The Bill of Rights at The Border: The First Amendment and the Right to Anonymous Speech

The Bill of Rights at The Border: The First Amendment and the Right to Anonymous Speech
By Stephanie Lacambra

The U.S. border has been thrown into the spotlight these last few months, with border agents detaining travelers for hours, demanding travelers unlock devices, and even demanding passwords and social media handles as a prerequisite for certain travelers entering the country. As the U.S. government issues a dizzying array of new rules and regulations, people in the U.S. and abroad are asking: are there meaningful constitutional limits on the ability of border agents to seize and search the data on your electronic devices and in the cloud?

The answer is: Yes. As we’ll explain in a series of posts on the Bill of Rights at the border and discuss in detail in our border search guide, border agents and their activities are not exempt from constitutional scrutiny.

In this first post, we’ll focus on the First Amendment.

The First Amendment is meant to safeguard five fundamental rights: speech, assembly, religion, press, and petition to the government for redress of grievances. The First Amendment also protects the right to exercise these basic rights anonymously because, as Supreme Court Justice John Paul Stevens wrote:

Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.

But when border agents scrutinize the massive volume of sensitive information in our digital devices or in the cloud, they infringe on First Amendment rights in at least four distinct ways.

  • First, device searches may reveal your social media profile handles –  inclusive of pseudonymous accounts. This allows border agents to match those handles to your passport identity, which effectively unmasks you and prevents you from being able to speak anonymously online. The same is true if you comply with an agent’s demand that you tell them your social media handles.
  • Second, device searches may also chill your ability to associate with an expressive institution anonymously, like a political group. Border agents can use a device search or knowledge of your social media handles to unearth a variety of private associational ties that can be mapped and harvested for more personal information and connections. What is worse, the investigation may intrude upon your contacts’ privacy as well as your own.
  • Third, requiring you to let CBP review your web-browsing history violates your right to access and receive information anonymously. This intrusion also occurs when CBP scrutinizes your shopping histories to reveal your private decisions to acquire expressive materials, such as books and movies.
  • Finally, requiring journalists to unlock devices that contain confidential journalistic sources and work product inhibits their ability to shield the identity of their sources and undermines the integrity and independence of the newsgathering process.

Border searches of our digital devices and cloud data thus implicate core free speech rights. Therefore, border agents should at least be required to obtain a warrant supported by probable cause before any such search of our private digital information.

Indeed, the First Amendment requires even more. For example, when police officers demand purchasing records from booksellers (implicating the right to access information anonymously), the First Amendment requires not only probable cause, but a compelling need, the exhaustion of less restrictive investigative methods, and a substantial nexus between the information sought and the investigation. Given that a digital device search is far more invasive upon First Amendment rights than disclosure of what books a person buys at a single bookseller, border agents should be required to do the same.

And the government should take special care with respect to journalists. The Privacy Protection Act prohibits the government from searching or seizing a journalist’s materials without probable cause that the journalist has committed a crime. While the statute exempts border searches for the purpose of enforcing the customs laws, it does not exempt border searches for other purposes, such as a criminal investigation.

Unfortunately, so far, courts have refused to recognize the free speech implications of digital border searches. But we hope and expect that will change as courts are forced to weigh the increasing amount of sensitive information easily accessible on our devices and in the cloud, and the increasing frequency and scope of border searches of this information.

Without First Amendment protections at the border, the threat of self-censorship looms large. Travelers faced with the risk of border agent intrusion into such sensitive data are more prone to self-censorship when expressing themselves, when considering private membership in political groups, or when deciding whether to access certain reading or media material. This is especially true for people who belong to unpopular groups, who espouse unpopular opinions, or who read unpopular books or view unpopular movies.

Likewise, confidential sources that provide invaluable information to the public about government or corporate malfeasance may refrain from whistleblowing if they fear journalists cannot protect their identities during border crossings. This is why EFF is calling for stronger Constitutional protection of your digital information and urging people to contact Congress on this issue today.

We’re also collecting stories of border search abuses at:

The good news is there’s a lot you can do at the border to protect your digital privacy. Take the time to review our pocket guides on Knowing Your Rights and Protecting your Digital Data at the border. And for a deeper dive into these issues, take a look at our Border Search Guide on protecting the data on your devices and in the cloud.

March 22, 2017 at 11:48PM
via Deeplinks

To keep Tor hack source code secret, US gov’t dismisses child porn case

To keep Tor hack source code secret, US gov’t dismisses child porn case
By Cyrus Farivar

Enlarge (credit: scyther5 / Getty Images News)

Rather than share the now-classified technological means that investigators used to locate a child porn suspect, federal prosecutors in Washington state have dropped all charges against a man accused of accessing Playpen, a notorious and now-shuttered website.

The case, United States v. Jay Michaud, is one of nearly 200 cases nationwide that have raised new questions about the appropriate limitations on the government’s ability to hack criminal suspects. Michaud marks just the second time that prosecutors have asked that case be dismissed.

“The government must now choose between disclosure of classified information and dismissal of its indictment,” Annette Hayes, a federal prosecutor, wrote in a court filing on Friday. “Disclosure is not currently an option. Dismissal without prejudice leaves open the possibility that the government could bring new charges should there come a time within the statute of limitations when and the government be in a position to provide the requested discovery.”

Read 18 remaining paragraphs | Comments

March 6, 2017 at 06:25AM
via Ars Technica UK

Sen. Wyden: Border Searches of Digital Devices Should Require a Warrant

Sen. Wyden: Border Searches of Digital Devices Should Require a Warrant
By Sophia Cope

This week Sen. Wyden (D-OR) sent a letter to Department of Homeland Security (DHS) Secretary John Kelly stating that he will soon introduce legislation that would require law enforcement agencies to obtain a warrant before searching the data on digital devices at the border. We applaud Sen. Wyden for taking a stand on this important privacy issue.

Sen. Wyden said that he wants to “guarantee that the Fourth Amendment is respected at the border.”

We have been arguing for a while that the Fourth Amendment requires a warrant based on probable cause for border searches of cell phones, laptops and other mobile devices that contain gigabytes of highly personal information.

Sen. Wyden’s letter comes after several recent reports that Customs and Border Protection (CBP) agents have been conducting invasive searches of the digital devices of Americans and foreign travelers alike. For example, CBP agents demand that travelers unlock or decrypt their devices, or simply disclose their device passcodes. Additionally, CBP agents access not only public social media posts by demanding handles, but also private social media and other “cloud” content via smartphone apps. The AP recently reported that border agents accessed an American citizen’s eBay and Amazon accounts via his cell phone.

Sen. Wyden also wants to prohibit government agents from forcing travelers to disclose the login credentials to their social media and other online accounts. Secretary Kelly proposed requiring this from foreign visitors to the U.S. during a congressional hearing earlier this month.

Sen. Wyden argued that DHS/CBP policies and practices violate the privacy and civil liberties of travelers, “distract CBP from its core mission and needlessly divert agency resources away from those who truly threaten our nation,” and harm U.S. economic interests by discouraging international business travel.

Sen. Wyden also asked Secretary Kelly to respond to five excellent questions by March 20, 2017:

  1. What legal authority permits CBP to ask for or demand, as a condition of entry, that a U.S. person disclose their social media or email account password?
  2. How is CBP use of a traveler’s password to gain access to data stored in the cloud consistent with the Computer Fraud and Abuse Act?
  3. What legal authority permits CBP to ask for or demand, as a condition of entry, that a U.S. person turn over their device PIN or password to gain access to encrypted data? How are such demands consistent with the Fifth Amendment?
  4. How many times in each calendar year 2012-2016 did CBP personnel ask for or demand, as a condition of entry, that a U.S. person disclose a smartphone or computer passcode, or otherwise provide access to a locked smartphone or computer? How many times has this occurred since January 20, 2017?
  5. How many times in each calendar year [2012-2016] did CBP personnel ask for or demand, as a condition of entry, that a U.S. person disclose a social media or email account password, or otherwise provide CBP personnel access to data stored in an online account? How many times has this occurred since January 20, 2017?

While we believe that the Constitution requires the highest level of legal protection for digital data at the border and we urge courts to make this clear in case law, we support Sen. Wyden’s effort to enshrine a probable cause warrant requirement in legislation. The faster we reach this unequivocal rule the better.

We also look forward to Secretary Kelly’s responses to Sen. Wyden’s questions.

In the meantime, please tell us your border search stories. You can write to us at If you want to contact us securely via email, please use PGP/GPG. Or you can call us at +1-415-436-9333.

February 22, 2017 at 07:09AM
via Deeplinks

History tells us the wars on privacy and sharing will get worse before it gets better

History tells us the wars on privacy and sharing will get worse before it gets better
By Rick Falkvinge

All governments of the world are cracking down on privacy and increasing mass surveillance, sometimes in the name of copyright enforcement, sometimes in the name of fighting terrorism, sometimes because they just want to. There’s a pattern here of similar things in the past – something is horrible, horrible, horrible, until the point where fighting the phenomenon just looks silly, counterproductive, and inhumane. Cannabis is there today, and it’s going to be years if not decades until it’s just as silly to fight people sharing knowledge and culture with each other, trying to brand them as awful people.

The striking pattern here is that people in power may regard an issue as completely peripheral, even downright uninteresting – like powerholders regard copyright – and still use the push from legacy industry interests as an excuse to get what they really want, like the copyright industry demanding mass surveillance.

Nixon declared war on cannabis… what year was it again? Oh nevermind exactly what year, it was as far back as when Nixon was president, which says a whole lot more than an exact year (it was 1968). His campaign advisor has since gone on record saying they knew all along they lied about the dangers of drugs, but that declaring war on them helped them shatter the communities that threatened Nixon’s re-election, specifically the hippies that opposed the Vietnam war.

“Did we know we [the Nixon administration] were lying about the drugs? Of course we did.” — John Erlichman

The pattern seems to be that social breakthroughs, getting rid of the old taboos, happen in a few areas first that test the waters, and when nothing bad happens, the floodgates open. Bloomberg did a good feature of it from a US perspective, analyzing US breakthroughs like women’s suffrage, marriage between people of different skin tones (which was once illegal!), and other similar issues.

“A few pioneer states get out front before the others, and then a key event—often a court decision or a grassroots campaign reaching maturity—triggers a rush of state activity that ultimately leads to a change in federal law.” — Bloomberg

When it comes to privacy in general, and sharing music, movies, culture, and knowledge between each other in particular, we can tell that we’re not at the “okay, this policy is just silly, everybody’s doing it and nobody cares” phase yet. Everybody’s sharing and nobody cares, except the copyright industry, and the powers that be are using every excuse of that industry to crack down and toughen existing laws. Even though everybody who knows something understands that the laws are not just ineffective, but counterproductive and silly, there’s no room for such thinking where the lobbyists of legacy industries roam unchallenged.

It took some 50 years to get to the “okay, this persecution is just silly” phase with cannabis. Let’s not make it fifty years with sharing and digital civil liberties.

Privacy remains your own responsibility.

The post History tells us the wars on privacy and sharing will get worse before it gets better appeared first on Privacy Online News.

February 20, 2017 at 04:32PM
via Privacy Online News

Understanding the different Maslow need levels for privacy

Understanding the different Maslow need levels for privacy
By Rick Falkvinge

When we aspire to have privacy, we may do so for a number of different reasons. All these reasons are valid, but some are more urgent than others, psychologically speaking. When debating privacy issues, it’s important to be aware of these psychological models and the very real consequences involved.

The psychologist Abraham Maslow created a theory known as the Maslow Hierarchy of Human Needs, which predicts the ranked order people will adhere to in seeking out certain things in their life. Where privacy is ranked on this list is a matter of which environment you operate in, and it’s crucial to recognize the differences.

Generally speaking, Maslow predicted that people won’t progress to addressing a higher level of needs until the current level is fully satisfied. The first level involves basic physiological needs – food, air, water, heat. Once these are satisfied, people start working on the second – safety from violence, safety in having food, air, and water for tomorrow as well; general freedom from worry. The third level is a sense of belonging to a group or tribe, the fourth is enjoying a sense of respect within that tribe, and the fifth and highest is self-development, once all other levels are satisfied.

The key thing to bear in mind here is that if you’re unsatisfied with safety (level two), for instance, then nothing of what you’re being served on levels three, four, and five really matters. If you don’t have your basic physical needs like food, water, or even oxygen met (level one), then no other needs are taken into account at that point. If you’re starving, you’re not going to be concerned with respect in your group.

Maslow’s Hierarchy of Human Needs. (Click to enlarge.)

Here’s the key realization that people want privacy for vastly different reasons. This is really common sense, but to have a model for it like this helps to make the concepts tangible.

Most of us who debate the merits of privacy do so for self-development reasons. We think it’s a better society where people have privacy, and for good reasons – very good reasons: all societies where privacy is or has been absent (North Korea, East Germany) have generally been… shall we call them low-satisfaction societies. But the key is that we’re still debating from an internal motivation of self-development (in this case, it makes no difference whether we’re seeking to develop ourselves or our society in general).

Those of us who talk at conferences about privacy and who write about it on blogs like this generally don’t talk about privacy because of physical safety concerns. Nor do we do so for a sense of belonging. You could argue that people who talk and write about privacy from the safety and comfort of an office or a café do so competing for respect in their group or tribe (level four), but that’s still a follow-on effect from the meritocracy development on level five.

Now, compare this who people who get mortar shells flying toward their location the second it is revealed. There are stories of reporters in rebel zones who have wanted to use a satellite phone to contact the outside world for whatever reason, and where the local commander led them to a deserted area, handed them a satphone and started the clock. After eight minutes of having the phone active, the commander would say “that’s enough”, terminate the call, turn off the phone and rapidly walk away from the location with the reporter. About four minutes after that, explosive ordnance would start raining down and killing anything within a football field area of the precise location of where the phone call was made. Somebody in this situation also wants privacy, but for completely different reasons: basic, actual, physical safety – what the model says is level two on the Maslow scale.

The important thing to realize here is that somebody arguing privacy from level five (self-development) will have their actions affected by not offending their previously-met needs on levels three and four (belonging, respect, and recognition). Somebody arguing privacy from level two (physical safety) will have no such concerns whatsoever. This level-five mechanism would manifest as a respect for contemporary taboos when arguing on conferences and columns, even when those taboos get in the way of actual developments in privacy.

(There are exceptions to the respect for taboos. I’ve frequently taken flak for disrespecting them – some of them. Maybe I’m respecting other ones subconsciously.)

There’s a conflict of interest here that’s based on how we’re psychologically wired at the physical level: somebody arguing for privacy from a level-five standpoint will not do so in a way that jeopardizes the needs met at lower levels.

There are also other noteworthy political reasons people will aspire and demand privacy. Most would do it from a human rights or civil liberties standpoint. However, if you’re looking at many governments in Asia, they could not care less about human rights as a Western concept – but they do want strong privacy, because it enables whistleblowing of corruption in their government. Thus, they want it from a level three standpoint – the ability to report corruption without repercussions from your peers, essentially.

There’s a saying here: politics is the art of making people agree with you, but for their own reasons.

Now, you could argue that you’re learning to use privacy properly as a hobby because you see a day where you might really need it, the way mass surveillance is developing and governments are cracking down on liberty. This would be a very valid argument. This would not be entirely unlike learning to quickly fight house fires as a form of self-development (level five), until the night you wake up from your smoke alarm and put your skills to use (level one). Or hoard some food as a form of self-development where people ridicule you as a tinfoil-hat doomsday prepper, until that day an ordinary snowstorm shuts down all food deliveries and you just go out to your bunker and causally grab some tasty freeze-dried chow, while others scramble for bread and rice where they can get it. Something that’s on level five today may be on a lower level tomorrow.

It’s with this insight that a lot of us are arguing for privacy, which remains your own responsibility.

The post Understanding the different Maslow need levels for privacy appeared first on Privacy Online News.

February 15, 2017 at 10:26AM
via Privacy Online News

Trump’s Attorney General’s Record on Privacy

Trump’s Attorney General’s Record on Privacy
By Kate Tummarello

President Donald Trump’s nominee to lead the country’s law enforcement has cleared the Senate.

The Senate voted 52-47 on Wednesday to confirm Sen. Jeff Sessions, whose record on civil liberties issues—including digital rights—has drawn fire from Democratic lawmakers and public interest groups.

EFF has expressed concerns about Sessions’ record on surveillance, encryption, and freedom of the press. Those concerns intensified during his confirmation process.

Throughout his confirmation hearing in front of the Senate Judiciary Committee and his written responses to additional questions from lawmakers, Sessions made a number of troubling statements. He said he would support legislation to enable a privacy-invasive Rapid DNA system. He refused to definitively commit not to put journalists in jail for doing their job. He dodged questions about Justice Department policies on Stingrays, and wouldn’t refused to commit to publish guidelines on how federal law enforcement uses government hacking. He called it “critical” that law enforcement be able to “overcome” encryption.

His Senate record on surveillance is also disturbing. Sessions helped to derail reform to the Electronic Communications Privacy Act in the Senate. He also opposed the USA FREEDOM Act, a set of moderate reforms to the NSA’s mass collection of information about Americans’ domestic phone calls. In 2015, he went so far as to pen an alarmist op-ed against the bill, in which he claimed that the bulk phone records collection was “subject to extraordinary oversight” and warned the bill “would make it vastly more difficult for the NSA to stop a terrorist than it is to stop a tax cheat.”

During the hearing, USA FREEDOM sponsor Sen. Patrick Leahy pressed Sessions on whether he is committed to enforcing the surveillance reform law. Sessions responded that the prohibition on bulk collection “appears to be” the governing statute for U.S. government surveillance. His qualified answer raises concerns. And while he pledged to follow that law, he couldn’t confirm it prohibited bulk collection of domestic phone records in all cases. (It does.)

In a marathon, all-night debate in opposition to Sessions, Senate Democrats pointed to his track record on surveillance and privacy as a source of concern.

Montana Democrat Sen. Jon Tester pointed to Sessions’ repeated votes in favor of “the most intrusive aspects of the Patriot Act.” He asked, “Will he fight on behalf of government officials that listen into our phone calls or scroll through our emails or preserve our Snapchats?”

Washington Democrat Sen. Maria Cantwell said she is concerned by Sessions’ support for “President [George W.] Bush’s warrantless wiretapping and surveillance programs,” and his support for backdoor access to encrypted technologies. “I do have concerns that the president’s nominee…may not stand up to the President of the United States in making sure that the civil liberties of Americans are protected.”

Now that he has been confirmed, EFF and other civil liberties advocates will work to hold him accountable as Attorney General and block any attempts by him or anyone else to broaden the government surveillance powers that threaten our basic privacy rights.

February 9, 2017 at 06:21PM
via Deeplinks

Healthy Domains Initiative Isn’t Healthy for the Internet

Healthy Domains Initiative Isn’t Healthy for the Internet
By Jeremy Malcolm and Mitch Stoltz

EFF had high hopes that the Domain Name Association’s Healthy Domains Initiative (HDI) wouldn’t be just another secretive industry deal between rightsholders and domain name intermediaries. Toward that end, we and other civil society organizations worked in good faith on many fronts to make sure HDI protected Internet users as well.

Those efforts seem to have failed. Yesterday, the Domain Name Association (DNA), a relatively new association of domain registries and registrars, suddenly launched a proposal for “Registry/Registrar Healthy Practices” on a surprised world, calling on domain name companies to dive headlong into a new role as private arbiters of online speech. This ill-conceived proposal is the very epitome of Shadow Regulation. There was no forewarning about the release of this proposal on the HDI mailing list; indeed, the last update posted there was on June 9, 2016, reporting “some good progress,” and promising that any HDI best practice document “will be shared broadly to this group for additional feedback.” That never happened, and neither were any updates posted to HDI’s blog.

While yesterday’s announcement claims that “civil society” was part of a “year-long process of consultation” leading to this document, it doesn’t say which groups participated, or how they were selected. In any purported effort to develop a set of community-based principles, a failure to proactively reach out to affected stakeholders, especially if they have already expressed interest, exposes the effort as a sham. “Inclusion” is one of the three key criteria that EFF developed in explaining how fair processes can lead to better outcomes, and this means making sure that all stakeholders who are affected by Internet policies have the opportunity to be heard. The onus here lies on the organization that aims to develop those policies, and in this the DNA has clearly failed.

Copyright Censorship Through Compulsory Private Arbitration

So, what did HDI propose in its Registry/Registrar Healthy Practices [PDF]? The Practices divide into four categories, quite different from one another: Addressing Online Security Abuse, Complaint Handling for “Rogue” Pharmacies, Enhancing Child Abuse Mitigation Systems, and Voluntary Third Party Handling of Copyright Infringement Cases. We will focus for now on the last of these, because it is the newest and most overreaching voluntary enforcement mechanism described in the Practices.

The HDI recommends the construction of “a voluntary framework for copyright infringement disputes, so copyright holders could use a more efficient and cost-effective system for clear cases of copyright abuse other than going to court.” This would involve forcing everyone who registers a domain name to consent to an alternative dispute resolution (ADR) process for any copyright claim that is made against their website. This process, labelled ADRP, would be modeled after the Uniform Dispute Resolution Policy (UDRP), an ADR process for disputes between domain name owners and trademark holders, in which the latter can claim that a domain name infringes its trademark rights and have the domain transferred to their control.

This is a terrible proposal, for a number of reasons. First and foremost, a domain name owner who contracts with a registrar is doing so only for the domain name of their website or Internet service. The content that happens to be posted within that website or service has nothing to do with the domain name registrar, and frankly, is none of its business. If a website is hosting unlawful content, then it is the website host, not the domain registrar, who needs to take responsibility for that, and only to the extent of fulfilling its obligations under the DMCA or its foreign equivalents.

Second, it seems too likely that any voluntary, private dispute resolution system paid for by the complaining parties will be captured by copyright holders and become a privatized version of the failed Internet censorship bills SOPA and PIPA. While the HDI gives lip service to the need to “ensure due process for respondents,” if the process by which the HDI Practices themselves were developed is any guide, we cannot trust that this would be the case. If any proof is needed of this, we only need to look at the ADRP’s predecessor and namesake, the UDRP, a systemically biased process that has been used to censor domains used for legitimate purposes such as criticism, and domains that are generic English words. Extending this broken process beyond domain names themselves to cover the contents of websites would make this censorship exponentially worse.

Donuts Are Not Healthy

Special interests who seek power to control others’ speech on the Internet often cloak their desires in the rhetoric of “multistakeholder” standards development. HDI’s use of terms like “process of consultation,” “best practices,” and “network of industry partners” fits this mold. But buzzwords don’t actually give legitimacy to a proposal, nor substitute for meaningful input from everyone it will affect.

The HDI proposal was written by a group of domain name companies. They include Donuts Inc., a registry operator that controls over 200 of the new top-level domains, like .email, .guru, and .movie. Donuts has taken many steps that serve the interests of major corporate trademark and copyright holders over those of other Internet users. These include a private agreement with the Motion Picture Association of America to suspend domain names on request based on accusations of copyright infringement, and a “Domain Protected Marks List Plus” that gives brand owners the power to stop others from using common words and phrases in domain names–a degree of control that they don’t get from either ICANN procedures or trademark law.

The “Healthy Practices” proposal continues that solicitude towards corporate rightsholders over other Internet users. This proposal begs the question: healthy for whom?

If past is prologue, we can expect to see heaps of praise for this proposal from the same special interests it was designed to serve, and from their allies in government who use Shadow Regulations like this one to avoid democratic accountability for unpopular, anti-user policies. But no talk of “self-regulation” nor “best practices” can transform an industry’s private wishlist into legitimate governance of the Internet, or an acceptable path for other Internet companies to follow.

February 10, 2017 at 02:08AM
via Deeplinks