EFF | Decrypted Matrix

NSA Spy Program So Secret Judge Can’t Explain Why It Can’t Be Challenged

Feb 13, 2015 | 2020 Relevant, Government Agenda, News

NSA Spy Program A federal judge ruled in favor of the National Security Agency NSA Spy Program in a key surveillance case on Tuesday, dismissing a challenge which claimed the government’s spying operations were groundless and unconstitutional.

Filed in 2008 by the Electronic Frontier Foundation, the lawsuit, Jewel v. NSA, aimed to end the agency’s unwarranted surveillance of U.S. citizens, which the consumer advocacy group said violated the 4th Amendment.

The lawsuit also implicated AT&T in the operations, alleging that the phone company “routed copies of Internet traffic to a secret room in San Francisco controlled by the NSA.” That charge was based off of a 2006 document leak by former AT&T technician and whistleblower Mark Klein, who disclosed a collection program between the company and the NSA that sent AT&T user metadata to the intelligence agency.

US District Judge Jeffrey White on Tuesday denied a partial summary judgment motion to the EFF and granted a cross-motion to the government, dismissing the case without a trial. In his order, White said the plaintiff, Carolyn Jewel, an AT&T customer, was unable to prove she was being targeted for surveillance—and that if she could, “any possible defenses would require impermissible disclosure of state secret information.” NSA Spy Program

Offering his interpretation of the decision, EFF senior staff attorney David Greene explained in a blog post:

Agreeing with the government, the court found that the plaintiffs lacked “standing” to challenge the constitutionality of the program because they could not prove that the surveillance occurred as plaintiffs’ alleged. Despite the judge’s finding that he could not adjudicate the standing issue without “risking exceptionally grave damage to national security,” he expressed frustration that he could not fully explain his analysis and reasoning because of the state secrets issue.

The EFF later Tweeted:

NSA Internet surveillance is so secret, the court refused to even consider whether it’s constitutional.

— EFF (@EFF) February 10, 2015

Calling the ruling “frustrating,” Greene said the EFF “disagree[s] with the court’s decision and it will not be the last word on the constitutionality of the government’s mass surveillance of the communications of ordinary Americans.”Jewel v. NSA is the EFF’s longest-running case. Despite the decision, the EFF said it would not back down from its pursuit of justice and was careful to note that the ruling did not mean that the NSA’s operations were legal.

“Judge White’s ruling does not end our case. The judge’s ruling only concerned Upstream Internet surveillance, not the telephone records collection nor other mass surveillance processes that are also at issue in Jewel,” said Kurt Opsahl, deputy legal council at EFF. “We will continue to fight to end NSA mass surveillance.”

The issue is similar to the 2013 Supreme Court decision in Clapper v. Amnesty International, which found that plaintiffs who had reason to believe they were being spied on could not provide substantial proof of surveillance, and thus could not bring their case. NSA Spy Program

Jewel v. NSA stems from the EFF’s 2006 case, Hepting v. AT&T, which was dismissed in 2009 after Congress, including then-Senator Barack Obama, voted to give telecommunications companies immunity from such lawsuits.

“It would be a travesty of justice if our clients are denied their day in court over the ‘secrecy’ of a program that has been front-page news for nearly a decade,” Opsahl added.

via MintPressNews

Newly Released Drone Records Reveal Extensive Military Flights in U.S.

Jul 9, 2013 | Black Technology

Via: Electronic Frontier Foundation:

Today EFF posted several thousand pages of new drone license records and a new map that tracks the location of drone flights across the United States.

These records, received as a result of EFF’s Freedom of Information Act (FOIA) lawsuit against the Federal Aviation Administration (FAA), come from state and local law enforcement agencies, universities and—for the first time—three branches of the U.S. military: the Air Force, Marine Corps, and DARPA (Defense Advanced Research Projects Agency).

While the U.S. military doesn’t need an FAA license to fly drones over its own military bases (these are considered “restricted airspace”), it does need a license to fly in the national airspace (which is almost everywhere else in the US). And, as we’ve learned from these records, the Air Force and Marine Corps regularly fly both large and small drones in the national airspace all around the country. This is problematic, given a recent New York Times report that the Air Force’s drone operators sometimes practice surveillance missions by tracking civilian cars along the highway adjacent to the base.

The records show that the Air Force has been testing out a bunch of different drone types, from the smaller, hand-launched Raven, Puma and Wasp drones designed by Aerovironment in Southern California, to the much larger Predator and Reaper drones responsible for civilian and foreign military deaths abroad. The Marine Corps is also testing drones, though it chose to redact so much of the text from its records that we still don’t know much about its programs.

via Cryptogon

Stingrays: The Biggest Technological Threat to Cell Phone Privacy You Don’t Know About

Oct 28, 2012 | Black Technology

On Friday, EFF and the ACLU submitted an amicus brief in United States v. Rigmaiden, a closely-followed case that has enormous consequences for individuals’ Fourth Amendment rights in their home and on their cell phone. As the Wall Street Journal explained today, the technology at the heart of the case invades the privacy of countless innocent people that have never even been suspected of a crime.

Rigmaiden centers around a secretive device that federal law enforcement and local police have been using with increased frequency: an International Mobile Subscriber Identity locator, or “IMSI catcher.” These devices allows the government to electronically search large areas for a particular cell phone’s signal—sucking down data on potentially thousands of innocent people along the way—while attempting to avoid many of the traditional limitations set forth in the Constitution.

How Stingrays Work

The Stingray is a brand name of an IMSI catcher targeted and sold to law enforcement. A Stingray works by masquerading as a cell phone tower—to which your mobile phone sends signals to every 7 to 15 seconds whether you are on a call or not— and tricks your phone into connecting to it. As a result, the government can figure out who, when and to where you are calling, the precise location of every device within the range, and with some devices, even capture the content of your conversations. (Read the Wall Street Journal’s detailed explanation for more.)

Given the breadth of information that it can stealthily obtain, the government prefers the public and judges alike not know exactly how Stingrays work and they have even argued in court that it should be able to keep its use of the technology secret. The Electronic Privacy Information Center has filed a FOIA request for more information on Stingrays, but the FBI is dragging its feet and is sitting on 25,000 pages of documents explaining the device.

The Rigmaiden Case: An Illusory Warrant

In Rigmaiden, the government asked a federal judge in Northern California to order Verizon to assist in locating the defendant, who was a suspect in a tax fraud scheme. But after they received an order telling Verizon to provide the location information of an Aircard they thought to be the defendant’s, the government took matters into their own hands: they claimed this authorization somehow permitted its own use of a Stingray.

Not only did the Stringray find the suspect, Rigmaiden, but it also got the records of every other innocent cell phone user nearby.

The government now concedes that the use of the device was a “search” under the Fourth Amendment and claims it had a warrant, despite the fact that, as we explain in our brief, “the Order directs Verizon to provide the government with information and assistance, but nowhere authorizes the government to search or seize anything.”

In fact, the government’s application made no mention of an IMSI catcher or a Stingray, and only has a brief sentence about its plans buried at the end of an 18-page declaration: “the mobile tracking equipment ultimately generate[s] a signal that fixes the geographic position of the Target Broadband Access Card/Cellular Telephone.”

A judge initially signed off on this order, but clearly, the government did not accurately and adequately explain what it was really up to.

General Warrants: Unconstitutional, All You Can Eat Data Buffets

Beyond the government’s conduct in this specific case, there is an even broader danger in law enforcement using these devices to locate suspects regardless of whether they explain the technology to judges: these devices allow the government to conduct broad searches amounting to “general warrants,” the exact type of search the Fourth Amendment was written to prevent.

A Stingray—which could potentially be beamed into all the houses in one neighborhood looking for a particular signal—is the digital version of the pre-Revolutionary war practice of British soldiers going door-to-door, searching Americans’ homes without rationale or suspicion, let alone judicial approval. The Fourth Amendment was enacted to prevent these general fishing expeditions. As the Supreme Court has explained, a warrant requires probable cause for all places searched, and is supposed to detail the scope of the search to ensure “nothing is left to the discretion of the officer executing the warrant”.

But if uninformed courts approve the unregulated use of Stingrays, they are essentially allowing the government to enter into the home via a cellular signal at law enforcement’s discretion and rummage at will without any supervision. The government can’t simply use technology to upend centuries of Constitutional law to conduct a search they would be prevented from doing physically.

Stingrays Collect Data on Hundreds of Innocent People

And when police use a Stingray, it’s not just the suspects’ phone information the device sucks up, but all the innocent people around such suspect as well. Some devices have a range of “several kilometers,” meaning potentially thousands of people could have their privacy violated despite not being suspected of any crime. This is another fact the government didn’t fully explain to the magistrate judge in Rigmaiden.

The government now claims it protected privacy by deleting all third-party data on its own after it collected it. But the government’s unilateral decision to binge and purge comes with its own consequences. Now there’s no way to know what exactly the government obtained when it used the device.

Had the government told the court what it really was planning on doing and the amount of information it would obtain, the court may have exercised its constitutional role of ensuring the government narrowed its search. After all, it was for the court, not the government, to decide how best to balance the government’s need for information with third-party privacy, and any suspect’s future interest in access to potentially exculpatory information.

Enough Warrantless Excursions

Unfortunately, US government excuses for conducting warrantless searches are becoming all too familiar. Whether it’s the hundreds of thousands of searches for cell phone location information, the skyrocketing of warrantless surveillance of who and when you’re calling, or the NSA’s still-active warrantless wiretapping program, Americans are seeing their Fourth Amendment privacy rights under attack from all angles. We hope in this case and others like it, the court will prevent such violations of privacy from occuring again.

via EFF.org

Pwn The Drones: Investigative Research into Drone Technology, Vulnerabilities, Exploits, Future

Aug 14, 2012 | Activism, Video

EFF activists Trevor Timm and Parker Higgins explain how widespread drones are becoming, how they’ve already been hacked, and how the situation may get a lot worse before it gets better.

STOP CISPA: Come Togeter – Take Action

Apr 27, 2012 | Abuses of Power, News

COME TOGETHER TO STOP CISPA!

WHAT IS CISPA?

The Cyber Intelligence Sharing and Protection Act (H.R. 3523) is a bill introduced in the United States House of Representatives by Reps. Mike Rogers (D-MI) and C.A. “Dutch” Ruppersberger (D-MD) in late 2011. It amends the National Security Act of 1947 to allow private companies and US government intelligence agencies to share information regarding perceived cyber threats.

WHAT IS WRONG WITH CISPA?

1. CISPA’s language, particularly in reference to how it defines “cyber threat,” is far too broad.

The bill’s definition of a “cyber threat” is so vague that it may potentially allow CISPA to encompass a far broader range of targets and data than initially contemplated by its authors. “Cyber threat” is a critical term in the bill, and is defined therein as:

…information directly pertaining to a vulnerability of, or threat to a system of network of a government or private entity, including information pertaining to the protection of a system or network from —

(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

Under this overly broad, vague definition, whistleblowers and leakers such as Wikileaks, tech blogs carrying the latest rumours and gossip from companies, news and media sites publishing investigations, security researchers and whitehat pen testers, torrent sites (including our beloved Pirate Bay), and of course, yours truly, Anonymous, would all be ripe targets.

Additionally, as the Electronic Frontier Foundation (EFF) notes, CISPA’s broad definition of “cybersecurity” is so vague that it leaves open the door “to censor any speech that a company believes would ‘degrade the network.’” Going one step further, the bill’s inclusion of “intellectual property” provides for the strong possibility that both private companies and the federal government will likely be granted “new powers to monitor and censor communications for copyright infringement.” (Full EFF letter here)

2. CISPA demonstrates a complete disregard for reasonable expectations of privacy protection and essential liberties by providing for unaccountable sharing of user data.

As laid out, CISPA allows a large, nearly unchecked quantity of any and all information on a target to be obtained and shared between private companies and government agencies. The bill’s text states, “Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes…share such cyber threat information with any other entity, including the Federal Government.”

Why is this problematic? As it stands, CISPA’s text allows for a slippery slope of information and data that could be shared amongst private companies and the federal government without any regard for a target’s personal privacy protections. Such information could very well include account names and passwords, histories, message content, and other information not currently available to agencies under federal wiretap laws.

In a position letter addressed to Congress on 17 April 2012, CISPA critics point out:

CISPA creates an exception to all privacy laws to permit companies to share our information with each other and with the government in the name of cybersecurity. Although a carefully-‐crafted information sharing program that strictly limits the information to be shared and includes robust privacy safeguards could be an effective approach to cybersecurity, CISPA lacks such protections for individual rights. CISPA’s ‘information sharing’ regime allows the transfer of vast amounts of data, including sensitive information like internet use history or the content of emails, to any agency in the government including military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command.

3. The broad language in CISPA provides for the uncertain future expansion of federal government powers and a slippery slope of cybersecurity warrantless wiretapping.

Of particular concern is the word “notwithstanding,” which is a dangerously broad word when included in legislation. The use of “notwithstanding” will allow CISPA to apply far beyond the stated intentions of its authors. It is clear that the word was purposefully included (and kept throughout rewrites) by the bill’s authors to allow CISPA to supersede and trump all existing federal and state civil and criminal laws, including laws that safeguard privacy and personal rights.

The fact that the sponsors and authors of CISPA claim that they have no intentions to use the overly broad language of the bill to obtain unprecedented amounts of information on citizens should be of little comfort to a concerned onlooker. As it stands, if CISPA passes in Congress and is signed into law by the President, its broad language WILL be law of the land and WILL be available for use by agencies and companies as desired. Why should our only protection against rampant cyber-spying be us trusting the government or companies NOT to take CISPA over the line of acceptable (if any) data collection?

WOW, CISPA SUCKS! HOW CAN I HELP STOP IT?

Below are some various ways that YOU can get involved in the online and real world struggles against CISPA. It will take all of us to stop this bill, but we did it before with SOPA, PIPA, and [hopefully] ACTA, and we’re confident that it can be done once more with CISPA. The voice of the People WILL be heard loud and clear, and you can help because your voice matters. It’s time to stand up for your rights because, in the end, who else will? Internet, unite!

Educate a Congressman about the Internet and pitfalls of CISPA – here
Call a Congressman directly about the bill – here
Email a Congressman directly about the bill – here
Sign and pass around online petitions – here || here || here
Spread awareness. Tweet, blog and post about CISPA. Use the hashtags #StopCISPA and #CISPA so everyone can follow. Change your profile picture to an anti-CISPA image or add a STOP CISPA banner.
Tweet to CISPA’s proponents, @HouseIntelComm and @RepMikeRogers and let them know about the pitfalls of CISPA.
Let CISPA’s sponsor, Rep. MikeRogers, know how much his bill fails – here
Check out Fight For The Future’s #CongressTMI movement in regard to CISPA – here
Join the Twitter Campaign and Contact a Representative about CISPA – here
Protest. Organise in front of Congress and let them know what happens when they try to govern the Internet and strip our liberties in the name of national security. If you organise an IRL protest, please contact us@YourAnonNews so we can facilitate spreading the word on it and helping boost attendance.

I WANT TO LEARN EVEN MORE ABOUT CISPA! TELL ME MORE!

Ok…clearly you like reading and knowing the issues thoroughly. We’re proud of your dedication and passion to better educating yourself and others about this concerning bill. Below are additional helpful resources that you can check out to get an even better understanding of CISPA and how it will affect the world of tomorrow should it pass and become law.

Full text of CISPA, including recent rewrites and Amendments – here
Full list of CISPA co-sponsors – here
Full list of companies and groups that explicitly support CISPA – here
INFOGRAPHIC on CISPA – here
Center for Democracy & Technology’s CISPA Resource Page – here
Electronic Frontier Foundation’s Statement on CISPA and its Intellectual Property Implications
Video news report from RT, ‘CISPA is a US cyber-security loophole’ – watch
CNET In-Depth: Even an attempted rewrite of CISPA failed to safeguard civil liberties and privacy – read
CISPA is pushed by a for-profit cyber-spying lobby that stands to profit immensely from the bill becoming law in the US – read
Why CISPA Sucks – read
A brilliant series of TechDirt articles on CISPA shed some light on the bill and point out exactly where its flaws are found — CISPA is a Really Bad Bill, and Here’s Why – read
– Did Congress Really Not Pay Attention to What Happened with SOPA? CISPA Ignorance is Astounding –read
– Forget SOPA, You Should Be Worried About This Cybersecurity Bill – read

NOTE: Even Obama seems to dislike CISPA — On 17 April 2012, the White House issued a statement criticising CISPA for lacking strong privacy protections and failing to set forth basic security standards.

Source: http://youranonnews.tumblr.com/post/21314689010/come-together-to-stop-cispa-what-is-cispa-the

The Right to Anonymity is a Matter of Privacy

Feb 23, 2012 | Anonymous

This January 28marks International Privacy Day. Different countries around theworld are celebrating this day with their own events. This year, we are honoring the day by calling attention to recent international privacy threats and interviewing data protection authorities, government officials, and activists to gain insight into various aspects of privacy rights and related legislation in their own respective countries.

—

Throughout history, there have been a number of reasons why individuals have taken to writing or producing art under a pseudonym. In the 18th century, James Madison, Alexander Hamilton, and John Jay took on the pseudonym Publius to publish The Federalist Papers. In 19th century England, pseudonyms allowed women–like the Brontë sisters, who initially published under Currer, Ellis, and Acton Bell–to be taken seriously as writers.

Today, pseudonyms continue to serve a range of individuals, and for a variety of reasons. At EFF, we view anonymity as both a matter of free speech and privacy, but in light of International Privacy Day, January 28, this piece will focus mainly on the latter, looking at the ways in which the right to anonymity–or pseudonymity–is truly a matter of privacy.

Privacy from employers

Human beings are complex creatures with multiple interests. As such, many professionals use pseudonyms online to keep their employment separate from their personal life. One example of this is the Guardian columnist GrrlScientist who, upon discovering her Google+ account had been deleted for violating their “common name” policy, penned a piece explaining her need for privacy. Another example is prominent Moroccan blogger Hisham Khribchi, who has explained his use of a pseudonym, stating:

When I first started blogging I wanted my identity to remain secret because I didn’t want my online activity to interfere with my professional life. I wanted to keep both as separate as possible. I also wanted to use a fake name because I wrote about politics and I was critical of my own government. A pseudonym would shield me and my family from personal attacks. I wanted to have a comfortable space to express myself freely without having to worry about the police when I visit my family back in Morocco.

Though Khribchi’s reasoning is two-fold, his primary concern–even stronger than his need for protection from his government–was keeping his online life separate from his employment.

Even Wael Ghonim–the now-famous Egyptian who helped launch a revolution–conducted his activism under a pseudonym…not to protect himself from the Egyptian government, but rather because he was an employee of Google and wanted to maintain an air of neutrality.

Privacy from the political scene

In 2008, an Alaskan blogger known as “Alaska Muckraker” (or AKM) rose to fame for her vocal criticism of fellow Alaskan and then-McCain-running-mate Sarah Palin. Later, after inveighing against a rude email sent to constituents by Alaska State Representative Mike Doogan, AKM was outed–by Doogan–who wrote that his “own theory about the public process is you can say what you want, as long as you are willing to stand behind it using your real name.”

AKM, a blogger decidedly committing an act of journalism, could have had any number of reasons to remain anonymous. As she later wrote:

I might be a state employee. I might not want my children to get grief at school. I might be fleeing from an ex-partner who was abusive and would rather he not know where I am. My family might not want to talk to me anymore. I might alienate my best friend. Maybe I don’t feel like having a brick thrown through my window. My spouse might work for the Palin administration. Maybe I’d just rather people not know where I live or where I work. Or none of those things may be true. None of my readers, nor Mike Doogan had any idea what my personal circumstances might be.

Though Doogan claimed that AKM gave up her right to anonymity when her blog began influencing public policy, he’s wrong. In the United States, the right to anonymity is protected by the First Amendment and must remain so, to ensure both the free expression and privacy rights of citizens.

Similarly, in 2009, Ed Whelans, a former official with the Department of Justice, outed anonymous blogger John Blevins–a professor at the South Texas College of Law–in the National Review, calling him “irresponsible”, and a “coward.” Blevins took the fall gracefully, later explaining why he had chosen to blog under a pseudonym. Like Khribchi, Blevins’ reasons were numerous: He feared losing tenure and legal clients, but he also feared putting the jobs of family members in the political space at risk.

Privacy from the public eye

A friend of mine–let’s call him Joe–is the sibling of a famous celebrity. But while he’s very proud of his sibling, Joe learned early on that not everyone has his best interests at heart. Therefore, Joe devised a pseudonym to use online in order to protect the privacy of himself and his family.

In Joe’s case, the threat is very real: celebrities are regularly stalked, their houses broken into. His pseudonym keeps him feeling “normal” in his online interactions, while simultaneously protecting his sibling and the rest of his family from invasions of privacy.

Achieving anonymity online

Anonymity and pseudonymity may seem increasingly difficult to achieve online. Not only do companies like Facebook restrict your right to use a pseudonym, but even when you do think you’re anonymous, you might not be–as blogger Rosemary Port found out in 2009 after Google turned over her name in response to a court order.

While we should continue to fight for our privacy under the law, the best thing we can do as users to who value our right to anonymity is to use tools like Tor. Anonymous bloggers can use Global Voices Advocacy’s online guide to blogging anonymously with WordPress and Tor. And all Internet users should educate themselves about what is–and isn’t–private on their online accounts and profiles.

SOURCE: https://www.eff.org/deeplinks/2012/01/right-anonymity-matter-privacy

Know Your Rights! Quiz

Jan 25, 2012 | Abuses of Power, Activism

Do you know what to do when the police try to seize your server, computer, or phone? Take our quiz to see how well you know your rights when law enforcement threatens your digital data.

1) The cops have a warrant to search my computer. They’re demanding my encryption key. Do I have to give it to them?

No, there are no circumstances under which you can be forced to give up an encryption key because it violates your constitutional right to due process.

No, you don’t have to give the encryption key to the police as they seize the computer, but it’s possible a court could make you do it later.

Yes, if the police have a warrant for your computer, it includes your encryption key. If you don’t tell them, you could be charged with obstructing justice.

Yes, in fact you should always give your encryption key to the police, even if they don’t have a warrant. It could help them in an investigation.