Group items tagged

Despite the post-Snowden spotlight on mass surveillance, the intelligence community’s easiest end-run around the Fourth Amendment since 2001 has been something called a National Security Letter. FBI agents can demand that an Internet service provider, telephone company or financial institution turn over its records on any number of people — without any judicial review whatsoever — simply by writing a letter that says the information is needed for national security purposes. The FBI at one point was cranking out over 50,000 such letters a year; by the latest count, it still issues about 60 a day. The letters look like this:

Recipients are legally required to comply — but it doesn’t stop there. They also aren’t allowed to mention the order to anyone, least of all the person whose data is being searched. Ever. That’s because National Security Letters almost always come with eternal gag orders. Here’s that part:

That means the NSL process utterly disregards the First Amendment as well. More than a year ago, President Obama announced that he was ordering the Justice Department to terminate gag orders “within a fixed time unless the government demonstrates a real need for further secrecy.” And on Feb. 3, when the Office of the Director of National Intelligence announced a handful of baby steps resulting from its “comprehensive effort to examine and enhance [its] privacy and civil liberty protections” one of the most concrete was — finally — to cap the gag orders: In response to the President’s new direction, the FBI will now presumptively terminate National Security Letter nondisclosure orders at the earlier of three years after the opening of a fully predicated investigation or the investigation’s close. Continued nondisclosures orders beyond this period are permitted only if a Special Agent in Charge or a Deputy Assistant Director determines that the statutory standards for nondisclosure continue to be satisfied and that the case agent has justified, in writing, why continued nondisclosure is appropriate.

Over five hundred thousand people have signed onto the Stop Watching Us campaign, a nonpartisan, grassroots campaign opposing the dragnet surveillance programs of the National Security Agency (NSA).  Galvanized by newly surfaced evidence confirming the NSA’s surveillance of the phone records and Internet activity of individuals in the United States and abroad, the Stop Watching Us coalition is seeking public accountability and tangible reform to rein in unconstitutional surveillance. 

Yesterday, Sir Tim Berners-Lee, the inventor of the World Wide Web, also added his support to the campaign.  He was joined by internationally renowned artist Ai Weiwei. Other prominent supporters include Icelandic Parliamentarian Birgitta Jónsdóttir, author Cory Doctorow, Pentagon Papers whistleblower Daniel Ellsberg, and actor John Cusack.

"This campaign has been lightening-fast. Hundreds of thousands of people have now called on Congress to provide a full accounting of the National Security Agency’s powerful and frankly unsettling spying practices," said EFF Staff Attorney Mark Rumold, "Now all eyes are turned on Congress to see if they’ll do the right thing and be responsive to the will of the people." Every time a person signs onto the stopwatching.us site, emails opposing dragnet surveillance are sent to that individual’s elected officials or to the president. These emails call for a full investigation and public accounting of the National Security Agency’s spying practices, reform to the law to prevent such surveillance, and holding public officials accountable for the role they played. In addition to signing onto Stop Watching Us, individuals who oppose NSA spying can call their members of Congress using the dedicated call line 1-STOP-323-NSA (1-786-732-3672). Read more about contacting Congress, including more privacy-friendly ways of calling Congress. You can also visit stopwatching.us to add your name to the campaign.

New documents released by the FBI show that the Bureau is well on its way toward its goal of a fully operational face recognition database by this summer. The EFF received these records in response to our Freedom of Information Act lawsuit for information on Next Generation Identification (NGI)—the FBI’s massive biometric database that may hold records on as much as one-third of the US population. The facial recognition component of this database poses real threats to privacy for all Americans.

Today, the US House of Representatives passed an amendment to the Defense Appropriations bill designed to cut funding for NSA backdoors. The amendment passed overwhelmingly with strong bipartisan support: 293 ayes, 123 nays, and 1 present. Currently, the NSA collects emails, browsing and chat history under Section 702 of the FISA Amendments Act, and searches this information without a warrant for the communications of Americans—a practice known as "backdoor searches." The amendment would block the NSA from using any of its funding from this Defense Appropriations Bill to conduct such warrantless searches. In addition, the amendment would prohibit the NSA from using its budget to mandate or request that private companies and organizations add backdoors to the encryption standards that are meant to keep you safe on the web. Mark Rumold, staff attorney for the Electronic Frontier Foundation, stated:

Tonight, the House of Representatives took an important first step in reining in the NSA. The House voted overwhelmingly to cut funding for two of the NSA's invasive surveillance practices: the warrantless searching of Americans' international communications, and the practice of requiring companies to install vulnerabilities in communications products or services. We applaud the House for taking this important first step, and we look forward to other elected officials standing up for our right to privacy. Digital rights organizations, including EFF, strongly supported the amendment. We and other organizations—including Free Press, Fight for the Future, Demand Progress, and Taskforce.is—helped to organize a grassroots campaign to promote the amendment. The day before the vote, we urged friends and members to call their members of Congress through the website ShuttheBackDoor.net. Thousands responded to the call to action. We extend our heartfelt thanks to everyone who spoke out on this issue. This is a great day in the fight to rein in NSA surveillance abuses, and we hope Congress will work to ensure this amendment is in the final version of the appropriations bill that is enacted.

The Intercept published an expose on the NSA's XKeyscore program. Along with information on the breadth and scale of the NSA's metadata collection, The Intercept revealed how the NSA relies on unencrypted cookie data to identify users. As The Intercept says: "The NSA’s ability to piggyback off of private companies’ tracking of their own users is a vital instrument that allows the agency to trace the data it collects to individual users. It makes no difference if visitors switch to public Wi-Fi networks or connect to VPNs to change their IP addresses: the tracking cookie will follow them around as long as they are using the same web browser and fail to clear their cookies." The NSA slides released by The Intercept give detailed guides to understanding the data transmitted by these cookies, as well as how to find unique machine identifiers that analysts can use to differentiate between multiple machines using the same IP address. We've written before about how spy agencies piggyback on social media account data to find Internet users' names or other identifying info, and these slides drive home the point that HTTP cookies leave users vulnerable to government surveillance, since any intermediary (or spy agency) can read the sensitive data they contain.

Worse yet, most of the time these identifying cookies come from third-party sources on webpages, and users have no meaningful way to opt out of receiving them (short of blocking all third party cookies) since advertisers (the main server of these types of cookies) refuse to honor the Do Not Track header.  Browser makers could help address this sort of non-consensual tracking by both advertisers and the NSA with some simple technical changes—changes that have been shown to reduce the number of third party cookies received by 67%. So far, though, they've been unwilling to build privacy protecting features in by default. Until they do, the best way for users to protect themselves is by installing a privacy protecting app like Privacy Badger, which is designed to block these types of uniquely identifying tracking cookies, or HTTPS Everywhere to block the transmission of HTTP cookies.

The Senate Intelligence Committee recently introduced the Cybersecurity Information Sharing Act of 2014. It’s the fourth time in four years that Congress has tried to pass "cybersecurity" legislation. Unfortunately, the newest Senate bill is one of the worst yet. Cybersecurity bills aim to facilitate information sharing between companies and the government, but they always seem to come with broad immunity clauses for companies, vague definitions, and aggressive spying powers. Given such calculated violence to users' privacy rights, it’s no surprise that these bills fail every year. What is a surprise is that the bills keep coming back from the dead. Last year, President Obama signed Executive Order 13636 (EO 13636) directing the Department of Homeland Security (DHS) to expand current information sharing programs that are far more privacy protective than anything seen in recent cybersecurity bills. Despite this, members of Congress like Rep. Mike Rogers and Senator Dianne Feinstein keep on introducing bills that would destroy these privacy protections and grant new spying powers to companies.

Aside from its redundancy, the Senate's bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system. Combined, the two definitions could be read by companies to permit attacks on machines that unwittingly contribute to network congestion. The countermeasures clause will increasingly militarize the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user. Second, the bill adds a new authority for companies to monitor information systems to protect an entity's rights or property. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.

Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government. Its new role in the bill mandates DHS send information to agencies like the NSA—"in real-time and simultaneous[ly]." DHS is even barred from "delay[ing]" or "interfer[ing]" with the information, which ensures that DHS's current privacy protections won’t be applied to the information. The provision is ripe for improper and over-expansive information sharing. This leads to a question: What stops your sensitive personal information from being shared by companies to the government? Almost nothing. Companies must only remove personally identifiable information if the information is known to be US person information and not directly related to the threat. Such a willful blindness approach is inappropriate. Further, the bill does not even impose this weak minimization requirement on information shared by, and within, the government (including federal, state, local, and tribal governments) thereby allowing the government to share information containing personally identifiable information. The bill should require deletion of all information not directly related to a threat.

We all know justice is blind. But that is supposed to mean that everyone before it is treated equally, not that the justice system must close its eyes and refuse to look at important legal issues facing Americans.  Yet the government continues to convince courts that they cannot consider the constitutionality of its behavior in national security cases and, last week, in an important case for anyone who has ever used Wikipedia, another judge agreed with that position.  A federal district judge in Maryland dismissed Wikimedia v. NSA, a case challenging the legality of the NSA’s “upstream” surveillance—mass surveillance of Internet communications as they flow through the Internet backbone. The case was brought by our friends at the ACLU on behalf of nine plaintiffs, including human rights organizations, members of the media, and the Wikimedia Foundation.1 We filed a brief in the case, too, in support of Wikimedia and the other plaintiffs. The judge dismissed the case based on a legal principle called standing. Standing is supposed to ensure, among other things, that the party bringing the lawsuit has suffered a concrete harm, caused by the party being sued, and that the court can resolve the harm with a favorable ruling.

But the U.S. government has taken this doctrine, which was intended to limit the cases federal courts hear to actual live controversies, and turned it into a perverse shell game in surveillance cases—essentially arguing that because aspects of the surveillance program are secret, plaintiffs cannot prove that their communications were actually, in fact, intercepted and surveilled. And without that proof, the government argues, there’s no standing, because plaintiffs can’t show that they’ve suffered harm. Sadly, like several other courts before it, the judge agreed to this shell game and decided that it couldn’t decide whether the constitutional rights of Wikimedia and the other plaintiffs were violated.  This game is mighty familiar to us at EFF, but that doesn’t make it any less troubling. In our system, the courts have a fundamental obligation to conclusively determine the legality of government action that affects individuals’ constitutional rights. For years now, plaintiffs have tried to get the courts to simply issue a ruling on the merits of NSA surveillance programs. And for years, the government has successfully persuaded the courts to rely on standing and related doctrines to avoid doing so. That is essentially what happened here. The court labeled as “speculative” Wikimedia’s claim that, at a minimum, even one of its approximately one trillion Internet communications had been swept up in the NSA’s upstream surveillance program. Remember, this is a program that, by the government’s own admission, involves the searching and scanning of vast amounts of Internet traffic at key Internet junctures on the Internet’s backbone. Yet in court’s view, Wikimedia’s allegations describing upstream—based on concrete facts, taken from government documents— coupled with a plaintiff that engages in a large volume of internet communications were not enough to state a “plausible” claim that Wikimedia had been surveilled.

On the way to reaching that conclusion, and putting on its blindfold, the court made a number of mistakes. The Government’s Automated Eyes Are Still Government Eyes First, it appears the court fundamentally misunderstood Wikimedia’s claim about upstream surveillance and, in particular, “about surveillance.” As Wikimedia alleged, “about surveillance” (a specific aspect of upstream surveillance that searches the content of communications for references to particular email addresses or other identifiers) amounts to “the digital analogue of having a government agent open every piece of mail that comes through the post to determine whether it mentions a particular word or phrase.” The court held, however, that this type of “about” surveillance was “targeted insofar as it makes use of only those communications that contain information matching the tasked selectors,” like email addresses. But what the government "makes use of" is entirely beside the point—it is the scanning of the communications for the tasked selectors in the first place that is the problem.  To put it into a different context, the government conducts a search when it enters into your house and starts rifling through your files—not just when it finds something it wants to keep. The government's ultimate decision to “make use of” the communications it finds interesting is irrelevant. It is the search of the communications that matters.

A House Democrat said information revealed about the National Security Agency's secret surveillance programs are "the tip of the iceberg," Daniel Strauss of The Hill reports. "I think it's just broader than most people even realize, and I think that's, in one way, what astounded most of us, too," Rep. Loretta Sanchez (D-Calif.) told C-SPAN's "Washington Journal" after a classified briefing with national security officials. Rep. Joe Barton (R-Texas), who also attended the meeting, said that the NSA "violated the spirit of the law when it started collecting data from everyone in the country just because technology now makes that possible.” Barton added that "in America ... You don’t target everyone and violate their 4th Amendment rights just because of a handful of threats. But that is exactly what is happening at the NSA ... it is wrong and it needs to stop now.” More from Sanchez: "I don't know if there are other leaks, if there's more information somewhere, if somebody else is going to step up, but I will tell you that I believe it's the tip of the iceberg."

A House Democrat said information revealed about the National Security Agency's secret surveillance programs are "the tip of the iceberg," Daniel Strauss of The Hill reports. "I think it's just broader than most people even realize, and I think that's, in one way, what astounded most of us, too," Rep. Loretta Sanchez (D-Calif.) told C-SPAN's "Washington Journal" after a classified briefing with national security officials. Rep. Joe Barton (R-Texas), who also attended the meeting, said that the NSA "violated the spirit of the law when it started collecting data from everyone in the country just because technology now makes that possible.” Barton added that "in America ... You don’t target everyone and violate their 4th Amendment rights just because of a handful of threats. But that is exactly what is happening at the NSA ... it is wrong and it needs to stop now.”

Glenn Greenwald of the Guardian, who has served as a conduit for Snowden's leaks, recently said that there will me many more "significant revelations that have not yet been heard." Greenwald told The New York Times that he received “thousands” of classified documents — “dozens” of which are newsworthy — from the the 29-year-old ex-Booz Allen employee who was contracted by the NSA. Sanchez said that what lawmakers learned "is significantly more than what is out in the media today," which is interesting when considering previous reports by journalists and whistleblowers.

Update: In response to EFF's FOIA lawsuit, the government has released the 2011 FISA court opinion ruling some NSA surveillance unconstitutional.

It’s been one year since the Guardian first published the Foreign Intelligence Surveillance Court order, leaked by former NSA contractor Edward Snowden, that demonstrated that the NSA was conducting dragnet surveillance on millions of innocent people. Since then, the onslaught of disturbing revelations, from disclosures, admissions from government officials, Freedom of Information Act requests, and lawsuits, has been nonstop. On the anniversary of that first leak, here are 65 things we know about NSA spying that we did not know a year ago

here’s no question that the international relationships Obama pledged to repair, as well as the confidence of the American people in their privacy and constitutional rights, have been damaged by the NSAs dragnet surveillance. But one year later, both the United States and international governments have not taken the steps necessary to ensure that this surveillance ends. That’s why everyone must take action— contact your elected representative, join Reset the Net, and learn about how international law applies to U.S. surveillance today. 

Europe’s highest court on Tuesday struck down an international agreement that allowed companies to move digital information like people’s web search histories and social media updates between the European Union and the United States. The decision left the international operations of companies like Google and Facebook in a sort of legal limbo even as their services continued working as usual.The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy. The court said data protection regulators in each of the European Union’s 28 countries should have oversight over how companies collect and use online information of their countries’ citizens. European countries have widely varying stances towards privacy.

Data protection advocates hailed the ruling. Industry executives and trade groups, though, said the decision left a huge amount of uncertainty for big companies, many of which rely on the easy flow of data for lucrative businesses like online advertising. They called on the European Commission to complete a new safe harbor agreement with the United States, a deal that has been negotiated for more than two years and could limit the fallout from the court’s decision.

Some European officials and many of the big technology companies, including Facebook and Microsoft, tried to play down the impact of the ruling. The companies kept their services running, saying that other agreements with the European Union should provide an adequate legal foundation.But those other agreements are now expected to be examined and questioned by some of Europe’s national privacy watchdogs. The potential inquiries could make it hard for companies to transfer Europeans’ information overseas under the current data arrangements. And the ruling appeared to leave smaller companies with fewer legal resources vulnerable to potential privacy violations.

Human Rights Watch and the ACLU today published a terrific report documenting the chilling effect on journalists and lawyers from the NSA's surveillance programs entitled: "With Liberty to Monitor All: How Large-Scale US Surveillance is Harming Journalism, Law and American Democracy." The report, which is chock full of evidence about the very real harms caused by the NSA's surveillance programs, is the result of interviews of 92 lawyers and journalists, plus several senior government officials.  This report adds to the growing body of evidence that the NSA's surveillance programs are causing real harm.  It also links these harms to key parts of both U.S. constitutional and international law, including the right to counsel, the right of access to information, the right of association and the free press. It is a welcome addition to the PEN report detailing the effects on authors, called Chilling Effects: How NSA Surveillance Drives US Writers to Self-Censor and the declarations of 22 of EFF's clients in our First Unitarian Church of Los Angeles v. NSA case. 

The HRW and ACLU report documents the increasing treatment of journalists and lawyers as legitimate surveillance targets and surveys how they are responding. Brian Ross of ABC says: There’s something about using elaborate evasion and security techniques that’s offensive to me—that I should have to operate as like a criminal, like a spy. The report also notes that the government increasingly likens journalists to criminals. As Scott Shane of the New York Times explains: To compare the exchange of information about sensitive programs between officials and the media, which has gone on for decades, to burglary seems to miss the point. Burglary is not part of a larger set of activities protected by the Constitution, and at the heart of our democracy. Unfortunately, that mindset is sort of the problem. Especially striking in the report is the disconnect between the real stories of chilling effects from reporters and lawyers and the skeptical, but undocumented, rejections from senior government officials.  The reporters explain difficulties in building trust with their sources and the attorneys echo that with stories about the difficulties building client trust.  The senior government officials, in contrast, just say that they don't believe the journalists and appear to have thought little, if at all about the issues facing lawyers.  

We have a problem when it comes to stopping mass surveillance.  The entity that’s conducting the most extreme and far-reaching surveillance against most of the world’s communications—the National Security Agency—is bound by United States law.  That’s good news for Americans. U.S. law and the Constitution protect American citizens and legal residents from warrantless surveillance. That means we have a very strong legal case to challenge mass surveillance conducted domestically or that sweeps in Americans’ communications.  Similarly, the United States Congress is elected by American voters. That means Congressional representatives are beholden to the American people for their jobs, so public pressure from constituents can help influence future laws that might check some of the NSA’s most egregious practices. But what about everyone else? What about the 96% of the world’s population who are citizens of other countries, living outside U.S. borders. They don't get a vote in Congress. And current American legal protections generally only protect citizens, legal residents, or those physically located within the United States. So what can EFF do to protect the billions of people outside the United States who are victims of the NSA’s spying?

For years, we’ve been working on a strategy to end mass surveillance of digital communications of innocent people worldwide. Today we’re laying out the plan, so you can understand how all the pieces fit together—that is, how U.S. advocacy and policy efforts connect to the international fight and vice versa. Decide for yourself where you can get involved to make the biggest difference. This plan isn’t for the next two weeks or three months. It’s a multi-year battle that may need to be revised many times as we better understand the tools and authorities of entities engaged in mass surveillance and as more disclosures by whistleblowers help shine light on surveillance abuses.

More than a month after Sen. Ron Wyden (D-Ore.) requested information about US Customs and Border Protection's practice of searching cell phones at US borders and airports, he's still waiting for answers—but he's not waiting to introduce legislation to end the practice. "It's very concerning that [the Department of Homeland Security] hasn't managed to answer my questions about the number of digital searches at the border, five weeks after I requested that basic information," Wyden, a leading congressional advocate for civil liberties and privacy, told Mother Jones on Tuesday through a spokesman. "If CBP were to undertake a system of indiscriminate digital searches, that would distract CBP from its core mission, dragging time and attention away from catching the bad guys." Wyden's request to DHS and CBP came on the heels of a February 18 report from the Associated Press of a "fivefold increase" in electronic media searches in fiscal year 2016 over the previous year, from fewer than 5,000 to nearly 24,000. It also followed Homeland Security Secretary John Kelly's suggestion that visitors from a select group of countries, mainly Muslim, might be required to hand over passwords to their social media accounts as a condition of entry. (That comment came a week after President Donald Trump first unveiled his executive order⁠ banning travel from seven majority-Muslim countries.) The Knight First Amendment Institute, which advocates for freedom of speech, sued DHS on Monday for records relating to the seizure of electronic devices at border checkpoints. Wyden requested similar data on CBP device searches and demands for travelers' passwords. "There are well-established legal rules governing how law enforcement agencies may obtain data from social media companies and email providers," Wyden wrote in the February 20 letter to DHS and CBP. "By requesting a traveler's credentials and then directly accessing their data, CBP would be short-circuiting the vital checks and balances that exist in our current system." The senator wrote that the searches not only violate civil liberties but could reduce international business travel or force companies to outfit employees with "burner" laptops and mobile devices, "which some firms already use when employees visit nations like China."

"Folks are going to be less likely to travel freely to the US with the devices they need if they don't feel their sensitive business information is going to be safe at the border," Wyden said Tuesday, noting that CBP can copy the information it views on a device. "Then they can store that information and search it without a warrant." Wyden will soon introduce legislation to force law enforcement to obtain warrants before searching devices at the border. His bill would also prevent CBP from compelling travelers to reveal passwords to their accounts. A DHS spokesman said in a statement that "all travelers arriving to the US are subject to CBP inspection," which includes inspection of any electronic devices they may be carrying. Access to these devices, the spokesman said, helps CBP agents ascertain the identity and admissibility of people from other countries and "deter the entry of possible terrorists, terrorist weapons, controlled substances," and other prohibited items. "CBP electronic media searches," the spokesman said, "have resulted in arrests for child pornography, evidence helpful in combating terrorist activity, violations of export controls, convictions for intellectual property rights violations, and visa fraud discoveries." In a March 27 USA Today op-ed, Joseph B. Maher, DHS acting general counsel, compared device searches to searching luggage. "Just as Customs is charged with inspecting luggage, vehicles and cargo containers upon arrival to the USA, there are circumstances in this digital age when we must inspect an electronic device for violations of the law," Maher wrote.

But in a unanimous 2014 ruling, the Supreme Court found that police need warrants to search cell phones. Chief Justice John Roberts wrote in the opinion that cell phones are "such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy." In response to a Justice Department argument that cell phones were akin to wallets, purses, and address books, Roberts wrote: "That is like saying a ride on horseback is materially indistinguishable from a flight to the moon." The law, however, applies differently at the border because of the "border search doctrine," which has traditionally given law enforcement wider latitude under the Fourth Amendment to perform searches at borders and international airports. CBP says it keeps tight controls on its searches and is sensitive to personal privacy. Wyden isn't convinced. "Given Trump's worrying track record so far, and the ease with which CBP could change its guidelines, it's important we create common-sense statutory protections for Americans' liberty and security," he says.

This was a great year for adoption of HTTPS encryption for secure connections to websites. HTTPS is an essential technology for security and privacy on the Web, and we've long been asking sites to turn it on to protect their users from spying (and from censorship and tampering with site content). This year, lots of factors came together to make it happen, including ongoing news about surveillance, advances in Web server capacity, nudges from industry, government, and Web browsers, and the Let's Encrypt certificate authority. By some measures, more than half of page loads in Firefox and in Chrome are now secured with HTTPS—the first time this has ever happened in the Web's history. That's right: for the first time ever, most pages viewed on the Web were encrypted! (As another year-in-review post will discuss, browsers are also experimenting with and rolling out stronger encryption technologies to better protect those connections.)

Sites large and small took turned on HTTPS in 2016, often using certificates from the Let's Encrypt certificate authority (sometimes with EFF's Certbot software, or a range of other options). In just a single year of broad public availability, Let's Encrypt has now helped enable secure connections for over 21 million websites, most of which never had certificates before.

A sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others. Sites they host, and visitors to those sites, can get a boost in security without having to do anything. (And we're getting ongoing benefits from providers like CloudFlare who made the switch in previous years.) A single hosting provider's decision can result in enabling encryption for hundreds of thousands or millions of customers; we hope others will take the plunge too! U.S. government sites also made significant progress adopting HTTPS this year, responding to the administration's guidance in support of HTTPS—a clear and practical explanation of why secure connections should be the default. A caveat: data from Google shows that use of HTTPS varies significantly from country to country, remaining especially uncommon in Japan. We've also heard that it's still uncommon across much of East and Southeast Asia. Next year, we'll have to find ways to bridge those gaps.

Today the federal Government Accountability Office (GAO) finally published its exhaustive report on the FBI’s face recognition capabilities. The takeaway: FBI has access to hundreds of millions more photos than we ever thought. And the Bureau has been hiding this fact from the public—in flagrant violation of federal law and agency policy—for years. According to the GAO Report, FBI’s Facial Analysis, Comparison, and Evaluation (FACE) Services unit not only has access to FBI’s Next Generation Identification (NGI) face recognition database of nearly 30 million civil and criminal mug shot photos, it also has access to the State Department’s Visa and Passport databases, the Defense Department’s biometric database, and the drivers license databases of at least 16 states. Totaling 411.9 million images, this is an unprecedented number of photographs, most of which are of Americans and foreigners who have committed no crimes. The FBI has done little to make sure that its search results (which the Bureau calls “investigative leads”) do not include photos of innocent people, according to the report. The FBI has conducted only very limited testing to ensure the accuracy of NGI's face recognition capabilities. And it has not taken any steps to determine whether the face recognition systems of its external partners—states and other federal agencies—are sufficiently accurate to prevent innocent people from being identified as criminal suspects. As we know from previous research, face recognition is notoriously inaccurate across the board and may also misidentify African Americans and ethnic minorities, young people, and women at higher rates than whites, older people, and men, respectively.

The GAO’s findings are especially shocking, given the timing. Just over a month ago the FBI demanded its face recognition capabilities be exempt from several key provisions of the federal Privacy Act—and provided the public with only 30 days to respond.

This morning, the US Senate defeated the Cybersecurity Act of 2012, a bill that would have given companies new rights to monitor our private communications and pass that data to the government. The bill sponsors were 8 votes short of the 60 votes necessary to end debate on the bill (vote breakdown here). This is a victory for Internet freedom advocates everywhere. Hundreds of thousands of individuals emailed, tweeted, called, and sent Facebook messages to Senators asking them to defend privacy in the cybersecurity debate. Those voices were heard loud and clear in the halls of Congress today. EFF extends our heartfelt thanks to everyone who fought with us on this issue. We can all be proud today that there was no law enacted on our watch that would have compromised the online privacy rights of Internet users in the name of cybersecurity.  

Internet users also found they had powerful friends in the Senate. Senators Al Franken, Richard Durbin, Chris Coons, Bernie Sanders, Daniel Akaka, Ron Wyden and Richard Blumenthal championed civil liberties fixes to the bill. Senator Wyden, in particular, opposed the bill on privacy grounds, stating:  Today’s vote was one in which Senators were asked to sacrifice Internet users’ privacy and civil liberties for weak proposals to improve cyber security; I voted no. And Senators Al Franken and Rand Paul sponsored an amendment that would have removed the most privacy-invasive provisions of the bill. These champions of online rights helped us in the cybersecurity fight – and will hopefully stand with us again in defending civil liberties the next time this issue arises.

Earlier today, President Obama announced a series of reforms to address abuses by the National Security Agency. We were heartened to see Obama recognized that the NSA has gone too far in trampling the privacy rights of people worldwide. In his speech, the President ensured that National Security Letters would not come with perpetual gag orders, brought new levels of transparency and fairness to the FISA court, and ended bulk collection of telephone records by the NSA. However, there is still much more to be done. We’ve put together a scorecard showing how Obama’s announcements stack up against 12 common sense fixes that should be a minimum for reforming NSA surveillance. Each necessary reform was worth 1 point, and we were willing to award partial credit for steps in the right direction. On that scale, President Obama racked up 3.5 points out of a possible 12.

The National Security Agency has been secretly granted legal authority to operate a massive domestic eavesdropping system that vacuums up Americans' phone calls and Internet communications, newly leaked documents show. A pair of classified government documents (No. 1 and No. 2) signed by Attorney General Eric Holder and posted by the Guardian on Thursday show that NSA analysts are able to listen to Americans' intercepted phone calls without asking a judge for a warrant first. That appears to be at odds with what President Obama said earlier this week in defense of the NSA's surveillance efforts. "I can say unequivocally is that if you are a U.S. person, the NSA cannot listen to your telephone calls and the NSA cannot target your e-mails," Obama said. The new documents indicate, however, that NSA, CIA, and FBI analysts are granted broad access to data vacuumed up by the world's most powerful intelligence agency -- but are supposed to follow certain "targeting" and "minimization" procedures to limit the number of Americans who become individual targets of warrantless surveillance.

Analysts are expected to exercise "reasonable judgment" in determining which data to use, according to the documents, and "inadvertently acquired communications of or concerning a United States person may be retained no longer than five years." The documents also refer to "content repositories" that contain records of devices' "previous Internet activity," and say the NSA keeps records of Americans' "electronic communications accounts/addresses/identifiers" in an apparent effort to avoid targeting them in future eavesdropping efforts. The Holder procedures were blessed in advance by the secret Foreign Intelligence Surveillance Court, the Guardian reported, meaning that the judges would have issued a general order that authorizes the NSA to engage in warrantless surveillance as long as it's primarily aimed at foreign targets, subject to some limited judicial oversight. Today's disclosure jibes with what Edward Snowden, the former NSA contractor who leaked top-secret documents, alleged in an online chat earlier this week. Snowden said, referring to the contents of e-mail and phone calls, that "Americans' communications are collected and viewed on a daily basis on the certification of an analyst rather than a warrant."

On Sunday, Director of National Intelligence James Clapper released a carefully-worded statement in response to a CNET article and other reports questioning when intelligence analysts can listen to domestic phone calls. Clapper said: "The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress." Clapper's statement was viewed as a denial, but it wasn't. Today's disclosures reveal why: Because the Justice Department granted intelligence analysts "proper legal authorization" in advance through the Holder regulations. "The DNI has a history of playing games with wording, using terms with carefully obscured meanings to leave an impression different from the truth," Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation who has litigated domestic surveillance cases, told CNET earlier this week.

The Patriot Act continues to wreak its havoc on civil liberties. Section 213 was included in the Patriot Act over the protests of privacy advocates and granted law enforcement the power to conduct a search while delaying notice to the suspect of the search. Known as a “sneak and peek” warrant, law enforcement was adamant Section 213 was needed to protect against terrorism. But the latest government report detailing the numbers of “sneak and peek” warrants reveals that out of a total of over 11,000 sneak and peek requests, only 51 were used for terrorism. Yet again, terrorism concerns appear to be trampling our civil liberties. Throughout the Patriot Act debate the Department of Justice urged Congress to pass Section 213 because it needed the sneak and peak power to help investigate and prosecute terrorism crimes “without tipping off terrorists.” In 2005, FBI Director Robert Mueller continued the same exact talking point, emphasizing sneak and peek warrants were “an invaluable tool in the war on terror and our efforts to combat serious criminal conduct.”

What do the reports reveal? Two things: 1) there has been an enormous increase in the use of sneak and peek warrants and 2) they are rarely used for terrorism cases. First, the numbers: Law enforcement made 47 sneak-and-peek searches nationwide from September 2001 to April 2003. The 2010 report reveals 3,970 total requests were processed. Within three years that number jumped to 11,129. That's an increase of over 7,000 requests. Exactly what privacy advocates argued in 2001 is happening: sneak and peak warrants are not just being used in exceptional circumstances—which was their original intent—but as an everyday investigative tool.

Second, the uses: Out of the 3,970 total requests from October 1, 2009 to September 30, 2010, 3,034 were for narcotics cases and only 37 for terrorism cases (about .9%). Since then, the numbers get worse. The 2011 report reveals a total of 6,775 requests. 5,093 were used for drugs, while only 31 (or .5%) were used for terrorism cases. The 2012 report follows a similar pattern: Only .6%, or 58 requests, dealt with terrorism cases. The 2013 report confirms the incredibly low numbers. Out of 11,129 reports only 51, or .5%, of requests were used for terrorism. The majority of requests were overwhelmingly for narcotics cases, which tapped out at 9,401 requests.