How Apple Could Lose By Winning: The DOJ's Next Move Could Be Worse

from the we-can-do-this-the-easy-way-or-the-hard-way dept

Since the conflict over smartphone security, long simmering between Apple and the FBI, burst into the headlines last month, many of us who advocate for strong encryption have watched the competing legal arguments advanced by the parties with a certain queasiness. Many of the arguments on Apple's side—whether offered by the company itself or the myriad groups who have weighed in with friend-of-the-court briefs—have turned critically on the government's unprecedented invocation of the hoary All Writs Act to compel the company to write and authenticate a novel piece of software effectively dragooning Apple engineers into government service.

But there has always been an obvious alternative—a way to achieve the FBI's aim of circumventing iPhone security features without requiring any Apple employees to write a line of new code: the Lavabit Option.

That is, instead of asking Apple to create a hacking tool that would permit the FBI to attempt to brute-force a phone's passcode without triggering escalating delays between guesses or deletion of encrypted data, they could simply demand that Apple turn over the source code and documentation the FBI would need to develop its own custom version of the iOS boot ROM, sans security features. Then, they require Apple to either cryptographically sign that code or provide the government with access to its developer credentials, so that the FBiOS can run on an iPhone.

That hypothetical possibility is raised explicitly by the Justice Department in a footnote to its most recent motion in its ongoing litigation with Apple, which explains that the FBI had not gone that route because it "believed such a request would be less palatable to Apple." Having tried it the easy way, the FBI suggests it's happy to do things the hard way: "If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers."

The government follows up with a citation to the Fourth Circuit's ruling in the now-infamous Lavabit case. Because the secure e-mail service Lavabit maintained minimal logs of user metadata, the government had obtained an order to install a "pen register"—a mechanism for recording metadata in realtime—on the company's systems in order to monitor a particular user, widely believed to be Edward Snowden. In order to make that data intelligible, however, it also demanded the use of the SSL keys used to encrypt all users' traffic. When the Fourth Circuit upheld that demand, CEO Ladar Levinson chose to shutter the site entirely.

Apple's latest reply brief clearly registered the company's dismayed response to this legal shot across the bow:

The catastrophic security implications of that threat only highlight the government's misunderstanding or reckless disregard of the technology at issue and the security risks implicated by its suggestion.

Such a move would signal a race to the bottom of the slippery slope that has haunted privacy advocates: A world where companies can be forced to sign code developed by the government to facilitate surveillance. In this case, that means software to brute force a passcode, but could as easily apply to remote exploits targeting any networked device that relies on developer credentials to authenticate trusted updates. Which is to say, nearly any modern networked device. It entails, quite literally, handing the government the keys to the kingdom.

What's particularly worrying is that, while this approach is massively more troubling from a security perspective than funneling such requests through the company itself on a case-by-case basis, it would likely stand on a less shaky legal foundation.

Apple's arguments throughout this case have stressed the unprecedented nature of the FBI's attempt to conscript the firm's engineers, noting that the All-Writs Act invoked by the government was meant to enable only the particular types of orders familiar from common law, not grant an all-purpose power to "order private parties to do virtually anything the Justice Department and FBI can dream up." The trouble is, an order to turn over information in the "possession custody or control" of a private party is just such a traditional order. Such demands are routinely made, for instance, via a subpoena duces tecum requiring a person or company to produce documents.

It's likely that Apple's developer keys are stored in a Hardware Security Module that would make it difficult or impossible to produce a copy of their firmware signing key directly to the government. But that might not be much legal help. In a separate iPhone unlocking case in New York, magistrate judge James Ornstein recently rejected the government's argument that a previous All-Writs Act case, New York Telephone Co., required Apple's compliance. In that case, Ornstein noted, the government's

agents would normally have been able to install the authorized pen register without the company's assistance but for the fact that the subject telephone's wires were so placed as to prevent the agents from gaining surreptitious access. The agents thus needed the telephone company not to provide technical expertise they lacked, but only to step out of the way and let them perform their authorized surveillance on company property.

But that sounds much closer to what would be involved in a case where Apple is required to authenticate government-written code: Just "step out of the way" and let the FBI access the HSM containing the keys used to sign updates.

Similarly, many of the First Amendment arguments raised by Apple and the Electronic Frontier Foundation—to the effect that "code is speech" and the requirement that Apple create new software amounts to "compelled speech"—would also fall by the wayside. They might still advance such arguments with respect to the "endorsement" implicit in using company credentials to sign software, but a court may not find that as intuitive as the idea that "compelled speech" is involved in requiring engineers to devise wholly novel and potentially complicated software.

Many of Apple's other arguments, of course, would remain untouched: There's the idea that Congress has established a comprehensive statutory framework specifying the means of law enforcement access to digital content via laws like the Communications Assistance for Law Enforcement Act and the Electronic Communications Privacy Act, making the All-Writs Act an inappropriate mechanism to seek authority withheld by Congress. Nor would a "sign our code" approach affect any of Apple's claims about the broader security harms inherent in the creation of developer-authenticated tools to break security. But the long list of legal barriers to the FBI getting its way would surely be significantly reduced.

That means it's not just important that Apple win in this case—it matters how it wins. If the company emerges victorious on grounds fundamentally tied to the mandate to create software rather than the demand to authenticate it, it could prove a pyrrhic victory indeed, opening the door for the government to insist on doing things the "hard way," and inaugurating an era of government scripted malware signed to look like genuine updates.

127 Comments

Credit Where It's Due: DOJ Changes Its Tune On FISA Transparency

from the now-let's-see-what-happens dept

Earlier this week, I complained that the Department of Justice seemed to be stonewalling a Freedom of Information Act request I’d filed seeking copies of mandatory semi-annual reports to Congress on the National Security Agency’s compliance with the procedures and civil liberties safeguards of the FISA Amendments Act--which the House voted yesterday to reauthorize for another five years. After sitting on the request for two months (the statutory deadline is 20 business days), DOJ had finally replied with a letter claiming they could "neither confirm or deny the existence" of reports that were required by federal law. I thought this was a little ridiculous. Fortunately, there were officials at the Justice Department who thought so too.

Having appealed the denial of my request, I got an impressively prompt reply on Tuesday evening from the director of the Office of Information Policy at DOJ, assuring me that she recognized the agency's initial response had been "incorrect," and that a new one would be forthcoming immediately. By Wednesday morning, their stance had changed entirely: They had found the reports I sought, and were forwarding them to the Office of the Director of National Intelligence (ODNI) for review to determine what would need to be redacted before release--with a request that ODNI seek to expedite its analysis to compensate for their own delay.

Now, to be sure, I'd rather have had this response a month ago, and the documents before the House vote, but at this point DOJ appears to be doing exactly what they're supposed to and making a good faith effort to facilitate the redaction and release of these important assessments. So it seemed appropriate to follow up on my initial blog post to acknowledge that--and in particular Office of Information Policy director Melanie Pustay, who straightforwardly acknowledged the error and acted quickly to correct it. We'll see soon enough whether a similar spirit of transparency reigns at ODNI.

Cross-posted from Cato-at-Liberty.

21 Comments

Testing 'The Most Transparent Administration in History'

from the not-so-transparent dept

Barack Obama pledged to preside over the “most transparent administration in history,” drawing an explicit contrast with the extreme secrecy of his predecessor. The Web site of the Department of Justice highlights that pledge, declaring its commitment to faithfully carry out a presidential directive encouraging such transparency, especially with regards to Freedom of Information Act requests, which are a vital tool for public accountability and informed democratic deliberation about government’s activities. Earlier this summer, I decided I’d put that commitment to what should have been an easy test.

When Congress passed the controversial FISA Amendments Act of 2008, granting the NSA broad power to conduct sweeping electronic surveillance of Americans’ international communications without individualized search warrants, it wisely required the Justice Department to issue semi-annual reports to Congress on the government’s implementation of the law, evaluating compliance with the various rules, guidelines, and procedures in place to reduce the risk of civil liberties abuses. While these reports are classified, redacted versions of several previous installments have been released to the public in response to Freedom of Information Act requests. The most recent is from May of 2010, which means that by now there are three or four further reports on the government’s use of its new spying powers which haven’t been seen by the public.

Since the FAA is set to expire at the end of this year, and Congress is rapidly steamrolling toward reauthorizing the law for another five years, it seems like now would be a good time to let the public see the latest versions of these reports—with any specific references to operational details removed, of course. That’s especially true given that we’ve recently learned that at least one ruling by the secretive FISA Court found some surveillance under the FAA had violated the Fourth Amendment. The latest reports, even in redacted form, might give us further insight into the scale and seriousness of this violation of Americans’ constitutional rights. If, on the other hand, we find no mention of this in the official reports, it would be powerful evidence that Congress is getting a whitewashed account, and that internal oversight may not provide adequate protection for our privacy and liberties. Again, the government has already released several previous installments of this report—though the ACLU ultimately had to file a lawsuit before they agreed to do so—so there should be no doubt now as to whether these are documents they’re obligated to release.

On June 26, therefore, I sent a FOIA request to the Justice Department asking for the release of the newer installments of this important report—specifically asking for expedited review, given the importance of informing the public about the use of the law before Congress renews it. On July 6, I got a response acknowledging that my request had been received and forwarded to the FOIA office of the DOJ’s National Security Division. Federal law requires agencies to reply to these requests within 20 business days. I was still waiting when, a few days ago, a bill extending FAA spying authority was scheduled for consideration before the House of Representatives this week. I did, however, have a brief phone conversation with the NSD’s FOIA officer confirming that she was evaluating my request, and that she understood clearly exactly which reports I was requesting.

Yesterday morning, September 10—more than two months after acknowledging receipt of my request for these three or four documents—I finally got a reply (my emphasis added), denying my request with the following unhelpful boilerplate:

The Office of Intelligence (OI) maintains operational files which consist of copies of all FISA applications, as well as requests for approval of various foreign intelligence and counterintelligence collection techniques such as physical searches.  We did not search these records in response to your request because the existence or nonexistence of such records on specific persons or organizations is properly classified under Executive Order 13526.  To confirm or deny the existence of such materials in each case would tend to reveal which persons or organizations are the subjects of such requests.  Accordingly, we can neither confirm nor deny the existence of records in these files responsive to your request pursuant to 5 U.S.C. §552(b) (1).

This is, in a word, ridiculous. The “existence” of the reports I asked for is required by federal law. To the extent they contain passing references to any specific persons or organizations under investigation, these can easily be redacted, and have been redacted for previous public releases of the same documents. No reasonable person could believe that this reply is applicable to my request. If it had been sent immediately, you could at least put it down to sloppiness or inattention, but remember, it took them two months to send out a denial based on the preposterous claim that it is classified information whether a report mandated by federal statute even exists.

I can appeal—and of course, I intend to—but since that’s likely to drag out the process for at least another month or two, the reports are likely to come too late to be relevant to the debate over FAA reauthorization. Try as I might, it’s almost impossible for me to see this as a good faith response to my request. Instead, it looks an awful lot like a stalling tactic calculated to drag out the process until it’s too late for the documents to be relevant to the debate over the FAA. I suppose this shouldn’t be terribly surprising: DOJ’s modus operandi, at least when it comes to anything controversial or potentially embarrassing to the government, seems to be to force FOIA requesters to waste time, energy, and money going to court even when it’s painfully obvious there’s no legitimate legal basis for sustaining a denial. That this is routine enough to be predictable, however, shouldn’t make it any more acceptable in a democracy.

Cross-posted from Cato at Liberty.

32 Comments

How SOPA Will Be (Ab)Used

from the in-case-you-were-wondering dept

Proponents of the Stop Online Privacy Act (SOPA) and its Senate counterpart PROTECT-IP often affect incredulity that anyone would "defend piracy" by describing their valiant attempts to stamp out "rogue sites" as a threat to free speech or innovation. Recording Industry Association of America head Cary Sherman, for instance, recently insisted to The New York Times that the bills are "specifically designed to focus on the worst of the worst sites whose model is predicated on theft." This would be more convincing if the content industries weren't so clearly continuing their long, proud tradition of making aggressive and overbroad copyright claims that would impede speech and innovation.

In the 80s, Universal Studios famously sued Sony to block the sale of Betamax VCRs, which could be used to "facilitate" the infringement of copyrights in shows and movies aired on broadcast television. Blocking VCR sales, of course, might also have strengthened the market position of the DiscoVision laserdisc system being developed by MCA, Universal's parent company. The Supreme Court eventually vindicated Sony, but Universal did manage to persuade one lower court to rule in their favor. If SOPA's blocking provisions could be implemented in the physical world, every VCR (and maybe every Sony product) would have stopped working after that first favorable ruling, until Sony could meet the burden of proving its innocence in a U.S. court. Of course, under a rule like that, consumers might have been wary of buying a VCR in the first place.

And today? It's the Universal Music Group heading to court, after using a dubious copyright claim to take down an embarrassing video in which pop stars sing the praises of the site Megaupload. Megaupload, you see, is a file locker site, and the recording industry has made it crystal clear that it's at the top of the industry's list of "rogue sites" that should be targeted under SOPA. Indeed, when the content industries talk about why SOPA is needed, they invariably cite file lockers generally as the very epitome of a "rogue site." It is, therefore, a little awkward to have their own artists pointing out the obvious: File lockers can be used by pirates to share infringing files, but also host an enormous amount of perfectly legitimate content, uploaded by users who would be effectively silenced (and cut off from their own files) if the entire site were blocked. Similarly, the recording industry thinks copyright gives it the power to veto cloud-based music storage services, which serve as a kind of virtual hard drive from which users can remotely access and play their own legally purchased and uploaded music. It's a great convenience for consumers�but the labels think they can use copyright to stop it unless they're paid a cut.

We might also look to some of the seizures of U.S.-registered sites by Immigration and Customs Enforcement. The sports site Rojadirecta�registered in the U.S. but based in Spain�was seized on the theory that linking to infringing video of sporting events hosted elsewhere on the Internet is enough to trigger forfeiture, even though Spanish courts have repeatedly ruled that such conduct (however shady it might seem) is legal in Spain. As lawyers for the government argued, invoking the very same statute that would provide the basis for SOPA censorship:

"[A]ny property used ... in any manner or part to commit or facilitate the commission of an offense [such as criminal copyright infringement]" is subject to forfeiture.... Moreover, it is "[i]rrelevant whether the property's role in the crime is integral, essential or indispensable,"... and a single incident of facilitating criminal activity is sufficient to trigger forfeiture.

The government further notes that they're not directly charging Rojadirecta with criminal infringement (nor indeed do they ever have to bring such charges), which means no need to meet that pesky "beyond reasonable doubt" standard�or even "probable cause". All the government needs for forfeiture, they assert, is a "reasonable belief" that a domain is being used to "facilitate" criminal infringement. This despite the fact that, in the context of obscenity laws, the Supreme Court has held that "Mere probable cause to believe a violation has transpired is not adequate to remove books or film from circulation." Now, Rojadirecta's business model is certainly shady, and maybe they're even guilty of criminal infringement. But are we really comfortable with an entire domain, including vibrant discussion forums that clearly enable protected, non-infringing speech, being blocked pursuant to a "reasonable belief" standard, forcing the company to hire U.S. lawyers and prove their innocence to win the right to speak to U.S. users?

Then there's the case of Dajaz1.com, a hip hop blog seized for over a year by the government for hosting infringing music files. Except it turned out that those files had actually been provided by PR firms, working for the music labels, who hoped blogs like Dajaz1 would circulate them to create buzz for up-and-coming artists. Oops!

As legal scholar Jason Mazzone has amply documented, the use of dubious copyright claims to chill legitimate speech is depressingly common. The voting machine manufacturer Diebold has tried to use copyright to shut down whistleblower sites that published internal e-mails highlighting security vulnerabilities in software that could determine the outcome of elections. The Church of Scientology has similarly invoked copyright to stifle criticism. In Russia, political opposition groups are routinely raided under the pretext of searching for copyrighted software. Research suggests that most copyright takedown claims to search engines like Google are issued by companies targeting their competitors, and that nearly a third of takedown notices under the Digital Millennium Copyright Act lack a clear basis.

I could easily fill a dozen long blog posts with examples, but let's cut to the chase. Major movie studios and music labels draw a lot of water in D.C.: the fact that a bill as massively unpopular as SOPA is even being seriously considered, let alone likely to pass, is proof of that. They will effectively control which foreign domains the Justice Department chooses to block directly, and shop around for friendly judges amenable to rubber-stamping orders in civil litigation that require payment providers and ad networks to cut off disfavored sites. The likely targets are their competitors, whether the copyright claims are valid or not. Sites like YouTube that provide entertaining user-generated videos are one less reason to pony up for the next lackluster Adam Sandler movie. Sites that give musicians a way to gain exposure to fans and market their albums without giving a cut to the increasingly redundant middleman threaten to make the labels obsolete. And if open platforms invariably end up hosting some infringing content uploaded by users? Well, that's as good a pretext as any for shutting down the competition.

Why do critics of SOPA worry that the bill will threaten legitimate speech and innovation? Because its supporters have spent three decades providing overwhelming justification for that fear at every opportunity. If I may end by making a bit of "fair use" of the genius of former Smiths' front-man Morrisey:

He was a sweet and tender hooligan, hooligan

He said that he'd never, never do it again

And of course he won't, oh, not until the next time

Empowered with the ability to threaten blocking of entire domains, I'd rather not see what the copyright hooligans do "next time."

58 Comments

Perhaps SOPA Should Be Called The Stop Online PRIVACY Act

from the unintended-consequences? dept

From piracy to privacy

Critics of the Stop Online Piracy Act and its Chinese Firewall approach to combatting Internet piracy have hammered the ill-advised legislation for the predictable damage it would inflict on cybersecurity, innovation, and above all, free speech. More than a hundred eminent law professors�including such renowned constitutional scholars as Harvard's Lawrence Tribe�have blasted blocking provisions in SOPA (and its Senate counterpart PROTECT-IP) as a form of "prior restraint" of speech prohibited by the First Amendment. Yet SOPA also poses less obvious risks to the privacy of Internet users�risks which have received far less attention.

"We tend to treat freedom of speech issues on the Internet as matters of censorship," former White House technology advisor Andrew McLaughlin recently explained to The Wall Street Journal, "but the real threat is surveillance." Censorship and surveillance are natural partners: Monitoring alone often chills speech as effectively as blocking, and content prohibitions naturally give rise to monitoring designed to identify prohibited content. So it is likely to be with SOPA.

Under the notice-and-takedown approach to copyright infringement embedded in the Digital Millenium Copyright Act, Web platforms aren't expected to actively police the content uploaded by their users: They're only expected to comply with requests to remove specific identifying files identified by rightsholders. Under SOPA, however, a site can be branded as "dedicated to theft of U.S. property" if, in the statute's bizarre wording, its owner "is taking, or has taken deliberate actions to avoid confirming a high probability" of infringement. Sites merely accused of insufficient diligence risk being starved of revenue from ad networks or payment providers.

These dire consequences provide a powerful incentive for legitimate sites to implement some form of automated monitoring of user uploaded content, lest they be accused of "deliberately avoiding" awareness of infringement. Sites that do so can be expected to modify their terms of service�lengthy blocks of legalese, which users seldom read closely�to authorize such scans. As many analysts have pointed out, the friction and overhead costs involved in implementing such filters burden both innovation and legitimate "fair uses" of copyrighted content. But such scanning may also have unanticipated knock-on effects on the level of legal privacy protection to which user communications are entitled.

Much infringing content is posted on the public Internet for all to see. But infringement can just as easily occur in more limited, private forums. A pirated file can also be sent as an e-mail attachment, shared exclusively with a circle of friends on a social network, or uploaded to a cloud storage site behind a password wall. A comprehensive scan would have to include these as well�potentially affecting how content is treated under both federal statute and the Constitution. In short, SOPA incentivizes private cloud providers to change their practices in ways that may lower legal barriers to government acquisition of private communications�even for investigations having nothing to do with copyright.

Enter the Fourth Amendment

Courts have only depressingly recently begun recognizing that some forms of cloud-stored data are entitled to the protection of the Fourth Amendment. But Fourth Amendment analysis focuses on whether an individual enjoys a "reasonable expectation of privacy" in the information a government agent seeks to obtain. If files or messages are routinely scanned for infringing content by skittish cloud providers, courts may be more likely to find that the user's expectation of privacy�and any Fourth Amendment protection that accompanies it�has been waived. Even the lesser privacy protection afforded by the Electronic Communications Privacy Act depends in part on the provider having limited access to user files and messages, which means more scans that are not obviously a necessary part of providing a particular cloud service could provide a basis for questioning the statute's applicability.

Let's be optimistic, though, and assume that the law will be interpreted to preserve the privacy protection of user-uploaded content, even if it has been scanned in this way. That protection is still less likely to extend to any logs generated by a provider's scans. Insofar as these logs indicate which users have been flagged for uploading suspect files, or for sending links to suspect sites, they would reveal information about user content, but could easily be treated as ordinary business records accessible to government via a mere subpoena or other lesser process, rather than a full Fourth Amendment search warrant.

Would DNS redirection violate wiretap laws?

Finally, it's worth considering some potential effects of falsifying DNS records to redirect traffic bound for foreign sites deemed verboten by the Department of Justice. While SOPA leaves open what happens when someone attempts to reach a blocked site, PROTECT-IP explicitly suggests that a blocking notice chosen by the Attorney General should be shown to users seeking to reach those sites. That suggests that PROTECT-IP could be implemented using a scheme similar to that used by the Department of Homeland Security for seizing U.S. sites, which are pointed to a notice of seizure at 74.81.170.110.

Much here depends on the details of implementation, but such redirection creates a possible backdoor mechanism for the collection of information that normally requires a court order. Ordinarily, when the government wants to acquire communications metadata in realtime�to find out who is communicating to or from a particular phone, e-mail account, or IP address�it must get what's known as a "pen register" (for outgoing information) or "trap and trace" order (for incoming information) authorized by a judge. The standard for these orders is far lower than the "probable cause" needed for a full-blown wiretap, but they do still require some showing of relevance to an ongoing investigation of a specific crime that the government believes has been or is about to be committed.

If requests for pages hosted at InfringingContent.com, CheapViagraPills.net, or SexyMidgetVideos.org are instead sent to a blocking notification page on a government-controlled server, that server's logs will effectively capture the IP address of every user who has attempted to initiate a communication with a blocked domain (unless they're using a proxy or other anonymizing tool). This is especially worrisome in cases where the site in question might host content that is controversial for reasons beyond copyright status.

Potentially still more problematic�and again, depending heavily on the implementation details�such redirection could cause communications intended for one domain to be redirected to the government's notification server, which would technically constitute an illegal "interception" under federal wiretap law even if the notification server were not configured to accept or record any of that data. The simplest way this might happen is if a DNS server operator interpreted the law as requiring modification of a blocked domain's mail server (or MX) record. But even an ordinary HTTP page request will often contain some forms of "content": search queries, login credentials, a user agent string, or cookies placed by the blocked site during previous visits. And of course, DNS is not only used by web browsers, but by other clients operating on other communication protocols. The host currently used by DHS to provide seizure notification only appears to keep port 80 (HTTP), 443 (SSL), and 3389 (terminal services) open, but those settings can be easily changed at any time, before or after redirection begins. In effect, DNS hijacking puts the government on the honor system with respect to communications directed at or through a seized domain. The alternative�failure to resolve without redirection�results in censorship without transparency, as government blocks become indistinguishable from technical or other sources of connection failure.

From worries about its impact on DNSSEC to fears of providing cover for repressive regimes abroad, it's hard to keep track of all the different reasons to oppose domain censorship as an anti-piracy strategy, but there are strong grounds for adding its effect on privacy to the long, growing list.

21 Comments

House Dems Release Draft of 'Compromise' Surveillance Bill

from the just-say-no-to-telecom-immunity dept

Democrats in the House of Representatives have finally released a preliminary draft of compromise legislation to amend the Foreign Intelligence Surveillance Act. For civil libertarians who had resigned themselves to one more capitulation to White House demands, the bill will come as a relief: There is not a lot of compromise in this "compromise bill." Unsurprisingly, that means that administration officials, and the House Republican leadership, regard the bill as unacceptable.

On the hot-button question of retroactive immunity for telecoms alleged to have participated in warrantless National Security Agency wiretaps, the draft bill would shunt suits against the companies to a federal court empowered to hear classified evidence. This may come as welcome news to the telecoms, which had complained that the exculpatory evidence they need to defend themselves consists largely of state secrets. It will probably be less appealing to the Bush administration, which has resisted outside scrutiny of the surveillance activities authorized by the president after 9/11. For similar reasons, the White House is likely to oppose a provision in the draft bill creating a bipartisan commission, endowed with subpoena powers, to investigate government wiretaps from 2001–2007.

The bill's approach to executive branch wiretaps is in many respects similar to that of the RESTORE Act passed by the House last year, as a side-by-side comparison chart makes clear. The administration is thrown a few bones: Unlike the RESTORE Act, this legislation covers surveillance serving any foreign intelligence purpose, rather than only those related to terrorism or national security. It also expands, from 72 hours to one week, the time allowed for "emergency" wiretaps implemented in advance of court authorization. But on the whole, it embeds significantly more stringent civil liberties safeguards than the White House–approved legislation passed by the Senate. Instead of changing the definition legal of "foreign intelligence" -- an important term appearing in a variety of complex statutes -- the bill carves out a special exemption, allowing intelligence agencies to acquire communications between specific overseas targets and person in the United States. The bill also requires the development of guidelines to prevent "reverse targeting" of Americans, to ensure that lenient FISA procedures cannot be used to circumvent the more stringent requirements that apply to ordinary criminal investigations. The FISA court must approve surveillance procedures in advance, and both the procedures and agencies' compliance with "minimization" guidelines designed to limit the unnecessary retention of Americans' communications are subject to review by the court and a independent Inspector General. It also incorporate's the Senate bill's "Wyden Amendment," providing protection for Americans abroad. Finally, the law is scheduled to sunset in two years, rather than the Senate bill's six.

Whether House Democrats will be able to succeed in pushing this legislation through is unclear. Senate Intelligence Committee Chair Jay Rockefeller (D-WV), whose support will be critical in getting any law passed, has said that "considerable work remains" before he will be prepared to support proposed reforms. Despite its similarity to the stalled RESTORE Act, though, House leaders may have pulled off a bit of clever political jujitsu by offering new legislation. Republicans had fought hard to frame the debate as a question of inaction, on the one hand, or passage of the Senate bill, on the other. The burden, Democrats presumably hope, will now shift to Republicans to explain why they cannot countenance the passage of "vital" legislation with a few extra safeguards and checks.

8 Comments

Businesses Prefer Not to Be Sued, Film at 11

from the public-private-'partnerships' dept

There's nothing up on its website about this yet, but the U.S. Chamber of Commerce has thrown its ample weight into the warrantless wiretapping fight, with a letter to the House of Representatives urging legislators to approve retroactive immunity for cooperative telecoms as part of changes to the Foreign Intelligence Surveillance Act. The letter, from the organization's VP for government affairs, R. Bruce Josten, argues:

The Chamber represents companies across various industries which own or operate vital components of the nation’s critical physical, virtual, and economic infrastructures. The federal government continually depends upon such industries for cooperation and assistance in national security matters, including homeland security programs and activities. The government also turns to these companies in times of crisis, when the speed, agility, and creativity of the private sector can be critical to averting a terrorist attack.

Therefore, the Chamber urges the House to consider S. 2248 and pass this bipartisan compromise legislation. The Chamber firmly believes that the immunity provisions in S. 2248 are imperative to preserving the self-sustaining “public-private partnership” that both Congress and the Executive Branch have sought to protect the United States in the post-September 11 world. The Chamber encourages you consider the effects on the nation’s security should private sector involvement be muted and relegated to the sidelines in instances when industries can help the government protect this nation.

In the 2006 election cycle, the Chamber gave $19,000 to Democratic candidates for the House and $76,500 to Republicans. Its contributions have been more evenly split in this cycle to date: $15,076 for Democrats and $16,500 to Republicans. Members in close races will therefore likely find the "urges" of the Chamber hard to ignore.

7 Comments

Lessig Decides Against Congressional Bid

from the House-is-not-a-home dept

Law professor and copyright critic Lawrence Lessig has decided against a run for Congress, citing polling showing "no possible way" of overtaking popular California State Senator Jackie Speier before the April 8 election to fill the seat left empty by the death of Democratic Rep. Tom Lantos. Lessig had been mulling a bid on the urging of a burgeoning netroots campaign to draft him for public office, but decided that the likelihood that he would "lose big" would do more to harm than help his broader nascent effort to "Change Congress."

That effort will now see a sudden cash influx, as almost $28,000 raised at the Lessig '08 page on the progressive Web site ActBlue flow into the newborn non-profit's coffers. Under an arrangement with ActBlue, some $8,600 raised on two other Lessig-related pages will be donated to Creative Commons, an organization founded by Lessig to provide simple legal licenses for creators who wish to enable the sharing and remixing of their works.

6 Comments

Buildup To A Discharge: How Some Representatives Are Looking To Force A Vote On FISA

from the dont-follow-the-leader dept

Sources on the Hill report that, in the wake of last week's dust-up over surveillance reform in the House of Representatives, House Republicans are preparing to circulate a discharge petition, a mechanism that can be used to circumvent House leadership and move a bill directly to the floor to force a vote.

The Senate has already passed White House-supported legislation amending the Foreign Intelligence Surveillance Act to expand the government's power to eavesdrop on conversations with overseas parties without a warrant -- legislation that also includes a controversial provision providing retroactive immunity against civil suits to telecoms that gave the National Security Agency access to customer data without a court order. But House Speaker Nancy Pelosi (D-CA) has refused to schedule a vote on the House version of the Senate's bill.

Since, under House rules, that legislation is not subject to a discharge petition as currently engrossed, Reps. Vito Fossella (R-NY), Peter King (R-NY), and Pete Hoekstra (R-MI) have introduced their own version. They are currently gathering informal commitments from legislators while waiting out the 30-day time limit before a petition can be formally circulated.

Since discharge petitions are seen as a direct affront to leadership's control of the agenda, legislators are generally extremely reticent about signing them: The last time one was used successfully was in 2002, when it forced a vote on Shays-Meehan, the House version of the McCain-Feingold campaign reform law. Some members even have blanket policies against signing such petitions. And since they require a simple majority to become effective, Republicans would need to win over many of the conservative Blue Dog Democrats who have urged Pelosi to move forward with the Senate's version of the FISA bill. And even those willing to break with Pelosi on this issue may have qualms about slapping her in the face quite so overtly.

Instead of being directly used to force a vote, then, a source in the office of a Republican representative projects that the petition will be used to bring pressure directly to bear on Democratic members, and indirectly on the Democratic leadership. The latest assault in that pressure campaign came today in the form of a 24-style scare ad put out by the House Republican Conference, warning of impending terror attacks unless Democrats act quickly to reauthorize warrantless wiretaps.

14 Comments

House Republicans Take Their Ball, Go Home In FISA Fight

from the so-THAT'S-what-a-spine-looks-like dept

It now appears all but certain that the stopgap Protect America Act, which Congress passed in August, will expire this weekend, despite dark warnings from the White House that this would create a parlous "intelligence gap" and stymie intelligence community efforts to track terrorists. House Republicans, led by Minority Leader John Boehner of Ohio, staged a walkout to protest Democrats' refusal to schedule an immediate vote on a bill approved in the Senate earlier this week enacting more permanent changes to the Foreign Intelligence Surveillance Act. Unlike the RESTORE Act passed in the House back in October, the Senate bill establishes only limited checks on warrantless surveillance of communications between Americans and foreigners, and includes a provision granting retroactive amnesty to telecoms charged with illegally providing customer data to the government without a court order.

Democrats are, for a change of pace, fighting back against charges that they are soft on security issues. Contra predictions of imminent doom, many are now pointing out that the practical effect of the PAA's lapsing is likely to be quite limited, as any surveillance authorized under the law can continue unabated for another six months. And for all the administration's dire forecasts, Democrats note that it was House Republicans who voted down a further temporary extension of the PAA in the shadow of a presidential veto threat, and the Republican leader in the Senate who blocked a bicameral conference on the bill, in hopes of forcing the immediate approval of the White House–endorsed Senate bill. In a letter to President Bush today, Senate Majority Leader Harry Reid, who had drawn the ire of progressives for his perceived compliance with White House demands, blasted what he characterized as the administration's "reckless attempt to manufacture a crisis over the reauthorization of foreign surveillance laws."

32 Comments

Senate Approves Intelligence Reform And, With It, Telecom Amnesty

from the oversight-is-for-your-phone-calls dept

The Senate has just approved controversial legislation reforming the Foreign Intelligence Surveillance Act, by a vote of 68–29. The bill, sponsored by Sens. Kit Bond (R-MO) and Jay Rockefeller (D-WV), empowers the Director of National Intelligence and the Attorney General to authorize warrantless surveillance of foreign parties whose communications pass through U.S. switches, even when they are communicating with Americans. It also grants retroactive amnesty to telecom firms alleged to have illegally provided the government with access to their customers' data without a court order -- a provision some Democrats tried and failed to have stripped from the legislation earlier today.

Several other amendments that would have provided additional checks on surveillance also failed in the Senate, including language reasserting FISA's status as the "exclusive means" by which intelligence surveillance may be conducted, a provision barring indiscriminate "bulk collection" of telecom traffic, and a compromise measure that would have allowed civil suits against the telecoms to continue, but substituted the federal government as the defendant. The one victory for civil libertarians was the approval of an amendment offered by Sen. Sheldon Whitehouse (D-RI) permitting the secret FISA court to review intelligence agencies' compliance with "minimization" rules meant to limit the retention of communications involving innocent Americans. Following a vote to invoke cloture, bringing debate on the bill to a halt and foreclosing any attempt to mount a filibuster, Sens. Patrick Leahy (D-VT), Maria Cantwell (D-WA), Chris Dodd (D-CT) and Russ Feingold (D-WI) delivered impassioned speeches condemning the legislation as an affront to both privacy and the rule of law.

The Senate bill must now be reconciled in conference with the House version, known as the RESTORE Act, which lacks the controversial immunity provision and provides for greater judicial oversight of surveillance. Majority Leader Harry Reid (D-NV) is seeking to further extend the stopgap Protect America Act, which this reform bill is meant to supplant, in order to provide time to reach agreement between the two chambers.

28 Comments

White House Opposes Surveillance... Of Its Own Surveillance Policy

from the nobody's-watching dept

Since it was formed in 2004, on the recommendation of the 9/11 Commission, The Privacy and Civil Liberties Oversight Board has been blasted by civil libertarians as a tool of the administration, more interested in whitewashing War on Terror–related privacy violations than serving as a genuine check on government intrusion. One of the board's five members even resigned in protest, citing among other things "the vast array of alphabet soup agencies and bureaucracies in the national security apparatus" that sought "to control and modify the Board's public utterances." So last year, Congress sought to give the board greater autonomy by moving it out from under the aegis of the White House and reconstituting itself as an independent boad within the executive branch. The response of the White House, Wired reports, has been to drag its feet in appointing a new board -- meaning there is no one on the board as of January 30th -- prompting bipartisan criticism from top members of the Senate's Homeland Security Committee.

The board's second annual report (pdf), released late last month, does not exactly inspire confidence in its assiduousness as a privacy watchdog -- even when staffed. After touting its excellent working relationship with the White House, it moves to a "nothing to see here" review of the post-9/11 use of the material witness statute (MWS) as a detention tool. Aside from one "terrible mistake," the report asserts the board "was not made aware of specific problems with the use of the MWS in the anti-terrorism context" and cites a claim by the Justice Department that "on only nine occasions since the attacks of September 11, 2001 has the MWS been used in terrorist-related investigations." That is hard to square with the findings of a joint report by Human Rights Watch and the American Civil Liberties Union, which found some 70 instances of 9/11-related detention, though the discrepancy may be explained by the frequent use of immigration violations as a pretext for detentions that were actually related to terror investigations. The board's analysis of the Protect America Act, passed last August, similarly reads like a compilation of White House talking points.

This should not be all that surprising given the composition of the old board, which consisted of such Republican stalwarts as President Bush's former solicitor general, Ted Olson. With debate over reforms to the Foreign Intelligence Surveillance Act raging in the Senate, the White House appears less than eager to have a less-friendly set of eyes reviewing its surveillance policies.

13 Comments

Democratic Parties: An Interview With UCLA Computer Scientist Kevin Eustice

from the the-lowest-common-denominator-dj dept

If the ecstatic attention techblogs showered on the nascent Smart Party system last week is any indication, there are thousands of geeks out there who, like me, got their first peek at an iPhone and immediately began fantasizing about a spontaneous, democratic, distributed jukebox that would emerge anywhere friends with shiny gadgets gathered. Smart Party polls all WiFi-enabled music players in the vicinity to figure out what's on user playlists, and then plays music off a central system (even pulling tunes directly from each user's device) tailored to the taste of the group. It's like a DJ who automatically knows what will most please the crowd. But as far as UCLA computer science grad student and Smart Party co-creator Kevin Eustice is concerned, plebiscitary soundtrack software is just a tiny part of a broader project, aimed at crafting an open architecture that will enable a whole range of mobile, location-sensitive social networking applications. Below the fold, my interview with Eustice on music, math, and the future of ubiquitous computing. If you're reading via RSS or from the front page, click on "Read More" to get the full interview.

Read More | 5 Comments

French Researchers Want HAL To Write Fatwas

from the God-of-the-machine dept

The Arabic Daily Asharq Al-Awsat reports that a team of French researchers are hoping to create an "Electronic Mufti" -- an artificial intelligence capable of processing the opinions of historical clerics and generating a fatwa, or religious edict, that answers novel problems as the human template would have. The goal is supposedly to generate "more accurate" opinions, not subject to... human... error.

This has the whiff of a prank about it, but if it's for real, it seems to raise intriguing theological no less than technological questions. Islam tends to frown on pictorial representations of Allah's handiwork, and in particular -- as the Danish Cartoon Fiasco reminded us -- of the Prophet Muhammad, a likely candidate for simulation. Would a simulacrum of the Prophet's thought processes run afoul of the prohibition on representation? One member of the French team, Dr. Anas Fawzi, assures us that Islamic scholars have declared that his project is not "haram," or unlawful. But something tells me controversy is inevitable. Either way, I find I can't help but think of the confessional CyberJesus from the George Lucas classic THX 1138.

11 Comments

Is There A Conflict Between Open Social Graphs And Your Privacy?

from the what-about-your-friends? dept

Techblogger Robert Scoble has apparently been barred from Facebook for running a script from Plaxo to export his relationship information (or "social graph," as the kids say), in violation of the site's terms of service. On one read, this makes him a martyr to the cause of open social graphs. I'm a bit more ambivalent.

Intuitively, it makes sense for users to be able to make whatever use they please of information about their own social networks. But in a social network, "your" information is someone else's as well. And on a site like Facebook, much of that information will have been provided in the context of a set of individually calibrated privacy controls, by people who expected it to be used in that context by a limited audience. Exporting that information without permission, then, raises important privacy questions.

Within Facebook, users have a fair amount of control over who can access what information about them. I can choose to block particular users on Facebook, rendering myself wholly invisible to them, as though I weren't even on the network. I can decide how much of my profile information will be visible to friends, to people who live in my region, to the general Facebook membership, and to the Internet at large. I can even decide how aggressively public, so to speak, such information will be. Lots of Facebook users are happy to let friends view their relationship status, but disable those status notifications in their news feeds, to prevent everyone they know from being simultaneously blasted with the news that "Bob has gone from being in a relationship to being single." Automated data collection "liberates" information from those constraints, possibly against the wishes of the people who provided it.

It's true that a script can only sweep up information that would already have been visible to a particular user anyway. But privacy is not just a function of the publicity of your personal information, but of the searchability and aggregability of that information. Public closed-circuit surveillance cameras, for instance, typically capture the same information that a casual observer on the street is already privy to. But we recognize that being spotted by diverse random pedestrians, or even being captured on diffuse and disconnected private security cameras, is not intrusive in the same way as being captured on a citywide surveillance system that is searchable from a centralized location. By the same token, I may be unhappy with the possibility of someone forming an external public database full of data I've freely shared with more narrow communities—personal, regional, or whatever.

None of this is to deny the initial intuition that it's desirable for users' social graphs to be portable to some extent. But as with all forms of intimacy, openness and privacy complement each other: We feel free to share information about ourselves to the extent that we have some assurances about how that information will be used. So while it's one thing to argue that Facebook should enable greater openness or portability in some particular way, subject to user control, it seems like quite another to criticize them for enforcing a rule about indiscriminate automated data collection.

4 Comments

Crowdsourcing Law Enforcement

from the first-10-callers-to-identify-this-fugitive... dept

In a move that seems calculated to evoke the film adaptation of 1984, the FBI has announced a plan to begin using some 150 Clear Channel digital billboards in major American cities to show national security alerts, information about recent crimes, and photographs of fugitive criminals and missing persons, all with real-time updates.

A pilot billboard in Philadelphia has already helped to capture several wanted criminals, and a spokesman for the outdoor advertising industry suggests that these kinds of publicity tactics can be as useful at demoralizing criminals as they are at generating tips:

"What law enforcement tells us is it contributes to an environment where the criminal feels they have no where to go. A lot of times they end up just giving up."

In a way, the surprising thing is that law enforcement officials hadn't previously taken such visible steps to make use of the distributed eyes and ears of ordinary citizens. The problem, of course, is that publicity can also generate lots of time-consuming false leads. An advertisement currently ubiquitous on New York subways applauds the thousands of New Yorkers who phoned in reports of suspicious packages in the past year. But since we haven't heard reports of thousands of bombs recovered on the A train, it seems safe to surmise that the noise-to-signal ratio on such tips is quite high. As for national security alerts, our experience with color-coded national security warnings, and the attendant spectacle of panicked citizens mobbing Home Depot for plastic sheeting and duct tape, suggest that the Bureau might be well advised to exercise a bit of circumspection about those real-time updates.

24 Comments

FBI Apparently Believes That Court Orders Are For Suckers

from the data-mining-the-FBI dept

Wired's invaluable Ryan Singel has been panning for gold in the muddy stream of FBI e-mails and other documents recently obtained by the Electronic Frontier Foundation under a Freedom of Information Act request, and has already hit a couple of intriguing nuggets, such as overeager agents' willingness to bypass court-order requirements when seeking cell phone records. The documents reveal how this caused tension and dispute even within the Bureau.

One e-mail, from a tech specialist in the FBI's Minneapolis office, complained that other agents would even pose as that specialist when calling telecom carriers, hoping to persuade them to turn over cell records without a judge's order. The cell information would apparently then be used as part of a high-tech tracking program that allowed agents to pinpoint a cell user's location.

Equally intriguing is the report that the Bureau's national-security wiretapping software recorded almost 28 million "session" intercepts in 2006. While it's not clear precisely what counts as a "session," this is obviously vastly more than the 2,176 FISA warrants (pdf) obtained by the government that year, at least some of which only covered physical searches. Unless terror suspects talk on the phone far more than the average teenager, the discrepancy hints that each warrant may have covered a very large number of individuals.

13 Comments

Watching FISA Fizzle

from the the-political-circus dept

Sen. Chris Dodd (D-CT) appears to be the blogosphere's favorite son this week, with calls for him to replace Harry Reid (D-NV) as Majority Leader in the wake of his successful attempt to block passage of the White House–approved version of reforms to the Foreign Intelligence Surveillance Act. While perhaps most controversial for a provision granting retroactive immunity from civil suit to telecom providers who participated in the National Security Agency's program of extrajudicial wiretaps, the legislation was also loathed by civil libertarians for granting the Attorney General broad, minimally supervised power to eavesdrop on Americans' communications with foreign intelligence targets. Dodd, for his part, returns the love, thanking the netroots for making it all possible on—where else?—YouTube.

Reid, meanwhile, has said he'll move to extend the stopgap Protect America Act passed in August rather than attempt to reach a vote on a more permanent replacement in the brief time between the start of the next Senate session in mid-January and the law's scheduled sunset on February 1. This holds out at least some hope that the next serious overhaul of American intel law will, for once, not be rushed through Congress in a quasi-panic.

Major media reactions have been more or less predictable across the board, and yet I still managed to be a bit surprised by an utterly unsurprising Wall Street Journal editorial, just for the sheer chutzpah displayed in recycling talking points so far past their sell-by date:

FISA allows the government to tap communications outside the U.S. without judicial approval. But these days, many international calls pass through America en route from one international point to another. Unless Congress acts by February 1, when a temporary law expires, intelligence agents will be unable to monitor these calls without asking a judge for permission.

That may be fine with some Democrats, who have always been more comfortable treating terrorism as a law-enforcement problem rather than a real war. But it's a tough political sell to say that America should respect the "civil liberties" of al Qaeda terrorists overseas.

As I need not tell Techdirt readers, this is either clueless or disingenuous. First, and most obviously, because all of the proposed amendments to FISA allow surveillance of foreign-to-foreign traffic routed through U.S. switches, and none of them evince the slightest concern for "the 'civil liberties of al Qaeda terrorists overseas." Second (and only slightly less obviously if you're moderately familiar with FISA), because the now-familiar narrative about why reform is needed has been transparently bollocks from the get go. The probability that the FISA Court handed down a ruling simply applying a warrant requirement to domestically intercepted foreign wire traffic is, to a first approximation, zero. If you've got a few minutes and a healthy sense of Schadenfreude, watch the contortions this poor Congressional Research Service attorney goes through (pdf) trying to find some way some such implication could conceivably be read into the statute's language. Then contemplate that the administration does not appear to have sought an appeal of this putatively crippling ruling. We can't know the real substance of the Court's problems with the way wiretaps were being handled, but we can be relatively certain of two things: They are more complicated than has been publicly suggested, and they provided a convenient means of persuading a cowed Congress to loose the judicial fetters entirely.

8 Comments

Can Someone Explain The Rationale For Capping Cable Growth?

from the capping-cable dept

FCC Chairman Kevin Martin is looking to reinstate a national cap on cable ownership, which would bar any one firm from serving more than 30 percent of the U.S. subscriber base. (A similar rule was thrown out by the courts back in 2001.)

The rationale for a national cap has always been a bit opaque to me. Because cable is geographically constrained, from a consumer perspective, all that matters is the market power my provider can exercise locally. If I've got three regional cable providers to choose from, it makes no difference whether two of them each hold a 40 percent national share. If I've got only one serving my area, the fact that it only controls 3 percent of the national market is similarly irrelevant. And if I'm in the latter boat, declaring that the largest firms with the most resources are forbidden to expand their operations into my neighborhood scarcely seems calculated to increase my access to alternatives. The FCC cites regional consolidation as a motive for the cap, but if cable providers are gunning for such regional monopolies, then won't they divest first in the regions where they do face competition, and hold on to the areas where they're the lone option?

It also seems a little perverse to introduce such limits just as consumers are finally starting to experience more robust choice in premium video. According to The Wall Street Journal, satellite now holds 30 percent of the pay-TV market. And despite some rocky first steps, phone companies are ramping up to aggressively expand IPTV over the next few years. Racing in to rescue viewers from monopoly now is, if not technically "ironic," then at least close enough to meet the Alanis Morissette definition.

10 Comments

If You're A Telco Lobbyist Convincing The Gov't To Grant Immunity, What Would You Say?

from the immune-response dept

Thanks to a court ruling issued Wednesday [PDF], the Director of National Intelligence now has less than two weeks to turn over to the Electronic Frontier Foundation some 300 pages worth of documents concerning the lobbying efforts of the telecom industry, which is seeking immunity from suits related to its role in extralegal surveillance. (EFF has itself brought just such a lawsuit.) The ruling found that the government has not provided any compelling explanation for its foot-dragging response to EFF's Freedom of Information Act request for the documents, and that "the public interest will be served by expedited release of the requested records" before the passage of legislation that could provide retroactive immunity. Since an industry lobbying to protect itself from potentially costly lawsuits is hardly surprising, the attempt to delay disclosure here actually leaves me more curious than I otherwise might be about the contents of the documents. Less interesting than the mere facts about who spoke with whom may be the rationale for amnesty offered by the telecoms: Since they should prevail on the merits if they acted within the law, it may be instructive to see precisely what they are worried about.

6 Comments