• Tag Archives EFF
  • Border Security Overreach Continues: DHS Wants Social Media Login Information

    Now more than ever, it is apparent that U.S. Customs and Border Protection (CBP) and its parent agency, the Department of Homeland Security (DHS), are embarking on a broad campaign to invade the digital lives of innocent individuals.

    The new DHS secretary, John Kelly, told a congressional committee this week that the department may soon demand login information (usernames and passwords) for social media accounts from foreign visa applicants—at least those subject to the controversial executive order on terrorism and immigration—and those who don’t comply will be denied entry into the United States. This effort to access both public and private communications and associations is the latest move by a department that is overreaching its border security authority.

    In December 2016, DHS began asking another subset of foreign visitors, those from Visa Waiver Countries, for their social media handles. DHS defended itself by stating that not only would compliance be voluntary, the government only wanted to access publicly viewable social media posts: “If an applicant chooses to answer this question, DHS will have timely visibility of the publicly available information on those platforms, consistent with the privacy settings the applicant has set on the platforms.”

    As we wrote last fall in comments to DHS, even seeking the ability to view the public social media posts of international travelers implicates the universal human rights of free speech and privacy, and—importantly—the comparable constitutional rights of their American associates. Our objections are still salient given that DHS may soon mandate access to both public and private social media content and contacts of another group of foreign visitors.

    Moreover, as a practical matter, such vetting is unlikely to weed out terrorists as they would surely scrub their social media accounts prior to seeking entry into the U.S.

    Such border security overreach doesn’t stop there.

    There have been several reports recently of CBP agents demanding access to social media information and digital devices of both American citizens and legal permanent residents. Most disturbing are the invasive searches of Americans’ cell phones, where CBP has been accessing social media apps that may reveal private posts and relationships, as well as emails, text messages, browsing history, contact lists, photos—whatever is accessible via the phone.

    Such border searches of Americans’ digital devices and cloud content are unconstitutional absent individualized suspicion, specifically, a probable cause warrant. In light of the DHS secretary’s statements this week, we fear that DHS may soon take the next step down this invasive path and demand the login information for American travelers’ online accounts so that the government can peruse private, highly personal information without relying on access to a mobile device.

    Source: Border Security Overreach Continues: DHS Wants Social Media Login Information | Electronic Frontier Foundation


  • FBI Search Warrant That Fueled Massive Government Hacking Was Unconstitutional

    Appeals Court Should Find Warrant Violated Fourth Amendment Protections

    Boston—An FBI search warrant used to hack into thousands of computers around the world was unconstitutional, the Electronic Frontier Foundation (EFF) told a federal appeals court today in a case about a controversial criminal investigation that resulted in the largest known government hacking campaign in domestic law enforcement history.


    The Constitution requires law enforcement officers seeking a search warrant to show specific evidence of a possible crime, and tie that evidence to specific persons and places they want to search. These fundamental rules protect people from invasions of privacy and police fishing expeditions.

    But the government violated those rules while investigating “Playpen,” a child pornography website operating as a Tor hidden service. During the investigation, the FBI secretly seized servers running the website and, in a controversial decision, continued to operate it for two weeks rather than shut it down, allowing thousands of images to be downloaded. While running the site, the bureau began to hack its visitors, sending malware that it called a “Network Investigative Technique” (NIT) to visitors’ computers. The malware was then used to identify users of the site. Ultimately, the FBI hacked into 8,000 devices located in 120 countries around the world. All of this hacking was done on the basis of a single warrant. The FBI charged hundreds of suspects who visited the website, several of whom are challenging the validity of the warrant.

    In a filing today in one such case, U.S. v. Levin, EFF and the American Civil Liberties Union of Massachusetts urged the U.S. Court of Appeals for the First Circuit to rule that the warrant is invalid and the searches it authorized unconstitutional because the warrant lacked specifics about who was subject to search and what locations and specific devices should be searched. Because it was running the website, the government was already in possession of information about visitors and their computers. Rather than taking the necessary steps to obtain narrow search warrants using that specific information, the FBI instead sought a single, general warrant to authorize its massive hacking operation. The breadth of that warrant violated the Fourth Amendment.

    “No one questions the need for the FBI to investigate serious crimes like child pornography. But even serious crimes can’t justify throwing out our basic constitutional principles. Here, on the basis of a single warrant, the FBI searched 8,000 computers located all over the world. If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied. We can’t let unfamiliar technology and unsavory crimes lead to an erosion of everyone’s Fourth Amendment rights,” said EFF Senior Staff Attorney Mark Rumold.

    EFF filed a brief in January in a similar case in the Eighth Circuit Court of Appeals, and will be filing briefs in Playpen cases in the Third and Tenth Circuits in March. Some trial courts have upheld the FBI’s actions in dangerous decisions that, if ultimately upheld, threaten to undermine individuals’ constitutional privacy protections over information on personal computers. 

    “These cases will be cited for the future expansion of law enforcement hacking in domestic criminal investigations, and the precedent is likely to impact the digital privacy rights of all Internet users for years to come,” said Andrew Crocker, EFF Staff Attorney. “Recent changes to federal rules for issuing warrants may allow the government to hack into thousands of devices at a time. These devices can belong not just to suspected criminals but also to victims of botnets and other hacking crimes. For that reason, courts need to send a very clear message that vague search warrants that lack the required specifics about who and what is to be searched won’t be upheld.”

    Source: FBI Search Warrant That Fueled Massive Government Hacking Was Unconstitutional, EFF Tells Court | Electronic Frontier Foundation


  • EFF to Tech Leaders: Stand With Users and Tell Trump We Need Strong Encryption, Internet Freedom

    Technology company leaders are reportedly meeting with President-elect Donald Trump and members of his transition team tomorrow in New York. Mr. Trump’s relationship with technology companies has been frosty, and his statements during the campaign and recent cabinet picks raise serious concerns about the new administration’s commitment to protecting the digital rights of all Americans and fostering innovation. They also point to the deep need for Mr. Trump and his team to talk to those who represent the users of technologies, not just the companies that build and sell those technologies.

    Mr. Trump has criticized Apple for refusing to attack the security of the iPhone and says that fighting ISIS propaganda could require closing parts of the Internet. Users have a stake in each of these discussions, since they suffer when their technologies are insecure and when legitimate voices are censored. 

    We urge tech leaders in attendance to press Mr. Trump on these topics, and let the president-elect know that they will stand with their users and the core values of privacy, security, freedom of speech, and transparency.

    Encryption

    First up: defend strong encryption. Tech leaders must explain to the transition team that it is technically impossible to design a “backdoor” that allows law enforcement access to devices and communications without compromising everyone’s security. EFF and the overwhelming majority of the tech community supported Apple when it correctly resisted FBI efforts to force its programmers to write and sign software code to bypass the lock screen of a seized iPhone. Not only would that weaken security for all users, it would also violate Apple’s First Amendment rights by forcing it to endorse a position—favored by the government—that it disagrees with. Tech leaders should make it clear to Mr. Trump’s transition team that talk of building backdoors for law enforcement is a non-starter.

    Mass Surveillance

    Second, we urge tech leaders to voice their opposition to mass surveillance by the NSA. We’re deeply troubled by Mr. Trump’s cabinet picks, such as Senator Jeff Sessions and Representative Mike Pompeo, who have advocated the restoration of the expensive and useless mass telephone records surveillance under the Patriot Act. The program eviscerated the privacy rights of hundreds of millions of innocent Americans with no proof of a countervailing gain. This embrace of unconstitutional surveillance is particularly chilling given the historical misuse of domestic spying programs against political opponents.

    Sessions, Trump’s Attorney General pick, has also supported requiring companies to reduce the security they offer to their users to facilitate law enforcement access, and last year floated a proposal to allow federal agents wide access to online personal information without first obtaining a warrant. Meanwhile, Pompeo, Trump’s CIA director nominee, has called for reviving metadata collection and combining that “with publicly available financial and lifestyle information into a comprehensive, searchable database,” presumably including millions of innocent Americans.

    Free Speech

    Third, industry leaders should push back against Mr. Trump’s attacks on free speech and Internet freedom.

    Requiring social media companies to act as censors has the very real threat of going too far. Trump called those raising free speech concerns “foolish,” and he shouldn’t get away with that. Any speech-limiting practices and policies must be narrowly applied, transparent, and easily correctable, or they will inevitably be targets for gaming and harassment. Special care should be taken to protect researchers and speech that criticizes the government and its agents.

    Net Neutrality

    Fourth, Trump opposes net neutrality, a key principle for protecting the future of our open Internet. Tech companies should stand with their users and urge the president-elect to preserve the FCC’s open Internet order and rules that prevent companies from using customers’ private information for profit.

    Protecting User Information

    Finally, Trump has also talked about creating a database of some or all Muslims. He says he plans to round up and deport millions of illegal immigrants. Both of these will likely involve combing through databases of information about Americans that have been compiled for other purposes.

    If the Trump administration moves ahead with these plans, it will need Silicon Valley’s cooperation. Tech companies may face unprecedented demands to build such databases, or to search for, analyze, and hand over private data of and about their users. These companies hold our private conversations, thoughts, experiences, locations, photos, and more. All of this is vulnerable to misuse by a hostile administration. Tech companies must tell Trump that they won’t cooperate in building, or providing user information for, systems that enable discrimination, intolerance, or ethnic targeting forbidden by the Constitution.

    Many technology companies have already taken stands against previous government demands for user data, pushed for more transparency, and some have even gone to court to challenge law enforcement efforts to access customer data without a warrant or to fight gag orders. We’ve recommended that companies implement strategies to gather and store as little data as possible about their users so that when the government comes knocking, there’s nothing to give.

    Now’s the time to double down. We urge tech leaders to send a clear message to the Trump transition team that technology companies will not be agents of the government, especially when it comes to programs that defy the Constitution and violate our civil rights. Mr. Trump is famously unabashed in his use of social media to get his thoughts and messages out. He understands the power of technology to speak directly to users and communicate to a willing audience. Tech leaders need to be equally bold. They must stand up for all of the users of these tools and reject efforts to weaken the privacy and security that their users rely on. And users need a seat at this table. Mr. Trump, we’re waiting for your call. Or tweet.

    Source: EFF to Tech Leaders: Stand With Users and Tell Trump We Need Strong Encryption, Internet Freedom | Electronic Frontier Foundation