Deeplinks
The Council on American-Islamic Relations (CAIR) recently filed complaints against U.S. Customs and Border Protection (CBP) for, in part, demanding social media information from Muslim American citizens returning home from traveling abroad. According to CAIR, CBP accessed public posts by demanding social media handles, and potentially accessed private posts by demanding cell phone passcodes and perusing social media apps. And border agents allegedly physically abused one man who refused to hand over his unlocked phone.
CBP recently began asking foreign visitors to the U.S. from Visa Waiver Countries for their social media identifiers. Last fall we filed our own comments opposing the policy, and joined two sets of coalition comments, one by the Center for Democracy & Technology and the other by the Brennan Center for Justice. Notably, CBP explained that it was only seeking publicly available social media data, “consistent with the privacy settings the applicant has set on the platforms.”
We raised concerns that the policy would be extended to cover Americans and private data. It appears our fears have come true far faster than we expected. Specifically, we wrote:
It would be a series of small steps for CBP to require all those seeking to enter the U.S.—both foreign visitors and U.S. citizens and residents returning home—to disclose their social media handles to investigate whether they might have become a threat to homeland security while abroad. Or CBP could subject both foreign visitors and U.S. persons to invasive device searches at ports of entry with the intent of easily accessing any and all cloud data; CBP could then access both public and private online data—not just social media content and contacts that may or may not be public (e.g., by perusing a smartphone’s Facebook app), but also other private communications and sensitive information such as health or financial status.
We believe that the CBP practices against U.S. citizens alleged by CAIR violate the Constitution. Searching through Americans’ social media data and personal devices intrudes upon both First and Fourth Amendment rights.
CBP’s 2009 policy on border searches of electronic devices is woefully out of date. It does not contemplate how accessing social media posts and other communications—whether public or private—creates chilling effects on freedom of speech, including the First Amendment right to speak anonymously, and the freedom of association.
Nor does the policy recognize the significant privacy invasions of accessing private social media data and other cloud content that is not publicly viewable. In claiming that its program of screening the social media accounts of Visa Waiver Program visitors does not bypass privacy settings, CBP is paying more heed to the rights of foreigners than American citizens.
Finally, the CBP policy does not address recent court decisions that limit the border search exception, which permits border agents to conduct “routine” searches without a warrant or individualized suspicion (contrary to the general Fourth Amendment rule requiring a warrant based on probable cause for government searches and seizures). These new legal rulings place greater Fourth Amendment restrictions on border searches of digital devices that contain highly personal information.
As we recently explained:
The U.S. Court of Appeals for the Ninth Circuit in U.S. v. Cotterman (2013) held that border agents needed to have reasonable suspicion—somewhere between no suspicion and probable cause—before they could conduct a “forensic” search, aided by sophisticated software, of the defendant’s laptop….
The Supreme Court held in Riley v. California (2014) that the police may not invoke another exception to the warrant requirement, the search-incident-to-arrest exception, to search a cell phone possessed by an arrestee—instead, the government needs a probable cause warrant. The Court stated, “Our holding, of course, is not that the information on a cell phone is immune from search; it is instead that a warrant is generally required before such a search, even when a cell phone is seized incident to arrest.”
Although Riley was not a border search case, the Riley rule should apply at the border, too. Thus, CBP agents should be required to obtain a probable cause warrant before searching a cell phone or similar digital device.
Both Riley and Cotterman recognized that the weighty privacy interests in digital devices are even weightier when law enforcement officials use these devices to search cloud content. A digital device is not an ordinary “effect” akin to a piece of luggage or wallet, but rather is a portal into an individual’s entire life, much of which is online.
The Ninth Circuit wrote:
With the ubiquity of cloud computing, the government’s reach into private data becomes even more problematic. In the “cloud,” a user’s data, including the same kind of highly sensitive data one would have in “papers” at home, is held on remote servers rather than on the device itself. The digital device is a conduit to retrieving information from the cloud, akin to the key to a safe deposit box. Notably, although the virtual “safe deposit box” does not itself cross the border, it may appear as a seamless part of the digital device when presented at the border.
And the Supreme Court wrote:
To further complicate the scope of the privacy interests at stake, the data a user views on many modern cell phones may not in fact be stored on the device itself. Treating a cell phone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter…. But the analogy crumbles entirely when a cell phone is used to access data located elsewhere, at the tap of a screen. That is what cell phones, with increasing frequency, are designed to do by taking advantage of “cloud computing.” Cloud computing is the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself. Cell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference.
The Riley Court went on to state:
The United States concedes that the search incident to arrest exception may not be stretched to cover a search of files accessed remotely—that is, a search of files stored in the cloud…. Such a search would be like finding a key in a suspect’s pocket and arguing that it allowed law enforcement to unlock and search a house.
Thus, the border search exception also should not be “stretched to cover” social media or other cloud data, particularly that which is protected by privacy settings and thus not publicly viewable. In other words, a border search of a traveler’s cloud content is not “routine” and thus should not be allowed in the absence of individualized suspicion. Indeed, border agents should heed the final words of the unanimous Riley decision: “get a warrant.”
We hope CBP will fully and fairly investigate CAIR’s grave allegations and provide a public explanation. We also urge the agency to change its outdated policy on border searches of electronic devices to comport with recent developments in case law. Americans should not fear having their entire digital lives unreasonably exposed to the scrutiny of the federal government simply because they travel abroad.
EFF is one of the three non-profits featured in CREDO's giving pool this month. If you're a CREDO customer or member of its action network, vote for EFF before the end of the month to help direct as much as $150,000 to support the defense of digital civil liberties!
Since its founding, CREDO members have raised more than $81 million for different charities. Each month, CREDO selects three groups to receive a portion of donations that the selected nonprofits then use to drive positive change. CREDO customers generate funds as they use paid services—like making phone calls or using credit cards—and members can vote on how to distribute donations among the selected charities. The more votes a group receives, the higher its share of that month's donations.
EFF is proud to stand alongside organizations that defend users' rights. Last fall, CREDO revealed that EFF had been representing them in a long legal battle over the constitutionality of national security letters (NSLs). The FBI has issued unknown numbers of NSL demands for companies' customer information without a warrant or court supervision; NSLs are typically accompanied by a gag order, making it difficult for the recipients to complain or resist. Until recently, such a gag prevented CREDO from disclosing it had received two NSLs in 2013. However, in March, a district court found that the FBI had failed to demonstrate the need for this particular gag, allowing CREDO to explain why the legal challenge is important to the company and its customers.
We are honored to be one of January's charities, and we hope you will vote for us. You can also support our work by spreading the word on Twitter and Facebook or just becoming an EFF member!
EFF is happy to welcome our newest Staff Technologist Erica Portnoy. Erica is joining EFF's technology projects team, a group of technologists and computer scientists engineering responses to the problems of third-party tracking, inconsistent encryption, and other threats to users' privacy and security online. Erica earned her BSE in computer science at Princeton, and comes to EFF with experience in messaging privacy, searchable encryption, and tech policy and civil rights.
I asked Erica a few questions about her background and what she'll be working on at EFF.
What are you most excited about working on this year?
I'm excited to be working on Certbot, EFF's Let's Encrypt client. We're gradually working towards stability and the long tail of usage cases. I'm hoping to get it so that it just works for as many people as possible, so they can get and install their certificates 100% painlessly.
What drew you to EFF?
EFF's tech projects team is doing the uncommon work of making direct, concrete, technical contributions to improving people's safety online. Plus, everyone who works here is the nicest person you'll ever meet, which I promise is not logically inconsistent.
What kind of research did you do before coming to EFF?
My previous work involved experimenting with cryptographically-enforced privacy for cloud services. So I've worked with ORAM and encrypted search and SGX, to drop some jargon.
What advice would you have for users trying to secure their communications?
If you are only going to do one thing, use a password manager and diceware. I use the one built into Chrome, with a sync passphrase set up. No one's going to bother exploiting a million-dollar bug if your password is the same as the one you used for a service that was recently breached.
But more broadly, this is a hard issue, and the best thing to do is different for every individual. Definitely look at our Surveillance Self-Defense guide for more in-depth recommendations.
On another side of that, what should tech companies be doing to protect their users? How can users hold them accountable?
Especially now, companies can't absolve themselves of the responsibility for their users by claiming, "Well, high-risk users shouldn't be using our product." If a company makes a product that is used by people in high-risk situations, it is their duty to protect their users by offering the ability to turn on security features.
But that's the bare minimum. A system should neither compute nor retain information that could harm its users, and organizations that might have this data must also fight to protect people on a legal front.
As for users, making your voice heard will inform design decisions. Leave a one-star review on an application distribution platform, like the Play Store or App Store, and include specific details of how the design decision in the product is harmful to your safety or the safety of those you care about. Do the same thing on Twitter. It's hard to prioritize features without knowing what people want to see.
How much are you loving EFF's dog-friendly offices?
90% of why I'm not a TGIF person is because Neko doesn't come in on Fridays. The other 10% is because Neko won't be there on the weekend, either.
EFF has submitted comments to the Patent Office urging it not to support efforts to undermine the Supreme Court’s recent decision in Alice v. CLS Bank. The Patent Office had called for public submissions regarding whether “legislative changes are desirable” in response to recent court decisions, including Alice. We explain that, far from harming the software industry, Alice has helped it thrive.
When the Supreme Court issued its ruling in Alice, it was a shock to a patent system that had been churning out software patents by the tens of thousands every year. Back in the 1990s, the Federal Circuit had opened the software patent floodgate with its ruling in State Street and In re Alappat. That decision held that any general purpose computer could be eligible for a patent so long as it is programmed to perform a particular function. In Alice, the Supreme Court substantially moderated that holding by ruling that a generic computer is not eligible for a patent simply because it is programmed to implement an abstract idea.
Courts have applied Alice to throw out many of the worst software patents. Alice is particularly valuable because, in some cases, courts have applied it early in litigation thereby preventing patent trolls from using the high expense of litigation to pressure defendants into settlements. While we think that the Federal Circuit could do more to diligently apply Alice, it has at least been a step forward.
As the Alice case made its way to the Supreme Court, defenders of software patents predicted disaster would befall the software industry if the courts invalidated the patent. For example, Judge Moore of the Federal Circuit suggested that a ruling for the defendant “would decimate the electronics and software industries.” This prediction turned out to be entirely inaccurate.
In our comments, we explain that the software industry has thrived in the wake of Alice. For example, while R&D spending on software and Internet development went up an impressive 16.5% in the 12 months prior to the Alice decision, it increased by an even more dramatic 27% in the year following Alice. Similarly, employment growth for software developers remains very strong, as anyone who has tried to rent an apartment in the Bay Area can attest.
We also express concern that the Patent Office’s guidance puts the thumb on the scale in favor of patent eligibility. For example, the Patent Office’s call for comments asked how it can make certain decisions better known to examiners. But it focused only on decisions finding patent claims eligible. During the same period, even more decisions were issued by the Federal Circuit finding software-related claims ineligible, but those decisions were left off the list.
Some commentators have suggested that the Patent Office takes an “intentionally narrow” view of Alice. But it is not the Patent Office’s job to narrow Supreme Court holdings; its job is to apply them. Ultimately, the patent system does not exist to create jobs for patent prosecutors, examiners, or litigators. It exists for the constitutional purpose of “promot[ing] the Progress of Science and useful Arts.” With no evidence that Alice is harming software development, the Patent Office should not focus on pushing more patenting on the industry.
Many other non-profits and companies submitted comments in favor of the changes brought by the Alice decision. These include comments from Public Knowledge, Engine, and Mozilla. We hope the Patent Office listens to this feedback from outside the patent world before making any legislative recommendations.
Public comment periods are an important check on concentrated interests pushing regulations that hurt the public interest. EFF regularly submits comments to the Patent Office where rules are proposed that would harm the public. For example, EFF and Public Knowledge recently submitted comments to the Patent Office regarding applicants' duties of disclosure. This is the duty to tell the Patent Office about material (such as existing inventions) relevant to whether the application is patentable. The Patent Office has proposed a new rule that would require patent applicants to submit material only if the material would actually lead to a rejection of a pending claim. That is, the Patent Office proposed adopting the standard set out in a case called Therasense, which was a decision from the Court of Appeals for the Federal Circuit regarding the standards for finding a patent invalid for inequitable conduct. The Patent Office justified its proposed change as being simpler for applicants and as lessening the incentives to submit only marginally relevant material.
In our comments, we urged the Patent Office to maintain its current standards. We explain that the change would lead to no reduction in charges of inequitable conduct. In addition, we suggested that a better incentive for reducing the amount of marginally relevant material would be for the Patent Office to more frequently enforce procedures requiring patent applicants to explain the relevance of materials submitted to the office.
After a postponed hearing in October, final arguments in Diego Gomez’s case are scheduled for Wednesday, January 25. This marks the potential conclusion of a court case that has gone on for more than two and a half years. Regardless of the verdict, Diego’s case is an urgent, global reminder to advocates of open research: open access must become the default in academic publishing, and we need global reforms to get there.
When Diego Gomez, a biology master’s student at the University of Quindio in Colombia, shared a colleague’s thesis with other scientists over the Internet, he was doing what any other science grad student would do: sharing research he found useful so others could benefit from it and build on it. But the author of the paper filed a lawsuit over the “violation of [his] economic and related rights,” putting this master’s graduate in his late 20s at risk of being sentenced to four to eight years in prison with crippling monetary fines. (Colombian digital rights organization Fundación Karisma, in addition to providing Diego with legal assistance, has documented Diego’s story in detail here.)
Diego’s case would not exist if open access were the default in academic publishing. “Open access” refers to the free, immediate, online availability of scholarly research, in contrast to the current status quo of expensive subscription journals and paywalled databases. Open access policies are critical to education, innovation, and global progress.
We need major reform of our laws, both internationally and domestically, to make open access the norm and ensure that sharing, promoting scientific progress, and exercising creative expression are not crimes.
As we await the final verdict in Diego’s trial, it is more important than ever to join EFF and open access allies all over the world in standing with Diego. Sign this petition before Diego’s trial and make your voice heard.
Along with several other advocacy groups, EFF signed on to an amicus brief this week in the case of the Commonwealth of Massachusetts v. James Keown, in support of requiring courts to set pre-search limits on the method of digital searches by law enforcement pursuant to judicially authorized warrants.
Keown was charged with murdering his wife after she died of an apparent poisoning. The evidence against him included a forensic search of his laptop, which revealed web searches for homemade poison. Although the police got a warrant to do this forensic examination, it allowed them to conduct a nearly unfettered search of the computer.
Searches of digital devices—in this case, a laptop—are different from searches of physical spaces, both in the scale of information at issue and the way in which that information is stored. The unique features of digital devices and the enormous amount of information stored on them make Fourth Amendment protections all the more important to uphold, especially with respect to the “particularity” requirement. In order to avoid general searches, the Fourth Amendment requires that in addition to demonstrating probable cause, a warrant must “particularly describ[e] the places to be searched and the persons or things to be seized.” In the brief, EFF asks the Court to set explicit limits on the scope of digital searches by outlining concrete categories of relevant information prior to the warrant’s execution – a series of ex-ante search protocols – to ensure that the government does not exceed its authority when executing a search warrant on digital devices and information.
Ex-ante search protocols—such as limits based on date, time, recipient or sender identities, types and sizes of files, etc.—tailored to the law enforcement inquiry for which probable cause has been established, can assure magistrate judges that a search will be limited as much as possible to only the relevant information sought and justified in the warrant application.
Massachusetts should join the courts that have begun to move toward ex-ante protocols to bolster Fourth Amendment protections. The issuance of a search warrant for a specific file or piece of evidence should not give law enforcement carte blanche to generally search all of the digital information stored on your device. Because such ex-ante search protocols were needed in Keown’s case, but were not used, we argue the evidence seized from his laptop should be suppressed.
You can read our amicus brief in full below.
The U.S. Senate confirmed Kansas Republican Rep. Mike Pompeo to be the Director of the CIA late on Monday over concerns from several congressional Democrats, who warned that putting Pompeo at the head of the intelligence agency would threaten civil liberties.
In an impassioned floor speech, Sen. Bernie Sanders called it “vital to have a head of the CIA who will stand up for our constitution, stand up for privacy rights.” He continued, “Unfortunately, in my view, Mr. Pompeo is not that individual.”
As we said late last year, we have concerns that many of President Donald Trump’s nominees, including Pompeo, will undermine digital rights and civil liberties, and those concerns persist.
Specifically, Pompeo sponsored legislation that would have reinstated the National Security Agency’s bulk collection of Americans’ telephone metadata—an invasive program that civil liberties and privacy advocates fought to curtail by enacting the USA FREEDOM Act.
We also noted troubling op-eds written by Pompeo. In one piece in late 2015, Pompeo criticized Republican presidential candidates who were supposedly “weak” on national security and intelligence collection. “Less intelligence capacity equals less safety,” he wrote.
In another op-ed a few weeks later, Pompeo criticized lawmakers for “blunting [the intelligence community’s] surveillance powers” and called for “a fundamental upgrade to America’s surveillance capabilities.”
Critics on the Senate floor—including Sens. Ron Wyden, Patrick Leahy and Bernie Sanders—homed in on the latter op-ed, which also recommended restarting the metadata collection that was curtailed under the USA FREEDOM Act and “combining it with publicly available financial and lifestyle information into a comprehensive, searchable database.” Pompeo continued, “Legal and bureaucratic impediments to surveillance should be removed.”
While Pompeo’s defenders argued that an effective intelligence agency should be utilizing publicly available information posted to social media, Wyden—who fought for delay to give the Senate more time to consider Pompeo’s nomination—drew a sharp distinction between seeking out social media information related to a known intelligence target and creating the database Pompeo has envisioned.
“It is something else entirely to create a giant government database of everyone’s social media postings and to match that up with everyone’s phone records,” Wyden said, calling the idea “a vast database on innocent Americans.”
Wyden also criticized Pompeo for skirting questions from lawmakers about what kinds of information would end up in the database, including whether the database would include information held by data brokers, the third-party companies that build profiles of internet users. He criticized Pompeo for being unwilling to “articulate the boundaries of what is a very extreme proposal.”
EFF thanks all 32 Senators who voted against Pompeo and his expansive vision of government surveillance. We were especially pleased by the “no” vote from our new home-state Sen. Kamala Harris of California.
EFF and other civil liberties advocates will work hard to hold Pompeo accountable as CIA Director and block any attempts by him or anyone else to broaden the intrusive government surveillance powers that threaten our basic privacy rights.
EFF sent a letter to the Santa Clara County Board suggesting ways to improve the proposed policy of that county’s Sheriff for use of body-worn cameras (BWCs). We did so with our allies the ACLU of California and the Bay Area chapter of the Council on American-Islamic Relations.
BWCs may help protect civil liberties, but only if they are adopted with robust community input and are subject to strong policies that ensure they promote police transparency and accountability. Without appropriate policies, BWCs may instead become another police tool of street-level surveillance.
Our letter addresses, among other issues, limits on when deputies may record at protests; discipline for deputies who fail to record their law enforcement activities, such as arrests or use of force; when deputies may review their BWC footage; when the Sheriff’s Office must release BWC footage to the public; and when BWC footage should be deleted.
We made our BWC suggestions pursuant to Santa Clara County’s Surveillance Technology Ordinance. This salutary law, enacted in June 2016, ensures community control of whether county government will adopt spying tools, and if so, what privacy safeguards are needed. Specifically, only the Santa Clara County Board of Supervisors can approve new surveillance technologies, and it can only do so after giving the public notice and an opportunity to be heard. EFF supported this Santa Clara ordinance, and we support adoption of similar laws for BART, Oakland, and Palo Alto. In October 2016, EFF used this Santa Clara ordinance to seek changes to the Sheriff’s proposed policy for an Integrated Helicopter Mapping System.
EFF has opposed BWC rules that fail to protect privacy and advance police accountability. For example, EFF in September 2015 opposed the LAPD’s policies for BWCs. And last year, EFF opposed several California bills regarding BWCs.
Proposed BWC guidelines have been published by the ACLU, the Constitution Project, and the Leadership Conference on Civil and Human Rights.