You Should Not Trust Russia’s New “Trusted Root CA”

3 months 1 week ago

Last week, Russian citizens began receiving instructions from their government’s Ministry of Digital Development and Communications to either download a government-approved web browser or change their basic browser settings.

On the one hand, these changes may be necessary for Russians to access government services and websites impacted by international sanctions. Nonetheless, it is a worrying development: the Russian state’s stopgap measure to keep its services running also enables spying on Russians, now and in the future.

The Internet governance entities ICANN and RIPE rejected Ukraine’s requests to revoke Russian top-level domains, access to Domain Name System root servers, and its IP addresses. However, international sanctions have heavily impacted Russia’s internet infrastructure. In part, this has happened because Certificate Authorities (CAs), the trusted notaries that underpin data security on the web, have begun refusing orders from domains ending in “.ru”, and have revoked certificates from Russia-based banks. Because international CAs like DigiCert and Sectigo have largely stopped working for Russian websites, the Russian government has stepped in and suggested that citizens install its “Russian Trusted Root CA.”

While the capabilities of Russia’s new root certificate authority are not completely clear, the certificate is valid for ten years. It has the capability not just to issue certificates for domains; it can also inspect the traffic of the users who communicate with those domains.

The new “Russian Trusted Root CA” won’t expire for 10 years

Although this new state-sponsored root CA was apparently prompted by the international sanctions against Russia, the Russian government has long shown signs of wanting more control over internet infrastructure. Russia passed a “sovereign internet” censorship law in 2019, and last year the Russian government ran a test to see if it could disconnect from the global internet.

The internet isn’t just transmission lines and data centers. Internet infrastructure also includes technical services like Domain Name System resolvers, CAs, internet gateways, and domain registries. It will be difficult for the Russian state to create entirely domestic, state-controlled versions of all of these services. But the incentives to try are growing. For example, networking hardware manufacturer Cisco recently cut ties with Russian firms in response to the invasion of Ukraine, making it clear that Russia can’t count on Cisco to aid in domestic surveillance and censorship. (Ironically, Cisco has had no compunctions about assisting other regimes with censorship, and indeed had a central role in developing the custom technology needed to build China’s “Great Firewall.”)

Some version of a self-contained national internet—a so-called “splinternet”—may be described in terms of domestic self-reliance, but it inevitably comes with opportunities for state surveillance. Russia isn’t the first country to try this. In 2019, Kazakhstan attempted dragnet surveillance with its own root certificate. The Iranian state has proposed a bill to control “international gateways,” so the country’s outbound traffic would be directed through an ad hoc agency controlled by the armed forces and security agencies. In the EU there’s a proposal to mandate government CAs in browsers, with no ability to challenge or guarantee browser security and autonomy - in the name of user safety. These are all attempts to create borders within the internet, and they set dangerous templates for other governments to execute.

We do not know when or if Russia will disconnect itself from the foreign internet—or if that’s even possible. But for the people of Russia, including the many who oppose the invasion of Ukraine, digital security has already been put at risk. The certificate authority Russians have been instructed to install paves the way for a decade of digital surveillance, with the power to bypass the cryptographic privacy measures every internet user relies on.

Alexis Hancock

Podcast Episode: Watching the Watchers

3 months 1 week ago

Imagine being detained by armed agents whenever you returned from traveling outside the country. That’s what life became like for Academy Award-winning filmmaker Laura Poitras, who was placed on a terrorist watch-list after she made a documentary critical of the U.S. invasion and occupation of Iraq. Poitras was detained close to 100 times between 2006 and 2012, and border agents routinely copied her notebooks and threatened to take her electronics. 

It was only after Poitras teamed up with EFF to sue the government that she was able to see evidence of the government’s six-year campaign of spying on her. This week on our podcast, Poitras joins EFF’s Cindy Cohn and Danny O’Brien to talk about her continuing work to uncover spying on journalists, and what we can do to fight back against mass surveillance. 


You can also find the MP3 of this episode on the Internet Archive. In this episode, you’ll learn about:

  • What life was like for Poitras when she was placed on a terror watch list and put under FBI surveillance
  • Why security is a “team sport,” and what we can all do to protect ourselves as well as more vulnerable people  
  • Poitras’ new work about the NSO Group, an Israeli spyware company that has been accused of facilitating human rights abuses worldwide
  • What legal strategies can be used to push back on mass surveillance
  • The role of whistleblowers like Edward Snowden and human rights activists in uncovering spying abuses, and how they can be better protected
  • The laws that we need to protect professional journalists and citizen journalists in an age where anyone can record the news 

Laura Poitras is a filmmaker, journalist, and artist. Citizenfour, the third installment of her post-9/11 Trilogy, won the 2014 Academy Award for Best Documentary. 

Poitras’ reporting on NSA global mass surveillance, based on Edward Snowden’s disclosures, won the George Polk Award for national security journalism, and the 2014 Pulitzer Prize for Public Service, together with The Guardian and Washington Post.



Music for How to Fix the Internet was created for us by Reed Mathis and Nat Keefe of BeatMower. 

This podcast is licensed Creative Commons Attribution 4.0 International, and includes the following music licensed Creative Commons Attribution 3.0 Unported by their creators: 

  • Come Inside by Snowflake (c) copyright 2019 Licensed under a Creative Commons Attribution (3.0) license. Ft: Starfrosch, Jerry Spoon, Kara Square, spinningmerkaba
  • Kalte Ohren by Alex (c) copyright 2019 Licensed under a Creative Commons Attribution (3.0) license. Ft: starfrosch & Jerry Spoon. 
  • Come Inside by Zep Hurme (c) copyright 2019 Licensed under a Creative Commons Attribution (3.0) license. Ft: snowflake 
  • Drops of H2O ( The Filtered Water Treatment ) by J.Lang (c) copyright 2012 Licensed under a Creative Commons Attribution (3.0) license. Ft: Airtone. 

Laura Poitras:

It was very aggressive.  In one case, they confiscated my computer, and phones, and recording devices. Other cases, they would just threaten to do that. They would say, "This would all be much easier for you if you just give us your passwords and let us look at your electronics." Some cases they would say, "If you don't answer our questions, we'll find our answers on your electronic devices." 

So although this was happening as I continued to make work and continued to be stopped every time. I always ask questions. I always took notes, and they were not forthcoming in terms of why. Being watch listed is a process without any recourse, nobody asks for any evidence of why. You can’t mount a defense. 

Cindy Cohn: 

That's Laura Poitras, and she's our guest today. If her name is familiar, it's because she directed the Oscar winning documentary Citizenfour about the NSA and the whistleblower Edward Snowden.

Danny O’Brien: 

Laura watches the watchers. She turns her lens on those who surveil us. She knows firsthand what it feels like to be tracked by the government.


I'm Cindy Cohn, EFF's Executive Director.


I'm Danny O'Brien, special advisor to the Electronic Frontier Foundation. On this podcast, we help you understand the web of technology all around us, and explore solutions to build a better digital future. Welcome to How to Fix the Internet.


Well, Laura, thank you so much for coming to talk to us. I'm so looking forward to this conversation.


Yeah, it's great to see you, and to talk with you, Cindy. I'm such a huge admirer of EFF's work in protecting our privacy and securing the internet, and keeping it a place for free conversation and exchange of ideas.


Oh, thanks. Well, it's love, love all around here. So you are well known as someone who really likes to turn a lens on the people who are watching us. How did you get interested in this kind of viewpoint of watching the watchers?


I think a number of things happened right after 9/11, which one of the major things that the US government did in addition to its occupation of Iraq, and creating a secret prisons and Guantanamo Bay prison and torturing people was surveillance, was mass, global surveillance.

And this was decided in the immediate aftermath of 9/11. And we didn't know that at the time though, it wasn't something that the public was informed about, but it happened behind the scenes. And through my reporting, and over the years, and through the bravery of whistleblowers, we've learned more and more of how it was that the US government used 9/11 as an excuse to use mass surveillance, both internally and illegally against US citizens and then in global collection of communication.

And so it's been going back a long time. My work on looking at America post 9/11 began with a film I made about the US occupation of Iraq, and that I started filming in 2004 and released it two years later. And that film about the occupation became part of a trilogy. And the final part of the trilogy is Citizenfour, which is the film that you reference about Edward Snowden and the NSA.


But as part of this, you had the tables turned on you. Right? You became one of the people being watched at the border. Can you talk a little bit about what that was like?


I think we should say here that EFF has been very much a part of my learning about the US targeting. I was placed on a terrorist watch list after I made the film in Iraq. After it was finished, after I'd come home and released the film, I started being detained at airports, at US airports, both flying domestically and internationally.

And when I was detained, it was very aggressive. They provided very little context or information, even though I asked to know why I was being stopped. But it happened every time I boarded a plane or actually every time I returned home to the US, internationally. I would land. And they would ask everybody on the plane to show their passports before they could get off the plane. So this would take oftentimes 30 minutes, 40 minutes after a long flight. And then I would show my passport. And then I'd be escorted by armed agents, and taken into secondary screening, and questioned about my travel.

And I say that also, I think it's important to note that as extreme as it was, which was very extreme to be detained all the time every time I flew, particularly when I was doing journalistic work and they were threatening to take my electronics. They would copy my notebooks. As bad it was for me, I was in the privileged category of being a US citizen, and being a journalist.

I say that just to say that as extreme as it is for me, it's much more extreme for people of different nationalities, ethnicities, religions, et cetera.


Did you ever meet anyone else who was going through this same experience of being, as you say, not absolutely targeted, but obviously having to go through a rigmarole every time they went through the border?


Sure. There's a lot. I mean, if you are in secondary screening, I'd often start up conversations with people and they would say that it happened to them all the time. Often, rarely were there US citizens in secondary screening. Usually, it was people from other countries. Oftentimes, people would say that they're human rights workers, and it happens to them every time.

You can't find out anything of why it's happening to you. You can't present any evidence to stop it. And it continued from 2006 and then they stopped detaining me in 2012. So for six years, I was probably detained in airports close to 100 times.




This is part where we're watching the watchers. I've gotten to learn a lot more about their watch listing through my reporting and got, and I've had the ability to expose some of it through whistleblowers, such as Edward Snowden. And so when he released documents to myself and other journalists, one of the, of course, first things that I searched for it in the NSA archive was watch listing. And then there you see it. Reading an NSA agents talking about, "Here we are, we've started our new watch listing program. This is how it works. We've created this in the post 9/11 era to protect the Homeland.

And this is how you nominate people." And so watch listing as a verb. And so, seeing those documents and then being able to report on them and release on them. Other whistleblowers have come forward, so now the government can't deny that it has a watch listing program, but it's still, many people are caught up in it.


It took years of litigation, not only in your case but in a couple other cases we were tracking  and some others that we were tracking before the government even admitted they had a list and then they defended having the list.  It was a great honor to get to do the FOIA case for you. And we found some things out. So you want to talk about that a little bit?


Yeah, sure.  I was thrilled when I got my first FBI files, even though they were heavily redacted because it was evidence. Here it is, oh my God. They really were, they were watching me. We learned through the FOIA that there was a grand jury investigation, and that grand jury investigation included requests for my personal data from multiple organizations, which is all, they are all redacted. But we can assume that is all of the internet providers, probably any bank, any financial institutions that I did business with.

All of these records were obtained by the government. And this would've been in 2007. So this is many years before Edward Snowden contacted me. Many years. And in the aftermath of making the film about the occupation of Iraq.

And so the investigation, so it was a high level, counter terrorism investigation run out of the New York office. They sent FBI agents to my film screenings and reported back what I said. They collected massive amounts of all of my personal data. And I think one thing that's I think relevant is to say that this kind of classification, so I was on a terrorist watch list and clearly I was doing journalism.

I'm a filmmaker. This is what I do. And this kind of using of creating categories to define people so that they can be separated from their rights, basically, and we see this in the case of Julian Assange and WikiLeaks, when they classified them as a hostile intelligence agency. We're seeing it now with civil society groups in Palestine, the six groups that have recently been reclassified as terrorist groups.

I mean, these are directly to silence, to open people for all kinds of investigation, potentially prosecution. Obviously, full surveillance. They considered me a terrorist, and all I was doing was making films.


The National Security folks, they don't get any points for letting somebody off the list. They only get points for putting people on the list. I points. I don't mean that literally. I just mean that their endeavor is about trying to put as many people into that category as they can. Backing people out of it is something that they didn't appear to even have a real process to do before the litigation happened.

And the list just got longer and longer. They only got caught, honestly, for some of the things that they did. I think you're a good example of somebody who didn't look like what the American people thought a terrorist should look like. I think at one point, one of the Kennedys ended up on one of the lists.

And so that made some news. But it really does show that you need people who are watching the watchers, and you need checks and balances around this thing. One of the things that I think I sometimes wonder, if Mr. Snowden hadn't come along and you hadn't gotten the Oscar, would we have been able to get you off of these lists?


I think it's true. There was a long time where I thought it was very likely I'd be indicted and/or never be able to return to the United States. I mean, when I started reporting on the NSA and when Snowden came forward, I just thought this is okay. And the evidence supports that. I mean, we have, there's the recent reporting from Yahoo News that focuses on the CIA's war against WikiLeaks.

But in that it reports that the CIA also were advocating to label myself and Glenn Greenwald as information brokers, that we're not journalists, we're information brokers. And that therefore we are subject to potential prosecution and certainly for complete surveillance. And so I think it's important that when we started this reporting to set the stage for this, that I do, I think the media absolutely failed in the aftermath of 9/11 to, in its duty to do adversarial journalism.

And I think that one of the tipping points was WikiLeaks and Chelsea Manning's release where all of a sudden the news media had to confront that, okay, there are war crimes happening in these occupations of Iraq and Afghanistan. And then in the case of then three years later, Ed comes forward. The government tried to shut this down. I mean, they told the Guardian and the Washington Post, "You can't publish this, this is a threat to national security." And we went forward and published it.


When we launched the Hepting case, which is the predecessor to the Jewel case about the NSA spying, we had evidence of the AT&T facility in downtown San Francisco being used as part of this mass surveillance program. And the government's efforts to suppress it were not subtle.  So, this isn't subtle stuff. And the way that the secrecy tends to grow and metastasize and then take steps to protect itself is one of the things that really makes it hard for, I think, democracy to work. Right? For people to know what the government is doing in their name, which has to be fundamental to a society that considers itself self-governing.


Yeah. I mean, there's a scene in Citizenfour, which is EFF arguing the Jewel case in, at the Ninth Circuit where you have the government coming forward making this argument how the extreme danger would pose to allow even the case to go forward. Right? The state secrets privilege that you can't even bring a case. Right? You can't even argue the merits, because for the government to have to argue the merits would be a violation of state secrets privilege. I mean, it's so obscene.

Your work documenting surveillance and specifically the surveillance of people involved in journalism continues. So, let's talk a little bit about the NSO Group and the work that you've been doing there.


I just finished a short film called Terror Contagion and that film follows an investigation into NSO Group that's being conducted by Forensic Architecture. And this is an organization, a research agency in London that exposes state and corporate violence. And this is an investigation that they undertook is to look at the links between digital violence and physical violence.

And they undertook it for very personal reasons because many of the people who work at Forensic Architecture have their very close colleagues and collaborators have been targeted with Pegasus, which is the malware the, or the cyber weapon that's been developed and sold by the NSO group, which is an Israeli cyber weapons manufacturer. It's a film that I made. And it's an investigation that we did that we began during the lockdown last year, and continues to reveal itself in just in terms of all of its darkness.

I mean, so Pegasus is notorious for being used by governments and targeting journalists, lawyers, and human rights defenders around the world. The most disturbing case is the link between Pegasus and the assassination of Jamal Khashoggi by the Saudi government. So in that case, one of Khashoggi's very close collaborators was targeted with Pegasus.

They were doing political organizing. And Khashoggi was later lured into the embassy, brutally butchered, literally butchered. And then in recent reporting through the Pegasus Project, we've learned that also his fiancée and other close associates were then later targeted with Pegasus.

So, this is a film about the NSO group that this company that it's just been linked with horrible violations. And it reminds me very much of how in the context of post 9/11 American foreign policy, how the US government used companies like Blackwater, private companies like Blackwater and other private mercenary groups to do their dirty work.



And so they're hired. They come in, they're completely non-accountable. And do the bidding of states. And so I think there's something very similar to how this kind of digital violence is that private sector, weapons grade level, cyber weapons being used to target dissidents, human rights defenders, lawyers, journalists. This is a private sector that absolutely needs to be regulated. This needs to stop.


This has been known by governments, by spy agencies, by other people for a very long time. But yet I think for ordinary folks, it's hard to see until someone like you comes along and tries to really make it real.


I mean, I would frame that a little bit differently, Cindy, because I feel that in, if you look historically at people who are dissidents and have exposed power, it doesn't, it's not an abstraction. This, it's physical, it's in your head. I mean, one of the things that really came forward in these interviews we did with people who'd been targeted with Pegasus is the violation, the violation that you don't know who you can speak to. The sense that you are concerned that you are a vector for violence for your friends and colleagues or sources. Right?

And so you have journalists who immediately their first thought is, "Oh my God, what about my sources?" So I don't think it's this kind of a threat that's not palpable. I think the threat is very palpable. 


But you're right, for people who are targeted by it, it's a very, very powerful tool. And we have some things that we can do to help protect people, but we really need to do more. EFF has been involved in a bunch of cases around both government use of surveillance technology and when do you hold a company responsible for it?

And the courts have been terrible at really recognizing these harms. And I think understanding how this works is one of the critical pieces for how we build a better society, and recognizing the harm that comes from being watched all the time. Whether that's in a commercial context or these kinds of much more dangerous, physically dangerous situations involving journalists and whistleblowers, and human rights activists is one of the things that we have to really understand as a society. So we can build rules that really protect against these harms.


“How to Fix the Internet” is supported by The Alfred P. Sloan Foundation’s Program in Public Understanding of Science and Technology. Enriching people’s lives through a keener appreciation of our increasingly technological world and portraying the complex humanity of scientists, engineers, and mathematicians.


Well, we are all about at least trying to chart a way to a better future in this environment. One thing that you have touched upon is that journalism and reporting is developing tools to make these networks more visible. Do you think that there is an opportunity here for reporting done well to begin to shine a light on networks and approaches that states have used for hundreds of years, and make them something that at least people can see in front of them?


I think journalists are key to exposing these kinds of abuse of power. I mean, organizations like Citizen Lab that have been really at the forefront of tracking NSO Group and the use of Pegasus. I mean, that's people using digital expertise to hold governments accountable. I mean, all this is really, it's crucial and should be supported. And then again, I'd go back to the essential role of whistleblowers who make the choice to risk their freedom and/or their lives to expose information that the public should know. It's unfortunate that these are the systems that we're relying on. We're relying on independent journalism, we're relying on whistleblowers putting their lives on the line to expose these kinds of abuses of power.


You've been tracking this for so long you'll know that for every whistleblower that hits the headlines like Ed Snowden or Chelsea Manning, there are dozens who provide just as useful information but don't get that kind of coverage. Either because people don't understand it is what they're saying or that they're actively harassed or discredited by governments. I do think that there's a possibility that the technologies that we are bringing out to distribute information makes the whistleblower's job a little bit easier in the modern age.


It’s tough. I would say, and I'm sure that you two guys say this to your listeners, the importance of using encryption technology to protect your information. That everybody should download Signal, and have Wire, and use these tools both because you want to protect your privacy on an individual level, but also provide solidarity for those who also need to protect their information. And so the more people that use these technologies, the better.


Yeah. We at EFF, we say security is a team sport. And I think that that's really true about encrypted communication things, and the development of things like SecureDrop as a way for people to get information to journalists without creating as clear a trail back to them. I see, I think encryption is great. Of course, that means that in our future we've protected encryption and it's not under attack all the time.

It also means that we've done something about the governmental secrecy problem. We live in a world now where people don't have any secrets, only the government has secrets. And we need to flip that back around. Right? And we can do that. I mean, that's a hard political lift, but it's not a difficult thing to articulate what it would look like if governments had less secrecy and people had more privacy. 


Let's dream a little. If we got all these things done, what would it be like for someone like you who's doing coverage? What would it be like for journalists and dissidents in making their way? How would all of our lives be better if we were able to make these changes?


I mean, to begin with, whistleblowers wouldn't have to risk their lives or risk prison to communicate information that the public should know. The public has a right to know. That should just not be the system where we learn about things like watch lists and government mass surveillance at the scale that we know of it because of Edward Snowden.

So, maybe my problem is I can't just jump to this kind of any kind of utopian future. But let's have investigations into crimes that were committed in the last 20 years. To me, that would be a great start. Let's release the torture report in its entirety. Let's reveal the war crimes that have been committed. Let's hold people accountable, or at least release the information so the public knows.


We don't need deep thinking about what we need to do to fix it. We just need the political will to do it. But protecting whistleblowers, reducing secrecy, creating accountability are all very straightforward. Whistleblowers are the last... It's like protest. Right? That both whistle blowing and protests are things that you need to have when the systems aren't functioning. Right? They should be the escape valves for malfunctioning systems rather than the only way to make things go forward. So when you're at the point where you have whistleblowers and people taking to the streets in protest, that's a sign that the system itself isn't functioning and we should treat it as such.


I would reframe that also. I mean, this is not a country that ever had systems of democracy that served everyone. Right? As we know, it's a society that's built on violence. And so there's never returning to any kind of past that had a sense of justice.


Well, that’s a fair point. 


Yeah. One of the things I got from what Cindy was just saying, there is what we're seeing now is the signs of a failing system. That you have whistleblowers and you have big exposes because the existing system isn't working. But I think one of the saddest things about what we see is that people have to conduct such heroics and have to be presented in this sort of way of being individual freedom fighters when this should just be something that is limited from the very get-go. What do you think is the role of a journalist in trying to move to a society which doesn't need these heroics?


Okay. So I'll try and be a bit more positive. Things that I do think we should look at as positives of this era, for instance, citizen journalists. I don't think we would have a movement, a racial justice movement in this country without citizen journalists. This was not being covered by our mainstream news organizations until journalists that were living in communities that were subjected to violence came forward with evidence and they're able to do it directly without a gatekeeper. Right?

It's not a coincidence that Edward Snowden reached out to myself, a documentary filmmaker and Glenn Greenwald. We were not part of the establishment. And he knew that he needed to work with journalists that weren't going to buckle. And I do think that examples like that or examples like the young woman who filmed the brutal murder of George Floyd. I mean, she's a journalist. I mean, she changed history, what she did. And it wasn't that our news organizations were following those stories. But those stories were happening every day in communities.


And I think what that means is that we not only have to shore up the legal protections for traditional journalists with a federal reporter shield, but we actually have to expand that out to anyone who is conducting acts of journalism. 


And that's the way it works under the California Shield law. So we have models for this. It's the act of journalism is the thing that gets protected, not the status of the human being. And I think that's a really smart insight that now that we all have in our hands devices that can record the news, then we need to protect all the people who can record the news who do that for us.


I absolutely agree with that. Of course, these are the people that the government most wants to peel off when it provides, when they're talking about protections of journalists. I mean, we have this with Julian Assange case where he's, where you have a publisher being targeted under the Espionage Act.


So the other part of this that seems to come through is a failure of due process. Right? That we have secret courts, and we have this entire world of classified government action, which doesn't get the same kind of oversight and the same kind of justice to the people it mistreats. I mean, this is actually a question to both of you. Is there a model where you can see that we can restore some kind of, or even improve due process in a digital age, in this when governments, or even individuals have this huge level of technological ability to disrupt people's lives?


Yeah. I don't have a lot of faith in our systems, but I just don't.


I mean, there's plenty of things we could do. I have been arguing in court for a long time that the Foreign Intelligence Surveillance Act lets you bring litigation if you are improperly targeted or affected by government surveillance. If we lift the secrecy shroud over that litigation that we do in Jewel, or in the Fazaga case that's in front of the United States Supreme Court, then we'll create a system of accountability for illegal spying. It's there in the law.

We need to read the law the right way and apply it. And again, clear talk about who's a journalist, or what who's doing journalism and what kind of protections they get? Who's doing whistle blowing, and what kind of protections they get? These are all, these are all situations in which what we need is the political will. So yeah, I got lots of solutions, most of them are legal in this particular realm. Some are technical, like encrypt all the things. But what we really need is, frankly, people like Laura and others who continue to bring this to popular attention because that's how you get the political will.


Yeah. I mean, I don't know political will. I guess my work is looking at the egregious violence and abuses of US empire, and I don't know that political will is going to provide any meaningful to somebody whose family has been killed in a drone strike. I think we, as a country, we need to reckon with those crimes.


Well, I think that's very fair.


So there are some forms of state violence, state actions that have perceived as beyond the pale. And that doesn't mean that they don't happen. It means that they have to happen in secret. Right? So gas attacks, chemical weapons, all of these things. Do you think that there are certain forms of surveillance and mass surveillance that should be put into that category so that even states under the greatest kind of duress simply can't use that technology?


Should these technologies be banned? Yeah. I mean, I think they've been abused. I mean, I don't think we need... I don't think they keep people safer and we shouldn't collect people's... We shouldn't do bulk, mass surveillance evidence free so that we can have big repositories in Utah. Yeah. I think that should end. It doesn't make anyone safer and it's absolutely been proven to be a violation.


Laura, I so respect that you're still in this fight and that you're continuing to look for ways to shine the light on the watchers. It is a joy and a pleasure to get to feel like we're in this fight together. And thank you so much for coming on and talking with us and giving us a little glimpse into where things have been and where they are now.


Thanks, Cindy. And thank you for the work you all do at EFF.


Thank you... 


Well, I think we have to admit on the show that some problems are harder to fix than others. And pervasive mass state surveillance is a huge problem, and we need a lot of political will and a lot of people working together to try and solve it. And can't just depend on the whistleblowers that Laura covers. And frankly, Laura's amazing work over 20 years to do this on its own.


But we also see that we can't solve the problems without having a good picture of the problems. And making these problems visible is what Laura has done so well for so long. We have a better understanding of the shape of surveillance based upon her work, both physically and what it feels like to be surveilled.


One of the things that came out of just talking to Laura directly is how scary it is to be targeted in this way, how it impacts people's lives, and also the people around them. Again, the one thing that you have to keep conveying to people about the consequences of surveillance is that it's all very well to say that you have nothing to hide, but when you're spied upon, everybody that's connected to you gets spied upon. And if we don't push back, the most vulnerable people in society, the people that actually keep really massive violations of human rights and illegality in check, they're the people who get most affected.


And I think that Laura's perspective is always very international. And so we see how the problems of mass surveillance are really the problems of the way that nation states interact with each other and interact with people who criticize them. And so we can talk a lot about the United States and what the US does domestically to people like Laura.

But I think she always reminds us that people who are not in America, not in American systems are more targeted by these kinds of systems, and that the problem really does require an international focus and not just a US focus. 

The other thing that became really clear is how much we need to protect whistleblowers, how much we need to lift the veil of secrecy, and make sure that you don't have to be a hero in order to be a whistleblower. You don't have to take extraordinary risks to be somebody who's pointing out where either a government or a powerful company is doing something that's wrong.

But it's also clear that we need non heroic people, too. We need people who aren't going to take those kinds of risks to be protected as well. And to be able to go about their day or to support this kind of change without finding themselves or risking that they're going to be targeted, too.


We have to make fighting surveillance something that everyone can do, rather than relying on the people who put their lives at risk to illustrate it. 


Well, thank you very much to Laura Poitras. 


If you've enjoyed this, please visit where you'll find more episodes. You can learn about the issues, and you can donate to become an EFF member and lots more.

Members are the only reason we can do this work. Plus you can get cool stuff like an EFF hat or an EFF hoodie, or even an EFF camera cover for your laptop.

Music for How to Fix the Internet was created for us by Reed Mathis and Nat Keefe of BeatMower. This podcast is licensed Creative Commons Attribution 4.0 International, and includes music licensed Creative Commons Attribution 3.0 Unported by their creators. You can find those creators names and links to their music in our episode notes, or on our website at

How to Fix the Internet is supported by the Alfred P. Sloan foundation's program in public understanding of science and technology. I'm Danny O'Brien.


And I'm Cindy Cohn.


Joe Mullin

EFF Asks Federal Appellate Court to Re-hear Important Patent Transparency Case

3 months 1 week ago

After pushing for more than three years to access court records in a lawsuit brought by a notorious patent troll, Uniloc, against Apple, EFF is challenging a federal appellate court’s decision that imperils the public’s ability to understand what happens in patent litigation.

Last month, the U.S. Court of Appeals for the Federal Circuit overruled the district court’s decision to grant public access to records documenting the legal fight. The court ruled that the public had no interest in accessing the records, which contained information about patent licenses.

We disagree with the ruling, and believe it will close off public access to future patent disputes. That’s why EFF challenged the Federal Circuit’s decision on Friday, petitioning for re-hearing by the panel or the entire court.

Our petition argues that the Federal Circuit’s decision is contrary to law and harmful to the integrity of the judicial system. The records Uniloc is trying to seal were filed with Apple’s motion to dismiss the case—a motion that convinced the district court to do just that. In a prior appeal, the Federal Circuit confirmed that there is a strong presumption of public access to documents filed with this kind of important motion, including some of the same records at issue in this most recent appeal. 

That decision was binding law that the panel in this appeal was obligated to follow. Instead, two of the three judges ignored it and found no presumption or right of public access to these records. The remaining judge wrote a vociferous dissent, emphasizing that the public’s right of access to court records such as these is “sacrosanct,” and explaining why the district court’s decision should stand.

The panel majority reached the opposite conclusion because it failed to apply the legal presumption of public access correctly. Instead of recognizing the central role these records played in the judicial process, the two judges created a new exception based on the type of information the records contain—basic information about Uniloc’s patent licenses.

As our brief argues, that ruling “turned the presumption of public access on its head: instead of treating the public’s right to access dispositive court records as sacrosanct, it sanctified the secrecy of patent licensing information.”

The petition also argues that the panel decision will harm the public’s ability to access court more broadly. “The panel’s legal errors must not be taken lightly: excessive sealing is a pervasive problem in patent cases,” we wrote.

This case highlights the pervasive problem: both Uniloc and Apple—opposing parties in the underlying court fight—agreed with each other to block out the public and keep these records secret.

This posture often leaves the public with no advocate for transparency. And if courts give litigants all the secrecy they desire, the public will not be able to observe, understand, or trust court decisions. 

Public access to court records promotes the integrity of the judicial system. That’s why EFF believes the Federal Circuit’s flawed decision cannot go unchallenged and uncorrected. We hope a majority of the judges on the panel or full court recognize that and intervene. Whatever they do, EFF will continue fighting to protect the public’s right of access to court records and proceedings.

Related Cases: Uniloc v. Apple
Alex Moss

The Foilies 2022

3 months 1 week ago
Recognizing the year's worst in government transparency.

The Foilies were compiled by the Electronic Frontier Foundation (Director of Investigations Dave Maass, Senior Staff Attorney Aaron Mackey, Frank Stanton Fellow Mukund Rathi, Investigative Researcher Beryl Lipton, Policy Analyst Matthew Guariglia) and MuckRock (Co-Founder Michael Morisy, Senior Reporting Fellows Betsy Ladyzhets and Dillon Bergin, and Investigations Editor Derek Kravitz), with further review and editing by Shawn Musgrave. Illustrations are by EFF Designer Caitlyn Crites. The Foilies are published in partnership with the Association of Alternative Newsmedia.

Each year during Sunshine Week (March 13-19), The Foilies serve up tongue-in-cheek "awards" for government agencies and assorted institutions that stand in the way of access to information. The Electronic Frontier Foundation and MuckRock combine forces to collect horror stories about Freedom of Information Act (FOIA) and state-level public records requests from journalists and transparency advocates across the United States and beyond. Our goal is to identify the most surreal document redactions, the most aggravating copy fees, the most outrageous retaliation attempts, and all the other ridicule-worthy attacks on the public's right to know.

And every year since 2015, as we're about to crown these dubious winners, something new comes to light that makes us consider stopping the presses.

As we were writing up this year's faux awards, news broke that officials from the National Archives and Records Administration had to lug away boxes upon boxes of Trump administration records from Mar-a-Lago, President Trump's private resort. At best, it was an inappropriate move; at worst, a potential violation of laws governing the retention of presidential records and the handling of classified materials. And while Politico had reported that when Trump was still in the White House, he liked to tear up documents, we also just learned from journalist Maggie Haberman's new book that staff claimed to find toilets clogged up with paper scraps, which were potentially torn-up government records. Trump has dismissed the allegations, of course. 

This was all too deliciously ironic considering how much Trump had raged about his opponent (and 2016 Foilies winner) Hillary Clinton's practice of storing State Department communications on a private server. Is storing potentially classified correspondence on a personal email system any worse than hoarding top secret documents at a golf club? Is "acid washing" records, as Trump accused Clinton, any less farcical than flushing them down the john? 

Ultimately, we decided not to give Trump his seventh Foilie. Technically he isn't eligible: his presidential records won't be subject to FOIA until he's been out of office for five years (releasing classified records could take years, or decades, if ever).

Instead, we're sticking with our original 16 winners, from federal agencies to small town police departments to a couple of corporations, who are all shameworthy in their own rights and, at least metaphorically, have no problem tossing government transparency in the crapper.

The C.R.E.A.M. (Crap Redactions Everywhere Around Me) Award - U.S. Marshals

Courtesy Jason Leopold, BuzzFeed News

The Wu‐Tang Clan ain’t nothing to F’ with…unless the F stands for FOIA.

Back in 2015, Wu-Tang Clan produced Once Upon a Time in Shaolin, but they only produced one copy and sold it to the highest bidder: pharma-bro Martin Shkreli, who was later convicted of securities fraud.

When the U.S. Marshals seized Shkreli's copy of the record under asset forfeiture rules, the Twitterverse debated whether you could use FOIA to obtain the super secretive album. Unfortunately, FOIA does not work that way. However, BuzzFeed News reporter Jason Leopold was able to use the law to obtain documents about the album when it was auctioned off through the asset forfeiture process. For example, he got photos of the album, the bill of sale, and the purchase agreement.

But the Marshals redacted the pictures of the CDs, the song titles, and the lyric book citing FOIA's trade secrets exemption. Worst of all, they also refused to divulge the purchase price–even though we're talking about public money. And so here we are, bringing da motherfoia-ing ruckus.

(The New York Times would later reveal that PleasrDAO, a collective that collects digital NFT art, paid $4 million for the record.)

Wu-Tang's original terms for selling the album reportedly contained a clause that required the buyer to return all rights in the event that Bill Murray successfully pulled off a heist of the record. We can only daydream about how the Marshals would've responded if Dr. Peter Venkman himself refiled Leopold's request.

The Operation Slug Speed Award - U.S. Food and Drug Administration

The federal government’s lightning fast (by bureaucratic standards) timeline to authorize Pfizer’s COVID-19 vaccine lived up to its Operation Warp Speed name. But the Food and Drug Administration gave anything but the same treatment to a FOIA request seeking data about that authorization process.

55 years - that’s how long the FDA, responding to a lawsuit by doctors and health scientists, said it would take to process and release the data it used to authorize the vaccine. And yet, the FDA needed only months to review the data the first time and confirm that the vaccine was safe for the public.

The estimate was all the more galling because the requesters want to use the documents to help persuade skeptics that the vaccine is safe and effective, a time-sensitive goal as we head into the third year of the pandemic.

Thankfully, the court hearing the FOIA suit nixed the FDA’s snail’s pace plan to review just 500 pages of documents a month. In February, the court ordered the FDA to review 10,000 pages for the next few months and ultimately between 50,000-80,000 through the rest of the year.

These 10-day Deadlines Go To 11 Award - Assorted Massachusetts Agencies

Most records requesters know that although nearly every transparency law imposes response deadlines, those deadlines are violated more often than they are met. Yet Massachusetts officials' time-warping violations of the state’s 10-business-day deadline take this public records reality to absurd new levels.

DigBoston's Maya Shaffer detailed how officials are giving themselves at least one extra business day to respond to requests while still claiming to meet the law’s deadline. In a mind-numbing exchange, an official said that the agency considers any request sent after 5 p.m. to have technically been received on the next business day. And because the law doesn’t require agencies to respond until 10 business days after they’ve received the request, this has in effect given the agency two extra days to respond. So if a request is sent after 5 p.m. on a Monday, the agency counts Tuesday as the day it received the request, meaning the 10-day clock doesn’t start until Wednesday.

The theory is reminiscent of the This Is Spinal Tap scene in which guitarist Nigel Tufnel shows off the band’s “special” amplifiers that go “one louder” to 11, rather than maxing out at 10 like every other amp. When asked why Spinal Tap doesn’t just make the level 10 on its amps louder, Tufnel stares blankly before repeating: “these go to eleven.” 

Although the absurdity of Tufnel’s response is comedic gold, Massachusetts officials’ attempt to make their 10-day deadline go to 11 is contemptuous, and also likely violates laws of the state and those of space and time. 

The Return to Sender Award - Virginia Del. Paul Krizek 

There are lawmakers who find problems in transparency laws and advocate for improving the public’s right to know. Then there’s Virginia lawmaker Paul Krizek.

Krizek introduced a bill earlier this year that would require all public records requests to be sent via certified mail, saying that he “saw a problem that needed fixing,” according to the Richmond Times-Dispatch. 

The supposed problem? A records request emailed to Krizek got caught in his spam filter, and he was nervous that he missed the response deadline. That never happened; the requester sent another email that Krizek saw and he responded in time. 

Anyone else might view that as a public records (and technology) success story: the ability to email requests and quickly follow up on them proves that the law works. Not Krizek. He decided that his personal spam filter hiccup should require every requester in Virginia to venture to a post office and pay at least $3.75 to make their request.

Transparency advocates quickly panned the bill, and a legislative committee voted in late January to strike it from the docket. Hopefully the bill stays dead and Krizek starts working on legislation that will actually help requesters in Virginia.

The Spying on Requestors Award - FBI

If government surveillance of ordinary people is chilling, spying on the public watchdogs of that very same surveillance is downright hostile. Between 1989 and at least 2004, the FBI kept regular tabs on the National Security Archive, a domestic nonprofit organization that investigates and archives information on, you guessed it, national security operations. The Cato Institute obtained records showing that the FBI used electronic and physical surveillance, possibly including wiretaps and “mail covers,” meaning the U.S. Postal Service recorded the information on the outside of envelopes sent to or from the Archive.

In a secret 1989 cable, then-FBI Director William Sessions specifically called out the Archive’s “tenacity” in using FOIA. Sessions specifically fretted over former Department of Justice Attorney Quinlan J. Shea and former Washington Post reporter Scott Armstrong’s leading roles at the Archive, as both were major transparency advocates.

Of course, these records that Cato got through its own FOIA request were themselves heavily redacted. And this comes after the FBI withheld information about these records from the Archive when it requested them back in 2006. Which makes you wonder: how do we watchdog the spy who is secretly spying on the watchdog?

The Futile Secrecy Award - Concord Police Department

When reporters from the Concord Monitor in 2019 noticed a vague $5,100 line item in the Concord Police Department's proposed budget for “covert secret communications," they did what any good watchdog would do–they started asking questions. What was the technology? Who was the vendor? And they filed public records requests under New Hampshire's Right to Know Law.

In response, CPD provided a license agreement and a privacy policy, but the documents were so redacted, the reporters still couldn't tell what the tech was and what company was receiving tax dollars for it. Police claimed releasing the information would put investigations and people's lives at risk. With the help of the ACLU of New Hampshire, the Monitor sued but Concord fought it for two years all the way to the New Hampshire Supreme Court. The police were allowed to brief the trial court behind closed doors, without the ACLU lawyers present, and ultimately the state supreme court ruled most of the information would remain secret.

But when The Monitor reached out to EFF for comment, EFF took another look at the redacted documents. In under three minutes, our researchers were able to use a simple Google search to match the redacted privacy policy to Callyo, a Motorola Solutions product that facilitates confidential phone communications.

Hundreds of agencies nationwide have in fact included the company's name in their public spending ledgers, according to the procurement research tool GovSpend. The City of Seattle even issued a public privacy impact assessment regarding its police department's use of the technology, which noted that "Without appropriate safeguards, this raises significant privacy concerns." Armed with this new information, the Monitor called Concord Police Chief Brad Osgood to confirm what we learned. He doubled down: "I’m not going to tell you whether that’s the product."

The Highest Fee Estimate Award - Pasco County Sheriff's Office

In September 2020, the Tampa Bay Times revealed in a multi-part series that the Pasco County Sheriff’s Office was using a program called “Intelligence-led Policing” (ILP). This program took into consideration a bunch of data gathered from various local government agencies, including school records, to determine if a person was likely to commit a crime in the future—and then deputies would randomly drop by their house regularly to harass them.

Out of suspicion that the sheriff’s office might be leasing the formula for this program to other departments, EFF filed a public records request asking for any contact mentioning the ILP program in emails specifically sent to and from other police departments. The sheriff responded with an unexpectedly high cost estimate for producing the records. Claiming there was no way at all to clarify or narrow the broad request, they projected that it would take 82,738 hours to review the 4,964,278 responsive emails—generating a cost of $1.158 million for the public records requester, the equivalent of a 3,000-square-foot seaside home with its own private dock in New Port Richey.

The Rip Van Winkle Award - FBI

Last year, Bruce Alpert received records from a 12-year-old FOIA request he filed as a reporter for the Times-Picayune in New Orleans. Back when he filed the request, the corruption case of U.S. Rep. William Jefferson, D-New Orleans, was still hot — despite the $90,000 in cash found in Jefferson’s cold freezer.

In 2009, Alpert requested documents from the FBI on the sensational investigation of Jefferson, which began in 2005. In the summer of that year, FBI agents searched Jefferson’s Washington home and, according to a story published at the time, discovered foil-wrapped stacks of cash “between boxes of Boca burgers and Pillsbury pie crust in his Capitol Hill townhouse.” Jefferson was indicted on 16 federal counts, including bribery, racketeering, conspiracy and money laundering, leading back to a multimillion-dollar telecommunications deal with high-ranking officials in Nigeria, Ghana and Cameroon.

By the time Alpert got the 83 pages he requested on the FBI’s investigation into Jefferson, Alpert himself was retired and Jefferson had been released from prison. Still, the documents did reveal a new fact about the day of the freezer raid: another raid was planned for that same day, but at Jefferson’s congressional office. This raid was called off after an FBI official, unnamed in the documents, warned that while the raid was technically constitutional, it could have “dire” consequences if it appeared to threaten the independence of Congress.

In a staff editorial about the extreme delay, The Advocate (which acquired the Times-Picayune in 2019) quoted Anna Diakun, a staff attorney with the Knight First Amendment Institute at Columbia University: “The Freedom of Information Act is broken.” We suppose it's better late than never, but never late is even better.

The FOIA Gaslighter of the Year Award - Louisiana Attorney General Jeff Landry

In another case involving the Times-Picayune, the FOIA gaslighter of the year award goes to Louisiana Attorney General Jeff Landry for suing reporter Andrea Gallo after she requested documents related to the investigation into (and seeming lack of action on) sexual harassment complaints in Landry’s office. 

A few days later, following public criticism, Landry then tweeted that the lawsuit was not actually a lawsuit against Gallo per se, but legal action “simply asking the Court to check our decision” on rejecting her records request.

Gallo filed the original request for complaints against Pat Magee, a top aide to Landry, after hearing rumblings that Magee had been placed on administrative leave. The first response to Gallo’s request was that Magee was under investigation and the office couldn’t fulfill the request until that investigation had concluded. A month later, Gallo called the office to ask for Magee and was patched through to his secretary, who said that Magee had just stepped out for lunch but would be back shortly.

Knowing that Magee was back in the office and the investigation likely concluded, Gallo started pushing harder for the records. Then, late on a Friday when Gallo was on deadline for another story, she received an email from the AG’s office about a lawsuit naming her as the defendant.

A month later, a Baton Rouge judge ruled in favor of Gallo, and ordered Landry to release the records on Magee. Shortly after Gallo received those documents, another former employee of the AG’s office filed a complaint against Magee, resulting in his resignation.

The Redacting Information That’s Already Public Award - Humboldt-area Law Enforcement 

Across the country, police departments are notorious for withholding information from the public. Some agencies take months to release body camera footage after a shooting death or might withhold databases of officer misconduct. California’s state legislature pushed back against this trend in 2018, with a new law that specifically puts officer use-of-force incidents and other acts of dishonesty under the purview of the California Public Records Act.

But even after this law was passed, one northern California sheriff was hesitant to release information to journalists – so hesitant that it redacted information that had already been made public. After a local paper, the North Coast Journal, filed a request with the Humboldt County Sheriff’s Office under the 2018 law, the sheriff took two full years to provide the requested records.

Why the long delay? One possible reason: the agency went to the trouble of redacting information from old press releases – releases that, by definition, were already public.

For example, the sheriff’s office redacted the name of a suspect who allegedly shot a sheriff’s deputy and was arrested for attempting to kill a police officer in May 2014–including blacking out the name from a press release the agency had already released that included the suspect's name. And it's not like the press had accidentally missed the name the first time: reporter Thadeus Greenson had published the release in the North Coast Journal right after it came out.

That isn't Greenson's only example of law enforcement redacting already public information: in response to another public records request, the Eureka Police Department included a series of news clippings, including one of Greenson's own articles, again with names redacted.

The Clear Bully Award - Clearview AI

Clearview AI is the “company that might end privacy as we know it,” claimed The New York Times’s front page when it publicly exposed the small company in January 2020.

Clearview had built a face recognition app on a database of more than three billion personal images, and the tech startup had quietly found customers in police departments around the country. Soon after the initial reports, the legality of Clearview’s app and its collection of images was taken to court. (EFF has filed friend-of-the-court briefs in support of those privacy lawsuits.)

Clearview’s existence was initially revealed via public records requests filed by Open the Government and MuckRock. In September 2021, as it faced still-ongoing litigation in Illinois, Clearview made an unusual and worrying move against transparency and journalism: it served subpoenas on OTG, its researcher Freddy Martinez, and Chicago-based Lucy Parsons Labs (none of which are involved in the lawsuit).

The subpoenas requested internal communications with journalists about Clearview and its leaders and any information that had been discovered via records requests about the company.

Government accountability advocates saw it as retaliation against the researchers and journalists who exposed Clearview. The subpoena also was a chilling threat to journalists and others looking to lawfully use public records to learn about public partnerships with private entities. What’s more, in this situation, all that had been uncovered had already been made public online more than a year earlier.

Fortunately, following reporting by Politico, Clearview, citing “further reflection about the scope of the subpoenas” and a “strong view of freedom of the press,” decided to withdraw the subpoenas. We guess you could say the face recognition company recognized their error and did an about face.

Whose Car is it Anyway? Award - Waymo

Are those new self-driving cars you see on the road safe? Do you and your fellow pedestrians and drivers have the right to know about their previous accidents and how they handle tight turns and steep hills on the road?

Waymo, owned by Google parent Alphabet Inc. and operator of an autonomous taxi fleet in San Francisco, answers, respectively: none of your business, and no! A California trial court ruled in late February that Waymo gets to keep this information secret.

Waymo sued the California Department of Motor Vehicles to stop it from releasing unredacted records requested by an anonymous person under the California Public Records Act. The records include Waymo’s application to put its self-driving cars on the road and answers to the DMV’s follow-up questions. The DMV outsourced the redactions to Waymo, and claiming that it needed to protect its trade secrets, Waymo sent the records back with black bars over most of its answers, and even many of the DMV’s questions.

Waymo doesn’t want the public to know which streets its cars operate on, how the cars safely park when picking up and dropping off passengers, and when the cars require trained human drivers to intervene. Waymo even redacted which of its two models — a Jaguar and a Chrysler — will be deployed on California streets … even though someone on those streets can see that for themselves.

#WNTDWPREA (The What Not to Do With Public Records Ever Award) - Anchorage Police Department

“What Not to Do Wednesday,” a social media series from the Anchorage Police Department, had been an attempt to provide lighthearted lessons for avoiding arrest. The weekly shaming session regularly featured seemingly real situations requiring a police response. Last February, though, the agency became its own cautionary tale when one particularly controversial post prompted community criticism and records requests, which APD declined to fulfill.

As described in a pre-Valentine’s Day #WNTDW post, officers responded to a call about a physical altercation between two “lovebirds.” The post claimed APD officers told the two to “be nice” and go on their way, but instead the situation escalated: “we ended up in one big pile on the ground,” and one person was ultimately arrested and charged.

Some in the public found the post dismissive toward what could have been a domestic violence event — particularly notable because then-Police Chief Justin Doll had pointed to domestic violence as a contributor to the current homicide rates, which had otherwise been declining.

Alaska’s News Source soon requested the name of the referenced arrested individual and was denied. APD claimed that it does not release additional information related to “What Not To Do Wednesday” posts. A subsequent request was met with a $6400 fee.

FWIW, “materials related to WNTDW” is not a valid exemption under Alaska’s public records law.

By the end of February 2021, the APD decided to do away with the series.

“I think if you have an engagement strategy that ultimately creates more concern than it does benefit, then it’s no longer useful,” Chief Doll later said. It’s not clear if APD is also applying this logic to its records process. 

Do As I Say, Not As I Do Award - Texas Attorney General Ken Paxton

Texas law requires a unique detour to deny or redact responsive records, directing agencies to go through the Attorney General for permission to leave anything out. It’s bad news for transparency if that office circumvents proper protocol when handling its own records requests; it’s even worse if those records involve a government official—current Texas AG Ken Paxton—and activities targeted at overthrowing the democratic process.

On January 6, 2021, Paxton (who is currently up for reelection, facing multiple charges for securities fraud, and was reportedly the subject of a 2020 FBI investigation) and his wife were in Washington, D.C. to speak at a rally in support of former President Donald Trump, which was followed by the infamous invasion of the Capitol by Trump supporters. Curious about Paxton’s part in that historic event, a coalition of Texas newspapers submitted a request under the state’s public records law for the text messages and emails Paxton sent that day in D.C.

Paxton’s office declined to release the records. It may not have even looked for them. The newspapers found that the AG doesn’t seem to have its own policy for searching for responsive documents on personal devices, which would certainly be subject to public records law, even if the device is privately-owned.

The Travis County District Attorney subsequently determined that Paxton’s office had indeed violated the Texas open records law. Paxton maintains that no wrongdoing occurred and, as of late February, hadn’t responded to a letter sent by the DA threatening a lawsuit if the situation is not remedied ASAP.

“When the public official responsible for enforcing public records laws violates those laws himself,” Bill Aleshire, an Austin lawyer, told the Austin American-Statesman, “it puts a dagger in the heart of transparency at every level in Texas.”

The Transparency Penalty Flag Award - Big 10 Conference 

In the face of increasing public interest, administrators at the Big 10 sporting universities tried to take a page out of the ol’ college playbook last year and run some serious interference on the public records process.

In an apparent attempt to “hide the ball” (that is, their records on when football would be coming back), university leaders suggested to one another that they communicate via a portal used across universities. Reporters and fans saw the move as an attempt to avoid the prying eyes of avid football fans and others who wanted to know more about what to expect on the field and in the classroom.

“I would be delighted to share information, but perhaps we can do this through the Big 10 portal, which will assure confidentiality?” Wisconsin Chancellor Rebecca Blank shared via email.

“Just FYI — I am working with Big Ten staff to move the conversation to secure Boardvantage web site we use for league materials,” Mark Schlissel, then-President of the University of Michigan, wrote his colleagues. “Will advise.”

Of course, the emails discussing the attempted circumvention became public via a records request. Officials’ attempt to disguise their secrecy play was even worse than a quarterback forgetting to pretend to hand off the ball in a play-action pass.

University administrators claimed that the use of the private portal was for ease of communication rather than concerns over public scrutiny. We’re still calling a penalty, however. 

The Remedial Education Award - Fairfax County Public Schools

Once a FOIA is released, the First Amendment generally grants broad leeway to the requester to do what they will with the materials. It’s the agency’s job to properly review, redact, and release records in a timely manner. But after Callie Oettinger and Debra Tisler dug into a series of student privacy breaches by Fairfax County Public Schools, the school decided the quickest way to fix the problem was to hide the evidence. Last September, the pair received a series of letters from the school system and a high-priced law firm demanding that they remove the documents from the web and return or destroy them.

The impulse to try to silence the messenger is a common one: A few years ago Foilies partner MuckRock was on the receiving end of a similar demand in Seattle. While the tactics don’t pass constitutional muster, they work well enough to create headaches and uncertainty for requesters that often find themselves thrust into a legal battle they weren’t looking to fight. In fact, in this case, after the duo showed up for the initial hearing, a judge ordered a temporary restraining order barring the further publication of documents. This was despite the fact that they had actually removed all the personally identifiable data from the versions of the documents they posted.

Fortunately, soon after the prior restraint, the requesters received pro bono legal assistance from Timothy Sandefur of the Goldwater Institute and Ketan Bhirud of Troutman Pepper. In November — after two months of legal wrangling, negative press, and legal bills for the school — the court found the school’s arguments “simply not relevant” and “almost frivolous,” as the Goldwater Institute noted.

For more transparency trials and tribulations, check out The Foilies archives at

Dave Maass

Big Tech Pay-Outs to European ISPs Would Just Concentrate Their Power

3 months 2 weeks ago

As the debate about how to rein in Big Tech and its anti-competitive practices continues, news publishers and telecommunications providers are increasingly calling for large pay-outs from major platforms. However, these proposals risk restricting users into ever-smaller walled gardens and cementing the dominance of a few big players.

On Valentine’s day, an open letter from the CEOs of Deutsche Telekom, Telefónica, Vodafone, and Orange surfaced. In the letter, the heads of Europe’s biggest telecommunications providers called “for large content platforms to contribute to the cost of European digital infrastructure that carries their services.” Claiming that the current situation is “not sustainable” for their companies, they argued that “Europe will fall behind” if this situation is not addressed.

The request for large platforms to pay telecom providers to carry their content is not new. In 2011, the same group (absent Deutsche Telekom) attempted to levy charges on Google and other content providers, suggesting an overhaul of how data travels across the internet. In 2013, Orange struck a deal with Google under which Google would pay an undisclosed amount to the carrier for the traffic sent across its networks.

For years, telecom operators have tried to catch up with innovation, but with little real success. In the beginning, it was their inability to identify ways to diversify their centralized business models within the internet’s more decentralized environment. Instead, they have used their political capital to keep pushing, unsuccessfully, for proposals based on the simple idea that everyone else should have to pay up. They even went as far as the ITU. And, the more the internet has grown, the more telecom providers have remained stuck in outdated business models. Part of the problem has always been that telecom providers have never fully grasped the fact that users are mainly paying to connect to the ends of the network and not the middle. In other words, the value of the internet connection comes from the fact that Google, Facebook, or TikTok—not to mention smaller and regional platforms excluded from big telecom deals—make it valuable for them. Without large and small platforms and their services, users would have no reason to use telecom providers’ networks. 

This dynamic of requiring large platforms to pay telecom providers to carry their content may bring the net neutrality debate to mind. But, this post is not about net neutrality. This post is about a different trend that is picking up speed: attempting to force big technology companies to negotiate, with very little transparency, deals that end up creating barriers to entry for smaller businesses on both sides of the equation. Make no mistake, the concern about the concentration of power in big technology companies should neither be underestimated nor ignored; more fundamentally, however, promoting secret deals as the solution to any of the current problems will only make things worse.

And it’s not just the telecom providers. Last year, Australia’s News Media Bargaining Code set the tone for the relationship between Big Tech and publishers by forcing Google and Facebook to negotiate and pay publishers—namely, Rupert Murdoch’s News Corp—to host the publisher’s content. France followed soon after, with Google agreeing to pay the Alliance de la presse d’information generale (APIG) $36 million in the first case under the new EU Copyright Directive. Canada is considering similar rules, while the UK, Argentina, Brazil, and Germany have all enacted – or are in the process of enacting – such rules. Big Tech is paying and it is paying big time. Now, telecommunication providers want a piece of this payout, and they might get it.

The obvious question here is how sustainable this is in the long run, especially considering the fact that these deals create an even greater financial interest in maintaining Big Tech’s dominance.

In this context, the paradigm that is forming is one where power will concentrate in the hands of even fewer telecommunications and Big Tech players. While Google and Facebook may be able to afford huge payouts to host publisher content and travel on telecom provider networks, smaller companies cannot. This means more users will be limited to increasingly walled-in ecosystems and services with more concentrated threats to user privacy and expression, especially as smaller players get shut out of such deals.

The openness and freedom that define the internet at its best suffer within walled-garden spaces. These kinds of deals will exacerbate this problem as Facebook and Google become centers for more kinds of user interaction, adding new services that draw users further into their closed systems. In the case of Facebook News in France, for example, users are exposed to the news and information only from certain “partners” adhering to Facebook’s terms and conditions. Independent journalism and informal reporting will vanish or, at best, get hidden.

Now, imagine if Facebook’s and Google’s reach were to extend to infrastructure. Although it is premature to guess the level of involvement and investment Big Tech will be required to commit and what it will mean exactly, it is almost a certainty that big technology companies will get unprecedented access to infrastructure opportunities they have long desired. We are already witnessing a trend towards more privatized networks and more privatized internet infrastructure, with research suggesting that big technology companies are “gaining control over not only the content but the means of transferring the content.” If core parts of the internet’s infrastructure are co-opted by big technology firms, it would further the existing dependencies we tend to experience in the latter. As Brett Frischmann argues:

Ultimately, the outcome of this debate may very well determine whether the internet continues to operate as a mixed infrastructure that supports widespread user production of commercial, public, and social goods, or whether it evolves into a commercial infrastructure optimized for the production and delivery of commercial outputs.

And, no regulation from Europe will be able to prevent this; once Big Tech is in Europe’s infrastructure, there won’t be a way out.

Europe has repeatedly said it wants to be a leader in innovation. Of course, it means every word of it. But, no one is – nor should be – entitled to the proceeds of technical innovation, and trying to enforce that through regulation is a bad idea.

Konstantinos Komaitis

Federal Court in Virginia Holds Geofence Warrant Violates Constitution

3 months 2 weeks ago

In the first order of its kind, a federal district court has held that a warrant used to identify all devices in the area of a bank robbery, including the defendant’s, “plainly violates the rights enshrined in [the Fourth] Amendment.” The court questioned whether similar warrants could ever be constitutional.

The case is United States v. Chatrie, and addresses a controversial tool called a geofence warrant. The police issued the warrant to Google seeking information on every device within the area of the robbery during a one-hour period. The geographic area was about 17.5 acres (about 3 and a half times the footprint of a New York city block) and included a church, a chain restaurant, a hotel, several apartments and residences, a senior living facility, a self-storage business, and two busy streets.

Google’s initial search identified 19 devices, with a total of 210 individual location points. Google assigned anonymizing identifiers to each device and provided their locations to the police. Following a three-step process designed by Google, the police expanded the time period to two hours to get additional location information for 9 of the devices. Ultimately, police obtained detailed, identifying subscriber information for three devices. One of those belonged to the defendant.

Mr. Chatrie filed a motion to suppress the geofence evidence, and, after several hearings and extensive expert testimony, the court issued a thorough, 63-page order holding the warrant was unconstitutional. The court held that it’s not enough for the police to allege that a crime was committed and the perpetrator used a cellphone. If the police want to get information on every device in the area, they must also establish probable cause to search every person in the area, something that’s likely impossible in a busy area like this one.

The court further held that Google’s three-step process did not cure the warrant's defects. The initial anonymization of the data didn’t help because, as the court recognized, “[e]ven ‘anonymized’ location data—from innocent people—can reveal astonishing glimpses into individuals' private lives when the Government collects data across even a one- or two-hour period.”

The second and third steps of the process, taken ostensibly to narrow the number of devices disclosed to police, couldn’t buttress the search either. They were “undertaken with no judicial review whatsoever” and “provided law enforcement unchecked discretion to seize more intrusive and personal data with each round of requests—without ever needing to return to a neutral and detached magistrate for approval.” There were no objective guardrails in the warrant or “any semblance of objective criteria to guide how officers would narrow the lists of users.” And even though Google (rather than the police) insisted on narrowing at the second step, the court held “Fourth Amendment protections should not be left in the hands of a private actor.”

Chatrie follows several other courts that have also held geofence warrants to be unconstitutional, but in each of those cases, the judges were reviewing the warrant before a defendant had ever been charged. The Chatrie case is different because the warrant was approved by a magistrate, and the investigation ultimately resulted in the case brought against Mr. Chatrie. With the help of experienced defense attorneys and extensive testimony from Google and expert witnesses for both the defense and prosecution, the parties were able to create a robust factual record, which the court detailed in its order. This should prove extremely helpful for other defendants challenging similar geofence warrants in the future.

The facts established in the case confirmed much of what we already suspected—that Google has a voluminous, detailed, and searchable database of location information, which it collects from "numerous tens of millions" of its users. The data comes from a database Google calls “Sensorvault,” where it stores location data for one of its services called “Location History.” Google collects Location History data from different sources, including wifi connections, GPS and Bluetooth signals, and cellular networks. And it logs a device’s location, on average, every two minutes. This makes it much more precise than cell site location information and allows Google to estimate a device’s (and by extension, the device owner’s) location to within 20 meters or less.

This precision also allows Google to infer where a user has been, what they were doing at the time, and the path they took to get there. Google can even determine a user’s elevation and establish what floor of a building that user may have been on. As the court noted, “Location History appears to be the most sweeping, granular, and comprehensive tool—to a significant degree—when it comes to collecting and storing location data.”

However, the fact witnesses also showed that, despite this claimed precision, the data may not be all that accurate. It may place a device inside the geofenced area that was, in fact, hundreds of feet away and vice versa. This creates the possibility of both false positives and false negatives—people could be implicated for the robbery when they were nowhere near the bank, or the actual perpetrator might not show up at all in the data Google provides to police.

Unfortunately for Mr. Chatrie, despite the court’s determination that the warrant was plainly unconstitutional, the court nevertheless refused to suppress the evidence. The court held that the officer acted in good faith on what he thought was a valid warrant. This is a frustrating outcome that lets the police off the hook in this case. However, the court’s order makes clear that this can’t happen again in the future. The police are now on notice that geofence warrants are, by default, unconstitutional, and there are very few—if any—scenarios in which they could satisfy the Fourth Amendment.

Related Cases: Carpenter v. United States
Jennifer Lynch

Utah: Urge Governor Cox to Veto This Weak Data Privacy Bill

3 months 2 weeks ago

EFF fights for strong data privacy laws in statehouses across the country. That’s why we joined a coalition of privacy advocates in urging Utah's lawmakers to stop the bill. Now we're asking Gov. Spencer J. Cox to veto SB227, which passed quickly through the state’s legislature last week. This bill protects privacy in name only, and lacks real protections or teeth. By setting such a low bar for privacy, and blessing some anti-privacy company tactics, it does not set a strong foundation for future privacy improvements in Utah. It should not become law. If you’re in Utah, please join us in asking Gov. Cox to veto this bill.

Take Action

Tell Gov. Cox to Veto This Weak Data Privacy Bill

Strong privacy laws should help everyday people protect and manage their privacy. They should cover the companies and practices that pose the most potential for harm. They should be easy for people to use, so protecting our privacy doesn’t become an additional part-time (or full-time) job. They should ensure that people aren’t penalized if they choose to protect their privacy. And they should give people the tools to stand up for themselves if companies trample their privacy rights.

This weak Utah bill does none of those things. It specifically does not, for example, cover companies that profile people based on their data. It’s built on an opt-out structure, meaning people have to figure out which companies have their information and go to each of them, one at a time, to make their privacy requests. It doesn’t even allow for tools that people could use to make this process easier, such as requiring companies to recognize a global privacy signal that would broadcast a user’s intentions to web sites they visit.

This bill also fails on some of EFF’s highest priorities for effective and protective privacy legislation. The Utah bill expressly permits companies to charge people more or give them a lesser service if they ask a company not to sell their information. This makes privacy a luxury for only those who can afford it. It also lacks a private right of action—an individual right to sue, which is standard in many federal and state privacy laws. Even worse, it gives businesses a “right to cure” before any governmental enforcement. That gives businesses a “get out of jail free” card to violate the law, secure in the knowledge that they cannot be punished for privacy invasions that precede government requests that they stop. In short, this bill does nothing to incentivize companies to respect individual privacy.

The Utah bill is a much weaker version of a similar law that passed in Virginia last year. EFF opposed that bill, and has urged other state lawmakers not to follow in Virginia’s footsteps. The race to the bottom is accelerating. Now a version of Utah’s weaker bill has already appeared in the Iowa legislature. Virginia’s privacy law was empty; Utah’s bill is even worse. For example, Utah limits Virginia’s already flawed definition of a “sale” of data, and removes people’s right to appeal when companies refuse to comply with their requests.

State lawmakers must do better. We respectfully urge Gov. Cox to veto this bill and ask the legislature to pass a bill that truly protects the people of Utah.

Hayley Tsukayama

Here’s How ICE Illegally Obtained Bulk Financial Records from Western Union

3 months 2 weeks ago

Senator Ron Wyden has released a letter to the U.S. Department of Homeland Security’s (DHS) Inspector General voicing his concern over a previously-unknown bulk data collection program that was carried out by Homeland Security Investigations (HSI), a unit within DHS’s U.S. Immigration and Customs Enforcement (ICE). For more than two years, HSI used administrative subpoenas to acquire millions of financial records from two companies involved in money transfers, Western Union and Maxitransfers Corporation (Maxi). This is a blatantly illegal exploitation of government subpoena power–and an all too familiar one that must stop.

Beginning in 2019, HSI sent eight administrative subpoenas to these financial services companies asking that they turn over all records for money transfers over $500 to or from California, Texas, New Mexico, Arizona, and Mexico. Each administrative subpoena sought records for six months at a time. In response, Western Union and Maxi provided 6.2 million financial records, including personal information such as names and addresses, to HSI. All of the information was entered into a database called Transaction Record Analysis Center (TRAC), which is run by a non-profit and facilitates law enforcement access to bulk financial data for 5 years. According to Sen. Wyden, HSI terminated the program in January 2022 after his office contacted HSI about it.

This practice presents real-world harms to people who, for good reason, would like to keep private the transfer of money and the identifying information that goes with it. Sharing financial and other personally identifying records of domestic violence survivors, asylum seekers, and human rights activists could expose them to danger, particularly given that TRAC allows hundreds of law enforcement agencies unfettered access to these records. 

Moreover, this kind of bulk surveillance is illegal. By statute, these administrative subpoenas must seek records “relevant” to an agency investigation. Simply put, there is no way these broad requests for bulk records would turn up only documents “relevant” to specific investigations; instead, they put everyone who transferred money, including U.S. persons, under surveillance.

This is not the first time government agencies have floated overly-broad interpretations of what records are, and are not, “relevant” in order to collect as much information as possible. In 2015, after a lawsuit brought by EFF, the Drug Enforcement Administration purged a database containing billions of Americans’ international call records that had been in operation since the 1990s. The NSA also infamously stretched the limits of what calls were and were not “relevant” to investigations when it collected hundreds of millions of call detail records from telecommunications providers, a practice that the Second Circuit called “unprecedented and unwarranted.”

U.S. Customs and Border Protection (CBP), another DHS subagency, has even been previously reprimanded for sending the exact same type of administrative subpoena as in this case to Twitter to demand the company unmask an anonymous user that ran an account critical of another DHS subagency.

What Should Be Done?

There are several things that can be done to remedy this harm and minimize the endless cycle of government agencies’ illegal collection of bulk data.

First, we reiterate Sen. Wyden’s call for an investigation into the HSI program. The public has a right to know how and why this program happened, and what steps are being taken to ensure this violation doesn’t happen again.

Second, the records collected under this illegal program must be immediately purged, both from TRAC and any other agencies that possess copies of the information.

Third, companies like Western Union and Maxi should stop caving to these overbroad administrative subpoenas for sensitive customer information by filing motions to quash. These administrative subpoenas are government requests—not official warrants, signed by a judge, that legally compel the company to hand over all of this data. Companies should answer only when compelled by law to do so. Until then, they have an obligation to protect their customers’ information, and that obligation should extend to protections from overly-broad and easily rebuttable government fishing expeditions.

Finally, lawmakers need to prioritize strong consumer data privacy legislation to prevent a situation like this one from recurring. Such privacy legislation must protect the most vulnerable among us, including the low-income, immigrant, and unbanked populations that often rely on money transfer services such as Western Union to go about their daily lives. 

Matthew Guariglia

How the NTIA Can Fund Future-Proof Open Access Fiber

3 months 2 weeks ago

EFF Legal Intern Emma Hagemann contributed to the corresponding comment.

The National Telecommunications and Information Administration (NTIA) has big decisions to make in its effort to implement the new federal broadband infrastructure program. If done right, and with the right state policies in place, a great number of Americans will obtain access to multi-gigabit broadband in the coming years.

EFF sent comments to the NTIA urging them to fund the deployment of open access fiber networks, properly vet all projects seeking funding, and provide assistance to motivated local and regional entities who want to build their own open-access networks. This framework should allow the NTIA to best distribute the more than $48 billion of broadband funding allotted through the Infrastructure Investment and Jobs Act (IIJA), and deliver to all Americans access to reliable, affordable, high-speed broadband.

The NTIA Should Fund Open Access Fiber Networks

The law calls for establishing projects that (1) provide service that meets speed, latency, reliability, and consistency requirements, and (2) can easily scale speeds over time to meet evolving needs. As such, the NTIA must consider not what is good enough for today, but what meets the standards of 20, 30, or even 50 years into the future.

After years of technical research, and comparison to all other last mile options, EFF has concluded that open access fiber is the ideal model and transmission medium. It not only provides every American with service that is future-proofed in speed, consistency, and capacity, but does so in a cost-efficient, self-sustaining manner.

Fiber-optic cable infrastructure, unlike the coaxial cables commonly used today, or the now-obsolete copper phone lines, is the only infrastructure that can be upgraded to achieve the performance needed for decades to come without significant new investment. Current research shows that a single fiber-optic cable today can transmit over 300 terabits per second over hundreds of miles; in theory, it can carry even more years from now. The infrastructure has long proven able to deliver low-latency, high-bandwidth, and extremely reliable service.

With the inherent superiority of fiber, an open-access network becomes the only model that can economically deliver the full range of services and applications that need high-capacity infrastructure to even the most unserved and high-cost regions of America. In an open-access network, the entity that builds the physical fiber-optic infrastructure is prohibited from selling broadband services. Instead, it leases the capacity of its infrastructure to internet service providers who, in a state of competition, are incentivized to deliver high-quality, low-cost service to as many people as possible. EFF’s own cost model study finds that an open-access network could cover nearly 80% of US households without government subsidies. A traditional broadband provider can only reach 50%. Should the NTIA disburse a significant portion of its $48 billion to build open-access fiber networks, it will set in motion the ability for states to eventually service every US household with high-quality, low-cost service for decades to come.

The NTIA Should Avoid Funding Projects That Overpromise and Underdeliver

The NTIA should vet those seeking project funding to ensure they have the proper operational and technical capability to deploy the services promised, and the commitment to see a project through. As part of the process, we urge the NTIA to be as publicly transparent as possible with its reviews and allow opportunities for additional input if necessary. There must also be a means for the NTIA to ensure funds are used properly and effectively after they are awarded.

Rigorous scrutiny is necessary to avoid mistakes made in past federal policy. During the Federal Communications Commission’s (FCC) Rural Development Opportunity Fund (RDOF) process just last year, lack of scrutiny resulted in federal dollars being awarded to entities that cannot deliver on their promises, and face clear barriers to scaling for future demand. Specifically, more than $2 billion went to just two companies. One of those overpromised, basing their proposal on an unproven means of delivering last mile broadband access. Another proposed a deployment strategy that is doomed to underdeliver. There must be due diligence ensuring the $48 billion is properly spent to avoid speculative and intentionally anti-competitive bids designed to stall or outright prevent fiber infrastructure providers from connecting homes to the gigabit future.

The NTIA Should Help States and Localities to Build Their Own Networks

Many cities, municipalities, rural cooperatives, and other local entities in unserved and underserved areas are tired of being left behind by monopolistic internet service providers (ISPs). These local public entities want to go about it themselves, but many lack the logistical expertise to apply for grant funding, or technical expertise to build out a network. The NTIA should recognize pre-existing local desires to create their own internet service, and provide these folks with the resources they need.

There is precedent for federal agencies taking a hands-on approach to building infrastructure. That’s how rural electric grids, many still in operation today, were initially built. EFF proposes the NTIA establish a franchise-like model of broadband deployment. The NTIA should lend its expertise to motivated local partners, who will develop and maintain fiber-optic broadband networks that serve their communities. This should include assistance in accessing grant funds, and training on building future-proof fiber networks. Where different local partners will have different needs, the NTIA should be prepared to offer a wide variety of assistance options, like workshops, telephonic troubleshooting, and grant-writing assistance.

The national ISPs failed large parts of rural America. Just as the rural electrification effort created infrastructure that continues to power rural America, the up-front effort of teaching localities to build their own networks will connect Americans for decades to come. 

EFF’s comments also emphasize: 

  • The need to avoid a ‘first worst’ strategy in grant assessment. Some say initial funds should only be given to those addressing the worst areas first. This only penalizes those who have been proactive in addressing their unserved communities. Proactive actors should be able to move on to addressing the next worst, the underserved. 
  • The viability of long-term low-interest financing to build out open access fiber-optic infrastructure. 
  • The need to condition grants on open access and universal deployment. 
  • How to prioritize funding smaller, local entities with smaller grants, instead of giving big ISPs funding that they have historically squandered.
  • The existence of fiber proof of concepts in urban areas like Chattanooga and rural areas like a portion of rural Missouri with a population density of 2.4 people per mile.

You can find EFF’s report on the superiority of fiber here, and the study we funded on open-access fiber here. Our full comment to the NTIA can be found here.   

Chao Liu

Using Your Phone in Times of Crisis

3 months 2 weeks ago

Secure communications are especially important in times of crisis. Just being aware of surveillance has chilling effects in how we exercise speech, which is often under attack by all sorts of actors from criminals to our own governments. With war in Ukraine and political crackdowns in Russia, it is critical for Russians and Ukrainians alike to let their loved ones know they're ok, to stay informed, and to organize.

It is not surprising that in times of crisis many people default to the most widely available system for staying in touch–the mobile network. But communicating over mobile networks comes with risks you should know about. Not only are there plenty of tools to intercept communications on these networks, but anyone with access to the network does not even need to engage in interception. That leaves your communications vulnerable to malicious hackers, companies, employees, law enforcement, and foreign government agencies.

The mobile network does not encrypt calls or text messages end-to-end, nor does it conceal your location. Anyone with access to the network can see all of that information.

Phone calls and text messages are easily intercepted, in particular when carried over the oldest of cell networks: 2G. This is why we’ve asked Apple and Google to offer capabilities for users to turn off 2G. Google has rolled out this option for its latest devices, but it is generally not available in Russia or Ukraine. Apple, we’re still waiting.

While we’ve urged people to stay away from 2G when possible, the 3G, 4G, and 5G networks aren’t secure options for voice and text communications either, particularly for those in Russia and Ukraine. Using these networks, your communications aren’t protected with end-to-end encryption, which means anyone intercepting them—including intermediaries—can see and hear the contents of your communication.  

If you shouldn’t be using the traditional mobile network for calls and text, what should you use? 

There are many apps that provide end-to-end encryption for both voice and text conversations regardless of the network used to transmit the communications. But there are limits to these protections, because unencrypted metadata offers a lot of insights about you. Metadata is the information that is transmitted along with your message. For example, this can include who sent a message, the recipient of a message, and the location of who sent it.

Even when using end-to-end encrypted messaging applications, your location is still available through the mobile network while your device is connected to it. This is necessary for the system to work. When someone calls you, for example, the network has to know where to send the call. While obviously very useful, it also means that anyone with access to the network can get your location. Cell site simulators (CSS) can also be used to locate people in the vicinity of the CSS. Reports claim the Russian military has not only destroyed 3G and 4G towers in Ukraine but also set up CSS there—an act that has apparently backfired and made Russian communications vulnerable as well.

Regardless of where you are—and particularly in Russia and Ukraine—you should not rely on phone calls or SMS to protect the privacy of your communications from government actors. Regardless of the generation of your network, end-to-end encrypted messaging apps like WhatsApp, FaceTime Audio, Threema, Wire, Signal, or Viber will provide significantly more security for your calls and messages. For two-factor authentication or 2FA (the code you get to log in to your account) you should try to use an app over SMS when possible.

Because everyone has a different threat model, knowing the strengths and weaknesses of different types of communication will help you make informed decisions about what is best to do, which apps best fit your risk, and when to turn off your phone, or just leave it at home if possible.

Andrés Arrieta

EFF to European Court: “Right to be Forgotten” Shouldn’t Stop The Public From Reading The News

3 months 2 weeks ago

The “right to be forgotten," which exists in European Union member states and allows for mandatory delisting of results from search engines, must be balanced against the rights of the public to read media archives. EFF joined together with more than a dozen other media and free expression groups to make that point clear in a recent case from the European Court of Human Rights (ECtHR).

In Hurbain v. Belgium, the applicant, the editor-in-chief of Belgian daily newspaper Le Soir, argued that his right to freedom of expression was violated when he was ordered to delete an article about a deadly 1994 car accident from his newspaper’s website, or at least remove the name of the driver. The ECtHR’s Chamber, a judicial body that hears most of its cases, found there was no violation of freedom of expression, thus extending the “right to be forgotten” to media archives. The applicant requested a referral to ECtHR’s Grand Chamber, which only hears its most serious cases.

EFF and our partner organizations submitted an amicus brief before the Grand Chamber, asking for sharp limits on the “right to be forgotten.” Most European countries exempt the media from all or most of the obligations on data erasure. Any court rulings that interfere with a media archive should be “subject to the strictest scrutiny,” we argued.

We underlined that any further expansion of the “right to be forgotten” would create more uncertainty for publishers and editors. It would put a significant burden on media outlets and online archives, which would face an unmanageable number of requests to have content removed, altered, or anonymized. If this decision stands, media outlets may try to avoid this risk simply by restricting or deleting their content in advance.

Instead, EFF and our partner organizations suggest that the Grand Chamber adopt a more balanced test when dealing with online media archives and the “right to be forgotten.” The guiding presumption in such cases should be that the integrity of online media archives must be preserved.

A few other factors must be considered. First, has a claimant suffered substantial damage or harm due to the content linked to their name? This should be “sufficiently specific” harm, and not “mere embarrassment or discomfort.” Second, has sufficient weight been given to the purpose of the media archive? The public interest in archived media reports may increase over time, when, for instance, the individual decides to run for office, or the information becomes central to academic, scientific, or historical research purposes. Third, the right to receive information remains an important factor and must be given weight. For example, we argued that information about a ten-year-old bankruptcy concerns the person who went bankrupt, but it also concerns the operations and fairness of the courts.

In short, this expansion of the right to be forgotten creates a potential “serious and negative” effect on access to information and media freedom. EFF advocates for a limited scope and geographic reach of this right. In Hurbain, EFF and our partners called on the ECtHR’s Grand Chamber to adopt a nuanced approach to balance an individual’s “right to be forgotten” with the integrity of online media archives, keeping in mind the highest standards for the protection of journalistic activities and media freedom.

You can read our full amicus brief here.

Meri Baghdasaryan
EFF's Deeplinks Blog: Noteworthy news from around the internet