• Tag Archives privacy

  • Law Enforcement Uses Border Search Exception as Fourth Amendment Loophole

    Posted on by Azrael Comment

    In recent months, U.S. Customs and Border Protection agents have sought access to private data on the cell phones of two journalists. Such incidents are offensive because they threaten the independence of the press and pose specific risks to confidential sources. This government overreach also highlights how weak legal protections at the border for digital devices threatens the privacy of all travelers to and from the U.S., including Americans.

    In October 2016, CBP airport agents denied Canadian photojournalist Ed Ou entry into the country, after detaining him for over six hours and seizing his three cell phones. According to Mr. Ou’s ACLU attorney, “When the officers returned the phones to him several hours later, it was evident that their SIM cards had been temporarily removed because tamper tape covering the cards had been destroyed or altered.” Similarly, in July, CBP airport agents detained U.S. citizen and Wall Street Journal reporter Maria Abi-Habib for an hour and a half. When they asked for her cell phones, she refused and referred them to the newspaper’s lawyers. Fortunately, the agents eventually released her without seizing or searching her devices.

    Regular travelers are also at risk. We wrote an amicus brief in the case of Ali Saboonchi, a dual citizen of the U.S. and Iran whose cell phones and flash drive were seized at the U.S.-Canadian border after returning from a vacation to Niagara Falls. Mr. Saboonchi had been under investigation for violating the trade embargo with Iran and federal agents took advantage of his presence at the border to invoke the border search exception to the Fourth Amendment.

    The Fourth Amendment generally requires the government to obtain a warrant from a judge, based on probable cause that evidence of a crime will be found, before seizing and searching personal property. Thus, if federal agents had wanted to confiscate and rifle through Mr. Saboonchi’s digital devices while he was at home in Maryland, they would have needed to obtain a probable cause warrant to do so.

    Decades ago, as we discussed in our brief, the Supreme Court created the border search exception to the Fourth Amendment’s warrant requirement, permitting government agents to search travelers’ luggage, vehicles or persons without a warrant and almost always without any individualized suspicion of wrongdoing.

    The Supreme Court made clear, however, that a warrantless and suspicionless search must be for a discrete public interest purpose. Should a search instead be for the purpose of ordinary law enforcement, the government must first secure a probable cause warrant. For example, the government may set up a warrantless and suspicionless vehicle checkpoint to find drunk drivers for the narrow purpose of roadway safety (notwithstanding the fact that drunk drivers may be arrested and prosecuted)—but the government may not set up a warrantless and suspicionless vehicle checkpoint to find illegal narcotics, which amounts to uncovering “evidence of ordinary criminal wrongdoing.”

    Thus the Supreme Court created the border search exception only for the narrow purposes of enforcing the immigration and customs laws, including ensuring that duties are paid on imported goods and that harmful people (e.g., terrorists) and harmful goods such as weapons, drugs, and infested agricultural products do not enter the country.

    As we discussed in our Saboonchi brief, there is serious doubt as to whether searches generally of cell phones and similar digital devices meaningfully advance the narrow purposes of the border search exception so as to justify the categorical rule that no warrant or suspicion is required, especially in light of the significant privacy interests at stake.

    The seizure and search of Mr. Saboonchi’s digital devices specifically was egregious because CBP agents used the border search exception as a loophole around the general Fourth Amendment rule. CBP agents were not acting to enforce the immigration and customs laws—but instead used Mr. Saboonchi’s presence at the U.S.-Canadian border as an excuse to conduct a warrantless search for the purpose of advancing a preexisting law enforcement investigation. Similarly, CBP agents seemed to use the journalists’ presence at international airports as an excuse to gather intelligence. CBP agents interrogated Mr. Ou about the “extremists” he had come into contact with as a journalist. And as Ms. Abi-Habib recounted, the CBP agent who asked for her cell phones stated, “We want to collect information,” presumably related to her foreign reporting.

    Warrantless and suspicionless searches of digital devices at the border (or the functional equivalent of the border, such as international airports and other ports of entry) are particularly invasive given the vast amounts of personal information they can store or connect to in the “cloud”—beyond what any piece of traditional luggage can hold.

    Courts have recognized the significant privacy interests in today’s digital devices, placing the law related to the border search exception in flux.

    The U.S. Court of Appeals for the Ninth Circuit in U.S. v. Cotterman (2013) held that border agents needed to have reasonable suspicion—somewhere between no suspicion and probable cause—before they could conduct a “forensic” search, aided by sophisticated software, of the defendant’s laptop. Unfortunately, the court held that a manual search of a digital device is “routine” and so the standard border search rule applies (i.e., no warrant or suspicion is needed)—even though the privacy interests in any given device do not change.

    The Supreme Court held in Riley v. California (2014) that the police may not invoke another exception to the warrant requirement, the search-incident-to-arrest exception, to search a cell phone possessed by an arrestee—instead, the government needs a probable cause warrant. The Court stated, “Our holding, of course, is not that the information on a cell phone is immune from search; it is instead that a warrant is generally required before such a search, even when a cell phone is seized incident to arrest.” The Riley Court focused on the vast amount of personal information stored on or accessible via modern devices: “The United States asserts that a search of all data stored on a cell phone is ‘materially indistinguishable’ from searches of these sorts of physical items. That is like saying a ride on horseback is materially indistinguishable from a flight to the moon… Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.”

    While Riley was not a border search case, the Court’s ruling was reasonably broad, thus we argued in our Saboonchi brief that the border search exception should not apply to cell phones and similar digital devices.

    In light of these decisions, CBP’s 2009 policy related to searching digital devices at the border is woefully out of date and should be updated.

    However, we are eager to further the law in this area—to make it clear that the Riley decision applies at the border. So we are interested in hearing about instances where CBP agents search cell phones, laptops, tablets, or similar digital devices without consent (including whether they access “cloud” content such as social media profiles), either manually or with the aid of software, either at the land borders or following international flights and cruises.

    In the meantime, to protect your data when traveling consider some of our quick tech tips, our longer border search whitepaper, our more recent set of tech tips related to encountering the police during protests, and our very comprehensive guide to Surveillance Self-Defense.

    Source: Law Enforcement Uses Border Search Exception as Fourth Amendment Loophole | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged

  • The Problem of Our Surveillance Laws: Report Exposes Deeply Rooted Governmental Secrecy

    Posted on by Azrael Comment

    Kafka wrote in his parable The Problem of Our Laws, “It is an extremely painful thing to be ruled by laws that one does not know.”

    By this standard, America has long been in pain. Secret law runs rampant in the United States, particularly when national security is concerned. It may be legitimate for the government to keep some information secret, like targets of investigations and specific intelligence strategies, but this should be a relatively short list. And it should not, except in the most extreme circumstance, extend to the law itself. A recent report by the Brennan Center for Justice’s Liza Goitein, however, exposes just how deep the problem of keeping even the law secret runs—with over-classification fostering constitutionally suspect legal reasoning and the rapid erosion of any meaningful check on governmental power.

    The Brennan Center report also confirms something we’ve been arguing for years—it’s time for some transparency and accountability in our laws. With only 48 days left in Obama’s presidency, the call to shed some light on the law purportedly supporting the government’s secret surveillance programs is all the more urgent. Opening the blinds is a practical step for protecting the democratic principles this country was founded on—especially as the power to invoke secrecy and surveil Americans is posed to pass into new and untested hands. President Obama, the time is now.

    The Report: The New Era of Secret Law

    The Brennan Center report, entitled “The New Era of Secret Law,” defines “secret law” as “any law withheld from the public.” It outlines the dramatic post-9/11 expansion of the national security establishment’s web of secret court decisions, regulations, and policies. The expansion of secret law implicates all three branches of government: the legislative branch, with secret legislative histories and classified committee reports incorporated by reference into bills and therefore vested with the force of law; the executive branch, with its classified presidential directives and secret binding legal interpretations by the Justice Department’s Office of Legal Counsel (OLC); and the judicial branch, with the United States Foreign Intelligence Surveillance Court (FISC or FISA Court) issuing dozens of secret “ground-breaking” legal interpretations approving unprecedented mass surveillance programs—most of which opinions remain undisclosed to this day.

    The report highlights that, while over-classification long been a problem, the national security establishment’s intense, purposeful secrecy around the law post-9/11 is unprecedented in American history—representing a “significant departure from the commitment to openness and transparency that marked this country’s first two centuries[.]” And it’s a problem because secret law “interferes with the normal process by which law and legal interpretations are corrected or improved.” It is impossible for citizens to challenge laws they are not aware of. Secrecy permits government actors “to develop unfair laws and to apply them [in] an unfair manner, safe in the knowledge that there will be no repercussions.”

    And it’s true: as a result of pervasive, purposeful secrecy, the government’s interpretation of our surveillance laws has grown increasingly distorted and unfair over time—now relied upon to justify mass spying programs that sweep up communications records of millions of innocent people.

    What the American Public Deserves to Know—Now

    President Obama has the opportunity to shed some light on secret surveillance law. EFF recently joined other civil liberties organizations in urging him to seize that opportunity—by taking a few concrete and important steps before he leaves office to release information about the relationship between the law and government spying. These are steps that will empower the American public and ensure that our government continues to function as the democracy our founding fathers intended.

    Specifically, Obama should declassify and release to the public all of the following before January 20, 2017, redacting only information truly necessary to protect national security:

    • All FISA Court opinions with a significant construction or interpretation of law, regardless of whether they were issued before the passage of the USA FREEDOM Act in 2015. As the Brennan Center report notes, there is “a backlog of significant FISA Court opinions that have yet to be declassified and released.” These opinions are critical for understanding how the government’s legal justification for mass spying has evolved over time—and where it has gone wrong.
    • Office of Legal Counsel opinions related to national security and civil liberties. As noted above, OLC opinions contain binding legal interpretation, just as court decisions; that’s why the OLC is sometimes referred to as having a “quasi-judicial” function. But per the Brennan Center’s analysis of records provided pursuant to the Freedom of Information Act (FOIA), at least 74 OLC opinions, memoranda, or letters from 2002 to 2009 on some of the most important legal issues arising after 9/11—“including intelligence gathering and the detention and interrogation of suspected terrorists”—remain classified and thus unavailable for public scrutiny. The Brennan Center also reports that between 1998 and 2003, at least one out of every five OLC opinions was classified. In some cases, OLC reports are not just withheld from the public; they’re also withheld from Congress, including even the very Congressional committees with jurisdiction over the subject matter of the opinions. This practice—“unknown before the Reagan administration” and “rare before 9/11,” according to the report—not only strips Congress of its oversight function, but also prevents Congress from stepping in when the executive branch misinterprets a law or decides that a law doesn’t bind it.
    • Information about the scope of government surveillance of U.S. persons under Section 702 of the 2008 FISA Amendments Act (FAA). The U.S. government relies upon Section 702 as the statutory basis for its PRISM and Upstream mass surveillance programs. These programs sweep up data on hundreds of millions of people who have no connection to terrorist investigations, including countless Americans. Indeed, a hearing last May confirmed that Congress has no idea how many Americans have been impacted by Section 702. That’s not reassuring. This information should be disclosed to the public—and to Congress—since the proportionality of the government’s activities is an important part of assessing their legality.
    • Office of Inspector General reports related to national security and civil liberties. Various federal agencies have an Office of the Inspector General (OIG), designed to serve in an oversight capacity and reporting to both Congress and the agency head. These offices also issue reports relating to national security and civil liberties issues, but not all of these reports have been disclosed or released to the public. The public needs to know how federal agencies are interpreting and applying the law.

    These are just a few of the discrete, practical actions we’ve specifically called for in our joint letter to the President. Obama should also brief both Congress and the Privacy and Civil Liberties Oversight Board (PCLOB) to help inform their oversight. He should direct a government-wide review of whether and how agencies are disposing of information about U.S. persons collected through surveillance. And he should release guidance on how the government considers constitutional concerns surrounding “parallel construction,” the law enforcement practice of laundering evidence to avoid disclosing the true source, such as a warrantless search conducted as part of a secret surveillance program.

    Obama, It’s Time

    Although some sunlight has been shed on the government’s telephone and Internet mass surveillance programs—thanks to the leaks of whistleblowers, including Edward Snowden, the work of investigative journalists, and statements by public officials—we are still largely in the dark regarding not only how these programs impact innocent people, but also about the constitutionally suspect legal analysis the government has relied upon to justify its warrantless collection of our communications records.

    This pervasive secrecy is undermining our status as a truly democratic nation. As the Brennan Center notes, “[j]ust as secret law is not truly law, a democracy that relies on it is not truly a democracy.” Obama has the opportunity to stand up for democratic principles by shedding light on how these programs operate—and he should take it.

     Related Cases
    Jewel v. NSA

    Source: The Problem of Our Surveillance Laws: Report Exposes Deeply Rooted Governmental Secrecy—Underscoring Why Obama Should Act Now | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged

  • Librarians, Act Now to Protect Your Users (Before It’s Too Late)

    Posted on by Azrael Comment

    Books checked out from a library and terms searched on library computers can reveal a teenager’s questions about sexual orientation, a neighbor’s religious leanings, or a student’s political interests. Libraries across the country, particularly public libraries, make it part of their mission to serve the most vulnerable and underserved user groups, including users who are homeless, unemployed, or recent migrants or refugees. And when government agents come looking, these library users need librarians to have their back.

    Libraries and librarians have long been stalwart guardians of the rights of free expression and inquiry. As part of their profession, librarians protect their users’ ability to access even the most controversial information and ideas free from government scrutiny. Since the passage of the Patriot Act in particular, librarians have purged user records when necessary to fight against unconstitutional government demands and pushed back against (unconstitutional) National Security Letters (NSLs). Librarians also stood with EFF and the ACLU when we worked to pass the California Reader Privacy Act in 2011.

    With the recent election of President-elect Donald Trump, many libraries are rightfully worried about a renewed threat to their users’ privacy. If the incoming administration sticks to its promises to identify and deport millions of people, monitor individuals based on their religious beliefs, and expand libel laws, for example, libraries could receive unprecedented government requests for information on their users.

    To that end, we recommend libraries ensure they’re taking the following steps as soon as possible to protect their users’ intellectual privacy. In addition, libraries have to think beyond their own actions and take steps to ensure that all of their third-party vendors provide the same level of protections to users that libraries themselves do.

    1. Limit collection and retention of user information

    The less information you collect about your users, the less you have to surrender. The best policy is to collect the minimum amount of information necessary to provide a particular service, and don’t retain that information any longer than necessary. For example, delete check-out information as soon as a book is returned. Further, make a regular habit of purging your logs (including circulation records, event attendance records, computer use and activity logs, search records, Wi-Fi connection logs, database searches, etc.) using a secure deletion utility. If you do need to retain certain records—for example, usage records for resource allocation or funding advocacy—then follow best practices to de-identify and anonymize them to the greatest extent possible.

    When you do collect user information, make sure your users are notified about that information collection and offered the option to affirmatively opt in. Further limit data collection by allowing pseudonymous or anonymous use of library services wherever possible. For example, allow people to use library computers without a personalized login, and don’t require logins on library web services unless it’s necessary to access a user account. Similarly, leave the library Wi-Fi network open, don’t keep logs of IP addresses, and ensure your network deletes connection logs immediately after log-off.

    Make sure library operated websites and services aren’t logging user IP addresses, and if so, purge them quickly and regularly. Educate users about any differences between services provided in the library versus those services accessed remotely—for example, services accessed via library computers will only see the library’s IP address, while remotely accessing services can expose a user’s own IP address.

    2. Maintain policies and procedures for responding to government requests and for notifying users of requests received

    Communicate with users about how you will respond to requests for their information. Government requests for information may come in a variety of forms, from simple requests without a warrant or court order, to subpoenas, warrants, and NSLs. Policies must clearly dictate how library staff should respond to each of these requests. Make sure your staff knows how to handle requests for user information.

    Note that, without a warrant, court order, or NSL, libraries are generally not required to provide user information, and may refuse to comply. While search warrants may be carried out immediately, all government requests for information may be examined by library counsel for legal defects. If you receive a request for patron information you should contact an attorney. EFF stands ready to help libraries sort through their options when they receive suspect legal process.

    Policies should also address how and when users will be notified of government requests for information. In response to government requests accompanied by a gag order, some libraries, like the Internet Archive and the Library Connection, have fought to lift the gag. Again, EFF stands ready to assist.

    3. Maintain accurate, accessible privacy policies, and notify users when they change

    A library’s privacy policy should, at a minimum, tell users what types of information are collected, how long that information is stored, how it may be used, and who may access it under what conditions. Users should be immediately notified of any changes to library privacy policies, and should have an opportunity to opt in to continued use of affected services.

    But the library’s privacy policy alone may not cover all of the catalogs, databases, e-books, checkout systems, and other third-party services a user may encounter in the library. At a minimum, users should be alerted when they are interacting with a third-party vendor, and should be notified of those vendors’ privacy policies. Libraries should also allow users the opportunity to affirmatively opt in to services that do not allow the same privacy protections as the library—or, even better, wherever possible libraries should require third-party vendors to match their privacy practices. (See EFF’s privacy policy as an example.)

    4. Use HTTPS for your whole website at all times, and push your vendors to do the same

    While many libraries already use HTTPS on parts of their websites, this strategy is ineffective at securing user information. Use a service like Certbot to migrate your entire website to HTTPS, and push your third-party vendors—including e-book vendors—to do the same. Without such protections, your users’ information may be at risk in-transit and vulnerable to anyone logged onto the same network.

    In addition, you should limit the use of cookies used to track users’ preferences and activities. If your website does use cookies, allow users to affirmatively opt in to accept the cookie. Don’t condition access to your site on acceptance.

    5. Secure library computer browsers

    Unsecure browsers can leak information about what users are doing online—including the searches they run and websites they visit—providing a detailed picture of their online activity. Library computers should default to browsers with built-in privacy protections, like Mozilla Firefox or Google Chrome. Enable privacy-protective tools and extensions like EFF’s Privacy Badger and HTTPS Everywhere, and update both the browsers and extensions whenever an update becomes available.

    6.  Require third-party vendors to match library privacy practices for patron data

    As noted above, libraries today use an increasing number of third-party vendors who have access to user data. Libraries must work to ensure that their third-party vendors adopt practices and policies in line with libraries’ own privacy policies. Third-party services can track, collect data about, and analyze user behavior—and that information can in turn be demanded by law enforcement. This can include highly sensitive user information, like name and account identifiers, IP addresses, demographic information, search history, and reading history.

    Librarians can also take control of how they use and present third-party services, including configuring default settings in as privacy-protective a manner as possible and conducting regular reviews of privacy practices and options.

    In addition, analytical and behavioral profiling services can pose particular risks for users—producing detailed records of users’ identities, reading habits, and behaviors. Avoid allowing these services to access user information without obtaining users’ explicit, opt-in consent.

    Looking to libraries

    As the new administration takes office in January, we will need librarians more than ever. We need them to safeguard our access to information and our intellectual privacy. We need them to limit the amount and specificity of data available about users. We need them to fight back against government requests for user information.

    And now it’s essential that all librarians go beyond these crucial steps to consider the full range of threats to their users’ privacy, and act to protect that privacy in a changing environment. We applaud libraries for the work they’re already doing, and urge the entire library community to take additional action before it’s too late.

    Source: Librarians, Act Now to Protect Your Users (Before It’s Too Late) | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged