The Supreme Court Finally Takes on Law Enforcement Access to Cell Phone Location Data: 2017 in Review

Protecting the highly personal location data stored on or generated by digital devices is one of the 21st century’s most important privacy issues. In 2017, the Supreme Court finally took on the question of how law enforcement can get ahold of this sensitive information.

Whenever you use a cell phone, whether to make calls, send or receive texts, or browse the Internet, your phone automatically generates “cell site location information” (CSLI) through its interactions with cell towers. This means that cell providers like AT&T, Verizon, and T-Mobile have records of everywhere your phone has been, going back months and even years. And since almost everyone has a cell phone, cell providers have these records for nearly everyone.

The government has long argued that it doesn’t need a warrant to obtain CSLI from cell providers because of two 1970s Supreme Court cases, Smith v. Maryland and United States v. Miller. Smith and Miller are the basis for the Third Party Doctrine, which holds that information you voluntarily share with a “third party”—such as deposit and withdrawal information shared with banks (Miller) or numbers dialed on a phone shared with the phone company (Smith)—isn’t protected by the Fourth Amendment because you can’t expect that third party to keep the information secret.

For years, courts around the country have been deeply divided on whether the Third Party Doctrine should apply to CSLI or whether the invasiveness of the long-term monitoring it enables should require a more privacy-protective rule. EFF has been involved in almost all of the significant past cases on this issue.

In June, the Supreme Court agreed to consider that question in Carpenter v. United States. In Carpenter, the government obtained 127 days of the defendant’s cell phone records from MetroPCS—without a warrant—to try to place him at the locations of several armed robberies around Detroit. As in other cases, the government argues that Mr. Carpenter had no reasonable expectation of privacy in these records, which it claimed were simultaneously incriminating but not precise enough to reveal his exact location and movements over those 127 days.

EFF filed briefs both encouraging the court to take the case and urging it to reject the Third Party Doctrine. We noted that cell phone usage has exploded in the last 30 years, and with it, the technologies to locate users have gotten ever more precise.

We attended the Supreme Court oral argument in Carpenter in late November. While it is always risky to predict the outcome of a case based on the argument, it appears that a number of the justices are concerned about the scope and invasiveness of tracking individuals using CSLI. Justice Alito agreed that this new technology is raising serious privacy concerns; Justice Roberts recognized that never before has the government had the ability to track every individual; and Justice Sotomayor was concerned that your cell phone could be tracked into the most intimate places like your bedroom or your doctor’s office.

The Supreme Court’s opinion in Carpenter will have important ramifications for the future, especially as our phones generate more—and more precise—location information every year, which is shared with third parties. But its reach could extend far beyond cell phones. Other increasingly popular technologies will force courts to consider these issues as well. For example, “Internet of Things” devices like smart thermostats that track when we’re home and when we’re not, watches that record our heart rates and rhythms, and clothing that tracks our emotions and communicates directly with retail stores may constantly generate and share data about us with little to no volition on our part.

The Supreme Court’s opinion in Carpenter will come out next year. We hope it meets this trend of sophisticated tracking with strong Fourth Amendment protection.

This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2017.



Related Cases: United States v. Graham

Nation-State Hacking: 2017 in Review

If 2016 was the year government hacking went mainstream, 2017 is the year government hacking played the Super Bowl halftime show. It's not Fancy Bear and Cozy Bear making headlines. This week, the Trump administration publicly attributed the WannaCry ransomware attack to the Lazarus Group, which allegedly works on behalf of the North Korean government. As a Presidential candidate, Donald Trump famously dismissed allegations that the Russian government broke into email accounts belonging to John Podesta and the Democratic National Committee, saying it could easily have been the work of a "400 lb hacker" or China. The public calling-out of North Korean hacking appears to signal a very different attitude towards attribution.

Lazarus Group may be hot right now, but Russian hacking has continued to make headlines. Shortly after the release of WannaCry, there came another wave of ransomware infections, Petya/NotPetya (or, this author's favorite name for the ransomware, "NyetYa"). Petya was hidden inside of a legitimate update to accounting software made by MeDoc, a Ukrainian company. For this reason and others, Petya was widely attributed to Russian actors and is thought to have primarily targeted Ukrainian companies, where MeDoc is commonly used. The use of ransomware as a wiper, a tool whose purpose is to render the computer unusable rather than to extort money from its owner, appears to be one of this year's big new innovations in the nation-state actors' playbook.

WannaCry and Petya both owe their effectiveness to a Microsoft Windows security vulnerability that had been found by the NSA and code-named EternalBlue, which was stolen and released by a group calling themselves the Shadow Brokers. US agencies losing control of their hacking tools has been a recurring theme in 2017. First, companies, hospitals, and government agencies found themselves targeted by re-purposed NSA exploits that we all rushed to patch; then WikiLeaks published Vault 7, a collection of CIA hacking tools that had been leaked to them, following it up with the publication of source code for tools in Vault 8.

This year also saw developments from perennial bad actor Ethiopia. In December, Citizen Lab published a report documenting the Ethiopian government's ongoing efforts to spy on journalists and dissidents, this time with the help of software provided by Cyberbit, an Israeli company. The report also tracked Cyberbit as their salespeople demonstrated their surveillance product to governments including France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria. Other perennial bad actors also made a splash this year, including Vietnam, whose government was linked to Ocean Lotus, or APT 32, in a report from FireEye. The earliest known samples from this actor were found by EFF in 2014, when they were used to target our activists and researchers.




Keeping Copyright Site-Blocking At Bay: 2017 In Review

In 2017, major entertainment companies continued their quest for power to edit the Internet by blocking entire websites for copyright enforcement—and we’ve continued to push back.

Website blocking is a particularly worrisome form of enforcement because it’s a blunt instrument, always likely to censor more speech than necessary. Co-opting the Internet’s domain name system (DNS) as a tool for website blocking also threatens the stability of the Internet by inviting ever more special interests and governments to use the system for censorship.

This year, we’ve kept pressure on ICANN, the nonprofit body that makes domain name policy, to keep copyright enforcement out of their governing documents. And we’ve called out domain name registry companies who bypassed ICANN policy to create (or propose) their own private copyright enforcement machines. Public Interest Registry (PIR), the organization that manages the .org and .ngo top-level domains, announced in February that it intended to create a system of private arbitrators who would hear complaints of copyright infringement on websites. The arbitrators would wield the power to take away a website’s domain name, and possibly transfer it to the party who complained of infringement. The Domain Name Association (DNA), an industry trade association, also endorsed the plan.

EFF pointed out that this plan was developed in secret, without input from Internet users, and that it would bypass many of the legal protections for website owners and users that U.S. courts have developed over the years. Within weeks, PIR and DNA shelved this plan, apparently for good.

Unfortunately, some domain registries continue to suspend domain names based on accusations from major motion picture distributors (whom they call “trusted notifiers”) in a process that also bypasses the courts. Along with giving special privileges to luxury brands and other major trademark holders, and to U.S. pharmaceutical interests, these policies erode public trust in the domain name system, a key piece of Internet infrastructure.

There are worrisome developments in the courts as well. Major movie studios, record labels, and print publishers have continued to ask U.S. courts for broad injunctions that could force many kinds of intermediaries—all of free speech’s weak links—to help block websites. They do this by filing lawsuits against a website, typically located outside the U.S., accusing it of copyright infringement. When the website’s owners don’t appear in court, the copyright holder seeks a default injunction written broadly to cover intermediaries like DNS registrars and registries, search engines, and content delivery networks, who can then be compelled to block the website. Several courts have granted these broad orders, including one that targets Sci-Hub, a site that gives access to research papers.

That’s concerning because, like the aborted efforts by domain registries, using default injunctions to block websites bypasses the normal rules created by the courts and Congress that define the role of Internet intermediaries. We hope that Internet companies continue to defend their users against censorship creep by fighting back against these orders. In the coming year, we’ll weigh in to help the courts understand why the current rules are worth sticking to.




A Grim Year for Imprisoned Technologists: 2017 In Review

The world is taking an increasingly dim view of the misuses of technology and those who made their names (and fortunes) from them. In 2017, Silicon Valley companies were caught up in an ongoing trainwreck of scandals: biased algorithms, propaganda botnets, and extremist online organizing have dominated the media's headlines.

But in less-reported-on corners of the world, concerns about technology are being warped to hurt innocent coders, writers and human rights defenders. Since its founding, EFF has highlighted and defended cases of injustice and fearmongering perpetrated against innocent technologists. We advocate for unjustly imprisoned technologists and bloggers with our Offline project. In 2017, we continue to see fear being whipped up against those who oppose oppression with modern tools—as well as those who have done nothing more than teach and share technology so that we can all use and understand it better.

Take Dmitry Bogatov, software developer and math lecturer at Moscow's Finance and Law University. Bogatov ran a volunteer Tor relay, allowing people around the world to protect their identities as they used the Internet. It was one part of his numerous acts of high-tech public service, which include co-maintaining Xmonad and other Haskell software for the Debian project.

For his generosity, Bogatov has now spent over a hundred days in pretrial detention, wrongfully accused of posting extremist materials that were allegedly sent through his Tor server. Law enforcement officials around the world understand that data that appears to originate from a particular Tor machine is, in fact, traffic from its anonymised users. But that didn't stop Bogatov's prosecutors in Russia from accusing him of sending the data himself, under a pseudonym, to foment riots—and adding new charges of "inciting terrorism" when a judge suggested the earlier charge was too weak to hold Bogatov in pre-trial detention.

Dmitry is still being denied his freedom, accused of a crime he clearly did not commit. The same is true for Ahmed Mansoor, a telecommunications engineer from the United Arab Emirates. Mansoor has been a tireless voice for victims of human rights abuses in the United Arab Emirates. In 2011, amidst the Arab uprisings, he was one of five Emirati citizens to be sentenced to prison for his social media postings. That case provoked international condemnation, and the group was soon pardoned. Mansoor was subsequently targeted with sophisticated government spyware on his iPhone; he recognised and passed on the malware link to experts, which led to the discovery of three previously unknown vulnerabilities in Apple's iOS.

In April, Mansoor was seized by the UAE authorities again. On the day of his arrest, the UAE’s official news agency said that he had been arrested on the orders of the Public Prosecution for Cybercrimes and accused of using social media to promote sectarianism and hate, among other charges. Mansoor’s family did not hear from him for two weeks, and he has been denied access to a lawyer.

Just a year ago, Apple was able to roll out a security fix to their users because of Mansoor's swift, transparent, and selfless actions. Millions of people are safer because of Ahmed's actions, even as his family fears for his own physical and mental safety.

Mansoor's detention is new, but others continue to be jailed for their use of technology, year after year. Alaa abd el-Fattah ran Linux installfests across the Middle East and was a key online voice in the Egyptian uprising. Since then he has been jailed, in turn, by the democratically elected Islamist President Mohammed Morsi, and then when Morsi was overthrown in a coup, by incoming President Abdel Fattah El-Sisi. Alaa's appeal against a five-year prison sentence for protesting—widely seen as a means to silence him on social media—was refused in November of this year. Amnesty and the UN Working Group on Arbitrary Detention have both condemned Alaa's continuing imprisonment.

Another long-term case is that of Saeed Malekpour, who has been in jail in Iran since 2008. Malekpour returned from Canada to visit his sick Iranian father in October of that year, at a time when the Iranian Revolutionary Guard was starting to target technologists and Internet experts. As an open source coder, Malekpour had written a free front-end image management utility for websites. The Guard found this software on a Farsi pornography site, and used it as a pretext to seize Malekpour from the streets of Tehran, charge him with running the web site, and sentence him to death.

Malekpour's death sentence has been annulled twice following international pressure, but a change of government in his home country of Canada risked reducing the level of support for Malekpour. A campaign to encourage the new Trudeau administration to continue to advocate for Malekpour, even as Canada seeks to normalize relations with Iran, seems to be working. One of Malekpour’s advocates, former Liberal MP Irwin Cotler, has said that the Canadian government is now working on the case.

The continuing monitoring of Malekpour's life sentence is a small consolation, but better than the alternative. The same is true of the current tentative freedom of Peter Steudtner and Ali Gharavi.

Ali and Peter travel the world, teaching and advising Internet users on how to improve their privacy and digital security online (Ali was an advisor for EFF's Surveillance Self-Defense project). The two were arrested in a raid by Turkish police on a digital security workshop in July in Istanbul, along with Amnesty Turkey's director, Idil Eser, and eight other human rights defenders.

The two technology consultants have been accused of aiding terrorists, despite the long history of both as peaceful advocates for secure online practices. After months of detention, concentrated diplomatic and public pressure led to both being released to join their families in Germany and Sweden. We're delighted that they are free, but their unjust prosecution—and that of their Turkish colleagues—continues in the Turkish courts.

Peter and Ali have dedicated their careers to sharing their knowledge of digital security with those who need it most. Dmitry Bogatov voluntarily ran a server that anyone could use to protect their identities. Ahmed Mansoor went public with his high-tech harassment by the authorities, and improved the security of millions by doing so. Alaa encouraged a generation of Egyptians to use free software and social media to express themselves. Saeed Malekpour has spent nearly a decade in prison for giving his software away for free. What they have in common is not just a love of technology, but a wish that its power be used for good, by us all.

Their sacrifices would be recognized by Bassel Khartabil, the Syrian free culture advocate. Before his arrest and torture in 2012, Bassel was the driving force behind countless projects to turn technology for the public good in his country. He founded a hackerspace in Damascus, translated Creative Commons into a Middle Eastern context, and built out Wikipedia and Mozilla for his fellow Syrians. Bassel's generosity brought him notability and respect. His prominence and visibility as a voice outside the divided political power-bases of Syria made him an early target when the Syrian civil war became violent.

We learned this year that Bassel was killed by the Syrian government in 2015, shortly after he was removed from a civilian prison and sent into the invisibility of Syria's hidden security complexes.

The cases we cover in EFF's Offline project are all advocates for openness, transparency and the right to free expression, who have been unjustly imprisoned for their work. But transparency isn't just a noble goal for them: public visibility is what gives them hope and keeps them alive. We hope you'll keep them all in your hearts as you enter 2018. Even as we mourn Bassel, we look forward to a better new year that will see our imprisoned colleagues free and safe again.


Protecting Immigrants from High Tech Surveillance: 2017 in Review

In 2017, the federal government surged its high tech snooping on immigrants and foreign visitors, including expanded use of social media surveillance, biometric screening, and data mining. In response, EFF ramped up its advocacy for the digital rights of immigrants. 

Social Media Surveillance 

EFF resisted government programs to collect, store, and analyze the publicly available social media information of immigrants and visitors. These programs threaten the digital expression and privacy of immigrants, and the many U.S. citizens who communicate with them.

Collection. The Department of Homeland Security (DHS) empowered its border officers to screen the social media information of certain visa applicants from China. Likewise, the State Department empowered its consular officials to gather this information from visa applicants worldwide. The DHS Secretary even floated the idea of requiring visitors to share their social media passwords.

EFF opposed all of this surveillance.

EFF also advocated against a federal bill (S. 1757) requiring social media screening of visa applicants from so-called “high risk countries,” which would invite religious profiling against visitors from Muslim nations. These new government efforts build on earlier social media surveillance of immigrants and visitors, which EFF also opposed.

Storage. DHS disclosed that it stores the social media information it collects from immigrants and visitors in “Alien Files” (A-Files), a government record system that tracks people as they move through the immigration process. This announcement shows the federal government is holding onto social media information for an indefinite period of time, broadly sharing it, and using it for myriad purposes. EFF advocated against this excessive storage, sharing, and use of social media information.

Analysis. DHS is developing what it calls an “extreme vetting” system to automatically analyze immigrants’ social media information. EFF opposes this new program, which suffers many of the same flaws as algorithm-based predictive policing.

Biometric Screening

DHS has long gathered biometric information from foreign citizens as they enter the United States. In 2017, DHS expanded its efforts to collect biometric information from foreign citizens as they exit the United States on certain flights. In a classic case of “mission creep,” DHS has also begun to collect biometric information from U.S. citizens on these flights. EFF advocated against two federal bills (S. 1757 and H.R. 3548) that would entrench and expand this biometric border screening. 

One of these bills (S. 1757) also would require DHS to collect DNA and other biometric information from anyone seeking an immigration benefit, and to share its biometric information about immigrants with federal, state, and local law enforcement agencies. EFF opposed these proposals, too.

Data Mining

DHS gathers and analyzes massive amounts of data in order to locate and deport undocumented immigrants. Sometimes, DHS obtains this data from state and local government agencies that collected it for reasons unrelated to immigration enforcement.

EFF advocated for a provision in a California bill (S.B. 54) that would have prohibited state and local law enforcement agencies from making their databases available for purposes of immigration enforcement. Unfortunately, this “database firewall” was later removed from the bill, at which point EFF pivoted to a position of neutrality.

EFF also supported a coalition effort to persuade corporate data brokers to refrain from making their data and services available to the federal government for purposes of mass deportations.

Other Snooping on Immigrants 

Cell-site simulators (CSSs), often called Stingrays, are police devices that masquerade as cell-phone towers and trick our phones into connecting to them. They are a form of mass surveillance that disrupt phone service and disparately burden communities of color. 

U.S. Immigration and Customs Enforcement has spent $10 million to purchase 59 CSSs, and used one to locate and arrest an undocumented immigrant. EFF opposes government use of CSSs to hunt down people whose only offense is to unlawfully enter or remain in the United States. If government is allowed to use CSSs at all, it should do so only to address serious violent crime.

E-Verify is a massive federal data system that employers may use to verify the eligibility of job applicants to work in the United States. EFF advocated against a federal bill (H.R. 3711) that would require employers to use it. E-Verify is riddled with errors, and thus blocks many people from lawfully working. Moreover, data systems like E-Verify, which contain sensitive social security and passport numbers, are an attractive target for data thieves. 

DHS authorizes officers, with no suspicion at all, to search the smartphones and other electronic devices of everyone who crosses the U.S. border. Border officers do so tens of thousands of times per year. EFF teamed up with the ACLU to file a new lawsuit arguing that officers need a warrant for such searches. One of our eleven plaintiffs is Jeremy Dupin, a lawful permanent resident from Haiti and an award-winning journalist. The U.S. Constitution protects immigrants as well as U.S. citizens. 

Next Steps

EFF stands up for the digital rights of immigrants and foreign visitors for many reasons. First, digital liberty is a human right that all people should enjoy, including immigrants. Second, EFF opposes discriminatory intrusions on digital liberty, and some high tech surveillance of immigrants may be motivated by anti-immigrant or anti-Muslim animus. Third, government surveillance of immigrants and visitors often sweeps in information about the many U.S. citizens who associate and communicate with them. Fourth, government surveillance programs that begin by targeting immigrants and visitors often expand to target U.S. citizens, too.

These problems did not begin in 2017. EFF has long advocated against biometric and social media surveillance of immigrants, as well as E-Verify. But under President Donald Trump, intrusions on the digital liberty of immigrants are growing in intensity, as part of expanded immigration enforcement.

EFF will continue to stand with our immigrant friends and neighbors, and work to protect everyone’s digital liberties.


Security Education in Uncertain Times: 2017 in Review

From the time Donald Trump became president-elect in November 2016 and through 2017, EFF was flooded by requests for digital security workshops. They poured in from all over the country: educational nonprofits, legal groups, libraries, activist networks, newsrooms, scientist groups, religious organizations. There are a few reasons for this rise in digital security training requests. Certainly, the 2016 election made a lot of communities rethink their relationships with the U.S. government. At the same time, a rise in high-profile stories of groups being hacked, often using increasingly sophisticated methods, left many of those groups feeling vulnerable.

We've also seen a marked increase in technologists hungry for opportunities to share security advice in their communities, with their friends, and with groups they support. We heard from people who'd unwittingly become the de facto source for security education in their communities, but didn't have the right structure to teach effectively. We heard from nonprofit professionals who wanted to start offering security workshops in their spaces but didn't know how. And we heard from people who really wanted to help out but just had no idea where to start. 

When thinking about how we'd respond to this new demand and what value EFF could provide specifically in the security education space, we kept coming back to one point: the solution isn't to fly around the country hosting digital security trainings. It doesn't work to drop into a roomful of people you've never met before and have no connection to, spend a day teaching them security basics, and then leave, never to interact with them again. 

Our conversations repeatedly brought us to the effectiveness of training from within: learning security from a friend will be more effective than learning from an outsider. You can ask more honest questions and have deeper discussions. And when something goes wrong, you won't call an organization in another city across the country for help; you'll call your friend. 

We thought about what an alternative model for teaching digital security might look like, and where EFF and EFF supporters could uniquely add value. Influenced by human-centered design methods, we wanted to make sure that what we created was informed by a thorough understanding of these problems and the space, and that it complemented the many wonderful digital security resources already out there. The Security Education Companion came out of this long journey.

We began by conducting informal interviews at conferences and on calls, where we spoke at length with dozens of US-based and international digital security trainers and practitioners. From late 2016 through July 2017, we asked trainers a loose series of questions, including:

“What is the starting point for a security training?”

"What are the hardest things for participants to learn in a security training? What do participants tend to misunderstand?”

“What is the fundamental knowledge that people should have coming out of a security training?” 

We facilitated two webinars with the Electronic Frontier Alliance and learned more about the digital security training scene in various cities around the US. These conversations with trainers helped us to assess what seasoned digital security trainers are already doing, what kind of resources they are using, what kinds of resources are missing, and where more guidance is needed for newer teachers of digital security. We learned that many trainers use our Surveillance Self-Defense resources to inform their training, and we learned where trainers felt that these existing resources fell short. We shared these comments back with our SSD team, and we have worked hard to address these concerns.

Here at EFF, we were turning those findings into our new approach to security education. We compared and discussed existing resources on pedagogy, educational resources for new teachers, end-user focused digital security resources, and existing methods for teaching digital security. We tested out our draft security education materials and teaching approaches in our own digital security events, reflected on how they could be improved, and iterated on them. We looked through all our incoming training requests, created sixteen personas based on these requesting groups, and used these personas to help inform the beginnings of a curriculum. We also created a tone guide, requirements for our writing (such as striving to meet Simple English constraints), a glossary for our new terms, and guidelines for our graphics and materials to make it easier for end users to remix and localize them. We decided to narrow our audience to new teachers of digital security who would be teaching to their friends and neighbors.

When we had enough data to begin making materials, we used it to create twenty inclusive digital security learner personas and trainer personas. We used these personas to help us organize and prioritize what advice we felt was important to share with new teachers, what materials they might need for a basic digital security workshop, and lesson modules. As we designed the educational materials and the structure of the website, we shared our materials with a group of internal and external digital security trainers to test our materials with learners, collected feedback from their experiences, and made adjustments to our educational materials. We also began sharing our resources with a group of trusted digital security practitioners, and solicited feedback.

The Security Education Companion is growing and improving, and we are excited to share it with beginner teachers of digital security. Through 2018, we will continue to work hard to ensure that the Companion improves on the existing collective body of training knowledge and practice. Read our Security Education 101 articles and try out the lesson modules with your friends: we’d love to hear how they worked out.

This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2017.


Beating Back the Rise of Law Enforcement’s Digital Surveillance of Protestors: 2017 in Review

In 2017, we’ve seen a dramatic rise in the number of high-profile cases where law enforcement has deployed digital surveillance techniques against political activists. From the arrest and prosecution of hundreds of January 20, 2017 Inauguration Day (J20) protestors to the systematic targeting, surveilling and infiltration of Water Protectors in Standing Rock, North Dakota, and the Black Lives Matter Movement over social media, law enforcement and private security firms have taken advantage of the wealth of information available online to thwart activists’ credibility and efficacy. 

While government surveillance and investigation of opposition groups may not be anything new, the tools and methods for conducting such surveillance and the sheer scope of information that can be captured about these groups is staggering. The magnitude of information now available in the digital age via platforms like Facebook, Instagram, and Twitter, continues to grow exponentially, documenting your location information, contact networks, calendars, and communications. Independently, consent-less access to these discrete data-points may seem little more than intrusive, but when aggregated together, this information creates a very intimate portrait of our day-to-day lives that law enforcement can and has used against dissenting voices.

When law enforcement comes knocking, it is increasingly up to the social media platforms and their users to stand up and call for help in protecting user rights and privacy. That’s exactly what happened in the J20 cases. This past summer, the U.S. Department of Justice (DOJ) tried to gag Facebook from warning its users about the DOJ’s demand for their information using a court-issued gag order. Rather than capitulate to government pressure, Facebook reached out to the community for help and we answered the call.

EFF and our allies told the court to invalidate the gag order because it infringed upon Facebook’s constitutional rights to free and anonymous speech and association. The First Amendment simply cannot abide the government’s forced silencing of Facebook from informing its users that the DOJ has obtained their data. Such compelled silence would deprive individuals of their right to seek government redress over invasions into their online anonymity and would presumptively restrain online speech, without any binding standards, fixed deadlines, or judicial review.

Fortunately, the DOJ finally came to its senses after EFF and our allies called public attention to the constitutional violations wrought by its gagging of Facebook, and moved to vacate its gag orders with the court rather than face the dressing down that was sure to come if the case had proceeded to argument. While we’re pleased with the result here, the DOJ still routinely uses gag orders that go far beyond the very narrow circumstances allowed by the First Amendment. We must remain vigilant in 2018 to see that the courts rein in such abuse of power. For if experience is any indication, the government will push its boundaries until someone stands up to them. 

For example, in the fall of 2017, the DOJ demanded user information on over 1.3-million visitors to the disruptJ20 website via a search warrant. Thankfully, disruptJ20’s webhost, DreamHost, refused to produce the data and, like Facebook, reached out to the community for support and filed a motion in opposition to the DOJ’s request.

With the amplified public attention brought to the issue by EFF and other media groups, the DOJ finally backed down and narrowed the scope of its warrant to exclude most visitor logs, set a temporal limit for records, and withdrew its demand for unpublished content, like draft blog posts and photos. While the DOJ didn’t go quite as far as we’d like in reining in its request for protesters’ digital information, this was still a crucial win in the battle for user privacy and freedom of anonymous speech and association.

Despite ever-increasing law enforcement intrusion into protestors’ digital lives, we must stand strong against fear and self-censorship and look to one another to raise and answer the call for robust user privacy practices and protections from our social media platforms. When we speak together, history has shown that our voices are strong enough to turn the tide back on the government’s digital intrusion into constitutionally protected activity. Join us as we continue the fight in 2018.

The six defendants in the first J20 trial were found not guilty on all counts by a jury on Dec. 21, 2017. A second trial for a separate group of defendants will be scheduled in the New Year.

This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2017.


Surveillance Battles: 2017 in Review

If you’ve been following EFF’s work, you’ll know that we’ve been fighting against the creeping surveillance state for over 20 years. Often, this means pushing back against the National Security Agency’s dragnet surveillance programs, but as new technology becomes available, new threats emerge.

Here are some of the biggest legislative fights we had in 2017.

FISA Section 702

Section 702 is a surveillance authority that is part of the FISA Amendments Act of 2008. It was created as a way for the intelligence community to collect foreign intelligence from non-Americans located outside of the United States. However, the way the law is currently written allows the NSA to “incidentally” collect communications from an untold number of Americans. We say “untold” because the government has never disclosed how many law-abiding Americans have had their communications vacuumed up by the NSA and other intelligence gathering organizations. In addition to being used to prevent terrorism, Section 702 allows for that collected information to be used in ordinary law enforcement activities. As we have witnessed in several recent Congressional hearings, even members of Congress tasked with overseeing these programs literally don’t know how many Americans have been impacted by this program because the FBI, the DOJ, and the NSA have refused repeated requests to share that information.

Section 702 authority was set to expire on December 31, 2017, which means that Congress had a chance to make the many necessary changes needed to protect their constituents from excessive government surveillance. Various members of Congress have introduced some great bills, but other bills do nothing to prevent unwarranted dragnet surveillance.

We are disappointed that Congress hasn’t prioritized having a transparent debate about how law enforcement and intelligence agencies should be using their spying authorities while also respecting Americans’ Fourth Amendment rights. Sadly, as we approached the potential sunset of Section 702 at the end of the year with no consensus in sight, Congressional leadership punted by tacking a three week extension of Section 702 into a must-pass spending bill. The new deadline is January 19, 2017, and we hope that this time, Congress will use this opportunity to end warrantless, unconstitutional surveillance for good.

No matter what happens, we stand ready to continue the fight to rein in sweeping spying programs.

Facial Recognition and other Biometric Screening

In 2004, the U.S. Department of Homeland Security (DHS) began biometric screening of foreign citizens upon their arrival in the U.S. In 2016, DHS launched a pilot program to expand facial recognition screening to U.S. citizens, in addition to foreign travelers, on a daily international flight out of Atlanta. This summer, DHS has gone even further, and has started working to expand the screening to all travelers on certain flights out of certain airports, with the list of airports growing. Customs and Border Protection (CBP) has also announced plans to expand its facial recognition program to land borders in 2018, requiring any person driving into the U.S. to submit to biometric screening. DHS executives have even been quoted as saying that they would like to substitute biometric screenings at every place in the airport where we currently have to show ID.

While Congress did authorize automated tracking of foreign citizens as they enter and exit the U.S. in 1996, they have not authorized this intrusion into the lives of American travelers. DHS expanded these programs on their own, backed by President Trump’s revised travel ban.

Several Members of Congress are scrambling to codify DHS’s increased biometric surveillance, introducing several bills in 2017, such as Sen. Cornyn’s bill S. 1757, Sen. Thune’s bill S. 1872, Rep. McCaul’s bill H.R. 3548, and others. These bills would both authorize these programs, and in some cases, expand them even further. Additionally, it’s possible that expanded biometric screening could be included in upcoming legislation that contains permanent changes to DACA.

As we have written extensively, biometric screening, and especially its implementation as a law enforcement tool, is inherently problematic. Our faces are easy to capture and hard to change. Plus, facial recognition has significant accuracy problems, especially for non-white travelers. One of the biggest problems of this screening is data security. The Equifax database breach was a grave violation of privacy, based just on release of numbers (like dates of birth and Social Security numbers). The risk to privacy posed by breach of biometric databases is even greater. The government must answer questions about how the data will be stored, how long it will be stored, and how they will ensure that data is kept secure.

Our governments should not try to force us to abandon travel in order to protect the privacy of our faces. We will continue to oppose such bills that endanger Americans’ privacy, watch for biometric screening language sneaking into other bills, and work with our allies in Congress to beat back these threats to privacy.

Cell-Site Simulator Devices

At the beginning of 2017, we were heartened when the House Oversight and Government Reform Committee (OGR) issued a bipartisan report acknowledging and detailing police abuse of cell-site simulators, also known as stingrays. OGR’s report also called on Congress to pass legislation requiring that this technology only be deployed based on a court-issued probable cause warrant. We agree that Congress should set forth clear guidelines like this on the limits of this authority.

Sadly, Congress has not yet passed this legislation, even as news broke that demonstrated how necessary these limits are. Through a FOIA request, Buzzfeed found that DHS used cell-site simulators 1,885 times from January 2013 through to October 2017 throughout the United States. However, how and why DHS used these devices remains unclear.

Sen. Ron Wyden asked these questions, sending a letter to U.S. Immigration and Customs Enforcement (ICE) requesting information on the agency’s use of the devices. Sen. Wyden asked what policies govern the use of stingrays in law enforcement operations, and what steps ICE takes to limit the interference on innocent Americans. ICE responded by saying that cell site simulators are allowed both under current law and current policy. ICE maintains that there is “virtually” no interference with “non-targeted” devices, though they offer no evidence to that effect. Similarly, ICE claims that their use of cell-site simulators is limited and current policy only allows their use with probable cause warrants.

While we are glad to know that ICE has a policy around these devices, we also know that policies can be easily changed. Given the expansion of cell-site simulator snooping under this Administration, we will continue to work with Congress to create more effective, legislative protections against law enforcement overreach.

Going into 2018

As surveillance technology becomes cheaper and more accessible, law enforcement and intelligence agencies are going to continue to seek access to it, often at great cost to our privacy. Our increasingly digital lives show the growing need for ironclad privacy protections, and EFF plans to continue leading this fight for your rights in 2018 and beyond.

This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2017.


Urgent: We Only Have Hours Left to Stop the NSA Expansion Bill

According to reports published Tuesday evening by Politico, a group of surveillance hawks in the House of Representatives is trying to ram through a bill that would extend mass surveillance by the National Security Agency. We expect a vote to happen on the House floor as early as tomorrow, which means there are only a few hours to rally opposition.

The backers of this bill are attempting to rush a vote on a bill that we’ve criticized for failing to secure Americans’ privacy. If this bill passes, we will miss the opportunity to prevent the FBI from searching through NSA databases for American communications without a warrant. Worse, nothing will be done to rein in the massive, unconstitutional surveillance of the NSA on Americans or innocent technology users worldwide.

As we wrote, the bill, originally introduced by Chairman Devin Nunes before the House Permanent Select Committee on Intelligence, “allows warrantless search of American communications, expands how collected data can be used, and treats constitutional protections as voluntary.”

The bill would create an easy path for the NSA to restart an invasive type of surveillance (called "about" searches) that the agency voluntarily ended earlier this year because of criticisms from the FISA court. It would also give FBI agents the power to decide whether or not to seek a warrant to read American communications collected under Section 702.

Backers of this bill are rushing because they know that time is on our side. If we can rally enough voices of opposition, we can delay or defeat this vote, sending a powerful message to Congress. Every day can make a huge difference in this fight because Section 702, originally enacted as part of the FISA Amendments Act—the legal authority the NSA relies on to engage in this mass surveillance—expires in 12 days.

The vote on this is likely to happen today, so there’s no time to make phone calls or send emails. We are asking people to use social media to contact their representatives. We’ve set up a tool to help you tweet at your member of Congress. We also encourage you to find other social media accounts for your representatives (such as an official Facebook account) and post a comment there. 


How to Talk to Your Family About Digital Security

You and your family are sipping hot cocoa, gathered around the [holiday object of your choice], and your family member suddenly asks: “Can you help me with my [insert device here]?”

They need a question answered about their computer, phone, tablet, video game console, or internet-connected device. Maybe they have related questions about their online accounts.

Or maybe there is a teenager or college student in your family that posts intensely personal information online, and has just realized that they should probably maintain more privacy in their online lives—but isn’t sure how to start.

Or perhaps the conversation of data breaches comes up around the dinner table, and Uncle Navid insists that the only way to protect yourself is to never go online at all.

Congratulations, you are now responsible for threat modeling for the holidays!

This is a good time to take a step back, consider some common concerns and threat models, and talk to your family about digital security.

Before you begin, try to take a harm reduction approach to answering their problems. Take a moment to think about what devices and operating systems they use, what workflows they already have in place, and what kind of advice they might be receptive to.

Then, you can start to narrow down on their concerns. A good way to start is by asking: “What would you like to do, and what are you worried about?”

Threat Modeling for the Holidays

  • Does your family member already have a strong password protecting their encrypted device? Are they interested in bolstering their security further? Determine what their next steps might be. What do they already know? Do they know what they don’t know? Help them level up!

  • Is your family member applying to schools or applying for jobs? Are they worried about prospective administrators and employers finding their social media accounts? Show them how to lock down their social media account settings!

  • Are your friends eager to get the holiday shopping deals, but are they annoyed by being tracked across their purchases? Show them how to install Privacy Badger.

  • Does your family member send sensitive information, like social security numbers or medical information, through text messages? Are they worried about someone accessing this information? Show them how to use an end-to-end encrypted chat app, like Signal.

As you are teaching your friends and family, you might encounter one of the following attitudes:

“I have nothing to hide, so why do I need to protect privacy?”

“I am worried about my digital security to the point of being overwhelmed. I don’t know where to start.”

“I’m ready to take action, but not until I have a perfect handle on how all of these technical concepts fit together.”

“There’s no such thing as perfect security, so why even bother? If someone wants to hack me, they’ll figure out a way to do it.”

If you’re struggling with keeping them motivated to learn, try out some of these ideas.

Help your friends and family move into the new year with added security. Let us know how these lessons go by submitting feedback to the Security Education Companion, and by using the hashtags #TheSafestConversationYoullHaveThisHoliday or #BadgerYourFamily.

