Deeplinks
As we say goodbye to another summer of computer security conferences, we would like to take a moment to extend our thanks to the countless people who helped bolster the digital freedom movement this year in Las Vegas. Organizers and attendees at Security BSides Las Vegas, Black Hat USA, DEF CON, and the kid-focused r00tz Asylum are all part of the ever-growing movement to defend digital freedom. As "hacking" loses some of its stigma, it serves us well to remember that at its core, hacking is about curiosity, problem-solving, and innovation. These key principles help ensure that technology can work in our favor and remains in our control.
EFF stood up for the users at a record number of talks and events this year. Presentations from our activists, legal team, and technologists delved into topics including encryption export controls, the U.S. government's mass surveillance, taking down DRM, and our game-changing SSL certificate authority Let's Encrypt. Through the Coders' Rights Project, EFF attorneys counseled numerous security researchers [1] through the murky waters of tech law in preparation for this year's events. EFF participated officially in many on-site events, from the Crypto & Privacy Village to Mohawkcon's haircuts for charity. We also held our very first—and wildly successful—Badge Hack Pageant, which will return next year. You can check out a collection of photos from our adventures on Facebook and Google+. Photo goon @cannibal has some great shots of the Badge Hack Pageant on his Flickr album. Special thanks to AST Cell's HackerPhotos.com!
While it is nigh impossible to name all of the ardent digital freedom supporters we meet at these events, we would like to thank some of the groups and individuals who found creative ways to raise awareness and funds for EFF's work:
- Black Hat for designating a portion of Business Hall pass sales to support digital rights.
- Beard & Moustache Contest for including EFF and bringing the silliness.
- EddieTheYeti for creating art with extra purpose.
- Hack Fortress for using their talents to support online freedom.
- Mohawkcon for braving electrical outages and more with clippers and a smile.
- Rapid7 for showing that open source really IS magic!
- Wafflecon for using their sweets for good, not evil.
- Wall of Sheep for their fantastic night-time auction.
- The Goons for being helpful and generous with their time.
Thank you to every person who attended an EFF session, stopped to discuss online rights issues, signed up on the mailing list, bought some EFF swag, or renewed their support as a member. Also, I'm pleased to announce that we have a limited number of EFF's special edition DEF CON 23 Crypto Noir member t-shirts available now! You can figure out the puzzle on your own or read ahead if you like spoilers.
Las Vegas' hacker gatherings are an annual reminder that EFF stands alongside a socially conscious community that is ready to face weighty challenges and big questions about technology with stout hearts and nerves of steel.
[1] If you have legal concerns regarding an upcoming talk or sensitive information security research that you are conducting at any time, please email info@eff.org. Outline the issues and we will do our best to connect you with the resources you need.
EFF has won a battle in its fight to get the government to disclose its policy for deciding whether to tell the public about critical flaws in software when it finds out about them. Last year, we filed suit under the Freedom of Information Act to obtain the so-called Vulnerabilities Equities Process (VEP). At first, the government told us the document was entirely classified, but just weeks before we were set to challenge those claims in court, it relented. We received the VEP late last night, right before the long weekend.
Our interest in the VEP and the core concern over the government’s knowledge and use of “zero-days” and other vulnerabilities is that they often exist in products that are used widely by the general populace. If the government chooses to keep a vulnerability secret for intelligence purposes, for example, it does not notify the developer, which would likely otherwise issue a patch and protect users from online adversaries such as identity thieves or foreign governments who may also be aware of the zero-day. That’s why the US government’s written policy on what to do with zero-days is so important.
It’s worth noting that it took more than a year of litigation to get access to a single document that government officials have publicly talked about on multiple occasions, including in an interview with Wired. What’s more, these officials reassured the public that the policy is intended to strongly favor public disclosure of vulnerabilities, even listing some of the specific considerations that go into those decisions. And yet, when initially faced with our FOIA suit, the government said the process was too secret to release even a word. That’s not transparency.
There are still some important blank spots in the document. Details of the process remain redacted, although the surrounding information sheds more light on which components of the government are involved, and how vulnerabilities make it into review. Notably, the office within the NSA responsible for overseeing the VEP “[m]aintains records of all vulnerabilities that have been identified” and produces an annual report.
We don’t know how this process squares with the government’s claims that in the vast majority of cases it discloses vulnerabilities to the public rather than holding on to them for intelligence or law enforcement purposes. We’re still digesting the document and deciding whether we want to challenge any of the remaining redactions. We’ll have more soon.
At long last, the U.S. Department of Justice (DOJ) has announced a slew of much-needed policy changes regarding the use of cell-site simulators. Most importantly, starting today all federal law enforcement agencies—and all state and local agencies working with the federal government—will be required to obtain a search warrant supported by probable cause before they are allowed to use cell-site simulators. EFF welcomes these policy changes as long overdue.
Colloquially known as “Stingrays” after Harris Corporation’s brand name for a common model, cell-site simulators masquerade as legitimate cell phone towers, tricking phones nearby into connecting to them. This allows agents to learn the unique identifying number (the IMSI) of each phone in the area of the device and to track a phone’s location in real time. But Stingrays can get a lot more than just identifying numbers and location data: by virtue of the way they work, all mobile traffic (voice, data, and text) from every phone in the area could be routed through the Stingray, giving the operator the option to do anything from recording entire calls and texts to selectively denying service to particular phones.
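The post describes a cell-site simulator from the operator's side. As an added example that is not code from the post (and goes beyond it, since the post does not discuss detection), here is the kind of heuristic an IMSI-catcher detector app applies from the phone's side, run over a constructed observation log. The indicators it uses (a cell never seen at this location, an implausibly strong signal, a downgrade from LTE to GSM while the LTE signal was still usable, GSM ciphering switched off, an operator change without roaming) are assumptions about how such devices tend to present, not claims the post makes; the PLMN `001-01` is the reserved test network and the cell IDs are made up.

```python
"""
Heuristic detection of a cell-site simulator from the phone's own view of
the network. Added example, not from the EFF post: the log is constructed
and the indicators are assumptions about typical simulator behaviour.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class CellObs:
    ts: int          # seconds since start of the log (constructed)
    plmn: str        # MCC-MNC the phone believes it is attached to
    lac: int         # location area code
    cell_id: int
    rat: str         # radio technology: "LTE", "UMTS" or "GSM"
    rssi_dbm: int    # received signal strength
    cipher: str      # cipher the network chose: "A5/3", "A5/1", "A5/0" (none) or "n/a"


RAT_RANK = {"GSM": 1, "UMTS": 2, "LTE": 3}
STRONG_DBM = -50   # assumption: genuine macro cells rarely read this strong at street level
USABLE_DBM = -95   # assumption: above this the phone had no reason to leave LTE on its own

CellKey = Tuple[str, int, int]


def cell_key(o: CellObs) -> CellKey:
    return (o.plmn, o.lac, o.cell_id)


def detect(log: List[CellObs], known_cells: Set[CellKey]) -> List[Tuple[int, str]]:
    """Return (ts, reason) alerts for observations that look like a simulator.

    A real detector learns `known_cells` for each location over weeks; here the
    baseline is supplied directly.
    """
    alerts: List[Tuple[int, str]] = []
    prev = None
    for o in log:
        unknown = cell_key(o) not in known_cells
        if unknown:
            alerts.append((o.ts, "cell never seen at this location"))
        if unknown and o.rssi_dbm >= STRONG_DBM:
            alerts.append((o.ts, f"unknown cell at {o.rssi_dbm} dBm, implausibly strong"))
        if prev is not None and RAT_RANK[o.rat] < RAT_RANK[prev.rat] and prev.rssi_dbm >= USABLE_DBM:
            alerts.append((o.ts, f"downgrade {prev.rat}->{o.rat} while {prev.rat} signal was usable"))
        if o.rat == "GSM" and o.cipher == "A5/0":
            alerts.append((o.ts, "GSM connection with ciphering disabled (A5/0)"))
        if prev is not None and o.plmn != prev.plmn:
            alerts.append((o.ts, f"operator changed {prev.plmn}->{o.plmn} without roaming"))
        prev = o
    return alerts


def verdict(alerts: List[Tuple[int, str]], threshold: int = 2) -> bool:
    """Any single indicator misfires (carriers do add towers); require several."""
    return len(alerts) >= threshold


# Constructed sample: a commute that normally sees two LTE cells, after which a
# new, very strong cell appears and the phone drops to unciphered GSM.
KNOWN: Set[CellKey] = {("001-01", 4201, 77001), ("001-01", 4201, 77002)}
BENIGN_LOG = [
    CellObs(0,   "001-01", 4201, 77001, "LTE", -81, "n/a"),
    CellObs(60,  "001-01", 4201, 77002, "LTE", -78, "n/a"),
    CellObs(120, "001-01", 4201, 77001, "LTE", -84, "n/a"),
]
SUSPICIOUS_LOG = BENIGN_LOG + [
    CellObs(180, "001-01", 4201, 9999, "GSM", -42, "A5/0"),
    CellObs(240, "001-01", 4201, 9999, "GSM", -41, "A5/0"),
]

if __name__ == "__main__":
    for ts, reason in detect(SUSPICIOUS_LOG, KNOWN):
        print(f"t+{ts}s: {reason}")
    print("simulator suspected:", verdict(detect(SUSPICIOUS_LOG, KNOWN)))
```

The thresholds are deliberately conservative: a new cell on its own is what a freshly installed tower looks like, so the verdict requires the indicators to stack, which is exactly what a simulator that wants the strongest signal and a downgrade to 2G produces.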
Until recently, law enforcement’s use of Stingrays has been shrouded in an inexplicable and indefensible level of secrecy. At the behest of the FBI, state law enforcement agencies have been bound by non-disclosure agreements intended to shield from public scrutiny all details about the technical capabilities and even model numbers of the devices. Law enforcement has gone to extreme lengths to protect even the most basic information about them, even dropping charges rather than answering judges’ questions about them. Although today’s policy changes don’t directly affect the non-disclosure agreements already in place, the tone of the announcement, along with a clarification from May, gives us hope that more transparency is on the way.
What today’s changes do:
- Federal law enforcement agents will be required to obtain a search warrant supported by probable cause prior to using a cell-site simulator in a law enforcement context. A search warrant requires a showing by the agent, under oath, that meets one of the highest standards in federal law. This incredibly important change is precisely what EFF has been asking for.
- Agents will only be allowed to use Stingrays in “pen register” mode, meaning the devices will collect only the basic location of the phone and the numbers of incoming and outgoing calls and texts. Agents will not be allowed to collect the content of your communications (like your emails or text messages), even if the cell-site simulator is capable of such collection.
- Finally, agencies must delete data on people who are not targets within either 24 hours or 30 days, depending on context.
What today’s changes don’t do:
- The new policy isn’t law and doesn’t provide any remedy to people whose data is swept up by Stingrays operated without a warrant. Indeed, it won’t even act to keep evidence collected in violation of the policy out of court (this is known as suppression).
- The policy doesn’t apply to the use of Stingrays outside of the criminal investigation context. For instance, when federal agents use cell-site simulators for “national security” purposes, they won’t be required to obtain a warrant by the terms of this policy.
- There are two enumerated exceptions to the warrant requirement in today’s guidance. The first is the traditional “exigent circumstances” exception, common to all warrant requirements and not particularly worrisome. But the second exception listed in today’s policy for undefined “exceptional circumstances” is potentially problematic. We have no idea what that means, so we’re waiting to see if and how the exception will be used.
What more is needed:
While we’re pleasantly surprised by this long-needed first step to bring Stingrays out of the shadows and into compliance with the Fourth Amendment’s warrant requirement, more is needed.
First and foremost, without a statute or court decision giving this voluntary policy the force of law, there will be no consequences if law enforcement agents flout its terms and continue using Stingrays as they have—without warrants. With only this policy shielding us, there’s nothing keeping warrantless Stingray evidence out of court, and therefore nothing to deter agents from behaving badly.
Second, we need to extend this warrant requirement to all state and local law enforcement agencies around the country. Some states (such as Washington) already have such laws in place. It’s time to make the message clear to cops in all 50 states: if you want to use a Stingray, get a warrant!
It should be no surprise that libraries and bookstores—the places where you can go pick up a copy of 1984 or Darkness at Noon—are privacy hipsters. They’ve been fighting overbroad government surveillance since before it was cool. That’s why we’re proud to have filed an amicus brief on behalf of a coalition of associations of libraries and booksellers in Wikimedia v. NSA, a case challenging the government’s warrantless surveillance of the Internet backbone.
The case was brought by our colleagues at the ACLU on behalf of Wikimedia—the non-profit that operates Wikipedia—and a broad spectrum of other media, human rights and legal organizations. The case challenges the NSA’s so-called Upstream surveillance, a publicly admitted program that involves copying Internet traffic—including e-mails, chat, web browsing and other communications—as the data traverses the fiber optic backbone of the Internet. Now the government has brought a motion to dismiss the case, arguing that Wikimedia and the other plaintiffs cannot show that their communications are collected. According to the government, Wikimedia can’t assert its own rights or the rights of its users and therefore lacks standing to sue.
That’s where libraries and bookstores come in. EFF’s amicus brief represents a range of these groups: the American Booksellers Association, the American Library Association, the Association of Research Libraries, the Freedom to Read Foundation, and the International Federation of Library Associations and Institutions.
As the brief explains, the government is dead wrong when it says organizations like Wikimedia can’t represent their users’ First Amendment rights. Upstream surveillance sweeps in readers’ online interactions with libraries and bookstores, including sensitive information like readers’ choice of reading material, which is protected by the First Amendment. As the Supreme Court has explained, the constitutional guarantee of free speech also includes protections for the things that go along with free speech: publishing and receiving information anonymously and associating privately. Reading lists are a prime example—if the government knows what you’re reading, you’re likely to think twice about checking out controversial or embarrassing books.
As providers of the written word, libraries and booksellers are the natural protectors of readers’ First Amendment rights. The brief explains that libraries and bookstores have long stood up for reader privacy—the American Library Association in particular has included a promise of patron confidentiality in its Library Bill of Rights since 1939. In recognition of that important relationship, the Supreme Court has made clear that booksellers and libraries have standing to bring claims based on readers’ First Amendment rights. While most of the cases involving protection for readers’ records have arisen in the brick-and-mortar context, there’s no reason why online interactions between readers and libraries and booksellers should be different. And of course, Internet users’ consultations of Wikipedia articles are similarly entitled to this protection, meaning that Wikimedia should be empowered to raise its users’ First Amendment rights as well as its own. We hope the court agrees.
Special thanks to Jan I. Berlage of Gohn Hankey Stichel & Berlage LLP for acting as our local counsel in filing the brief.
This Labor Day weekend, EFF joins tens of thousands of sci-fi and fantasy fans at Dragon Con in Atlanta, Georgia. Our goal: educate and energize the fandoms about privacy, surveillance, and free speech.
In addition to an epic cosplay activism campaign, our team is sitting on almost a dozen panels covering issues such as domestic surveillance and government transparency. At our table at the Hilton, we’ll be able to give you practical tips for protecting your privacy using EFF’s Surveillance Self-Defense Project, and help you understand what types of technology police are using in your community, with some help from the Street Level Surveillance Project.
Just as we discussed San Diego’s surveillance camera network boondoggle (Voice of San Diego referred to it as “Bumbling Big Brother”) during Comic-Con 2014, here’s a quick round-up of some of the ways law enforcement in the Atlanta area are keeping an eye on you.
Automated License Plate Readers
Law enforcement agencies around the country have embraced Automated License Plate Readers (ALPRs), surveillance systems made up of networks of cameras that capture the license plates of any vehicle that passes within view. Sometimes these cameras are attached to police vehicles, sometimes they’re mounted on telephone poles and traffic lights. While ALPR technology is often used to find stolen or wanted vehicles, it can also be used to identify witnesses, create lists of cars that frequent certain neighborhoods or establishments, and track the patterns of suspected criminal groups. When ALPR data is captured indiscriminately and stored for long periods of time, it can reveal the travel patterns of everyday drivers who aren’t suspected of crimes at all.
According to documents obtained by the ACLU of Georgia [PDF], the Atlanta Police Department invested more than $130,000 in ALPR technology in 2012, including at least 11 mobile cameras and one fixed-location camera. The cameras were purchased from Vigilant Solutions, a company known for its aggressive marketing of the cameras and its immense database of ALPR data to law enforcement agencies around the country.
In nearby Gwinnett County, police began using ALPRs in 2011 at a cost of $20,000 per camera. The Atlanta Journal-Constitution further reports that the Georgia State Patrol and the Sandy Springs Police Department also use ALPRs. In Sandy Springs’ case, police told the reporter in 2012 that the agency’s one car-mounted ALPR system captured 11 million “reads” in a single year.
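The ALPR passage above makes two points: a hot-list lookup needs a read for only an instant, and the same reads, kept indefinitely, become a travel log of people suspected of nothing. As an added example that is not code from the post, the following store shows both: the pattern-of-life query that long retention enables, and a minimization purge that keeps hot-list hits but drops everything else past a retention window. The plate reads are constructed, and the 30-day window and camera names are assumptions, not figures from any Georgia agency.

```python
"""
ALPR retention: the pattern-of-life query that indefinitely stored plate
reads make possible, and a minimization purge that keeps only hot-list hits
past a retention window. Added example, not from the EFF post; the reads are
constructed and the retention window is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

DAY = timedelta(days=1)


class PlateReadStore:
    def __init__(self) -> None:
        self.reads: List[Dict] = []   # each: plate, camera, ts, hit

    def record(self, plate: str, camera: str, ts: datetime, hotlist: Set[str]) -> None:
        # A "hit" is a read that matched the stolen/wanted list at capture time.
        self.reads.append({"plate": plate, "camera": camera, "ts": ts, "hit": plate in hotlist})

    def purge(self, now: datetime, retention: timedelta) -> int:
        """Drop non-hit reads older than `retention`; keep hits. Returns the count removed."""
        before = len(self.reads)
        self.reads = [r for r in self.reads if r["hit"] or now - r["ts"] <= retention]
        return before - len(self.reads)

    def pattern_of_life(self, plate: str) -> Tuple[Counter, Counter]:
        """Where and at what hour a plate is habitually seen: the query that turns
        'find stolen cars' infrastructure into a travel log of non-suspects."""
        by_camera: Counter = Counter()
        by_hour: Counter = Counter()
        for r in self.reads:
            if r["plate"] == plate:
                by_camera[r["camera"]] += 1
                by_hour[r["ts"].hour] += 1
        return by_camera, by_hour


def build_sample_store(days: int = 60) -> Tuple[PlateReadStore, datetime]:
    """Constructed data: one commuter plate read twice every weekday by two fixed
    cameras over `days` days, plus a single stolen-car hit on day 10."""
    store = PlateReadStore()
    hotlist = {"STOLEN1"}
    start = datetime(2015, 7, 1)          # a Wednesday
    for d in range(days):
        day = start + d * DAY
        if day.weekday() < 5:
            store.record("ABC123", "CAM-HOME-ST", day.replace(hour=7, minute=45), hotlist)
            store.record("ABC123", "CAM-CLINIC-LOT", day.replace(hour=18, minute=10), hotlist)
    store.record("STOLEN1", "CAM-I85", start + 10 * DAY, hotlist)
    return store, start


if __name__ == "__main__":
    store, start = build_sample_store()
    cams, hours = store.pattern_of_life("ABC123")
    print("before purge:", dict(cams), dict(hours))
    removed = store.purge(now=start + 60 * DAY, retention=30 * DAY)
    print("purged", removed, "non-hit reads; remaining", len(store.reads))
```

Before the purge, two fixed cameras are enough to say where this driver sleeps, where they spend their evenings, and at what times; the hot-list hit does not need any of that history to be useful, which is the argument for retaining hits and little else.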
Stingrays
IMSI catchers—which go by brand names like “Stingrays” or “DRTBoxes”—are devices that mimic cell phone towers in order to determine a cell phone’s location. These are among the more elusive surveillance tools used by law enforcement, since many agencies have signed non-disclosure agreements with the “Stingray” manufacturer, Harris Corp. Those agreements have resulted in evidence being withheld from defense attorneys and, in some instances, in criminal cases being dropped for fear that the technology would be revealed.
Writing for TheBlot.com, Matthew Keys found that the Gwinnett County Police spent roughly $200,000 on Stingrays, which a police spokesperson said the department uses “in criminal investigations with no restrictions on the type of crime.” The Gwinnett County District Attorney further admitted on camera to an NBC investigative reporter that, pursuant to a secrecy provision within the county’s contracts with Harris, prosecutors do not specifically disclose the use of Stingrays to defense attorneys, instead referring to the devices only vaguely as “cellphone location technology.”
As of last year, Fulton County did not own its own Stingrays, but instead borrowed the devices from the U.S. Marshals, according to The Atlanta Voice.
Mobile Biometrics
Last month, EFF and MuckRock launched a campaign to file public-records requests around the country to expose how local law enforcement uses mobile devices during stops to capture biometric information, such as fingerprints, face recognition, and iris scans. So far, we are still waiting on responses from several agencies in Georgia, including the Atlanta Police Department, Auburn Police Department, Bibb County Sheriff’s Office, and Lawrenceville Police Department.
Shockingly, the Georgia Bureau of Investigation (GBI) told us they were “unable to locate any records that are responsive to your request.” Apparently GBI didn’t search hard enough: a simple online search turns up many documents [PDF 1, 2] related to the bureau’s RapidID program, in which the state has funded the purchase of portable fingerprint scanners by local law enforcement. The Georgia Department of Public Safety even has a formal “Mobile Biometrics” policy [PDF]. GBI’s most recent monthly report shows about 14,000 RapidID transactions in July 2015.
Meanwhile, foreign travelers beware: in July 2015, Customs and Border Protection launched a pilot project using mobile biometric devices at the Atlanta airport to capture thumbprints from foreign travelers as they leave the country.
Hemisphere Project
Atlanta is a central location in the Hemisphere Project, a secret program that allows police to access a massive trove of call records going back decades maintained by AT&T. The program is funded by the White House’s Office of National Drug Control Policy, and it places AT&T employees in fusion centers to help police search the records.
However, police are told not to reveal the source of this evidence gathered through Hemisphere and instead are instructed to find another explanation for how they obtained the crime tip. The government calls this process “parallel construction.” We call it “intelligence laundering.”
There are Hemisphere hubs in Los Angeles, Houston, and Atlanta, the latter of which is run out of the Atlanta High Intensity Drug Trafficking Area (HIDTA) facilities. According to public records, the Atlanta node processed 617 Hemisphere requests in 2012, representing 22% of all requests filed that year.
EFF has sued the California Department of Justice and the Drug Enforcement Administration under public records laws to obtain more information on the Hemisphere program.
To learn more about local law enforcement technology, visit EFF’s Street Level Surveillance site. EFF Activist Nadia Kayyali and Investigative Researcher Dave Maass will discuss these issues more during the Electronic Frontiers Forums track at Dragon Con. Check out the schedule.
The California Legislature is on the brink of passing S.B. 178, the California Electronic Communications Privacy Act (CalECPA). This bill would bring long overdue reforms to how law enforcement searches our digital records by requiring a warrant to access our emails, locational information, documents, and other files.
This week, we’re happy to report that all of the state’s major law enforcement associations removed their opposition, taking a neutral stance on the legislation. Beyond that, the San Diego Police Officers Association (SDPOA), representing 1,850 sworn officers, now actively supports CalECPA.
As SDPOA President Brian Marvel wrote in a letter to the bill’s author Sen. Mark Leno:
In its current form, SB 178 strengthens community relationships and increases transparency without impeding on law enforcement’s ability to serve the needs of their communities. This bill does so by providing a clear process for government or law enforcement agencies seeking access to electronic information such as data stored on cell phones, electronic devices, emails, and digital documents.
SB 178 modernizes the current law to account for assuring privacy of personal information of Californians regardless of the format in which it is stored. We believe this bill is in the best interest of all citizens of California.
This letter underscores what EFF also strongly believes—privacy is not in conflict with public safety. Instead, updating electronic privacy law for the modern digital age protects people in two ways: safeguarding rights and supporting police’s ability to effectively and efficiently do their jobs.
CalECPA creates a clear standard for government searches
Currently, the law and court rulings have generated a lot of complexity about when a warrant is required for digital records, particularly those held by third party online services, such as Google or Twitter. Some companies say that they require a warrant for data. Others do not. S.B. 178 would create a unified standard across the state, allowing investigators to know exactly what they need to do to get the information they need. With a clearly defined law, investigators can be more confident that they followed due process when they bring a case against a suspect.
CalECPA does not hinder law enforcement’s ability to react to emergencies
Generally, investigators would need to get a warrant before accessing data. But, in emergency situations—when there is danger of death or serious bodily injury—police can proceed, as long as they later explain the emergency to the court. This is a meaningful accountability measure that also serves the interests of public safety.
Law enforcement officers also deserve privacy guarantees
Being a police officer and being a member of the public are not mutually exclusive. In other words, when the legislature protects the privacy of Californians, that includes law enforcement officers, and their families, too.
CalECPA improves trust between police and the community
Over the last few years, local law enforcement agencies have come under intense scrutiny over the use of sophisticated surveillance technologies, often without limit. By supporting S.B. 178, SDPOA has sent a clear message that its members support privacy as a community value and are committed to finding the right balance between civil liberties and public safety.
The time is now for other California law enforcement to also stand up and support S.B. 178.
Update: As of Sept. 4, 2015, California Correctional Peace Officers Association (CCPOA) has withdrawn its support of S.B. 178.
The following is a guest post from Eric Crampton, Head of Research at the New Zealand Initiative, who previously served as Lecturer and Senior Lecturer in Economics at the Department of Economics & Finance at the University of Canterbury.
Australia National University’s Dr. George Barker suggested that New Zealand could do well by strengthening its copyright legislation. He warned against the fair dealing exceptions that have crept into the law and asked, “Why not have copyright law like property law—i.e. it lasts forever?”
That is a good question. And it is an important one as New Zealand and other countries consider extending the term of copyright under the Trans-Pacific Partnership agreement. Current New Zealand law maintains copyright in written and artistic works for 50 years after the death of the writer. Copyright in film and sound recordings is shorter, lasting 50 years from the works being first made available. While the text of the TPP is not yet public, it appears that the agreement would extend copyright’s duration to 70 years from the death of the creator.
So why shouldn’t copyright be infinite?
Five years ago, Larrikin Music, which bought the rights to an old Australian folk song, sued Men At Work for including an 11-note flute sequence from it in their ’80s hit “Down Under”. Where Men At Work had intended homage in its celebration of all things Australian, Larrikin, and the law, saw copyright infringement.
But does that really go far enough? If an 11-note sequence counts as infringement, how much do modern artists owe Pachelbel’s descendants? The four-chord sequence making up the core of his Canon in D has been repeated in dozens, if not hundreds, of subsequent songs. Should evidence produced by Australia’s Axis of Awesome be used in copyright lawsuits by anyone who can document that, ten generations back, Johann Pachelbel was a great-great-grandfather? It seems absurd.
Even from the perspective of a profit-seeking artist, copyright is a double-edged sword. Stronger copyright both increases the rewards from having produced a piece of work and increases the cost of creating new works.
Copyright that is too weak can mean that too few works are created, although artists have gotten far better at working out alternative ways of earning a living when, regardless of the letter of copyright law, enforcement has become difficult. Further, at standard time discounting rates, a 20-year extension to copyright’s term might provide only about a two percent increase in the present value of any earned royalties. It is not particularly plausible that many new works would come into existence because of that slight increase.
On the other side, copyright that is too strong can surely kill new creation. Artistic works feed off each other. New works build on older traditions, reinterpreting old folk tales and old folk tunes for new generations. The Brothers Grimm collected and published older folk tales like Cinderella and Sleeping Beauty in the 1800s. In the 1900s, Walt Disney brought those stories to life in a new form. In the 2000s, well, it is hard for new innovation to occur because copyright law, at least in the United States, has frozen the usage of most important works produced since 1923. An extension of copyright’s duration does far more to reward those who own the rights to existing works than it does to encourage new creation.
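The “about two percent” figure follows from ordinary present-value arithmetic. As an added example that is not from the post, the block below carries the calculation through: a constant annual royalty received for n years, discounted at rate r, is worth (1 − (1 + r)^−n) / r in present-value units, and the gain from a 20-year extension is the ratio of that quantity at the longer term to the shorter one. The inputs are assumptions rather than figures from the post: an author who outlives the work’s creation by 30 years (so the current New Zealand term of life plus 50 means 80 years of royalties and the TPP’s life plus 70 means 100), a constant royalty, and discount rates of 4 to 7 percent.

```python
"""
Present value of a royalty stream under a 50- versus 70-year post-mortem
term. Added example to make the post's "about two percent" concrete; the
author lifespan, constant royalty and discount rates are assumptions.
"""


def annuity_pv(years: int, rate: float) -> float:
    """PV of 1 unit per year for `years` years at `rate`: (1 - (1+r)^-n) / r."""
    if rate == 0:
        return float(years)
    return (1 - (1 + rate) ** (-years)) / rate


def annuity_pv_bruteforce(years: int, rate: float) -> float:
    """Same quantity as an explicit sum, to check the closed form."""
    return sum(1 / (1 + rate) ** t for t in range(1, years + 1))


def extension_gain(base_years: int, extra_years: int, rate: float) -> float:
    """Fractional increase in PV from extending a `base_years` term by `extra_years`.

    The extra years are worth little because they arrive late: each one is
    discounted by (1+r)^-t for t already past `base_years`.
    """
    return annuity_pv(base_years + extra_years, rate) / annuity_pv(base_years, rate) - 1


def nz_term_gain(years_author_survives: int = 30, rate: float = 0.05) -> float:
    """Gain from moving New Zealand's life+50 term to the TPP's life+70, for an
    author who (assumption) lives `years_author_survives` years past creation."""
    base = years_author_survives + 50
    return extension_gain(base, 20, rate)


if __name__ == "__main__":
    for r in (0.03, 0.04, 0.05, 0.07):
        print(f"discount rate {r:.0%}: extension adds {nz_term_gain(rate=r):+.2%} to PV")
```

At a 4 percent rate the extension adds roughly 2.5 percent to the royalty stream’s present value; at 5 percent about 1.3 percent; at 7 percent well under half a percent. The exact figure moves with the assumed lifespan and rate, but the shape does not: years 80 through 100 of a royalty stream are worth almost nothing today, which is the post’s point about incentives for new creation.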
But, ultimately, why should copyright be limited? Because current creators draw on a global commons in their artistic creations, and future generations of artists deserve a commons too.
~
If you're Kiwi, ask your trade negotiator to stand firm and oppose the U.S. copyright term extension proposal in the TPP:
On our TPP's Copyright Trap page we link to more articles about how the threat of copyright term extension under the TPP impacts users around the world.
Although grassroots activism has dealt it a blow, the Senate Intelligence Committee's Cybersecurity Information Sharing Act (CISA) keeps shambling along like the zombie it is. In July, Senator McConnell vowed to hold a final vote on the bill before Congress left for its six-week long summer vacation. In response, EFF and over 20 other privacy groups ran a successful Week of Action, including over 6 million faxes opposing CISA, causing the Senate to postpone the vote until late September.
Senators submitted many amendments to the bill before going on vacation. The amendments, like the original language of the bill, fail to address key issues like the deep link between these government "cybersecurity" authorities and surveillance, as well as the new spying powers the bill would grant to companies.
But “cybersecurity” is already intimately tied to surveillance—a problem CISA would only worsen. Documents released by the New York Times reveal the government used the Comprehensive National Cybersecurity Initiative (CNCI) to pay telecommunications companies to spy on consumers using their networks. The CNCI includes initiatives for information gathering, but it’s always been presented to the public as fostering research and encouraging public awareness of cybersecurity problems—not spying on Americans' Internet traffic.
The revelations are stunning. The NSA paid telecommunications companies nearly $300 million dollars in the 2010 fiscal year to invest in surveillance equipment as part of the CNCI. In fact, STORMBREW’s Breckenridge site was “100% subsidized with CNCI funding.”
In contrast, the DHS only requested $37.2 million during the same time period to support research and development in cybersecurity science and technology. Even if DHS received what it requested, does the American public really want surveillance spending to outweigh research and education by roughly eight to one?
The news is compounded by other recently-released Snowden documents that show how the NSA uses foreign intelligence laws to run an intrusion detection system (IDS) on US soil. The documents show that a Justice Department memo gave the agency permission to monitor Internet cables, “without a warrant and on American soil, for data linked to computer intrusions originating abroad — including traffic that flows to suspicious Internet addresses or contains malware.”
CISA—and its amendments—do not even begin to address these serious problems. Instead, they mandate information sharing with the intelligence community, creating even more cyberspying.
EFF will continue to oppose CISA—even if some of these amendments pass—because CISA's vague definitions, broad legal immunity, and new spying powers allow for a tremendous amount of unnecessary damage to users' privacy, and it’s highly unlikely that the public will learn about it. Even an amendment (#2612) offered by Senator Al Franken, which narrows some of the definitions in CISA, does little to clarify its most troubling provisions.
What's worse is that information-sharing bills like CISA are being painted as silver bullets to data breaches. They aren't. The bills don't address problems like unencrypted files, poor system architecture, unpatched servers, and employees (or contractors) clicking malware links.
Awful Amendments
Plenty of the amendments would make the bill even worse. We've already discussed the horrible CFAA amendment, #2626, proposed by Senator Sheldon Whitehouse. The amendment not only increases the scope of the already expansive Computer Fraud and Abuse Act (CFAA) but also authorizes injunctions against botnets (amending 18 U.S.C. § 1345) in a way that creates serious constitutional issues. After all, much of what DOJ and FBI want to do in shutting down botnets is, arguably, a search or a seizure under the Fourth Amendment; moreover, such injunctions may prevent users from communicating, thus raising First Amendment issues. The amendment is a great example of how not to amend the draconian CFAA. If the Senate wants to improve the CFAA, it should take a page out of our book.
Senator Carper has proposed another dubious change to CISA, amendment #2627. The amendment attempts to codify the Department of Homeland Security's EINSTEIN program without any public debate. EINSTEIN is an intrusion detection system—the parent of which was created by the NSA—that scans Internet traffic entering the federal government, such as emails and other connections. DHS has not told the public which agencies are using EINSTEIN. It’s possible that when you email your representative, DHS may also receive a copy. Before codifying EINSTEIN, DHS must be more transparent about the program. The most recent update from DHS about the program is from 2013, and many concerns have been raised about EINSTEIN’s legality and privacy implications. Unlike CISA, Senator Carper's amendment mandates that federal agencies create a plan to identify sensitive information and encrypt it; however, the clause exempts the Department of Defense and the intelligence community. Nor does the amendment authorize additional funding for federal agencies to improve security.
Senator Carper's attempt to make a horrible bill marginally better is admirable, but he—along with other Senators—should oppose the bill. Even the best amendments fail to fix CISA's serious flaws.
Not Awful Amendments
Some of the amendments try to narrow the scope of the bill. Senator Chris Coons' amendment #2552 would limit information sharing to that necessary to describe or identify a cybersecurity threat, while Senator Wyden's amendment (#2621) would require companies and the government to remove personal information unrelated to the threat.
But these well-meaning changes don't address the root problems in the bill: the outrageously broad and vague definition of "cybersecurity threat" and the granting of new authorities to spy on users. Senator Franken's amendment #2612 attempts to address that definition, but even his amendment isn’t enough. Again, no amendment scales back the two new authorities to spy on users and launch countermeasures in the bill.
Other amendments are better. Senator Patrick Leahy's #2587 would remove the current CISA provision exempting all "cyber threat indicators and defensive measures" received by the government from disclosure under the Freedom of Information Act, which may help ensure the public can obtain information about how the information "sharing" system actually operates if CISA is enacted into law. Senator Jeff Flake's amendment (#2582) adds a 6-year sunset. And Senator Mike Lee's email privacy amendment (#2556) would codify US v. Warshak by amending the Electronic Communications Privacy Act to require warrants for email and other stored content.
While some advocates will paint these amendments as "steps forward," the amendments merely shuffle deck chairs on the Titanic—even with the better amendments, the bill is still a bad idea. The Senators are pursuing the wrong strategy. Democrats and libertarian Republicans should be opposing CISA outright. That's why we're asking users to continue emailing their Senators to stop this bill. While CISA is the very definition of a zombie bill, the public outcry against it has made a difference. But we can't stop now. Join us by tweeting, faxing, or emailing your Senator.