Group items tagged

2014 in Review Series Net Neutrality Takes a Wild Ride 8 Stellar Surveillance Scoops Web Encryption Gets Stronger and More Widespread Big Patent Reform Wins in Court, Defeat (For Now) in Congress International Copyright Law More Time in the Spotlight for NSLs The State of Free Expression Online What We Learned About NSA Spying in 2014—And What We're Fighting to Expose in 2015 "Fair Use Is Working!" Email Encryption Grew Tremendously, but Still Needs Work Spies Vs. Spied, Worldwide The Fight in Congress to End the NSA's Mass Spying Open Access Movement Broadens, Moves Forward Stingrays Go Mainstream Three Vulnerabilities That Rocked the Online Security World Mobile Privacy and Security Takes Two Steps Forward, One Step Back It Was a Pivotal Year in TPP Activism but the Biggest Fight Is Still to Come The Government Spent a Lot of Time in Court Defending NSA Spying Last Year Let's Encrypt (the Entire Web)

This week the Center for Media Justice, ColorOfChange.org, and New America’s Open Technology Institute filed a complaint with the Federal Communications Commission alleging the Baltimore police are violating the federal Communications Act by using cell site simulators, also known as Stingrays, that disrupt cellphone calls and interfere with the cellular network—and are doing so in a way that has a disproportionate impact on communities of color. Stingrays operate by mimicking a cell tower and directing all cellphones in a given area to route communications through the Stingray instead of the nearby tower. They are especially pernicious surveillance tools because they collect information on every single phone in a given area—not just the suspect’s phone—this means they allow the police to conduct indiscriminate, dragnet searches. They are also able to locate people inside traditionally-protected private spaces like homes, doctors’ offices, or places of worship. Stingrays can also be configured to capture the content of communications. Because Stingrays operate on the same spectrum as cellular networks but are not actually transmitting communications the way a cell tower would, they interfere with cell phone communications within as much as a 500 meter radius of the device (Baltimore’s devices may be limited to 200 meters). This means that any important phone call placed or text message sent within that radius may not get through. As the complaint notes, “[d]epending on the nature of an emergency, it may be urgently necessary for a caller to reach, for example, a parent or child, doctor, psychiatrist, school, hospital, poison control center, or suicide prevention hotline.” But these and even 911 calls could be blocked.

The Baltimore Police Department could be among the most prolific users of cell site simulator technology in the country. A Baltimore detective testified last year that the BPD used Stingrays 4,300 times between 2007 and 2015. Like other law enforcement agencies, Baltimore has used its devices for major and minor crimes—everything from trying to locate a man who had kidnapped two small children to trying to find another man who took his wife’s cellphone during an argument (and later returned it). According to logs obtained by USA Today, the Baltimore PD also used its Stingrays to locate witnesses, to investigate unarmed robberies, and for mysterious “other” purposes. And like other law enforcement agencies, the Baltimore PD has regularly withheld information about Stingrays from defense attorneys, judges, and the public. Moreover, according to the FCC complaint, the Baltimore PD’s use of Stingrays disproportionately impacts African American communities. Coming on the heels of a scathing Department of Justice report finding “BPD engages in a pattern or practice of conduct that violates the Constitution or federal law,” this may not be surprising, but it still should be shocking. The DOJ’s investigation found that BPD not only regularly makes unconstitutional stops and arrests and uses excessive force within African-American communities but also retaliates against people for constitutionally protected expression, and uses enforcement strategies that produce “severe and unjustified disparities in the rates of stops, searches and arrests of African Americans.”

Adding Stingrays to this mix means that these same communities are subject to more surveillance that chills speech and are less able to make 911 and other emergency calls than communities where the police aren’t regularly using Stingrays. A map included in the FCC complaint shows exactly how this is impacting Baltimore’s African-American communities. It plots hundreds of addresses where USA Today discovered BPD was using Stingrays over a map of Baltimore’s black population based on 2010 Census data included in the DOJ’s recent report:

Europe’s highest court on Tuesday struck down an international agreement that allowed companies to move digital information like people’s web search histories and social media updates between the European Union and the United States. The decision left the international operations of companies like Google and Facebook in a sort of legal limbo even as their services continued working as usual.The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy. The court said data protection regulators in each of the European Union’s 28 countries should have oversight over how companies collect and use online information of their countries’ citizens. European countries have widely varying stances towards privacy.

Data protection advocates hailed the ruling. Industry executives and trade groups, though, said the decision left a huge amount of uncertainty for big companies, many of which rely on the easy flow of data for lucrative businesses like online advertising. They called on the European Commission to complete a new safe harbor agreement with the United States, a deal that has been negotiated for more than two years and could limit the fallout from the court’s decision.

Some European officials and many of the big technology companies, including Facebook and Microsoft, tried to play down the impact of the ruling. The companies kept their services running, saying that other agreements with the European Union should provide an adequate legal foundation.But those other agreements are now expected to be examined and questioned by some of Europe’s national privacy watchdogs. The potential inquiries could make it hard for companies to transfer Europeans’ information overseas under the current data arrangements. And the ruling appeared to leave smaller companies with fewer legal resources vulnerable to potential privacy violations.

This was a great year for adoption of HTTPS encryption for secure connections to websites. HTTPS is an essential technology for security and privacy on the Web, and we've long been asking sites to turn it on to protect their users from spying (and from censorship and tampering with site content). This year, lots of factors came together to make it happen, including ongoing news about surveillance, advances in Web server capacity, nudges from industry, government, and Web browsers, and the Let's Encrypt certificate authority. By some measures, more than half of page loads in Firefox and in Chrome are now secured with HTTPS—the first time this has ever happened in the Web's history. That's right: for the first time ever, most pages viewed on the Web were encrypted! (As another year-in-review post will discuss, browsers are also experimenting with and rolling out stronger encryption technologies to better protect those connections.)

Sites large and small took turned on HTTPS in 2016, often using certificates from the Let's Encrypt certificate authority (sometimes with EFF's Certbot software, or a range of other options). In just a single year of broad public availability, Let's Encrypt has now helped enable secure connections for over 21 million websites, most of which never had certificates before.

A sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others. Sites they host, and visitors to those sites, can get a boost in security without having to do anything. (And we're getting ongoing benefits from providers like CloudFlare who made the switch in previous years.) A single hosting provider's decision can result in enabling encryption for hundreds of thousands or millions of customers; we hope others will take the plunge too! U.S. government sites also made significant progress adopting HTTPS this year, responding to the administration's guidance in support of HTTPS—a clear and practical explanation of why secure connections should be the default. A caveat: data from Google shows that use of HTTPS varies significantly from country to country, remaining especially uncommon in Japan. We've also heard that it's still uncommon across much of East and Southeast Asia. Next year, we'll have to find ways to bridge those gaps.

“On 57 monitors that cover the walls of the center, operators zoomed and panned an array of roughly 200 police cameras perched across the city. They could dial up 800 more feeds from the city’s schools and traffic cameras, and they soon hope to add 400 more streams from cameras worn on officers’ bodies and from thousands from local businesses that have surveillance systems.” Though the intricate surveillance apparatus described above seems straight from a dystopic novel, it is actually the Washington Post’s recent description of the the visual data collection system employed by a local California police department. The police department in Fresno, California, has taken extreme measures to combat high rates of crime in the city. As the Post reports, Fresno’s Real Time Crime Center, buried deep in the police station’s headquarters, has developed as a response to what many police call increasing threats. The system, according to police officials, can “provide critical information that can help uncover terrorists or thwart mass shootings, ensure the safety of officers and the public, find suspects, and crack open cases” — a feature they say is increasingly important in the wake of events like the November terror attack in Paris and the San Bernardino shooting last month.

“Our officers are expected to know the unknown and see the unseen,” Fresno Chief of Police Jerry Dyer said. “They are making split-second decisions based on limited facts. The more you can provide in terms of intelligence and video, the more safely you can respond to calls.” Programs similar to the Real Time Crime Center have launched in New York, Houston, and Seattle over the course of the last decade. Nationwide, the use of Stingrays, data fusion centers, and aerial drone surveillance have broadened the access local police have to private information. In another example, the FBI is continually developing a comprehensive biometric database that local police access every day. “This is something that’s been building since September 11,” says Jennifer Lynch, a senior attorney at the Electronic Frontier Foundation. Like the problem of police militarization, Lynch traces the trend back to the Pentagon: “First funding went to the military to develop this technology, and now it has come back to domestic law enforcement. It’s the perfect storm of cheaper and easier-to-use technologies and money from state and federal governments to purchase it.”

While many of these programs may fail to shock Americans, one new software program takes police scrutiny of private citizens to a new level. Beware, a software tool produced by tech firm Intrado, not only surveils the data of the citizens of Fresno, the first city to test it — it calculates threat levels based on what it discovers. The software scours arrest records, property records, Deep Web searches, commercial databases, and social media postings. By this method, it was able to designate a man with a firearm and gang convictions involved in a real-time domestic violence dispute as the highest of three threat levels: a bright red ranking. Fresno police say the intelligence from Beware aided them, as the man eventually surrendered and officers found he was armed with a gun. Beware scours billions of data points to develop rankings for citizens, and though few recoil at the thought of catching criminals and miscreants, the program provides particular cause for concern because of both its invasiveness and its fallibility.

The National Security Agency has been secretly granted legal authority to operate a massive domestic eavesdropping system that vacuums up Americans' phone calls and Internet communications, newly leaked documents show. A pair of classified government documents (No. 1 and No. 2) signed by Attorney General Eric Holder and posted by the Guardian on Thursday show that NSA analysts are able to listen to Americans' intercepted phone calls without asking a judge for a warrant first. That appears to be at odds with what President Obama said earlier this week in defense of the NSA's surveillance efforts. "I can say unequivocally is that if you are a U.S. person, the NSA cannot listen to your telephone calls and the NSA cannot target your e-mails," Obama said. The new documents indicate, however, that NSA, CIA, and FBI analysts are granted broad access to data vacuumed up by the world's most powerful intelligence agency -- but are supposed to follow certain "targeting" and "minimization" procedures to limit the number of Americans who become individual targets of warrantless surveillance.

Analysts are expected to exercise "reasonable judgment" in determining which data to use, according to the documents, and "inadvertently acquired communications of or concerning a United States person may be retained no longer than five years." The documents also refer to "content repositories" that contain records of devices' "previous Internet activity," and say the NSA keeps records of Americans' "electronic communications accounts/addresses/identifiers" in an apparent effort to avoid targeting them in future eavesdropping efforts. The Holder procedures were blessed in advance by the secret Foreign Intelligence Surveillance Court, the Guardian reported, meaning that the judges would have issued a general order that authorizes the NSA to engage in warrantless surveillance as long as it's primarily aimed at foreign targets, subject to some limited judicial oversight. Today's disclosure jibes with what Edward Snowden, the former NSA contractor who leaked top-secret documents, alleged in an online chat earlier this week. Snowden said, referring to the contents of e-mail and phone calls, that "Americans' communications are collected and viewed on a daily basis on the certification of an analyst rather than a warrant."

On Sunday, Director of National Intelligence James Clapper released a carefully-worded statement in response to a CNET article and other reports questioning when intelligence analysts can listen to domestic phone calls. Clapper said: "The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress." Clapper's statement was viewed as a denial, but it wasn't. Today's disclosures reveal why: Because the Justice Department granted intelligence analysts "proper legal authorization" in advance through the Holder regulations. "The DNI has a history of playing games with wording, using terms with carefully obscured meanings to leave an impression different from the truth," Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation who has litigated domestic surveillance cases, told CNET earlier this week.

Almost 15 years ago, as I was just finishing a book about the relationship between the Net (we called it “cyberspace” then) and civil liberties, a few ideas seemed so obvious as to be banal: First, life would move to the Net. Second, the Net would change as it did so. Gone would be simple privacy, the relatively anonymous default infrastructure for unmonitored communication; in its place would be a perpetually monitored, perfectly traceable system supporting both commerce and the government. That, at least, was the future that then seemed most likely, as business raced to make commerce possible and government scrambled to protect us (or our kids) from pornographers, and then pirates, and now terrorists. But another future was also possible, and this was my third, and only important point: Recognizing these obvious trends, we just might get smart about how code (my shorthand for the technology of the Internet) regulates us, and just possibly might begin thinking smartly about how we could embed in that code the protections that the Constitution guarantees us. Because—and here was the punchline, the single slogan that all 724 people who read that book remember—code is law. And if code is law, then we need to be as smart about how code regulates us as we are about how the law does so.

There is, after all, something hopeful about a future that was smart about encoding our civil liberties. It could, in theory at least, be better. Better at protecting us from future Nixons, better at securing privacy, and better at identifying those keen to commit crime.

But what astonishes me is that today, more than a decade into the 21st century, the world has remained mostly oblivious to these obvious points about the relationship between law and code. That’s the bit in the Edward Snowden interview that is, to me, the most shocking. As he explained to Glenn Greenwald: The NSA specially targets the communications of everyone. It ingests them by default. It collects them in its system, and it filters them and it analyzes them and it measures them and it stores them for periods of time simply because that’s the easiest and the most efficient and most valuable way to achieve these ends ... Not all analysts have the ability to target everything. But I sitting at my desk certainly had the authority to wiretap anyone—from you [the reporter, Glenn Greenwald], to your accountant, to a federal judge, to even the president if I had a personal email. We don’t know yet whether Snowden is telling the truth. Lots of people have denied specifics, and though his interview is compelling, just now, we literally don’t know. But what we do know are the questions that ought to be asked in response to his claims. And specifically, this: Is it really the case that the government has entrusted our privacy to the good judgment of private analysts? Are there really no code-based controls for assuring that specific surveillance is specifically justified? And what is the technology for assuring that rogues paid by our government can’t use data collected by our government for purposes that none within our government would openly and publicly defend?