EFF: Updates

EFF's Deeplinks Blog: Noteworthy news from around the internet

How Grassroots Activists in Georgia Are Leading the Opposition Against a Dangerous “Computer Crime” Bill

Mon, 02/26/2018 - 1:40pm

A misguided bill in Georgia (S.B. 315) threatens to criminalize independent computer security research and punish ordinary technology users who violate fine-print terms of service clauses. S.B. 315 is currently making its way through the state’s legislature amid uproar and resistance that its sponsors might not have fully anticipated. At the center of this opposition is a group of concerned citizen-advocates who, through their volunteer advocacy, have drawn national attention to the industry-wide implications of this bill.

Scott M. Jones and David Merrill from Electronic Frontiers Georgia, a group that participates in the Electronic Frontier Alliance network, spoke to us about their efforts to inform legislators and the public of the harms this bill would cause.

You have most recently been organizing around Georgia Senate Bill 315. What is the bill about, and what are your concerns with it?

Scott: Senate Bill 315 is a computer intrusion bill. Georgia already has on the books some very strong laws against computer intrusion, computer fraud, and the malicious side of hacking. I think this is pretty well covered in state law as it is.

There was an incident last year at Kennesaw State University. Some of the functions for conducting elections in the state of Georgia were farmed out to KSU and their Election Center, and there was a data breach there. That was very big in the news. What they didn’t say in the news at the time was that [it was] a security researcher who found a vulnerability and reported it ethically. As it turns out, the researcher in question was not even targeting KSU election systems, but merely found inappropriate personal information via a Google search, and then tried to get authorities to act quickly to remove it. This person, as we found out later, was investigated by the FBI and they came up clean. [The FBI] didn’t have anything to charge them with, so they left.

The state feels very embarrassed by this, and the attorney general’s office has asked for a bill that goes above and beyond the existing statutes that we have against computer crime. That’s where Senate Bill 315 came from. To use the language that the attorney general’s office used, they want to build it to criminalize so-called “poking around.” Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law.

David: I’ve worked in Atlanta cyber security for about 13 years and it’s a very tight-knit community. People from one company will go to another company, or a lot of the founders from one company will end up founding another company. A lot of them started from incubators and think tanks at our university system here—a lot of them at Georgia Institute of Technology. So if you have a chilling effect on one founder or one person who is interested in this kind of topic it can really stifle an entire industry and the whole chain of people creating all these other organizations.

Other than security researchers, who else needs to be concerned about this bill?

Scott: The other issue with Senate Bill 315 is it’s so broadly written that it could bring in terms of service [enforcement]. Terms of service come from a private company—for instance, your cable and Internet provider have terms of service. The bill is so broadly written that a violation of terms of service could possibly be construed as a criminal violation, and that would be improper delegation of powers.

David: S.B. 315 uses the term, “unauthorized access,” which is a very murky term. If you’re trying to go through all the proper channels in advance and get authorization for something, it’s not always clear who the person who has the authority to give that authorization is. If it’s a website and you’re testing some part of a website’s security you might think it’s the website administrator, but often it’s not. Often it’s their IT dev ops team or the tech ops team or something else. You may even get permission from one person and think you’re in the clear, and the next thing you know they say that’s not the correct authorization. With the broadness of the way this bill is written, there are way too many circumstances where somebody could be in violation of the law just performing their daily duties.

What is your game plan right now for fighting this bill?

Scott: It was voted on by the Senate, so now it goes on to the House and it will be heard in committee. The game plan right now would be to line up support to have a good showing at the House committee meeting. What we need in addition to ordinary people who do technology every day is some C-level people—CEOs, CIOs, CFOs, CTOs, CISOs, etc.

Electronic Frontiers Georgia participates in the Electronic Frontier Alliance. From that perspective, are there any notable differences between legislative-based organizing and, say, generally raising awareness of digital rights locally?

Scott: As far as legislative versus non-legislative organizing: Electronic Frontiers Georgia is also very interested in raising general awareness and teaching basic concepts, but I’m finding that it’s really hard to do both. We’re in legislative mode while the legislature is in session, which is roughly January 1st through about April 1st. After the legislative season is over we pivot back to educational and social mode. It’s good to do both, but it can be very difficult to do both at the same time. Groups that are actively doing activism at the state level shouldn’t beat themselves up if they’re not able to keep the same educational schedule up during the busy legislative season.

Electronic Frontiers Georgia has started working with other community groups in the area on the S.B. 315 fight. What advice would you give to grassroots groups who want to work more collaboratively with each other but have never done so before?

Scott: What I’m finding is that there are a lot of groups in the area but a lot of them are siloed, which is to say that they essentially keep to themselves and don’t mix with the other groups very frequently. They’re focused on their main core interest, and they just probably haven’t considered some of the issues like S.B. 315. It’s a challenge to bring disparate groups together, but I’m trying to talk to them. For example, I’m giving a talk on S.B. 315 to DC404, which is the local DEFCON group—an information security group.

We’re also trying to invite in other groups that are not necessarily technology-focused that I think would be interested in this particular fight if they just understood it better. One of the real struggles with S.B. 315 is trying to convince people who don’t work in technology that this is something they should care about. With news of data breaches every day, how do you explain to somebody that this is actually going to make security worse rather than make it better? That requires a lot of explaining. Some of these groups are looking for speakers and content, and that’s an opportunity for us to step in and fill that, and maybe explain our position to a better degree.

For more on Georgia S.B. 315, read here. If you’re advocating for digital rights within your community, please explore the Electronic Frontier Alliance and consider joining.

This interview has been lightly edited for length and readability. Additional information about the KSU breach was added after the original interview.

The Problems With FISA, Secrecy, and Automatically Classified Information

Mon, 02/26/2018 - 1:32pm

We need to talk about national security secrecy. Right now, there are two memos on everyone’s mind, each with its own version of reality. But the memos are just one piece. How the memos came to be—and why they continue to roil the waters in Congress—is more important.

On January 19, staff for Representative Devin Nunes (R-CA) wrote a classified memo alleging that the FBI and DOJ committed surveillance abuses in their applications for, and renewals of, a surveillance order against former Trump administration advisor Carter Page. Allegedly, the FBI and DOJ’s surveillance application included biased, politically funded information.

The House Permanent Select Committee on Intelligence, on which Rep. Nunes serves as chairman, later voted to release the memo. What the memo meant, however, depended on who was talking. Some Republican House members took the memo as fact, claiming it showed “abuse” and efforts to “undermine our country.” But Rep. Adam Schiff (D-CA)—who serves as Ranking Member on the House Permanent Select Committee on Intelligence, across from Nunes—called the memo “profoundly misleading” and, in an opinion for The Washington Post, said it “cherry-picks facts.”

Even the FBI entered the debate, slamming the memo and saying the agency had “grave concerns about material omissions of fact that fundamentally impact the memo's accuracy." And Assistant Attorney General Stephen Boyd of the DOJ said releasing the memo without review would be “extraordinarily reckless.” Finally, the president said the memo “totally vindicates” him from special counsel Robert Mueller’s investigation into his administration.

So a lawmaker made serious charges about surveillance abuses and corruption at the highest levels, and the rest of Congress and the public were ensnared in a guessing game: Could they trust Devin Nunes and what he says? Is the memo he wrote, and the allegations in it, just smoke or is there fire? Unfortunately, the information needed to evaluate his claims is hidden within multiple, nested layers of secrecy.

The secrecy starts with surveillance applications and secret court opinions, which are protected by classification that requires proper security clearance. Only a handful of lawmakers can read the materials, but even they can’t openly discuss them in public. They could write a report, but the FBI and Justice Department would ask to redact the report. After redactions, the report would be subject to a committee vote for release. If the report is cleared by committee, it ordinarily requires the president’s approval.

At any point in the process, this information could have been mislabeled, misidentified, embellished, or obscured, and we’d have almost no way of knowing.

It’s time to talk about FISA again, and the problems with its multi-layered secrecy regime.

We’re going to talk about a surveillance law that, when passed, installed secrecy both in a court system and in Congress, barring the public and their representatives from accessing important information. When that information is partially revealed, it’s near impossible for the public to trust it.

The Foreign Intelligence Surveillance Act and Its Regime of Secrecy

Passed in 1978, the Foreign Intelligence Surveillance Act (FISA) dictates how the government conducts physical and electronic surveillance for national security purposes against “foreign powers” and “agents of foreign powers.” FISA allows surveillance against “U.S. persons,” Americans and others in the U.S., so long as the agency doing the surveillance demonstrates and provides probable cause that the U.S. person is engaged in terrorism, espionage, or other activities on behalf of a foreign power.

Typically, when law enforcement conducts a search, the Fourth Amendment requires that they get a search warrant approved by a neutral magistrate, a judge assigned to hear warrant applications. Under FISA, surveillance orders go through a slightly different review. The statute created an entirely separate court venue, now staffed by 11 judges designated to review FISA surveillance applications. These judges make up the Foreign Intelligence Surveillance Court (FISC).

Similar to how courts review standard search warrants, FISC judges review FISA surveillance applications out of public view. Judges typically hear arguments from the government and no one else, court hearings are not public, and the FISA orders themselves are kept secret.

(Notably, this warrant-like review does not happen under Section 702 of FISA, which the NSA uses to collect billions of communications without a warrant, including Americans’ communications. Under Section 702, which you can read about here, FISC judges do not review individual targets of surveillance and instead sign off on programmatic surveillance policies.)

In the FISC, secrecy in each step is heightened. The court’s opinions and any transcript or record of the proceedings are automatically classified. Even the court’s physical location is constructed to be “the nation’s most secure courtroom,” with reinforced concrete and hand scanners to keep unauthorized people out.

This secrecy is hard to unravel after the fact. When recently asked by Rep. Nunes for more information about the renewed FISA surveillance warrant on Carter Page, Rosemary Collyer, the presiding judge of the FISC, wrote:

“As you know, any such transcripts would be classified. It may also be helpful for me to observe that, in a typical process of considering an application, we make no systematic record of questions we ask or responses the government gives.”

Although surveillance conducted for run-of-the-mill law enforcement is often shadowy, the FISA process is far more shielded from public view. For example, standard search warrants are used to gather evidence for later prosecutions that are by default public. That means at some point the government has to face—and knows it has to face—a defense attorney’s efforts to question the evidence gathered from the search warrant. This is known as a “motion to suppress,” and with typical search warrants, these motions are filed in a public court. When that court hears a motion to suppress, it usually issues an order discussing why the surveillance violated—or didn’t violate—the law. This is how our legal system is intended to function. Lawyers and the public actually learn what the law is through this process, because in our system it is the duty of courts to “say what the law is.” For that reason, secret law is a perversion of our system.

Moreover, the public disclosure of law enforcement search warrants serves important ends outside of any particular legal challenge. For one, they let the public know what police are doing, both in their name and with their tax dollars. Second, they allow for greater accountability when police overstep their authority or otherwise misbehave.

FISC proceedings routinely fail this test.

FISA orders are for foreign intelligence purposes, so the surveillance is rarely used in a prosecution and rarely challenged in a motion to suppress. Moreover, even if the fruits of FISA surveillance are used in court, criminal defendants and other litigants are deprived of access to this information, so they have little way of knowing if evidence brought against them may have come from an improper FISA order. (FISA provides a mechanism for defendants to request this information, but no defendant has succeeded in doing so in FISA’s 40-year history.) This impedes a defendant’s ability to challenge their prosecution, and it prevents related, public knowledge of these challenges.

But the secrecy in FISA extends much further than FISC, adding further opaque layers between what intelligence agencies and the court do and what the public sees.

Lacking Congressional Oversight

In practice, congressional oversight of the FISA process and the underlying materials is severely constrained. Although they have security clearances by virtue of their office, many lawmakers are kept far away from classified documents because they do not have cleared staff to assist in processing the information, and their requests are given lower priority than members of the intelligence oversight committees.

Even members of those House and Senate intelligence committees do not always have access to everything. In the case of the Nunes memo, only the “Gang of Eight” congressional leaders and a handful of others out of the 435 members of the House of Representatives and the 100 members of the Senate reportedly had access to the underlying FISA surveillance applications and unredacted FISC opinions.

This problem has restricted Congress members before. In 2003, when then-Senate intelligence committee vice chairman Jay Rockefeller learned of the NSA’s unconstitutional spying programs under President George W. Bush, he had little capability to fight back. He wrote to then-Vice President Dick Cheney:

“As you know, I am neither a technician nor an attorney. Given the security restrictions associated with this information, and my inability to consult staff or counsel on my own, I feel unable to fully evaluate, much less endorse these activities."

Rockefeller—who knew of the programs—could not speak of them. For everyone else, reading FISA and FISC materials is close to impossible. Even after Congress passed the USA FREEDOM Act in 2015 requiring that significant FISC opinions be released to the public, these opinions are still heavily redacted and tightly guarded, and no FISA application material has ever been revealed to the public.

It’s for these reasons that EFF has long called for Congress to reform how it oversees surveillance activities conducted by the Executive Branch, including by providing all members of Congress with the tools they need to meaningfully understand and challenge activities that are so often veiled in extreme secrecy.

Why This Matters

FISA’s inherent secrecy causes a chain reaction. Because the FISC’s surveillance orders are kept secret, it is hard to know if they are ever improper. Because criminal defendants are kept in the dark about what evidence was used to obtain a FISA order, they cannot meaningfully challenge if the order was wrongly issued.

In Congress, because lawmakers are widely excluded from knowing the FISC’s procedures, efforts to fix the process are scarce. And, as we’ve seen with the Nunes memo, because so few lawmakers can access FISA materials, if one lawmaker uses that access to make extraordinary claims, trying to prove or refute those claims is mostly futile.

Plainly, outsiders do not know who is telling the truth. Because the public cannot read the underlying FISA materials that the memo is based on, they can’t accurately separate fact from fiction. They cannot see the FISC’s written approval for the order. They cannot see the order itself. And they cannot see the materials that went into the surveillance application.

According to reports, the majority of Congress is in the exact same position. They have not been able to see the FISC’s written approval for the order; they cannot see the order itself. And they cannot see the materials that went into the surveillance application.

Rep. Adam Schiff, a member of the Gang of Eight, has tried to refute the Nunes memo, relying on the classified FISA order and surveillance application to write a sort of counter-memo. But Schiff’s counter-memo was originally blocked by the Trump administration, with a lawyer for the president explaining that it “contains numerous properly classified and especially sensitive passages.”

What is sensitive about those passages, we don’t know. Why they are classified, we don’t know. What they could clear up, we don’t know. And we can’t assess the White House’s claim that this counter-memo is too sensitive to be released, even though it approved release of the Nunes memo.

On February 24, the House Intelligence Committee ignored the White House’s wishes and released Rep. Schiff’s counter-memo. The memo offered several claimed rebuttals to many of the allegations in the original Nunes memo, but it included far more redactions, leaving the public to, yet again, guess at the full truth.

And that’s the problem with FISA. Because of near-airtight classification for everything that occurs in the FISC—and a corresponding congressional inaccessibility to that classified information—it is exceedingly difficult to know when we are being told the truth. A single member of the Gang of Eight could, at any time, present information to the public as truth, with few opportunities for others to rebut or verify those claims.

These truths should not be held at the mercy of classification, and they should not be a matter of security clearances, committee votes, and personal accusations. These problems are exacerbated by Congress’ systemic failures to assert its constitutional oversight role. FISA prevents the public from knowing much of what its own government does in national security investigations, and it prevents much of Congress from being able to stop single bad actors from misrepresenting classified material.

EFF will continue to fight for governmental transparency. It is one of the strongest vehicles we have to ensure that our government is protecting our rights, and that our government’s members are telling the truth.