Group items tagged

2014 in Review Series Net Neutrality Takes a Wild Ride 8 Stellar Surveillance Scoops Web Encryption Gets Stronger and More Widespread Big Patent Reform Wins in Court, Defeat (For Now) in Congress International Copyright Law More Time in the Spotlight for NSLs The State of Free Expression Online What We Learned About NSA Spying in 2014—And What We're Fighting to Expose in 2015 "Fair Use Is Working!" Email Encryption Grew Tremendously, but Still Needs Work Spies Vs. Spied, Worldwide The Fight in Congress to End the NSA's Mass Spying Open Access Movement Broadens, Moves Forward Stingrays Go Mainstream Three Vulnerabilities That Rocked the Online Security World Mobile Privacy and Security Takes Two Steps Forward, One Step Back It Was a Pivotal Year in TPP Activism but the Biggest Fight Is Still to Come The Government Spent a Lot of Time in Court Defending NSA Spying Last Year Let's Encrypt (the Entire Web)

The new rules for exemptions to copyright's DRM-circumvention laws were issued today, and the Librarian of Congress has granted much of what EFF asked for over the course of months of extensive briefs and hearings. The exemptions we requested—ripping DVDs and Blurays for making fair use remixes and analysis; preserving video games and running multiplayer servers after publishers have abandoned them; jailbreaking cell phones, tablets, and other portable computing devices to run third party software; and security research and modification and repairs on cars—have each been accepted, subject to some important caveats.

The exemptions are needed thanks to a fundamentally flawed law that forbids users from breaking DRM, even if the purpose is a clearly lawful fair use. As software has become ubiquitous, so has DRM.  Users often have to circumvent that DRM to make full use of their devices, from DVDs to games to smartphones and cars. The law allows users to request exemptions for such lawful uses—but it doesn’t make it easy. Exemptions are granted through an elaborate rulemaking process that takes place every three years and places a heavy burden on EFF and the many other requesters who take part. Every exemption must be argued anew, even if it was previously granted, and even if there is no opposition. The exemptions that emerge are limited in scope. What is worse, they only apply to end users—the people who are actually doing the ripping, tinkering, jailbreaking, or research—and not to the people who make the tools that facilitate those lawful activities. The section of the law that creates these restrictions—the Digital Millennium Copyright Act's Section 1201—is fundamentally flawed, has resulted in myriad unintended consequences, and is long past due for reform or removal altogether from the statute books. Still, as long as its rulemaking process exists, we're pleased to have secured the following exemptions.

The new rules are long and complicated, and we'll be posting more details about each as we get a chance to analyze them. In the meantime, we hope each of these exemptions enable more exciting fair uses that educate, entertain, improve the underlying technology, and keep us safer. A better long-terms solution, though, is to eliminate the need for this onerous rulemaking process. We encourage lawmakers to support efforts like the Unlocking Technology Act, which would limit the scope of Section 1201 to copyright infringements—not fair uses. And as the White House looks for the next Librarian of Congress, who is ultimately responsible for issuing the exemptions, we hope to get a candidate who acts—as a librarian should—in the interest of the public's access to information.

Until just last week, the U.S. government kept up the charade that its use of a stockpile of security vulnerabilities for hacking was a closely held secret.1 In fact, in response to EFF’s FOIA suit to get access to the official U.S. policy on zero days, the government redacted every single reference to “offensive” use of vulnerabilities. To add insult to injury, the government’s claim was that even admitting to offensive use would cause damage to national security. Now, in the face of EFF’s brief marshaling overwhelming evidence to the contrary, the charade is over. In response to EFF’s motion for summary judgment, the government has disclosed a new version of the Vulnerabilities Equities Process, minus many of the worst redactions. First and foremost, it now admits that the “discovery of vulnerabilities in commercial information technology may present competing ‘equities’ for the [government’s] offensive and defensive mission.” That might seem painfully obvious—a flaw or backdoor in a Juniper router is dangerous for anyone running a network, whether that network is in the U.S. or Iran. But the government’s failure to adequately weigh these “competing equities” was so severe that in 2013 a group of experts appointed by President Obama recommended that the policy favor disclosure “in almost all instances for widely used code.” [.pdf].

The newly disclosed version of the Vulnerabilities Equities Process (VEP) also officially confirms what everyone already knew: the use of zero days isn’t confined to the spies. Rather, the policy states that the “law enforcement community may want to use information pertaining to a vulnerability for similar offensive or defensive purposes but for the ultimate end of law enforcement.” Similarly it explains that “counterintelligence equities can be defensive, offensive, and/or law enforcement-related” and may “also have prosecutorial responsibilities.” Given that the government is currently prosecuting users for committing crimes over Tor hidden services, and that it identified these individuals using vulnerabilities called a “Network Investigative Technique”, this too doesn’t exactly come as a shocker. Just a few weeks ago, the government swore that even acknowledging the mere fact that it uses vulnerabilities offensively “could be expected to cause serious damage to the national security.” That’s a standard move in FOIA cases involving classified information, even though the government unnecessarily classifies documents at an astounding rate. In this case, the government relented only after nearly a year and a half of litigation by EFF. The government would be well advised to stop relying on such weak secrecy claims—it only risks undermining its own credibility.

The new version of the VEP also reveals significantly more information about the general process the government follows when a vulnerability is identified. In a nutshell, an agency that discovers a zero day is responsible for invoking the VEP, which then provides for centralized coordination and weighing of equities among all affected agencies. Along with a declaration from an official at the Office of the Director of National Intelligence, this new information provides more background on the reasons why the government decided to develop an overarching zero day policy in the first place: it “recognized that not all organizations see the entire picture of vulnerabilities, and each organization may have its own equities and concerns regarding the prioritization of patches and fixes, as well as its own distinct mission obligations.” We now know the VEP was finalized in February 2010, but the government apparently failed to implement it in any substantial way, prompting the presidential review group’s recommendation to prioritize disclosure over offensive hacking. We’re glad to have forced a little more transparency on this important issue, but the government is still foolishly holding on to a few last redactions, including refusing to name which agencies participate in the VEP. That’s just not supportable, and we’ll be in court next month to argue that the names of these agencies must be disclosed. 

The Senate passed the USA Freedom Act today by 67-32, marking the first time in over thirty years that both houses of Congress have approved a bill placing real restrictions and oversight on the National Security Agency’s surveillance powers. The weakening amendments to the legislation proposed by NSA defender Senate Majority Mitch McConnell were defeated, and we have every reason to believe that President Obama will sign USA Freedom into law. Technology users everywhere should celebrate, knowing that the NSA will be a little more hampered in its surveillance overreach, and both the NSA and the FISA court will be more transparent and accountable than it was before the USA Freedom Act. It’s no secret that we wanted more. In the wake of the damning evidence of surveillance abuses disclosed by Edward Snowden, Congress had an opportunity to champion comprehensive surveillance reform and undertake a thorough investigation, like it did with the Church Committee. Congress could have tried to completely end mass surveillance and taken numerous other steps to rein in the NSA and FBI. This bill was the result of compromise and strong leadership by Sens. Patrick Leahy and Mike Lee and Reps. Robert Goodlatte, Jim Sensenbrenner, and John Conyers. It’s not the bill EFF would have written, and in light of the Second Circuit's thoughtful opinion, we withdrew our support from the bill in an effort to spur Congress to strengthen some of its privacy protections and out of concern about language added to the bill at the behest of the intelligence community. Even so, we’re celebrating. We’re celebrating because, however small, this bill marks a day that some said could never happen—a day when the NSA saw its surveillance power reduced by Congress. And we’re hoping that this could be a turning point in the fight to rein in the NSA.

This week the Center for Media Justice, ColorOfChange.org, and New America’s Open Technology Institute filed a complaint with the Federal Communications Commission alleging the Baltimore police are violating the federal Communications Act by using cell site simulators, also known as Stingrays, that disrupt cellphone calls and interfere with the cellular network—and are doing so in a way that has a disproportionate impact on communities of color. Stingrays operate by mimicking a cell tower and directing all cellphones in a given area to route communications through the Stingray instead of the nearby tower. They are especially pernicious surveillance tools because they collect information on every single phone in a given area—not just the suspect’s phone—this means they allow the police to conduct indiscriminate, dragnet searches. They are also able to locate people inside traditionally-protected private spaces like homes, doctors’ offices, or places of worship. Stingrays can also be configured to capture the content of communications. Because Stingrays operate on the same spectrum as cellular networks but are not actually transmitting communications the way a cell tower would, they interfere with cell phone communications within as much as a 500 meter radius of the device (Baltimore’s devices may be limited to 200 meters). This means that any important phone call placed or text message sent within that radius may not get through. As the complaint notes, “[d]epending on the nature of an emergency, it may be urgently necessary for a caller to reach, for example, a parent or child, doctor, psychiatrist, school, hospital, poison control center, or suicide prevention hotline.” But these and even 911 calls could be blocked.

The Baltimore Police Department could be among the most prolific users of cell site simulator technology in the country. A Baltimore detective testified last year that the BPD used Stingrays 4,300 times between 2007 and 2015. Like other law enforcement agencies, Baltimore has used its devices for major and minor crimes—everything from trying to locate a man who had kidnapped two small children to trying to find another man who took his wife’s cellphone during an argument (and later returned it). According to logs obtained by USA Today, the Baltimore PD also used its Stingrays to locate witnesses, to investigate unarmed robberies, and for mysterious “other” purposes. And like other law enforcement agencies, the Baltimore PD has regularly withheld information about Stingrays from defense attorneys, judges, and the public. Moreover, according to the FCC complaint, the Baltimore PD’s use of Stingrays disproportionately impacts African American communities. Coming on the heels of a scathing Department of Justice report finding “BPD engages in a pattern or practice of conduct that violates the Constitution or federal law,” this may not be surprising, but it still should be shocking. The DOJ’s investigation found that BPD not only regularly makes unconstitutional stops and arrests and uses excessive force within African-American communities but also retaliates against people for constitutionally protected expression, and uses enforcement strategies that produce “severe and unjustified disparities in the rates of stops, searches and arrests of African Americans.”

Adding Stingrays to this mix means that these same communities are subject to more surveillance that chills speech and are less able to make 911 and other emergency calls than communities where the police aren’t regularly using Stingrays. A map included in the FCC complaint shows exactly how this is impacting Baltimore’s African-American communities. It plots hundreds of addresses where USA Today discovered BPD was using Stingrays over a map of Baltimore’s black population based on 2010 Census data included in the DOJ’s recent report:

Twenty-two organizations including Unitarian church groups, gun ownership advocates, and a broad coalition of membership and political advocacy organizations filed suit against the National Security Agency for violating their First Amendment right of association by illegally collecting their call records. The coalition is represented by EFF. At the heart of First Unitarian Church of Los Angeles v. NSA is the bulk telephone records collection program that was confirmed by the publication of an order from the Foreign Intelligence Surveillance Court (FISC) in June of 2013. The Director of National Intelligence (DNI) further confirmed that this formerly secret document was authentic, and part of a broader program to collect all major telecommunications customers’ call history. The order demands wholesale collection of every call made, the location of the phone, the time of the call, the duration of the call, and other “identifying information” for every phone and call for all customers of Verizon for a period of three months. Government officials further confirmed that this was just one of series of orders issued on a rolling basis since at least 2006. First Unitarian v. NSA argues that this spying violates the First Amendment, which protects the freedom to associate and express political views as a group.

Twenty-two organizations including Unitarian church groups, gun ownership advocates, and a broad coalition of membership and political advocacy organizations filed suit against the National Security Agency for violating their First Amendment right of association by illegally collecting their call records. The coalition is represented by EFF. At the heart of First Unitarian Church of Los Angeles v. NSA is the bulk telephone records collection program that was confirmed by the publication of an order from the Foreign Intelligence Surveillance Court (FISC) in June of 2013. The Director of National Intelligence (DNI) further confirmed that this formerly secret document was authentic, and part of a broader program to collect all major telecommunications customers’ call history. The order demands wholesale collection of every call made, the location of the phone, the time of the call, the duration of the call, and other “identifying information” for every phone and call for all customers of Verizon for a period of three months. Government officials further confirmed that this was just one of series of orders issued on a rolling basis since at least 2006. First Unitarian v. NSA argues that this spying violates the First Amendment, which protects the freedom to associate and express political views as a group.

The case challenges the mass telephone records collection that was confirmed by the FISA Order that was published on June 5, 2013 and confirmed by the Director of National Intelligence (DNI) on June 6, 2013. The DNI confirmed that the collection was “broad in scope” and conducted under the “business records” provision of the Foreign Intelligence Surveillance Act, also known as section 215 of the Patriot Act and 50 U.S.C. section 1861. The facts have long been part of EFF’s Jewel v. NSA case. The case does not include section 702 programs, which includes the recently made public and called the PRISM program or the fiber optic splitter program that is included (along with the telephone records program) in the Jewel v. NSA case. 

The Electronic Frontier Foundation (EFF) has urged a federal court to block a U.S. search warrant ordering Microsoft to turn over a customer's emails held in an overseas server, arguing that the case has dangerous privacy implications for Internet users everywhere. The case started in December of last year, when a magistrate judge in New York signed a search warrant seeking records and emails from a Microsoft account in connection with a criminal investigation. However, Microsoft determined that the emails the government sought were on a Microsoft server in Dublin, Ireland. Because a U.S. judge has no authority to issue warrants to search and seize property or data abroad, Microsoft refused to turn over the emails and asked the magistrate to quash the warrant. But the magistrate denied Microsoft's request, ruling there was no foreign search because the data would be reviewed by law enforcement agents in the U.S.

Microsoft appealed the decision. In an amicus brief in support of Microsoft, EFF argues the magistrate's rationale ignores the fact that copying the emails is a "seizure" that takes place in Ireland. "The Fourth Amendment protects from unreasonable search and seizure. You can't ignore the 'seizure' part just because the property is digital and not physical," said EFF Staff Attorney Hanni Fakhoury. "Ignoring this basic point has dangerous implications – it could open the door to unfounded law enforcement access to and collection of data stored around the world."

For the full brief in this case:https://www.eff.org/document/eff-amicus-brief-support-microsoft

Government Claims EFF's Lawsuits Don't Cover Ongoing Surveillance – Raising Fears Key Documents May Have Been DestroyedUPDATE: Judge White today continued his temporary restraining order in these two cases until a more permanent order could be put in place. The question of whether the government improperly destroyed evidence so far will be briefed over the next several weeks.

Government Claims EFF's Lawsuits Don't Cover Ongoing Surveillance – Raising Fears Key Documents May Have Been DestroyedUPDATE: Judge White today continued his temporary restraining order in these two cases until a more permanent order could be put in place. The question of whether the government improperly destroyed evidence so far will be briefed over the next several weeks.

San Francisco - The Electronic Frontier Foundation (EFF) will fight disturbing new government claims in an emergency court hearing Wednesday – claims that may imply records documenting ongoing government surveillance have been destroyed despite a judge's order. Over the last several weeks, EFF has been battling to ensure that evidence of the NSA surveillance program will be preserved as part of its two cases challenging the illegal government spying: Jewel v. NSA and First Unitarian Church of Los Angeles v. NSA. But in a court filing late Monday, the government made shocking new assertions, arguing that its obligation to preserve evidence was limited to aspects of the original Bush-era spying program, which the government contends ended eight years ago with a transition to FISA court orders.

Today we’re publishing—for the first time—the FBI’s drone licenses and supporting records for the last several years. Unfortunately, to say that the FBI has been less than forthcoming with these records would be a gross understatement. Just yesterday, Wired broke the story that the FBI has been using drones to surveil Americans. Wired noted that, during an FBI oversight hearing before the Senate Judiciary Committee, FBI Director Robert Mueller let slip that the FBI flies surveillance drones on American soil. Mueller tried to reassure the senators that FBI’s drone program “is very narrowly focused on particularized cases and particularized leads.” However, there’s no way to check the Director on these statements, given the Bureau’s extreme lack of transparency about its program.

EFF received these records as a result of our Freedom of Information lawsuit against the Federal Aviation Administration (FAA) for the licenses the FAA issues to all public entities wishing to fly drones in the national airspace. As detailed in prior posts and on our drone map, we have already received tens of thousands of pages of valuable information about local, state and federal agencies’ drone flights. However, unlike other federal agencies, including the US Air Force, the Bureau has withheld almost all information within its documents—even including the dates the FAA’s Certificates of Authorization (COAs) were issued. As you can see from the two examples linked below—the first from the Air Force and the second from the FBI—the FBI is withholding information, including something as basic as the city and state of the Bureau’s point of contact, that could in no way be expected to risk circumvention of the law (the applicable test under FOIA, 5 U.S.C. § 552 (b)(7)(E)).

The FBI has even withheld information from standard documents that all agencies file with the FAA to support their COA applications, many of which come directly from the drone manufacturer. (Compare, for example, the Air Force’s “LOST_LINK_MISSION” or “AIRCRAFT_SYSTEM” documents with the FBI’s versions of the same documents.) One interesting fact is that the Bureau has withheld most of the records under several statutes and regulations related to the arms exports and the International Traffic in Arms Regulations (ITAR) (see statutes and regulations here, here, and here.) This is surprising because, although ITAR does apply explicitly to drones, not even the US Military has claimed these statutes in withholding information from its drone records. Given the FBI’s past abuses and the information recently revealed about how the Bureau exploits specious interpretations of federal law to help out the NSA’s spying program, we have good reason to be concerned about the FBI’s lack of transparency here. We hope Senator Feinstein will follow up on her concerns about the FBI’s apparent lack of “strictures” in place to protect Americans’ privacy in connection to FBI drone use and demand a full accounting of how, when, where and why the Bureau has been using drones to monitor the public. Download the zip files of the documents here, here, and here.

NSA has collected cell records from all major mobile networks.

Yesterday, the Guardian released two previously-classified documents describing the internal "minimization" and "targeting" procedures used by the NSA to conduct surveillance under Section 702. These procedures are approved by the Foreign Intelligence Surveillance Court (FISC) on an annual basis and are supposed to serve as the bulwark between the NSA's vast surveillance capabilities and the private communications of Americans. As we noted earlier today, the procedures, themselves, aren't reassuring: far too much discretion is retained by NSA analysts, the procedures frequently resolve doubt in favor of collection, and information is obtained that could otherwise never be obtained without a warrant. Which would be bad enough, if it were the end of the story. But it's not.

Unless the government substantially changed the procedures between August 2010 and October 2011, these are the very procedures that the FISC eventually found resulted in illegal and unconstitutional surveillance. In October 2011, the FISC issued an 86-page opinion finding that collection carried out under the NSA's classified minimization procedures was unconstitutional. The opinion remains secret, but it is very likely that yesterday's leaked NSA documents show the very minimization procedures the Director of National Intelligence admitted the FISC had found resulted in surveillance that was “unreasonable under the Fourth Amendment" and "circumvented the spirit of the law." And for good reason: the procedures are unconstitutional. They allow for the government to obtain and keep huge amounts of information it could never Constitutionally get without a warrant based on probable cause. As we explained, the procedures are designed such that the NSA will routinely fail to exclude or remove United States persons' communications, and the removal of those communications are wholly entrusted to the "reasonable discretion" of an analyst.  

Yesterday, the Guardian released two previously-classified documents describing the internal "minimization" and "targeting" procedures used by the NSA to conduct surveillance under Section 702. These procedures are approved by the Foreign Intelligence Surveillance Court (FISC) on an annual basis and are supposed to serve as the bulwark between the NSA's vast surveillance capabilities and the private communications of Americans. As we noted earlier today, the procedures, themselves, aren't reassuring: far too much discretion is retained by NSA analysts, the procedures frequently resolve doubt in favor of collection, and information is obtained that could otherwise never be obtained without a warrant. Which would be bad enough, if it were the end of the story. But it's not. The targeting and minimization documents released yesterday are dated a few months after the first publicly known scandal over the new FAA procedures: In April 2009, the New York Times reported that Section 702 surveillance had “intercepted the private e-mail messages and phone calls of Americans . . . on a scale that went beyond the broad legal limits established by Congress." In June 2009, the Times reported that members of Congress were saying NSA's "recent intercepts of the private telephone calls and e-mail messages of Americans are broader than previously acknowledged." Rep. Rush Holt described the problems as "so flagrant that they can't be accidental."

All of the evidence found in this timeline can also be found in the Summary of Evidence we submitted to the court in Jewel v. National Security Agency (NSA). It is intended to recall all the credible accounts and information of the NSA's domestic spying program found in the media, congressional testimony, books, and court actions. The timeline also includes documents leaked by the Guardian in June 2013 that confirmed the domestic spying by the NSA. The documents range from a Top Secret Court Order by the secret court overseeing the spying, the Foreign Intelligence Surveillance Court (FISA Court), to a working draft of an NSA Inspector General report detailing the history of the program. The "NSA Inspectors General Reports" tab consists of one of three documents: a July 10, 2009 report written by Inspectors General of the Department of Justice (DOJ), NSA, Department of Defense (DOD), Central Intelligence Agency (CIA), and the Office of the Director of National Intelligence; an internal working draft NSA Inspector General report leaked by the Guardian on June 27, 2013; and, an "End to End Review" of the Section 215 program conducted by the NSA for the FISA Court. For a short description of the people involved in the spying you can look at our Profiles page, which includes many of the key characters from the NSA Domestic Spying program.

A few weeks ago we fought a battle for transparency in our flagship NSA spying case, Jewel v. NSA. But, ironically, we weren't able to tell you anything about it until now. On June 6, the court held a long hearing in Jewel in a crowded, open courtroom, widely covered by the press. We were even on the local TV news on two stations. At the end, the Judge ordered both sides to request a transcript since he ordered us to do additional briefing. But when it was over, the government secretly, and surprisingly sought permission to “remove” classified information from the transcript, and even indicated that it wanted to do so secretly, so the public could never even know that they had done so. We rightly considered this an outrageous request and vigorously opposed it. The public has a First Amendment right not only to attend the hearing but to have an accurate transcript of it. Moreover, the federal law governing court reporting requires that “each session of the court” be “recorded verbatim” and that the transcript be certified by the court reporter as “a correct statement of the testimony taken and the proceedings had.” 28 U.S.C. § 753(b).

The Court allowed the government a first look at the transcript and indicated that it was going to hold the government to a very high standard and would not allow the government to manufacture a misleading transcript by hiding the fact of any redactions. Ultimately, the government said that it had *not* revealed classified information at the hearing and removed its request. But the incident speaks volumes about the dangers of allowing the government free rein to claim secrecy in court proceedings and otherwise. We couldn't tell you anything about that fight because the government's request, our opposition to it, and the court's order regarding it were all sealed. But with today's order by Judge White, the transcript and the arguments over the government's request to revise it are finally public documents. Here's how the events transpired:

Over the past few years, Internet users have found their voice in the halls of power. Through legal challenges, speaking to legislators, and effective online organizing, we've beat back many attempts to create mechanisms of censorship and strip speakers of their privacy. We defeated the SOPA/PIPA Internet blacklist bills, and the ACTA and TPP agreements, and stood up for net neutrality as a free speech principle. But these victories had a side effect: corporate and government interests who seek to edit the Internet and regulate others' speech have turned to private agreements. These agreements can create restrictions that are as effective as any law, but without the need for approval by a court or parliament. Sometimes they are even initiated by government officials, who offer companies the Hobson's choice of coming up with a "voluntary" solution or submitting to government regulation. This year, we've begun to shine a spotlight on these Shadow Regulations, and hold them to the same high standards as we do for laws.

In a landmark decision issued today in the criminal appeal of U.S. v. Warshak, the Sixth Circuit Court of Appeals has ruled that the government must have a search warrant before it can secretly seize and search emails stored by email service providers. Closely tracking arguments made by EFF in its amicus brief, the court found that email users have the same reasonable expectation of privacy in their stored email as they do in their phone calls and postal mail.

Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default.With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.

The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires. We’re all familiar with the warnings and error messages produced by misconfigured certificates. These warnings are a hint that HTTPS (and other uses of TLS/SSL) is dependent on a horrifyingly complex and often structurally dysfunctional bureaucracy for authentication.

The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In our tests, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds. You can help test and hack on the developer preview of our Let's Encrypt agent software or watch a video of it in action here:

The USA PATRIOT Act granted the government powerful new spying capabilities that have grown out of control—but the provision that the FBI and NSA have been using to collect the phone records of millions of innocent people expires on June 1. Tell Congress: it’s time to rethink out-of-control spying. A vote to reauthorize Section 215 is a vote against the Constitution.

On June 5, 2013, the Guardian published a secret court order showing that the NSA has interpreted Section 215 to mean that, with the help of the FBI, it can collect the private calling records of millions of innocent people. The government could even try to use Section 215 for bulk collection of financial records. The NSA’s defenders argue that invading our privacy is the only way to keep us safe. But the White House itself, along with the President’s Review Board has said that the government can accomplish its goals without bulk telephone records collection. And the Privacy and Civil Liberties Oversight Board said, “We have not identified a single instance involving a threat to the United States in which [bulk collection under Section 215 of the PATRIOT Act] made a concrete difference in the outcome of a counterterrorism investigation.” Since June of 2013, we’ve continued to learn more about how out of control the NSA is. But what has not happened since June is legislative reform of the NSA. There have been myriad bipartisan proposals in Congress—some authentic and some not—but lawmakers didn’t pass anything. We need comprehensive reform that addresses all the ways the NSA has overstepped its authority and provides the NSA with appropriate and constitutional tools to keep America safe. In the meantime, tell Congress to take a stand. A vote against reauthorization of Section 215 is a vote for the Constitution.

Yesterday, the Guardian released a comprehensive poll showing widespread concern about NSA spying. Two-thirds of Americans think the NSA's role should be reviewed. The poll also showed Americans demanding accountability and more information from public officials—two key points of our recently launched stopwatching.us campaign. But there's more. So far, Gallup has one of the better-worded questions, finding that 53% of Americans disapprove of the NSA spying. A CBS poll also showed that a majority—at 58%—of Americans disapprove of the government "collecting phone records of ordinary Americans." And Rasmussen—though sometimes known for push polling—also recently conducted a poll showing that 59% of Americans are opposed to the current NSA spying.

The only poll showing less than a majority on the side of government overreach was Pew Research Center, which asked Americans whether it was acceptable that the NSA obtained "secret court orders to track the calls of millions of Americans to investigate terrorism." Pew reported that 56% of Americans said it was "acceptable." But the question is poorly worded. It doesn't mention the widespread, dragnet nature of the spying. It also neglects to describe the "information" being given—metadata, which is far more sensitive and can provide far more information than just the ability to "track the calls" of Americans. And it was conducted early on in the scandal, before it was revealed that the NSA doesn't even have to obtain court orders to search already collected information. Despite the aggregate numbers, many of the polls took place at the same time Americans were finding out new facts about the program. More questions must be asked. And if history is any indication, the American people will be finding out much more. Indeed, just today the Guardian reported that its working on a whole new series with even more NSA revelations about spying. One thing is definitely clear: the American public is demanding answers and needs more information. That's why Congress must create a special investigatory committee to reveal the full extent of the programs. Democracy demands it. Go here to take action. 

Lawmakers have headed back to their home district for the Memorial Day recess, so there's a chance you, as a constituent, can meet with them. Absent that, you can visit their district staff who can receive and forward on your concerns to your representative even after lawmakers go back to the Capitol. They will be receptive to the concerns of smart, tech-savvy constituents who care enough to arrange a meeting. We know there's a big difference between calling and writing to your congressperson, and actually talking to them face-to-face. But this is a vital moment, and there's a fighting chance that your decision to meet with your representative's office could make all the difference.