Deeplinks Blogs related to Privacy
Chinese Skype Client Hands Confidential Communications to Eavesdroppers
News Update by Danny O'Brien
This Wednesday, Information Warfare Monitor published damning evidence showing that TOM-Skype, the version of the voice and chat program distributed in China, not only blocks keywords from chat conversations, but also spies on and remotely reports the contents of Skype users' private text conversations. This directly contradicts Skype's previous assurances that "full end-to-end security is preserved and there is no compromise of people’s privacy", even on the customized Chinese client.
This special breached version of Skype, distributed by the Chinese portal company TOM Online, has long been known to block certain contentious phrases from instant message conversations. Research by IWM's Nart Villeneuve shows that when these keywords are mentioned in conversations, the client software also sends an encrypted message to one of eight remote servers hosted in China.
Due to poor security on these servers, Villeneuve was able to uncover what was being sent: extensive logs on user activity, including archives of more than 166,000 censored messages from 44,000 users.
The TOM-Skype client was introduced as part of a business deal between Skype's parent company, eBay, and the Chinese Internet company. Skype has denied involvement in TOM's additions to their core client software, but it was well aware that TOM had introduced censorship features into the Chinese Skype client. At that time it asserted that its users' privacy was nonetheless secure. We now know that Skype is in no position to make that assurance.
This breach is not an isolated Chinese problem. All Skype users are affected; conversations will be monitored even if only one side of a conversation is using the Chinese client. As of June 2007, there were 42 million registered users of TOM's compromised client, increasing at a rate of 70,000 new users per day. Anyone communicating with those millions will find their communications monitored and potentially reported to an unknown third-party - even if they are not using the TOM client themselves.
What can Skype do? While it might disclaim responsibility, arguing that this political spyware was not directly written by its own coders, the company is directly implicated by its close relationship with TOM. When Chinese visitors go to the Skype homepage, they are redirected to a page offering a download of TOM's compromised client version. TOM's Skype page in turn indicates that TOM's version is an authorized Skype product for Chinese users. Skype does not warn its visitors of the differences between the non-Chinese client and TOM's client, and has made no effort to pro-actively monitor what differences there are, or convey the implications of those differences to users.
Villeneuve spent many hours decoding the extra packets to understand what was going on: Skype's own engineers could surely have spotted this behavior in seconds. Instead, an eBay spokesman said that the software's behaviour was "changed without [its] knowledge or consent and [it is] extremely concerned."
At a minimum, eBay can show its commitment to "the security and privacy of [its] users" by terminating its relationship with TOM and withdrawing TOM's permission to use eBay trademarks. It should no longer redirect to TOM, instead presenting an eBay-developed Chinese-localized version of Skype. It should also prominently warn its own users of the dangers of talking to those using the compromised client. It should attempt to obtain binding assurances from TOM that all copies of the logged data have been destroyed, and should advise all affected users whether this has taken place.
In the meantime, if you want to chat securely, consider using Off the Record Messaging (OTR) on another instant messaging network. OTR is a publicly audited security protocol that does not depend on a third-party. It can run on a number of different instant messaging networks, and is implemented by a range of software products on MacOS, Windows, and Linux. For more peace of mind, use OTR in conjunction with open source products like Pidgin, Miranda or Adium. The code of open source software is available for examination by anyone, which minimizes the possibility of a government trojan being inserted into the final downloadable version. OTR will not prevent governments from monitoring the destination of instant messages, but it will protect the contents of your messages.
(Villeneuve also found logs containing information about users' Skype voice calls, including times and destination usernames and numbers. There is no indication that the contents of Skype voice calls themselves were recorded or transmitted. Because Skype's audio encryption protocol remains secret, however, we only have eBay's assurances on its invulnerability to external surveillance. From now on, users may have less reason to trust the company's word on matters of privacy or security without external confirmation.)
Court Protects Privacy of Satellite Receiver Owners
Legal Analysis by Fred von Lohmann
Last month, EFF filed an amicus brief in Echostar v. Freetech, where Echostar sought the identities of every consumer who purchased a Freetech "CoolSat" free-to-air (FTA) satellite receiver during the past five years. EFF argued that this demand, issued in discovery in a lawsuit between Echostar and Freetech, represented an unwarranted intrusion into the privacy of individual consumers. Today, the court agreed, issuing an order blocking Echostar's subpoenas.
The ruling potentially sets an important precedent, as it represents the first time a federal court has explicitly rejected a third-party subpoena on the basis of the privacy interests of nonparty consumers.
Echostar is the company behind the DISH satellite TV service. Freetech makes receivers for unencrypted, free-to-air satellite transmissions (there are many free, unencrypted satellite channels). In December 2007, Echostar sued Freetech, alleging that the Freetech CoolSat receiver was specifically designed for after-market modification to enable unauthorized reception of DISH programming. According to Echostar, Freetech "sold thousands of these FTA Receivers to consumer pirates for the sole purpose of circumventing [Echostar]'s Security System."
In the course of discovery, Echostar sent subpoenas to the distributors of CoolSat receivers, demanding that they hand over their customer lists, including the name, address, email address, and purchase details for every person to have purchased a CoolSat receiver over the past 5 years.
As EFF explained in its amicus brief, these subpoenas represent a serious intrusion into the privacy of legitimate purchasers of these FTA receivers. Not only would it be an intrusion to be contacted by Echostar about a device you purchased months or years ago, but other satellite TV companies have used customer lists to launch mass litigation campaigns against consumers. After DirecTV obtained similar customer lists in litigation in 2001, it sent more than 170,000 letters to individuals demanding "settlements" of $3,500.
In refusing to allow Echostar to obtain the CoolSat customer lists, the court specifically weighed Echostar's need for the information against the privacy interests of the customers whose information would be disclosed. The court expressed concern that "both those who purchase the FTA receivers for proper and improper purposes will be swept up in the process." The court went on to conclude that "the requests for customer lists, therefore, could lead to the perceived harassment of legitimate users and a concomitant chilling effect on the purchase and lawful use of Freetech's FTA receivers."
Kudos to the court for keeping the privacy interests of nonparties in mind as commercial litigants dispatch third-party subpoenas that would otherwise carelessly intrude into the lives of individual consumers.
Computers Seized from Berkeley Activist Space
Commentary by Hugh D'Andrade
Yesterday, the FBI, UC Berkeley police, and Alameda County Sheriff's deputies conducted a raid on the Long Haul Infoshop, a community space that is home to a number of leftist and anarchist groups, including a newspaper and a radio station. Armed with a warrant (PDF), authorities entered and quickly removed every computer in the Long Haul space.
According to the Associated Press, a UC Berkeley spokesman said that the raid was part of an investigation into threatening e-mails tracked to computers there. Among the computers seized were computers belonging to the Slingshot newspaper, and the Berkeley Daily Planet reports that police "got [Berkeley Liberation Radio's] hard drive."
Even with a warrant, the authorities may have acted in violation of federal law when they seized the computers. The seizure of media computers would appear to be a violation of the Privacy Protection Act, which says that the authorities are not entitled to "search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper [or] broadcast."
The purpose of the Privacy Protection Act is to ensure the freedom of speech and of the press. While there are exceptions to the act (such as when the documents seized themselves contain classified information or child pornography), the intent of the act is to prevent the government from using its search and seizure powers to shut down newspapers and radio stations, or otherwise interfere with the free flow of information to the public.
The seizure of computers is of special interest to EFF, since the first case we fought — and won — was a result of the illegal seizure of several computers from Steve Jackson Games in 1990. In that case, the federal court held that the Secret Service violated the Privacy Protection Act, and ordered the agency to pay for the harm it had caused.
Sixth Circuit Dodges Constitutional Question on Email Privacy; Warshak Case Dismissed on Procedural Grounds
Deeplink by Kevin Bankston
Today, the full panel of Sixth Circuit judges dismissed [opinion] on procedural grounds the case of Warshak v. US, a lawsuit challenging the constitutionality of no-notice, warrantless searches of email stored by an email provider. A three-judge panel of Sixth Circuit judges had previously held [PDF], based in part on briefing by EFF [PDF], that the federal statute that authorized such searches of remote email accounts — the Stored Communications Act — violated the Fourth Amendment on its face.
It's a shame that the court refused to reach the critical question at the center of the Warshak case: does the Fourth Amendment require the government to obtain a search warrant based on probable cause before secretly rifling through your Yahoo! mail or Gmail accounts? Without clear legal rulings on such issues, we face continued uncertainty about how the Constitution protects our private Internet communications, uncertainty that the government will continue to exploit.
The Sixth Circuit en banc panel held that because Warshak could not demonstrate that the government was likely to conduct further no-notice warrantless searches of his email — the government had twice previously done so — the issue was not "ripe" for a judicial decision. EFF shares the sentiments of Circuit Judge Boyce F. Martin, Jr., who authored the original decision finding the SCA unconstitutional as well as the dissent in today's decision:
While I am saddened, I am not surprised by today’s ruling. It is but another step in the ongoing degradation of civil rights in the courts of this country.... History tells us that it is not the fact that a constitutional right is at issue that portends the outcome of a case, but rather what specific right we are talking about. If it is free speech, freedom of religion, or the right to bear arms, we are quick to strike down laws that curtail those freedoms. But if we are discussing the Fourth Amendment’s right to be free from unreasonable searches and seizures, heaven forbid that we should intrude on the government’s investigatory province and actually require it to abide by the mandates of the Bill of Rights. I can only imagine what our founding fathers would think of this decision. If I were to tell James Otis and John Adams that a citizen’s private correspondence is now potentially subject to ex parte and unannounced searches by the government without a warrant supported by probable cause, what would they say? Probably nothing, they would be left speechless.
The decision is disappointing, but does not reject the underlying constitutional ruling on the merits. The original reasoning remains sound, and this decision only reinforces the importance of our mission to obtain a clear ruling from the courts that your emails, IMs, text messages and web browsing receive the same Fourth Amendment protection as your private snail mail and telephone calls. Help EFF fight for an enduring and robust Fourth Amendment by joining now.
Surveilling Drivers For Safety, For The Environment, and For Profit
Deeplink by Peter Eckersley
There is a growing movement to surveil the drivers of cars — for insurance purposes.
One idea is that vehicle insurance premiums should depend on verifiable, periodic measurements of how far a car has been driven. The case for such premiums is strong: driving further clearly increases the risk of an accident, and "Pay As You Drive" premiums would allow (some) drivers to pay less for insurance; would allow insurance companies to make higher profits; and would reduce the congestion, greenhouse emission and traffic accident costs that each mile driven causes for society.
Another idea is that vehicles should collect data on the way that they are being driven (location, speed, acceleration and braking patterns, type of roads, time of day, smoothness of steering, etc). These measurements can be used to identify good drivers, and offer them insurance discounts — or to spot dangerous drivers, charge them higher premiums and encourage them to take driving skills courses. The policy case for this kind of measurement may turn out to be strong too, though it is less well-established.
The problem with these proposals is that they are often accompanied by a technical proposal for a tracking device that sits in your car and transmits voluminous data over wireless or satellite links, so that insurance companies can decide how much to charge you. Many modern vehicles are already collecting this information, and the insurance industry just needs to get a copy of it.
One state currently considering these schemes is California. The State's Department of Insurance held a workshop last week on how best to modify existing regulations to implement Pay As You Drive insurance. EFF participated in the process; you can read our letter to the Department (written with Andrew Blumberg at Stanford) here.
Briefly, EFF's view is that there is a perfectly good, ubiquitous and tamper-resistant device available for measuring vehicle mileage: the odometer. It may be good policy to require fine-grained dependence of insurance premiums upon mileage — but if so, the data should be collected by examining odometers rather than 24/7 wireless or satellite surveillance. We think the public agrees: a similar tracking scheme by UK insurer Norwich Union was abandoned this week.
The best way to protect drivers' privacy, of course, is to not record any facts about where and when and how they are driving at all. But in the long run, there may be sound policy cases for devices that spot dangerous drivers, or charge road tolls based on congestion, etc. If policy-makers are persuaded that there is a strong need for such systems, they need to be built in a way that has the minimal possible privacy consequences. Cryptography offers many ways to implement these kinds of schemes without compromising locational privacy (one technical example is described in this paper). The general principle is that only the minimal amount of information should leave the vehicle: the total billable amount, for instance. If verification is an issue, cryptography and some extra hardware can provide it.
If governments are persuaded that they should allow insurers or anybody else to use detailed information on location or other vehicle observations, they should mandate that these schemes not upload any information from vehicles except for the premium itself, and they should require that the privacy properties of any technology being proposed for vehicles be audited by the computer security community before it is deployed.
If we let insurance companies, car manufacturers or tech companies build a gigantic driver surveillance system, it will be exceedingly difficult to go back to the days where you could drive to a church, or a gay bar, or a political meeting, or a cheap motel at lunchtime, without some company (or hacker) permanently recording that fact.
EFF Releases Updated White Paper on Best Practices for Online Service Providers
Deeplink by Kurt Opsahl
Today EFF released a revised white paper on Best Practices for Online Service Providers, an update of the 2004 OSP Best Practices white paper. In the white paper, EFF offers some suggestions, both legal and technical, for the best privacy practices for collecting, storing and disclosing data that balance the needs of OSPs and their users' privacy and civil liberties.
OSPs are vital links between their users and the Internet, offering bandwidth, email, web, and other Internet services. In the process of offering services, OSPs collect and store detailed information about their users and their users' online activities.
User information can be of great interest to the government and civil litigants, leading to numerous requests from law enforcement and lawyers to hand over private user information and logs. Yet, compliance with these demands takes away from an OSP's goal of providing users with reliable, secure network services.
In the OSP Best Practices white paper, we offer information for OSPs in order to help them make sound, ethical decisions about how to safeguard private data and preserve freedom of expression online.
Summary of Recommendations
- Develop procedures for dealing with legal information requests and providing notice to users.
- Work with both attorneys and engineers to develop a privacy policy that fits your OSP’s practices.
- Collect the minimum amount of information necessary to provide OSP services.
- Store information for the minimum time necessary for operations.
- Effectively obfuscate, aggregate and delete unneeded user information.
- Maintain written policies addressing data collection and retention.
- Enable SSL as much as possible throughout your site to secure users’ information and communications.
- Understand threats to the security of sensitive information and communications on your systems, and mitigate them appropriately.
- Follow best-practice principles for the use of cookies on your site.
- Insist that the OSPs and other service providers you work with observe these best practices, too.
OSPs can face many other legal issues beyond user privacy, from DMCA takedown requests to defamation claims to issues with adult materials. While these are outside the scope of the OSP Best Practices paper, EFF recommends that OSPs review the EFF Bootcamp materials, which provide the basics on a number of key legal issues for Web 2.0 companies. We also recommend reading EFF’s Legal Guide for Bloggers, which provides a basic roadmap to the legal issues one may confront as an online publisher.
New Ninth Circuit Case Protects Text Message Privacy From Police and Employers
Deeplink by Jennifer Granick
Today’s Ninth Circuit Court of Appeals opinion in Quon v. Arch Wireless is a victory for the privacy of email and text messages. The holding means that law enforcement needs a probable cause warrant to access stored copies of your electronic messages less than 180 days old, regardless of whether you have already downloaded or read them. It also stops employers from getting the contents of employee emails or text messages from the service provider without employee consent.
In Quon, the City of Ontario Police Department provided its officers with two-way alphanumeric pagers. The officers were informed that it was a violation of City policy to use the pagers for personal matters. The City reserved the right to audit the messages. Employees were also informed that if they exceeded the monthly character limit set by the provider, they would be responsible for paying the resulting additional charges. Officer Quon used his pager to send both business and personal messages, including messages to the other plaintiffs. He went over his monthly limit. Despite the formal usage policy, Quon was told that the informal policy and practice was that if he paid the overage fees, his messages would not be audited. Quon paid those fees several months in a row. At some point, the Department decided that it wanted to audit officers’ messages. It asked the text provider, defendant Arch Wireless, to deliver the contents of officers’ text messages to it. Because the City was the subscriber on the account, Arch printed out copies of the messages and delivered them to the City. Quon’s personal messages with the other plaintiffs were included in the printouts. Quon and his correspondents sued Arch for violating the Stored Communications Act and the City for violating the Fourth Amendment.
The Ninth Circuit held that Arch violated the SCA when it disclosed the contents of the text messages to the subscriber, the City, without the permission of the users. At issue was whether Arch was an Electronic Communications Service (ECS) holding the messages in “electronic storage”, or a Remote Computing Service (RCS), storing the messages on behalf of the subscriber. Messages held by an ECS receive a lot of privacy protection. An ECS is prohibited from disclosing the contents of communications without either a probable cause warrant obtained by law enforcement or consent from the “addressee or intended recipient”. Messages held by an RCS receive less privacy protection. An RCS is prohibited from disclosing the contents of communications without the consent of the subscriber. Law enforcement does not need a warrant to get messages from an RCS. It can use a mere subpoena or “specific and articulable facts” court order to get message contents from an RCS.
Arch regularly archived messages sent to and from its pagers. If Arch was an ECS holding those messages in “electronic storage”, then it was prohibited from disclosing the messages without consent from Quon, the addressee. If Arch was an RCS, then it may disclose the messages with consent from the subscriber, in this case the City, which they did.
In the past, the Department of Justice and others have argued that once a recipient accesses his messages, whether they be email or texts, the message is no longer in “electronic storage” as the SCA defines it. The message loses the higher protection granted to communications held by an ECS. The Ninth Circuit rejects this view in Quon. It looks to its ruling in Theofel v. Farey-Jones, which held that e-mails stored on an email provider’s servers for backup protection after delivery to the recipient were in “electronic storage” under the statute and received ECS protection. In Theofel, the Court stated that “[w]here the underlying message has expired in the normal course, any copy is no longer performing any backup function. An ISP that kept permanent copies of temporary messages could not fairly be described as ‘backing up’ those messages.” We have wondered how to apply the “expired in the normal course” language, and this opinion makes it clear. If the archived message was created as a backup copy of an electronic communication sent through an ECS, that copy continues to receive ECS protection.
This ruling has two privacy friendly results. First, the police need a warrant to get your email and text messages if stored for less than 180 days. Second, even if your employer pays for your use of third party text or email services, your boss can’t get copies of your messages from that provider without your permission. Wow.
The next issue the Ninth Circuit decides is that text messages are protected by the Fourth Amendment. The DOJ and others have argued that because email and text messages are stored by third parties that have the practical ability to read them, senders and recipients have no expectation of privacy in those messages and thus they receive no constitutional protection from unreasonable searches and seizures. The Ninth Circuit rejects this view, as a panel of the Sixth Circuit did in a landmark ruling last year, Warshak v. US. It holds that text messages, and presumably emails, are like letters or packages, and are protected even though the shipper could open them.
One of the more complicated Fourth Amendment issues is the effect of acceptable use policies, monitoring policies or other terms of service that say that the service provider or employer reserves the right to monitor or audit the messages. While those policies may give employers or service providers the right to read messages, the question was whether law enforcement therefore could do so as well. Here, the Ninth Circuit followed its prior ruling in United States v. Heckenkamp which held that a student did not lose his reasonable expectation of privacy in information stored on his computer, despite a university policy that it could access his computer in limited circumstances while connected to the university’s network. (Full disclosure: Granick represented Heckenkamp in the first round of motions to suppress in the case.) The Court thus rejected a binary view of privacy, that user consent to access for some purposes destroyed the expectation of privacy for every purpose, including warrantless or unreasonable government searches. Unless there is regular monitoring and access, people retain a legitimate expectation of privacy in their messages.
Finally and impressively, the Court gave real teeth to the “reasonableness” inquiry under the Fourth Amendment. In this case, the Department’s access was regulated by the Fourth Amendment because it is a government employer. (Note that the first part of the ruling involving privacy rights under the SCA does not depend on whether the employer is public or private.) However, a jury found that the Police Department read the plaintiffs’ messages for the non-disciplinary purpose of learning whether continued overages meant it needed a more extensive service plan from Arch. This was a legitimate, non-law enforcement purpose. Nevertheless, the Court found that there were less intrusive means of learning this than reading employees’ text messages. Because government employers are required to use less intrusive means if feasible, the Department’s actions here violated the Fourth Amendment.
The holding that text messages and email are protected by the Fourth Amendment is an immensely important one which gives the victims of unlawful searches the ability to suppress illegally obtained evidence. It protects the privacy of employees who use a messaging service paid for by their company. It also calls into question the SCA’s disparate treatment of messages younger and older than 180 days, though the opinion does not directly address that issue. Finally, this opinion does not simply defer to a government employer’s judgment about what is reasonable where communications privacy is at stake, but actually requires a more privacy friendly course where feasible.
Professor Orin Kerr also has commentary about this opinion up on The Volokh Conspiracy. To read his thoughts, click here.
Sweden and the Borders of the Surveillance State
Deeplink by Danny O'Brien
A proposed new law in Sweden (voted on this week, after much delay) will, if passed, allow a secretive government agency ostensibly concerned with signals intelligence to install technology in twenty public hubs across the country. There it will be permitted to conduct a huge mass data-mining project, processing and analysing the telephony, emails, and web traffic of millions of innocent individuals. Allegedly these monitoring stations will be restricted to data passing across Sweden's borders with other countries for the purposes of monitoring terrorist activity: but there seem to be few judicial or technical safeguards to prevent domestic communications from being swept up in the dragnet. Sound familiar?
The passing of the FRA law (or "Lex Orwell", as the Swedish are calling it) next week is by no means guaranteed. Many Swedes are up in arms over its provisions (the protest Facebook group has over 5000 members; the chief protest site links to thousands of angry commenters across the Web). With the governing alliance managing the barest of majorities in the Swedish Parliament, it would only take four MPs in the governing coalition opposing this bill to effectively remove it from the government's agenda.
As with the debate over the NSA warrantless wiretapping program in the United States, much of this domestic Swedish debate revolves around how much their own nationals will be caught up with this dragnet surveillance. But as anyone who has sat outside the US debate will know, there is a wider international dimension to such pervasive spying systems. No promise that a dragnet surveillance system will do its best to eliminate domestic traffic removes the fact that it *will* pick up terabytes of the innocent communications of, and with, foreigners - especially those of Sweden's supposed allies and friends.
Sweden is a part of the European Union: a community of states which places a strong emphasis on the values of privacy, proportionality, and the mutual defence of those values by its members. But even as the EU aspires to being a closer, borderless community, it seems Sweden is determined to set its spies on every entry and exit to Sweden. When the citizens of the EU talk to their Swedish colleagues, what happens to their private communications then?
When revelations regarding the United Kingdom's involvement in a UK-US surveillance agreement emerged in 2000, the European Parliament produced a highly critical report (and recommended that EU adopt strong pervasive encryption to protect its citizens' privacy).
Back then, the UK's cavalier attitude to European communications, and its willingness to hand that data to the United States and other non-EU countries, greatly concerned Europe's elected legislators. Already questions are being asked in the European Parliament about Sweden's new plans and their effect on European citizens' personal data. Commercial companies like TeliaSonera have moved servers out of Sweden to prevent their customers from being wiretapped by the Swedish Department of Defence. Sweden's own business community have expressed concern that companies may move out of Sweden to protect their private financial data.
Sweden has often led the charge for government openness and consumer advocacy, and has, understandably, much national pride in seeing its past policies exported and reflected in Europe and beyond. Before Sweden's MPs vote next week to allow its government surveillance access to the whole Net, they should certainly consider its effect on their Swedish citizens' privacy. But they should also ponder exactly how their vote will be seen by their closest neighbors. If the Lex Orwell passes, Sweden may not need something so sophisticated as a supercomputer to hear what the rest of the world thinks about their new values.
Three Media Mistakes on Warrantless Wiretapping
Deeplink by Tim Jones
Here's a game you can play when reading or watching news about the President's warrantless wiretapping program. There are a few mistakes that the media keeps repeating over and over and over — see if you can spot them.
Friday night's exchange on PBS News Hour between host Judy Woodruff and New York Times columnist David Brooks is typical:
JUDY WOODRUFF: There was a little bit of news, David, today, that he -- maybe bigger than that -- that McCain agrees with the president that this wiretapping of Americans on their international phone calls and e-mails is legal. Was this a surprise? Some say this is a switch from where he was earlier.
DAVID BROOKS: ... Politically, I think it won't hurt him. And his second point is there's law, I'm going to enforce the law. But, politically, people want -- the FISA program, frankly, has been always been popular politically.
For the moment, let's put aside Brooks' equivocation over McCain's flawed and deliberately ambiguous position on wiretapping, and zoom out to look at the three central ways this exchange mischaracterizes the larger wiretapping debate:
One: "I'm Going To Enforce The Law." It's unclear what Brooks is attempting to say here. In fact, the immunity legislation pushed by McCain and Congressional Republicans is intended to let corporations off the hook for breaking the law with impunity. Far from "enforcing the law," immunity legislation would completely undermine the law, effectively placing a Congressional seal of approval on corporate vigilantism.
Similar conflations have been made by Fox News and Fox's Bill O'Reilly.
Two: "The FISA program, frankly, has always been popular politically." Brooks doesn't mean "the FISA program," he means "the warrantless wiretapping program." It's important to distinguish between the two: FISA — the Foreign Intelligence Surveillance Act — was put in place in 1978 and limits corporate cooperation with government surveillance through a carefully-designed system of court oversight and warrants. In contrast, the Bush administration's surveillance program was specifically designed to circumvent the FISA law and wiretap Americans without oversight.
Of course, "the FISA program" sounds a lot less bad than "the warrantless wiretapping program." The telcos benefit enormously from this blurring, and yet the media consistently fails to make the distinction. This mistake has also been made by The Hill, NPR, NBC, MSNBC, Fox, and by columnist Bob Novak.
In addition, Brooks' assertion of the program's popularity is wrong. According to repeated polling, a strong majority of Americans oppose both the warrantless wiretapping program and telco immunity legislation.
Three: "McCain agrees with the president that this wiretapping of Americans on their international phone calls and e-mails is legal." Judy Woodruff is a few shades more accurate than Brooks here, but her mistake is in the word "international". The government has not only been intercepting international communications — they've also been intercepting communications that begin and end inside the USA. Even if you've never phoned or emailed outside the US, it's likely that communications you've made have been intercepted by the Bush administration under this program.
We know this through a careful technical analysis of the evidence provided by whistleblower and former AT&T employee Mark Klein. (You can read the analysis [PDF] and see the evidence [PDF] for yourself.) A March 2008 article in the Wall Street Journal confirmed the program's domestic focus.
(As a particularly insane variation on this theme, news organizations sometimes simply assert that the government's "authority to spy on terrorists" is at stake, as in these reports by The Washington Post, The Des Moines Register, USA Today, Fox News, and Fox's Chris Wallace.)
Those are three of the biggest mistakes the media consistently makes: First, claiming that immunity legislation supports the rule of law, when it's in fact specifically designed to undermine it. Second, confusing the 1978 FISA act with the radical new surveillance regime concocted by the Bush administration. And third — probably the most pervasive of all — mischaracterizing the wiretapping program as targeted at "international" or "terrorist" communications, when it in fact intercepts the entirely domestic communications of millions of ordinary Americans.
Next time you see discussion of wiretapping in the media, take a close look and see if you can catch the same mistakes being made again. (And again, and again, and again...)
Freedom Not Fear: Europe's Growing Protest Against Net Surveillance
Deeplink by Danny O'Brien
This weekend, marches and meetings across Germany will protest the overreaction of countries to the threat of terrorism, and the re-emergence of a surveillance state in that country. "Freedom Not Fear" is not a small event: over 20,000 people demonstrated in the last protest in September, and over thirty cities will be taking part in this weekend's demonstrations. The organizers hope to expand across Europe for an even larger protest on September 20th of this year [Update: the date has been changed to October 4th].
What has prompted such a fierce reaction? The core of the protest is anger at the European Union's passing of the Directive on Mandatory Retention of Communications Traffic Data, an EU regulation that mandates all European ISPs and phone providers to keep records on every landline, cell and Internet phone call, every email sent, and every Internet connection session, for as long as two years.
The data retention directive was passed in March 2006, with a requirement that EU countries put its requirements into national law by September 2007. Many countries have been dragging their feet, however, faced with the daunting task of weakening existing privacy law, as well as negotiating with communication companies to install and maintain the extensive storage and monitoring equipment required.
But the infrastructure to support the collection of gigabytes of data on innocent citizens is being put in place - and already it has expanded beyond even the permissions granted by the new Europe-wide regulations. Denmark's implementation of the directive, one of the first, requires ISPs to record the protocol and port number of every TCP/IP session (if "unfeasible", they can opt to only record every 500th packet). On the 19th of May, the UK proposed a plan to nationalize data retention entirely: collecting all the data from all ISPs and phone companies and storing it in a central government database for ease of access.
As citizens across the continent realize the extent to which they will be monitored, resistance is growing. Digital Rights Ireland's long-running constitutional challenge to data retention will be heard in the High Court on Thursday, June 5th. The German group leading the protests this weekend, the Working Group on Data Retention, has its own constitutional complaint pending.
Data retention is rearing its head in the United States, too, with FBI Director Robert Mueller telling Congress last month that compelling ISPs to log Americans' activity for two years would be "tremendously helpful". This weekend's Freedom Not Fear protests are solely in Germany, but the planned September demonstrations will take place across Europe. Perhaps it is time that concerned United States citizens joined the chorus, before data retention has a chance to reach its shores.

