Category Archives: Internet

Librarians Call on W3C to Rethink its Support for DRM

by News on July 18, 2017, no comments

The International Federation of Library Associations and Institutions (IFLA) has called on the World Wide Web Consortium (W3C) to reconsider its decision to incorporate digital locks into official HTML standards. Last week, W3C announced its decision to publish Encrypted Media Extensions (EME)—a standard for applying locks to web video—in its HTML specifications.

IFLA urges W3C to consider the impact that EME will have on the work of libraries and archives:

While recognising both the potential for technological protection measures to hinder infringing uses, as well as the additional simplicity offered by this solution, IFLA is concerned that it will become easier to apply such measures to digital content without also making it easier for libraries and their users to remove measures that prevent legitimate uses of works.

[…]

Technological protection measures […] do not always stop at preventing illicit activities, and can often serve to stop libraries and their users from making fair uses of works. This can affect activities such as preservation, or inter-library document supply. To make it easier to apply TPMs, regardless of the nature of activities they are preventing, is to risk unbalancing copyright itself.

IFLA’s concerns are an excellent example of the dangers of digital locks (sometimes referred to as digital rights management or simply DRM): under the U.S. Digital Millennium Copyright Act (DMCA) and similar copyright laws in many other countries, it’s illegal to circumvent those locks or to provide others with the means of doing so. That provision puts librarians in legal danger when they come across DRM in the course of their work—not to mention educators, historians, security researchers, journalists, and any number of other people who work with copyrighted material in completely lawful ways.

Of course, as IFLA’s statement notes, W3C doesn’t have the authority to change copyright law, but it should consider the implications of copyright law in its policy decisions: “While clearly it may not be in the purview of the W3C to change the laws and regulations regulating copyright around the world, they must take account of the implications of their decisions on the rights of the users of copyright works.”

EFF is in the process of appealing W3C’s controversial decision, and we’re urging the standards body to adopt a covenant protecting security researchers from anti-circumvention laws.

Do Last Week’s European Copyright Votes Show Publishers Have Captured European Politics?

by News on July 18, 2017, no comments

Three European Parliament Committees met during the week of July 10, to give their input on the European Commission’s proposal for a new Directive on copyright in the Digital Single Market. We previewed those meetings last week, expressing our hope that they would not adopt the Commission’s harmful proposals. The meetings did not go well.

All of the compromise amendments to the Directive proposed by the Committee on Culture and Education (CULT) that we previously catalogued were accepted in a vote of that committee, including the upload filtering mechanism, the link tax, the unwaivable right for artists, and the new tax on search engines that index images. Throwing gasoline on the dumpster fire of the upload filtering proposal, CULT would like to see cloud storage services added to the online platforms that are required to filter user uploads. As for the link tax, they have offered up a non-commercial personal use exemption as a sop to the measure’s critics, though it is hard to imagine how this would soften the measure in practice, since almost all news aggregation services are commercially supported.

The meeting of the Industry, Research and Energy (ITRE) Committee held in the same week didn’t go much better than that of the CULT Committee. The good news, if we can call it that, is that they softened the upload filtering proposal a little. The ITRE language no longer explicitly refers to content recognition technologies as a measure to be agreed between copyright holders and platforms that host “significant amounts” (the Commission proposal had said “large amounts”) of copyright protected works uploaded by users. On the other hand, such measures aren’t ruled out, either; so the change is a minor one at best.

There is no similar saving grace in the ITRE’s treatment of the link tax. Oddly for a committee dedicated to research, it proposed amendments to the link tax that would make life considerably harder for researchers, by extending the tax to become payable not only on snippets from news publications but also those taken from academic journals, and whether those publications are online or offline. The extension of the link tax to journals came by way of a single word amendment to recital 33 [PDF]:

Periodical publications which are published for scientific or academic purposes, such as scientific journals, should n̶o̶t̶ also be covered by the protection granted to press publications under this Directive.

This deceptively small change would open up a whole new class of works for which publishers could demand payment for the use of small snippets, apparently including works that the author had released under an open access license (since it’s the publisher, not the author, that is the beneficiary of the new link tax).

The JURI Committee also met during the week, although it did not vote on any amendments. Even so, the statements and discussions of the participants at this meeting are just as important as the votes of the other committees, given JURI’s leadership of the dossier. The meeting (a recording of which is available online) was chaired by German MEP Axel Voss, who has recently replaced the previous chair Theresa Comodini as rapporteur. Whereas MEP Comodini’s report for the committee had been praised for its balance, Voss has taken a much more hardline approach. Addressing him as Chair, Pirate Party MEP Julia Reda stated during the meeting:

I have never seen a Directive proposal from the Commission that has been met with such unanimous criticism from academia. Europe’s leading IP law faculties have stated in an open letter, and I quote, “There is independent scientific consensus that Articles 11 and 13 cannot be allowed to stand,” and that the proposal for a neighboring right is “unnecessary, undesirable, and unlikely to achieve anything other than adding to complexity and cost”.

The developments in the CULT, ITRE and JURI committees last week were disappointing, but they do not determine the outcome of this battle. More decisive will be the votes of the Civil Liberties, Justice and Home Affairs (LIBE) Committee in September, followed by negotiations around the principal report in the JURI Committee and its final vote on October 10. Either way, by year’s end we will know whether European politicians have been utterly captured by their powerful publishing lobby, or whether the European Parliament still effectively represents the voices of ordinary European citizens.

Why the Ninth Circuit Got It Wrong on National Security Letters and How We’ll Keep Fighting

by News on July 18, 2017, no comments

In a disappointing opinion issued on Monday, the Ninth Circuit upheld the national security letter (NSL) statute against a First Amendment challenge brought by EFF on behalf of our clients CREDO Mobile and Cloudflare. We applaud our clients’ courage as part of a years-long court battle, conducted largely under seal and in secret.

We strongly disagree with the opinion and are weighing how to proceed in the case. Even though this ruling is disappointing, together EFF and our clients achieved a great deal over the past six years. The lawsuit spurred Congress to amend the law, and our advocacy related to the case caused leading tech companies to also challenge NSLs. Along the way, the government went from fighting to keep every single NSL gag order in place to the point where many have been lifted, some in whole and many in part. That includes this case, of course, where we can now proudly tell the names of our clients to the world.

No matter what happens with these particular lawsuits, we are not done fighting unconstitutional use of NSLs and similar laws.

Making sense of a disappointing ruling

National security letters are a kind of subpoena issued by the FBI to communications service providers like our clients to force them to turn over customer records. NSLs nearly always contain gag orders preventing recipients from telling anyone about these surveillance requests, all without any mandatory court oversight. As a result, the Internet and communications companies that we all trust with our most sensitive information cannot be truthful with their customers and the public about the scope of government surveillance.

NSL gags are perfect examples of “prior restraints,” government orders prohibiting speech rather than punishing it after the fact. The First Amendment embodies the Founders’ strong distrust of prior restraints as powerful censorship tools, and the Supreme Court has repeatedly said they are presumptively unconstitutional unless they meet the “most exacting” judicial scrutiny. Similarly, because NSLs prevent recipients from talking about the FBI’s request for customer data, they are content-based restrictions on speech, which are subject to strict scrutiny. So NSL gags ought to be put to the strictest of First Amendment tests.

Unfortunately, the Ninth Circuit questioned whether NSLs are prior restraints at all. And although the court did acknowledge they are separately content-based restrictions on speech, it said the law is narrowly tailored even though it plainly allows censorship that is broader in scope and longer in duration than the government actually needs. As a result, the court held the government’s interest in national security overcomes any First Amendment interests at stake.

The ruling is seriously flawed.

Not-so-narrow tailoring

In order to find that the law satisfied strict scrutiny, the court overlooked both the overinclusiveness and indefinite duration of NSL gag orders. Narrow tailoring requires that a restriction on speech be fitted carefully to just what the government needs to protect its investigation and that no less speech-restrictive alternatives are available.

But NSLs are often wildly overinclusive. For example, they prevent even a company with millions of users like Cloudflare from simply saying it has received an NSL, on the theory that individual users engaged in terrorism or espionage might somehow infer from that fact alone that the government is on their trail.

The court admitted that a blanket gag in this scenario might well be overinclusive, but it simply deferred to the FBI’s decisionmaking. But of course, under the First Amendment, decisions about censorship aren’t supposed to be left to officials whose “business is to censor.” And here, we know that NSLs routinely issue to big tech companies with large numbers of users like both Cloudflare and CREDO, and only in rare circumstances does the FBI allow these companies to report on specific NSLs they’ve received.

Similarly, the FBI often leaves NSL gags in place indefinitely, sometimes even permanently. Indeed, the FBI has told our client CREDO that one of the NSLs in the case is now permanent, and the Bureau will not further revisit the gag it imposed to determine whether it still serves national security. Here again, the court acknowledged that at the least, narrow tailoring requires a gag “must terminate when it no longer serves” the government’s national security interests. But instead of applying the First Amendment’s narrow tailoring requirement, the court declined to “quibble” with the censoring agency, the FBI, and its loophole-ridden internal procedures for reviewing NSLs. Nevertheless, these procedures “do not resolve the duration issue entirely,” as the Ninth Circuit understatedly put it, since they may still produce permanent gags, as with CREDO. As a result, the court suggested that NSL recipients can repeatedly challenge permanent gags until they’re finally lifted.

The problem of prior restraints and judicial review

However, that points to the other fundamental problem with NSLs: they are issued without any mandatory court oversight. As discussed above, prior restraints are almost never constitutional. The Supreme Court has said that even in the rare circumstance when prior restraints can be justified, they must be approved by a neutral court, not just an executive official. But the NSL statute doesn’t require a court to be involved in all cases; instead, judicial review takes place only if NSL recipients file a lawsuit, like our clients did, or if they ask the government to go to court to review the gag using a procedure known as “reciprocal notice.”

The Ninth Circuit had two responses to this lack of judicial oversight.

First, it wrongly suggested the law of prior restraints simply does not apply here. The theory is that unlike cases involving newspapers that are prevented from publishing, NSL recipients haven’t shown a preexisting desire to speak, and when they do, they’re asking to publish information they supposedly learned from the government. But as we pointed out, that’s inconsistent with case law that says, for instance, that witnesses at grand jury proceedings—which are historically both secret and subject to court oversight—cannot be indefinitely gagged from talking about their own testimony. NSL gags go much further.

Second, the court suggested that even though the burden is on NSL recipients to challenge gags, this is a “de minimis” burden that doesn’t violate the First Amendment. When Congress passed the USA FREEDOM Act in 2015, it gave recipients the option of invoking reciprocal notice and asking the government to go to court rather than filing their own lawsuit. That’s simply not good enough; the First Amendment requires the government be the one to go to court to prove to a judge it actually requires an NSL accompanied by a gag. Not to mention that forcing companies that receive NSLs to fight them in court and defend user privacy may actually be a heavy burden.

Big progress nonetheless

Despite these considerable errors in the Ninth Circuit’s opinion, we shouldn’t lose sight of progress made along the way. Nearly all of the features of the NSL statute that the court pointed to as saving graces of the law—the FBI’s internal review procedures and the option for reciprocal notice most notably—exist only because Congress stepped in during our lawsuit to amend the law.

So what’s left to providers that receive NSLs? Push back on the gags early and often. The “reciprocal notice” process, which the government says only requires a short letter or a phone call, should be done as a matter of course for any company receiving an NSL. And since the Ninth Circuit said that courts retain the ability to re-evaluate the gags as long as they remain in place, gagged providers should ask a court to step in and make sure the FBI can still prove the need for the gag—potentially over and over—until the gag is finally lifted. EFF wants to help with this, and we’re happy to consult with anyone subject to an NSL gag.

We’ve also encouraged technology companies to make the best of the reciprocal notice procedure as part of our annual Who Has Your Back? report. If the government continues to argue that recipients don’t necessarily “want to speak” about NSLs, we can now point to the growing trend of major tech companies—Apple, Adobe, and Dropbox, among others—that have committed to invoking reciprocal notice and challenging every NSL they receive.

Finally, we’ve seen other courts question gag orders in related contexts, and we’ve supported companies like Facebook and Microsoft in these fights. We’re confident that in the long run, these prior restraints will be roundly rejected yet again.

Microsoft Bing Reverses Sex-Related Censorship in the Middle East

by News on July 18, 2017, no comments

Imagine trying to do online research on breast cancer, or William S. Burroughs’ famous novel Naked Lunch, only to find that your search results keep coming up blank. This is the confounding situation that faced Microsoft Bing users in the Middle East and North Africa for years, made especially confusing by the fact that if you tried the same searches on Google, it did offer results for these terms.

Problems caused by the voluntary blocking of certain terms by intermediaries are well-known; just last week, we wrote about how payment processors like Venmo are blocking payments from users who describe the payments using certain terms—like Isis, a common first name and name of a heavy metal band, in addition to its usage as an acronym for the Islamic State. Such keyword-based filtering algorithms will inevitably result in overblocking and false positives because of their disregard for the context in which the words are used.

Search engines also engage in this type of censorship—in 2010, I co-authored a paper [PDF] documenting how Microsoft Bing (brand new at the time) engaged in filtering of sex-related terms in the Middle East and North Africa, China, India, and several other locations by not allowing users to turn off “safe search”. Despite the paper and various advocacy efforts over the years, Microsoft refused to budge on this—until recently.

At RightsCon this year, I led a panel discussion about the censorship of sexuality online, covering a variety of topics from Facebook’s prudish ideas about the female body to the UK’s restrictions on “non-conventional” sex acts in pornography to Iceland’s various attempts to ban online pornography. During the panel, I also raised the issue of Microsoft’s long-term ban on sexual search terms in the Middle East, noting specifically that the company’s blanket ban on the entire region seemed more a result of bad market research than government interference, based on the fact that a majority of countries in the MENA region do not block pornography, let alone other sexual content.

Surprisingly, not long after the conference, I did a routine check of Bing and was pleased to discover that “Middle East” had disappeared from the search engine’s location settings, replaced with “Saudi Arabia.” The search terms are still restricted in Saudi Arabia (likely at the request of the government), but users in other countries across the diverse region are no longer subject to Microsoft’s safe search. Coincidence? It’s hard to say; just as we didn’t know Microsoft’s motivations for blacklisting sexual terms to begin with, it was no more transparent about its change of heart.

Standing up against this kind of overbroad private censorship is important—companies shouldn’t be making decisions based on assumptions about a given market, and without transparency and accountability. Decisions to restrict content for a particular reason should be made only when legally required, and with the highest degree of transparency possible. We commend Microsoft for rectifying their error, and would like to see them continue to make their search filtering policies and practices more open and transparent.

Network Engineers Speak Out for Net Neutrality

by News on July 17, 2017, no comments

Today, a group of over 190 Internet engineers, pioneers, and technologists filed comments with the Federal Communications Commission explaining that the FCC’s plan to roll back net neutrality protections is based on a fundamentally flawed and outdated understanding of how the Internet works.

Signers include current and former members of the Internet Engineering Task Force and Internet Corporation for Assigned Names and Numbers’ committees, professors, CTOs, network security engineers, Internet architects, systems administrators and network engineers, and even one of the inventors of the Internet’s core communications protocol.

This isn’t the first time many of these engineers have spoken out on the need for open Internet protections. In 2015, when the EFF and ACLU filed a friend-of-the-court brief defending the net neutrality rules, dozens of engineers signed onto a statement supporting the technical justifications for the Open Internet Order.

The engineers’ statement filed today contains facts about the structure, history, and evolving nature of the Internet; corrects technical errors in the proposal; and gives concrete examples of the harm that will be done should the proposal be accepted.

The engineers explain that:

“Based on certain questions the FCC asks in the Notice of Proposed Rulemaking (NPRM), we are concerned that the FCC (or at least Chairman Pai and the authors of the NPRM) appears to lack a fundamental understanding of what the Internet’s technology promises to provide, how the Internet actually works, which entities in the Internet ecosystem provide which services, and what the similarities and differences are between the Internet and other telecommunications systems the FCC regulates as telecommunications services.”

The engineers point to specific errors in the NPRM. As one example among many: the NPRM tries to argue that ISPs, not edge providers, are the main drivers for services such as streaming movies, sharing photos, posting on social media, automatic translation, and so on. The NPRM also erroneously assumes that transforming an IP packet from IPv4 to IPv6 somehow changes the form of the payload.

The engineers explain how the Internet (and in particular broadband) has changed since 2002, when the FCC first explicitly classified broadband internet access service as an information service, and why that classification is no longer appropriate in light of technical developments. Drawing on this background information, they then respond to specific questions from the NPRM in order to correct the FCC’s mistakes.

The statement provides nearly a dozen different examples of consumer harm that could have been prevented by the light-touch, bright-line rules—like when AT&T distorted the market for content by using its gatekeeping power to not charge its customers for its DIRECTV video service while charging third-parties more to similarly zero-rate data. It also gives several examples of consumer benefits that happened as a result of the 2015 Open Internet Order, like mobile service providers finally removing the prohibition that was stopping customers from tethering their personal computers to their mobile devices in order to use their mobile broadband connections.

The NPRM fundamentally misunderstands the basic technology underlying how the Internet works. If the FCC were to move forward with its NPRM as proposed, the results could be disastrous: the FCC would be making a major regulatory decision based on plainly incorrect assumptions about the underlying technology and Internet ecosystem that will have a disastrous effect on innovation in the Internet ecosystem as a whole.

EFF to FCC: Tossing Net Neutrality Protections Will Set ISPs Free to Throttle, Block, and Censor the Internet for Users

by News on July 17, 2017, no comments

FCC Plan to Scuttle Open Internet Rule ‘Disastrous’ For the Future of the Internet, Experts Say

Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the FCC to keep in place net neutrality rules, which are essential to prevent cable companies like Comcast and Verizon from controlling, censoring, and discriminating against their subscribers’ favorite Internet content.

In comments submitted today, EFF came out strongly in opposition to the FCC’s plan to reverse the agency’s 2015 open Internet rules, which were designed to guarantee that service providers treat everyone’s content equally. The reversal would send a clear signal that those providers can engage in data discrimination, such as blocking websites, slowing down Internet speeds for certain content—known as throttling—and charging subscribers fees to access movies, social media, and other entertainment content over “fast lanes.” Comcast, Verizon, and AT&T supply Internet service to millions of Americans, many of whom have no other alternatives for high-speed access. Given the lack of competition, the potential for abuse is very real.

EFF’s comments join those of many other user advocates, leading computer engineers, entrepreneurs, faith communities, libraries, educators, tech giants, and start-ups that are fighting for a free and open Internet. Last week those players gave the Internet a taste of what a world without net neutrality would look like by temporarily blocking and throttling their content. Such scenarios aren’t merely possible—they are likely, EFF said in its comments. Internet service providers (ISPs) have already demonstrated that they are willing to discriminate against competitors and block content for their own benefit, while harming the Internet experience of users.

“ISPs have incentives to shape Internet traffic and the FCC knows full well of instances where consumers have been harmed. AT&T blocked data sent by Apple’s FaceTime software, Comcast has interfered with Internet traffic generated by certain applications, and ISPs have rerouted users’ web searches to websites they didn’t request or expect,” said EFF Senior Staff Attorney Mitch Stoltz. “These are just some examples of ISPs controlling our Internet experience. Users pay them to connect to the Internet, not decide for them what they can see and do there.”

Nearly 200 computer scientists, network engineers, and Internet professionals also submitted comments today highlighting deep flaws in the FCC’s technical description of how the Internet works. The FCC is attempting to pass off its incorrect technical analysis to justify its plan to reclassify ISPs so they are not subject to net neutrality rules. The engineers’ submission—signed by such experts as Vint Cerf, co-designer of the Internet’s fundamental protocols; Mitch Kapor, a personal computer industry pioneer and EFF co-founder; and programmer Sarah Allen, who led the team that created Flash video—sets the record straight about how the Internet works and how rolling back net neutrality would have disastrous effects on Internet innovation.

“We are concerned that the FCC (or at least Chairman Pai and the authors of the Notice of Proposed Rulemaking) appears to lack a fundamental understanding of what the Internet’s technology promises to provide, how the Internet actually works, which entities in the Internet ecosystem provide which services, and what the similarities and differences are between the Internet and other telecommunications systems the FCC regulates as telecommunications services,” the letter said.

“It is clear to us that if the FCC were to reclassify broadband access service providers as information services, and thereby put the bright-line, light-touch rules from the Open Internet Order in jeopardy, the result could be a disastrous decrease in the overall value of the Internet.”

For EFF’s comments:
https://www.eff.org/document/eff-comments-fcc-nn

For the engineers’ letter:
https://www.eff.org/document/internet-engineers-commentsfcc-nn

For more about EFF’s campaign to keep net neutrality:
https://www.eff.org/issues/net-neutrality

Contact:
Mitch Stoltz, Senior Staff Attorney
Corynne McSherry, Legal Director

With Release of NAFTA Negotiating Objectives, Our New Infographic Makes Sense of It All

by News on July 17, 2017, no comments

Current Digital Trade Negotiations

The United States Trade Representative (USTR) has just released its trade negotiating objectives [PDF] for a revision of NAFTA, the North American Free Trade Agreement between the United States, Mexico, and Canada. NAFTA is expected to open up a new front in big content’s neverending battle for stricter copyright rules, following the unexpected defeat of the Trans-Pacific Partnership (TPP). Meanwhile, big tech companies are now wielding increasing influence with the USTR, and demanding that it negotiate rules that protect their businesses also, such as prohibitions against restrictions on the cross-border transfer of data.

In EFF’s comments to the USTR about what its negotiating objectives should be, we urged it not to include new copyright rules in NAFTA, because of how this would prevent the United States from improving its current law or adapting to technological change. We also expressed the need for caution about including some of the new digital trade (or e-commerce) rules that big tech companies have been asking for, for similar reasons, and because the trade negotiation process notoriously lacks the balance that would be required for it to negotiate a sound set of rules.

Copyright Rules

The negotiating objectives are hopelessly general, but it seems that our requests largely fell on deaf ears. The negotiating objectives on intellectual property relevantly include to:

  • Ensure provisions governing intellectual property rights reflect a standard of protection similar to that found in U.S. law.
  • Provide strong protection and enforcement for new and emerging technologies and new methods of transmitting and distributing products embodying intellectual property, including in a manner that facilitates legitimate digital trade. …
  • Ensure standards of protection and enforcement that keep pace with technological developments, and in particular ensure that rightholders have the legal and technological means to control the use of their works through the Internet and other global communication media, and to prevent the unauthorized use of their works.
  • Provide strong standards [of, sic] enforcement of intellectual property rights, including by requiring accessible, expeditious, and effective civil, administrative, and criminal enforcement mechanisms.

These provisions are consistent with the U.S. demanding similar provisions to those that had been contained in the TPP, including life plus 70 year terms of copyright protection, criminal penalties for “commercial scale” copyright infringement, and legal protections for DRM—all of which would be new to NAFTA. Disappointingly, there is no reference to be found to the inclusion of a “fair use” exception to copyright, as we had requested in our submission.

Digital Trade (E-Commerce) Rules

As for digital trade, the objectives include to:

  • Ensure non-discriminatory treatment of digital products transmitted electronically and guarantee that these products will not face government-sanctioned discrimination based on the nationality or territory in which the product is produced.
  • Establish rules to ensure that NAFTA countries do not impose measures that restrict crossborder data flows and do not require the use or installation of local computing facilities.
  • Establish rules to prevent governments from mandating the disclosure of computer source code.

While some of these rules might not be harmful, if they were drafted in an adequately open and consultative fashion, we have previously expressed concerns that the ban on restrictions on crossborder data flows may not allow countries adequate policy space to protect the privacy of users’ data. We are also worried about the possibility that a blanket ban on laws requiring the disclosure of source code could limit countries from introducing new measures to protect users from vulnerabilities in digital products such as routers and Internet of Things (IoT) devices.

Our New Infographic Makes Sense of It All

You might well be wondering how the new version of NAFTA will compare with other digital trade negotiations, such as the TPP (which could still rise again between the other eleven countries besides the United States), and the Regional Comprehensive Economic Partnership (RCEP, whose negotiators are meeting this week in Hyderabad, India). To help explain, we’ve put together this infographic which illustrates five of the major ongoing trade agreements that are likely to contain provisions on digital issues. It provides a quick overview of their current status, the countries involved, and the issues that they contain.


One thing that all of these agreements have in common is that there is no easy way for users to access them. Negotiation rounds take place in far-flung cities of the world, with little or sometimes no notice to the general public, and next to no transparency about the texts under discussion, and with little or no official means of access to the negotiators for public interest advocates such as EFF. Nevertheless, EFF is on the ground in Hyderabad this week to stand up for users, and we plan to do the same in the coming NAFTA negotiations too.

Despite today’s release of the USTR’s negotiating objectives for NAFTA, they are nowhere near detailed enough for us to know what rules the USTR will really be asking for from our partners. And that’s dangerous, because we don’t really know what we’re fighting against, and whether our fears are justified or overblown. Worse, we might never know until the agreement is concluded—unless it is leaked in the meantime. That’s just not acceptable, and it needs to change.

Keep reading Deeplinks for updates on the progress of each of these trade agreements, and how they will affect you. And if you’d like to support our difficult work in fighting for users’ rights in all of these secretive venues, you can help by donating to EFF.

CBP Responds to Sen. Wyden: Border Agents May Not Search Travelers’ Cloud Content

by News on July 17, 2017, no comments

Border agents may not use travelers’ laptops, phones, and other digital devices to access and search cloud content, according to a new document by U.S. Customs and Border Protection (CBP). CBP wrote this document on June 20, 2017, in response to questions from Sen. Wyden (D-OR). NBC published it on July 12. It states:

In conducting a border search, CBP does not access information found only on remote servers through an electronic device presented for examination, regardless of whether those servers are located abroad or domestically. Instead, border searches of electronic devices apply to information that is physically resident on the device during a CBP inspection.

This is a most welcome change from prior CBP policy and practice. CBP’s 2009 policy on border searches of digital devices does not prohibit border agents from using those devices to search travelers’ cloud content. In fact, that policy authorizes agents to search “information encountered at the border,” which logically would include cloud content encountered by searching a device at the border.

We do know that border agents have used travelers’ devices to search their cloud content. Many news reports describe border agents scrutinizing social media and communications apps on travelers’ phones, which show agents conducting cloud searches.

EFF will monitor whether actual CBP practice lives up to this salutary new policy. To help ensure that border agents follow it, CBP should publish it. So far, the public only has second-hand information about this “nationwide muster” (the term CBP’s June 17 document uses to describe this new CBP written policy on searching cloud data). Also, CBP should stop seeking social media handles from foreign visitors, which blurs CBP’s new instruction to border agents that cloud searches are off limits.

Separately, CBP’s responses to Sen. Wyden’s questions explain what will happen to a U.S. citizen who refuses to comply with a border agent’s demand to disclose their device password (or unlock their device) in order to allow the agent to search their device:

[A]lthough CBP may detain an arriving traveler’s electronic device for further examination, in the limited circumstances when that is appropriate, CBP will not prevent a traveler who is confirmed to be a U.S. citizen from entering the country because of a need to conduct that additional examination.

This is what EFF told travelers would happen in our March 2017 border guide, based on law and reported CBP practice. It is helpful that CBP has confirmed this in writing. However, CBP also should publicly state whether U.S. lawful permanent residents (green card holders) will be denied entry for not facilitating a CBP search of their devices. They should not be denied entry. Notably, Sen. Wyden asked CBP to answer this question about all “U.S. persons,” and not just U.S. citizens.

CBP’s responses leave other important questions unanswered. For example, CBP should publicly state whether, when border agents ask travelers for their device passwords, the agents must (in the words of Sen. Wyden) “first inform the traveler that he or she has the right to refuse.” CBP did not answer this question. The international border is an inherently coercive environment, where harried travelers must seek permission to come home from uniformed and frequently armed agents in an unfamiliar space. To ensure that agents do not strong-arm travelers into surrendering their digital privacy, agents should be required to inform travelers that they may choose not to unlock their devices.

Also, CBP should publicly answer Sen. Wyden’s question about how many times in the last five years CBP has searched a device “at the request of another government agency.” Such searches will usually be improper. Historically, courts have granted border agents greater search powers than other law enforcement officials, but only for purposes of enforcing customs and immigration laws. If border agents search travelers at the request of other agencies, they presumably do so for other purposes, and so use of their heightened powers is improper. While CBP’s document provides information about CBP’s assistance requests to other agencies (for example, to seek technical help with decryption), this sheds no light on other agencies’ requests to CBP to use a traveler’s presence at the border as an excuse to conduct a warrantless search, which likely would not be justified at the interior of the country.

EFF applauds Sen. Wyden for his leadership in congressional oversight of CBP’s border device searches. We also thank CBP for answering some of Sen. Wyden’s questions. But many questions remain.

CBP’s June 2017 responses confirm that much more must be done to protect travelers’ digital privacy at the U.S. border. An excellent first step would be to enact Sen. Wyden’s bipartisan bill to require border agents to get a warrant before searching the digital devices of U.S. persons.