Tag Archives: Electronic Frontier Foundation

The Illusion of Privacy: CISPA


When a coalition of internet activists and web companies scuppered the Hollywood-sponsored Stop Online Piracy Act (SOPA) last year, they warned Congress that future attempts to push through legislation that threatened digital freedoms would be met with a similar response. Now some of them are up in virtual arms again, this time against the Cyber Intelligence Sharing and Protection Act (CISPA)….

Its fans, which include companies such as IBM and Intel, say the bill’s provisions will help America defend itself against attempts by hackers to penetrate vital infrastructure and pinch companies’ intellectual property. CISPA’s critics, which include the Electronic Frontier Foundation, a digital-rights group, and Mozilla, the maker of the Firefox web browser, argue that it could achieve that goal without riding roughshod over privacy laws designed to prevent the government getting its hands on citizens’ private data without proper judicial oversight.

CISPA aims to encourage intelligence-sharing…  [CISPA requires of companies] to be more forthcoming by offering them an exemption from civil and criminal liability when gathering and sharing data about cyber-threats…[T]he bill is vague about what sort of information on cyber-threats can be shared. So in theory everything from e-mails to medical records could end up being shipped to intelligence agencies, even if it is not needed. Harvey Anderson of Mozilla says CISPA “creates a black hole” through which all kinds of data could be sucked in by the government.

The bill does forbid the use by officials of personal information from medical records, tax returns and a list of other documents. But its critics say it would be far better if companies had to excise such data before sharing what is left. They also note that the broad legal protection CISPA offers to firms could be abused by companies keen to cover up mishaps in their handling of customer data. A more carefully worded legal indemnity would stop that happening.

All this has exposed a rift in the internet world. Whereas Mozilla and other firms want CISPA to be overhauled or scrapped, some web firms that helped sink SOPA seem ambivalent. Google claims it has taken no formal position on the draft legislation and is “watching the process closely”. But TechNet, an industry group whose members include the web giant and Facebook, has written to the House Intelligence Committee expressing support for CISPA. If Google and other web companies do have doubts about some of the bill’s provisions, now would be the time for them to sound the alarm.

Cyber-Security, From SOPA to CISPA, Economist, Apr. 20, 2013, at 32

Web Mining and Beyond: FBI against Internet Freedom


National Security Letters [NSLs] are written demands from the FBI that compel internet service providers, credit companies, financial institutions and others to hand over confidential records about their customers, such as subscriber information, phone numbers and e-mail addresses, websites visited and more.  NSLs are a powerful tool because they do not require court approval, and they come with a built-in gag order, preventing recipients from disclosing to anyone that they have even received an NSL. An FBI agent looking into a possible anti-terrorism case can self-issue an NSL to a credit bureau, ISP or phone company with only the sign-off of the Special Agent in Charge of their office. The FBI has to merely assert that the information is “relevant” to an investigation into international terrorism or clandestine intelligence activities.

The lack of court oversight raises the possibility for extensive abuse of NSLs under the cover of secrecy, which the gag order only exacerbates. In 2007 a Justice Department Inspector General audit found that the FBI had indeed abused its authority and misused NSLs on many occasions. After 9/11, for example, the FBI paid multimillion-dollar contracts to AT&T and Verizon requiring the companies to station employees inside the FBI and to give these employees access to the telecom databases so they could immediately service FBI requests for telephone records. The IG found that the employees let FBI agents illegally look at customer records without paperwork and even wrote NSLs for the FBI.

The first challenge to NSLs occurred around an NSL that was sent in 2005 to Library Connection, a consolidated back office system for several libraries in Connecticut. The gag order was challenged and found to be unconstitutional because it was a blanket order and was automatic. As a result of that case, the government revised the statute to allow recipients to challenge the gag order. Now companies can simply notify the FBI in writing that they oppose the gag order, leaving the burden on the FBI to prove in court that disclosure of an NSL would harm a national security case. The case also led to changes in Justice Department procedures. Since Feb. 2009, NSLs must include express notification to recipients that they have a right to challenge the built-in gag order that prevents them from disclosing to anyone that the government is seeking customer records.

Few recipients, however, have ever used this right to challenge the letters or gag orders.

When recipients have challenged NSLs, the proceedings have occurred mostly in secret, with court documents either sealed or redacted heavily to cover the name of the recipient and other identifying details about the case.

In March 2013, U.S. District Judge Susan Illston (California) ordered the government to stop issuing so-called NSLs across the board, in a stunning defeat for the Obama administration’s surveillance practices. She also ordered the government to cease enforcing the gag provision in any other cases. However, she stayed her order for 90 days to give the government a chance to appeal to the Ninth Circuit Court of Appeals.

“We are very pleased that the Court recognized the fatal constitutional shortcomings of the NSL statute,” said Matt Zimmerman, senior staff attorney for the Electronic Frontier Foundation, which filed a challenge to NSLs on behalf of an unknown telecom that received an NSL in 2011. “The government’s gags have truncated the public debate on these controversial surveillance tools. Our client looks forward to the day when it can publicly discuss its experience.”  The telecommunications company received the ultra-secret demand letter in 2011 from the FBI seeking information about a customer or customers. The company took the extraordinary and rare step of challenging the underlying authority of the National Security Letter, as well as the legitimacy of the gag order that came with it.

After the telecom challenged the NSL, the Justice Department took its own extraordinary measure and sued the company, arguing in court documents that the company was violating the law by challenging its authority.

In her ruling, Judge Illston agreed with EFF, saying that the NSL nondisclosure provisions “significantly infringe on speech regarding controversial government powers.”  She noted that the telecom had been “adamant about its desire to speak publicly about the fact that it received the NSL at issue to further inform the ongoing public debate” on the government’s use of the letters.  She also said that the review process for challenging an order violated the separation of powers. Because the gag order provisions cannot be separated from the rest of the statute, Illston ruled that the entire statute was unconstitutional.

Illston found that although the government made a strong argument for prohibiting the recipients of NSLs from disclosing to the target of an investigation or the public the specific information being sought by an NSL, the government did not provide a compelling argument that the mere fact of disclosing that an NSL was received harmed national security interests. A blanket prohibition on disclosure, she found, was overly broad and “creates too large a danger that speech is being unnecessarily restricted.” She noted that 97 percent of the more than 200,000 NSLs that have been issued by the government were issued with nondisclosure orders.

——

Number of NSLs Issued by FBI

2003: 39,346
2004: 56,507
2005: 47,221
2006: 49,425
2007: 16,804
2008: 24,744
2009: 14,788
2010: 24,287
2011: 16,511

(Source: DoJ reports)

She also noted that since the gag order on NSLs is indefinite — unless a recipient files a petition with the court asking it to modify or set aside the nondisclosure order — it amounts to a “permanent ban on speech absent the rare recipient who has the resources and motivation to hire counsel and affirmatively seek review by a district court.”

This case is remarkable for a number of reasons, among them the fact that a telecom challenged the NSL in the first place, and that EFF got the government to agree to release some of the documents to the public, though the telecom was not identified in them. The Wall Street Journal, however, used details left in the court records, and narrowed the likely plaintiffs down to one, a small San Francisco-based telecom named Credo. The company’s CEO, Michael Kieschnick, didn’t confirm or deny that his company is the unidentified recipient of the NSL, but did release a statement following Illston’s ruling.

“This ruling is the most significant court victory for our constitutional rights since the dark day when George W. Bush signed the Patriot Act,” Kieschnick said. “This decision is notable for its clarity and depth. From this day forward, the U.S. government’s unconstitutional practice of using National Security Letters to obtain private information without court oversight and its denial of the First Amendment rights of National Security Letter recipients have finally been stopped by our courts.”

The case began sometime in 2011, when Credo or another telecom received the NSL from the FBI. EFF filed a challenge on behalf of the telecom in May that year on First Amendment grounds, asserting first that the gag order amounted to unconstitutional prior restraint and, second, that the NSL statute itself “violates the anonymous speech and associational rights of Americans” by forcing companies to hand over data about their customers.

The redacted documents don’t indicate the exact information the government was seeking from the telecom, and EFF won’t disclose the details. But by way of general explanation, Zimmerman said that the NSL statute allows the government to compel an ISP or web site to hand over information about someone who posted anonymously to a message board or to compel a phone company to hand over “calling circle” information, that is, information about who has communicated with someone by phone.

An FBI agent could give a telecom a name or a phone number, for example, and ask for the numbers and identities of anyone who has communicated with that person. “They’re asking for association information – who do you hang out with, who do you communicate with, [in order] to get information about previously unknown people.

“That’s the fatal flaw with this [law],” Zimmerman told Wired last year. “Once the FBI is able to do this snooping, to find out who Americans are communicating with and associating with, there’s no remedy that makes them whole after the fact. So there needs to be some process in place so the court has the ability ahead of time to step in on behalf of Americans.”

Excerpts, Kim Zetter, Federal Judge Finds National Security Letters Unconstitutional, Bans Them, Wired, Mar. 15, 2013

Chevron, 50 Activists and their Email Accounts

The Electronic Frontier Foundation (EFF) and EarthRights International (ERI) asked judges in California and New York today to quash subpoenas issued by Chevron Corporation to three email providers demanding identifying information about the users of more than 100 email accounts, including environmental activists, journalists, and attorneys. The information Chevron wants could be used to create a detailed map of the individuals’ locations and associations over nearly a decade.

The subpoenas are the latest salvo in the long-running battle over damage caused by oil drilling in Ecuador. After years of litigation, an Ecuadorian court last year imposed a judgment of over $17 billion on Chevron for dumping toxic waste into Amazon waterways and causing massive harm to the rainforest. Instead of paying, Chevron sued more than 50 people who were involved in the Ecuador lawsuit, claiming they were part of a conspiracy to defraud the oil giant. None of the individuals represented by EFF and ERI has been sued by Chevron or accused of wrongdoing.

“Environmental advocates have the right to speak anonymously and travel without their every move and association being exposed to Chevron,” said Marcia Hofmann, EFF Senior Staff Attorney. “These sweeping subpoenas create a chilling effect among those who have spoken out against the oil giant’s activities in Ecuador.”

The motions to quash filed today asked the courts to reject the subpoenas, pointing out that anonymous speakers who are not parties in a lawsuit receive particularly strong First Amendment protections. EFF first won court recognition of this protection in Doe v. 2theMart.com in 2001. Chevron’s subpoenas also violate the legal protections for the right of association for political action that were developed during the civil rights era.

“The courts have long recognized that forcing activists to reveal their names and political associations will chill First Amendment rights and can only be done in the most extreme situations,” added Marco Simons, Legal Director of ERI, which has provided legal assistance to third parties affected by the Chevron litigation in two international proceedings. “We look forward to having those longstanding principles applied in this case so that people can engage in journalism and political activism and assist in litigation against environmental destruction without fear that their identities and personal email information will be put at risk.”

EFF and ERI are challenging the subpoenas to Google and Yahoo! in the U.S. District Court for the Northern District of California and the subpoena to Microsoft in the U.S. District Court for the Northern District of New York.

EFF and ERI Fight to Quash Speech-Chilling Subpoenas from Chevron, Press Release of Electronic Frontier Foundation, Oct. 22, 2012

See also Chevron and Amazon