Group items tagged

Until just last week, the U.S. government kept up the charade that its use of a stockpile of security vulnerabilities for hacking was a closely held secret.1 In fact, in response to EFF’s FOIA suit to get access to the official U.S. policy on zero days, the government redacted every single reference to “offensive” use of vulnerabilities. To add insult to injury, the government’s claim was that even admitting to offensive use would cause damage to national security. Now, in the face of EFF’s brief marshaling overwhelming evidence to the contrary, the charade is over. In response to EFF’s motion for summary judgment, the government has disclosed a new version of the Vulnerabilities Equities Process, minus many of the worst redactions. First and foremost, it now admits that the “discovery of vulnerabilities in commercial information technology may present competing ‘equities’ for the [government’s] offensive and defensive mission.” That might seem painfully obvious—a flaw or backdoor in a Juniper router is dangerous for anyone running a network, whether that network is in the U.S. or Iran. But the government’s failure to adequately weigh these “competing equities” was so severe that in 2013 a group of experts appointed by President Obama recommended that the policy favor disclosure “in almost all instances for widely used code.” [.pdf].

The newly disclosed version of the Vulnerabilities Equities Process (VEP) also officially confirms what everyone already knew: the use of zero days isn’t confined to the spies. Rather, the policy states that the “law enforcement community may want to use information pertaining to a vulnerability for similar offensive or defensive purposes but for the ultimate end of law enforcement.” Similarly it explains that “counterintelligence equities can be defensive, offensive, and/or law enforcement-related” and may “also have prosecutorial responsibilities.” Given that the government is currently prosecuting users for committing crimes over Tor hidden services, and that it identified these individuals using vulnerabilities called a “Network Investigative Technique”, this too doesn’t exactly come as a shocker. Just a few weeks ago, the government swore that even acknowledging the mere fact that it uses vulnerabilities offensively “could be expected to cause serious damage to the national security.” That’s a standard move in FOIA cases involving classified information, even though the government unnecessarily classifies documents at an astounding rate. In this case, the government relented only after nearly a year and a half of litigation by EFF. The government would be well advised to stop relying on such weak secrecy claims—it only risks undermining its own credibility.

The new version of the VEP also reveals significantly more information about the general process the government follows when a vulnerability is identified. In a nutshell, an agency that discovers a zero day is responsible for invoking the VEP, which then provides for centralized coordination and weighing of equities among all affected agencies. Along with a declaration from an official at the Office of the Director of National Intelligence, this new information provides more background on the reasons why the government decided to develop an overarching zero day policy in the first place: it “recognized that not all organizations see the entire picture of vulnerabilities, and each organization may have its own equities and concerns regarding the prioritization of patches and fixes, as well as its own distinct mission obligations.” We now know the VEP was finalized in February 2010, but the government apparently failed to implement it in any substantial way, prompting the presidential review group’s recommendation to prioritize disclosure over offensive hacking. We’re glad to have forced a little more transparency on this important issue, but the government is still foolishly holding on to a few last redactions, including refusing to name which agencies participate in the VEP. That’s just not supportable, and we’ll be in court next month to argue that the names of these agencies must be disclosed. 

EFF, Human Rights Watch, and Over 70 Civil Society Groups Ask Mark Zuckerberg to Provide All Users with Mechanism to Appeal Content Censorship on Facebook World’s Freedom of Expression Is In Your Hands, Groups Tell CEO San Francisco—The Electronic Frontier Foundation (EFF) and more than 70 human and digital rights groups called on Mark Zuckerberg today to add real transparency and accountability to Facebook’s content removal process. Specifically, the groups demand that Facebook clearly explain how much content it removes, both rightly and wrongly, and provide all users with a fair and timely method to appeal removals and get their content back up. While Facebook is under enormous—and still mounting—pressure to remove material that is truly threatening, without transparency, fairness, and processes to identify and correct mistakes, Facebook’s content takedown policies too often backfire and silence the very people that should have their voices heard on the platform.  Politicians, museums, celebrities, and other high profile groups and individuals whose improperly removed content can garner media attention seem to have little trouble reaching Facebook to have content restored—they sometimes even receive an apology. But the average user? Not so much. Facebook only allows people to appeal content decisions in a limited set of circumstances, and in many cases, users have absolutely no option to appeal. Onlinecensorship.org, an EFF project for users to report takedown notices, has collected reports of hundreds of unjustified takedown incidents where appeals were unavailable. For most users, content Facebook removes is rarely restored, and some are banned from the platform for no good reason. EFF, Article 19, the Center for Democracy and Technology, and Ranking Digital Rights wrote directly to Mark Zuckerberg today demanding that Facebook implement common sense standards so that average users can easily appeal content moderation decisions, receive prompt replies and timely review by a human or humans, and have the opportunity to present evidence during the review process. The letter was co-signed by more than 70 human rights, digital rights, and civil liberties organizations from South America, Europe, the Middle East, Asia, Africa, and the U.S.

he National Security Agency (NSA) collected over 530 million phone records of Americans in 2017—that's three times the amount the spy agency sucked up in 2016. The figures were released Friday in an annual report from the Office of the Director of National Intelligence (ODNI). It shows that the number of "call detail records" the agency collected from telecommunications providers during Trump's first year in office was 534 million, compared to 151 million the year prior. "The intelligence community's transparency has yet to extend to explaining dramatic increases in their collection," said Robyn Greene, policy counsel at the Open Technology Institute. The content of the calls itself is not collected but so-called "metadata," which, as Gizmodo notes, "is supposedly anonymous, but it can easily be used to identify an individual. The information can also be paired with other publicly available information from social media and other sources to paint a surprisingly detailed picture of a person's life." The report also revealed that the agency, using its controversial Section 702 authority, increased the number of foreign targets of warrantless surveillance. It was 129,080 in 2017 compared to 106,469 in 2016. As digital rights group EFF noted earlier this year, Under Section 702, the NSA collects billions of communications, including those belonging to innocent Americans who are not actually targeted. These communications are then placed in databases that other intelligence and law enforcement agencies can access—for purposes unrelated to national security—without a warrant or any judicial review. "Overall," Jake Laperruque, senior counsel at the Project On Government Oversight, said to ZDNet, "the numbers show that the scale of warrantless surveillance is growing at a significant rate, but ODNI still won't tell Americans how much it affects them."

The International Telecommunication Union (ITU) will hold the World Conference on International Telecommunications (WCIT-12) in December in Dubai, an all-important treaty-writing event where ITU Member States will discuss the proposed revisions to the International Telecommunication Regulations (ITR). The ITU is a United Nations agency responsible for international telecom regulation, a bureaucratic, slow-moving, closed regulatory organization that issues treaty-level provisions for international telecommunication networks and services. The ITR, a legally binding international treaty signed by 178 countries, defines the boundaries of ITU’s regulatory authority and provides "general principles" on international telecommunications. However, media reports indicate that some proposed amendments to the ITR—a negotiation that is already well underway—could potentially expand the ITU’s mandate to encompass the Internet.

The International Telecommunication Union (ITU) will hold the World Conference on International Telecommunications (WCIT-12) in December in Dubai, an all-important treaty-writing event where ITU Member States will discuss the proposed revisions to the International Telecommunication Regulations (ITR). The ITU is a United Nations agency responsible for international telecom regulation, a bureaucratic, slow-moving, closed regulatory organization that issues treaty-level provisions for international telecommunication networks and services. The ITR, a legally binding international treaty signed by 178 countries, defines the boundaries of ITU’s regulatory authority and provides "general principles" on international telecommunications. However, media reports indicate that some proposed amendments to the ITR—a negotiation that is already well underway—could potentially expand the ITU’s mandate to encompass the Internet. In similar fashion to the secrecy surrounding ACTA and TPP, the ITR proposals are being negotiated in secret, with high barriers preventing access to any negotiating document. While aspiring to be a venue for Internet policy-making, the ITU Member States do not appear to be very open to the idea of allowing all stakeholders (including civil society) to participate. The framework under which the ITU operates does not allow for any form of open participation. Mere access to documents and decision-makers is sold by the ITU to corporate “associate” members at prohibitively high rates. Indeed, the ITU’s business model appears to depend on revenue generation from those seeking to ‘participate’ in its policy-making processes. This revenue-based principle of policy-making is deeply troubling in and of itself, as the objective of policy making should be to reach the best possible outcome.

EFF, European Digital Rights, CIPPIC and CDT and a coalition of civil society organizations from around the world are demanding that the ITU Secretary General, the  WCIT-12 Council Working Group, and ITU Member States open up the WCIT-12 and the Council working group negotiations, by immediately releasing all the preparatory materials and Treaty proposals. If it affects the digital rights of citizens across the globe, the public needs to know what is going on and deserves to have a say. The Council Working Group is responsible for the preparatory work towards WCIT-12, setting the agenda for and consolidating input from participating governments and Sector Members. We demand full and meaningful participation for civil society in its own right, and without cost, at the Council Working Group meetings and the WCIT on equal footing with all other stakeholders, including participating governments. A transparent, open process that is inclusive of civil society at every stage is crucial to creating sound policy.

Brussels, 18 March 2013 -- More than 35 European and United States civil society organisations insist that a proposed trade agreement between the EU and the US exclude any provisions related to patents, copyright, trademarks, or other forms of so-called "intellectual property". Such provisions could impede citizens' rights to health, culture, and free expression and otherwise affect their daily lives.

The civil society organisations also insist that the EU and US will release the negotiating texts of the trade agreement they intend to negotiate. They believe that secretive "trade" negotiations are absolutely unacceptable forums for devising binding rules that change national non-trade laws.

We, the undersigned, are internet freedom and public health groups, activists, and other public interest leaders dedicated to the rights of all people to access cultural and educational resources and affordable medicines, to enjoy a free and open internet, and to benefit from open and needs-driven innovation. First, we insist that the European Union and United States release, in timely and ongoing fashion, any and all negotiating or pre-negotiation texts. We believe that secretive "trade" negotiations are absolutely unacceptable forums for devising binding rules that change national non-trade laws. Second, we insist that the proposed TAFTA exclude any provisions related to patents, copyright, trademarks, data protection, geographical indications, or other forms of so-called "intellectual property". Such provisions could impede our rights to health, culture, and free expression and otherwise affect our daily lives.

Amid a growing call for new cybersecurity protections in the United States, the US government has issued a report that reconfirms Washington’s interest in shutting down WikiLeaks and other underground information-sharing organizations. In Washington, DC on Wednesday, Attorney General Eric Holder unveiled a new White House report that is meant to address further the growing threats malicious hackers are posing on America’s computer networks and the information stored therein.

The American Civil Liberties Union (ACLU) has filed a motion to reveal the secret court opinions with “novel or significant interpretations” of surveillance law, in a renewed push for government transparency. The motion, filed Wednesday by the ACLU and Yale Law School’s Media Freedom and Information Access Clinic, asks the Foreign Intelligence Surveillance Act (FISA) Court, which rules on intelligence gathering activities in secret, to release 23 classified decisions it made between 9/11 and the passage of the USA Freedom Act in June 2015. As ACLU National Security Project staff attorney Patrick Toomey explains, the opinions are part of a “much larger collection of hidden rulings on all sorts of government surveillance activities that affect the privacy rights of Americans.” Among them is the court order that the government used to direct Yahoo to secretly scanits users’ emails for “a specific set of characters.” Toomey writes: These court rulings are essential for the public to understand how federal laws are being construed and implemented. They also show how constitutional protections for personal privacy and expressive activities are being enforced by the courts. In other words, access to these opinions is necessary for the public to properly oversee their government.

Although the USA Freedom Act requires the release of novel FISA court opinions on surveillance law, the government maintains that the rule does not apply retroactively—thereby protecting the panel from publishing many of its post-9/11 opinions, which helped create an “unprecedented buildup” of secret surveillance laws. Even after National Security Agency (NSA) whistleblower Edward Snowden revealed the scope of mass surveillance in 2013, sparking widespread outcry, dozens of rulings on spying operations remain hidden from the public eye, which stymies efforts to keep the government accountable, civil liberties advocates say. “These rulings are necessary to inform the public about the scope of the government’s surveillance powers today,” the ACLU’s motion states.

Toomey writes that the rulings helped influence a number of novel spying activities, including: The government’s use of malware, which it calls “Network Investigative Techniques” The government’s efforts to compel technology companies to weaken or circumvent their own encryption protocols The government’s efforts to compel technology companies to disclose their source code so that it can identify vulnerabilities The government’s use of “cybersignatures” to search through internet communications for evidence of computer intrusions The government’s use of stingray cell-phone tracking devices under the Foreign Intelligence Surveillance Act (FISA) The government’s warrantless surveillance of Americans under FISA Section 702—a controversial authority scheduled to expire in December 2017 The bulk collection of financial records by the CIA and FBI under Section 215 of the Patriot Act Without these rulings being made public, “it simply isn’t possible to understand the government’s claimed authority to conduct surveillance,” Toomey writes. As he told The Intercept on Wednesday, “The people of this country can’t hold the government accountable for its surveillance activities unless they know what our laws allow. These secret court opinions define the limits of the government’s spying powers. Their disclosure is essential for meaningful public oversight in our democracy.”

A bipartisan pair of lawmakers is expressing alarm at reported changes at the National Security Agency that would allow the intelligence service’s information to be used for policing efforts in the United States.“If media accounts are true, this radical policy shift by the NSA would be unconstitutional, and dangerous,” Reps. Ted Lieu (D-Calif.) and Blake FarentholdBlake FarentholdLawmakers warn of 'radical' move by NSA to share information Overnight Tech: Netflix scores win over Postal Service Lawmakers go green for St. Patrick's Day MORE (R-Texas) wrote in a letter to the spy agency this week. “The proposed shift in the relationship between our intelligence agencies and the American people should not be done in secret.ADVERTISEMENT“NSA’s mission has never been, and should never be, domestic policing or domestic spying.”The NSA has yet to publicly announce the change, but The New York Times reported last month that the administration was poised to expand the agency's ability to share information that it picks up about people’s communications with other intelligence agencies.The modification would open the door for the NSA to give the FBI and other federal agencies uncensored communications of foreigners and Americans picked up incidentally — but without a warrant — during sweeps.  

Robert Litt, the general counsel at the Office of the Director of National Intelligence, told the Times that it was finalizing a 21-page draft of procedures to allow the expanded sharing.  Separately, the Guardian reported earlier this month that the FBI had quietly changed its internal privacy rules to allow direct access to the NSA’s massive storehouse of communication data picked up on Internet service providers and websites.The revelations unnerved civil liberties advocates, who encouraged lawmakers to demand answers of the spy agency.“Under a policy like this, information collected by the NSA would be available to a host of federal agencies that may use it to investigate and prosecute domestic crimes,” said Neema Singh Guliani, legislative counsel and the American Civil Liberties Union. “Making such a change without authorization from Congress or the opportunity for debate would ignore public demands for greater transparency and oversight over intelligence activities.”In their letter this week, Lieu and Farenthold warned that the NSA’s changes would undermine Congress and unconstitutionally violate people’s privacy rights.   

“The executive branch would be violating the separation of powers by unilaterally transferring warrantless data collected under the NSA’s extraordinary authority to domestic agencies, which do not have such authority,” they wrote.“Domestic law enforcement agencies — which need a warrant supported by probable cause to search or seize — cannot do an end run around the Fourth Amendment by searching warrantless information collected by the NSA.”

“WE APPRECIATE THAT there are times when secrecy around a government warrant is needed,” Microsoft President Brad Smith wrote in a blog post on Thursday. “But based on the many secrecy orders we have received, we question whether these orders are grounded in specific facts that truly demand secrecy. To the contrary, it appears that the issuance of secrecy orders has become too routine.” With those words, Smith announced that Microsoft was suing the Department of Justice for the right to inform its customers when the government is reading their emails. The last big fight between the Justice Department and Silicon Valley was started by law enforcement, when the FBI demanded that Apple unlock a phone used by San Bernardino killer Syed Rizwan Farook. This time, Microsoft is going on the offensive. The move is welcomed by privacy activists as a step forward for transparency — though it’s also for business reasons.

Secret government searches are eroding people’s trust in the cloud, Smith wrote — including large and small businesses now keeping massive amounts of records online. “The transition to the cloud does not alter people’s expectations of privacy and should not alter the fundamental constitutional requirement that the government must — with few exceptions — give notice when it searches and seizes private information or communications,” he wrote. According to the complaint, Microsoft received 5,624 federal demands for customer information or data in the past 18 months. Almost half — 2,576 — came with gag orders, and almost half of those — 1,752 — had “no fixed end date” by which Microsoft would no longer be sworn to secrecy. These requests, though signed off on by a judge, qualify as unconstitutional searches, the attorneys argue. It “violates both the Fourth Amendment, which affords people and businesses the right to know if the government searches or seizes their property, and the First Amendment, which enshrines Microsoft’s rights to talk to its customers and to discuss how the government conducts its investigations — subject only to restraints narrowly tailored to serve compelling government interests,” they wrote.

An amendment to the Jumpstart Our Business Startups Act, H.R. 3606, submitted by Sen. Ronald L. Wyden (D-Ore.) March 19 was aimed at preventing the Anti-Counterfeiting Trade Agreement from going into force in the United States without first getting formal approval from Congress.Another amendment would require the Office of the U.S. Trade Representative to disclose its position regarding to the ongoing Trans-Pacific Partnership Agreement negotiations.The amendments were introduced a day before the Senate was scheduled to take a procedural vote on whether it would consider the House's controversial JOBS bill.

As a condition to the United States putting forward any official instrument that accepts ACTA, Wyden asked in his earlier letter that Obama “formally declare that ACTA does not create any international obligations for the U.S.—that ACTA is not binding.” If Obama declined to make such a statement, then Wyden requested a “legal rationale for why ACTA should not be considered by Congress.”

Wyden's first March 19 amendment JOBS Act amendment, S.A. 1868, would prevent the president from accepting, and the United States from entering into, any “legally binding trade agreement that imposes obligations on the United States … including the Anti-Counterfeiting Trade Agreement, without the formal and express approval of Congress.”

The Common Crawl Foundation’s repository of openly and freely accessible web crawl data is about to go live as a Public Data Set on Amazon Web Services.

Elbaz’ goal in developing the repository: “You can’t access, let alone download, the Google or the Bing crawl data. So certainly we’re differentiated in being very open and transparent about what we’re crawling and actually making it available to developers,” he says. “You might ask why is it going to be revolutionary to allow many more engineers and researchers and developers and students access to this data, whereas historically you have to work for one of the big search engines…. The question is, the world has the largest-ever corpus of knowledge out there on the web, and is there more that one can do with it than Google and Microsoft and a handful of other search engines are already doing? And the answer is unquestionably yes. ”

Common Crawl’s data already is stored on Amazon’s S3 service, but now Amazon will be providing the storage space for free through the Public Data Set program. Not only does that remove from Common Crawl the storage burden and costs for hosting its crawl of 5 billion web pages – some 50 or 60 terabytes large – but it should make it easier for users to access the data, and remove the bandwidth-related costs they might incur for downloads. Users won’t have to deal with setting up accounts, being responsible for bandwidth bills incurred, and more complex authentication processes.

This month, the United States District Court for the District of Columbia ruled that the Department of Homeland Security must make its plan to shut off the Internet and cellphone communications available to the American public. You, of course, may now be thinking: What plan?! Though President Barack Obama swiftly disapproved of ousted Egyptian President Hosni Mubarak turning off the Internet in his country (to quell widespread civil disobedience) in 2011, the US government has the authority to do the same sort of thing, under a plan that was devised during the George W. Bush administration. Many details of the government’s controversial “kill switch” authority have been classified, such as the conditions under which it can be implemented and how the switch can be used. But thanks to a Freedom of Information Act lawsuit filed by the Electronic Privacy Information Center (EPIC), DHS has to reveal those details by December 12 — or mount an appeal. (The smart betting is on an appeal, since DHS has fought to release this information so far.) Yet here’s what we do know about the government’s “kill switch” plan:

What are the constitutional problems? Civil liberties advocates argue that kill switches violate the First Amendment and pose a problem because they aren’t subject to rigorous judicial and congressional oversight. “There is no court in the loop at all, at any stage in the SOP 303 process,” according to the Center for Democracy and Technology. ”The executive branch, untethered by the checks and balances of court oversight, clear instruction from Congress, or transparency to the public, is free to act as it will and in secret.” David Jacobs of EPIC says, “Cutting off communications imposes a prior restraint on speech, so the First Amendment imposes the strictest of limitations…We don’t know how DHS thinks [the kill switch] is consistent with the First Amendment.” He adds, “Such a policy, unbounded by clear rules and oversight, just invites abuse.”

Virtually no foreign government is off-limits for the National Security Agency, which has been authorized to intercept information “concerning” all but four countries, according to top-secret documents. The United States has long had broad no-spying arrangements with those four countries — Britain, Canada, Australia and New Zealand — in a group known collectively with the United States as the Five Eyes. But a classified 2010 legal certification and other documents indicate the NSA has been given a far more elastic authority than previously known, one that allows it to intercept through U.S. companies not just the communications of its overseas targets but any communications about its targets as well.

The certification — approved by the Foreign Intelligence Surveillance Court and included among a set of documents leaked by former NSA contractor Edward Snowden — lists 193 countries that would be of valid interest for U.S. intelligence. The certification also permitted the agency to gather intelligence about entities including the World Bank, the International Monetary Fund, the European Union and the International Atomic Energy Agency. The NSA is not necessarily targeting all the countries or organizations identified in the certification, the affidavits and an accompanying exhibit; it has only been given authority to do so. Still, the privacy implications are far-reaching, civil liberties advocates say, because of the wide spectrum of people who might be engaged in communication about foreign governments and entities and whose communications might be of interest to the United States.

That language could allow for surveillance of academics, journalists and human rights researchers. A Swiss academic who has information on the German government’s position in the run-up to an international trade negotiation, for instance, could be targeted if the government has determined there is a foreign-intelligence need for that information. If a U.S. college professor e-mails the Swiss professor’s e-mail address or phone number to a colleague, the American’s e-mail could be collected as well, under the program’s court-approved rules

As fast as it can, Google is sealing up cracks in its systems that Edward J. Snowden revealed the N.S.A. had brilliantly exploited. It is encrypting more data as it moves among its servers and helping customers encode their own emails. Facebook, Microsoft and Yahoo are taking similar steps.

After years of cooperating with the government, the immediate goal now is to thwart Washington — as well as Beijing and Moscow. The strategy is also intended to preserve business overseas in places like Brazil and Germany that have threatened to entrust data only to local providers. Google, for example, is laying its own fiber optic cable under the world’s oceans, a project that began as an effort to cut costs and extend its influence, but now has an added purpose: to assure that the company will have more control over the movement of its customer data.

A year after Mr. Snowden’s revelations, the era of quiet cooperation is over. Telecommunications companies say they are denying requests to volunteer data not covered by existing law. A.T.&T., Verizon and others say that compared with a year ago, they are far more reluctant to cooperate with the United States government in “gray areas” where there is no explicit requirement for a legal warrant.

April 21, 2015 Dear Chairman Goodlatte, Ranking Member Conyers, Chairman Grassley, and Ranking Member Leahy: We urge you to end mass surveillance of Americans. Among us are civil liberties organizations from across the political spectrum that speak for millions of people, businesses, whistleblowers, and experts. The impending expiration of three USA PATRIOT Act provisions on June 1 is a golden opportunity to end mass surveillance and enact additional reforms. Current surveillance practices are virtually limitless. They are unnecessary, counterproductive, and costly. They undermine our economy and the public’s trust in government. And they undercut the proper functioning of government. Meaningful surveillance reform entails congressional repeal of laws and protocols the Executive secretly interprets to permit current mass surveillance practices. Additionally, it requires Congress to appreciably increase transparency, oversight, and accountability of intelligence agencies, especially those that have acted unconstitutionally.

A majority of the House of Representatives already has voted against mass surveillance. The Massie-Lofgren amendment to the National Defense Authorization Act [i] garnered 293 votes in support of defunding “backdoor searches.” Unfortunately, that amendment was not included in the “CRomnibus"[ii] despite overwhelming support.  We urge you to act once again to vindicate our fundamental liberties.