Press Room

Boston, Massachusetts—The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) sued the Department of Homeland Security (DHS) today on behalf of 11 travelers whose smartphones and laptops were searched without warrants at the U.S. border.

The plaintiffs in the case are 10 U.S. citizens and one lawful permanent resident who hail from seven states and come from a variety of backgrounds. The lawsuit challenges the government’s fast-growing practice of searching travelers’ electronic devices without a warrant. It seeks to establish that the government must have a warrant based on probable cause to suspect a violation of immigration or customs laws before conducting such searches.

The plaintiffs include a military veteran, journalists, students, an artist, a NASA engineer, and a business owner. Several are Muslims or people of color. All were reentering the country from business or personal travel when border officers searched their devices. None were subsequently accused of any wrongdoing. Officers also confiscated and kept the devices of several plaintiffs for weeks or months—DHS has held one plaintiff’s device since January. EFF, ACLU, and the ACLU of Massachusetts are representing the 11 travelers.

“People now store their whole lives, including extremely sensitive personal and business matters, on their phones, tablets, and laptops, and it’s reasonable for them to carry these with them when they travel. It’s high time that the courts require the government to stop treating the border as a place where they can end-run the Constitution,” said EFF Staff Attorney Sophia Cope.

Plaintiff Diane Maye, a college professor and former U.S. Air Force officer, was detained for two hours at Miami International Airport when coming home from a vacation in Europe in June. “I felt humiliated and violated. I worried that border officers would read my email messages and texts, and look at my photos,” she said. “This was my life, and a border officer held it in the palm of his hand. I joined this lawsuit because I strongly believe the government shouldn’t have the unfettered power to invade your privacy.”

Plaintiff Sidd Bikkannavar, an engineer for NASA’s Jet Propulsion Laboratory in California, was detained at the Houston airport on the way home from vacation in Chile. A U.S. Customs and Border Protection (CPB) officer demanded that he reveal the password for his phone. The officer returned the phone a half-hour later, saying that it had been searched using “algorithms.”

Another plaintiff was subjected to violence. Akram Shibly, an independent filmmaker who lives in upstate New York, was crossing the U.S.-Canada border after a social outing in the Toronto area in January when a CBP officer ordered him to hand over his phone. CBP had just searched his phone three days earlier when he was returning from a work trip in Toronto, so Shibly declined. Officers then physically restrained him, with one choking him and another holding his legs, and took his phone from his pocket. They kept the phone, which was already unlocked, for over an hour before giving it back.

“I joined this lawsuit so other people don’t have to have to go through what happened to me,” Shibly said. “Border agents should not be able to coerce people into providing access to their phones, physically or otherwise.”

The number of electronic device searches at the border began increasing in 2016 and has grown even more under the Trump administration. CBP officers conducted nearly 15,000 electronic device searches in the first half of fiscal year 2017, putting CBP on track to conduct more than three times the number of searches than in fiscal year 2015 (8,503) and some 50 percent more than in fiscal year 2016 (19,033). 

“The government cannot use the border as a dragnet to search through our private data,” said ACLU attorney Esha Bhandari. “Our electronic devices contain massive amounts of information that can paint a detailed picture of our personal lives, including emails, texts, contact lists, photos, work documents, and medical or financial records. The Fourth Amendment requires that the government get a warrant before it can search the contents of smartphones and laptops at the border.”

Below is a full list of the plaintiffs:

 ·      Ghassan and Nadia Alasaad are a married couple who live in Massachusetts, where he is a limousine driver and she is a nursing student.

 ·      Suhaib Allababidi, who lives in Texas, owns and operates a business that sells security technology, including to federal government clients.

 ·      Sidd Bikkannavar is an optical engineer for NASA’s Jet Propulsion Laboratory in California.

 ·      Jeremy Dupin is a journalist living in Boston.

 ·      Aaron Gach is an artist living in California.

 ·      Isma’il Kushkush is a journalist living in Virginia.

 ·      Diane Maye is a college professor and former captain in the U. S. Air Force living in Florida.

·      Zainab Merchant, from Florida, is a writer and a graduate student at Harvard University.

·      Akram Shibly is a filmmaker living in New York.

·      Matthew Wright is a computer programmer in Colorado.

The case, Alasaad v. Duke, was filed in the U.S. District Court for the District of Massachusetts.

For the complaint:
https://www.eff.org/document/alasaad-v-duke-complaint

For more on this case and plaintiff profiles:
https://www.eff.org/cases/alasaad-v-duke

For more on digital security at the border:
https://www.eff.org/wp/digital-privacy-us-border-2017

SAN FRANCISCO, CALIFORNIA—The Electronic Frontier Foundation (EFF) announced today that whistleblower and activist Chelsea Manning, Techdirt editor and open internet advocate Mike Masnick, and IFEX executive director and global freedom of expression defender Annie Game are the distinguished winners of the 2017 Pioneer Awards, which recognize leaders who are extending freedom and innovation on the electronic frontier. This year’s honorees—a whistleblower, an editor, and an international freedom of expression activist—all have worked tirelessly to protect the public’s right to know. 

 The award ceremony will be held the evening of September 14 at Delancey Street’s Town Hall Room in San Francisco. The keynote speaker is Emmy-nominated comedy writer Ashley Nicole Black, a correspondent on Full Frontal with Samantha Bee who uses her unique comedic style to take on government surveillance, encryption, and freedom of information. Tickets for the ceremony are $65 for current EFF members, or $75 for non-members.

Chelsea E. Manning is a network security expert, whistleblower, and former U.S. Army intelligence analyst whose disclosure of classified Iraq war documents exposed human rights abuses and corruption the government kept hidden from the public. While serving in Iraq, Chelsea worked to release hundreds of thousands of classified war and State Department files on the Internet, including a video depicting the shooting deaths of Iraqi civilians and two Reuters reporters by U.S. troops. Chelsea’s conscience-driven leaks exposed critical information about U.S. involvement in Iraq and Afghanistan and made it available online to journalists and citizens around the world, greatly contributing to public knowledge, understanding, and discussion of the government’s actions. While serving seven years of an unprecedented 35-year sentence for leaking the documents, she became a prominent and vocal advocate for government transparency and transgender rights, both on Twitter and through her op-ed columns for The Guardian and The New York Times. She currently lives in the Washington, D.C. area, where she writes about technology, artificial intelligence, and human rights.

Mike Masnick is the founder and editor of the popular and respected Techdirt blog and an outspoken activist for digital rights, the First Amendment, and a free and open Internet. For 20 years Mike has explored the intersection of technology, policy, civil liberties, and economics, making Techdirt a must-read for its insightful and unvarnished analysis. He was a powerful voice in the fight against SOPA, and coined the term “The Streisand Effect.” Today Mike is in a fight for Techdirt’s survival—he and the weblog are targets of a $15 million libel lawsuit for publishing articles disputing claims of a man who says he invented email. The case pits Mike and Techdirt against the self-proclaimed email inventor and his lawyer, who, bankrolled by Peter Thiel, brought down Gawker. Mike has vowed to stand up for a free and independent press and fight this attempt to silence—or drive out of business—his blog for publishing First Amendment-protected opinions.

Annie Game is Executive Director of IFEX, a global network of over 115 journalism and civil liberties organizations that defends and promotes freedom of expression as a fundamental human right. IFEX exposes threats to online free expression, focuses on bringing to justice those who harm or kill journalists, and advocates for the rights of media workers, women and LGBT journalists, citizen journalists, and activists. For over 10 years Annie has led IFEX’s efforts to free imprisoned journalists, defend online activists targeted by repressive regimes, provide tools for organizing successful campaigns advocating for free expression, and expose legislation aimed at quelling free speech. Under Annie’s leadership, IFEX has begun pairing more traditional free expression organizations with their more digitized counterparts with a focus on building organizational security capacities. Annie has been activist throughout her career in the NGO sector and is also a published writer and broadcaster of satire and humor.  

“It’s an honor to celebrate this year’s Pioneer Award winners and the work they’ve done to fight for transparency and the rights of all people to freely express their opinions, passions, and beliefs without fear of censorship or retaliation,” said EFF Executive Director Cindy Cohn. “In these turbulent times, it’s essential that the Internet remain free and open and a source of critical information for people around the world. This group of pioneers, often in the face of great personal risk, have stood up courageously and relentlessly for users, for freedom, and for truth. Their work is an inspiration as we continue to defend global digital rights.”

Awarded every year since 1992, EFF’s Pioneer Awards recognize the leaders who are extending freedom and innovation on the electronic frontier. Previous honorees have included Malkia A. Cyril, Aaron Swartz, Laura Poitras, and Citizen Lab.

Special thanks to Airbnb and Ron Reed for supporting EFF and the 2017 Pioneer Awards ceremony. If you or your company are interested in learning more about sponsorship, please contact nicole@eff.org.

Buy Tickets

Join us for the 2017 Pioneer Awards

WASHINGTON, D.C.—The Electronic Frontier Foundation (EFF) asked the Supreme Court to review and overturn an unprecedented ruling allowing the government to intercept, collect, and store—without a warrant—millions of Americans’ electronic  communications, including emails, texts, phone calls, and online chats.

This warrantless surveillance is conducted by U.S. intelligence agencies under Section 702 of the Foreign Intelligence Surveillance Act. The law is exceedingly broad—Section 702 allows the government to conduct surveillance of any foreigner abroad­—and the law fails to protect the constitutional rights of Americans whose texts or emails are “incidentally” collected when communicating with those people.

This warrantless surveillance of Americans is unconstitutional and should be struck down.

Yet the U.S. Court of Appeals for the Ninth Circuit, ruling in U.S. v. Mohamud, decided that the Fourth Amendment doesn’t apply to Americans whose communications were intercepted incidentally and searched without a warrant. The case centered on Mohammed Mohamud, an American citizen who in 2012 was charged with plotting to bomb a Christmas tree lighting ceremony in Oregon. After he had already been convicted, Mohamud was told for the first time that information used in his prosecution was obtained using Section 702. Further disclosures clarified that the government used the surveillance program known as PRISM, which gives U.S. intelligence agencies access to communications in the possession of Internet service providers such as Google, Yahoo, or Facebook, to obtain the emails at issue in the case. Mohamud sought to suppress evidence gathered through the warrantless spying, arguing that Section 702 was unconstitutional.

In a dangerous and unprecedented ruling, the Ninth Circuit upheld the warrantless search and seizure of Mohamud’s emails. EFF, the Center for Democracy & Technology, and New America’s Open Technology Institute filed an amicus brief today asking the Supreme Court to review that decision.

“The ruling provides an end-run around the Fourth Amendment, converting sweeping warrantless surveillance directed at foreigners into a tool for spying on Americans,” said EFF Senior Staff Attorney Mark Rumold. “Section 702 is unlike any surveillance law in our country’s history, it is unconstitutional, and the Supreme Court should take this case to put a stop to this surveillance.”

Section 702, which is set to expire in December unless Congress reauthorizes it, provides the government with broad authority to collect, retain, and search Americans’ international communications, even if they don’t contain any foreign intelligence or evidence of a crime.

“We urge the Supreme Court to review this case and Section 702, which subjects Americans to warrantless surveillance on an unknown scale,” said EFF Staff Attorney Andrew Crocker. “We have long advocated for reining in NSA mass surveillance, and the ‘incidental’ collection of Americans’ private communications under Section 702 should be held unconstitutional once and for all.”

 For the amicus brief:
https://www.eff.org/document/mohamud-eff-cert-petition

For more on Section 702:
https://www.eff.org/document/702-one-pager-adv

For more on NSA spying:
https://www.eff.org/nsa-spying

San Francisco, California—The Electronic Frontier Foundation (EFF) won a court ruling today affirming that an infamous podcasting patent used by a patent troll to threaten podcasters big and small was properly held invalid by the U.S. Patent and Trademark Office (USPTO).

A unanimous decision by a three-judge panel of the U.S. Court of Appeals for the Federal Circuit will, for now, keep podcasting safe from this patent.

In October 2013, EFF filed a petition at the USPTO challenging the so-called podcasting patent owned by Personal Audio and asking the court to use an expedited process for taking a second look at the patent. More than one thousand people donated to our Save Podcasting campaign to support our efforts.

EFF's petition showed that Personal Audio did not invent anything new and, in fact, other people were podcasting years before Personal Audio first applied for a patent. In preparation for this filing, EFF solicited help from the public to find prior art or earlier examples of podcasting.

In April 2015, the Patent Office invalidated all the challenged claims of the podcasting patent, finding that the patent should not have been issued in light of two earlier public disclosures, one relating to CNN news clips and one relating to CBC online radio broadcasting.

Personal Audio challenged the Patent Office decision, but the Court of Appeals for the Federal Circuit agreed with us that the patent did not represent an invention, and podcasting was known before Personal Audio’s patent was applied for.

“We’re pleased that the Federal Circuit agreed that the podcasting patent is invalid,” said Daniel Nazer, Staff Attorney at EFF and the Mark Cuban Chair to Eliminate Stupid Patents. “We appreciate all the support the podcasting community gave in fighting this bad patent.”

“Although we’re happy that this patent is still invalid, Personal Audio could seek review at the Supreme Court,” said Vera Ranieri, Staff Attorney at EFF. “We’ll be there if they do.”

For the ruling:
https://www.eff.org/document/opinion-personal-audio-v-efffederal-circuit

For more on this case:
https://www.eff.org/cases/eff-v-personal-audio-llc

San Francisco—The Electronic Frontier Foundation (EFF) and a broad coalition of user advocacy groups and major technology companies and organizations joined forces today to protest the FCC’s plan to toss out net neutrality rules that preserve Internet freedom and prevent cable and telecommunications companies from controlling what we can see and do online.

Without net neutrality, Internet service providers (ISPs) can block your favorite content, throttle or slow down Internet speeds to disadvantage competitors’ content, or make you pay more than you already do to access movies and other online entertainment.

To show just how important net neutrality is to free choice on the Internet, EFF and a host of other organizations are temporarily halting full access to their website homepages today with a prominent message that they’re “blocked.” Only upgrading to “premium” (read: more expensive) service plans will allow users access to blocked sites and services, the message says. (Don’t worry, the sites aren’t really blocked. Clicking on the message will take you to a link for DearFCC, our tool for submitting comments to the FCC and making your voice heard.)

“We’re giving subscribers a preview of their Internet experience if the FCC dismantles the current net neutrality rules,” said EFF Legal Director Corynne McSherry. “AT&T, Comcast, and Verizon will be able to block your favorite content or steer you to the content they choose—often without you knowing it. Those without deep pockets—libraries, schools, startups and nonprofits—will be relegated to Internet slow lanes.”

The online community—gig economy site AirBnb, maker site Etsy, file storage provider DropBox, and hundreds more—have joined EFF and other user advocates today to deliver a message to the FCC: we want real net neutrality protections.

“It’s our Internet and we will defend it,” said EFF Senior Staff Attorney Lee Tien. “We won’t allow cable companies and ISPs, which already garner immense profits from customers, to become Internet gatekeepers.”

For EFFs Day Of Action page:
https://www.eff.org/deeplinks/2017/07/todays-day-lets-save-net-neutrality

For more about net neutrality:
https://www.eff.org/issues/net-neutrality

Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the U.S. Supreme Court to review a troubling ruling that allows police to obtain—without a warrant—location data from people’s cell phones to track them in real time.

EFF, joined by the Center for Democracy & Technology and the Constitution Project, filed a brief today asking the nation’s highest court to review the decision in U.S. v. Rios, a drug trafficking case. The court should accept the case for review and make clear that the Fourth Amendment requires a warrant for real-time location tracking—whether the tracking occurs via a GPS device on your car or the collection of location data generated by cell phones or other Internet-connected devices.

Protecting the highly personal location data stored on or generated by digital devices is one of the 21^st century’s most important privacy issues. We carry our cell phones everywhere, and the location data they generate can be used to create a precise and comprehensive record of our everyday movements, such as when we visit the doctor, attend a protest, take a trip, meet with friends, or return home. Law enforcement officials are increasingly requesting cell phone location data from telecommunications providers to track down suspects, and courts have issued conflicting opinions about whether those demands require a warrant.

“The government should not be allowed to turn a cell phone into a real-time tracking device without complying with the Fourth Amendment,” said EFF Staff Attorney Andrew Crocker. “The Supreme Court has already ruled that Fourth Amendment protections apply when law enforcement secretly places a GPS device on a car. Tracking cell phones is even more invasive because people carry their phones with them at all times, revealing information about their whereabouts that couldn’t be learned by following their cars. We’re asking the Supreme Court to clarify that tracking people as they move from public spaces into private areas, such as their homes or the homes of others, is an invasion of privacy that, at a minimum, requires a warrant.”

In Rios, the police did get a warrant to track the defendant’s cell phone in real time, but last year the U.S. Circuit Court of Appeals for the Sixth Circuit said a warrant wasn't needed. The appeals court based its ruling on a flawed 2012 decision it reached in an unrelated drug trafficking case, in which it found that there’s no privacy protections for this data because people “voluntarily” carry cell phones with them. In both cases, the court ignored the privacy expectations of millions of innocent people for whom using a cell phone is not “voluntary,” but rather a necessity.

These decisions also contradict a Florida Supreme Court ruling—in a case that also involved tracking a suspect’s phone in public—that people have an expectation of privacy under the Fourth Amendment in cell phone location records.

“The Sixth Circuit got it wrong in 2012, and it was wrong to import that faulty ruling to the Rios case. But in the meantime, the Florida Supreme Court got it right. That means that depending on where you are in the country, you may or may not have constitutional protection against warrantless cell phone tracking. It’s time for the Supreme Court to step in and clarify that the Fourth Amendment prohibits warrantless real-time cell phone tracking,” said EFF Senior Staff Attorney Jennifer Lynch.

For the brief:
https://www.eff.org/document/rios-v-united-states-eff-brief

Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the U.S. Supreme Court to review a ruling that threatens to transform a law against computer break-ins into a mechanism for criminalizing password sharing and policing Internet use.

In an amicus brief filed with today, EFF urged the court to weigh in on a case in which an individual was charged with violating the Computer Fraud and Abuse Act (CFAA), a law intended to criminalize breaking into computers to access or alter data. Under the CFAA, it’s illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—“without authorization” or in excess of authorization. But the law doesn’t tell us what “without authorization” means. 

Some courts have recognized that the CFAA must be interpreted narrowly to stay true to Congress’s intent of targeting crooks breaking into and stealing data from computers. These courts agreed that the CFAA mustn’t be used against, say, employees checking sports scores at work in violation of rules restricting Internet use at work to company business, or against people who shared their Facebook passwords, in violation of Facebook’s terms of service rules.

But other courts—including the U.S. Court of Appeals for the Ninth Circuit in its 2016 U.S. v. Nosal decision—have broadly interpreted the statute to cover using a computer in a way that violates corporate policies, preferences, and expectations. In the case, David Nosal, an ex-employee of the Korn/Ferry executive recruiting firm, was charged with violating the CFAA after other ex-employees acting on his behalf accessed Korn/Ferry’s proprietary database using legitimate credentials of a current company employee. The current employee knew of and authorized the use of her credentials, which was against Korn/Ferry’s computer policies. The Ninth Circuit found that in using the shared password, Nosal accessed the database “without authorization.” The court said that implicit in the definition of “authorization” is the proposition that authorization can come only from a computer owner—here, Korn/Ferry—not an employee with legitimate access credentials.

 There is nothing in the CFAA, or even in the dictionary, that defines “authorization” to mean only permission from a computer owner. The Ninth Circuit imported a corporate ban on password sharing into its definition of “without authorization.” 

“This ruling threatens to turn millions of ordinary computer users into criminals,” said EFF Staff Attorney Jamie Williams. “Innocuous conduct such as logging into a friend’s social media account or logging into a spouse’s bank account, with their permission but in violation of a corporate prohibition on password sharing, could result in a CFAA prosecution. This takes the CFAA far beyond the law’s original purpose of putting individuals who break into computers behind bars.”

“EFF has long advocated for reforming the CFAA, which overzealous prosecutors have exploited in troubling ways,” said Williams. “The Supreme Court can do its part by reviewing the Ninth Circuit’s troubling decision and giving “authorization” an appropriately narrow definition, specifically clarifying that password sharing is not—and was never intended to be—a crime.”

For EFF’s brief:
https://www.eff.org/document/nosal-v-us-cert-petition

For more on this case:
https://www.eff.org/cases/u-s-v-nosal 

Washington, D.C.—The Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) lawsuit against the Justice Department to obtain records about the FBI’s training and use of Best Buy Geek Squad employees to conduct warrantless searches of customers’ computers.

The records request aims to shed light on how the FBI co-opts Best Buy repair technicians in criminal investigations, and whether the computer searches they conducted were in effect government searches. The U.S. Constitution generally requires federal agents, or those acting on their behalf, to first obtain a warrant before searching someone’s computer. If the Best Buy informants were acting as government agents, the warrantless computer searches they conducted would be illegal.

Court records in a child pornography case against a California man who sent his computer to Best Buy for repair showed a long, close relationship between company technicians and the FBI, according to media reports. Informants at Best Buy’s “Geek Squad City” repair facility in Kentucky received $500 and $1,000 payments from the FBI, and agency documents said the Best Buy informants were “under the control and direction of the FBI,” media stories revealed. FBI agents were seeking training of the Geek Squad technicians to help them identify what type of files and images should be reported to the FBI. 

“Informants who are trained, directed, and paid by the FBI to conduct searches for the agency are acting as government agents,” said David Greene, EFF Civil Liberties Director. “The FBI cannot bypass the Constitution’s warrant requirement by having its informants search people’s computers at its direction and command.”

EFF sent a FOIA request to the FBI in February seeking agency records about the use of informants, training of Best Buy personnel in the detection and location of child pornography on computers, and policy statements about using informants at computer repair facilities. The FBI denied the request, saying it doesn’t confirm or deny that it has records that would reveal whether a person or organization is under investigation.

“The public has a right to know how the FBI uses computer repair technicians to carry out searches the agents themselves cannot do without a warrant,” said David Sobel, EFF Senior Counsel. “People authorize Best Buy employees to fix their computers, not conduct unconstitutional searches on the FBI’s behalf.”

For EFF's complaint:
https://www.eff.org/document/eff-v-doj-best-buy-foia

Boston – On Wednesday, May 3, at 9:30 am, the Electronic Frontier Foundation (EFF) will argue that an FBI search warrant used to hack thousands of computers around the world was unconstitutional.

The hearing in U.S. v. Levin at the United States Court of Appeals for the First Circuit stems from one of the many cases arising from a controversial investigation into “Playpen,” a child pornography website. The precedent set by the Playpen prosecutions is likely to impact the digital privacy rights of Internet users for years to come.

During the investigation, the FBI secretly seized the servers running the Playpen site and continued to operate them for two weeks. The bureau allowed thousands of images to be downloaded while distributing malware to website visitors. With that malware, the FBI hacked into over 8,000 devices in hundreds of countries across the globe—all on the basis of a single warrant.

However, because the government was running the Playpen site, it was already in possession of information about visitors and their computers. Rather than taking the necessary steps to obtain narrow search warrants, the FBI instead sought a single, general warrant to authorize its massive hacking operation, violating the Fourth Amendment. In Wednesday’s hearing, EFF Senior Staff Attorney Mark Rumold will argue as amicus, urging the court to send a clear message that a vague search warrant is not enough to satisfy the privacy protections enshrined in the Constitution.

WHAT:
U.S. v. Levin

WHEN:
Wednesday, May 3
9:30 am

WHERE:
United States Court of Appeals for the First Circuit
John Joseph Moakley U.S. Courthouse
1 Courthouse Way
Boston, MA 02210

For more information on this case:
https://www.eff.org/cases/playpen-cases-mass-hacking-us-law-enforcement

San Francisco—School children are being spied on by tech companies through devices and software used in classrooms that often collect and store kids’ names, birth dates, browsing histories, location data, and much more—often without adequate privacy protections or the awareness and consent of parents, according to a new report from Electronic Frontier Foundation (EFF).

EFF’s “Spying on Students: School-Issued Devices and Student Privacy” shows that state and federal law, as well as industry self-regulation, has failed to keep up with a growing educational technology industry.  At the same time, schools are eager to incorporate technology in the classroom to engage students and assist teachers, but may unwittingly help tech companies surveil and track students. Ultimately, students and their data are caught in the middle without sufficient privacy protections.

One-third of all K-12 students in the U.S. use school-issued devices running software and apps that collect far more information on kids than is necessary, the report says. Resource-strapped school district can receive these tools at steeply-reduced prices or for free as tech companies seek a slice of the $8 billion dollar education technology, or ed tech, industry. But there’s a real, devastating cost—the tracking, cataloguing, and exploitation of data about children as young as five years old.

Ed tech providers know privacy is important to parents, students, and schools. Of the 152 ed tech services reported to us, 118 had published privacy policies. But far fewer addressed such important privacy issues as data retention, encryption, de-identification, and aggregation. And privacy pledges don’t stop companies from mining students’ browsing data and other information and using it for their own purposes.

“Our report shows that the surveillance culture begins in grade school, which threatens to normalize the next generation to a digital world in which users hand over data without question in return for free services—a world that is less private not just by default, but by design,” said EFF Researcher Gennie Gebhart, an author of the report.

EFF surveyed over 1,000 stakeholders across the country, including students, parents, teachers, and school administrators, and reviewed 152 ed tech privacy policies in a year-long effort to determine whether and how ed tech companies are protecting students’ privacy and their data.

“Parents, teachers, and other stakeholders feel helpless in dealing with student privacy issues in their community. In some cases students are required to use the tools and can’t opt out, but they and their families are given little to no information about if or how their kids’ data is being protected and collected,” said EFF Analyst Amul Kalia, a co-author of the report. “With this whitepaper, we lay out specific strategies that they can employ to gather allies, and push their schools and districts in the right direction."

“Spying on Students” provides comprehensive recommendations for parents, teachers, school administrators, and tech companies to improve the protection of student privacy. Asking the right questions, negotiating for contracts that limit or ban data collection, offering families the right to opt out, and making digital literacy and digital privacy part of school curriculum are just a few of the more than 70 recommendations for protecting student privacy contained in the report.

“The data we collected on the experiences, perceptions, and concerns of stakeholders across the country sends a loud and clear message to ed tech companies and lawmakers: families are concerned about student privacy and want an end to spying on students,” said Gebhart.

For the report:
https://www.eff.org/wp/school-issued-devices-and-student-privacy

For more on EFF's student privacy campaign:
https://www.eff.org/issues/student-privacy

Washington, D.C. – The Electronic Frontier Foundation (EFF) urged an appeals court today to review a dangerous decision by a three-judge panel that would allow foreign governments to spy on Americans on U.S. soil—just as long as they use technology instead of human agents.

In Kidane v. Ethiopia, an American living in Maryland had his family computer infiltrated by the Ethiopian government. Agents sent an infected email that made its way to Mr. Kidane, and the attached Microsoft Word document carried a malicious computer program called FinSpy that’s sold only to governments. The spyware took control of the machine, making copies of every keystroke and Skype call, and sending them back to Ethiopia as part of its crackdown on critics.

But last month, a panel of judges on the U.S. Court of Appeals for the District of Columbia Circuit ruled that Mr. Kidane could not seek justice for this surveillance in an American court because the spying was carried out without a human agent of the Ethiopian government setting foot in the U.S. In essence, this would mean governments around the world have immunity for spying, attacking, and even murdering Americans on American soil, as long as the activity is performed with software, robots, drones, or other digital tools.

“We already know about technology that will let attackers drive your car off the road, turn off your pacemaker, or watch every communication from your computer or your phone. As our lives become even more digital, the risks will only grow,” said EFF Senior Staff Attorney Nate Cardozo. “The law must make it clear to governments around the world that any illegal attack in the United States will be answered in court in the United States.”

In a petition filed today, EFF and our co-counsel Scott Gilmore plus attorneys at the law firms of Jones Day and Robins Kaplan asked the appeals court to rehear this case en banc, arguing that last month’s panel decision puts the U.S. in the absurd situation where the American government must follow strict requirements for wiretapping and surveillance, but foreign governments don’t have the same legal obligations.

“American citizens deserve to feel safe and secure in their own homes using their own computers,” said EFF Executive Director Cindy Cohn. “The appeals court should vacate this decision, and ensure that the use of robots or remote controlled tools doesn’t prevent people who have been harmed by foreign government attacks from seeking justice.”

For the full petition for rehearing:
https://www.eff.org/document/petition-rehearing-1

For more on this case:
https://www.eff.org/cases/kidane-v-ethiopia

Washington, D.C.—On Wednesday, March 22, Electronic Frontier Foundation (EFF) Senior Staff Attorney Jennifer Lynch will testify at a hearing before the House Committee on Oversight and Government Reform about the FBI's efforts to build up and link together massive facial recognition databases that may be used to track innocent people as they go about their daily lives.

The FBI has amassed a facial recognition database of more than 30 million photographs and has access to hundreds of millions more. The databases include photos of people who aren’t suspected of any criminal activity that come from driver’s license and passport and visa photos, even as the underlying identification technology becomes ever more powerful. The government has done little to address the privacy implications of this massive collection of biometric information.

Lynch will testify that the use of facial recognition technology will allow the government to track Americans on an unprecedented level. The technology, like other biometric programs, such as fingerprint and DNA collection, poses critical threats to privacy and civil liberties. Lynch will tell the House committee that Congress has an opportunity to develop legislation that would protect Americans from inappropriate and excessive biometrics collection and use.

What: Full House Committee on Oversight and Government Reform Hearing: Law Enforcement’s Use of Facial Recognition Technology

Who: EFF Senior Staff Attorney Jennifer Lynch

When: Wednesday, March 22, 9:30 a.m.

Where: 2154 Rayburn House Office Building
           Washington. D.C.

For more information on facial recognition:

https://www.eff.org/foia/fbis-next-generation-identification-biometrics-database
https://www.eff.org/foia/fbi-facial-recognition-documents

For more on biometric data collection:
https://www.eff.org/issues/biometrics

San Francisco – The Electronic Frontier Foundation (EFF) will urge an appeals court Wednesday to find that the FBI violates the First Amendment when it unilaterally gags recipients of national security letters (NSLs), and the law should therefore be found unconstitutional. The hearing is set for Wednesday, March 22, at 1:30pm in San Francisco.

EFF represents two communications service providers—CREDO Mobile and Cloudflare—that were restrained for years from speaking about the NSLs they received, including even acknowledging that they had received any NSLs. Early Monday, just days before the hearing, the FBI finally conceded that EFF could reveal that these two companies were fighting a total of five NSLs.

CREDO and Cloudflare have fought for years to publicly disclose their roles in battling NSL gag orders. Both companies won the ability to talk about some of the NSLs they had received several months ago, but Monday’s decision by the FBI allows them to acknowledge all the NSLs at issue in this case.

On Wednesday, EFF Staff Attorney Andrew Crocker will tell the United States Court of Appeals for the Ninth Circuit that these gags are unconstitutional restrictions on CREDO and Cloudflare’s free speech and that the FBI’s belated decision to lift some of the gags only underscores why judicial oversight is needed in every case. The gag orders barred these companies from participating in discussion and debate about government use of NSLs—even as Congress was debating changes to the NSL statute in 2015.

What:
In re National Security Letters

Who:
EFF Staff Attorney Andrew Crocker

Date:
March 22
1:30 pm

Where:
Courtroom 3, 3rd Floor Room 307
U.S. Court of Appeals for the Ninth Circuit
James R. Browning U.S. Courthouse
95 Seventh Street
San Francisco, CA 94103

For the FBI notice allowing the companies to identify themselves:
https://www.eff.org/document/notice-regarding-public-identification-nsl-recipients

For more on this case:
https://www.eff.org/issues/national-security-letters

Boston—An FBI search warrant used to hack into thousands of computers around the world was unconstitutional, the Electronic Frontier Foundation (EFF) told a federal appeals court today in a case about a controversial criminal investigation that resulted in the largest known government hacking campaign in domestic law enforcement history.

The Constitution requires law enforcement officers seeking a search warrant to show specific evidence of a possible crime, and tie that evidence to specific persons and places they want to search. These fundamental rules protect people from invasions of privacy and police fishing expeditions.

But the government violated those rules while investigating “Playpen,” a child pornography website operating as a Tor hidden service. During the investigation, the FBI secretly seized servers running the website and, in a controversial decision, continued to operate it for two weeks rather than shut it down, allowing thousands of images to be downloaded. While running the site, the bureau began to hack its visitors, sending malware that it called a “Network Investigative Technique” (NIT) to visitors’ computers. The malware was then used to identify users of the site. Ultimately, the FBI hacked into 8,000 devices located in 120 countries around the world. All of this hacking was done on the basis of a single warrant. The FBI charged hundreds of suspects who visited the website, several of whom are challenging the validity of the warrant.

In a filing today in one such case, U.S. v. Levin, EFF and the American Civil Liberties Union of Massachusetts urged the U.S. Court of Appeals for the First Circuit to rule that the warrant is invalid and the searches it authorized unconstitutional because the warrant lacked specifics about who was subject to search and what locations and specific devices should be searched. Because it was running the website, the government was already in possession of information about visitors and their computers. Rather than taking the necessary steps to obtain narrow search warrants using that specific information, the FBI instead sought a single, general warrant to authorize its massive hacking operation. The breadth of that warrant violated the Fourth Amendment.

“No one questions the need for the FBI to investigate serious crimes like child pornography. But even serious crimes can’t justify throwing out our basic constitutional principles. Here, on the basis of a single warrant, the FBI searched 8,000 computers located all over the world. If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied. We can’t let unfamiliar technology and unsavory crimes lead to an erosion of everyone’s Fourth Amendment rights,” said EFF Senior Staff Attorney Mark Rumold.

EFF filed a brief in January in a similar case in the Eighth Circuit Court of Appeals, and will be filing briefs in Playpen cases in the Third and Tenth Circuits in March. Some trial courts have upheld the FBI’s actions in dangerous decisions that, if ultimately upheld, threaten to undermine individuals’ constitutional privacy protections over information on personal computers. 

“These cases will be cited for the future expansion of law enforcement hacking in domestic criminal investigations, and the precedent is likely to impact the digital privacy rights of all Internet users for years to come,” said Andrew Crocker, EFF Staff Attorney. “Recent changes to federal rules for issuing warrants may allow the government to hack into thousands of devices at a time. These devices can belong not just to suspected criminals but also to victims of botnets and other hacking crimes. For that reason, courts need to send a very clear message that vague search warrants that lack the required specifics about who and what is to be searched won’t be upheld.”

For the brief:
https://www.eff.org/document/us-v-levin-eff-amicus-brief

Washington, D.C. – On Thursday, February 2, at 9:30 am, the Electronic Frontier Foundation (EFF) and the law firms of Jones Day and Robins Kaplan will urge an appeals court to let an American continue his suit against the Ethiopian government for infecting his computer with custom spyware and monitoring his communications for weeks on end.

With the help of EFF and the Citizen Lab, the plaintiff in this case found Ethiopian government spyware on his personal computer in Maryland several years ago. Our investigation concluded that it was part of a systemic campaign by the Ethiopian government to spy on perceived opponents.

The plaintiff uses the pseudonym of Mr. Kidane in order to protect the safety and wellbeing of his family both in the United States and in Ethiopia. Kidane is a critic of the Ethiopian government, and came to the U.S. over 20 years ago, obtaining asylum and eventually citizenship. He currently lives with his family in Maryland.

Kidane first brought suit against Ethiopia in 2014, but the federal court held that no foreign government could be held accountable for wiretapping an American citizen in his own home, so Kidane appealed to the U.S Court of Appeals for the District of Columbia Circuit. Jones Day partner Richard Martinez will argue Thursday that foreign governments should not be allowed to spy on Americans in America with impunity.  

WHAT:
Kidane v. Ethiopia

WHEN:
Thursday, February 2
9:30 am

WHERE:
E. Barrett Prettyman U.S. Courthouse
333 Constitution Ave., NW
Washington, D.C.  20001
D.C. Circuit Courtroom 31

For more on Kidane v. Ethiopia:
https://www.eff.org/cases/kidane-v-ethiopia

Cincinnati—The Electronic Frontier Foundation (EFF) urged a federal appeals court to uphold a judge’s ruling that the identity of an anonymous blogger found to have infringed copyright should remain secret, arguing that courts must balance litigants’ needs to unmask online speakers against the First Amendment protections afforded to those relying on anonymity.

Maintaining one’s anonymity online may be warranted even in cases—like this one—where a court ruled that a blogger infringed a copyright, EFF said in an amicus brief filed with the U.S. Court of Appeal for the Sixth Circuit. The balancing test required by the First Amendment to protect speakers who choose to mask their identity must be applied at every stage of a lawsuit, including after a court finds an anonymous speaker violated the law, EFF said.

EFF believes Signature Management Team LLC v. John Doe marks the first case to consider whether speakers can remain anonymous even after a court rules that they broke the law.

“Plaintiffs don’t get to unmask anonymous bloggers just because they prove liability. The First Amendment requires that judges balance the need for anonymity against the needs of litigants at every stage of a lawsuit,” said Aaron Mackey, EFF Frank Stanton Legal Fellow. “Being able to speak online anonymously allows citizens to air dissenting views without fear of retaliation. Unmasking anonymous bloggers without proper justification can discourage people from speaking out or commenting online, which chills the free speech rights of all Americans.”

The plaintiff is a multi-level marketing (MLM) company that won a judgment against the owner of Amthrax.com, a website and blog that criticizes Amway and other MLM companies. The owner is a former Amway marketer who blogs anonymously. Signature Management sued John Doe for infringing the copyright of its book, which was posted on Amthrax.com.

After a judge ruled its copyright had been infringed, Signature Management sought a court order revealing the identity of John Doe, who feared he would face a slew of abusive comments and threats once his identity was known. The trial judge refused. In doing so, the judge correctly balanced the needs of the plaintiff with the First Amendment protections of the blogger.

For the brief:

https://www.eff.org/document/smt-v-doe-amicus-brief

San Francisco - The Electronic Frontier Foundation (EFF) today released Privacy Badger 2.0—a free browser extension for Chrome, Firefox, and Opera with new upgrades to help protect shoppers from online tracking.

“If you or your family does holiday shopping on the Internet, it’s likely that advertisers and other data collectors are learning a lot about you and the things you are interested in buying,” said EFF Staff Technologist Cooper Quintin, lead developer of Privacy Badger. “Privacy Badger 2.0 gives you more control over this data collection, spotting many of the sneaky trackers that follow you without your knowledge, and blocking them from transmitting information about you.”

Online trackers are embedded in images, scripts, or advertising on many webpages. Just visiting a page with a tracker can allow it collect a record of the page you are visiting and merge it with a database of what you visited before and after. One of the results of this tracking are the ads that seem to follow you around the web, reflecting your past browsing history. If Privacy Badger spots a tracker following you without your permission, it blocks all content from the tracker or screens out the tracking scripts or cookies.

Hundreds of thousands of users have already installed earlier releases of Privacy Badger. The new version allows you to import and export your data and preferences across browsers, allows for incognito mode, and has an improved experience with many more websites, along with many other upgrades.

“Neither you nor your loved ones should have to sacrifice your privacy to data miners in order to use the Internet,” said Quintin. “Installing Privacy Badger on your family’s computers is a practical and effective way to fight abuses in the online advertising industry, and make your family’s online experience safer and more secure.”

Privacy Badger works in tandem with the Do Not Track (DNT) policy. Users set the DNT flag in their browser settings or by installing Privacy Badger. Privacy Badger won’t block ads or third-party services that promise to honor all DNT requests.

For your free download of Privacy Badger:
https://www.eff.org/privacybadger

The Internet Archive published a formerly secret national security letter (NSL) today that includes misinformation about how to contest the accompanying gag order that demanded total secrecy about the request. As a result of the Archive’s challenge to the letter, the FBI has agreed to send clarifications about the law to potentially thousands of communications providers who have received NSLs in the last year and a half.

The NSL issued to the Archive said the library had the right to “make an annual challenge to the nondisclosure requirement.” But in 2015, Congress updated the law to allow for more than one request a year, so that communications providers could speak out about their experience without unneeded delay. Represented by the Electronic Frontier Foundation (EFF), the Archive informed the FBI that it did not have the information the agency was seeking and pointed out the legal error. The FBI agreed to drop the gag order in this case and allow the publication of the NSL.

“The free flow of information is at the heart of the Internet Archive’s work, but by using national security letters in conjunction with unconstitutional gag orders, the FBI is trying to keep us all in the dark,” said Brewster Kahle, founder and digital librarian of the Internet Archive. “Here, it’s even worse: that secrecy helped conceal that the FBI was giving all NSL recipients bad information about their rights. So we especially wanted to make this NSL public to give libraries and other institutions more information and help them protect their users from any improper FBI requests.”

The Archive received this NSL in August, more than a year after Congress changed the law to allow more gag order challenges. In its letter removing the gag order, the FBI acknowledged that it issued other NSLs that included the error, and stated that it will inform all recipients about the mistake. Given that the FBI has said that it issued about 13,000 NSLs last year, thousands of communications providers likely received the false information, and potentially delayed petitioning the court for the right to go public.

“The opaque NSL process—including the lack of oversight by a court—makes it very vulnerable to errors of law.  Add to that the routine use of gags and enforced secrecy, and those errors become difficult to find and correct,” said EFF Staff Attorney Andrew Crocker. “We are grateful to the Internet Archive for standing up to the FBI and shining some light on this error. We hope that others who receive the correction will also step forward to have their gags lifted and shine more light on these unconstitutional data collection tools.”

This is the second NSL that the Internet Archive has published after battling with the FBI. In 2007, the Archive received an NSL that exceeded the FBI’s authority to issue demands to libraries. With help from EFF and the American Civil Liberties Union (ACLU), the FBI withdrew the letter and agreed to let the Archive go public in May of 2008.

But many gag orders are still in place. Yesterday, CREDO Mobile confirmed it was at the center of EFF's long-running fight against NSLs after a three-year-old gag order was finally revoked. Along with CREDO's case, EFF is litigating two other challenges to NSL gag orders on behalf of communications providers who are still gagged.

For the national security letter published by the Internet Archive:
https://www.eff.org/document/national-security-letter-sent-internet-archive

For more on the fight against NSLs:
https://www.eff.org/deeplinks/2016/12/fighting-nsl-gag-orders-help-our-friends-credo-and-internet-archive

San Francisco - User reports of censorship of social media posts show a deep frustration with companies’ content moderation policies, according to an analysis by Onlinecensorship.org, a project of the Electronic Frontier Foundation (EFF) and Visualizing Impact.

In “Censorship in Context: Insights from Crowdsourced Data on Social Media Censorship,” researchers analyzed reports of content takedowns received from users of Facebook, Google+, Instagram, Twitter, and YouTube from April to November of 2016. At a time when many are asking for more content moderation—like calls for Facebook to crack down on “fake news”—election-related censorship complaints focused on the desire of users to speak their minds and share information about a tight election without worrying that their posts will disappear.

“Social media is where we receive news, debate, and organize. These companies have enormous impact on the public sphere, yet they are still private entities with the ability to curate the information we see and the information we don’t see at their sole discretion,” said Jillian C. York, EFF Director for International Freedom of Expression and co-founder of Onlinecensorship.org. “The user base is what powers these social media tools, yet users are feeling like they don’t have any control or understanding of the system.”

“Censorship in Context” recommends best practices for social media content moderation, including transparency in how company policies are enforced and any available remedies. The researchers also urge strengthening systems of redress when content is removed in error, and doing a better job of educating users about what is acceptable on a given platform and what isn’t.

“Many people depend on Facebook to talk to friends, family, clients, and fans, and to debate the issues of the day,” said Project Strategist Sarah Myers West. “While these companies have the right to set their own rules, the least they can do is to tell everyone how they’re enforced.”

Onlinecensorship.org was launched in November of 2015 to spot trends in content removals and learn how these takedowns impact different communities. The site also includes a guide to appealing a content takedown and hosts a collection of news reports on content moderation practices.

For the full whitepaper:
https://onlinecensorship.org/news-and-analysis/onlinecensorship-org-launches-second-report-censorship-in-context-pdf

Washington, D.C.—Cell phone location data, which can provide an incredibly detailed picture of people’s private lives, implicates our Fourth Amendment rights against unreasonable searches, requiring police to obtain a warrant to gain access, the Electronic Frontier Foundation (EFF) told the Supreme Court today.

Weighing in on separate cases where two courts have applied 1970s-era law to digital communications in the information age, EFF urged the nation’s highest court to step in and establish that Americans have the right to expect location data generated from their cell phones is private and protected by the Constitution against unreasonable searches and seizures.

Cell phones constantly connect to cell towers and antennas—which number in the hundreds of thousands—that handle traffic from an estimated 378 million U.S. cell phone accounts. The data generated about these connections, known as cell-site location information (CSLI), create a highly detailed picture of people’s private lives. We carry our cell phones when we leave our homes each day, when we walk into a therapist or lawyer’s office, visit a gun shop, attend a political meeting or sleep at a friend’s. Location information about these private activities is tracked and stored, for years, by cell service providers.

Defendants in U.S. v. Carpenter and U.S. v. Graham were convicted after police obtained, without warrants, hundreds of days of location data produced by their phones to connect them to crimes. The defendants maintained that the use of CSLI violated their Fourth Amendment rights. But the appeals courts in both cases followed Smith v. Maryland, a Supreme Court decision from 1979, when many Americans used rotary-dial land-line phones. In Smith, the Court said that people who voluntarily give certain information to third-parties—such as banks or the phone company—have no expectation of privacy in this information, and thus the government does not need a warrant to access it.

“Cell phone users don’t voluntarily provide location data to their providers—it happens automatically without their control and is generated whether or not the phone is being used,” said EFF Senior Staff Attorney Jennifer Lynch. “Other federal courts and judges in several states have recognized that the so-called ‘third party doctrine’ doesn’t apply to CSLI. It’s time for the Supreme Court to consider whether a decision it made before the existence of commercial cell phones, which are now ubiquitous and reveal our every move, can still be used to override Fourth Amendment protections.”

In 2014, the high court recognized in a unanimous ruling that the astounding amount of sensitive data stored on modern cell phones requires police to obtain a warrant before accessing data on an arrestee’s device. And in a landmark 2012 decision, the court held that GPS tracking is a search under the Fourth Amendment. Yet police are obtaining extensive historic cell-site information without warrants.

“CLSI can give law enforcement far more information about a person’s movement than GPS tracking—cell phones go everywhere their owners go,” said EFF Staff Attorney Andrew Crocker. “If GPS tracking implicates Americans’ Fourth Amendment rights, prolonged cell-site data collection—which provides sensitive details about where we went, who we met with, and what we did—should also be protected against warrantless searches. We’re asking the court to grant review of these important cases and address the Fourth Amendment privacy implications of CSLI.”

EFF filed identical petitions in U.S. v. Carpenter and U.S. v. Graham.

For the brief:
https://www.eff.org/document/eff-petition-graham-v-us

For more on these cases:
https://www.eff.org/cases/united-states-v-graham

Washington, D.C.—Ethiopia must be held accountable in the United States for an illegal malware and digital spying attack on an American citizen, the Electronic Frontier Foundation (EFF) told a federal appeals court today in a case where a foreign government claims it is immune from liability for wiretapping a man’s Skype calls.

Malicious digital surveillance and malware attacks against perceived political opponents, dissidents, and journalists have become all-too-common tactics used by governments with poor human rights records, such as Ethiopia, Kazakhstan, and Vietnam. When foreign governments carry out these digital attacks on Americans in their homes, violating our wiretapping and privacy laws, their victims must be allowed to take them to court, EFF and its co-counsels said in a filing at the U.S. Court of Appeals for the District of Columbia Circuit.

EFF, Robins Kaplan LLP, and Guernica 37: International Justice Chambers represent a Maryland man whose home computer was infected by state-sponsored malware known as FinSpy. The program recorded his private Skype calls, monitored his web searches and emails, and tracked his family’s use of the computer for weeks. Forensic analysis showed the information was surreptitiously sent to a secret server located in Ethiopia and controlled by the Ethiopian government. EFF’s client is an Ethiopian by birth who is a U.S. citizen and has worked with other members of the Ethiopian diaspora. The courts have allowed him to use the pseudonym Mr. Kidane to protect himself and his family from retaliation.

The spying program unleashed on Mr. Kidane was contained in an attachment to a Microsoft Word document that Mr. Kidane inadvertently opened. A government agent in Ethiopia planted the malware on the Word document, but the program to wiretap his conversations resided on his computer in Maryland and automatically began recording, with no one in Ethiopia having to pull the trigger.

The Ethiopian government, which hasn’t denied it wiretapped Mr. Kidane, won dismissal of a 2014 lawsuit after claiming it has immunity because the malware attack was initiated in Ethiopia and thus outside the reach of U.S. courts. It has made the absurd assertion that spyware—marketed to repressive regimes by companies like Gamma International and Hacking Team—gives countries the ability to invade Americans’ homes, wiretap their conversations, violate their privacy, and face no consequences.

“The court’s decision is out of step with the times and completely ignores how other laws treat computer attacks, allowing a prosecution or lawsuit to be brought where the attacked computer is. The appeals court should overturn this ruling and let Mr. Kidane have his day in court,” said EFF Executive Director Cindy Cohn, “Cybersecurity is one of the most important issues of our time, and when foreign governments invade Americans’ privacy, just as with foreign-based criminals, our laws must let victims like Mr. Kidane go to court to hold them accountable.”

If a foreign state’s agent had placed a recording device in Mr. Kidane’s home or on his telephone line, Mr. Kidane could indisputably sue the government in U.S. courts, said EFF Senior Staff Attorney Nate Cardozo. The fact that Ethiopia used software instead of a person to launch a wiretap attack against Kidane in no way allows the country to evade legal liability.

“Today, all governments have to do to illegally spy on people is purchase the right software,’’ said Cardozo. “The D.C. Circuit should recognize that the malware in this case took the place of a human spy, and reinstate Mr. Kidane’s lawsuit.”

“Giving Ethiopia immunity for state-sponsored hacking would strip away one of the few protections Americans have against cyberattacks by foreign powers,” said Scott Gilmore, counsel at Guernica 37. “The invasion of our client’s home, through his computer, could happen to any of us. We all should have the right to seek justice.”

For the brief:
https://www.eff.org/document/opening-brief-appellant-kidane-v-ethiopia

For more on Kidane v. Ethiopia:
https://www.eff.org/cases/kidane-v-ethiopia

San Francisco - An appeals court published redacted briefing by the Electronic Frontier Foundation (EFF) today arguing that national security letters (NSLs) and their accompanying gag orders violate the free speech rights of companies who want to keep their users informed about government surveillance.

EFF represents two service providers in challenging the NSL statutes in front of the United States Court of Appeals for the Ninth Circuit. Most of the proceedings have been sealed since the case began five years ago, but some redacted documents have been released after government approval.

“Just this week we’ve seen Open Whisper Systems—the company behind the Signal messaging service—successfully fight a government gag order attached to a subpoena for customer information. Meanwhile, Yahoo is facing criticism for allowing the government wide-ranging access to its users’ communications,” said EFF Staff Attorney Andrew Crocker. “Our clients want to join this conversation, using their own experiences as a basis to talk about what kind of government surveillance is appropriate and what reform is needed—but NSL gags prevent them from doing so. We’re asking the court to strike down this unconstitutional statute so we can have the robust and inclusive debate that this issue deserves.”

The NSL statutes have been highly controversial since their use was expanded under the USA PATRIOT Act. With an NSL, the FBI—on its own, and without court approval—can issue a secret letter to a communications provider, demanding information about its customers. In this case and nearly all others, the NSL is issued in conjunction with a gag order, preventing the companies from notifying users of the demand or discussing the letter at all. Congress changed some parts of the statute in 2015, but retained the basic elements of the gags. In fact, EFF’s clients still cannot identify themselves publicly or share their experiences as part of the debate over government surveillance of technology services.

“Our clients want to be able to issue accurate transparency reports and talk to their customers about how they try to defend users from overreaching government investigations,” Crocker said. “But instead, the FBI instituted indefinite gag orders to shield its demands for information. This is an unconstitutional restriction of our clients’ First Amendment rights.”

For the full redacted brief:
https://www.eff.org/document/16-16067-opening-brief-redacted

For more on national security letters:
https://www.eff.org/issues/national-security-letters

Washington, D.C.—The Electronic Frontier Foundation (EFF) asked a court Thursday for an order that would prevent the government from prosecuting its client, security researcher Matthew Green, for publishing a book about making computer systems more secure.  

Green is writing a book about methods of security research to recognize vulnerabilities in computer systems. This important work helps keep everyone safer by finding weaknesses in computer code running devices critical to our lives—electronic devices, cars, medical record systems, credit card processing, and ATM transactions. Green’s aim is to publish research that can be used to build more secure software.

But publishing the book, tentatively entitled Practical Cryptographic Engineering, could land Green in jail under an onerous and unconstitutional provision of copyright law. To identify security vulnerabilities in a device he has purchased, Green must work directly with copyrighted computer code, bypassing control measures meant to prevent the code from being accessed. Even though this kind of research is traditionally a “fair use” permitted by copyright law, Digital Millennium Copyright Act  (DMCA) Section 1201 threatens criminal and civil penalties— including jail time—for performing it or publishing information about the methods of security research. The exemptions Congress included in the 1998 DMCA to protect security researchers from prosecution are vague, limited, and provide inadequate assurance against the serious legal ramifications of Section 1201 lawsuits—something the government itself has acknowledged.

“Under Section 1201, computer researchers can face serious penalties just for selling a book that would help people build better, more secure computer systems,” said EFF Legal Director Corynne McSherry. “As we explained when we filed a legal challenge to the law in July, such penalties violate the First Amendment and threaten ordinary people for publishing research or even talking about circumventing computer code that’s embedded in nearly everything we own. With the lawsuit underway, we’re asking the court to bar the government from prosecuting Dr. Green so he can publish a book that’s clearly in the public interest.”

“If we want our communications and devices to be secure, we need to protect independent security researchers like Dr. Green,” said EFF Staff Attorney Kit Walsh. “Researchers should be encouraged to educate the public and the next generation of computer scientists. Instead, they are threatened by an unconstitutional law that has come unmoored from its original purpose of addressing copyright infringement. We’re going to court to protect everyone whose speech is squelched by this law, starting with Dr. Green and his book.”

EFF filed the Section 1201 lawsuit and Thursday's request for a court order with co-counsel Brian Willen, Stephen Gikow, and Lauren Gallo White of Wilson Sonsini Goodrich & Rosati.

For the motion for preliminary injunction:
https://www.eff.org/document/green-v-doj-motion-preliminary-injunction

For more about this case:
https://www.eff.org/cases/green-v-us-department-justice

Seattle, Washington—The Electronic Frontier Foundation (EFF) told a federal court today that the government is violating the U.S. Constitution when it fails to notify people that it has accessed or examined their private communications stored by Internet providers in the cloud. 

EFF is supporting Microsoft in its lawsuit challenging portions of the Electronic Communications Privacy Act (ECPA) that allow the Department of Justice (DOJ) to serve a warrant on the company to get access to customers’ emails and other information stored on remote servers—all without telling users their data is being searched or seized. In a brief filed in Microsoft v. Department of Justice in U.S. District Court in Seattle, EFF, joined by Access Now, New America’s Open Technology Institute, and legal scholar Jennifer Granick, said Fourth Amendment protections against unreasonable searches and seizures by the government apply to all of our information—no matter what the format or where it’s located.

“Whether the government has a warrant to rifle through our mail, safety deposit boxes, or emails stored in the cloud, it must notify people about the searches,” said EFF Senior Staff Attorney Lee Tien. “When electronic searches are done in secret, we lose our right to challenge the legality of law enforcement invasions of privacy. The Fourth Amendment doesn’t allow that, and it’s time for the government to step up and respect the Constitution.”

Microsoft sued DOJ earlier this year challenging ECPA provisions enacted 30 years ago, long before the emergence of ubiquitous cloud computing that now plays a vital role in the storage of private communications. The government has used the transition to cloud computing as an opening to conduct secret electronic investigations by serving search warrants on Internet service providers seeking users’ emails, the lawsuit says. The government, which wants the case thrown out, doesn’t let account holders know their data is being accessed because of the unconstitutional ECPA provision, while service providers like Microsoft are gagged from telling customers about the searches.

“When people kept personal letters in a desk drawer at home, they knew if that information was about to be searched because the police had to knock on their door and show a warrant,” said EFF Staff Attorney Sophia Cope. “The fact that today our private emails are kept on a server maintained by an Internet company doesn’t change the government’s obligations under the Fourth Amendment. The Constitution requires law enforcement to tell people they are the target of a search, which enables them to vindicate their rights and provides a free society with a crucial means of government accountability.” 

EFF thanks Seattle attorney Venkat Balasubramani of FocalLaw P.C. for his assistance as local counsel. 

For the brief:
https://www.eff.org/document/microsoft-v-justice-department-amicus-brief

About this case:
https://www.eff.org/cases/microsoft-v-department-justice