EFF: Victory! Supreme Court Says Fourth Amendment Applies to Cell Phone Tracking

Victory! Supreme Court Says Fourth Amendment Applies to Cell Phone Tracking

The Supreme Court handed down a landmark opinion today in Carpenter v. United States, ruling 5-4 that the Fourth Amendment protects cell phone location information. In an opinion by Chief Justice Roberts, the Court recognized that location information, collected by cell providers like Sprint, AT&T, and Verizon, creates a “detailed chronicle of a person’s physical presence compiled every day, every moment over years.” As a result, police must now get a warrant before obtaining this data.

This is a major victory. Cell phones are essential to modern life, but the way that cell phones operate—by constantly connecting to cell towers to exchange data—makes it possible for cell providers to collect information on everywhere that each phone—and by extension, each phone’s owner—has been for years in the past. As the Court noted, not only does access to this kind of information allow the government to achieve “near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,” but, because phone companies collect it for every device, the “police need not even know in advance whether they want to follow a particular individual, or when.”

For years, the government has argued that the sensitive nature of this data doesn’t matter; the mere fact that it’s collected by phone companies makes it automatically devoid of constitutional protection.

This argument is based on an outdated legal principle called the “Third Party Doctrine,” which was developed by the Supreme Court in two main cases from the 1970s involving records of phone calls and bank transactions. Courts around the country had long been deeply divided on whether the Third Party Doctrine should apply to cell phone location information or whether the invasiveness of the tracking it enables should require a more privacy-protective rule.

…there is a “world of difference between the limited types of personal information addressed in” prior Supreme Court cases and “the exhaustive chronicle of location information casually collected by wireless carriers today.”

EFF has been involved in almost all of the significant past cases, and in Carpenter, EFF filed briefs both encouraging the court to take the case and urging it to reject the Third Party Doctrine. We noted that cell phone usage has exploded in the last 30 years, and with it, the technologies to locate users have gotten and continue to get ever more precise.

Thankfully, in Carpenter, Justice Roberts rejected the government’s reliance on the Third Party Doctrine, writing that there is a “world of difference between the limited types of personal information addressed in” prior Supreme Court cases and “the exhaustive chronicle of location information casually collected by wireless carriers today.” The Court also explained that cell phone location information “is not truly ‘shared’ as one normally understands the term,” particularly because a phone “logs a cell-site record by dint of its operation, without any affirmative act on the part of the user beyond powering up.”

We were pleased that the Court cited our amicus brief in its opinion and agreed with many of the points we raised. In particular, Justice Roberts noted that because cell phones generate a record of location information all the time and “because location information is continually logged for all of the 400 million devices in the United States—not just those belonging to persons who might happen to come under investigation—this newfound tracking capacity runs against everyone.” What’s more, cell phone tracking enables the government to compile an “exhaustive chronicle of location information” so that “unlike the nosy neighbor who keeps an eye on comings and goings, [phone carriers] are ever alert, and their memory is nearly infallible.”

As we pointed out, this means that the government can engage in long-term monitoring. In Carpenter, for example, the government obtained 127 days of the defendant’s cell phone records from MetroPCS—without a warrant—to try to place him at the locations of several armed robberies around Detroit. Other cases have involved even longer periods of time. In a footnote, the Supreme Court declined to reach the question of whether very short periods of tracking, less than the 7 days used at trial in Carpenter, might not be covered by the Fourth Amendment. We think the right rule is to require a warrant for any cell phone tracking, but that will have to wait for another day.

Perhaps the most significant part of today’s ruling for the future is its explicit recognition that individuals can maintain an expectation of privacy in information that they provide to third parties. The Court termed that a “rare” case, but it’s clear that other invasive surveillance technologies, particularly those than can track individuals through physical space, are now ripe for challenge in light of Carpenter. Expect to see much more litigation on this subject from EFF and our friends.

Published June 23, 2018 at 12:40AM
Read more on eff.org

Advertisements

EFF: Illinois Declines to Adopt Proposed Arbitrary Drone Surveillance of Protests

Illinois Declines to Adopt Proposed Arbitrary Drone Surveillance of Protests

Observers often forget that surveillance offends not only privacy, but also the right to dissent. A recently defeated Illinois bill illustrates how First and Fourth Amendment rights intersect, by proposing to undermine the right to dissent not obliquely, but rather directly. That’s why EFF joined the successful fight to defeat this spying proposal.
 
The proposal, promoted by the City of Chicago, was embodied in SB 2562 and its companion bill, HB 4405. Theywould have authorized police to use surveillance drones to monitor peaceful protests without first securing a judicial warrant. Had the measure been adopted, it would have permitted police to use facial recognition technology to identify individual demonstrators photographed by drones even absent any suspicion of wrongdoing.
 
The defeated proposal would have rolled back a well-received state law passed in 2013 that led the country in protecting dissent from drone surveillance, and which enjoyed overwhelming bipartisan support. Illinois’ 2013 law sharply limits law enforcement from using drones, generally requiring agencies to first obtain a judicial warrant based on probable cause to suspect that a crime has been committed.
 
Warrants are important. They serve the crucial function of preventing police fishing expeditions against political dissenters, andthe politicization of public safety measures to pursue personal vendettas. Moreover, they’re not a burden for police to secure. That makes a warrant requirement a reasonable (yet increasingly threatened) way to protect vital (and increasingly threatened) rights on which democracy depends.
 
In sharp contrast, the defeated 2018 measure would have authorized drone surveillance of any gathering of more than 100 people for “legitimate public safety purposes,” which expressly include “assessing public safety vulnerabilities or weaknesses…or identifying possible criminal activity.”
 
As explained by the International Human Rights Clinic at the University of Chicago Law School, “Police already have the power to use drones in response to dangerous situations. What this legislation adds — and which current law explicitly rejects — is the active, continuous, and suspicion-less surveillance by drone of anyone and everyone at an event.”
 
Karen Sheley, Director of the ACLU Police Practices Project, said, “This is too much unchecked power to give to the police – in Chicago or anywhere.” The Chicago Sun-Times agreed, noting: “Unwarranted snooping, as any Chicagoan who knows our city’s history can attest, could become a real danger.”
 
Ultimately, the proposed 2018 measure invited the kind of historically documented abuses and recurring problems that flourish behind a continuing wall of executive secrecy.
 
Incidentally, but of crucial relevance to state policymakers: President Trump is widely known for bearing petty grudges. The propensity of the President to pursue personal piques represents precisely why our Founders required warrants as a precondition to justify any police search: without review by an independent auditor, the executive branch is too prone to act arbitrarily. That’s why due process and access to justice are so important.
 
Beyond President Trump, even federal oversight bodies have been recently implicated in politicizing national security secrets. Closer to home, the Chicago Police Department (CPD) has also spied on political groups not only in the past, but also more recently.
 
Just two years ago, the CPD was caught spying for years on peaceful local dissenters including “union members, anti-Olympics protesters, anarchists, the Occupy movement, NATO demonstrators and critics of the Chinese government. And it has continued to [monitor them], according to…records….which the police department fought to withhold.”
 
Political grudges should not be enough to trigger surveillance by legal authorities.
 
Molly Armour, a Chicago attorney whose clients include grassroots activists facing police investigations based on their speech, explained that “Surveillance stifles dissent. And that’s dangerous for all of us.” And as explained by local activist Claude Walker in his letter to the editor:

“Giving City Hall or cops the right to dispatch drones to protests…without warrant – makes Red Squad tactics seem quaint….This technology has developed faster than our ability to use or regulate it….[L]awmakers should err on the side of privacy in drone laws.”

The “Red Squad” was the Chicago police unit that spied on political dissent for much of the Twentieth Century.
 
Fortunately, advocates of free speech and privacy defeated the 2018 proposal. While the Illinois House and Senate each approved a version of this bill, the state legislative session expired on May 31 without reconciling their conflicting versions.
 
Illinois has retained its leading protections of dissent from drone surveillance for this year, but this struggle will likely recur. Fortunately, local grassroots allies including Lucy Parsons Labs and the Chicago Committee to Defend the Bill of Rights—both of which are members of the Electronic Frontier Alliance—are monitoring the situation. If the City of Chicago persists in trying to undermine constitutional rights by seeking more expansive powers to spy on demonstrators using surveillance drones without any basis for suspicion, we look forward to responding by raising the alarm.

Published June 22, 2018 at 11:48PM
Read more on eff.org

EFF: Journalists and Digital Security: Some Thoughts on the NYT Leak Case

Journalists and Digital Security: Some Thoughts on the NYT Leak Case

The leak investigation involving a Senate staffer and a New York Times reporter raises significant issues about journalists, digital security, and the ability of journalists to protect confidential sources.

The New York Times recently revealed that the FBI had been investigating a former aide to the Senate Intelligence Committee, James Wolfe, for possibly leaking classified information to reporters. So far Wolfe has only been indicted for making false statements to investigators about his contacts with reporters.

The investigation appears to have been focused on how New York Times reporter Ali Watkins, when she worked for Buzzfeed News, learned that Russian spies had attempted to recruit a former advisor to President Trump, Carter Page.

Reading the New York Times article, three things jumped out at us.

First, according to the article, FBI agents “secretly seized years’ worth” of Watkins’ phone and email records. “Among the records seized were those associated with her university email address from her undergraduate years.” However, “Investigators did not obtain the content of the messages themselves.”

We read this to mean that the FBI obtained “metadata” such as to/from and date/time information for each call and email, probably using a subpoena or court order authorized by the Electronic Communications Privacy Act (ECPA)/Stored Communications Act (SCA).

Many digital security resources, including EFF’s own Security Self-Defense (SSD) guide, emphasize using end-to-end encryption. However, it’s important to understand that while encryption protects the contents of communications, encryption does not mask metadata. Thus, without listening to or reading the communications themselves, government agents can see who you talked to and when, and sometimes from what location.

Metadata can be extremely revealing. Just the fact that Wolfe denied talking to reporters, when the metadata showed otherwise, earned him criminal charges.

Unfortunately, completely masking communications metadata is nearly impossible. Creating a temporary email account through an anonymizing tool like Tor can make it more difficult to associate that account with a particular person. Features like Signal’s Disappearing Messages will automatically delete some metadata after a set period of time, making it harder for law enforcement to acquire it after the fact.

Second, the government obtained the contents of communications Wolfe had with reporters over encrypted messaging apps (apparently Signal and WhatsApp).

Our guess is that the FBI got a warrant for Wolfe’s phone and somehow accessed the apps—perhaps his phone wasn’t locked, agents had his password, or they used a forensic tool to bypass the lock screen and any device-based encryption. It’s also possible investigators found backups stored in the cloud or on a hard drive that contained the unencrypted messages. (This issue has also come up in the Mueller investigation.)

If this is what happened, then it’s important to understand that although end-to-end encryption thwarts interception of communications content, if that content is sitting unencrypted at an end point—that is, in an app or a backup—then anyone who has access to the journalist’s or suspected source’s phone or backup may be able see those messages. Therefore, deleting unencrypted messages is an added security precaution. Once again, Signal’s Disappearing Messages feature is an effective way to defend against future device searches.

Third, a non-technical question is: did the Justice Department follow its own news media regulations? These regulations have been around for four decades and were most recently revised in 2014 after the shocking revelation that President Obama’s Justice Department in 2013 seized two months’ worth of phone records for reporters and editors of the Associated Press.

Among other requirements, such as first exhausting other avenues of information, the regulations require Justice Department investigators to provide journalists with prior notice and an opportunity to negotiate before seizing their records. But this is not what happened—as the New York Times article explains, Watkins received a letter from the Justice Department only after her phone and email records had already been obtained.

It wouldn’t be surprising if it came to light that the Justice Department invoked the exception to the prior notice requirement: where “such negotiations would pose a clear and substantial threat to the integrity of the investigation, risk grave harm to national security, or present an imminent risk of death or serious bodily harm.” But these details have not been revealed.

The bottom line is that journalists shouldn’t expect to always be notified ahead of time. Accordingly, they should take as many precautions as possible—digital and otherwise—to protect their confidential sources.

In addition to EFF’s Security Self-Defense (SSD) guide, we published a digital privacy guide to crossing the U.S. border that journalists might find helpful, as journalists have been harassed at airports and border crossings. Other journalism groups have useful digital privacy and security guides, such as those from Freedom of the Press Foundation, the Committee to Protect Journalists, and Reporters Without Borders.

Finally, the seizure of Watkins’ phone and email records has once again highlighted the desperate need for a federal shield law so that the government can’t go after journalists—whether through their service providers or in court—to try to uncover their confidential sources. Vice President Mike Pence was a lead sponsor of the Free Flow of Information Act when he was in the House of Representatives.

We renew our call for Congress to pass a robust federal shield law to protect not only journalists and their confidential sources—but also the public’s right to know.

Published June 22, 2018 at 09:55PM
Read more on eff.org

EFF: Supreme Court Opens Door to Worldwide Patent Damages

Supreme Court Opens Door to Worldwide Patent Damages

The Supreme Court issued a disappointing opinion [PDF] today holding that a company could recover patent damages for lost profits overseas. The court’s reasoning could make overseas damages available in many patent cases. This will disadvantage companies that do research and development in the United States. When patent law discourages domestic innovation, it achieves the opposite of its intended purpose. 

The case, called WesternGeco LLC v. ION Geophysical Corp., involved a patent on a method of conducting marine seismic surveys. ION exported components that, when combined, were used to infringe the patent overseas. Under Section 271(f) of the Patent Act, exporting components of a patented invention for assembly abroad is considered infringement. WesternGeco received damages for the U.S. sales of the components. The court considered whether WesternGeco could also receive damages for lost profits for the use of the invention overseas.

Together with the R Street Institute, EFF filed an amicus brief [PDF] in the case explaining that worldwide damages are not consistent with the domestic focus of the patent act. Our brief, co-written with Professors Bernard Chao and Brian Love, provided an example of how such a ruling could harm U.S. innovation:

[C]onsider how such a regime might impact two hypothetical companies. Two companies, a domestic one A and a foreign one B, design and test semiconductor chips and contract with a foreign manufacturer to produce their designs. A patent owner claims that both companies’ testing processes infringe a patent, and demands damages for the manufactured chips on the theory that those chips’ manufacture and sale are proximately and factually caused by the infringing testing. [If the Court allows worldwide damages then] Company A could be liable for a reasonable royalty on its worldwide sales. In contrast, Company B would likely only be liable for royalties on its U.S. sales. This would effectively punish Company A for conducting research and development in the United States. 

Justices Gorsuch and Breyer broadly agreed with this reasoning. Indeed, Justice Gorsuch’s dissent includes a similar hypothetical and notes that it is a “very odd role for U. S. patent law to play in foreign markets.” Unfortunately, the other seven justices were unpersuaded. 

Most patent cases are brought under Section 271(a) of the Patent Act, which concerns infringement “within the United States.” As noted, today’s case considered a claim under Section 271(f), which concerns the export of components. It is tempting to hope that the court’s ruling will only apply to 271(f) cases. Unfortunately, the Supreme Court’s reasoning might result in patent owners arguing they deserve damages in all patent cases where domestic infringement supposedly causes harm overseas. In our view, that would be a terrible result. 

It may be that courts will apply proximate cause principles to find that overseas damages are not available for sales loosely linked to US research and development. We hope that damages will be not awarded in cases where there was U.S. research and development but the manufacture and sales occur overseas. If that became the norm, it would be a big disincentive to innovate within the United States.

Published June 22, 2018 at 09:37PM
Read more on eff.org

EFF: Happy Birthday Alice: Four Years Busting Software Patents

Happy Birthday Alice: Four Years Busting Software Patents

This week marks the fourth anniversary of the Supreme Court’s decision in Alice v. CLS Bank. In Alice, the court ruled that an abstract idea does not become eligible for a patent simply by being implemented on a generic computer. Now that four years have passed, we know the case’s impact: bad patents went down, and software innovation went up.

Lower courts have applied Alice to throw out a rogues’ gallery of abstract software patents. Counting both federal courts and the Patent Trial and Appeal Board, there are more than 400 decisions finding patent claims invalid under Alice. These include rulings invalidating patents on playing bingo on a computer, computerized meal plans, updating games, and many more. Some of these patents had been asserted by patent trolls dozens or even hundreds of times. A single ruling threw out 168 cases where a troll claimed that companies infringed a patent on the idea of storing and labeling information.

EFF’s Saved By Alice project collects stories of small businesses that used the Alice decision to defend themselves against attacks by entities asserting abstract software patents. Our series includes a photographer sued for running a website where users could vote for their favorite photo. Another post discusses a medical startup accused of infringing an extremely broad patent on telehealth. Without the Alice ruling, many of these small businesses could have been bankrupted by a patent suit.

Meanwhile, software innovation has thrived in the wake of Alice. R&D spending on software and Internet development shot up 27% in the year following the Supreme Court’s decision and has continued to grow at a rapid rate. Employment growth for software developers is also vastly outpacing growth in other sectors. At the end of 2017, PwC concluded that the “computer and software industries still shine in the R&D stakes, outperforming all other organizations in terms of billions spent.” A recent paper found evidence that the increase in software R&D was linked to the Alice decision.

Unfortunately, Alice is under threat both in Congress and the courts. The patent lobby—in the form of the Intellectual Property Owners Association and the American Intellectual Property Law Association—wants Congress to undo Alice through legislation. Two recent decisions from the Federal Circuit, in Berkheimer v. HP and Aatrix Software v. Green Shades Software, may make it more difficult for defendants to assert Alice early in litigation. We filed an amicus brief [PDF] in the Berkheimer case urging the Federal Circuit to reconsider, but the court recently denied that petition. These rulings could help patent trolls use the cost of defending a suit as leverage, even when the trolls are asserting patents that are invalid under Alice.

Opponents of the Alice decision ignore the post-Alice boom in software innovation. Instead, they complain that it has become harder to get certain business method and software patents. But the patent system exists for the constitutional purpose of promoting the progress of the useful arts—not to provide work for patent prosecutors and litigators. With software R&D accelerating ahead of all other sectors, there is no need to return to the pre-Alice world of “do-it-on-a-computer” patents.

Published June 22, 2018 at 06:20PM
Read more on eff.org

EFF: Border Spy Tech Shouldn’t Be a Requirement for a Path to Citizenship

Border Spy Tech Shouldn’t Be a Requirement for a Path to Citizenship

The Border Security and Immigration Reform Act (H.R. 6136), introduced before Congress last week, would offer immigrants a new path to citizenship in exchange for increased high tech government surveillance of citizens and immigrants alike. The bill calls for increased DNA and other biometric screening, updated automatic license plate readers, and expanded social media snooping. It also asks for 24 hours-a-day, five-days-a-week drone surveillance along the southern U.S. border.

This bill would give the U.S. Department of Homeland Security broad authority to spy on millions of individuals who live and work as far as 100 miles away from a U.S. border. It would enforce invasive biometric scans on innocent travelers, regardless of their citizenship or immigration status.

An Upcoming Vote

In mid-June, after months of stalled negotiations and failed legislative proposals, the Republican caucus of the House of Representatives agreed to a plan on immigration reform: Representatives would vote on two immigration bills.

Representatives smartly rejected one of those bills. The Securing America’s Future Act (H.R. 4760), which EFF opposed, failed in a 193-231 vote. That bill took a hardline stance on immigration and proposed the increased use of invasive surveillance technologies including biometric screening, social media monitoring, automatic license plate readers, and drones.

A vote is expected soon on the second bill: the Border Security and Immigration Reform Act. It would give children who came to this country without documentation—known as “Dreamers”—a path to citizenship. Unfortunately, this bill includes nearly the same bad border surveillance provisions as the bill that failed Thursday.

Given the grave impact this bill would have on individual privacy and rights, we urge Congress to vote the same way as it did Thursday and reject the Border Security and Immigration Reform Act.

More Surveillance Technologies and Drone Flights

The Border Security and Immigration Reform Act would fund multiple surveillance technologies across the United States. Near Detroit, for example, the bill calls for “mobile vehicle-mounted and man-portable surveillance capabilities” for U.S. Customers and Border Protection (CBP) agents. In Washington, the bill similarly calls for “advanced unattended surveillance sensors” and “ultralight aircraft detection capabilities.”

The bill also requires that CBP’s Air and Marine operations fly unmanned drones “on the southern border of the United States for not less than 24 hours per day for five days per week.”

This type of increased drone surveillance was proposed in H.R. 4760. As we previously wrote:

“Drones can capture personal information, including faces and license plates, from all of the people on the ground within the range and sightlines of a drone. Drones can do so secretly, thoroughly, inexpensively, and at great distances. Millions of U.S. citizens and immigrants live close to the U.S. border, and deployment of drones at the U.S. border will invariably capture personal information from vast numbers of innocent people.”

Similar to H.R. 4760, the Border Security and Immigration Reform Act includes no meaningful limitations on the drones’ flight paths, or the collection, storage, and sharing of captured data. The bill could lead to deep invasions into innocent bystanders’ lives, revealing their private information and whereabouts.

More Biometric Screening

The Border Security and Immigration Reform Act also proposes the establishment of a “biometric exit data system” that would require everyone leaving the country—immigrant or citizen—to have their biometric data screened against government biometric databases.

Relatedly, the bill would authorize the CBP Commissioner, “to the greatest extent practicable,” to use facial recognition scanning to inspect citizens traveling to the U.S. from nearly 40 visa waiver program countries, which include Japan, New Zealand, Australia, France, Germany, Italy, and Taiwan.

Further, the bill authorizes the Secretary of Homeland Security to “make every effort to collect biometric data using multiple modes of biometrics.” That means that fingerprints, facial recognition data, and iris scans could all be up for grabs in the future, so long as the Secretary of Homeland Security deems it necessary.

These proposals are similar to those included in H.R. 4760. They are worrying for the very same reasons:

“Biometric screening is a unique threat to our privacy: it is easy for other people to capture our biometrics, and once this happens, it is hard for us to do anything about it. Once the government collects our biometrics, data thieves might steal it, government employees might misuse it, and policy makers might deploy it to new government programs. Also, facial recognition has significant accuracy problems, especially for people of color.”

More Social Media Snooping on Visa Applicants

The Border Security and Immigration Reform bill also borrows the same deeply-flawed social media monitoring practices as those included in H.R. 4760.

The Border Security and Immigration Reform bill would authorize the Department of Homeland Security to look through the social media accounts of visa applicants from so-called “high-risk countries.” As we said about the proposal in H.R. 4760:

„This would codify and expand existing DHS and State Department programs of screening the social media of certain visa applicants. EFF opposes these programs. Congress should end them. They threaten the digital privacy and freedom of expression of innocent foreign travelers, and the many U.S. citizens and lawful permanent residents who communicate with them. The government permanently stores this captured social media information in a record system known as ‚Alien Files.'“

And similar to H.R. 4760, the Border Security and Immigration Act authorizes the Secretary of Homeland Security to use literally any criteria they find appropriate to determine what countries classify as “high-risk.” This broad authority would allow the Secretary of Homeland Security to target Muslim-majority nations for social media collection.

No Compromising on Civil Liberties

As Congress weighs different factors in the ongoing immigration debate, we urge them to look closely at the expanded high-tech surveillance provisions in this proposed package. This bill would undermine the privacy of countless law-abiding Americans and visitors, regardless of citizenship. So, we urge a “no” vote.

Published June 22, 2018 at 04:52AM
Read more on eff.org

EFF: This Wednesday, an EU committee voted to break the Internet: this Sunday, Berliners take to the streets to say NO!

This Wednesday, an EU committee voted to break the Internet: this Sunday, Berliners take to the streets to say NO!

On Wednesday, the Legislative Committee of the European Union narrowly voted to keep the two most controversial internet censorship and surveillance proposals in European history in the upcoming revision to the Copyright Directive — as soon as July Fourth, the whole European Parliament could vote to make this the law of 28 EU member-states.

The two proposals were Article 11 (the link tax), which bans linking to news articles without paying for a license from each news-site you want to link to; and Article 13 (the copyright filters), requiring that everything that Europeans post be checked first for potential copyright infringements and censored if an algorithm decides that your expression might breach someone’s copyright.

These proposals were voted through even though experts agree that they will be catastrophic for free speech and competition, raising the table-stakes for new internet companies by hundreds of millions of euros, meaning that the US-based Big Tech giants will enjoy permanent rule over the European internet. Not only did the UN’s special rapporteur on freedom of expression publicly condemn the proposal; so did more than 70 of the internet’s leading luminaries, including the co-creators of the World Wide Web, Wikipedia, and TCP.

We have mere days to head this off: the German Pirate Party has called for protests in Berlin this Sunday, June 24 at 11:45h outside European House Unter den Linden 78, 10117 Berlin. They’ll march on the headquarters of Axel-Springer, a publisher that lobbied relentlessly for these proposals.

If you use the Internet to communicate, organize, and educate it’s time to speak out. Show up, stand up, because the Internet needs you!

Published June 22, 2018 at 01:14AM
Read more on eff.org

EFF: Corruption at the Assembly Committee Gutted California’s Net Neutrality

Corruption at the Assembly Committee Gutted California’s Net Neutrality

In the morning before S.B. 822 was to get its first hearing in front of a California Assembly committee before the cameras were on to catch it, the Chair of the Assembly Committee on Communications and Conveyance introduced and got a vote on amendments that substantially weakened the net neutrality provisions of S.B. 822. EFF received word that was his intent and we were disappointed he would carry out such a bait and switch on behalf of AT&T and Comcast.

Chair Miguel Santiago, along with seven other Assembly members both Republican and Democratic voted for those amendments. Amendments proposed at 10 pm the night before the hearing. And voted on before the bill was heard and before the bill’s author, State Sen. Scott Wiener, could argue against them. Or before the witnesses and Wiener could argue for the bill as written.

This comes after the committee chair refused a move to join S.B. 822 and S.B. 460 so that there was a single net neutrality package rather than two bills. That proposal was rejected in favor of new amendments that stripped net neutrality protections right out including provisions that banned discriminatory zero rating that hurt low income Internet users.

Assemblymembers Quirk-Silva, Kamalger Dove, Holden, and Low were abstained or absent while the remaining Democratic and Republican Assembly Members joined together to vote in hostile amendments that gutted a whole array of consumer protections of the bill.

Here are just some of the things they green-lighted with their amendment:

  • AT&T can continue to violate net neutrality under its zero rating program and will have even more power to discriminate over the internet with its ownership of Time Warner.
  • Comcast can create arbitrary charges on all websites and services simply for the privilege of connecting to Comcast customers. A practice that has been banned under federal law for years.
  • Comcast will be free to engage in past abuses over the interconnection market that resulted in consumer access to video services being slowed down arbitrarily in exchange for extortion fees.

 The result is, no matter what, not net neutrality.

Giant ISPs like AT&T and Comcast have worked overtime to defeat this bill, including donating a lot of money. Between the money, the disingenuous arguments of the telecoms, and the manipulated process that forced the hostile amendments into the bill, what happened this week shows just what giant corporations can accomplish with willing legislators. But that does not mean the net neutrality battle is over in California. Everyone, including Californians, deserves access to a free and open Internet. As the bill moves forward EFF will continue to support the work of Senator Scott Wiener who has vowed to fight on.

Published June 20, 2018 at 10:46PM
Read more on eff.org

EFF: Victory: California Overhauls Police Database Oversight Procedures in Wake of EFF Investigations

Victory: California Overhauls Police Database Oversight Procedures in Wake of EFF Investigations

New Data Shows Law Enforcement Abused Network 143 Times in 2017

San Francisco – Responding to years of investigations and pressure from the Electronic Frontier Foundation (EFF), the California Attorney General’s Office has overhauled and improved its oversight of law enforcement access to a computer network containing the sensitive personal data of millions of state residents, which police abused 143 times in 2017.

The new policies and data will be presented at a regular oversight meeting on Thursday, June 21, 2018 at the Folsom City Council Chambers.

EFF has been investigating abuse of the California Law Enforcement Telecommunication System (CLETS)—the computer network that connects criminal record and DMV data with local and federal agencies across the state—since 2015. Law enforcement personnel access this data more than 2.8 million times daily.

EFF’s research found that misuse of this system was rampant. Examples include officers accessing confidential data for domestic disputes and running background checks on online dates. One particularly egregious case involved an officer who allegedly planned to hand sensitive information on witnesses to the family member of a convicted murderer.

Not only did the Attorney General’s CLETS Advisory Committee fail to hold these agencies accountable, in many cases it failed to enforce requirements that agencies disclose misuse investigations at all. As a result, the Attorney General has not maintained reliable data on misuse.

Earlier this month, the Attorney General’s office began implementing several changes to their oversight of law enforcement agencies, including stiffer penalties when agencies fail to report misuse. The agency also directed a team to bring several hundred delinquent agencies into compliance with misuse disclosure requirements.

“Accountability starts with good data, and so it’s a great start for the Attorney General’s office to give better instructions to law enforcement agencies and to use the enforcement mechanism to ensure disclosure of database abuse,” EFF Senior Investigative Researcher Dave Maass said. “But this should only be the first step. We will be watching closely to see if the Attorney General actually follows through on his threats to sanction agencies who sweep CLETS abuse under the carpet.”

EFF hopes that accurate data on misuse of CLETS will lead to investigations and accountability for any agency that fails to adequately protect people’s privacy. In addition, EFF is calling on the California Attorney General’s office to tighten its scrutiny of federal agencies, including the Department of Homeland Security, to ensure that they not abusing CLETS for immigration enforcement.

“The California Attorney General is finally taking police database abuse seriously,” EFF Staff Attorney Aaron Mackey said. “It’s great that we will finally have good aggregate data on misuse. Now law enforcement needs to follow up on any improper behavior with thorough investigations.”

For deeper analysis and links to the records:
https://www.eff.org/deeplinks/2018/06/clets-misuse-2017

Contact: 
Dave
Maass
Senior Investigative Researcher
Aaron
Mackey
Staff Attorney

Published June 20, 2018 at 09:04PM
Read more on eff.org

EFF: The California Attorney General’s Office Says It’s Finally Taking Database Abuse Seriously—But Time Will Tell

The California Attorney General’s Office Says It’s Finally Taking Database Abuse Seriously—But Time Will Tell

In 2017, 22 law enforcement employees across California lost or left their jobs after abusing the computer network that grants police access to criminal histories and drivers‘ records, according to new data compiled by the California Attorney General’s office. The records obtained by EFF show a total of 143 violations of database rules—the equivalent of an invasion of privacy every two and half days. 

These numbers represent the first comprehensive accounting of misuse of the California Law Enforcement Telecommunications System (CLETS). While the acronym is not well known by the public, everyone with a driver’s license or criminal record has information accessible through CLETS. Police and other public safety employees access this sensitive information approximately 2.8 million times a day during the regular course of business.

For the last three years, EFF has exposed widespread misuse of CLETS, raising alarms about oversight deficiencies in the Attorney General’s office and its CLETS Advisory Committee. Among our findings: the Attorney General had lapsed in enforcing requirements that agencies who subscribe to CLETS report annually how may times they investigated misuse and what the outcomes were of the investigations. 

In response to EFF’s concerns, the Attorney General’s office issued new rules and cracked down on agencies that failed to report their misuse.

“The California Department of Justice, in response to increasingly low submissions of misuse reporting by subscribing agencies, will be instituting changes to reporting to achieve 100 percent reporting of CLETS misuse,” California Justice Information Services Division Chief Joe Dominic wrote in a directive submitted to more than 1,200 law enforcement agencies. “The DOJ considers the failure to report CLETS misuse a serious matter and will proactively enforce this requirement.”

 In 2017, only 704 agencies disclosed these records—approximately 53% compliance. Following an overhaul of the oversight system, in 2018 the Attorney General gathered information from 1,285 agencies—98 percent compliance.

COUNTY (ALL AGENCIES) 2017 MISUSE VIOLATIONS RESIGNATIONS AND TERMINATIONS
LOS ANGELES 28 4
SACRAMENTO 16 3
KINGS 14 0
RIVERSIDE 14 5
SAN DIEGO 11 3
ORANGE 8 4
TULARE 6 1
FRESNO 5 0
SANTA CLARA 5 1
KERN 4 0
SAN BERNARDINO 4 0
NEVADA 3 0
SAN FRANCISCO 3 0
ALAMEDA 2 0
MODOC 2 0
SAN MATEO 2 0
SUTTER 2 0
VENTURA 2 0
YOLO 2 0
BUTTE 1 0
COLUSA 1 0
IMPERIAL 1 0
LAKE 1 0
LASSEN 1 0
NAPA 1 0
SAN JOAQUIN 1 0
SANTA CRUZ 1 0
SHASTA 1 0
SOLANO 1 1

While specific information about the nature of the violations is not recorded, the Attorney General has outlined a variety of behaviors that would qualify as misuse. These include querying the database for personal reasons, searching data on celebrities, sharing passwords or access, providing information to unauthorized third parties, and researching a firearm the officer intends to purchase.

CADOJ also updated its rules around accessing CLETS, known as “Policies, Practices and Procedures” manual, which warns agencies that failure to report misuse will be “subject to sanctions, up to and including, removal of CLETS service.” In addition, CADOJ will now require agencies who initially report the outcome of a misuse investigation as “pending” to update CADOJ when the investigation is completed. The PPP also now clearly states that any violation of CLETS policies will face discipline, including suspension or termination, and potential criminal prosecution.

According to the misuse data, law enforcement agencies reported that the 143 misuse cases resulted in 9 terminations, 13 resignations, and 18 suspensions. Four cases rose to the level of charge for misdemeanors or infractions. Unfortunately, 53 violations resulted in no action being taken at all. 

Notable among the records is the Los Angeles Police Department, which had failed to file misuse reports year after year with impunity. In 2017, LAPD reported three investigations, two of which resulted in no action being taken, while a third resulted in the suspension and resignation of an employee.

The special investigation unit in the Kings County Human Services Agency—which is charged with protecting at-risk families—raked up the most misuses: 13 cases in which the result was not disclosed. The Los Angeles County Sheriff’s Office reported 6 misuses cases, all of which resulted in suspensions. The Riverside County Sheriff’s Department also saw four resignations in the wake of misuse investigations. 

EFF applauds the Attorney General and the California Department of Justice officials who pushed law enforcement agencies to finally report misuse. We appreciate their hard work in ensuring the data is as complete as possible and that agencies are given clear instructions on how to report misuse. 

At the same time, it’s unclear whether the Attorney General or the CLETS Advisory Committee will follow up on the reports of widespread misuse in particular agencies or discipline those involved. Now that they have data, EFF urges these bodies to independently investigate these cases and hold public hearings on their findings. In addition, EFF urges the Attorney General to independently investigate access to CLETS by federal agencies to ensure they are not violating state law by accessing non-criminal records for immigration enforcement.

EFF is releasing the Attorney General’s spreadsheet of misuse and the misuse reporting forms for more than 1,200 agencies. Local news organizations may find untold stories about police misconduct in this data, and we urge reporters to call these law enforcement agencies to find out more about the nature of this misconduct.

CLETS Misuse Reporting Data (XLSX)

CLETS Misuse Reporting Forms (DocumentCloud)

CLETS Misuse Reporting Forms Bookmarked by County (Document-Cloud 150mb PDF)

Note: DocumentCloud links are subject to that organization’s Privacy Policy

Published June 20, 2018 at 09:03PM
Read more on eff.org