individuals living outside the United States by collecting communications both sent to and from them. Often, U.S. persons are communicating with these individuals, and those communications are swept up by the NSA as well. Those communications are then stored in a massive database that can be searched by outside agencies like the FBI and CIA. These unconstitutional searches do not require a warrant and are called “backdoor” searches because they skirt U.S. persons’ Fourth Amendment rights.

The USA Liberty Act, which we have written extensively about, creates a warrant requirement when government agents look through Section 702-collected data for evidence of a crime, but not for searches for foreign intelligence. The USA Rights Act creates warrant requirements for all searches of American communications within Section 702-collected data, with “emergency situation” exemptions that require judicial oversight.

The Burr bill offers nothing.

No Whistleblower Protections

The Burr bill also fails to extend workplace retaliation protections to intelligence community contractors who report what they believe is illegal behavior within the workforce. This protection, while limited, is offered by the USA Liberty Act. The USA Rights Act takes a different approach, approving new, safe reporting channels for internal government whistleblowers.

What’s Next?

The Burr bill has already gone through markup in the Senate Select Committee on Intelligence. This means that it could be taken up for a floor vote by the Senate.

Your voice is paramount right now. As 2017 ends, Congress is slammed with packages on debt, spending, and disaster relief—all of which require votes in less than six weeks. To cut through the logjam, members of Congress could potentially attach the Burr bill to other legislation, robbing surveillance reform of its own vote. It’s a maneuver that Senator Burr himself, according to a Politico report, approves.

Just because this bill is ready, doesn’t mean it’s good. Far from it, actually.

We need your help to stop this surveillance extension bill. Please tell your Senators that the FISA Amendments Reauthorization Act of 2017 is unacceptable.

Tell them surveillance requires reform, not regression.  

Take action today.

Published November 18, 2017 at 12:16AM