This Week In Transparency: Patriot Act, 50 Year Old Secrets, and More Drones
Wed, 23 May 2012 19:11:27 +0000
CIA Still Claims Its Drone Program is "Secret"
Last week, the Wall Street Journal reported the Obama Administration may finally lift the legal veil of secrecy surrounding the CIA’s covert drone program. The ACLU has been involved in a lawsuit over the US government’s constitutional authority to target American citizens with strikes overseas with its supposedly covert CIA drone program. On Monday, however, the CIA decided to continue to claim the program is a state secret and that they should not have to admit or deny it exists.
This, despite the fact that, as the Journal reported, "U.S. drone strikes are hardly a secret. Officials have spoken openly about them, even discussing the operations in formal speeches. But they are still classified, and unauthorized disclosures about details of individual missions could constitute a felony."
Ironically, on the same day, the White House announced a new policy for which suspects get targeted by the covert program, saying counterterrorism chief John Brennan would have the final say on who gets targeted by The Program Which Must Not Be Named.
EFF Releases New FOIA Documents and Files Amicus Brief in Transparency Case
- Patriot Act
EFF published the full set of documents the Justice Department has handed over so far in our FOIA lawsuit for the Justice Department’s secret interpretation of section 215 of the Patriot Act, of which Senators Ron Wyden and Tom Udall warned "most Americans would be stunned to learn the details of how these secret court opinions have interpreted section 215 of the Patriot Act."
Meanwhile, a court in New York ruled against New York Times reporter Charlie Savage, along with the ACLU, in their separate lawsuit asking for the Justice Department’s secret memo on the same matter. Both EFF and ACLU have separate suits pending related to Section 215 in different jurisdictions.
- State Department documents on ACTA
The EFF also received a response from the State Department last week in response to our FOIA request for documents related to the Anti-Counterfeiting Trade Agreement (ACTA). ACTA contains harsh copyright standards that EFF has been protesting for years. The documents suggested that ACTA was not submitted to the normal State Department review process to determine its constitutionality before it was signed by the Deputy Trade Ambassador. Read more about the FOIA request and how law professors cast further doubt on ACTA’s constitutionality here.
- FOIA Suit for White House Visitor Records
EFF, along with Citizens for Responsibility and Ethics in Washington (CREW) and a host of other civil society organizations, recently filed an amicus brief in the long-running Freedom of Information Act case against the Department of Homeland Security (DHS) and the Secret Service for access to the White House visitor logs. Previously, the Obama administration released many of the logs, but it is still arguing in court that they are not subject to FOIA because they do not belong to a specific agency. However, given that it’s clear the Secret Service is part of DHS, there is no threat to public safety, and the White House has released many records already, there is no reason they should be withheld from the FOIA process.
NSA Forced to Declassify Document It Accidentally Posted Online
In an embarrassing incident two weeks ago, the National Security Agency (NSA)—notorious for overclassification and secrecy—was forced to use a "rarely used authority" to declassify a "properly classified" document in full after they mistakenly posted it on their website, according to secrecy expert Steven Aftergood. Instead of redacting the alleged sensitive material in the online post, they highlighted it.
But, according to Aftergood, as is the case in many circumstances of government classification, it is hard to see why it wasn’t declassified in the first place:
There was nothing exceptional about the contents of the document, and there was no overriding public interest that would have compelled its disclosure if it had been properly classified. Nor is any national security damage likely to follow its release.
Final Volume of the CIA’s Bay of Pigs Study Will Remain Classified
Two weeks ago, a federal judge ruled for the government in a FOIA suit filed by the National Security Archive asking the CIA to formally declassify a draft of the last volume of a history of the Bay of Pigs Invasion. Unfortunately, the federal judge ruled the government could keep the draft version classified, despite the fact that it was written 31 years ago about an event that happened more than 50 years ago.
The judge reasoned that the final volume was a draft not intended "for inclusion in the final publication" and therefore the ‘deliberative process’ exemption to FOIA applied, which provides an exemption to disclosure for documents that help government officials arrive at final agency policy positions. As McClatchy reported, "The judge agreed with the CIA assertion that release of Volume V would have a chilling effect on current CIA historians who might be reluctant to try out ‘innovative, unorthodox or unpopular interpretations in a draft manuscript’ if they thought it would be made public."
The deliberative process privilege – when narrowly invoked – serves legitimate purposes. It is designed to provide lower level government employees with the freedom to express ideas, without fear of public disclosure if those ideas are not ultimately adopted by the agency. However, in this case, the (former) government employee who wrote the draft volume sought its release – through a FOIA request – 10 years ago. At the time, the information contained within the draft was still classified, so his request was denied. Now, however, the information is no longer classified, and, given that the person whose "deliberative process" the CIA is allegedly protecting sought the draft’s release, it is hard to understand what the public interest in protecting the document, 30 years after its creation, could possibly be.
From Fingerprints to DNA: Biometric Data Collection in U.S. Immigrant Communities and Beyond
Wed, 23 May 2012 17:41:10 +0000
San Francisco - Today the Immigration Policy Center (IPC) and the Electronic Frontier Foundation (EFF) release "From Fingerprints to DNA: Biometric Data Collection in U.S. Immigrant Communities and Beyond." The paper outlines the current state of U.S. government collection of biometric information and the problems that could arise from these growing databases of records. It also points out how immigrant communities are immediately affected by the way this data is collected, stored, and shared.
There is a growing push to link biometric collection with immigration enforcement. The U.S. Department of Homeland Security (DHS) takes approximately 300,000 fingerprints per day from non-U.S. citizens crossing the border into the United States, and it collects biometrics from noncitizens applying for immigration benefits and from immigrants who have been detained. In addition, state and local law enforcement officers regularly collect fingerprints and DNA, as well as face prints and even iris scans. All of these government databases are growing and are being increasingly interconnected. For example, the Secure Communities program takes the fingerprints of people booked into local jails, matches them to prints contained in large federal immigration databases, and then uses this information to deport people.
"Some people believe biometrics and databases are the silver-bullets that will solve the immigrant enforcement dilemma. But biometrics are not infallible, and databases contain errors. These problems can result in huge negative consequences for U.S. citizens and legal immigrants mistakenly identified," said Michele Waslin, Senior Policy Analyst at the IPC.
"Biometric data collection can lead to racial profiling and can disproportionately affect immigrants," said EFF Staff Attorney Jennifer Lynch. "It also gives the government a new way to find and track people throughout the United States. The government needs to act now to limit unnecessary biometric collection and address the serious privacy issues regarding the amount and type of data collected, as well as what triggers that data collection, with whom the data is shared, and the security of that data."
For the full white paper "From Fingerprints to DNA: Biometric Data Collection in U.S. Immigrant Communities":
https://www.eff.org/document/fingerprints-dna-biometric-data-collection-us-immigrant-communities-and-beyond
For "From Fingerprints to DNA: By the Numbers":
https://www.eff.org/document/fingerprints-dna-numbers
For more on biometrics:
https://www.eff.org/issues/biometrics
Contacts:
Jennifer Lynch
Staff Attorney
Electronic Frontier Foundation
jlynch@eff.org
New York - The Electronic Frontier Foundation (EFF) is urging a federal judge not to let television networks squash an innovative streaming service with a bogus copyright infringement lawsuit.
In an amicus brief filed today, EFF and Public Knowledge asked the court to block a preliminary injunction that could prevent Aereo Inc. from establishing a customer base in New York City, arguing that shutting down the service at this early stage sends a dangerous message to other start-up companies working to improve consumers' TV viewing experience.
"The threat of lengthy litigation would discourage any business from working to add value to the television viewing experience, leaving the market in the hands of a few established players," said EFF Staff Attorney Mitch Stoltz. "Remember, these are the same folks who tried to keep VCRs off the market years ago, and more recently fought viciously against remote DVRs, which allow cable subscribers access to content they've already bought but is stored elsewhere. This is yet another attempt by TV networks to profit from, control, or stop new technology they didn't think of first."
Aereo lets users in New York watch local channels by renting their own small antenna located at the Aereo facility, with the signal from the antenna sent over the Internet to that single user. The TV networks argue that this somehow constitutes a public performance and therefore infringes their copyright, even though it would be perfectly legal for someone to install their own antenna and run a wire to a TV set without paying a fee to anyone.
"All Aereo is doing, conceptually, is moving the rabbit ears from your roof to theirs," said EFF Senior Staff Attorney Kurt Opsahl. "Yet the TV networks want to play games with the law to get a cut of the profits or shut it down. We're asking the court to consider the legal and customary rights of television viewers, as well as the threats a preliminary injunction could bring to future innovation."
For the full brief in WNET v. Aereo Inc.:
https://www.eff.org/node/70851
Contacts:
Mitch Stoltz
Staff Attorney
Electronic Frontier Foundation
mitch@eff.org
Kurt Opsahl
Senior Staff Attorney
Electronic Frontier Foundation
kurt@eff.org
This week, the Supreme Court put to rest any doubt that when it invalidated a patent that added nothing novel to an otherwise unpatentable idea, back in March, it was talking about software patents, too. In that case, Mayo v. Prometheus, the Court reviewed the three types of inventions that cannot be patented (laws of nature, natural phenomena, and abstract ideas) and held that the patent at issue there—one covering diagnostic testing—represented nothing more than a law of nature, with "conventional steps, specified at a high level of generality," appended. At the time, we commented that this ruling should likewise apply to software patents, so that merely adding a "conventional step" to an otherwise abstract idea would not make that abstract idea patentable (which is exactly what happened in the Ultramercial v. Hulu case). On Monday, the Supreme Court told the Federal Circuit to reconsider its Ultramercial ruling in light of Mayo, which sounds a lot like an endorsement that Mayo's limitations on patentable subject matter should extend to software, too.
When Mayo was first decided, we were pleased to see that the Supreme Court’s language included abstract ideas in its analysis. Of course, many consider most software, and the algorithms that form its basis, abstract ideas that should not be patented. So you can see why the Mayo ruling, applied to abstract ideas, would have the potential to limit some of the worst software patents we’ve seen.
Case in point: Ultramercial. We’ve written about this dangerous ruling before (here and here), but, in case you missed it, there the Federal Circuit upheld a patent that merely claimed a process for doing no more than viewing ads online before accessing copyrighted content. The court claimed that the patent was not abstract because the steps were completed on the Internet, despite the fact that the underlying idea—viewing ads in exchange for content—was indeed abstract. Essentially, if more courts and the Patent Office follow Ultramercial, the mere act of performing an abstract idea on the Internet would somehow make that otherwise abstract idea no longer abstract. Given the myriad ways in which the world is moving online, you can see just how badly this could go.
Lately, many have argued about whether the Mayo ruling would apply to software, too. We think it clearly should, and does. It seems the Supreme Court thinks so, too. We hope the Federal Circuit will get it right this time and strike Ultramercial from the books.
EFF is proud to participate in World IPv6 Launch Day on June 6, 2012.
It is a testament to the enduring success and growing importance of the Internet that the original space of over four billion addresses has effectively been exhausted. Workarounds are in common use to share and reuse addresses, making this a problem that most users can continue to ignore for now. On the other hand, it already forces network engineers to work under difficult constraints and justify each request for a new address. Serving a variety of hostnames from only one IP address can make SSL certificate management complex, adding a needless obstacle to HTTPS adoption. Address scarcity also presents a serious roadblock to new ISPs, especially outside North America. As every new mobile device service is now an ISP too, the problem is only accelerating.
IPv6 solves this issue by starting out with a much larger block of addresses. Famously, the address space of 2^128 is large enough to assign almost 5 x 10^28, or 50 billion billion billion, addresses to every living human. The protocol also includes built-in features for configuration and encryption that have traditionally been performed by other software running on top of the IP network layer, and support for extremely large frame sizes for future scalability.
The transition to IPv6 presents some privacy concerns that users should be aware of. As first conceived, a portion of an IPv6 address would be generated from a device's MAC address, making it possible for every remote machine a user communicates with to calculate the unique hardware identity of the user's machine. That allows sites and services anywhere in the world to recognize and track the user's device forever. The sparse address space and decreased need to pool IP addresses with Network Address Translation also make it easier to uniquely identify and track a user.
However, more and more operating system vendors are including plugins to mitigate these concerns and, better yet, enabling them by default. IPv6 support is also available from the Tor Project, but for now you will need to know the address of an IPv6 bridge to use it. As more people adopt IPv6, we should all be vigilant about protecting our privacy, but right now we see no serious hurdles that should warrant putting off IPv6 adoption.
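The MAC-derived addressing described above is the "modified EUI-64" scheme from RFC 4291: the 48-bit MAC is split in half, ff:fe is inserted in the middle, and one bit of the first byte is flipped. The following is an added example, not code from EFF or from any operating system vendor. It shows how an administrator can audit a host's addresses to see whether they expose a stable hardware identifier or use a randomized interface ID instead. The MAC address and all addresses are constructed samples that use the 2001:db8::/32 documentation prefix, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict


def slaac_eui64(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the address a host would autoconfigure from its MAC (modified EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("modified EUI-64 needs a /64 prefix")
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then insert ff:fe between the two MAC halves.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def embedded_mac(addr: str):
    """Return the MAC exposed by an address, or None if the interface ID
    does not have the EUI-64 shape (for example a randomized privacy address)."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any zone id such as %eth0
    iid = ip.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # A random interface ID matches this marker only about once in 65536 draws,
    # so a hit is strong (not absolute) evidence of a MAC-derived address.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def devices_seen(addresses):
    """Group addresses by exposed MAC: one MAC under several prefixes means the
    same device is recognizable on every network it joins."""
    seen = defaultdict(set)
    for a in addresses:
        mac = embedded_mac(a)
        if mac is not None:
            ip = ipaddress.IPv6Address(a.split("%")[0])
            seen[mac].add(str(ipaddress.IPv6Network((ip, 64), strict=False)))
    return {mac: sorted(prefixes) for mac, prefixes in seen.items()}


# Constructed sample: one laptop on two networks, plus a randomized address.
SAMPLE = [
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",      # home network, MAC-derived
    "2001:db8:beef:10:21a:2bff:fe3c:4d5e",  # second network, same interface ID
    "2001:db8:1:2:5c1d:9a0e:77b3:4f12",     # randomized interface ID
]

if __name__ == "__main__":
    print(slaac_eui64("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"))
    for mac, prefixes in devices_seen(SAMPLE).items():
        print(mac, "visible under", prefixes)
```

Run against the addresses a host actually has configured, an empty result from devices_seen for its global addresses indicates that randomized interface IDs are in use.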
Because the IPv6 protocol follows the standard TCP/IP networking model and sits squarely on the Internet layer, many IPv4 applications can be updated to add IPv6 support with only small changes. For site operators like EFF, the changes can be almost as simple as updating the server software's configuration file to include its IPv6 address and adding IPv6 'AAAA' domain name records. We also recommend configuring an IPv6 aware firewall, such as ip6tables for GNU/Linux.
If getting ready for the Internet of the future is so easy, why hasn't everyone already done it? Unfortunately, for major hosting providers and ISPs, it can be a much bigger task. In order to provide your server with a v6 IP address, they might need to upgrade a significant portion of their network infrastructure. Very few home ISPs offer IPv6, and home routers with IPv6 support haven't been on the shelves for very long. Until demand increases, uptake might be slow, and with workarounds to share IPv4 addresses in place demand remains low. The organizations taking part in World IPv6 Launch Day are helping to change this picture.
If your ISP or hosting provider doesn't offer native IPv6, you can still offer connectivity or start using IPv6 care of a transition technology whereby v6 traffic is tunneled through an IPv4 address. A number of providers and client packages can help make configuring this scenario relatively painless.
www.eff.org will launch over IPv6 on June 6, 2012. Due to hosting limitations, our other sites and services will follow at an as yet undetermined date. In the meantime, future-proofed users can enjoy a preview at ipv6.eff.org.
In the ongoing effort to bring you cool things that support important civil liberties issues, EFF is happy to unveil our third annual DEF CON hacker conference t-shirt featuring the dangerous, and yet cuddly Script Kitty. He hacks, he glows, and he demands coders' rights.
Our spokeskitten shows that, if you own a killer robot, you have the right to pwn it. The front of the shirt features our EFF-DEF CON logo mashup in a subtle homage to our mutual support (as well as a shout-out to EFF's advocacy for remix culture and fair use). And watch the front and back glow acid green under cover of darkness!
In honor of DEF CON's 20th anniversary, we've made this year's special edition member t-shirt available on our site! Get a cottony chunk of hacker history even if you can't make it to Las Vegas this summer. Just join EFF or renew your membership through our D(EFF)CONtest page. Support one of the amazing fundraising teams on the leaderboard, or make an independent donation.
While you're at it, start your own D(EFF)CONtest team and be your own first contributor. Compete to protect coders' rights and win a whole lot of 1337 including a stay at the Rio Hotel and Casino, DEF CON Human Badges, Ninja Party badges, passes to theSummit, and more!
New legislation in the Netherlands makes it the first country in Europe to establish a legal framework supporting net neutrality. In addition to the net neutrality provisions, the law contains language that restricts when ISPs can wiretap their users, and limits the circumstances under which ISPs can cut off a subscriber's Internet access altogether.
The anti-wiretapping section of the new law specifies that ISPs may not use technologies like deep packet inspection (DPI), except under limited circumstances, or with explicit consent from the ISP’s customer, or to comply with a court order or other legislative provisions. One Dutch ISP, KPN, came under fire last year for using DPI to determine whether its subscribers were using VoIP on mobile devices.
The new law sets out an exhaustive list of six circumstances in which an ISP can disconnect or suspend the Internet access of subscribers. These include: termination at the request of the subscriber, non-payment by a subscriber, in cases of deception, at the expiry of a fixed contract, force majeure, or if the ISP is required to terminate by law or a court order. In addition, the network neutrality provisions also permit blocking of an Internet connection where necessary for the integrity and security of a network.
The provisions are the Dutch government’s implementation of the 2009 EU Telecoms Package revision framework. Article 1(3a) of the Framework Directive states that EU Member States may only adopt measures interfering with citizens’ ability to access and use the Internet in limited circumstances. In particular measures may only be imposed if they are "appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law, including effective judicial protection and due process."
As Dutch digital rights group Bits of Freedom notes, the new provisions are needed because "[c]urrently, Internet providers on the basis of their terms and conditions may terminate or suspend the Internet connection for various reasons." This law ensures that ISPs cannot disconnect users for nebulous terms of service violations. This gives Internet users some protection against ISPs adopting voluntary or semi-voluntary measures, such as policies to disconnect Internet users on three allegations of copyright infringement.
This is important as voluntary three strikes policies become an increasingly real danger. In the United States, for example, ISPs and major media trade groups have developed a voluntary "graduated response" program — the so-called "six strikes" deal — that is set to go into effect this July. EFF is now calling on Internet users to pressure the participating ISPs for a public commitment not to cut users off under the new program.
The Dutch law comes after vigorous campaigning by civil society groups including influential digital rights group, Bits of Freedom. Ot van Daalen, the Director of that organization, hopes it will spark similar legislation elsewhere. "Bits of Freedom campaigned hard for these provisions and our work paid off. The law sets an example for other countries, and we call on the rest of Europe to follow."
The International Telecommunication Union (ITU) will hold the World Conference on International Telecommunications (WCIT-12) in December in Dubai, an all-important treaty-writing event where ITU Member States will discuss the proposed revisions to the International Telecommunication Regulations (ITR). The ITU is a United Nations agency responsible for international telecom regulation, a bureaucratic, slow-moving, closed regulatory organization that issues treaty-level provisions for international telecommunication networks and services. The ITR, a legally binding international treaty signed by 178 countries, defines the boundaries of ITU’s regulatory authority and provides "general principles" on international telecommunications. However, media reports indicate that some proposed amendments to the ITR—a negotiation that is already well underway—could potentially expand the ITU’s mandate to encompass the Internet.
In similar fashion to the secrecy surrounding ACTA and TPP, the ITR proposals are being negotiated in secret, with high barriers preventing access to any negotiating document. While aspiring to be a venue for Internet policy-making, the ITU Member States do not appear to be very open to the idea of allowing all stakeholders (including civil society) to participate. The framework under which the ITU operates does not allow for any form of open participation. Mere access to documents and decision-makers is sold by the ITU to corporate "associate" members at prohibitively high rates. Indeed, the ITU’s business model appears to depend on revenue generation from those seeking to ‘participate’ in its policy-making processes. This revenue-based principle of policy-making is deeply troubling in and of itself, as the objective of policy making should be to reach the best possible outcome.
Release the documents
The ITU Member States should urgently lift restrictions on sharing the preparatory materials and ITR amendments, and release the documents. The current preparatory process lacks the transparency, openness of process, and inclusiveness of all relevant stakeholders that is the hallmark of Internet policy-making. A truly multi-stakeholder participation model requires equal footing for all relevant stakeholders including civil society, the private sector, the technical community, and participating governments. These principles are the minimum that one could expect following commitments made at the World Summit on Information Society (WSIS). The ITU Secretary-General Dr. Hamadoun I. Touré reiterated these commitments last year at the Internet Governance Forum in Kenya:
In its own words, the "ITU remains firmly committed to the WSIS process," and it considers itself to have "made considerable progress in many areas in advancing the implementation of the WSIS outcomes."
And in practice? Not likely. This is why EFF, European Digital Rights, CIPPIC and CDT and a coalition of civil society organizations from around the world are demanding that the ITU Secretary General, the WCIT-12 Council Working Group, and ITU Member States open up the WCIT-12 and the Council working group negotiations, by immediately releasing all the preparatory materials and Treaty proposals. If it affects the digital rights of citizens across the globe, the public needs to know what is going on and deserves to have a say. The Council Working Group is responsible for the preparatory work towards WCIT-12, setting the agenda for and consolidating input from participating governments and Sector Members.
We demand full and meaningful participation for civil society in its own right, and without cost, at the Council Working Group meetings and the WCIT on equal footing with all other stakeholders, including participating governments. A transparent, open process that is inclusive of civil society at every stage is crucial to creating sound policy.
Respect the multi-stakeholder process
Civil society has good reason to be concerned regarding an expanded ITU policy-making role. To begin with, the institution does not appear to have high regard for the distributed multi-stakeholder decision making model that has been integral to the development of an innovative, successful and open Internet. In spite of commitments at WSIS to ensure Internet policy is based on input from all relevant stakeholders, the ITU has consistently put the interests of one stakeholder—Governments—above all others. This is discouraging, as some government interests are inconsistent with an open, innovative network. Indeed, the conditions which have made the Internet the powerful tool it is today emerged in an environment where the interests of all stakeholders are given equal footing, and existing Internet policy-making institutions at least aspire, with varying success, to emulate this equal footing. This formula is enshrined in the Tunis Agenda, which was committed to at WSIS in 2005:
83. Building an inclusive development-oriented Information Society will require unremitting multi-stakeholder effort. We thus commit ourselves to remain fully engaged—nationally, regionally and internationally—to ensure sustainable implementation and follow-up of the outcomes and commitments reached during the WSIS process and its Geneva and Tunis phases of the Summit. Taking into account the multifaceted nature of building the Information Society, effective cooperation among governments, private sector, civil society and the United Nations and other international organizations, according to their different roles and responsibilities and leveraging on their expertise, is essential.
84. Governments and other stakeholders should identify those areas where further effort and resources are required, and jointly identify, and where appropriate develop, implementation strategies, mechanisms and processes for WSIS outcomes at international, regional, national and local levels, paying particular attention to people and groups that are still marginalized in their access to, and utilization of, ICTs.
Indeed, the ITU’s current vision of Internet policy-making is less one of distributed decision-making, and more one of ‘taking control.’ For example, in an interview conducted last June with ITU Secretary General Hamadoun Touré, Russian Prime Minister Vladimir Putin raised the suggestion that the union might take control of the Internet: "We are thankful to you for the ideas that you have proposed for discussion," Putin told Touré in that conversation. "One of them is establishing international control over the Internet using the monitoring and supervisory capabilities of the International Telecommunication Union (ITU)."
Perhaps of greater concern are views espoused by the ITU regarding the nature of the Internet. Yesterday, at the World Summit of Information Society Forum, Mr. Alexander Ntoko, head of the Corporate Strategy Division of the ITU, explained the proposals made during the preparatory process for the WCIT, outlining a broad set of topics that can seriously impact people's rights. The categories include "security," "interoperability" and "quality of services," and the possibility that ITU recommendations and regulations will be not only binding on the world’s nations, but enforced.
In this sense, it is somewhat concerning that the ITU appears to draw its inspiration for Internet reform from the earliest days of the network. For example, earlier this year, Ntoko zeroed in on online anonymity, which EFF has fought to protect in the past. Citing the early days of ARPAnet, when the Internet consisted of a number of academic institutions who could identify each other by IP address, Ntoko has expressed his view regarding the anonymous nature of the Internet as: "[it] wasn't always that way, and shouldn't be in the future."
Rights to online expression are unlikely to fare much better than privacy under an ITU model. During last year’s IGF in Kenya, a voluntary code of conduct was issued to further restrict free expression online. A group of nations (including China, the Russian Federation, Tajikistan and Uzbekistan) released a Resolution for the UN General Assembly titled, "International Code of Conduct for Information Security." The Code seems to be designed to preserve and protect national powers in information and communication. In it, governments pledge to curb "the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment." This overly broad provision accords any state the right to censor or block international communications, for almost any reason.
Promote openness and transparency
Currently, there are several organizations dealing with Internet Policy at the global and regional level. The Committee of Ministers of the Council of Europe issued guidance on Internet governance in a Declaration on Internet Governance Principles. It emphasizes the need for openness and transparency:
Multi-stakeholder governance
The development and implementation of Internet governance arrangements should ensure, in an open, transparent and accountable manner, the full participation of governments, the private sector, civil society, the technical community and users, taking into account their specific roles and responsibilities. The development of international Internet-related public policies and Internet governance arrangements should enable full and equal participation of all stakeholders from all countries.
Responsibilities of states
States have rights and responsibilities with regard to international Internet-related public policy issues. In the exercise of their sovereignty rights, states should, subject to international law, refrain from any action that would directly or indirectly harm persons or entities outside of their territorial jurisdiction. Furthermore, any national decision or action amounting to a restriction of fundamental rights should comply with international obligations and in particular be based on law, be necessary in a democratic society and fully respect the principles of proportionality and the right of independent appeal, surrounded by appropriate legal and due process safeguards.
Decentralised management
The decentralised nature of the responsibility for the day-to-day management of the Internet should be preserved. The bodies responsible for the technical and management aspects of the Internet, as well as the private sector should retain their leading role in technical and operational matters while ensuring transparency and being accountable to the global community for those actions which have an impact on public policy.
There are some factors in place that may insulate strong democracies such as the United States from the more harmful elements of the ITU proposal. As with all international policy-making venues, ITU outputs will not become law until enacted domestically by Member States such as the United States, Canada or Sweden. This means that any ITU policies antithetical to a free and democratic society might not make it into domestic law. Central to this will be the legitimacy of the institution, and the United States government, for example, has already stated that the ITU’s lack of adherence to multi-stakeholder principles is deeply problematic and a barrier to the institution’s legitimacy.
In spite of this, a closed and expanded ITU policy-making role remains a threat to an already fragile public interest. Several governments have continuously sought to launder unpopular measures through international intergovernmental venues that would subvert democratic Internet principles or hard-won international human rights law protections. The Council of Europe’s Cybercrime Treaty is a good example of policy laundering at an international level. Similarly, multi-lateral or pluri-lateral agreements, like ACTA and TPP, are a way to bypass national and global inter-governmental institutions that are more transparent and open to civil society participation as well as democratic checks and balances.
The ITU proposal will establish an ongoing source of international policy that does not have the interests and rights of Internet users in mind. Further, unlike other venues which recognize the importance of ongoing flexibility in Internet policy-making, the ITRs are a treaty, legally binding on its signatories. While the ITU’s refusal to commit to a multi-stakeholder model may act to safeguard strong democracies such as the United States, European countries and Canada from its more harmful policy outputs, democratic countries with weaker internal checks and balances will find it more difficult to provide such insulation. Even countries with well-entrenched safeguards for human rights may be tempted to adopt laws that conflict with human rights where these align with powerful domestic interests, as was demonstrated by recent attempts to pass SOPA/PIPA and CISPA in the United States.
We urge the ITU Secretary General et al to ensure that the outcomes of the WCIT and its preparatory process truly represent the common interests of all who hold a stake in the future of our information society. If your government is a member of ITU, demand transparency and tell them to open the process and disclose the WCIT preparatory documents and Treaty amendments.
Swedish Telecom Giant Teliasonera Caught Helping Authoritarian Regimes Spy on Their Citizens
Fri, 18 May 2012 23:41:03 +0000
According to a recent investigation by the Swedish news show Uppdrag Granskning, Sweden’s telecommunications giant Teliasonera is the latest Western company revealed to be colluding with authoritarian regimes by selling them high-tech surveillance gear to spy on their citizens. Teliasonera has allegedly enabled the governments of Belarus, Uzbekistan, Azerbaijan, Tajikistan, Georgia and Kazakhstan to spy on journalists, union leaders, and members of the political opposition. One Teliasonera whistle-blower told the reporters, "The Arab Spring prompted the regimes to tighten their surveillance. ... There’s no limit to how much wiretapping is done, none at all."
The investigative report is titled "Black Boxes," in reference to the black boxes Teliasonera allowed police and security services to install in their operation centers, which granted them the unrestricted capability to monitor all communications—including Internet traffic, phone calls, location data from cell phones, and text messages—in real time. This has caused concern among Swedish citizens and Teliasonera shareholders, who had previously been assuaged by assurances from the telecommunications company that they follow the law in the countries in which they are operating. After a meeting with Peter Norman, Sweden’s Minister of Financial Markets, the chairman of Teliasonera’s board of directors issued a statement, announcing that they had launched "an action programme for handling issues related to protection of privacy and freedom of expression in non-democratic countries, in a better and more transparent way."
Teliasonera’s declaration of good intentions may be too little too late after the damning evidence of abuse compiled by Uppdrag Granskning. Documents obtained by their investigators showed an Azerbaijani had his phone tapped after he published a piece about being beaten at the hands of government security agents while covering a story. The report also found that black-box surveillance was used in Belarus to track down, arrest, and prosecute protesters who attended an anti-government protest rally following the 2010 Belarusian presidential election. One Azerbaijani citizen says he was interrogated solely due to the fact that he voted for the Armenian representative in the 2009 Eurovision song contest.
In the post-Soviet state of Georgia, these recent revelations have prompted the Georgian Young Lawyers Association (GYLA) to challenge indiscriminate wiretapping in their country, alleging that far from complying with local statutes, Teliasonera was breaking Georgian law.
GYLA points out that the Georgian criminal code and constitution protect personal information such as private phone calls. Police must obtain a court order before they can listen in to a citizen’s private phone conversations. GYLA attorney Maya Khutsishvili says that companies can only provide private information about a person to investigative bodies based on such a court order—and that a court’s ruling must indicate why the investigative body needs to listen to a specific person or receive other kinds of personal information.
EFF believes that for Western countries providing telecommunications equipment or services, merely complying with the law is insufficient. Authoritarian regimes can interpret the law in ways that justify unlimited spying on journalists and political dissidents. Or, as is the case in Georgia, the laws on the books are not enforced—unrestricted surveillance is the order of the day. If tech companies want to avoid being repression’s little helper, they must know their customer and refrain from cooperating with governments that they believe will use their technology to facilitate human rights violations.
Local Governments Have the Power to Restrict Drone Surveillance in the US
Fri, 18 May 2012 21:08:17 +0000
A series of events in the last two weeks have set the stage for how surveillance drones will be operated by local law enforcement in the United States and how citizens can demand privacy protections as domestic use escalates.
As EFF has previously reported, Congress passed a bill in February mandating that the FAA open national airspace to drones, despite the extensive and unprecedented civil liberties dangers they pose to every American. The FAA, in new rules announced on Monday, made the authorization procedure easier, stating they have "streamlined the process" for "public agencies"—which includes local law enforcement—to legally operate drones in U.S. skies.
We know that dozens of law enforcement agencies already have drones, based on information from EFF’s Freedom of Information Act lawsuit over the FAA’s initial refusal to release the list of authorizations. And one of the biggest cities with a police department on the list was Seattle.
It turned out Seattle’s city council—which oversees the police department—was just as surprised as many citizens to see Seattle Police Department’s name on the list. The city council learned about the drones through a reporter asking questions related to EFF’s lawsuit, not through official channels. After front page stories in the Seattle Times and an official apology from the Seattle police department, Seattle is now the first city to consider privacy safeguards for drone use by law enforcement.
The ACLU of Washington has asked the city council to pass a legally binding ordinance detailing "what kind of information can be collected, who can collect it, how the information can be used, and how long it can be kept," along with "an auditing process to make sure the policies are followed." The Seattle Times agreed. In an editorial written on May 6, the city’s largest paper urged city council to adopt "usage restrictions, image-retention limits, and regular audits and reviews of drones as a law-enforcement tool."
Seattle’s Police Department has already pledged drones would not be used for surveillance, and only "for situations like crime scene photography, missing person searches, and barricaded person scenarios." They’ve also indicated they would work with the FAA to develop privacy policies. But as the Seattle Times noted, privacy safeguards must be implemented by binding ordinance, "not by policy nods, promises and good intentions."
In a similar incident just yesterday, after the Shelby County, Tennessee sheriff’s office requested two drones as part of a $400,000 Homeland Security grant, the Shelby County Commission questioned the sheriff’s office on how they would be using the drones and asked them to draw up privacy guidelines. The sheriff’s office promptly withdrew its request for drones. But encouragingly, the commission is still pushing the sheriff’s office for privacy policies. As the Memphis Daily News reported, "several commissioners said they might still pursue setting some guidelines on the use of such surveillance through a memorandum of understanding with the sheriff’s office."
Responding to an EFF public records request, Miami-Dade County also released information about its drones earlier this week, which it bought using a grant from the Justice Department (DOJ).
The FAA itself estimates that there may be as many as 30,000 drones in the US by the year 2020, and with the loosened restrictions coupled with the Department of Homeland Security and DOJ issuing grants for local police forces to buy drones, it’s imperative that local governments act swiftly to ban surveillance drones outright or institute robust safeguards for their citizens. Americans cannot afford to wait for the FAA or Congress to act.
Does your local police department own and operate a drone? Check out our interactive map here to find out.
EFF would also like your help. In the coming days, we’re going to announce a crowd-sourcing campaign aimed at finding out as much information as possible on each law enforcement agency’s use of drones and how citizens can voice their concerns to their local governments. Right now, if you have any information on how your local law enforcement plans to use drones, email dronesinfo@eff.org. You can get this information by calling your local police department.
And stay tuned for more, as we plan on announcing a detailed campaign soon.







