DeepLinks Archives, July 2007
Noteworthy news from around the internet.
Administration Concedes Open Secret: NSA Spying Broader Than Previously Admitted
Deeplink by Cindy Cohn
In a letter [PDF] released today, the Director of National Intelligence Mike McConnell admits that the so-called "Terrorist Surveillance Program" (TSP) is only the tip of the iceberg when it comes to the NSA's spying on the American public.
To those closely following this issue, it is no secret that the government is engaging in dragnet surveillance of millions of ordinary Americans and has backdoor access to telecommunications providers' networks and records databases. The overwhelming evidence includes statements from fully briefed members of Congress, whistleblower evidence from a former AT&T employee, and numerous newspaper reports. Yet previously the Administration has only confirmed the TSP, characterized as the warrantless wiretapping of particular targets' communications where one party is in the U.S.
The Administration has finally copped to a broader program, and, even though it didn't reveal the details, that's a potentially critical concession. The Administration has steadfastly maintained that courts may not review any other NSA domestic spying activities unless their existence has been officially acknowledged. With this letter, Admiral McConnell has given that official acknowledgment.
The letter also provides even more reason for Congress to reject the Administration's "FISA Modernization" proposal and instead take action to halt the illegal surveillance. Time and again, the Administration has described the blatantly illegal TSP as a "narrow" and "targeted" program, and it's playing a similar game of linguistic misdirection with this bill. Rather than a mere "update" to the law focused on foreign-to-foreign communications, it could facilitate wide-ranging surveillance of Americans' private communications. It would be absurd for Congress to legislate in the dark, before the Administration comes clean about the domestic spying program.
Recent reports suggest a bill could rush through before the August recess starts next week. Please take action now before it's too late.
Another Loss for Real ID
Deeplink by Hugh D'Andrade
The REAL ID Act took another blow in the Senate last week, hopefully putting legislators one step closer to ditching the national ID mandate.
An amendment tacked onto the Homeland Security appropriations bill would have given $300 million in federal funds to implement the Act. This measly sum would have done nothing to make up for the $23 billion burden states and taxpayers will be forced to bear.
Moreover, throwing more money at the states can't fix REAL ID's fundamental problems. The Act would require possession of a new standardized drivers license for all sorts of everyday tasks, such as getting on a plane or train, and would create a vast national database linking all of the ID records together. Over time, the ID and aggregation of your personal information would facilitate a wide range of tracking and surveillance by the government and businesses.
So far, 17 state legislatures have already expressed their opposition, and, just last month, an immigration reform bill was scuttled as Senators refused to end debate on a provision requiring every American to present a REAL ID in order to get a job.
That's great news, but unfortunately REAL ID isn't dead yet -- keep the momentum going and tell Congress to repeal the Act now.
minilinks for 2007-07-30
miniLinks by Hugh D'Andrade
- Mining of Data Prompted Fight Over U.S. Spying
Data mining was the reason Bush administration officials were ready to resign in 2004.
- NSA Wiretapping Investigations to Continue
A federal judge ruled that states may continue their suits against AT&T.
- FBI Program Would Circumvent the Law, Say Experts
The FBI would like to pay private firms to store phone and Internet data.
- Are Files Stored on Password-Protected Sites Covered by the Fourth Amendment?
A district judge ruled that users of online storage have a reasonable expectation of privacy.
- Does P2P Harm National Security?
Some in Congress worry that sensitive documents could be leaked via P2P.
- Senate Rejects Extra $300 Million for Real ID
An amendment that offered relatively small change to Real ID's mandate failed to pass.
- Travelers Face Greater Use of Personal Data
The U.S. and the EU have agreed to expand a security program that shares personal data.
- CA Vote Machines Lose Test to Hackers
A team of hackers testing voting machines broke through security on every model.
- Senators to Abandon '08 E-voting Paper Trail Mandate
The deadline for updating e-voting systems to include paper records is pushed back to 2010.
- YouTube Responds to Copyright Suit
Video recognition technology may be working by September, YouTube says.
- How DRM Becomes Law
EFF Fellow Cory Doctorow takes a behind-the-scenes look at the making of copyright policy.
- UK Caps Copyright at 50 Years
The British government decided not to extend music copyright.
- FBI Questions Cafe Loafer
Reading the wrong thing in public can get you in trouble.
Call Congress Now - NSA Spying Bill Headed for Vote This Week!
Deeplink by Derek Slater
House Speaker Nancy Pelosi reportedly suggested that Congress may take action this week on a bill that could rubberstamp the NSA's spying program. The Bush Administration is trying to sell its latest proposal as a serious compromise, but don't be fooled -- it represents an unprecedented power grab that endangers the checks and balances that define our democracy. Please call your representatives now before it's too late.
Contrary to the Administration's characterizations, its "FISA Modernization" bill is not about "updating" the law and allowing surveillance of foreign-to-foreign communications. Instead, it could radically expand the government's ability to spy on Americans without a warrant.
It's highly irresponsible for Congress to even consider this proposal before uncovering the truth about the still-shadowy spying program. In recent weeks, Congress has made strides towards more vigorous oversight and authorized subpoenas for key information, but the proposed bill would short-circuit such scrutiny.
Copycrime Bill Raises its Ugly Head, Again
Deeplink by Derek Slater
Two months ago, the Justice Department floated draft legislation to expand the scope of, and stiffen the penalties for, criminal copyright infringement, and now a related bill has been introduced in the House. This isn't the first time that Congress has taken up the DoJ's copycrime wishlist, and, for all the reasons we listed in a blog post about a proposal offered up last year, H.R. 3155 is an awful idea.
This bill goes even further than the prior bill in that it would ratchet up statutory damages in certain instances. Under copyright law, copyright owners don't need to prove that they have been harmed in order to get damages and can instead elect to get statutory damages, which a court can set between $750 and $30,000 per work infringed. Such disproportionate penalties can be especially dangerous when it comes to lawsuits against mass-market products like the iPod or TiVo that enable the making of thousands of copies.
H.R. 3155 makes matters worse by allowing a judge to dole out damages for each separate piece of a derivative work or compilation, rather than treating it as one work -- for example, copying an entire album could translate into damages for each individual track, even if the copyrights in those tracks aren't separately registered.
This is particularly unfair because record labels register entire albums as single works principally to strip their artists of reversion rights they would otherwise enjoy if the songs were registered individually. (As some may remember from the 2000 flap over a stealthy RIAA amendment slipped into the Copyright Act, record labels register albums as "compilations" or "collective works" in an effort to characterize them as "works for hire," which are owned outright from their creation by the labels, and thus can never revert to the artist.)
Let's hope this bill meets the same fate as last year's DoJ proposal and is stopped dead in its tracks. Take action now to stop it, and make sure you also support the FAIR USE Act, which would put much-needed limits on statutory damages.
Give Your Website a Free Speech-Friendly Home
Deeplink by Richard Esguerra
There are countless web hosting services that will help you get your site on the Internet. But do you know what to expect if someone decides to dispute your speech with a nastygram to your web host?
Jimmy Atkinson's first post to the Dedicated Hosting Guide may be a good place to start looking for answers. Titled "Free Speech Hosting: 11 Web Hosts That Won't Dump You at the First Sign of Controversy," Atkinson lists a few hosts that advertise defense of free speech as an important part of their business plan.
We're pleased that individuals like Atkinson are publishing resources to support rights-conscious businesses and customers, and that free speech and privacy are increasingly important value propositions in the market, as evidenced by recent announcements by various search engines about changes to protect users' privacy.
Stopping Inadvertent P2P Sharing, and Another Knock on Filtering
Deeplink by Fred von Lohmann
Yesterday the House Committee on Oversight and Government Reform held an interesting hearing on the inadvertent sharing of sensitive information over P2P networks. Some users misconfigure their P2P software and end up sharing far more than they bargained for, including credit card numbers, tax returns, and medical records. The issue becomes even more serious when the user happens to be a government contractor who has brought home classified or sensitive national security documents.
The good news is that, while everyone took this problem seriously, many of the witnesses and members of the committee clearly understood that P2P is a useful technology and is likely to become even more critical to the Internet in years to come.
The bad news is that other participants (particularly those from Southern California and Nashville) appeared more interested in carrying water for the music and movie industries. They took the opportunity to castigate Limewire CEO Mark Gorton (who was brave enough to testify) for failing to implement copyright filtering at the entertainment industry's behest.
This was a frustrating distraction from the hearing's topic. Not only will filtering fail to slow "Internet piracy," but it's also likely to make the inadvertent sharing problem worse.
If Limewire were to implement mandatory copyright filters, the most likely outcome is that users will abandon it for an unfiltered alternative. Other companies might also succumb to pressure to use filters, but that will only drive users to alternatives distributed by an offshore company or by a dispersed set of hobbyist developers. The further underground users are pushed, the more likely they are to face less refined mechanisms to prevent inadvertent file sharing.
As we've said before, a better solution is to help empower users with control over their computers. Well-designed P2P applications should seek to inform users and give them clear, simple mechanisms to determine what is shared. So far, Limewire has been among the best applications in this regard.
Dangerous College P2P Legislation Withdrawn
Deeplink by Derek Slater
News.com reports that Sen. Harry Reid has withdrawn a dangerous proposal that threatened to make universities do the entertainment industry's dirty work and use ineffective, burdensome copyright filtering tools on their networks. The Higher Education Reauthorization Act has now passed the Senate without that language. Thanks to everyone who took the time to call their Senators over the last day.
We won this battle in Congress, but we're not out of the woods yet. Unfortunately, the RIAA's college lawsuit campaign rages on, and universities remain under intense pressure to bully their students and install network surveillance technologies. While some schools have implemented draconian penalties for file sharing -- including "one strike and you're off the network" policies -- others have gone further and started blocking certain P2P tools. Meanwhile, Congress has recently been scolding and scrutinizing colleges for file sharing on their networks, and more legislation may be in the pipeline.
Indeed, Sen. Reid still did tack on another amendment that instructs schools to tell students about the possible penalties for copyright infringement. This new language is far less worrisome, but it doesn't move the ball forward in the P2P dilemma either. While students certainly should know the potential personal consequences of file sharing, all the finger wagging in the world isn't going to stem the tide of "Internet piracy."
The longer this futile fight against ordinary fans continues, the more universities' resources will be wasted, the more legitimate uses of the network will inevitably be chilled, and the more money will be left on the table. After all, tougher enforcement isn't putting a dime in artists' pockets, but a sensible alternative like blanket licensing would.
Hopefully, this week's fight in the Senate will be another reason for the university community to push hard towards a better solution that gets the entertainment industry off schools' backs, ensures that artists are paid, and lets students keep sharing. For more on this topic, read Fred von Lohmann's Washington Post editorial, "Copyright Silliness on Campus."
Call Your Senators Now - Dangerous Proposal Threatens Campus Networks
Deeplink by Derek Slater
Major copyright holders are backing a legislative proposal [PDF] to make colleges do their dirty work. The Higher Education Reauthorization Act is supposed to make going to college more affordable, but, under a last-minute amendment, certain schools would risk losing federal funding for student aid if they don't divert funds away from education and toward policing corporate copyrighted content on their campus networks. Twenty-five schools will annually be singled out, required to police their students with "technology-based deterrents" (read: network surveillance technologies), and forced to provide evidence to the Secretary of Education about their efforts to stop file sharing.
Senate Amendment 2314 may come up for a vote tomorrow or later this week, so it's critical that you call your Senators now and tell them to reject this proposal. You can find their phone numbers here.
Schools are already being forced to expend significant resources in the face of the RIAA's lawsuit campaign against students and thousands of copyright nastygrams. More enforcement won't stop file sharing, as students will simply migrate towards other readily-accessible sharing tools that can't be easily monitored. But it will chill academic freedom, as legitimate uses of the network will inevitably be stifled.
The federal government shouldn't be in charge of schools' network management decisions. Congress ought to reject this misguided proposal and take up real solutions that get artists paid and let students keep sharing. Please take action and call your Senators now.
Thanks to EDUCAUSE for alerting us to this bill, and check out their site for more about the bill here.
UPDATE, July 24, 11 AM: This amendment is a moving target. A modified version was proposed and then withdrawn yesterday, and we're hearing rumors that another version will be brought forward soon. It's still important that you call your Senators and tell them that pressuring schools to do the industry's dirty work is bad policy.
Update, 7 PM: News.com reports that Sen. Harry Reid withdrew the amendment.
Harry Potter and the Digital Fingerprints
Deeplink by Seth Schoen
A few days before Friday's release of Harry Potter and the Deathly Hallows, someone leaked a (genuine) copy of the book widely using file-sharing networks and photo-sharing web sites -- photographing every single page with a digital camera. The quality isn't great -- the leaker evidently didn't have a nifty Internet Archive Scribe station -- but the text is legible.
Perhaps the leaker didn't realize that the digital camera he or she used -- a Canon Rebel 300D -- left digital fingerprints behind in every image. We downloaded a copy of the leak and took a look at the images with the open-source ExifTool, one of dozens of programs capable of reading the industry-standard EXIF digital photo metadata format. As the press reported, the camera's serial number is in there, along with over 100 other facts including the date and time that the photos were taken and an assortment of photo-geek details about focus and lighting conditions.
It may be, then, that the leaker can be traced; there are several ways Canon might know who owns (or used to own) this camera, including a possible warranty registration or service or repair on the camera. A retailer might also have kept relevant records when it originally sold the camera.
Another prospect: if images taken with the same camera were uploaded to a photo-sharing site like Flickr, their EXIF metadata might associate use of that camera with a particular account. (Flickr and other sites usually don't allow the public to search by EXIF tag values. But it's possible that Flickr itself, or a third-party spider that had downloaded all of its images, could perform such a search.)
Last year, we received a letter expressing surprise that many digital cameras embed their serial numbers (and other information) into every photo they take. A large number of photographers are apparently unaware of this possibility, although it's not a secret and is described in some camera manuals (as well as digital photography tutorials and other documentation).
It's also possible to remove (or change) the EXIF tag data using photo-editing software. Camera manufacturers say that they add this data for the convenience of photographers (for example, to help them keep track of which cameras and settings they used to achieve particular effects), not to enable spying and tracking. For example, a Kodak employee told a concerned photographer:
Inclusion of serial number is a standard part of the EXIF data package and it's one of the ways the computer can identify one camera from another so if you own multiple units of the same model camera your computer can identify them separately. Obviously that's not something that most users would have but it does happen a lot in the business world - large insurance companies and real estate firms are a couple of examples.
(He added that users who were unhappy about EXIF data in their photographs could remove it if they chose.)
Some recent camera setups can even use GPS to include ("geocode") information about the physical geographic location where a photo was taken -- a boon to hobbyists, tourists, and others, but an obvious privacy risk if future photographers somehow remain unaware that this information is being embedded into their images.
Of course, digital cameras aren't the only devices that may keep a record that could track a document back to its creator. We've extensively discussed how most color laser printers invisibly embed the printer serial number and date and time of printing on every page, in a pattern of tiny yellow dots. Although customers have been complaining, printer manufacturers have so far refused to let customers disable the tracking. (HP, for example, recently wrote to update one customer that it was wrong to say initially that it was unable to disable the tracking; instead, it now says it "will not" do so.)
Most computer users are unaware that CD burners in their PCs also contain a similar tracking mechanism that embeds a unique serial number, called a Recorder Identification Code, on every CD they burn. (As far as we know, this mechanism has also been extended to DVD burners.) This rule is enforced by Philips via its patents on the CD formats. The standards for the RID code are not directly available to the public, but Philips writes:
As result of the discussion in March of 1995, between the consumer electronics manufacturers and the recording industry [...] it will be possible to trace each disc back to the exact machine on which it was made using coded information in the recording itself. [...] The RID coding system, which has been incorporated in the various Orange Books which contain the CD-R and CD-RW Standard Specifications, specifies a system which enables every CD recorder/rewriter to write its unique ID to every CD disc recorded by that CD recorder. [...] THE USE OF THE RID CODE IS MANDATORY.
So, as a start, we have digital cameras, color laser printers, color photocopiers, CD burners, and DVD burners all invisibly embedding their unique serial numbers -- and much more -- into every document they produce. And more and more devices are using a serial number of some kind as an integral part of their communications. Network cards contain unique, usually persistent MAC addresses that are seen by routers and other nearby computers (and could track a computer from wireless access point to wireless access point, or wired network to wired network). Cell phones contain -- and transmit -- a variety of serial numbers, such as IMEI codes, allowing an individual subscriber to be tracked in real time even while not making a telephone call. It seems that our devices are increasingly acquiring unique digital fingerprints and are not particularly shy about leaving these fingerprints behind in interactions.
And here we're talking only about digital fingerprints that were intentionally built into devices -- whether in the name of improved functionality or in response to secret requests from the government or the recording industry -- and not about tracking mechanisms that merely result by accident from the physical construction of devices (like sensor pattern noise in digital cameras and scanners). Clearly, the digital fingerprints devices leave behind are proliferating much faster than users are being made aware of them.

