Privacy

With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive

Deep Links - Wed, 08/17/2016 - 10:12

Microsoft had an ambitious goal with the launch of Windows 10: a billion devices running the software by the end of 2018. In its quest to reach that goal, the company aggressively pushed Windows 10 on its users and went so far as to offer free upgrades for a whole year. However, the company’s strategy for user adoption has trampled on essential aspects of modern computing: user choice and privacy. We think that’s wrong.

You don’t need to search long to come across stories of people who are horrified and amazed at just how far Microsoft has gone in order to increase Windows 10’s install base. Sure, there is some misinformation and hyperbole, but there are also some real concerns that current and future users of Windows 10 should be aware of. As the company is currently rolling out its “Anniversary Update” to Windows 10, we think it’s an appropriate time to focus on and examine the company’s strategy behind deploying Windows 10.

Disregarding User Choice

The tactics Microsoft employed to get users of earlier versions of Windows to upgrade to Windows 10 went from annoying to downright malicious. Some highlights: Microsoft installed an app in users’ system trays advertising the free upgrade to Windows 10. The app couldn’t be easily hidden or removed, but some enterprising users figured out a way. Then, the company kept changing the app and bundling it into various security patches, creating a cat-and-mouse game to uninstall it.

Eventually, Microsoft started pushing Windows 10 via its Windows Update system. It started off by pre-selecting the download for users and downloading it on their machines. Not satisfied, the company eventually made Windows 10 a recommended update so users receiving critical security updates were now also downloading an entirely new operating system onto their machines without their knowledge. Microsoft even rolled in the Windows 10 ad as part of an Internet Explorer security patch. Suffice to say, this is not the standard when it comes to security updates, and isn’t how most users expect them to work. When installing security updates, users expect to patch their existing operating system, and not see an advertisement or find out that they have downloaded an entirely new operating system in the process.

In May 2016, in an action designed in a way we think was highly deceptive, Microsoft actually changed the expected behavior of a dialog window, a user interface element that’s been around and acted the same way since the birth of the modern desktop. Specifically, when prompted with a Windows 10 update, if the user chose to decline it by hitting the ‘X’ in the upper right hand corner, Microsoft interpreted that as consent to download Windows 10. 

Time after time, with each update, Microsoft chose to employ questionable tactics to cause users to download a piece of software that many didn’t want. What users actually wanted didn’t seem to matter. In an extreme case, members of a wildlife conservation group in the African jungle felt that the automatic download of Windows 10 on a limited bandwidth connection could have endangered their lives if a forced upgrade had begun during a mission.

Disregarding User Privacy

The trouble with Windows 10 doesn’t end with forcing users to download the operating system. Windows 10 sends an unprecedented amount of usage data back to Microsoft, particularly if users opt in to “personalize” the software using the OS assistant called Cortana. Here’s a non-exhaustive list of data sent back: location data, text input, voice input, touch input, webpages you visit, and telemetry data regarding your general usage of your computer, including which programs you run and for how long.

While we understand that many users find features like Cortana useful, and that such features would be difficult (though not necessarily impossible) to implement in a way that doesn’t send data back to the cloud, the fact remains that many users would much prefer not to use these features in exchange for maintaining their privacy.

And while users can disable some of these settings, it is not a guarantee that your computer will stop talking to Microsoft’s servers. A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so. Microsoft also won’t say how long this data is retained, instead providing only general timeframes. Worse yet, unless you’re an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there’s no way to opt-out of it.

Microsoft has tried to explain this lack of choice by saying that Windows Update won’t function properly on copies of the operating system with telemetry reporting turned to its lowest level. In other words, Microsoft is claiming that giving ordinary users more privacy by letting them turn telemetry reporting down to its lowest level would risk their security since they would no longer get security updates1. (Notably, this is not something many articles about Windows 10 have touched on.)

But this is a false choice that is entirely of Microsoft’s own creation. There’s no good reason why the types of data Microsoft collects at each telemetry level couldn’t be adjusted so that even at the lowest level of telemetry collection, users could still benefit from Windows Update and secure their machines from vulnerabilities, without having to send back things like app usage data or unique IDs like an IMEI number.

And if this wasn’t bad enough, Microsoft’s questionable upgrade tactics of bundling Windows 10 into various levels of security updates have also managed to lower users’ trust in the necessity of security updates. Sadly, this has led some people to forego security updates entirely, meaning that there are users whose machines are at risk of being attacked.

There’s no doubt that Windows 10 has some great security improvements over previous versions of the operating system. But it’s a shame that Microsoft made users choose between having privacy and security.

The Way Forward

Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations.

Otherwise it will face backlash in the form of individual lawsuits, state attorney general investigations, and government investigations.

We at EFF have heard from many users who have asked us to take action, and we urge Microsoft to listen to these concerns and incorporate this feedback into the next release of its operating system. Otherwise, Microsoft may find that it has inadvertently discovered just how far it can push its users before they abandon a once-trusted company for a better, more privacy-protective solution.

       

Correction: an earlier version of the blogpost implied that data collection related to Cortana was opt-out, when in fact the service is opt in.

  • 1. Confusingly, Microsoft calls the lowest level of telemetry reporting (which is not available on Home or Professional editions of Windows 10) the “security” level—even though it prevents security patches from being delivered via Windows Update.

Share this: Join EFF
Categories: Privacy

Malware That Fakes Bank Login Screens Found In Google Ads

Your rights online - Tue, 08/16/2016 - 21:05
tedlistens quotes a report from Fast Company: For years, security firms have warned of keystroke logging malware that surreptitiously steals usernames and passwords on desktop and laptop computers. In the past year, a similar threat has begun to emerge on mobile devices: So-called overlay malware that impersonates login pages from popular apps and websites as users launch the apps, enticing them to enter their credentials to banking, social networking, and other services, which are then sent on to attackers. Such malware has even found its way onto Google's AdSense network, according to a report on Monday from Kaspersky Lab. The weapon would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements. It then prompts users for administrative rights, which makes it harder for antivirus software or the user to remove it, and proceeds to steal credentials through fake login screens, and by intercepting, deleting, and sending text messages. The Kaspersky researchers call it "a gratuitous act of violence against Android users." "By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q," according to the company. "There you are, minding your own business, reading the news and BOOM! -- no additional clicks or following links required." The good news is that the issue has since been resolved, according to a Google spokeswoman. Fast Company provides more details about these types of attacks and how to stay safe in its report.

Read more of this story at Slashdot.

Categories: Privacy

Univision To Buy Gawker Media For $135 Million

Your rights online - Tue, 08/16/2016 - 20:20
An anonymous reader quotes a report from Recode: Univision has won the auction for Gawker Media. The TV network and digital publisher has agreed to pay $135 million for the bankrupt blog network, according to a person familiar with the deal. Univision's offer will encompass all seven of Gawker Media's sites, including Gawker.com. Ziff Davis and Univision were the only two bidders for Gawker, which filed for bankruptcy after Hulk Hogan and Peter Thiel won a $140 million judgment in a privacy case. Ziff Davis had originally offered $90 million for Gawker Media. Here's a statement from Gawker Media owner Nick Denton: "Gawker Media Group has agreed this evening to sell our business and popular brands to Univision, one of America's largest media companies that is rapidly assembling the leading digital media group for millennial and multicultural audiences. I am pleased that our employees are protected and will continue their work under new ownership -- disentangled from the legal campaign against the company. We could not have picked an acquirer more devoted to vibrant journalism." The deal won't be official for a bit. For starters, a U.S. bankruptcy court judge needs to sign off on the transaction. When it is final, the judgment funds will be set aside while Gawker appeals its court case; eventually the money will go to the side that wins.

Read more of this story at Slashdot.

Categories: Privacy

FCC Complaint: Baltimore Police Breaking Law With Use of Stingray Phone Trackers

Your rights online - Tue, 08/16/2016 - 19:00
An anonymous reader writes from a report via Baltimore Sun: Civil rights groups have complained to the FCC over the Baltimore Police Department's use of stingray phone tracking devices. They claim that "the way police use it interferes with emergency calls and is racially discriminatory." Baltimore Sun reports: "The complaint argues that the police department doesn't have a proper license to use the devices and is in violation of federal law. It calls on regulators at the Federal Communications Commission to step in and formally remind law enforcement agencies of the rules. 'The public is relying on the Commission to carry out its statutory obligation to do so, to fulfill its public commitment to do so, and to put an end to widespread network interference caused by rampant unlicensed transmissions made by BPD and other departments around the country,' the groups say in the complaint. Police in Baltimore acknowledged in court last year that they had used the devices thousands of times to investigate crimes ranging from violent attacks to the theft of cellphones. Investigators had been concealing the technology from judges and defense lawyers and after the revelations Maryland's second highest court ruled that police should get a warrant before using a Stingray. The groups argue that surveillance using the devices also undermines people's free speech rights and describe the use of Stingrays as an electronic form of the intrusive police practices described in the scathing Justice Department report on the police department's pattern of civil rights violations."

Read more of this story at Slashdot.

Categories: Privacy

Snowden Speculates Leak of NSA Spying Tools Is Tied To Russian DNC Hack

Your rights online - Tue, 08/16/2016 - 18:10
An anonymous reader quotes a report from Ars Technica: Two former employees of the National Security Agency -- including exiled whistleblower Edward Snowden -- are speculating that Monday's leak of what are now confirmed to be advanced hacking tools belonging to the U.S. government is connected to the separate high-profile hacks and subsequent leaks of two Democratic groups. Private security firms brought in to investigate the breach of the Democratic National Committee and a separate hack of the Democratic Congressional Campaign Committee have said that the software left behind implicates hackers tied to the Russian government. U.S. intelligence officials have privately said they, too, have high confidence of Russian government involvement. Both Snowden and Dave Aitel, an offensive security expert who spent six years as an NSA security scientist, are speculating that Monday's leak by a group calling itself Shadow Brokers is in response to growing tensions between the U.S. and Russia over the hacks on the Democratic groups. As this post was being prepared, researchers with Kaspersky Lab confirmed that the tools belong to Equation Group, one of the most sophisticated hacking groups they've ever investigated. "Why did they do it?" Snowden wrote in a series of tweets early Tuesday morning. "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack." In a brief post of his own, Aitel agreed that Russia is the most likely suspect behind both the Democratic hacks and the leaking of the NSA spying tools. He also said the NSA data was likely obtained by someone with physical access to an NSA secure area who managed to walk out with a USB stick loaded with secrets.

Read more of this story at Slashdot.

Categories: Privacy

Windows UAC Bypass Permits Code Execution

Your rights online - Tue, 08/16/2016 - 17:30
msm1267 writes from a report via Threatpost: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk. The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start Powershell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC. An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up. Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.

Read more of this story at Slashdot.

Categories: Privacy

Canada's Police Chiefs Want New Law To Compel People To Reveal Passwords

Your rights online - Tue, 08/16/2016 - 15:31
Reader DaveyJJ writes: CBC is reporting that the Canadian Association of Chiefs of Police, has passed a resolution calling for a legal measure to unlock digital evidence, saying criminals increasingly use encryption to hide illicit activities. The chiefs are recommending new legislation that would force people to hand over their electronic passwords with a judge's consent. RCMP Assistant Commissioner Joe Oliver is using the usual scare tactics "child-molesters and mobsters live in the 'dark web'" in his statement today to drum up public support in his poorly rationalized privacy-stripping recommendation. A few years ago, Canada's Supreme Court ruled that police must have a judge's order to request subscriber and customer information from ISPs, banks and others who have online data about Canadians. I guess that ruling isn't sitting too well with law enforcement and Canada's domestic spy agencies.

Read more of this story at Slashdot.

Categories: Privacy

Demand California Fix CalGang, A Deeply Flawed Gang Database

Deep Links - Tue, 08/16/2016 - 13:56

CalGang is a joke.

California’s gang database contains data on more than 150,000 people that police believe are associated with gangs, often based on the flimsiest of evidence. Law enforcement officials would have you believe that it’s crucial to their jobs, that they use it ever so responsibly, and that it would never, ever result in unequal treatment of people of color.

But you shouldn’t take their word for it. And you don’t have to take ours either, or the dozens of other civil rights organizations calling for a CalGang overhaul. But you should absolutely listen to the California State Auditor’s investigation.

The state’s top CPA, Elaine Howle, cracked open the books and crunched the numbers as part of an audit:

This report concludes that CalGang’s current oversight structure does not ensure that law enforcement agencies (user agencies) collect and maintain criminal intelligence in a manner that preserves individuals’ privacy rights.

Brutal.  But then there was more. 

She wrote that CalGang receives “no state oversight” and operates “without transparency or meaningful opportunities for public input.”

She found that agencies couldn’t legitimize 23 percent of CalGang entries she reviewed. Thirteen out of 100 people had no substantiated reason for being in the database.

She found that law enforcement had ignored a five-year purging policy for more than 600 people, often extending the purge date to more than 100 years. They also frequently disregarded a law requiring police to notify the parents of minors before adding them to CalGang. 

She found that there was “little evidence” that CalGang had met standards for protecting privacy and other constitutional rights.

As a result, user agencies are tracking some people in CalGang without adequate justification, potentially violating their privacy rights.

And then the other shoe dropped:

Further, by not reviewing information as required, CalGang’s governance and user agencies have diminished the system’s crime-fighting value.

To recap the audit: CalGang violates people’s rights, operates with no oversight, is chockfull of unsubstantiated information and data that should have been purged, and has diminished value in protecting public safety.

Assemblymember Shirley Weber has the start of a solution: A.B. 2298.  

This bill would write into law all new transparency and accountability measures for the controversial CalGang database and at least 11 other gang databases managed by local law enforcement agencies in California.

For example:

  • Law enforcement would be required to notify you if they intend to add you to the database.
  • You would have the opportunity to challenge your inclusion in a gang database.
  • Law enforcement agencies would have to produce transparency reports for anyone to look at with statistics on CalGang additions, removals, and demographics.

EFF has joined dozens of civil rights groups like the Youth Justice Coalition to support this bill. If you live in California, please join us by emailing your elected officials today to put this bill on the governor’s desk.

Support Reform of California's Gang Databases

Here are some other things you should know about CalGang.

What is CalGang?

CalGang is a data collection system used by law enforcement agencies to house information on suspected gang members. At last count, CalGang contained data on more than 150,000 people. As of 2016, the CalGang database is accessible by more than 6,000 law enforcement officers across the state from the laptops in their patrol vehicles.

As the official A.B. 2298 legislative analysis explains:

The CalGang system database, which is housed by the [California Department of Justice, is accessed by law enforcement officers in 58 counties and includes 200 data fields containing personal, identifying information such as age, race, photographs, tattoos, criminal associates, addresses, vehicles, criminal histories, and activities.

Something as simple as living on a certain block can label you as a possible Crip or Hell’s Angel, subjecting you to increased surveillance, police harassment, and gang injunctions. Police use the information in the database to justify an arrest, and prosecutors use it to support their request for maximum penalties.

Many of the Californians included in the CalGang database don’t know they’re on it. What’s worse: If you’re an adult on the list, you have no right to know you’re on it or to challenge your inclusion. Law enforcement agencies have lobbied aggressively to block legislation that would make the CalGang data more accessible to the public.

How Does CalGang Work?

In use for almost 20 years, CalGang holds information collected by beat officers during traffic stops and community patrols. The officers fill out Field Identification Cards with details supporting their suspicions, which can include pictures of the person’s tattoos and clothing. They can collect this information from any person at any time, no arrest necessary. The cards are then uploaded to CalGang at the discretion of the officer. Detectives also add to the database while mapping out connections and associations to the suspects they investigate. Any officer can access the information remotely at any time. So if, during the course of writing a fix-it ticket, an officer runs the driver’s name through the database and sees an entry, that officer can potentially formulate a bias against the driver.

Ali Winston’s Reveal News article about the horrors of CalGang shows how Facebook photos with friends can lead to criminal charges.

Aaron Harvey, a 26-year-old club promoter in Las Vegas at the time, was arrested and taken back to his native city of San Diego. He was charged with nine counts of gang conspiracy to commit a felony due to the fact that a couple of his Facebook friends from the Lincoln Park neighborhood where he grew up were believed to be in a street gang. Police further suspected that those friends took part in nine shootings, all of which occurred after Harvey had moved to Nevada. Even though no suspects were ever charged in connection to the actual shootings, Harvey still spent eight months in jail before a judge dismissed the gang conspiracy charges against him as baseless. As a direct result of his unjust incarceration, he lost his job and his apartment in Las Vegas and had to move in with family in San Diego.

Asked about his experience of gang classification systems, Harvey said,  “It’s like a virus that you have, that you don’t know you have… (Someone) infected me with this disease; now I have it, and there’s no telling how many other people I have infected.”

It’s Based on Subjective Observations

The criteria used for determining gang affiliation are laughably broad. Much of the information that is considered to be evidence of gang activity is open to personal interpretation: being seen with suspected gang members, wearing “gang dress”, making certain hand signs, or simply being called a gang member by, as the CalGang procedural manual states, an “untested informant”. The presence of two of these criteria is considered enough evidence for people to be included in the database for at least 5 years and subject to a possible gang injunction (a court order that restricts where you can go and with whom you can interact). 

A.B. 2298’s legislative analysis explains the flaw in this system.  

[A]s a practical matter, it may be difficult for a minor, or a young-adult, living in a gang-heavy community to avoid qualifying criteria when the list of behaviors includes items such as “is in a photograph with known gang members,” “name is on a gang document, hit list or gang-related graffiti” or “corresponds with known gang members or writes and/or receives correspondence.” In a media-heavy environment, replete with camera phones and social network comments, it may be challenging for a teenager aware of the exact parameters to avoid such criteria, let alone a teenager unaware he or she is being held to such standards.

As we saw with Aaron Harvey, meeting three of the criteria can get you a gang conspiracy charge.

It’s Racially Biased

 Patrol officers, because they directly engage the public during their daily beat, make many of the entries. The problem is that communities of color tend to be heavily policed in the first place. In a state that is 45% black and brown, Hispanic and African-American individuals make up 85% of the CalGang database. In a country where people of color are already targeted and criminally prosecuted at disproportionately higher rates, having a database that intensifies racial bias and penalizes thousands of Californians based on the neighborhood and community in which they live, their friends and other personal connections, what they wear, and the way that they pose in pictures is unconstitutional. 

That being said, false gang ties can be attributed to anyone (with all the negative ramifications that go along with them) regardless of race. The database also includes people with tenuous ties to Asian gangs, white nationalist groups, and motorcycle clubs.

Lack of Transparency

Even though S.B. 458 was passed in 2013 requiring that the state of California notify parents of juveniles who are listed on the database (because some registrants are as young as 9 years old), a 2014 proposition that would have extended the notification to adults was heavily resisted by law enforcement agencies. That bill ultimately failed. As it stands today, if an adult Californian wanted to know if they are listed in CalGang, they would have absolutely no recourse. There is no way to challenge incorrect assertions of gang affiliation. Most of the adults who are listed as potential gang members won’t find out until after an arrest. 

In terms of governance, the State Auditor noted that because CalGang wasn’t created by a statute, there is no formal state oversight. Instead, it’s managed by two secretive committees, the CalGang Executive Board and the CalGang Node Advisory Committee. She writes:

Generally, CalGang’s current operations are outside of public view… we found that the CalGang users self‑administer the committee’s audits and that they do not meaningfully report the results to the board, the committee, or the public. Further, CalGang’s governance does not meet in public, and neither the board nor the committee invites public participation by posting meeting dates, agendas, or reports about CalGang.

The last report from the California Department of Justice explaining the data in CalGang was published way back in 2010.

Tell your elected representative to support A.B. 2298 today.

Correction: The figure regarding the number of individuals in the CalGang database has been adjusted from 200,000 to 150,000 based on updated numbers from the auditor's report.  


Share this: Join EFF
Categories: Privacy

Rock Against the TPP heads to Portland, Seattle, and San Francisco

Deep Links - Tue, 08/16/2016 - 12:07

As the Rock Against the TPP tour continues its way around the country, word is spreading that it's not too late for us to stop the undemocratic Trans-Pacific Partnership (TPP) in its tracks. The tour kicked off in Denver on July 23 with a line-up that included Tom Morello, Evangeline Lilly, and Anti-Flag, before hitting San Diego the following week where Jolie Holland headlined. You can check out the powerful vibe of the kick-off show below.

Privacy info. This embed will serve content from youtube.com

And the tour isn't even half done yet! This weekend, Rock Against the TPP heads to Seattle on August 19 and Portland on August 20, featuring a number of new artists including Danbert Nobacon of Chumbawamba in Seattle, and hip-hop star Talib Kweli in Portland. The latest tour date to be announced is a stop in EFF's home city of San Francisco on September 9, featuring punk legend Jello Biafra.

EFF will be on stage for each of the three remaining dates to deliver a short message about the threats that the TPP poses to Internet freedom, creativity, and innovation both here in the United States, and across eleven other Pacific Rim countries. These threats include:

  • Doubling down on U.S. law that makes it easy for copyright owners to have content removed from the Internet without a court order, and hard for users whose content is wrongly removed.
  • Forcing six other countries to go along with our ridiculously long copyright term—life of the author plus another 70 years—which stops artists and fans from using music and art from a century ago.
  • Imposing prison terms for those who disclose corporate secrets, break copyright locks, or share files, even if they are journalists, whistleblowers, or security researchers, and even if they're not making any money from it.

In addition, the TPP completely misses the opportunity to include meaningful protections for users. It fails to require other countries to adopt an equivalent to the fair use right in U.S. copyright law, it includes only weak and unenforceable language about the importance of a free and open Internet and net neutrality, and its provisions on encryption technology and software source code fail to offer any protection against crypto backdoors.

Rock Against the TPP is an opportunity to spread the word about these problems and to stand up to the corporate lobbyists and their captive trade negotiators who have spent years pushing the TPP against the people's will. First and foremost it's also a celebration of the creativity, passion, and energy of the artists and fans who are going to help to stop this flawed agreement.

If you can make it to Portland, Seattle, or San Francisco, please join us! Did we mention that the concerts are absolutely free? Reserve your tickets now, and spread the word to all your family and friends. With your help, the TPP will soon be nothing but a footnote in history.

var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube.com/embed/OuhYIeX7OqY??autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E';
Share this: Join EFF
Categories: Privacy

Google Duo Video Chat App Arrives On iOS and Android With End-to-end Encryption

Your rights online - Tue, 08/16/2016 - 11:20
An anonymous reader writes: Video chat should be simple, but it is not. The biggest issue is fragmentation. On iOS, for instance, Facetime is a wonderfully easy solution, but there is no Android client. While there are plenty of cross-platform third-party options to solve this, they aren't always elegant. Skype is a good example of an app that should bridge the gap, but ends up being buggy and clunky. Google is aiming to solve this dilemma with its 'Duo' video chat app. With it, the search giant is putting a heavy focus on ease of use. The offering is available for both Android and iOS -- the only two mobile platforms that matter (sorry, Windows 10 Mobile). Announced three months ago, it finally sees release today. There is no news about the Allo chat sister-app, sadly.

Read more of this story at Slashdot.

Categories: Privacy

White House Source Code Policy Should Go Further

Deep Links - Mon, 08/15/2016 - 18:21

A new federal government policy will result in the government releasing more of the software that it creates under free and open source software licenses. That’s great news, but doesn’t go far enough in its goals or in enabling public oversight.

A few months ago, we wrote about a proposed White House policy regarding how the government handles source code written by or for government agencies. The White House Office of Management and Budget (OMB) has now officially enacted the policy with a few changes. While the new policy is a step forward for government transparency and open access, a few of the changes in it are flat-out baffling.

As originally proposed (PDF), the policy would have required that code written by employees of federal agencies be released to the public. For code written by third-party developers, agencies would have been required to release at least 20% of it under a license approved by the Open Source Initiative—prioritizing “code that it considers potentially useful to the broader community.”

At the time, EFF recommended that OMB consider scrapping the 20% rule; it would be more useful for agencies to release everything, regardless of whether it was written by employees or third parties. Exceptions could be made in instances in which making code public would be prohibitively expensive or dangerous.

Instead, OMB went in the opposite direction: the official policy treats code written by government employees and contractors the same and puts code in both categories under the 20% rule. OMB was right the first time: code written by government employees is, by law, in the public domain and should be available to the public.

More importantly, though, a policy that emphasizes “potentially useful” code misses the point. While it’s certainly the case that people and businesses should be able to reuse and build on government code in innovative ways, that’s not the only reason to require that the government open it. It’s also about public oversight.

Giving the public access to government source code gives it visibility into government programs. With access to government source code—and permission to use it—the public can learn how government software works or even identify security problems. The 20% rule could have the unfortunate effect of making exactly the wrong code public. Agencies can easily sweep the code in most need of public oversight into the 80%. In fairness, OMB does encourage agencies to release as much code as they can “to further the Federal Government's commitment to transparency, participation, and collaboration.” But the best way to see those intentions through is to make them the rule.

Open government policy is at its best when its mandates are broad and its exceptions are narrow. Rather than trust government officials’ judgment about what materials to make public or keep private, policies like OMB’s should set the default to open. Some exceptions are unavoidable, but they should be limited and clearly defined. And when they’re invoked, the public should know what was exempted and why.

OMB has implemented the 20% rule as a three-year pilot. The office says that it will “evaluate pilot results and consider whether to allow the pilot program to expire or to issue a subsequent policy to continue, modify, or increase the minimum requirements of the pilot program.” During the next three years, we’ll be very interested to see how much code agencies release and what stays obscured.

var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube.com/embed/OuhYIeX7OqY??autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E';
Share this: Join EFF
Categories: Privacy

The FCC Can't Save Community Broadband -- But We Can

Deep Links - Sat, 08/13/2016 - 10:39

Last year, while most of us were focused on the FCC’s Open Internet Order to protect net neutrality, the FCC quietly did one more thing: it voted to override certain state regulations that inhibit the development and expansion of community broadband projects. The net neutrality rules have since been upheld, but last week a federal appeals court rejected FCC’s separate effort to preempt state law.

The FCC’s goals were laudable. Municipalities and local communities have been experimenting with ways to foster alternatives to big broadband providers like Comcast and Time/Warner. Done right, community fiber experiments have the potential to create options that empower Internet subscribers and make Internet access more affordable. For example, Chattanooga, Tennessee, is home to one of the nation’s least expensive, most robust municipally-owned broadband networks. The city decided to build a high-speed network initially to meet the needs of the city’s electric company. Then, the local government learned that the cable companies would not be upgrading their Internet service fast enough to meet the city's needs. So the electric utility also became an ISP, and the residents of Chattanooga now have access to a gigabit (1,000 megabits) per second Internet connection. That’s far ahead of the average US connection speed, which typically clocks in at 9.8 megabits per second.

But 19 states have laws designed to inhibit experiments like these, which is why the FCC decided to take action, arguing that its mandate to promote broadband competition gave it the authority to override state laws inhibiting community broadband. The court disagreed, finding that the FCC had overstepped its legal authority to regulate.

While the communities that looked to the FCC for help are understandably disappointed, the ruling should offer some reassurance for those who worry about FCC overreach. Here, as with net neutrality rulings prior to the latest one, we see that the courts can and will rein in the FCC if it goes beyond its mandate.

But there are other lessons to be learned from the decision. One is that we cannot rely on the FCC alone to promote high speed Internet access. If a community wants the chance to take control of its Internet options, it must organize the political will to make it happen – including the will to challenge state regulations that stand in the way. Those regulations were doubtless passed to protect incumbent Internet access providers, but we have seen that a determined public can fight those interests and win. This time, the effort must begin at home. Here are a few ideas:

Light Up the Dark Fiber, Foster Competiiton

In most U.S. cities there is only one option for high-speed broadband access. And this lack of competition means that users can’t vote with their feet when monopoly providers like Comcast or Verizon discriminate among Internet users in harmful ways. On the flipside, a lack of competition leaves these large Internet providers with little incentive to offer better service.

It doesn't have to be that way. Right now, 89 U.S. cities provide residents with high-speed home Internet, but dozens of additional cities across the country have the infrastructure, such as dark fiber, to either offer high-speed broadband Internet to residents or lease out the fiber to new Internet access providers to bring more competition to the marketplace (the option we prefer).

“Dark fiber” refers to unused fiber optic lines already laid in cities around the country, intended to provide high speed, affordable Internet access to residents. In San Francisco, for example, more than 110 miles of fiber optic cable run under the city. Only a fraction of that fiber network is being used.

And San Francisco isn’t alone. Cities across the country have invested in laying fiber to connect nonprofits, schools, and government offices with high-speed Internet. That fiber can be used by Internet service startups to help deliver service to residents, reducing the expensive initial investment it takes to enter this market.

So the infrastructure to provide municipal alternatives is there in many places—we just need the will and savvy to make it a reality that works.

"Dig Once"—A No Brainer

Building the infrastructure for high-speed internet is expensive. One big expense is tearing up the streets to build out an underground network. But cities regularly have to tear up streets for all kinds of reasons, such as upgrading sewer lines. They should take advantage of this work to create a network of conduits, and then let any company that wants to route their cables through that network, cutting the cost of broadband deployment.

Challenge Artificial Political and Legal Barriers

In addition to state regulations, many cities have created their own unnecessary barriers to their efforts to light up dark fiber or extend existing networks. Take Washington, D.C., where the city’s fiber is bound up in a non-compete contract with Comcast, keeping the network from serving businesses and residents. If that's the case in your town, you should demand better from your representatives. In addition, when there's a local meeting to consider new construction, demand that they include a plan for installing conduit.

These are just a few ideas; you can find more here, along with a wealth of resources. It’s going to take a constellation of solutions to keep our Internet open, but we don't need to wait on regulators and legislators in D.C. This is one area where we can all be leaders. We can organize locally and tell our elected officials to invest in protecting our open Internet.

var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube.com/embed/OuhYIeX7OqY??autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E';
Share this: Join EFF
Categories: Privacy

EFF Asks Supreme Court To Review ‘Dancing Baby’ Copyright Case

Deep Links - Fri, 08/12/2016 - 17:45
Copyright Holders Must Be Held Accountable For Baseless Takedown Notices

Washington, D.C.—The Electronic Frontier Foundation (EFF) today filed a petition on behalf of its client Stephanie Lenz asking the U.S. Supreme Court to ensure that copyright holders who make unreasonable infringement claims can be held accountable if those claims force lawful speech offline.

Lenz filed the lawsuit that came to be known as the “Dancing Baby” case after she posted—back in 2007—a short video on YouTube of her toddler son in her kitchen. The 29-second recording, which Lenz wanted to share with family and friends, shows her son bouncing along to the Prince song "Let's Go Crazy," which is heard playing in the background. Universal Music Group, which owns the copyright to the Prince song, sent YouTube a notice under the Digital Millennium Copyright Act (DMCA), claiming that the family video was an infringement of the copyright.

EFF sued Universal on Lenz’s behalf, arguing that the company’s claim of infringement didn’t pass the laugh test and was just the kind of improper, abusive DMCA targeting of lawful material that so often threatens free expression on the Internet. The DMCA includes provisions designed to prevent abuse of the takedown process and allows people like Lenz to sue copyright holders for bogus takedowns.

The San Francisco-based U.S. Court of Appeals for the Ninth Circuit last year sided in part with Lenz, ruling that that copyright holders must consider fair use before sending a takedown notice. But the court also held that copyright holders should be held to a purely subjective standard. In other words, senders of false infringement notices could be excused so long as they subjectively believed that the material they targeted was infringing, no matter how unreasonable that belief. Lenz is asking the Supreme Court to overrule that part of the Ninth Circuit’s decision to ensure that the DMCA provides the protections for fair use that Congress intended.

“Rightsholders who force down videos and other online content for alleged infringement—based on nothing more than an unreasonable hunch, or subjective criteria they simply made up—must be held accountable,” said EFF Legal Director Corynne McSherry. “If left standing, the Ninth Circuit’s ruling gives fair users little real protection against private censorship through abuse of the DMCA process.”

For the brief:
https://www.eff.org/document/petition-writ-lenz-v-universal

For more on Lenz v. Universal:
https://www.eff.org/cases/lenz-v-universal

var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube.com/embed/OuhYIeX7OqY??autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E'; Contact:  CorynneMcSherryLegal Directorcorynne@eff.org
Share this: Join EFF
Categories: Privacy

EFF Asks Supreme Court To Review ‘Dancing Baby’ Copyright Case

EFF Press Releases - Fri, 08/12/2016 - 17:45
Copyright Holders Must Be Held Accountable For Baseless Takedown Notices

Washington, D.C.—The Electronic Frontier Foundation (EFF) today filed a petition on behalf of its client Stephanie Lenz asking the U.S. Supreme Court to ensure that copyright holders who make unreasonable infringement claims can be held accountable if those claims force lawful speech offline.

Lenz filed the lawsuit that came to be known as the “Dancing Baby” case after she posted—back in 2007—a short video on YouTube of her toddler son in her kitchen. The 29-second recording, which Lenz wanted to share with family and friends, shows her son bouncing along to the Prince song "Let's Go Crazy," which is heard playing in the background. Universal Music Group, which owns the copyright to the Prince song, sent YouTube a notice under the Digital Millennium Copyright Act (DMCA), claiming that the family video was an infringement of the copyright.

EFF sued Universal on Lenz’s behalf, arguing that the company’s claim of infringement didn’t pass the laugh test and was just the kind of improper, abusive DMCA targeting of lawful material that so often threatens free expression on the Internet. The DMCA includes provisions designed to prevent abuse of the takedown process and allows people like Lenz to sue copyright holders for bogus takedowns.

The San Francisco-based U.S. Court of Appeals for the Ninth Circuit last year sided in part with Lenz, ruling that that copyright holders must consider fair use before sending a takedown notice. But the court also held that copyright holders should be held to a purely subjective standard. In other words, senders of false infringement notices could be excused so long as they subjectively believed that the material they targeted was infringing, no matter how unreasonable that belief. Lenz is asking the Supreme Court to overrule that part of the Ninth Circuit’s decision to ensure that the DMCA provides the protections for fair use that Congress intended.

“Rightsholders who force down videos and other online content for alleged infringement—based on nothing more than an unreasonable hunch, or subjective criteria they simply made up—must be held accountable,” said EFF Legal Director Corynne McSherry. “If left standing, the Ninth Circuit’s ruling gives fair users little real protection against private censorship through abuse of the DMCA process.”

For the brief:
https://www.eff.org/document/petition-writ-lenz-v-universal

For more on Lenz v. Universal:
https://www.eff.org/cases/lenz-v-universal

Contact:  CorynneMcSherryLegal Directorcorynne@eff.org
Share this: Join EFF
Categories: Privacy

We Shouldn’t Wait Another Fifteen Years for a Conversation About Government Hacking

Deep Links - Fri, 08/12/2016 - 13:46

With high-profile hacks in the headlines and government officials trying to reopen a long-settled debate about encryption, information security has become a mainstream issue. But we feel that one element of digital security hasn’t received enough critical attention: the role of government in acquiring and exploiting vulnerabilities and hacking for law enforcement and intelligence purposes. That’s why EFF recently published some thoughts on a positive agenda for reforming how the government, obtains, creates, and uses vulnerabilities in our systems for a variety of purposes, from overseas espionage and cyberwarfare to domestic law enforcement investigations.

Some influential commentators like Dave Aitel at Lawfare have questioned whether we at EFF should be advocating for these changes, because pursuing any controls on how the government uses exploits would be “getting ahead of the technology.” But anyone who follows our work should know we don’t call for new laws lightly.

To be clear: We are emphatically not calling for regulation of security research or exploit sales. Indeed, it’s hard to imagine how any such regulation would pass constitutional scrutiny. We are calling for a conversation around how the government uses that technology. We’re fans of transparency; we think technology policy should be subject to broad public debate, heavily informed by the views of technical experts. The agenda in the previous post outlined calls for exactly that.

There’s reason to doubt anyone who claims that it’s too soon to get this process started.

Consider the status quo: The FBI and other agencies have been hacking suspects for at least 15 years without real, public, and enforceable limits. Courts have applied an incredible variety of ad hoc rules around law enforcement’s exploitation of vulnerabilities, with some going so far as to claim that no process at all is required. Similarly, the government’s (semi-)formal policy for acquisition and retention of vulnerabilities—the Vulnerabilities Equities Process (VEP)—was apparently motivated in part by public scrutiny of Stuxnet (widely thought to have been developed at least in part by the U.S. government) and the long history of exploiting vulnerabilities in its mission to disrupt Iran's nuclear program. Of course, the VEP sat dormant and unused for years until after the Heartbleed disclosure. Even today, the public has seen the policy in redacted form only thanks to FOIA litigation by EFF.

The status quo is unacceptable.

If the Snowden revelations taught us anything, it’s that the government is in little danger of letting law hamstring its opportunistic use of technology. Nor is the executive branch shy about asking Congress for more leeway when hard-pressed. That’s how we got the Patriot Act and the FISA Amendments Act, not to mention the impending changes to Federal Rule of Criminal Procedure 41 and the endless encryption “debate.” The notable and instructive exception is the USA Freedom Act, the first statute substantively limiting the NSA’s power in decades, born out of public consternation over the agency’s mass surveillance.

So let’s look at some of the arguments for not pursuing limits on the government’s use of particular technologies here.

On vulnerabilities, the question is whether the United States should have any sort of comprehensive, legally mandated policy requiring disclosure in some cases where the government finds, acquires, creates, or uses vulnerabilities affecting the computer networks we all rely on. That is, should we take a position on whether it is beneficial for the government to disclose vulnerabilities to those in the security industry responsible for keeping us safe? 

In one sense, this is a strange question to be asking, since the government says it already has a considered position, as described by White House Cybersecurity Coordinator, Michael Daniel: “[I]n the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.” Other knowledgeable insiders—from former National Security Council Cybersecurity Directors Ari Schwartz and Rob Knake to President Obama’s hand-picked Review Group on Intelligence and Communications Technologies—have also endorsed clear, public rules favoring disclosure.

But Aitel says all those officials are wrong. He argues that we as outsiders have no evidence that disclosure increases security. To the contrary, Aitel says it’s a “fundamental misstatement” and a “falsehood” that vulnerabilities exploited by the government might overlap with vulnerabilities used by bad actors. “In reality,” he writes, “the vulnerabilities used by the U.S. government are almost never discovered or used by anyone else.”

If Aitel has some data to back up his “reality,” he doesn’t share it. And indeed, in the past, Aitel himself has written that “bugs are often related, and the knowledge that a bug exists can lead [attackers] to find different bugs in the same code or similar bugs in other products.” This suggests that coordinated disclosure by the government to affected vendors wouldn’t just patch the particular vulnerabilities being exploited, but rather would help them shore up the security of our systems in new, important, and possibly unexpected ways. We already know, in non-intelligence contexts, that “bug collision,” while perhaps not common, is certainly a reality. We see no reason, and commentators like Aitel have pointed to none, that exploits developed or purchased by the government wouldn’t be subject to the same kinds of collision.

In addition, others with knowledge of the equities process, like Knake and Schwartz, are very much concerned about the risk of these vulnerabilities falling into the hands of groups “working against the national security interest of the United States.” Rather than sit back and wait for that eventuality—which Aitel dismisses without showing his work—we agree with Daniel, Knake and Schwartz and many others that the VEP needs to put defense ahead of offense in most cases.

Democratic oversight won't happen in the shadows

Above all, we can’t have the debate all sides claim to want without a shared set of data. And if outside experts are precluded from participation because they don’t have a TS/SCI clearance, then democratic oversight of the intelligence community doesn’t stand much chance.

On its face, the claim that vulnerabilities used by the U.S. are in no danger of being used by others seems particularly weak when combined with the industry’s opposition to “exclusives,” clauses accompanying exploit purchase agreements giving the U.S. exclusive rights to their use. In a piece last month, Aitel’s Lawfare colleague Susan Hennessey laid out her opposition to any such requirements. But we know for instance that the NSA buys vulnerabilities from the prolific French broker/dealer Vupen. Without any promises of exclusivity from sellers like Vupen, it’s implausible for Aitel to claim that exploits the US purchases will “almost never” fall into others’ hands. 

Suggesting that no one else will happen onto exploits used by the U.S. government seems overconfident at best, given that collisions of vulnerability disclosure are well-documented in the wild. And if disclosing vulnerabilities will truly burn “techniques” and expose “sensitive intelligence operations,” that seems like a good argument for formally weighing the equities on both sides on an individualized basis, as we advocate.

In short, we’re open to data suggesting we’re wrong about the substance of the policy, but we’re not going to let Dave Aitel tell us to “slow our roll.” (No disrespect, Dave.)

Our policy proposal draws on familiar levers—public reports and congressional oversight. Even those who say that the government’s vulnerability disclosure works fine as is, like Hennessey, have to acknowledge that there’s too much secrecy. EFF shouldn’t have had to sue to see the VEP in the first place, and we shouldn’t still be in the dark about certain details of the process. As recently as last year, the DOJ claimed under oath that merely admitting that the U.S. has “offensive” cyber capabilities would endanger national security. Raising the same argument about simply providing insight into that process is just as unpersuasive to us. If the government truly does weigh the equities and disclose the vast majority of vulnerabilities, we should have some way of seeing its criteria and verifying the outcome, even if the actual deliberations over particular bugs remain classified. 

Meanwhile, the arguments against putting limits on government use of exploits and malware—what we referred to as a “Title III for hacking”—bear even less scrutiny.

The FBI’s use of malware raises serious constitutional and legal questions, and the warrant issued in the widely publicized Playpen case arguably violates both the Fourth Amendment and Rule 41. Further problems arose at the trial stage in one Playpen prosecution when the government refused to disclose all evidence material to the defense, because it “derivatively classified" the exploit used by the FBI. The government would apparently prefer dismissal of prosecutions to disclosure, under court-supervised seal, of exploits that would reveal intelligence sources and methods, even indirectly. Thus, even where exploits are widely used for law enforcement, the government’s policy appears to be driven by the Defense Department, not the Justice Department. That ordering of priorities is incompatible with prosecuting serious crimes like child pornography. Hence, those that ask us to slow down should recognize that the alternative to a Title III for hacking is actually a series of court rulings putting a stop to the government’s use of such exploits.

Adapting Title III to hacking is also a case where public debate should inform the legislative process. We’re not worried about law enforcement and the intelligence community advocating for their vision of how technology should be used. But given calls to slow down, however, we are very concerned that there be input from the public, especially technology experts charged with defending our systems—not just exploit developers with Top Secret clearances.

var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube.com/embed/OuhYIeX7OqY??autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E'; Related Cases: The Playpen Cases: Mass Hacking by U.S. Law EnforcementEFF v. NSA, ODNI - Vulnerabilities FOIA
Share this: Join EFF
Categories: Privacy

Illinois Sets New Limits On Cell-Site Simulators

Deep Links - Thu, 08/11/2016 - 19:27

Illinois has joined the growing ranks of states limiting how police may use cell-site simulators, invasive technology devices that masquerade as cell phone towers and turn our mobile phones into surveillance devices. By adopting the Citizen Privacy Protection Act, Illinois last month joined half a dozen other states—as well as the Justice Department and one federal judge—that have reiterated the constitutional requirement for police to obtain a judicial warrant before collecting people's location and other personal information using cell-site simulators.

By going beyond a warrant requirement and prohibiting police from intercepting data and voice transmissions or conducting offensive attacks on personal devices, the Illinois law establishes a new high watermark in the battle to prevent surveillance technology from undermining civil liberties. Illinois also set an example for other states to follow by providing a powerful remedy when police violate the new law by using a cell-site simulator without a warrant: wrongfully collected information is inadmissible in court, whether to support criminal prosecution or any other government proceedings.

Tools to monitor cell phones

Cell-site simulators are sometimes called “IMSI catchers” because they seize from every cell phone within a particular area its unique International Mobile Subscriber Identity, and force those phones to connect to them, instead of real cell towers.

Early versions of the devices—such as the Stingray device used by police in major U.S. cities since at least 2007 after having been used by federal authorities since at least the 1990s—were limited to location tracking, as well as capturing and recording data and voice traffic transmitted by phones. Later versions, however, added further capabilities which policymakers in Illinois have become the first to address.

Cell phone surveillance tools have eroded constitutional rights guaranteed under the Fourth Amendment’s protection from unreasonable searches and seizures in, at minimum, tens of thousands of cases. Stingrays were deployed thousands of times in New York City alone—and even more often in Baltimore—without legislative or judicial oversight, until in 2011 a jailhouse lawyer accused of tax fraud discovered the first known reference to a “Stingray” in court documents relating to the 2008 investigation that led to his arrest and conviction.

Meanwhile, government and corporate secrecy surrounding police uses of Stingrays has undermined Fifth and Sixth Amendment rights to due process, such as the right to challenge evidence used by one’s accusers. Contracts with police departments demanded by corporate device manufacturers imposed secrecy so severe that prosecutors walked away from legitimate cases across the country rather than risk revealing Stingrays to judges by pursuing prosecutions based on Stingray-collected evidence.

Citing the constraint of a corporate non-disclosure agreement, a police officer in Baltimore even risked contempt charges by refusing to answer judicial inquiries about how police used the devices. Baltimore public defender Deborah Levi explains, “They engage in a third-party contract to violate people’s constitutional rights.”

Several states agree: Get a warrant

In one respect, Illinois is walking well-settled ground.

By requiring that state and local police agents first seek and secure a judicial order based on individualized probable cause of criminal misconduct before using a cell-site simulator, Illinois has joined half a dozen other states (including California, Washington, Utah, Minnesota, and Virginia) that have already paved that road.

At the federal level, the Justice Department took action in 2015 to require federal agencies to seek warrants before using the devices. And just two weeks before Illinois enacted its new law, a federal judge in New York ruled for the first time that defendants could exclude from trial evidence collected from an IMSI-catcher device by police who failed to first obtain a judicial order.

These decisions vindicate core constitutional rights, as well as the separation of powers and underscore that warrants are constitutionally crucial.

It's true that warrants are not particularly difficult for police to obtain when based on legitimate reasons for suspicion. When New York Court of Appeals Chief Judge Sol Wachtler observed in 1985 that any prosecutor could persuade a grand jury to “indict a ham sandwich,” he was talking about the ease with which the government can satisfy the limited scrutiny applied in any one-sided process, including that through which police routinely secure search warrants.

But while judicial warrants do not present a burdensome constraint on legitimate police searches, they play an important role in the investigative process. Warrantless searches are conducted essentially by fiat, without independent review, and potentially arbitrarily. Searches conducted pursuant to a warrant, however, bear the stamp of impartial judicial review and approval.

Warrants ensure, for instance, that agencies do not treat their public safety mandate as an excuse to pursue personal vendettas, or the kinds of stalking “LOVEINT” abuses to which NSA agents and contractors have occasionally admitted. Requiring authorization from a neutral magistrate, put simply, maintains civilian control over police.

Despite its importance and ease for authorities to satisfy, the warrant requirement has ironically suffered frequent erosion by the courts—making all the more important efforts by states like Illinois to legislatively reiterate and expand it.

But in two important respects beyond the warrant requirement, the Illinois Citizen Privacy Protection Act breaks new ground. 

Breaking new ground: Allowing an exclusionary remedy

First, the Illinois law is the first policy of its kind in the country that carries a price for law enforcement agencies that violate the warrant requirement. If police use a cell-site simulator to gather information without securing a judicial order, then courts will suppress that information and exclude it from any consideration at trial.

This vindicates the rights of accused individuals by enabling them to exclude illegally collected evidence. It also helps ensure that police use their powerful authorities for only legitimate reasons based on probable cause to suspect criminal activity, rather than fishing expeditions without real proof of misconduct, or for that matter, the personal, racial, or financial biases of police officers.

Like the warrant requirement created to limit the powers of police agencies, the exclusionary rule on which the judiciary relies to enforce the warrant requirement has endured doctrinal erosion over the past generation. Courts have allowed one exception after another, allowing prosecutors to use “fruits of the poisonous tree” in criminal trials despite violations of constitutional rights committed by police when collecting them.

In this context, the new statute in Illinois represents a crucial public policy choice explicitly extending the critical protections of the warrant requirement and exclusionary rule.

Breaking new ground: Prohibiting offensive uses

The new Illinois law also limits the purposes for which cell-site simulators may be used, even pursuant to a judicial order. It flatly prohibits several particularly offensive uses that remain largely overlooked elsewhere.

When Stingrays (and their frequent secret use by local police departments across the country) first attracted attention, most concerns addressed the location tracking capabilities of the device’s first generation, obtained by domestic police departments as early as 2003.

But while Stingrays presented profound constitutional concerns 10 years ago, they present even greater concerns now, because of technology advancements in the past decade enabling stronger surveillance and even militaristic offensive capabilities. Unlike early versions of the devices that could be used only for location monitoring or gathering metadata, later versions, such as the Triggerfish, Hailstorm and Stargrazer series, can be used to intercept voice communications or browsing history in real-time, mount offensive denial of service attacks on a phone, or even plant malware on a device.

Recognizing how invasive the latest versions of IMSI-catchers can be, legislators in Illinois authorized police to use cell-site simulators in only two ways: after obtaining a warrant, police may use the devices to locate or track a known device, or instead to identify an unknown device.

Even if supported by a judicial order, the Citizen Privacy Protection Act affirmatively bans all other uses of these devices. Prohibited activities include intercepting the content or metadata of phone calls or text messages, planting malware on someone’s phone, or blocking a device from communicating with other devices.

The use limitations enshrined in Illinois law are among the first of their kind in the country.

The Illinois statute also requires police to delete any data (within 24 hours after location tracking, or within 72 hours of identifying a device) incidentally obtained from third parties, such as non-targets whose devices are forced to connect to a cell-site simulator. These requirements are similar to those announced by a federal magistrate judge in Illinois who in November 2015 imposed on a federal drug investigation minimization requirements including an order to “immediately destroy all data other than the data identifying the cell phone used by the target. The destruction must occur within forty-eight hours after the data is captured.”

Enhancing security through transparency

Beyond enforcing constitutional limits on the powers of law enforcement agencies, and protecting individual rights at stake, the new law in Illinois also appropriately responds to an era of executive secrecy.

The secrecy surrounding law enforcement uses of IMSI-catchers has also compromised security. As the ACLU’s Chris Soghoian has explained alongside Stephanie Pell from West Point’s Army Cyber Institute and Stanford University, “the general threat that [any particular] technology poses to the security of cellular networks” could outweigh its “increasing general availability at decreasing prices.” With respect to cell-site simulators, in particular:

[C]ellular interception capabilities and technology have become, for better or worse, globalized and democratized, placing Americans’ cellular communications at risk of interception from foreign governments, criminals, the tabloid press and virtually anyone else with sufficient motive to capture cellular content in transmission. Notwithstanding this risk, US government agencies continue to treat practically everything about this cellular interception technology, as a closely guarded, necessarily secret “source and method,” shrouding the technical capabilities and limitations of the equipment from public discussion….

Given the persistent secrecy surrounding IMSI-catchers and the unknown risks they pose to both individual privacy and network security, the statutory model adopted by Illinois represents a milestone not only for civil liberties but also for the security of our technological devices. Khadine Bennett from the ACLU of Illinois explained the new law’s importance in terms of the secrecy pervading how police have used cell-site simulators:

For so long, uses of IMSI-catchers such as Stingrays have been behind the scenes, enabling searches like the pat down of thousands of cell phones at once without the users ever even knowing it happened. It’s exciting to see Illinois adopt a measure to ensure that these devices are used responsibly and appropriately, and I hope to see more like it emerge around the country.

EFF enthusiastically agrees with Ms. Bennett. If you’d like to see the Citizen Privacy Protection Act’s groundbreaking requirements adopted in your state, you can find support through the Electronic Frontier Alliance.

var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube.com/embed/OuhYIeX7OqY??autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E';
Share this: Join EFF
Categories: Privacy

EFF Announces 2016 Pioneer Award Winners: Malkia Cyril of the Center for Media Justice, Data Protection Activist Max Schrems, the Authors of ‘Keys Under Doormats,’ and the Lawmakers Behind CalECPA

Deep Links - Tue, 08/09/2016 - 15:45
Ceremony for Honorees on September 21 in San Francisco

San Francisco - The Electronic Frontier Foundation (EFF) is pleased to announce the distinguished winners of the 2016 Pioneer Awards: Malkia Cyril of the Center for Media Justice, data protection activist Max Schrems, the authors of the “Keys Under Doormats” report that counters calls to break encryption, and the lawmakers behind CalECPA—a groundbreaking computer privacy law for Californians.

The award ceremony will be held the evening of September 21 at Delancey Street’s Town Hall Room in San Francisco. The keynote speaker is award-winning investigative journalist Julia Angwin, whose work on corporate invasions of privacy has uncovered the myriad ways companies collect and control personal information. Her recent articles have sought to hold algorithms accountable for the important decisions they make about our lives. Tickets are $65 for current EFF members, or $75 for non-members.  

Malkia A. Cyril is the founder and executive director of the Center for Media Justice and co-founder of the Media Action Grassroots Network, a national network of community-based organizations working to ensure racial and economic justice in a digital age. Cyril is one of few leaders of color in the movement for digital rights and freedom, and a leader in the Black Lives Matter Network—helping to bring important technical safeguards and surveillance countermeasures to people across the country who are fighting to reform systemic racism and violence in law enforcement. Cyril is also a prolific writer and public speaker on issues ranging from net neutrality to the communication rights of prisoners. Their comments have been featured in publications like Politico, Motherboard, and Essence Magazine, as well as three documentary films. Cyril is a Prime Movers fellow, a recipient of the 2012 Donald H. McGannon Award for work to advance the roles of women and people of color in the media reform movement, and won the 2015 Hugh Hefner 1st Amendment Award for framing net neutrality as a civil rights issue.

Max Schrems is a data protection activist, lawyer, and author whose lawsuits over U.S. companies’ handling of European Union citizens’ personal information have changed the face of international data privacy. Since 2011 he has worked on the enforcement of EU data protection law, arguing that untargeted wholesale spying by the U.S. government on Internet communications undermines the EU’s strict data protection standards. One lawsuit that reached the European Court of Justice led to the invalidation of the “Safe Harbor” agreement between the U.S. and the EU, forcing governments around the world to grapple with the conflict between U.S. government surveillance practices and the privacy rights of citizens around the world. Another legal challenge is a class action lawsuit with more than 25,000 members currently pending at the Austrian Supreme Court. Schrems is also the founder of “Europe v Facebook,” a group that pushes for social media privacy reform at Facebook and other companies, calling for data collection minimization, opt-in policies instead of opt-outs, and transparency in data collection.

The “Keys Under Doormats” report has been central to grounding the current encryption debates in scientific realities. Published in July of 2015, it emerged just as calls to break encryption with “backdoors” or other access points for law enforcement were becoming pervasive in Congress, but before the issue came into the global spotlight with the FBI’s efforts against Apple earlier this year. “Keys Under Doormats” both reviews the underlying technical considerations of the earlier encryption debate of the 1990s and examines the modern systems realities, creating a compelling, comprehensive, and scientifically grounded argument to protect and extend the availability of encrypted digital information and communications. The authors of the report are all security experts, building the case that weakening encryption for surveillance purposes could never allow for any truly secure digital transactions. The “Keys Under Doormats” authors are Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, and Daniel J. Weitzner. Work on the report was coordinated by the MIT Internet Policy Research Initiative.

CalECPA—the California Electronic Communications Privacy Act—is a landmark law that safeguards privacy and free speech rights. CalECPA requires that a California government entity gets a warrant to search electronic devices or compel access to any electronic information, like email, text messages, documents, metadata, and location information—whether stored on the electronic device itself or online in the “cloud.” CalECPA gave California the strongest digital privacy law in the nation and helps prevent abuses before they happen. In many states without this protection, police routinely claim the authority to search sensitive electronic information about who we are, where we go, and what we do—without a warrant. CalECPA was introduced by California State Senators Mark Leno (D-San Francisco) and Joel Anderson (R-Alpine), who both fought for years to get stronger digital privacy protections for Californians. Leno has been a champion of improved transportation, renewable energy, and equal rights for all, among many other issues. Anderson regularly works across party lines to protect consumer privacy in the digital world.

“We are honored to announce this year’s Pioneer Award winners, and to celebrate the work they have done to make communications private, safe, and secure,” said EFF Executive Director Cindy Cohn. “The Internet is an unprecedented tool for everything from activism to research to commerce, but it will only stay that way if everyone can trust their technology and the systems it relies on. With this group of pioneers, we are building a digital future we can all be proud of.”

Awarded every year since 1992, EFF’s Pioneer Awards recognize the leaders who are extending freedom and innovation on the electronic frontier. Previous honorees have included Aaron Swartz, Citizen Lab, Richard Stallman, and Anita Borg.

Sponsors of the 2016 Pioneer Awards include Adobe, Airbnb, Dropbox, Facebook, and O’Reilly Media.

To buy tickets to the Pioneer Awards:
https://www.eff.org/Pioneer2016

var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube.com/embed/OuhYIeX7OqY??autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E'; Contact:  RebeccaJeschkeMedia Relations Director and Digital Rights Analystpress@eff.org
Share this: Join EFF
Categories: Privacy

EFF Announces 2016 Pioneer Award Winners: Malkia Cyril of the Center for Media Justice, Data Protection Activist Max Schrems, the Authors of ‘Keys Under Doormats,’ and the Lawmakers Behind CalECPA

EFF Press Releases - Tue, 08/09/2016 - 15:45
Ceremony for Honorees on September 21 in San Francisco

San Francisco - The Electronic Frontier Foundation (EFF) is pleased to announce the distinguished winners of the 2016 Pioneer Awards: Malkia Cyril of the Center for Media Justice, data protection activist Max Schrems, the authors of the “Keys Under Doormats” report that counters calls to break encryption, and the lawmakers behind CalECPA—a groundbreaking computer privacy law for Californians.

The award ceremony will be held the evening of September 21 at Delancey Street’s Town Hall Room in San Francisco. The keynote speaker is award-winning investigative journalist Julia Angwin, whose work on corporate invasions of privacy has uncovered the myriad ways companies collect and control personal information. Her recent articles have sought to hold algorithms accountable for the important decisions they make about our lives. Tickets are $65 for current EFF members, or $75 for non-members.  

Malkia A. Cyril is the founder and executive director of the Center for Media Justice and co-founder of the Media Action Grassroots Network, a national network of community-based organizations working to ensure racial and economic justice in a digital age. Cyril is one of few leaders of color in the movement for digital rights and freedom, and a leader in the Black Lives Matter Network—helping to bring important technical safeguards and surveillance countermeasures to people across the country who are fighting to reform systemic racism and violence in law enforcement. Cyril is also a prolific writer and public speaker on issues ranging from net neutrality to the communication rights of prisoners. Their comments have been featured in publications like Politico, Motherboard, and Essence Magazine, as well as three documentary films. Cyril is a Prime Movers fellow, a recipient of the 2012 Donald H. McGannon Award for work to advance the roles of women and people of color in the media reform movement, and won the 2015 Hugh Hefner 1st Amendment Award for framing net neutrality as a civil rights issue.

Max Schrems is a data protection activist, lawyer, and author whose lawsuits over U.S. companies’ handling of European Union citizens’ personal information have changed the face of international data privacy. Since 2011 he has worked on the enforcement of EU data protection law, arguing that untargeted wholesale spying by the U.S. government on Internet communications undermines the EU’s strict data protection standards. One lawsuit that reached the European Court of Justice led to the invalidation of the “Safe Harbor” agreement between the U.S. and the EU, forcing governments around the world to grapple with the conflict between U.S. government surveillance practices and the privacy rights of citizens around the world. Another legal challenge is a class action lawsuit with more than 25,000 members currently pending at the Austrian Supreme Court. Schrems is also the founder of “Europe v Facebook,” a group that pushes for social media privacy reform at Facebook and other companies, calling for data collection minimization, opt-in policies instead of opt-outs, and transparency in data collection.

The “Keys Under Doormats” report has been central to grounding the current encryption debates in scientific realities. Published in July of 2015, it emerged just as calls to break encryption with “backdoors” or other access points for law enforcement were becoming pervasive in Congress, but before the issue came into the global spotlight with the FBI’s efforts against Apple earlier this year. “Keys Under Doormats” both reviews the underlying technical considerations of the earlier encryption debate of the 1990s and examines the modern systems realities, creating a compelling, comprehensive, and scientifically grounded argument to protect and extend the availability of encrypted digital information and communications. The authors of the report are all security experts, building the case that weakening encryption for surveillance purposes could never allow for any truly secure digital transactions. The “Keys Under Doormats” authors are Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, and Daniel J. Weitzner. Work on the report was coordinated by the MIT Internet Policy Research Initiative.

CalECPA—the California Electronic Communications Privacy Act—is a landmark law that safeguards privacy and free speech rights. CalECPA requires that a California government entity gets a warrant to search electronic devices or compel access to any electronic information, like email, text messages, documents, metadata, and location information—whether stored on the electronic device itself or online in the “cloud.” CalECPA gave California the strongest digital privacy law in the nation and helps prevent abuses before they happen. In many states without this protection, police routinely claim the authority to search sensitive electronic information about who we are, where we go, and what we do—without a warrant. CalECPA was introduced by California State Senators Mark Leno (D-San Francisco) and Joel Anderson (R-Alpine), who both fought for years to get stronger digital privacy protections for Californians. Leno has been a champion of improved transportation, renewable energy, and equal rights for all, among many other issues. Anderson regularly works across party lines to protect consumer privacy in the digital world.

“We are honored to announce this year’s Pioneer Award winners, and to celebrate the work they have done to make communications private, safe, and secure,” said EFF Executive Director Cindy Cohn. “The Internet is an unprecedented tool for everything from activism to research to commerce, but it will only stay that way if everyone can trust their technology and the systems it relies on. With this group of pioneers, we are building a digital future we can all be proud of.”

Awarded every year since 1992, EFF’s Pioneer Awards recognize the leaders who are extending freedom and innovation on the electronic frontier. Previous honorees have included Aaron Swartz, Citizen Lab, Richard Stallman, and Anita Borg.

Sponsors of the 2016 Pioneer Awards include Adobe, Airbnb, Dropbox, Facebook, and O’Reilly Media.

To buy tickets to the Pioneer Awards:
https://www.eff.org/Pioneer2016

Contact:  RebeccaJeschkeMedia Relations Director and Digital Rights Analystpress@eff.org
Share this: Join EFF
Categories: Privacy

Stand Up for Open Access. Stand Up for Diego.

Deep Links - Tue, 08/09/2016 - 14:30

Diego Gomez is a recent biology graduate from the University of Quindío, a small university in Colombia. His research interests are reptiles and amphibians. Since the university where he studied didn’t have a large budget for access to academic databases, he did what any other science grad student would do: he found the resources he needed online. Sometimes he shared the research he discovered, so that others could benefit as well.

In 2011, Diego shared another student’s Master’s thesis with colleagues over the Internet. That simple act—something that many people all over the world do every day—put Diego at risk of spending years in prison. In Colombia, copying and distribution of copyrighted works without permission can lead to criminal charges of up to eight years if the prosecution can show it hurt the commercial rights of the author (derechos patrimoniales).

We’ve been following Diego’s trial over the past year, and closing arguments are scheduled for this week. Today, we join open access allies all over the world in standing with Diego.

Support Open Access Worldwide

EFF believes that extreme criminal penalties for copyright infringement can chill people’s right of free expression, limit the public’s access to knowledge, and quell scientific research. That’s particularly true in countries like Colombia that pay lip service to free speech and access to education (which are expressly recognized as basic rights in Colombia’s Constitution) but don’t have the robust fair use protections that help ensure copyright doesn’t stymie those commitments.

Diego’s case also serves as a wake-up call: it’s time for open access to become the global standard for academic publishing.

The movement for open access is not new, but it seems to be accelerating. Even since we started following Diego’s case in 2014, many parts of the scientific community have begun to fully embrace open access publishing. Dozens of universities have adopted open access policies requiring that university research be made open, either through publishing in open access journals or by archiving papers in institutional repositories. This year’s groundbreaking discovery on gravitational waves—certainly one of the most important scientific discoveries of the decade—was published in an open access journal under a Creative Commons license. Here in the U.S., it’s becoming more and more clear that an open access mandate for federally funded research will be written into law; it’s just a matter of when. The tide is changing, and open access will win.

But for researchers like Diego who face prison time right now, the movement is not accelerating quickly enough. Open access could have saved Diego from the risk of spending years in prison.

Many people reading this remember the tragic story of Aaron Swartz. When Aaron died, he was facing severe penalties for accessing millions of articles via MIT’s computer network without "authorization." Diego’s case differs from Aaron’s in a lot of ways, but in one important way, they’re exactly the same: if all academic research were published openly, neither of them would have been in trouble for anything.

When laws punish intellectual curiosity and scientific research, everyone suffers; not just researchers, but also the people and species who would benefit from their research. Copyright law is supposed to foster innovation, not squash it.

Please join us in standing with Diego. Together, we can fight for a time when everyone can access and share the world’s research.

Support Open Access Worldwide

var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube.com/embed/OuhYIeX7OqY??autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E';
Share this: Join EFF
Categories: Privacy

DRM: You have the right to know what you're buying!

Deep Links - Fri, 08/05/2016 - 15:06

Today, the EFF and a coalition of organizations and individuals asked the US Federal Trade Commission (FTC) to explore fair labeling rules that would require retailers to warn you when the products you buy come locked down by DRM ("Digital Rights Management" or "Digital Restrictions Management"). 

These digital locks train your computerized devices to disobey you when you ask them to do things the manufacturer didn't specifically authorize -- even when those things are perfectly legal. Companies that put digital locks on their products -- ebook, games and music publishers, video companies, companies that make hardware from printers to TVs to cat litter trays -- insist that DRM benefits their customers, by allowing the companies to offer products at a lower price by taking away some of the value -- you can "rent" an ebook or a movie, or get a printer at a price that only makes sense if you also have to buy expensive replacement ink.

We don't buy it. We think that the evidence is that customers don't much care for DRM (when was the last time you woke up and said, "Gosh, I wish there was a way I could do less with my games?"). Studies agree.

The FTC is in charge of making sure that Americans don't get ripped off when they buy things. We've written the Commission a letter, drafted and signed by a diverse coalition of public interest groups, publishers, and rightsholders, calling on the agency to instruct retailers to inform potential customers of the restrictions on the products they're selling. In a separate letter, we detail the stories of 22 EFF supporters who unwittingly purchased DRM-encumbered products and later found themselves unable to enjoy their purchases (a travel guide that required a live internet connection to unlock, making it unreadable on holiday), or locked into an abusive relationship with their vendors (a cat litter box that only worked if resupplied with expensive detergent), or even had other equipment they owned rendered permanently inoperable by the DRM in a new purchase (for example, a game that "bricked" a customer's DVD-RW drive).

Now the FTC has been equipped with evidence that there are real harms, and that rightsholders are willing to have fair labeling practices, the FTC should act. And if the DRM companies are so sure that their customers love their products, why would they object?

EFF is currently suing the US government to invalidate Section 1201 of the DMCA, a law that has been used to threaten research into the security risks of DRM and inhibit the development of products and tools that break digital locks -- again, even if the purpose is otherwise legal (like letting you read your books on an alternate reader, or put a different brand of perfume in your cat litter box). Until we win our lawsuit, people who buy DRM-locked products are unlikely to be rescued from their lock-in by add-ons that restore functionality to their property. That makes labeling especially urgent: it's bad enough to be stuck with product that is defective by design, but far worse if those defects can't be fixed without risking legal retaliation.

For the full letter to the FTC about labeling:
https://www.eff.org/document/eff-letter-ftc-re-drm-labeling

For the full letter to the FTC with the stories of people who've been harmed by DRM they weren't informed of:
https://www.eff.org/files/2016/08/06/eff_request_for_investigation_re_labeling_drm-limited_products.pdf

var mytubes = new Array(1); mytubes[1] = '%3Ciframe src=%22https://www.youtube.com/embed/OuhYIeX7OqY??autoplay=1%22 allowfullscreen=%22%22 frameborder=%220%22 height=%22315%22 width=%22560%22%3E%3C/iframe%3E';
Share this: Join EFF
Categories: Privacy
Syndicate content