On Charlie Rose last night, President Obama gave his most detailed defense of the NSA surveillance programs since a FISA court order demanding that Verizon hand over phone records information on all its US customers leaked to the Guardian two weeks ago. In a key portion of the interview, he talked about the secret FISA court that, under the auspices of the PATRIOT Act and FISA Amendments Act, has been approving the NSA’s sweeping surveillance requests. Curiously, President Obama referred to these secret courts as “transparent”:

Charlie Rose: But has FISA court turned down any request?

Barack Obama: The — because — the — first of all, Charlie, the number of requests are surprisingly small… number one. Number two, folks don’t go with a query unless they’ve got a pretty good suspicion.

Charlie Rose: Should this be transparent in some way?

Barack Obama: It is transparent. That’s why we set up the FISA court….

The FISA court, by its nature, is the opposite of transparent. In fact, it’s hard to imagine how the FISA court could be more secretive.

Let’s start with the court building itself. After the FISA Amendments Act passed in 2008, which greatly expanded the government abilities to make broad surveillance requests, the court was remodeled. The Washington Post reported at the time about secrecy measures in place to make sure the public did not find out what the court was up to:

First, the workers encased the room in reinforced concrete. Then came the thick wood-and-metal doors that seal into the walls. Behind those walls they labored in secret for two years, building a courtroom, judge's chambers and clerk's offices. The only sign that they were done came recently, when biometric hand scanners and green "Restricted Access" placards were placed at the entrances.

What workers have finally completed—or perhaps not; few really know, and none would say—is the nation's most secure courtroom for its most secretive court.

The decisions by the court, far from being transparent, are some “of the most highly classified documents inside the U.S. government,” as The Daily Beast reported today.  The Daily Beast described the ultra-secretive process for those companies who receive the orders, and the senators who want to provide oversight to the court.

Those who receive [FISA orders]—the first of its kind to be publicly disclosed—are not allowed “to disclose to any other person” except to carry out its terms or receive legal advice about it, and any person seeing it for those reasons is also legally bound not to disclose the order. The officials say phone companies like Verizon are not allowed to store a digital copy of the [FISA orders]...

Even lawmakers and staff lawyers on the House and Senate intelligence committees can only view the [FISA orders] in the presence of Justice Department attorneys, and are prohibited from taking notes on the documents.

For years now, EFF has been trying to get one of these FISA opinions declassified. Last year, the Director for National Intelligence publicly admitted that “on at least one occasion” the FISA court has ruled the NSA’s collection of domestic communications violated the Fourth Amendment, yet refused to release any other information about it.

We’ve filed a Freedom of Information Act lawsuit to have the opinion released, but as EFF’s Mark Rumold described in detail, it was extremely difficult for EFF to even file a brief in the FISA court. The government’s Kafkaesque secrecy arguments, which they used in an attempt to prevent the opinion’s release, really have to be read to be believed.

Thankfully, the FISA court ruled last week that there was nothing barring the decision from being subject to the Freedom of Information Act, and the district court will now rule on how much of the opinion should be released to the public. To give one an idea about how secretive the court is, EFF’s motion was the first to be placed on the court’s online public docket and the first (known) win by a non-government party in the court’s history.

Today, Google commendably filed a challenge to FISA gag orders in the FISA court  as well, citing their First Amendment right to tell the public a general number of how many users are affected by FISA court orders. We hope other companies follow suit. In Google’s motion to the court, they wrote, "Transparency is critical to advancing public debate in a thoughtful and democratic manner."

We couldn’t agree more. Once upon a time, the President did too. Twice, once in 2010 and again in 2011, the Obama administration promised to declassify significant FISA court rulings. They still have not done so. If President Obama wants the FISA courts to be more transparent, he can act today.    

Related Issues: NSA Spying
Share this:   ||  Join EFF

In the week since we launched, the stopwatching.us campaign has gathered over 215,000 signatures from individuals opposed to NSA surveillance. And we’ve made huge waves in the media with a coalition of companies and organization that the Atlantic called "perhaps the most diverse collection of groups in the modern history of American politics."

But we’re not done yet. Today, we’re launching a campaign to call members of Congress. We're asking everyone concerned about their privacy to call Congress today and throughout the rest of the week.

We need you to make a quick call to ask your elected officials to investigate surveillance practices of the NSA and stop the illegal spying. A call will take you from 2 to 4 minutes— and it can send a huge message to Congress.

We’re teaming up with our friends from Fight for the Future to make it easy for you to demand reform. Here are two ways you can speak out (note, if you are outside of the United States you should go here to take our international alert).

1. Dial 1-STOP-323-NSA (1-786-732-3672). The automated system will connect you to your legislators. Urge them to provide public transparency about NSA spying and stop warrantless wiretapping on the communications of millions of ordinary Americans. Visit CallDay.org for more info.
2. Visit the EFF action center. We will look up the phone number of your elected officials. Call them and tell them you oppose NSA’s spying programs.

Phone calls can make a huge difference in Washington: we saw scores of lawmakers change positions in response to the call-in campaigns we organized during the SOPA fight. Let’s repeat that victory by driving tons of phone calls to Congress today to stop NSA spying.

Thanks for helping us fight back against NSA spying. If you’d like to support our efforts to beat back invasive government surveillance, please become a member of EFF. We wouldn’t exist without members like you.

Important notes about your privacy: we’ve required that the automated tools above promise to protect your privacy by insisting that your phone number be used for this campaign and nothing else unless you request additional contact. If you don’t want your information processed by the automatic calling tools, use the EFF page to get a phone number and call directly. Learn more by visiting the privacy policies of Fight for the Future and Twilio.

Related Issues: NSA Spying
Share this:   ||  Join EFF

In a letter sent today to the United States Congress, an international coalition of non-profit organizations called upon the U.S. government to protect the privacy and freedoms of not only its citizens, but of people everywhere. As news of the alarmingly broad reach and scope of America’s surveillance program reverberates around the globe, now is the  time for the United States to pass formal privacy safeguards to protect the billions of foreign Internet users whose communications are stored in U.S. servers or whose data travels across U.S. networks.

EFF joined more than 50 NGOs—including European Digital Rights, Association For Progressive Communications, Access Now, WebWeWant Foundation, Center for Technology and Society (Brazil) and Thai Netizen Network—in signing the letter, which was organized through Best Bits, a global network of civil society organizations.  In its letter, the coalition also expressed grave concern over information-sharing between U.S. authorities and the United Kingdom, the Netherlands, Canada, Belgium and New Zealand.

If the United States is allowing its security services to collect vast amounts of data on the citizens of its allies, and is handing over that data freely over to their allies’ security services, any privacy protection foreigners might have under their own domestic surveillance law is completely undermined. And we still don't know what information the U.S. government might receive in return. “The extension of surveillance powers beyond territorial borders" is an alarming global trend that would increase the “risk of cooperative agreements between State law enforcement and security agencies to enable the evasion of domestic legal restrictions,” wrote the UN Special Rapporteur on Freedom of Expression and Opinion, Frank La Rue, in a recent report to the UN Human Rights Council.

As we have previously noted, while the U.S. government has long maintained that foreigners who use U.S.-based internet services are fair game for surveillance, these dragnet measures present unprecedented privacy risks to international web users who rely on cloud services.  The group calls for the U.S. government to allow companies to release further and more specific information about Foreign Intelligence Surveillance Act (FISA) requests, establish stronger whistleblower protections and create an investigative panel with subpoena power to investigate the current state of surveillance in the U.S.

Human rights include the right to privacy, and those rights are universal and inalienable, indivisible, interdependent and interrelated. Everyone is entitled to them, regardless of where they live, gender, race or religion. The universality of human rights is encompassed in Article 1 of the Universal Declaration of Human Rights: “All human beings are born free and equal in dignity and rights.” The pervasiveness of U.S. surveillance on people who are not “U.S. persons” makes standing up for these rights more important than ever. Read the coalition letter here.

Related Issues: InternationalState Surveillance & Human RightsPrivacyNSA Spying
Share this:   ||  Join EFF

As news websites around the globe are publishing story after story about dragnet surveillance, these news sites all have one thing in common: when you visit these websites, your personal information is broadcast to dozens of companies, many of which have the ability to track your surfing habits, and many of which are subject to government data requests.

How Does This Happen?

When you load a webpage in your browser, the page normally includes many elements that get loaded separately, like images, fonts, CSS files, and javascript files. These files can be, and often are, loaded from different domain names hosted by different companies. For example, if a website has a Facebook Like button on it, your browser loads javascript and images from Facebook's server to display that Like button, even if the website you're visiting has nothing to do with Facebook.

Why Does This Matter?

Each time your browser makes a request it sends the following information with it:

• Your IP address and the exact time of the request
• User-Agent string: which normally contains the web browser you're using, your browser's version, your operating system, processor information (32-bit, 64-bit), language settings, and other data
• Referrer: the URL of the website you're coming from—in the case of the Facebook Like button example, your browser tells Facebook which website you're viewing
• Other HTTP headers which contain potentially identifying information
• Sometimes tracking cookies

Every company has different practices, but they generally log some or all of this information, perhaps indefinitely.

It takes very little information about your web browser to build a unique fingerprint of it. See EFF's Panopticlick website to see how unique and trackable your web browser is even without the use of tracking cookies. You can read more in our Primer on Information Theory and Privacy.

Who is Using Third Party Resources?

Here are some examples of prominent news websites that have been reporting on surveillance issues and which domain names they load third party resources from as of June 2013:

The Guardian, which is hosted at guardian.co.uk and was the first to publish about the recent NSA spying leaks, loads scripts from:

guim.co.uk ajax.googleapis.com criteo.com amazonaws.com optimizely.com facebook.com twitter.com google.com quantserve.com wunderloop.net outbrain.com chartbeat.com

The Washington Post, which is hosted at www.washingtonpost.com and was published the first story about PRISM alongside the Guardian, loads scripts from:

troveread.com wpdigital.net doubleclick.net criteo.com omtrdc.net theroot.com slate.com expressnightout.com trove.com ooyala.com adsonar.com mathtag.com spotxchange.com bloomberg.com revsci.net scorecardresearch.com chartbeat.com twitter.com cloudfront.net

The New York Times, which is hosted at nytimes.com, loads scripts from:

nyt.com doubleclick.net krxd.net moatads.com googlesyndication.com typekit.com revsci.net scorecardresearch.com imrworldwide.com chartbeat.com

The Wall Street Journal, which is hosted at online.wsj.com, loads scripts from:

wsj.net msn.com axf8.net peer39.net typekit.net llnwd.net imrworldwide.com facebook.net dowjoneson.com akamai.net doubleclick.net chartbeat.com bluekai.com

All of these websites, by loading third party resources from servers controlled by major providers like Facebook, Google, and others, are sending information about their visitors to companies subject to US government data requests. While these news companies themselves could directly recieve requests for this data, the fact that they voluntarily send this data to the same small, centralized group of third parties makes these third parties convenient and attractive targets to collect visitor information from vast swaths of the web. Once a website sends data to a third party, it no longer has the power to stand up for its users against unconstitutional government requests for that data.

These news websites are not alone. Other websites that send information about all of their visitors to large companies that are subject to US government data requests include CNN, Huffington Post, MSNBC, BBC, Al Jazeera, BoingBoing, Slashdot, WordPress.com, Occupy Wall Street, Internet Defense League, and hundreds of thousands of others.

These sites are for the most part not actively attempting to diminish the privacy of their users. Rather, there are several factors that converge that make it commonplace to include third party resources. First, services like Google Analytics are very popular and provide an easy way to do analytics. Second, it's commonly considered a good practice for websites to include jQuery and load webfonts from servers run by Google, since these will load fast and reduce the burden on your servers. Finally, including Facebook Like buttons and other social media widgets on your website is one of the best ways to gain social media traction.

It's time for these "best practices" to change, so we can avoid giving the government a one-stop shop for your data.  In a future blog post we'll discuss ways that web developers and companies can mitigate privacy risks related to third party resources from their websites.

In contrast to the websites listed above, when you visit eff.org, your browser doesn't make any requests to any third parties. We've long been aware of the privacy dangers inherent in loading third party resources, and our privacy policy states:

We do occasionally allow our website to interact with other services, like social networking, mapping, and video hosting websites. It is our policy not to include third-party resources when users initially load our web pages, but we may dynamically include them later after giving the user a chance to opt-in. If you believe a third-party resource is automatically loading, please let us know so we can address it.

The Importance of a Strong Do Not Track Standard

Given the proliferation of information flowing to third parties, it is critical that we develop a strong Do Not Track (DNT) standard that forbids third parties from collecting and retaining information derived from a user's visit to a website once that user has enabled DNT in her browser. Unfortunately, the W3C Tracking Protection Working Group is working on a standard that is far too watered down, and hence unlikely to offer real privacy protections to users. This leaves users exposed to data collection not only by the companies themselves, but also by the NSA and other agencies who might seek to obtain the information from these third parties. We very much hope that in the next month or so before the working group winds down, we arrive at a strong Do Not Track standard that helps to protect users from this type of abuse.

What Can Users Do?

But users need not wait for Do Not Track or any standard. A good start to protecting yourself from ubiquitous web tracking is to do these 4 Simple Changes to Stop Online Tracking.

If you really want to be in control of exactly which third party requests your browser makes, use RequestPolicy for Firefox. It's a browser extension that blocks all third party resources by default, and then lets you choose which resources you want your browser to load for which websites. But be warned, the problem with third party resources is so prevalent that RequestPolicy will break the layout and functionality of almost every single site until you allow specific third party requests for those sites.

It's unfortunate that protecting privacy on the web requires determined users that are willing to be inconvenienced for privacy. We need to work towards a long-term technical ecosystem that will better protect the privacy of who visits what websites. We also need strong privacy laws that protect user data from unconstitutional surveillance, and the transparency necessary to ensure these laws cannot be bypassed in secret.

Please join our fight against NSA spying.

Related Issues: Mass Surveillance TechnologiesPrivacyDo Not TrackNSA Spying
Share this:   ||  Join EFF

It's time to rethink copyright law, say the U.S. Register of Copyrights and the chairman of the U.S. House Judiciary Committee. Hearings, speeches, and lots of quiet maneuvering have begun to shape "the next great copyright act."  Last week, Motion Picture Association of America president, former senator Chris Dodd, laid out his vision for copyright in a speech to the L.A. Copyright Society and an op-ed in the Huffington Post. Invoking the U.S. Constitution and the Founders as allies for Hollywood's cause, he dropped some hints about the positions that MPAA might take in the upcoming months and years.  If those statements are any guide, we’re going to have some misinformation to sort through.  Here’s a reality check.

Don't Be So Sure You've Got The Founders On Your Side

Dodd claims that copyright as we know it is what "the founders of this republic intended." Hardly. The first copyright act in the U.S, passed in 1790 by some of the same people who helped write the Constitution and the Bill of Rights, was very limited. It covered only books, maps, and charts - not music, theater, pamphlets, newspapers, sculpture, or any other 18th-century creative medium.  The Founders' copyrights lasted 14 years, with an option to renew for another 14.  Today, of course, copyright covers nearly all written, visual, sculptural, architectural, and performing art, not to mention computer software and games, and it lasts for the author's life plus 70 years.  We suspect that if anyone had described today’s copyright system to, say, Thomas Jefferson, he would have been shocked.  By all means, let’s look at how the Founders thought copyright should work, as one guidepost for fixing today’s law.

Sometimes Copyright Hinders Free Speech, And Denying the Conflict Doesn't Make It Go Away

Dodd told a gathering of entertainment industry lawyers "it bears repeating that copyright encourages free expression – it does not hinder it."  He seems to believe that because copyright helps some artists and authors earn income from their expression, copyright and free expression are never in conflict. Of course that's ridiculous. Practically weekly, people use copyright law, and laws like the Digital Millennium Copyright Act, to suppress and chill free speech. They silence critics with copyright takedowns. They make blogs disappear from the Internet based on nothing more than allegations of infringement. They threaten university researchers with crippling lawsuits for delivering papers on computer security.  That’s why any discussion about copyright reform should start by recognizing the importance of balance between the rights of copyright holders and other values we hold dear, like free speech and due process of law.

Copyright Should Accommodate Innovation - Not Just The Innovation That Hollywood Approves

Dodd notes that "technology and the marketplace are evolving faster than the law" and suggests that copyright  "should be broad enough to apply to new technologies that might develop in the future."  We agree, but we suspect Dodd has a different understanding of “apply.” We’ve seen decades of scorched-earth lawsuits against new technologies, most recently targeting Internet video technologies like Cablevision's remote DVR, Aereo's mini-antenna system, and DISH's Ad Hopper. Content industry lawyers seem to think that copyright owners should have veto power and a cut of the profits from any value created by new technologies and new business models that use copyrighted works. That's not actually what copyright law says - some things, like public performances of creative works, are given to the copyright holder to profit from, while some things, like private transmissions over the Internet from a lawful source, are free for everyone to do. And that is as it should be. 

On the other hand, new technologies sometimes take away the rights of users, consumers, tinkerers, and remixers.  Copyright law may need an update to fix these problems.  For example, we could use some clarity on whether digital works can be resold, lent, given away, etc., just like physical books.  We also need a strong affirmative right to repair and tinker with our devices – even if those devices include software locked down with DRM. 

Democracy Is Messy When You Actually Let The People Participate

Dodd laments that "today, the copyright debate, as we have all learned, is far more polarized," and he worries that "consensus on these issues . . . will not be easy."  This is of course a reference to the defeat of SOPA and PIPA, which were to be Dodd's major legislative victories when he left the Senate for the MPAA in 2011.  But that wasn’t the result of polarization – it was participation. Millions of Americans made their voices heard on SOPA and PIPA, moving the debate out of the smoke-filled room and into the sunlight. Making law with the consensus of just a few industry leaders may be easier, but it’s not better. And after SOPA, copyright law just can't be made that way anymore.

And Now, Down to Business

So what changes will MPAA be pushing for? It's clear that they have not abandoned their efforts to force Internet companies that handle user-generated content to become copyright police. Whether through taking down entire domains (as SOPA would have done), cutting off sources of funding, or being able to threaten Internet companies with massive lawsuits, the entertainment industries still want the power to decide what can be on the Internet and what can't. Expect also an effort to extend the term of copyright yet again - in Mr. Dodd's words, to "promote distribution and enjoyment of America's most beloved stories and characters."

At EFF, we have a different agenda. In the coming months, we will be writing about, and organizing to promote, real copyright reform. Copyright law belongs to all of us, and it can reflect the values we want – if we all stay involved. We hope you’ll stand with us.

 

 

 

Related Issues: Intellectual Property
Share this:   ||  Join EFF

The Church of Scientology International (“CSI”) has often been accused of pulling out all the stops to suppress speech critical of the organization.  Surprisingly, however, they have not yet made it into the EFF Takedown Hall of Shame.

Until now. Last week, CSI demanded that GoDaddy take down a website, cheerupwillsmith.com, that used parody and satire to tweak CSI, its alleged relationship to actor Will Smith, and its reportedly aggressive control over the activities of its members. The site included a letter, purportedly from Scientology leader David Miscavige, ordering CSI members to see After Earth, a new movie starring Will Smith that hasn’t done well at the box office, at least three times.  The site also demanded that CSI members make videos supporting Smith.

Pointing to the presence of CSI logos and a photograph of Mr. Miscavige on the site, CSI told GoDaddy the site violated CSI’s copyright and trademark rights, and asked the company to take it down. GoDaddy promptly complied. CSI also claimed that the creators of the site had violated California Penal Code section 528.5, which forbids the credible impersonation of a human person online. Section 528.5 was intended to be used to combat cyberbullying; as we anticipated, however, it’s now being used to target political speech.

As we explained in a letter to CSI, however, none of these claims holds water. With respect to the copyright allegations, the noncommercial site was obviously designed for purposes of criticism and comment.  It used no more than was necessary for its purpose, and caused no conceivable harm to any market for CSI works. In other words, it's precisely the kind of speech the fair use doctrine is intended to protect.

The trademark allegations are equally silly. The website simply uses parody and satire to comment on CSI, its reputation for controlling its members, and its alleged relationship to Will Smith, star of the film “After Earth.” That kind of speech is protected by a variety of legal doctrines, not to mention the First Amendment.

As one federal court put it, trademark law “regulates only economic, not ideological or political, competition . . . ‘Competition in the marketplace of ideas’ is precisely what the First Amendment is designed to protect.”

Finally, the claim that the site violated the California Penal Code is equally absurd. Section 528.5 applies only to “credible” impersonations. No viewer would think the site offered a credible impersonation of Mr. Miscavige—but perhaps CSI knows something we don’t?

Given the outrageousness of CSI complaint, it’s shocking that GoDaddy would respond without hesitation. Activists of all kinds should take heed and look for service providers with backbone. In the meantime, congratulations to CSI: you made it to the Hall of Shame at last.

Files:  lettertosoter.pdfRelated Issues: Free SpeechNo Downtime for Free SpeechIntellectual Property
Share this:   ||  Join EFF

With a White House directive supporting it and legislation pending at the federal and state levels, the fight to expand open access to taxpayer-funded research is rapidly gaining momentum. But it's not over yet. Major journal publishers are working hard to stop—or at least dilute—open access. That's because it's a threat to the traditional publishing business model, which depends on taking the results of research (i.e., articles) and then selling it back to the scientists and their institutions at a massive profit.

The publishing coalition's leading tactic is a deceptive proposal called the Clearinghouse for the Open Research of the United States, or "CHORUS." According to the publishers, CHORUS would create a set of platforms, housed by the publishers themselves, that would help users easily find and access journal articles resulting from federal funding, facilitate article preservation, and "allow text and data mining tools to be applied across publishers' platforms 'under protocols that protect both the user and the source content.'"  In essence, the proposal encourages the agencies and legislators to just let the publishers handle open access. After all, they're the experts, right?

Wrong. Most traditional academic publishers are experts at just that: traditional models that depend on limited access. Forgive the cliché, but putting them in charge is like letting the fox guard the hen house.

With props to SPARC, which has been battling for open access since 1997, here's the reality:

• CHORUS is all about control: publishers preserve their place as the sole point of access to research, and, by extension, they exert a veto right on innovation and new forms of access;
• CHORUS is cumbersome: The National Institutes of Health (NIH) already houses a wealth of research in its PubMed Central database, which allows easy full-text searching and is interoperable with other publicly-funded databases. Rather than leveraging this existing structure, the publishers want to build their own. Again, it's all about control. While the program promises to allow text and mining tools to apply across publishers' various platforms, those platforms vary widely. Thus, in practice, implementing such tool will be difficult.
• CHORUS forgets about data: Policies such as the White House directive call for open access to articles and data. CHORUS conveniently forgets to provide for linking articles to data.
• CHORUS is not "free": Publishers claim CHORUS will be a "no-cost" solution. But that's just hiding the ball. Publishers receive most of their revenue from subscription fees, which are paid by universities—including many public universities. Publishers will doubtless pass the cost of building CHORUS onto subscribers.

We hope that agencies and legislators who are considering how to implement open access are not fooled by CHORUS. It's time for real open access. Here's how you can help.

Related Issues: Open Access
Share this:   ||  Join EFF

The Open Wireless Movement has come to Tunisia!

When former Tunisian dictator Ben Ali was ousted, the Tunisian Internet Agency (ATI) was quickly transformed from an institution of control to one of openness, reversing the oppressive censorship policies of the Ben Ali era. Similarly, the ATI's building—once a private home of Ben Ali—is now being transformed into a space for citizens to innovate.

Inside the basement of the building is #404Lab, a hackerspace that reclaims the space where censorship was once conducted. On Saturday, June 15, the space was launched in an event attended by both local hackers and allies from around the world, including EFF's Jillian York and Seth Schoen. Moez Chakchouk, chairman of and CEO of the ATI, was present to dedicate the space to innovation, inviting hackers to "occupy" the building.

To help set the tone of openness, the #404Lab is hosting an "openwireless.org" connection. This open Wi-Fi connection will allow anyone in the community—neighbors, travelers, and fellow hackers—to easily get on the Internet. The Open Wireless Movement sets out to spread the availability of free wireless Internet connections in an attempt to promote sharing in a privacy-friendly and secure fashion.

We're hoping #404Lab's and ATI's embracing of open wireless sets the tone for all of Tunisia. Currently, many Internet service providers (ISPs) in the United States forbid their customers from sharing networks outside of their households. And countries like France and Germany have harsh policies—largely because of copyright—that prevent citizens from having an "unsecured" network.

But the benefits of open wireless are plenty: whether it's a future where your wireless device can hop from network to network without having subscribe to heinous, invasive cell network plans; or a future where emergency networks don't have to be spun up because they're already there; or a future where students don't have to go to their local fast food restaurants in order to do homework.

Tunisia has the opportunity to forgo any detrimental policies against open wireless—whether on the level of the ISP or the law—and we're exited to have the Tunisian Internet Agency's support. #404Lab's joining of the Open Wireless Movement will help spread the ideal of a Tunisia—and a world—with ubiquitous wireless Internet, and we hope to see "openwireless.org" networks pop up throughout the country.

var mytubes = new Array(2); mytubes[1] = '%3Ciframe src=%22http://www.youtube.com/embed/jew6KiCZ_wQ?rel=1%26amp;autoplay=1%26amp;wmode=opaque%26?autoplay=1%22 width=%22400%22 height=%22250%22 class=%22video-filter video-youtube vf-jew6kiczwq%22 frameborder=%220%22%3E%3C/iframe%3E'; mytubes[2] = '%3Ciframe src=%22http://www.youtube.com/embed/s91RKbmk-fM?rel=1%26amp;autoplay=1%26amp;wmode=opaque%26?autoplay=1%22 width=%22400%22 height=%22250%22 class=%22video-filter video-youtube vf-s91rkbmkfm%22 frameborder=%220%22%3E%3C/iframe%3E'; Related Issues: Free SpeechInternationalOpen Wireless
Share this:   ||  Join EFF

In the 1950s and 60s, the NSA spied on all telegrams entering and exiting the country. The egregious actions were only uncovered after Congress set up an independent investgation called the Church Committee in the 1970s after Watergate. When the American public learned about NSA's actions, they demanded change. And the Church Committee delivered it by providing more information about the programs and by curtailing the spying.

Just like the American public in the 1970s, Americans in the 2010s know that when the government amasses dossiers on citizens, it's neither good for security nor for privacy. And a wide range of polls this week show widespread concern among the American people over the new revelations about NSA domestic spying.

Yesterday, the Guardian released a comprehensive poll showing widespread concern about NSA spying. Two-thirds of Americans think the NSA's role should be reviewed. The poll also showed Americans demanding accountability and more information from public officials—two key points of our recently launched stopwatching.us campaign.

But there's more. So far, Gallup has one of the better-worded questions, finding that 53% of Americans disapprove of the NSA spying. A CBS poll also showed that a majority—at 58%—of Americans disapprove of the government "collecting phone records of ordinary Americans." And Rasmussen—though sometimes known for push polling—also recently conducted a poll showing that 59% of Americans are opposed to the current NSA spying.

The only poll showing less than a majority on the side of government overreach was Pew Research Center, which asked Americans whether it was acceptable that the NSA obtained "secret court orders to track the calls of millions of Americans to investigate terrorism." Pew reported that 56% of Americans said it was "acceptable." But the question is poorly worded. It doesn't mention the widespread, dragnet nature of the spying. It also neglects to describe the "information" being given—metadata, which is far more sensitive and can provide far more information than just the ability to "track the calls" of Americans. And it was conducted early on in the scandal, before it was revealed that the NSA doesn't even have to obtain court orders to search already collected information.

Despite the aggregate numbers, many of the polls took place at the same time Americans were finding out new facts about the program. More questions must be asked. And if history is any indication, the American people will be finding out much more. Indeed, just today the Guardian reported that its working on a whole new series with even more NSA revelations about spying.

One thing is definitely clear: the American public is demanding answers and needs more information. That's why Congress must create a special investigatory committee to reveal the full extent of the programs. Democracy demands it. Go here to take action. 

Related Issues: NSA Spying
Share this:   ||  Join EFF

Spies Without Borders III

This is the third article of our Spies Without Borders series. It has been co-authored by Tamir Israel, Staff Lawyer at CIPPIC,  Katitza Rodriguez, EFF International Rights Director and Mark Rumold, EFF Staff Attorney.  The Spies Without Borders series are looking into how the information disclosed in the NSA leaks affect Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks. This article has been crossposted on the website of OpenMedia.ca.

Introduction

In our previous post, we examined how FISA arose from a historical backlash against the excessive use of foreign intelligence powers to surveil the activities of U.S. persons. We examined how two of FISA’s controversial powers, the business records power (section 215 of the USA PATRIOT Act, codified as 50 USC §1861) and the general acquisition power (section 702 of FISA, codified as 50 USC §1881a) and how their internal safeguards are primarily designed to limit protection to U.S. persons from being excessively spied upon. Now, we will examine what protections, if any, FISA offers to Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks. 

In brief, these safeguards are few and to make matters worse, FISA’s powers are interpreted secretly and generally isolated from any form of effective adversarial review. This makes it unlikely that Internet users outside the United States will even have the opportunity to take advantage of the few protections it offers. All this has led Privacy Researcher, Caspar Bowden, to go so far as to conclude that U.S. foreign intelligence powers “offer[] zero protection to foreigners’ data in U.S. Clouds.”

Secret Courts and Lack of Standing: Will FISA ever face adversarial review?

While FISA provides a secret court, the Foreign Intelligence Surveillance Court (“FISC”), with authority to review some aspects of the government’s surveillance, this role is greatly circumscribed.

FISC and the acquisition power (section 702 of FISA, codified as 50 USC §1881a)

With respect to the acquisition power, FISC’s authority is limited to substantively reviewing the minimization and targeting criteria (designed primarily to limit exposure of U.S. persons). Even in this regard, its review is ex parte, and the approved procedures are never made public.

FISA then obligates FISC to approve a government request, as long as the minimization and targeting criteria are consistent with FISA requirements and the Fourth Amendment (§1881a (i)(3)(A)) and the Government has self-certified that a “significant purpose of the acquisition is to obtain foreign intelligence information” (§1881a (g)(2)(A)(vi). This does not appear to leave FISC with much authority to reject excessively broad surveillance orders targeting Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks.

FISC and the business records powers (section 215 of the USA PATRIOT Act, codified as 50 USC §1861)

The business records power, in theory, grants the FISC judge somewhat more discretion to reject a government application than the acquisition power. Rather than simply accept government assertions, the judge must, with respect to applications investigating non-U.S. persons, find that the government's factual showing provides "reasonable grounds to believe" that the "tangible things" sought are "relevant" to an authorized investigation for foreign intelligence information or to protect against international terrorism or covert intelligence activities. If investigating U.S. persons, the judge must also be convinced that the investigation is not based "solely" on First Amendment activities such as speech or association. But both "reasonable grounds" and "relevance" are weak standards. Even worse, the judge must "presume" relevance in some cases, such as when the facts pertain to a foreign power or agent of a foreign power.

FiSC: Asserting a legal challenge appears dim

Additionally, it is notable that even asserting a legal challenge may be difficult as, before permitting a person to substantively challenge FISA, U.S. courts have required a significant degree of proof that the specific person’s communications have been surveiled as a pre-cursor to allowing a substantive challenge. All in all, the prospect of a rigorous, adversarial challenge to the application of these provisions to Internet users abroad appears dim. And even if such a challenge could be mounted, judicial review in this context can be characterized as “de facto an arbitrary approval.” It is perhaps not surprising, then, that of the 33,900 surveillance requests the U.S. government has submitted to FISC in its 33 years of operation, only 11 have been declined.

Fourth Amendment and Foreign Intelligence: Substantive Safeguards that Protect Little

The key substantive impediments to any order that effectively limits exposure of U.S.-persons is the need for a foreign intelligence objective to be engaged, and respect for the Fourth Amendment. Under FISA, neither the business records power nor the general acquisition power can be employed in the absence of a foreign intelligence objective. However, this requirement is so weak as to offer little protection.

Frank La Rue, a U.N. Special Rapporteur, recently pointed out that:

“Vague and unspecified notions of ‘national security’ have become an acceptable justification for the interception of and access to communications in many countries.”

FISA is no different. FISA defines the term “foreign intelligence” quite broadly to include any information relating to (but, when applied to non-U.S. persons, not necessary for) the ability of the United States to protect against actual or potential attacks, terrorism or clandestine intelligence activities (§1801 (e)). It additionally includes information with respect to a foreign power or territory that relates to (but, again, is not necessary for) the conduct of foreign affairs – an extremely vague concept in itself.

The Government can issue an order under the general acquisition power (§1881a) as long as FISC is convinced that a “significant purpose” of the proposed surveillance is to acquire foreign intelligence. This potentially opens the door to more far reaching investigations, as foreign intelligence need not be the primary purpose of the investigation. Additionally, the business records power can only be used  to seek records that are “relevant” to an “authorized investigation” conducted in order to “obtain” foreign intelligence. ‘Relevancy’, it should be noted, does not apply very stringent restrictions in terms of ensuring that the information sought is likely to contribute to the ultimate objective of obtaining foreign intelligence. This only exacerbates the loose definition of ‘foreign intelligence’, which in itself only requires information of Internet users abroad obtained to be generally relevant to national security activities.

In short, when directed at Internet users abroad, FISA combines a broad definition of foreign intelligence, with a minimal requirement for there to be a nexus between the use of its extra-ordinary powers and the possibility that this use will yield information necessary for the protection of the country.

Constitutional protections to Internet users abroad

As to Constitutional protections, it is not at all clear that the Fourth Amendment even applies to Internet users abroad based outside the United States, nor is it clear whether other statutory protections designed to protect the private communications and data of U.S. persons, such as the Wiretap Act and the Stored Communications Act, can be relied upon extra-territorially. Even assuming Internet users abroad can claim protection under the Fourth Amendment at all, this protection is likely to be highly attenuated and does not appear to include the need for individualized suspicion, meaning Internet users abroad can rely on few constitutional checks to mass surveillance.

Limited and Secret Congressional Oversight is Not Reassuring

Nor is Congressional oversight a reassuring safeguard. While it is notable that of the few senators tasked with overseeing FISA (and, hence, of the few who have historically had knowledge of NSA activities under FISA), a number have publicly stated concerns over the immense scope and nature of the NSA’s surveillance. Senators Ron Wyden and Mark Udall have, for example, made voiced numerous public warnings in past years about the governments “secret legal interpretations” of the act. Regardless, Congressional oversight is limited because of the executive branch's strict secrecy rules, which prevent an informed public debate on FISA powers.

In this regard, it is worth noting that while the recent leaks have helped to expose facets of the U.S. governments’ foreign intelligence activities, a complete picture of NSA electronic surveillance activities is still forming. In fact, following a briefing on these matters conducted in response to the public outcry that followed last week’s revelations, one congresswoman ominously noted that what has been leaked today is only the “tip of the iceberg” in terms of the scope and parameters of NSA surveillance.

Following the leaks, Congress may be ready to more closely scrutinize current foreign intelligence surveillance activities. If the Church Committee serves as a historical precedent, this examination may, in fact, lead to more safeguards. However, given the historical development of FISA as a foreign intelligence power, Internet users abroad may not want to hold their breath!

Next in our Spies Without Borders series, we will examine what implications the Government’s use of these FISA powers has for Internet users abroad, with an eye to other jurisdictions and the requirements of international law.

Related Issues: InternationalState Surveillance & Human RightsPrivacyNSA Spying
Share this:   ||  Join EFF

Spies Without Borders II

This is the second article of our  Spies Without Borders series. This article has been co-authored by Tamir Israel, Staff Lawyer at CIPPIC,  Katitza Rodriguez, EFF International Rights Director and Mark Rumold, EFF Staff Attorney.  The Spies Without Borders series are looking into how the information disclosed in the NSA leaks affect Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks. This article has been crossposted on the website of OpenMedia.ca.

Overview

In order to fully appreciate how the revelations of this past week will impact Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks, a little background on the U.S. legal framework is helpful. The centerpiece of this framework is the Foreign Intelligence Surveillance Act (FISA), enacted in the late 70s. Historically, relying on a national security exception contained in the Wiretap Act, the United States government considered it had no obligation to obtain authorization from a court before intercepting communications for the purpose of national security. This changed in 1972, when the Supreme Court of the United States first held that the Fourth Amendment warrant requirement does apply to surveillance carried out in the name of national security – at least with respect to domestic threats:

Security surveillances are especially sensitive because of the inherent vagueness of the domestic security concept, the necessarily broad and continuing nature of intelligence gathering, and the temptation to utilize such surveillances to oversee political dissent. We recognize, as we have before, the constitutional basis of the President's domestic security role, but we think it must be exercised in a manner compatible with the Fourth Amendment. In this case we hold that this requires an appropriate prior warrant procedure.

These words of caution rang true when it was later revealed that the Government’s unauthorized intelligence-gathering activities had included extensive surveillance of journalists, anti-war protestors, dissident groups and even political opponents. The congressional hearings that followed, called the Church Committee, led to what was perhaps the first comprehensive public look at the activities of the National Security Agency–a clandestine intelligence entity that had been colloquially dubbed “No Such Agency” to reflect its unique ability to defy any attempt to document or oversee its activities. Against this backdrop, FISA was passed specifically for the purpose of limiting foreign intelligence activities from being directed at U.S. persons.

While FISA was always generous in the powers it granted U.S. government agencies with respect to the surveillance of foreign agents, a series of amendments beginning with the USA PATRIOT Act and culminating with the FISA Amendment Act, 2008, transformed FISA into the vehicle for mass surveillance it is today. Notably, these amendments, as the U.S. government ultimately interpreted them:

• (a) provided a broader set of powers under which various digital service providers were compelled to assist U.S. foreign intelligence agencies in their activities;
• (b) removed the need for intelligence agencies to direct their activities at ‘foreign powers’ or ‘agents of foreign powers’ by making any Internet users abroad the legitimate focus of surveillance; and
• (c) applied these extra-ordinary powers to a broader set of circumstances by removing the obligation to ensure ‘foreign intelligence’ is a primary objective for their use.

These amendments furnished the United States government with at least two powerful secret legal surveillance powers that have apparently been used by the NSA to conduct broad surveillance of both U.S. and Internet users abroad:

Business records power (section 215 of the USA PATRIOT Act, codified as 50 USC §1861):

• Under the business records power, the U.S. Government can compel production of ‘any tangible thing’ reasonably believed to be relevant to an authorized investigation conducted for the purpose of obtaining foreign intelligence. The government has now confirmed that it has secretly interpreted ‘any tangible thing’ to include ”all call detail records”, and its telephone metadata surveillance program is based on this power; and

General acquisition and interception power (section 702 of FISA, codified as 50 USC §1881a):

• This general acquisition and interception power allows U.S. government agencies to compel access –possibly in real-time – to information from a diverse range of communications and data processing services. This second power has played a central role in populating the PRISM program.

Lots of problems surround the breadth of these powers and the secretive manner by which they have been interpreted. Very few substantive limits are placed on these powers. To make matters worse, these powers are interpreted secretly and are highly and effectively insulated from any adversarial challenge. This permits the government to adopt the most favourable interpretations it can devise, as has been shown in other contexts. The secret and non-adversarial context in which these interpretations are occurring is particularly problematic given the challenges inherent in applying privacy protections to technologically advanced state surveillance techniques.

Of the few existing internal limits FISA places on its powers, most relate to the need to limit exposure of U.S. persons. The only substantive protections that do not relate to this objective include a loose obligation that the powers be employed for foreign intelligence purposes, compatibility with the Fourth Amendment and the fact that both powers are subject to some limited, but highly secretive Judicial and Congressional review. None of these safeguards is highly reassuring, particularly to Internet users abroad whose private information is stored in U.S. servers, or whose data travels across U.S. networks.

Safeguards primarily designed to limit exposure of U.S. persons

To the extent there are limitations placed on these two FISA powers, they are primarily designed to limit the exposure of U.S. persons. The business records power, for example, cannot be directed at U.S. persons solely on the basis of activities protected by the First Amendment. The general acquisition power can only be directed at persons reasonably believed to be located outside the United States and reasonably believed to be Internet users abroad. A recent leak, however, suggests that the United States Government has secretly interpreted this to require only 51% assurance of foreignness.

The general acquisition power is also subject to general minimization (§1801 (h)) and targeting (§1881a (i)(2)(B)) procedures, which must be approved by FISC. The sole objective of these requirements is to minimize the targeting, collection and retention of private information of U.S. persons. Of course, it remains secret how the specific techniques adopted seek to achieve this. The business records power also includes minimization procedures, but these only relate to minimizing the retention and dissemination of non-public information concerning U.S. persons, not, apparently, its collection (§1861 (g)(2)).

It has become clear over the past several days that the Government and FISC have secretly interpreted these various safeguards in a woefully inadequate manner that fails to achieve even the basic requirement of insulating U.S. persons from their reach. The rest of the world, however, will probably be most concerned by the fact that nothing in FISA or elsewhere in U.S. law seems to effectively limit the extent to which their own online activities are being surveiled.

Next in our Spies Without Borders series, we will examine how the few protections FISA offers to individuals outside the United States provide little or no protection under US law.

Related Issues: InternationalState Surveillance & Human RightsPrivacyNSA Spying
Share this:   ||  Join EFF

This post has been updated and adapted to reflect the developing situation in Sacramento. Thanks to Californians Aware and the First Amendment Coalition for staying on it.

Update 2: AB 76 was passed by the legislature Friday evening, unbeknownst to many journalists and open-government advocates attempting to follow the vote. This explains why EFF's post predicted a vote on Saturday.   

The California legislature is close to suspending important provisions of the state’s public records act, giving local agencies the authority to unilaterally ignore procedures designed to ensure government transparency.

Senate Bill 71 and AB 76, which could be passed and sent to the governor's offiice on Saturday, would allow government bodies on the local level—such as cities, counties, sheriff’s departments and education systems—to choose whether or not to follow certain requirements under the California Public Records Act. These provisions would be downgraded from law to mere “best practices.”  Gone would be the deadlines for determining whether records are disclosable and notifying the member of the public who requested the records. Gone would be the requirement that agencies assist members of the public in identifying which records would answer their questions. Gone would be the mandate that agencies turn over documents in an electronic format if the records have already been digitized.

A local government wouldn’t even have to publicly disclose its records-disclosure policy in writing. The bills only say an agency must “announce orally” once a year if it decides not to follow the new “best practices.”

The impact on government watchdogs, journalists and the public—including EFF—would be profound. The legislation would create long waits for access to records, allow agencies to interpret requests narrowly (say, rejecting requests unless the citizen asks for a specific document), and leave the requesters waiting in limbo indefinitely as government agencies will have no incentive to be helpful. 

Further, it would create massive inconsistencies in policies across the state, making it difficult for members of the public to know what their rights are under the law. Because the opt-out announcement could be made orally, people may have to go back and listen to audio recordings of meetings to even find out if local officials decided to ignore the recommendations.

The state senate and assembly each passed separate versions of the legislation in May under the auspices that it would save the government money. So far no dollar figure has appeared in any public legislative analysis (meanwhile, the state's revenue has exceeded expectations by $4.5 billion).

Even if the change in law would save money on the front end (if anything, a drop in the bucket), taxpayers would pay a heavy price for it in the long haul: It could mark the end of the public’s ability to uncover wasteful spending, ineffective social and educational programs, foolish development projects, abusive practices by law enforcement, and political graft.  The agencies most likely to opt out of the best practices won’t be the ones with the tightest budgets, but the ones with the most to hide.

California has long had a strong commitment to government transparency. The California Public Records Act became law in 1968, just one year after the federal Freedom of Information Act, and recognizes that:

access to information concerning the conduct of the people's business is a fundamental and necessary right of every person in this state.

Californians even incorporated a right to government transparency into the state constitution by overwhelming majority vote in 2004. However, this proposed legislation would strongly undermine this important right.

As is it now, California’s public-records laws are inadequate. The State Integrity Project—a report-card-style study by the Center for Public Integrity, Global Integrity and Public Radio International—gave the state a D- in the terms of public access to information. The grade was based on a 75-percent mark for the legal right to access and a 47-percent for actual effectiveness.

If this measure is passed, we predict that failing grade will drop even lower.

This legislation runs in exactly the opposite direction that the government should be moving in terms of open government. Public access to records should be included as a standard part of the overhead of any government activity. EFF urges the state legislature to stand up for accountability and remove the public-records provisions from SB 71/AB 76 now or vote it down altogether. And if this land on his desk, Governor Jerry Brown should not hesitate to veto the anti-transparency measure buried in this budget.

Related Issues: Transparency
Share this:   ||  Join EFF

After a leaked FISA court document revealed that the National Security Agency (NSA) is vacuuming up private data on millions of innocent Americans by collecting all the phone records of Verizon customers, President Obama responded by saying "let's have a debate" about the scope of US surveillance powers.

At EFF, we couldn't agree more. It turns out, President Obama's most formative debate partner over the invasiveness of NSA domestic surveillance could be his Vice President Joe Biden. Back in 2006, when the NSA surveillance program was first revealed by the New York Times, then-Senator Biden was one of the program's most articulate critics. As the FISA court order shows, the scope of NSA surveillance program has not changed much since 2006, except for the occupant in the White House.

Watch this video, as Senator Biden from 2006 directly refutes each point President Obama made about the NSA surveillance program at his news conference last week.

Privacy info. This embed will serve content from youtube-nocookie.com
var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube-nocookie.com/embed/m4SRCOouw5I?rel=0?autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E';
Share this:   ||  Join EFF

"It's time to end the delay, not extend it."

EFF yesterday filed an opposition to the government's request last week for an indefinite "abeyance" in Jewel v. NSA, our lawsuit filed in 2008 to try to stop the NSA spying that is currently pending in federal court in San Francisco. The government's request came after the President, the Director of National Intelligence and many others publicly confirmed that the NSA collects Americans' phone records on a massive scale, and new evidence in leaked NSA slides substantiated the evidence from AT&T whistleblower Mark Klein that the NSA is conducting "upstream" collection of communications content. 

In December, 2012, the court in San Francisco heard two motions—one by EFF asking the court to recognize that a statute called 50 U.S.C. section 1806(f) effectively overrides the state secrets privilege in cases arising from electronic surveillance and another by the government to have the case dismissed under the state secrets doctrine. EFF's opposition argued:

The Court should decisively reject the government defendants’ gambit to plunge plaintiffs’ motion, and the entire lawsuit, into a state of suspended animation simply because their motion now lies in tatters. For the past five years, this lawsuit has inched forward at less than a snail’s pace. Defendants have yet to answer plaintiffs’ complaint. Meanwhile, the abuses and illegal invasions of the privacy of plaintiffs and millions of other Americans continue unabated and unadjudicated.

Noting that EFF has been trying to get these claims decided by true judicial review in one form or another since 2005, EFF urged the court not to allow the government to continue its tactic of infinite delay:

Plaintiffs are entitled to their day in court to pursue the judicial remedies Congress has created for unlawful surveillance and to challenge the shifting secret legal theories, untested by any adversary proceedings, used over the past 12 years to justify the dragnet surveillance program within the echo chamber of the Executive Branch.

A similar opposition has been filed by the companion case, Shubert v. Obama.

Files:  jewel_opp_6.13.13.pdf shubert_stay_opposition.pdfRelated Issues: NSA SpyingRelated Cases: Shubert v ObamaJewel v. NSA
Share this:   ||  Join EFF

The long-running patent battle between Versata and SAP saw a lot of action this week. Back in 2007, Versata filed a lawsuit claiming SAP infringed a patent on a method “for pricing products in multi-level product and organizational groups.” This dispute – which raises important issues about patents and software – is proceeding both in the courts and at the Patent Office. Yesterday, EFF joined an amicus brief supporting SAP at the Federal Circuit, where SAP is arguing that it does not infringe. Meanwhile, at the Patent Office, SAP won a landmark ruling finding that the invention was not patentable because it merely covers an abstract idea.

The action at the Federal Circuit

A programmable computer can compute an infinite number of functions. So imagine if patent law allowed a seller to be held liable for anything its customers did with the computers they buy—the scope of potential liability would be infinite. Literally.

This is why the law places limits on the extent a company can be held liable for the actions of its customers. Indeed, the standard for inducement or contributory infringement in patent law is a strict one: it requires active steps to specifically encourage infringement.

A recent decision from the Federal Circuit threatens to upset this balance. At a trial in the Eastern District of Texas, Versata’s expert testified that, after several hours of effort, he was able to re-configure SAP’s software to practice the invention. But Versata was unable to show that any of SAP’s customers had ever done this. Nevertheless, SAP was found directly liable for patent infringement. On appeal, the Federal Circuit affirmed liability (and upheld a $345 million damages award).

Yesterday, EFF joined the Application Developers Alliance and a diverse group of companies, such as Microsoft, in an amicus brief asking the Federal Circuit for en banc review of this decision. We argue that binding Supreme Court authority does not allow a company to be held directly liable when a customer (let alone a paid expert) reconfigures a product to infringe a patent. This bright-line rule is needed to provide clear guidance for designers of customizable software and programmable hardware.

A landmark ruling at the Patent Office

While the case continued in the courts, SAP challenged Versata's patent at the Patent Office. It brought its challenge under a new procedure: the America Invents Act’s Transitional Covered Business Methods review program (CBM review). This week’s ruling is the first final written decision from the Patent Trial and Appeal Board (PTAB) under CBM review.

The PTAB found the challenged claims unpatentable because they merely cover abstract ideas and lack meaningful limitations. The PTAB explained that the method of determining price was an abstract calculation. The patent did add some “routine, conventional activity” (such as performing the calculations on a computer) but these were insufficient to transform this abstract idea into patentable subject matter. The PTAB explained that the “mere recitation of computer implementation or hardware in combination with an abstract idea, however, is not itself a significant, meaningful limitation on the scope of the claims.”

Versata can appeal this decision to the Federal Circuit (this means there could be two appeals regarding the same patent – it’s unclear how the PTAB ruling will impact the underlying litigation). So the PTAB’s decision is unlikely to be the final word. But it is still an encouraging ruling and a great first step for CBM review. We join others who are calling for CBM review to be made available for all software-related patents and for the program to be made permanent. And we hope that the Supreme Court will soon step in soon and set the record straight on dangerous patents that impermissibly tie up abstract ideas.

Files:  versata_v_sap_amici_brief_for_microsoft_et_al.pdf sap_cbm_decision.pdfRelated Issues: InnovationPatents
Share this:   ||  Join EFF

Spies Without Borders I

This is the first article of our  Spy Without Borders series. This article has been co-authored by Tamir Israel, Staff Lawyer at CIPPIC and Katitza Rodriguez, EFF International Rights Director.  The Spy Without Borders series are looking into how the information disclosed in the NSA leaks affect the international community and how they highlight one part of an international system of surveillance that dissolves what national privacy protections any of us have, whereever we live. You can follow the Spy Without Borders here.

Introductions

Much of the U.S. media coverage of last week’s NSA revelations has concentrated on its impact on the constitutional rights of U.S.-based Internet users. But what about the billions of Internet users around the world whose private information is stored on U.S. servers, or whose data travels across U.S. networks or is otherwise accessible through them?

While the details are still emerging, what is clear is that many of the newly exposed surveillance activities have been shaped by U.S. foreign intelligence surveillance laws. The secret court that rubberstamped the collection of phone records from Verizon came from the Foreign Intelligence Surveillance Court (FISC), a secret court established under the Foreign Intelligence Surveillance Act (FISA); the PRISM requests, the U.S. government has said, were FISA orders intended to target non-American persons outside of the United States.

As U.S. officials have repeated, FISA is designed to protect the rights of “U.S. persons” (citizens, permanent residents, and others on U.S. soil) in the face of operations targeting foreigners. But regardless of their effectiveness (or lack thereof) in achieving this objective, these slim protections offer nothing to the vast majority of Internet users around the world. Privacy expert, Caspar Bowden, has gone so far as to say that U.S. foreign intelligence powers “offer[] zero protection to foreigners’ data in U.S. Clouds.”

In this article, we will look into how the NSA leaks may affect the rest of the world, and how they highlight one part of an international system of surveillance that dissolves what national privacy protections any of us have, where ever we live.

Global Communications Networks & Trans-border Surveillance

Before looking at the specifics of the NSA’s surveillance program, it is worth noting that these programs are part of a broader trend: as greater use of cloud computing and other web-based services entails more global data routing and storage, many states gain the practical ability to capture, access and in many cases spy on data passing through their territory or accessible remotely through terminals based in their territory. While not an entirely new problem, states have met this increase in practical capacity to conduct sweeping extra-territorial surveillance has not been matched with an increase in extra-territorial protections. This is especially true with foreign intelligence activities, where agencies have historically been granted close to carte blanche legal capacity to surveill foreigners, while incentives to adopt a “capture everything” approach to information gathering have been high. Now, even as it becomes feasible for foreign intelligence agencies to capture all data on all individuals everywhere, states are moving to impose this troubling carte blanche foreign intelligence paradigm to digital networks. The United States government’s FISA powers represent just such a move.

There are many indications of states’ increasing capacity to conduct sweeping and invasive extra-territorial surveillance from domestic soil. In 2009, security researchers uncovered a broad network of infiltrated computer systems, which included a significant proportion of high value targets including foreign ministries, news media, NGOs and political dissidents around the world. Infiltration was likely used to extract sensitive documents and even to surreptitiously hijack audio and video-recording capabilities on many affected computers and transmit it to IP addresses found to be based in China. While there is no direct evidence that this was a state-sponsored attack, it demonstrates the potential for vast and targeted malware-based extra-territorial surveillance. When the lid was finally blown off Gadhafi’s surveillance regime, dissidents in the United Kingdom, foreign activists, casual callers and foreign political adversaries discovered they were caught in its expansive web. Bahreini activists abroad have found malware on their machines, presumably from state-connected actors. An Angolan journalist working from Oslo discovered his Skype conversations being recorded, almost certainly to be relayed back to his government watchers at home. The German government has leveraged the ability to remotely compromise computer systems in order to spy on them by its acquisition of commercial malware and is reportedly in the process of developing its own custom state-owned malware. While there has been no confirmation that Germany is deploying these investigative techniques against persons outside German territories, infection occurs by email and information transmission is over the Internet, so extra-territorial use is certainly feasible.

Far from reigning in this growing technical capacity, domestic laws are increasingly removing all remaining barriers to extra-territorial spying. Surveying a long and growing list of legal frameworks designed to take advantage of this new-found global reach, the United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, recently concluded in a report that:

These developments suggest an alarming trend towards the extension of surveillance powers beyond territorial borders, increasing the risk of cooperative agreements between State law enforcement and security agencies to enable the evasion of domestic legal restrictions.

Exacerbating this problem is an aura of secrecy that pervades trans-border electronic surveillance. The secrecy provisions inherent in U.S. foreign intelligence legislation have, for example, prevented companies like Google and Microsoft from revealing any raw statistics regarding these activities in the Transparency reports these companies publish in their efforts to ensure the public is aware of the true scope and nature of government surveillance activities on their services, although many have now called on the U.S. government to let them do so.

The NSA Leaks: Rare Glimpses into a Vast & Unfettered International Monitoring Program

In the past week or so, new details on the scope of NSA and FBI surveillance were revealed in a series of leaks released primarily by The Guardian (one co-leaked by the Washington Post). In response to these leaks, the Director of National Intelligence has released some additional information on the parameters of the program. Collectively, these releases paint a picture of two specific aspects of surveillance programs that seem designed to leverage the trans-global nature of modern communications in order to empower U.S. foreign intelligence.

The first component targets a huge amount of metadata from telephone calls originating and/or terminating within the United States. The leaked documents reveal that at least one company – Verizon – was ordered to hand over all metadata associated with all telephone communications originating or terminating within the United States (as well as calls wholly within the United States). It has been reported that this program has been operating for about 7 years, meaning the U.S. Government could potentially have a historical database of all calls since 2008.

Metadata is defined quite broadly, to include all ‘routing’ information, as well as unique mobile phone identifiers such as International Mobile Subscriber Identity (IMSI) numbers. The enhanced capacity to generate, store and analyze metadata has transformed what may once have been innocuous data points – who spoke to who, when, for how long, from where – into a highly valuable intelligence capable of revealing people’s most intimate and private affairs. Metadata, for example, played an instrumental role in the forced former CIA Director David Petraeus to resign. Even in its most basic form – who did you call – metadata can be extremely revealing. This invasive capacity is greatly exacerbated by the pervasiveness and scope of the NSA’s collection program.

A second revealed component of these surveillance programs is called PRISM. The full parameters and capacities of PRISM remain unclear. Initially suspected to provide back-door access to the networks of a number of Internet companies, giving the NSA direct access to search service providers networks unilaterally, more recent reports paint a picture of a more narrowly curtailed, but still potentially troubling interface. At its most innocuous, PRISM appears to be a database capable of interacting directly with the networks of participating Internet companies through a series of portals whose specific features and capacities are negotiated and developed with each participating company. Acquisition orders are issued under FISA and sent to the respective companies, who then review them and make use of the portal to respond to the orders electronically. This provides responses in a quicker and more efficient manner than could be otherwise achieved. Portals of this nature have reportedly been set up in other jurisdictions, albeit for law enforcement purposes. It is possible, but not confirmed, that some of the portals in question also facilitate qualitatively different levels of data acquisition. For example, citing a lawyer representing one of the companies in question, the New York Times reports that Internet companies do have the technical capacity to digitally transmit data in real-time to the NSA where a valid FISA order requires this. It is not clear whether this real-time transmission capacity is mediated through the PRISM interface directly. While a U.S. law requires carriers and managed VoIP providers (potentially including Skype) to build real-time interception capabilities into their services, these obligations have not yet been applied to Internet services such as Gmail and Facebook, so real-time access capacity would signal a meaningful qualitative shift in access capability.

Even without the addition of real-time acquisition capacities, however, the PRISM leaks still reveal a program that leverages the domestic presence of remote computing services in order to collect significant amounts of personal data that many individuals around the world would consider highly sensitive. Various reports describe PRISM as providing access to emails, online chats (video and voice), photos, file transfers, search queries, online social networking details and more. The leaks point to this social media, email and cloud data as growing not only in scope, but also in frequency of use. Reports suggest that PRISM information collection interfaces are designed to limit exposure of U.S.-based targets on a balance of probabilities: “designed to produce at least 51 percent confidence in a target’s foreigness.”

An additional leak provided further insight into the staggering size of the NSA’s overall communications surveillance activities. While there have always been hints of the breadth of these activities – earlier this year it was reported the NSA was building a data centre the size of a small village just to store (and analyze) all the data it was collecting – this leak provided specific details on the immense amount of data sets collected by the NSA on a monthly basis. For example, in March 2013 alone, it seems the NSA collected 97 billion pieces of intelligence from computer networks worldwide, bringing new meaning to the term ‘big data’. As explained below, given the questionable legality of NSA domestic surveillance, a lot of the attention from this final revelation will be focused on the close to 3 billion data points marked as ‘United States’. However, the rest of the world should be more concerned with the remaining 94 billion data points particularly in light of the highly dim prospects of a domestic legal remedy to this collection given that such collection occurs under powers intended to facilitate broad surveillance of foreigners outside the U.S.

One more element of the PRISM system is worth examining in light of its implications for non-U.S. persons. According to the Guardian, the United Kingdom’s NSA counterpart, the Government Communications Headquarters, apparently has had access to the PRISM database, generating 197 intelligence reports in 2012 – far less than the 2,000 reports per month issued by the NSA, but still not an insubstantial amount. This raises concerns as the PRISM database is populated through extra-ordinary NSA foreign intelligence powers that far exceed what most democratic governments would be allowed to accomplish under their own laws. It is not clear, for example, that GCHQ would have the legal ability to set up its own PRISM system. If the United States is allowing its security services to collect vast amounts of data on the citizens of its allies, then freely hands that data over to their security services, what protections they might have under domestic surveillance law is completely undermined. And we still don't know what information the U.S. government might receive in return.

In our next Spies Without Borders post, we'll take a closer look at the US laws at the heart of these programs, and why it leaves non-US citizens out in the cold.

Share this:   ||  Join EFF

On Tuesday night, over 100 attorneys and friends participated in the Sixth Annual EFF Cyberlaw Pub Trivia Night, testing their knowledge of the trivial details that arise where the law meets technology.  Teams included representatives from a host of major technology law firms and and Internet companies, representing the best and the brightest luminaries of cyberlaw.  The seven rounds of questions were written by EFF's attorneys, technologists and activists, pulling trivial details from the rich canon of privacy, free speech, and intellectual property law.

First Place Winners: The Clappers

Please join us in congratulating the winners:

1st Place: The Clappers (Fenwick & West)

2d Place: Wikigeeks (Durie Tangri; Ridder, Costa, and Johnstone LLP; Cathy Gellis, et al)

3d Place: One-Way Ticket to Hong Kong (Wilson Sonsini Goodrich & Rosati)

EFF’s Cyberlaw Pub Trivia Night is an important opportunity for us to thank our friends in the legal community who help protect online freedom in the courts. Among the many firms that dedicate their time, talent and resources to the cause, we would especially like to thank Ridder, Costa, and Johnstone LLP for sponsoring this year’s Trivia Night.

Extra special thanks to Chief Judge Alex Kozinski for his wonderful contribution of quotes from his own rich canon of written opinions for the Kozinski Round, which was easily the most popular round of the evening. 

Share this:   ||  Join EFF

UPDATE: Just hours after the Supreme Court ruled today, at least one company announced it would be offering genetic testing on the BRCA genes for $995—barely one quarter of the approximately $4000 Myriad charges for the same tests. 

For the second time in just over a year, the Supreme Court has unanimously weighed in on what is and isn't patentable. And in this case—Association for Molecular Pathology v. Myriad—the high court got it right again.

At issue in this case were the infamous "breast cancer genes," BRCA1 and BRCA2, mutations in which signify increased risk of both breast and ovarian cancers. Myriad isolated these genes and proceeded to use patents to limit who could administer the genetic tests that signal presence of the genes. This raised several concerns, such as the inherent problem with only having one entity administer the tests and the resulting costs—making it nearly impossible for many to afford—and limiting availability of second opinions.

And, more importantly for patent law: these genes exist in nature. Myriad didn't invent or create them, it merely found them, using methods that were well-known among geneticists at the time of discovery. As the Court said

In this case, ... Myriad did not create anything. To be sure, it found an important and useful gene, but separating that gene from its surrounding genetic material is not an act of invention.

Patenting genes had been happening for some time, despite long-standing Supreme Court precedent that, in order to be eligible for a patent, an invention must have a "new or distinctive form, quality or property" and may not be a product of nature. The district court in this case agreed and sided with plaintiffs—geneticists, pathologists, laboratory professionals, and individual breast cancer patients, represented by the ACLU and the Public Patent Foundation— finding that isolated breast cancer genes did not meet this standard and invalidating Myriad's two patents. The Federal Circuit reversed, holding that the isolated genes contained molecules that were "markedly different" than those that occur in nature.

In the interim, the Supreme Court issued another unanimous decision in Mayo v. Prometheus, striking down a patent covering a medical diagnostic test. The Court there found the patent invalid because it took laws of nature and merely included “well-understood, routine, conventional activity previously engaged in by researchers in [the] field.”

We were encouraged by Mayo's strong language that "the basic tools of scientific and technological work" are not patentable. Today, the Court went even further, reversing the Federal Circuit and stating that

As the Court has explained, without this exception, there would be considerable danger that the grant of patents would "tie up'" the use of such tools and thereby "inhibit future innovation premised upon them." This would be at odds with the very point of patents, which exist to promote creation.

We couldn't agree more. The Supreme Court went on to say that "patent protection strikes a delicate balance between creating 'incentives that lead to creation, invention, and discovery' and 'imped[ing] the flow of information that might permit, indeed spur, invention.'"

We're glad to see some sanity in the world of gene patents and diagnostic testing—specifically, more direction from the Supreme Court as to what is an unpatentable "law of nature". (The Court did uphold patents that cover cDNA—genetic material that is developed in a lab and does not naturally exist.) But the so-called "delicate balance" is completely out of whack when it comes to patents that cover software and many other inventions that we believe are similarly unpatentable "abstract ideas". The good news is that this question might end up in front of the Supreme Court soon, and if recent Supreme Court trends hold true, we could see some scaling back of a broken system full of overbroad, vague, and frankly stupid patents.

Files:  amp_v_myriad_scotus.pdfRelated Issues: InnovationPatentsRelated Cases: Abstract Patent Litigation
Share this:   ||  Join EFF

The world was provided confirmation last week of widespread, unconstitutional domestic surveillance of innocent Americans' call records and online activity. But, starting this week, congressional staffers will be briefed in private, newspapers will be forced to report second-hand on what occurred in those briefings, and the public will, once again, be left out of discussions vital to our representative democracy. These discussions should be occurring in public, in an open forum, and for all to hear. Secret briefings, identical to those going on now, were carried out in 2006, after the first disclosure of the NSA's domestic spying program occurred. Seven years later, the program has only grown bigger and more dangerous. This is why we encourage you to call your Senator now and demand that public hearings occur.

Politicians must take an aggressive approach during the upcoming briefings, hearings, and investigations. First, they must determine the true scope of the two different programs—the business records program (Section 215 of the PATRIOT Act) and the PRISM surveillance program based on Section 702 of the Foreign Intelligence Surveillance Act. Then, elected officials must push for disclosure of the full domestic surveillance apparatus operated by the NSA. Politicians need to be careful that officials do not play word games or offer "the least untruthful"—also known as misleading—answers.

Some hearings have touched on the issue, like the recent Senate Apropriations Committee (video) hearing. But the first hearing that must touch on some of these questions will take place this Thursday. The House Judiciary Committee will hold a hearing on the Oversight of the Federal Bureau of Investigation (FBI). The FBI, along with the NSA, is at the center of the spying storm, and FBI Director Robert Mueller has been involved with the NSA's program nearly from its inception.  

With that, here are some questions politicians must ask at the hearing:

General

1) What are the names, capabilities, and purposes of surveillance programs that rely on Foreign Intelligence Surveillance Act authorities, other electronic surveillance statutes, or voluntary cooperation of service providers to acquire or collect widespread information—whether by computer or human—of American communications (defined to include both “metadata” and “content”)?

2) The business records program and the PRISM program have been confirmed by statements of the Director of National Intelligence. It has also been reported that the NSA intercepts information from upstream providers through operations codenamed “Fairview” and “Blarney.” How do "BLARNEY" and "FAIRVIEW" operate, what information is obtained through the programs, and what is their purpose?

3) It has been widely reported that the intelligence community relies on uncommon definitions of common terms. Can you define the terms "collect," "acquire," "intercept," and "content"? If a computer or other device obtains, scans or processes Americans' communications or communications records (on behalf of the government), has the government collected the data? Or must a human being actually perceive the data before you deem that the government collected it?

4) The Washington Post noted that under the NSA's domestic spying program, quarterly reports describing the number of accidental collections of U.S. person content is retained and disseminated to officials. When are you releasing these reports? 

5) How long does the intelligence community retain the information obtained under these authorities? Under what circumstances, if any, are acquired communications (or communications records) deleted?

Section 215

6) Section 215 of the PATRIOT Act authorizes the FBI to collect any "tangible things" relevant to an investigation. According to the Wall Street Journal, dragnet orders relying on Section 215 were also issued to AT&T, Sprint, Internet service providers (ISPs), and credit card providers. What companies, other than Verizon, have received a Section 215 order similar in scope to the one disclosed last week? Has any recipient ever challenged receiving such an order?

7) Can other authorities be used to supplement this search in lieu of Section 215? Has the government ever used National Security Letters or other investigative tools to obtain business records en masse?

8) The “tangible things” sought by the Verizon court order was "telephony metadata." Are there any limits to the type of “things” the FBI can obtain under Section 215? Could the FBI obtain millions of emails with a Section 215 order? Why not? What are the exact components of "telephony metadata" and how is that term defined? Could "metadata" include subject lines of emails, search terms, URLs, and/or location data?

9) The order sought Verizon's "telephony metadata" for its subscribers on an "ongoing daily basis." Has the FBI or another member of the intelligence community used Section 215 to acquire information other than "telephony metadata" in bulk? Has the FBI used Section 215 of the PATRIOT Act only for presently existing records, or has the FBI or any other agency used Section 215 to apply for an order authorizing prospective collection of any relevant tangible record?

10) How do you define "relevant" for Section 215 purposes? Is anything "irrelevant" under that definition? The FISC's order also relied on the definition of "content" contained within the Wiretap Act, 18 U.S.C 2510. Why does the order use the definition of “content” contained in another statute when FISA, itself, defines the term?

11) The Fourth Amendment was created, in part, to protect against "general warrants." Why is a court order compelling Verizon to provide millions of subscribers calling information to the government not a general warrant? Why do these orders not violate the Fourth Amendment? Who do these orders not violate the First Amendment's free speech protections or rights of association?

Section 702

12) Section 702 of the FISA Amendments Act provides broad authority for the government to target persons reasonably believed to be outside the United States. According to reports, Microsoft, Google, Yahoo, Facebook, and other companies have been required to comply with targeting orders under Section 702. What companies, other than those listed, have received directives or orders to comply with Section 702 surveillance or any similar broad collection authority under FISA? Have any recipients ever challenged receiving such an order? How many directives or orders have been issued under Section 702? How many individuals are typically affected by a single order? If you are unable to provide an estimate, why are you not able to?

13) The New York Times reported that some orders issued under Section 702 can be "broad sweep[s] for intelligence, like logs of certain search term.” How many Internet users' communications (including metadata and content) have been made accessible to the intelligence community to or through PRISM?  How many Internet users' communications (including metadata and content) have been algorithmically inspected in the course of completing queries generated with, from, or by PRISM? If you cannot give an estimate, why are you not able to?

14) According to reports, NSA analysts make targeting decisions based on a 51% confidence level that a target is "foreign." How do you ensure that your targets are not Americans? What are the metrics, procedures, and policies for arriving at such determination? How do you determine if there is a "valid foreign intelligence purpose" for the targeting? What are the minimization procedures for targeting under Section 702?

15) In a letter written to Senator Wyden on July 20, 2012, the Director of National Intelligence admitted that "on at least one occasion" the Foreign Intelligence Surveillance Court determined the minimization/collection performed under Section 702 violated "the spirit of the law" and the Fourth Amendment. In what ways did the surveillance violate the Fourth Amendment and the “spirit of the law”? What has been done to correct the unconstitutional surveillance identified by the FISC? Why has this opinion not been made public?

16) The FISA Amendments Act provides the government with extraordinarily broad authority to obtain intelligence information without identifying particular targets, facilities, or locations to be monitored, and the statute gags service providers from ever disclosing having received the order. Why do these orders not violate the Fourth Amendment? The First Amendment?

 

 

Related Issues: NSA SpyingTransparency
Share this:   ||  Join EFF

The United States Chamber of Commerce has come to its senses at last and withdrawn its lawsuit against political activists the Yes Men. In the lawsuit, the Chamber had claimed that a 2009 press conference—in which a Yes Man posing as a Chamber of Commerce spokesperson announced the Chamber was reversing its long held position and endorsing climate change legislation—infringed the Chamber's trademark rights. Before the press conference was even completed, a Chamber of Commerce representative rushed into the room and announced that the Chamber's position on climate change legislation had not in fact changed.  The result: widespread media coverage of the event and the Chamber's humorless response. The Yes Men tell the story best.

Did the Chamber of Commerce finally get a sense of humor? Or did it just realize the lawsuit was doomed?

At that point, things took a dangerous turn.  Rather than letting matters lie, the Chamber pulled out all the stops to try to punish the activists. First, it sent an improper copyright takedown notice to the Yes Men's upstream provider demanding that a parody website posted in support of the action be removed immediately and resulting in the temporary shutdown of not only the spoof site but hundreds of other sites hosted by the Yes Men's web host.  Next, the Chamber filed suit against the activists in federal court.

With help from EFF and Davis Wright Tremaine LLP, the Yes Men fought back, moving to dismiss the claims on First Amendment grounds.  As we explained, you can’t use trademark law to punish free speech just because the speaker happens to use your trademarks as a necessary part of its activism.

Did the Chamber of Commerce finally get a sense of humor? Or did they just realize their lawsuit was doomed? Either way, it’s a long-overdue victory for the Yes Men and their increasingly popular brand of political parody and satire.

The Yes Men are holding a new press conference responding to the Chamber’s decision to drop the case. Watch this space for more on their response.

UPDATE: There is apparently no such thing as a free lunch for the Yes Men — at least not one from the U.S. Chamber of Commerce. Still, they've posted highlights from their press conference on the steps of the Chamber, which we've embedded below.

Privacy info. This embed will serve content from youtube.com
var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22http://www.youtube.com/embed/jew6KiCZ_wQ?rel=1%26amp;autoplay=1%26amp;wmode=opaque%26?autoplay=1%22 width=%22400%22 height=%22250%22 class=%22video-filter video-youtube vf-jew6kiczwq%22 frameborder=%220%22%3E%3C/iframe%3E'; Related Issues: Free SpeechNo Downtime for Free SpeechIntellectual PropertyRelated Cases: Chamber of Commerce v. Servin
Share this:   ||  Join EFF