Aggregator | JCA-NET

注意喚起: 2025年2月マイクロソフトセキュリティ更新プログラムに関する注意喚起 (公開)

JPCERT

2 months 3 weeks ago

休日の渋谷に「天皇制は、いらない！」の声響く

レイバーネット

2 months 3 weeks ago

平和、人権、表現の自由を守るために、能動的サイバー防御関連法案に反対しよう！

レイバーネット

2 months 3 weeks ago

EFF Sues OPM, DOGE and Musk for Endangering the Privacy of Millions

EFF update

2 months 3 weeks ago

Lawsuit Argues Defendants Violated the Privacy Act by Disclosing Sensitive Data

NEW YORK—EFF and a coalition of privacy defenders led by Lex Lumina filed a lawsuit today asking a federal court to stop the U.S. Office of Personnel Management (OPM) from disclosing millions of Americans’ private, sensitive information to Elon Musk and his “Department of Government Efficiency” (DOGE).

The complaint on behalf of two labor unions and individual current and former government workers across the country, filed in the U.S. District Court for the Southern District of New York, also asks that any data disclosed by OPM to DOGE so far be deleted.

The complaint by EFF, Lex Lumina LLP, State Democracy Defenders Fund, and The Chandra Law Firm argues that OPM and OPM Acting Director Charles Ezell illegally disclosed personnel records to Musk’s DOGE in violation of the federal Privacy Act of 1974. Last week, a federal judge temporarily blocked DOGE from accessing a critical Treasury payment system under a similar lawsuit.

This lawsuit’s plaintiffs are the American Federation of Government Employees AFL-CIO; the Association of Administrative Law Judges, International Federation of Professional and Technical Engineers Judicial Council 1 AFL-CIO; Vanessa Barrow, an employee of the Brooklyn Veterans Affairs Medical Center; George Jones, President of AFGE Local 2094 and a former employee of VA New York Harbor Healthcare; Deborah Toussant, a former federal employee; and Does 1-100, representing additional current or former federal workers or contractors.

As the federal government is the nation’s largest employer, the records held by OPM represent one of the largest collections of sensitive personal data in the country. In addition to personally identifiable information such as names, social security numbers, and demographic data, these records include work information like salaries and union activities; personal health records and information regarding life insurance and health benefits; financial information like death benefit designations and savings programs; and nondisclosure agreements; and information concerning family members and other third parties referenced in background checks and health records. OPM holds these records for tens of millions Americans, including current and former federal workers and those who have applied for federal jobs. OPM has a history of privacy violations—an OPM breach in 2015 exposed the personal information of 22.1 million people—and its recent actions make its systems less secure.

With few exceptions, the Privacy Act limits the disclosure of federally maintained sensitive records on individuals without the consent of the individuals whose data is being shared. It protects all Americans from harms caused by government stockpiling of our personal data. This law was enacted in 1974, the last time Congress acted to limit the data collection and surveillance powers of an out-of-control President.

“The Privacy Act makes it unlawful for OPM Defendants to hand over access to OPM’s millions of personnel records to DOGE Defendants, who lack a lawful and legitimate need for such access,” the complaint says. “No exception to the Privacy Act covers DOGE Defendants’ access to records held by OPM. OPM Defendants’ action granting DOGE Defendants full, continuing, and ongoing access to OPM’s systems and files for an unspecified period means that tens of millions of federal-government employees, retirees, contractors, job applicants, and impacted family members and other third parties have no assurance that their information will receive the protection that federal law affords.”

For more than 30 years, EFF has been a fierce advocate for digital privacy rights. In that time, EFF has been at the forefront of exposing government surveillance and invasions of privacy—such as forcing the release of hundreds of pages of documents about domestic surveillance under the Patriot Act—and enforcing existing privacy laws to protect ordinary Americans—such as in its ongoing lawsuit against Sacramento's public utility company for sharing customer data with police.

For the complaint: https://www.eff.org/document/afge-v-opm-complaint

For more about the litigation: https://www.eff.org/deeplinks/2025/02/eff-sues-doge-and-office-personnel-management-halt-ransacking-federal-data

Contacts:
Electronic Frontier Foundation: press@eff.org
Lex Lumina LLP: Managing Partner Rhett Millsaps, rhett@lex-lumina.com

Josh Richman

The TAKE IT DOWN Act: A Flawed Attempt to Protect Victims That Will Lead to Censorship

EFF update

2 months 3 weeks ago

Congress has begun debating the TAKE IT DOWN Act (S. 146), a bill that seeks to speed up the removal of a troubling type of online content: non-consensual intimate imagery, or NCII. In recent years, concerns have also grown about the use of digital tools to alter or create such images, sometimes called deepfakes.

While protecting victims of these heinous privacy invasions is a legitimate goal, good intentions alone are not enough to make good policy. As currently drafted, the Act mandates a notice-and-takedown system that threatens free expression, user privacy, and due process, without addressing the problem it claims to solve.

The Bill Will Lead To Overreach and Censorship

S.B. 146 mandates that websites and other online services remove flagged content within 48 hours and requires “reasonable efforts” to identify and remove known copies. Although this provision is designed to allow NCII victims to remove this harmful content, its broad definitions and lack of safeguards will likely lead to people misusing the notice-and-takedown system to remove lawful speech.

take action

"Take It Down" Has No real Safeguards

The takedown provision applies to a much broader category of content—potentially any images involving intimate or sexual content—than the narrower NCII definitions found elsewhere in the bill. The takedown provision also lacks critical safeguards against frivolous or bad-faith takedown requests. Lawful content—including satire, journalism, and political speech—could be wrongly censored. The legislation’s tight time frame requires that apps and websites remove content within 48 hours, meaning that online service providers, particularly smaller ones, will have to comply so quickly to avoid legal risk that they won’t be able to verify claims. Instead, automated filters will be used to catch duplicates, but these systems are infamous for flagging legal content, from fair-use commentary to news reporting.

TAKE IT DOWN creates a far broader internet censorship regime than the Digital Millennium Copyright Act (DMCA), which has been widely abused to censor legitimate speech. But at least the DMCA has an anti-abuse provision and protects services from copyright claims should they comply. This bill contains none of those minimal speech protections and essentially greenlights misuse of its takedown regime.

Threats To Encrypted Services

The online services that do the best job of protecting user privacy could also be under threat from Take It Down. While the bill exempts email services, it does not provide clear exemptions for private messaging apps, cloud storage, and other end-to-end encrypted (E2EE) services. Services that use end-to-end encryption, by design, are not able to access or view unencrypted user content.

How could such services comply with the takedown requests mandated in this bill? Platforms may respond by abandoning encryption entirely in order to be able to monitor content—turning private conversations into surveilled spaces.

In fact, victims of NCII often rely on encryption for safety—to communicate with advocates they trust, store evidence, or escape abusive situations. The bill’s failure to protect encrypted communications could harm the very people it claims to help.

Victims Of NCII Have Legal Options Under Existing Law

An array of criminal and civil laws already exist to address NCII. In addition to 48 states that have specific laws criminalizing the distribution of non-consensual pornography, there are defamation, harassment, and extortion statutes that can all be wielded against people abusing NCII. Since 2022, NCII victims have also been able to bring federal civil lawsuits against those who spread this harmful content.

As we explained in 2018:

If a deepfake is used for criminal purposes, then criminal laws will apply. If a deepfake is used to pressure someone to pay money to have it suppressed or destroyed, extortion laws would apply. For any situations in which deepfakes were used to harass, harassment laws apply. There is no need to make new, specific laws about deepfakes in either of these situations.

The mishandling of this information could lead to such significant and varied abuses that they are impossible to detail.

What’s in OPM’s Databases?

The data housed by OPM is extraordinarily sensitive for several reasons. The federal government is the nation’s largest employer, and OPM’s records are one of the largest, if not the largest, collection of employee data in the country. In addition to personally identifiable information such as names, social security numbers, and demographics, it includes work experience, union activities, salaries, performance, and demotions; health information like life insurance and health benefits; financial information like death benefit designations and savings programs; and classified information nondisclosure agreements. It holds records for millions of federal workers and millions more Americans who have applied for federal jobs.

The mishandling of this information could lead to such significant and varied abuses that they are impossible to detail. On its own, DOGE’s unchecked access puts the safety of all federal employees at risk of everything from privacy violations to political pressure to blackmail to targeted attacks. Last year, Elon Musk publicly disclosed the names of specific government employees whose jobs he claimed he would cut before he had access to the system. He has also targeted at least one former employee of Twitter. With unrestricted access to OPM data, and with his ownership of the social media platform X, federal employees are at serious risk.

And that’s just the danger from disclosure of the data on individuals. OPM’s records could give an overview of various functions of entire government agencies and branches. Regardless of intention, the law makes it clear that this data is carefully protected and cannot be shared indiscriminately.

In late January, OPM reportedly sent about two million federal employees its "Fork in the Road" form email introducing a “deferred resignation” program. This is a visible way in which the data could be used; OPMs databases contain the email addresses for every federal employee.

How the Privacy Act Protects Americans’ Data

Under the Privacy Act of 1974, disclosure of government records about individuals generally requires the written consent of the individual whose data is being shared, with few exceptions.

Congress passed the Privacy Act in response to a crisis of confidence in the government as a result of scandals including Watergate and the FBI’s Counter Intelligence Program (COINTELPRO). The Privacy Act, like the Foreign Intelligence Surveillance Act of 1978, was created at a time when the government was compiling massive databases of records on ordinary citizens and had minimal restrictions on sharing them, often with erroneous information and in some cases for retaliatory purposes.

These protections were created the last time Congress rose to the occasion of limiting the surveillance powers of an out-of-control President.

Congress was also concerned with the potential for abuse presented by the increasing use of electronic records and the use of identifiers such as social security numbers, both of which made it easier to combine individual records housed by various agencies and to share that information. In addition to protecting our private data from disclosure to others, the Privacy Act, along with the Freedom of Information Act, also allows us to find out what information is stored about us by the government. The Privacy Act includes a private right of action, giving ordinary people the right to decide for themselves whether to bring a lawsuit to enforce their statutory privacy rights, rather than relying on government agencies or officials.

It is no coincidence that these protections were created the last time Congress rose to the occasion of limiting the surveillance powers of an out-of-control President. That was fifty years ago; the potential impact of leaking this government information, representing the private lives of millions, is now even more serious. DOGE and OPM are violating Americans’ most fundamental privacy rights at an almost unheard-of scale.

OPM’s Data Has Been Under Assault Before

Ten years ago, OPM announced that it had been the target of two data breaches. Over twenty-million security clearance records—information on anyone who had undergone a federal employment background check, including their relatives and references—were reportedly stolen by state-sponsored attackers working for the Chinese government. At the time, it was considered one of the most potentially damaging breaches in government history.

DOGE employees likely have access to significantly more data than this. Just as an example, the OPM databases also include personal information for anyone who applied to a federal job through USAJobs.gov—24.5 million people last year. Make no mistake: this is, in many ways, a worse breach than what occurred in 2014. DOGE has access to ten more years of data; it likely includes what was breached before, as well as significantly more sensitive data. (This is not to mention that while DOGE has access to these databases, they reportedly have the ability to not only export records, but to add them, modify them, or delete them.) Every day that DOGE maintains its current level of access, more risks mount.

EFF Fights for Privacy

EFF has fought to protect privacy for nearly thirty-five years at the local, state, and federal level, as well as around the world.

We have been at the forefront of exposing government surveillance and invasions of privacy: In 2006, we sued AT&T on behalf of its customers for violating privacy law by collaborating with the NSA in the massive, illegal program to wiretap and data-mine Americans’ communications. We also filed suit against the NSA in 2008; both cases arose from surveillance that the U.S. government initiated in the aftermath of 9/11. In addition to leading or serving as co-counsel in lawsuits, such as in our ongoing case against Sacramento's public utility company for sharing customer data with police, EFF has filed amicus briefs in hundreds of cases to protect privacy, free speech, and creativity.

EFF’s fight for privacy spans advocacy and technology, as well: Our free browser extension, Privacy Badger, protects millions of individuals from invasive spying by third-party advertisers. Another browser extension, HTTPS Everywhere, alongside Certbot, a tool that makes it easy to install free HTTPS certificates for websites, helped secure the web, which has now largely switched from non-secure HTTP to the more secure HTTPS protocol.

EFF is glad to join the brigade of lawsuits to protect this critical information.

EFF also fights to improve privacy protections by advancing strong laws, such as the California Electronic Communications Privacy Act (CalECPA) in 2015, which requires state law enforcement to get a warrant before they can access electronic information about who we are, where we go, who we know, and what we do. We also have a long, successful history of pushing companies, as well, to protect user privacy, from Apple to Amazon.

What’s Next

The question is not “what happens if this data falls into the wrong hands.” The data has already fallen into the wrong hands, according to the law, and it must be safeguarded immediately. Violations of Americans’ privacy have played out across multiple agencies, without oversight or safeguards, and EFF is glad to join the brigade of lawsuits to protect this critical information. Our case is fairly simple: OPM’s data is extraordinarily sensitive, OPM gave it to DOGE, and this violates the Privacy Act. We are asking the court to block any further data sharing and to demand that DOGE immediately destroy any and all copies of downloaded material.

You can view the press release for this case here.

Jason Kelley