Archive for November, 2006

Wednesday, November 29th, 2006

EFF Fights to Shield Email from Secret Government Searches.

Email Deserves Same Constitutional Protections as Phone Calls, Postal Mail

San Francisco - The government must have a search warrant before it can search and seize emails stored by email service providers, according to a friend-of-the-court brief filed last week by the Electronic Frontier Foundation (EFF) and a coalition of civil liberty groups. EFF filed the brief in support of a landmark district court decision finding that the federal Stored Communications Act (SCA) violates the Fourth Amendment by allowing secret, warrantless searches and seizures of email stored with a third party.

EFF’s amicus brief was filed in Warshak vs. United States, a case brought in the Southern District of Ohio federal court by Steven Warshak to stop the government’s repeated secret searches and seizures of his stored email using the SCA. The district court ruled that the government cannot use the SCA to obtain stored email without a warrant or prior notice to the email account holder. The government, which has routinely used the SCA over the past 20 years to secretly obtain stored email without a warrant, appealed the decision to the 6th U.S. Circuit Court of Appeals. That court is now primed to be the first circuit court ever to decide whether email users have a “reasonable expectation of privacy” in their stored email.

“Email users clearly expect that their inboxes are private, but the government argues the Fourth Amendment doesn’t protect emails at all when they are stored with an ISP or a webmail provider like Hotmail or Gmail,” said EFF Staff Attorney Kevin Bankston. “EFF disagrees. We think that the Fourth Amendment applies online just as strongly as it does offline, and that your email should be as safe against government intrusion as your phone calls, postal mail, or the private papers you keep in your home.”

The EFF brief was also signed by the American Civil Liberties Union, the ACLU of Ohio, and the Center for Democracy and Technology.

For the full amicus brief:
http://eff.org/legal/cases/warshack_v_usa/warshack_amicus.pdf

Contact:

Kevin Bankston
Staff Attorney
Electronic Frontier Foundation
bankston@eff.org

[EFF: Breaking News]

Wednesday, November 29th, 2006

Google Now Gets Purchasing Data, Too.

With their recent push to get the citizens of Planet Google to start using Google Checkout, Google’s growing infrastructure of dataveillance now includes purchasing data. From Google Checkout’s privacy policy:

  • Registration information - When you sign up for Google Checkout, we ask for your personal information so that we can provide you with the service. The information we require to register for the service includes your name, credit or debit card number, card expiration date, card verification number (CVN), address, phone number, and email address. For sellers, we also require you to provide your bank account number, and in some situations, your personal address, your business category, your taxpayer identification number or social security number, and certain information about your sales or transaction volume. This information allows us to process payments and protect users from fraud. In some cases, we may also ask you to send us additional information or to answer additional questions to help verify your information. The information we collect is stored in association with your Google Account.
  • Information obtained from third parties - In order to protect you from fraud or other misconduct, we may obtain information about you from third parties to verify the information you provide. For example, we may use card authorization and fraud screening services to verify that your credit or debit card information and address match the information that you provided to us. Also, for sellers, we may obtain information about you and your business from a credit bureau or a business information service such as Dun & Bradstreet.
  • Transaction information - When you use Google Checkout to conduct a transaction, we collect information about each transaction, including the transaction amount, a description provided by the seller of the goods or services being purchased, the names of the seller and buyer, and the type of payment used.

John Battelle has much more.

[michaelzimmer.org]

Wednesday, November 29th, 2006

YouTube and Shifting Norms of Public/Private.

The theory of “privacy as contextual integrity” provides the tools for considering how the introduction of new technologies/practices within a particular context might disrupt norms of information flow, potentially threatening values of privacy, autonomy, or liberty. It is especially useful when considering subtle shifts in information flows that flirt with the boundaries between public & private spheres, such as driving along the highway, having your photo taken in public, or providing information on social network sites such as Facebook.

Another important sphere to consider within the framework of contextual integrity is the explosion of online video sharing sites such as YouTube. Michael Geist starts the conversation in this BBC essay on how private lives are increasingly exposed on net video sites, which concludes with concern about how the spread of these sites might affect our expectations of privacy:

As technology continues to evolve, it is unlikely that such measures will prove successful. With built-in video cameras on laptop computers, portable devices and cell phones, and widespread internet access, the clip culture is rapidly morphing from bits of favourite television shows to videos of our friends, neighbours, and even ourselves.

Rather than banning the technology, we must instead begin to grapple with the implications of these changes by considering the boundaries between transparency and privacy. As our expectations of the availability of video changes, so too must our sense of the video rules of the road.

There is important work to be done in this area…after the dissertation.

[via Pogo Was Right]

[michaelzimmer.org]

Wednesday, November 29th, 2006

EFF Accepts Barney’s Surrender.

Purple Dinosaur Backs Off and Pays Up; Free Speech Rights Preserved

San Francisco - The corporate owners of the popular children’s television character Barney the Purple Dinosaur have agreed to withdraw their baseless legal threats against a website publisher who parodied the character and to compensate him for fees expended in defending himself.

The agreement settles a suit filed by the Electronic Frontier Foundation (EFF) in August on behalf of Dr. Stuart Frankel against Lyons Partnership, owners of the Barney character. Frankel received repeated, meritless cease-and-desist letters from Lyons, claiming his online parody violated copyright and trademark law. EFF’s suit asked the court to declare that Frankel’s parody was a noninfringing fair use protected by the First Amendment.

“We wish we hadn’t had to file a lawsuit to finally get Barney’s lawyers to stop harassing a man who was just expressing his opinion about a cultural phenomenon,” said EFF Staff Attorney Corynne McSherry. “Hopefully Lyons Partnership has learned its lesson and will have more respect for fair use in the future.”

This settlement is the latest development in EFF’s ongoing campaign to protect online free speech from the chilling effects of bogus copyright claims. Earlier this month, EFF filed suit against Michael Crook — a man who claimed copyright infringement in an effort to censor his online critics.

“Those who misuse copyright should know that they can be sued for doing so,” said McSherry. “This settlement should send a message to those who want to use copyright law as a pretext for censorship.”

EFF was assisted in this case by Elizabeth Rader, James d’Auguste, and Brian Carney, attorneys with the firm of Akin, Gump, Strauss, Hauer & Feld LLP, which is defending Dr. Frankel’s free speech rights on a pro bono basis.

For the original complaint:
http://www.eff.org/legal/cases/barney/frankel_v_lyons_complaint.pdf

For more on Barney’s copyright abuses:
http://www.eff.org/legal/cases/barney/

Contacts:

Corynne McSherry
Staff Attorney
Electronic Frontier Foundation
corynne@eff.org

Fred von Lohmann
Senior Intellectual Property Attorney
Electronic Frontier Foundation
fred@eff.org

[EFF: Breaking News]

Wednesday, November 29th, 2006

After months of pressure from Congressional Democrats, the Justice Department’s inspector general said Monday that his office had opened a full review into the department’s role in President Bush’s domestic eavesdropping program and the legal requirements governing the program.

Democrats said they saw the investigation as a welcome step that could answer questions about the operations and legal underpinnings of the program, which allows the National Security Agency to monitor, without obtaining court warrants, the international communications of Americans and others inside this country with suspected terrorist ties.

“This is a long overdue investigation of a highly controversial program,” said Representative John Conyers Jr., the Michigan Democrat who will take over as chairman of the House Judiciary Committee.

Wednesday, November 29th, 2006

Groups Urge Court to Give E-mail Full Constitutional Protection. Last week, CDT and the ACLU joined a friend-of-the-court brief written by the Electronic Frontier Foundation, urging a federal appeals court to extend to e-mail the same constitutional protection accorded to telephone calls and regular mail. Remarkably, the constitutional status of e-mail has never been decided, and the Justice Department claims that opened e-mail and older stored e-mail can be obtained from service providers without a court order and without notice to the e-mail user. In the case, Warshak v. U.S., a lower federal court ruled that government agents could not force disclosure of email from a service provider unless they provided the relevant subscriber notice and an opportunity to object. [Center for Democracy and Technology]

Wednesday, November 29th, 2006

Apple Patches 31 Security Holes.

Apple Computer today released software updates to fix at least 31 separate security flaws in computers powered by different versions of its Mac OS X operating systems. Users can download the free updates using OS X’s Software Update feature, or directly from Apple Downloads.

The first update listed in Apple’s advisory addresses a problem with the built-in wireless cards on certain Mac systems that researcher HD Moore detailed earlier this month and which can be exploited by attackers to install malicious software. Apple said the vulnerability is present in eMac, iBook, iMac, PowerBook G3, PowerBook G4, and Power Mac G4 systems equipped with an original AirPort card; systems with the AirPort Extreme card are not affected.

Other fixes released today mend easily exploitable conditions, such as bugs that attackers could use to install malicious code just by convincing the user to visit a specially crafted site or font files. Among the many other updates included in this bundle are fixes for ClamAV (an antivirus program) for Mac OS X Server, as well as those to mend a slew of problems with the OS X utility used to unzip compressed files.

[Security Fix]

Wednesday, November 29th, 2006

With Fans Like These….

Achieving celebrity in the Internet age can be fraught with complications and, sometimes, lead to some downright creepy situations. First, there were the hackers who gained access to Hollywood socialite Paris Hilton’s cell phone and voice mail messages in 2005, an exploit that led to the online posting of nude photos of the hotel heiress. Now comes news that an apparently obsessed fan of the rock band Linkin Park is accused of hacking into Verizon’s computer system to obtain private information and records of the group’s lead singer and his family.

According to documents posted online at FindLaw, 27-year-old Albuquerque resident Devon Townsend has admitted using her employer’s computer — a machine assigned to the Department of Energy on a U.S. Air Force base in New Mexico — to hack into Verizon’s network and obtain private records on Chester Bennington and his wife Talinda. The government also alleges that Townsend used the access to compromise the Benningtons’ PayPal account and to steal photographs of the couple and their children. According to court documents, the Benningtons were tipped off to the compromise when they discovered that their Verizon and PayPal account passwords had been changed to “Who is doing this to you?”

In addition, Townsend is accused of making telephone threats against the Bennington family and of selling bootlegged and pirated copies of Linkin Park recordings.

The government executed a search warrant on Townsend’s residence in mid-November, where they found “posters of Linkin Park members, signed Linkin Park memorabilia, pictures of Townsend taken with Chester Bennington, bootlegged music and video DVDs, concert schedules, copies of messages from Talinda and Chester’s e-mail accounts, intercepted photographs from Talinda and Chester’s e-mail accounts, and other items.” After being confronted with the evidence against her, Townsend confessed to the whole ordeal, according to government documents.

Findlaw has 18 pages of more delicious details from this case in a filing here.

[Security Fix]

Wednesday, November 29th, 2006

Boarding Pass Hacker Breaks Silence.

Chris Soghoian, the Indiana University doctoral student whose online demonstration of serious flaws in airport security prompted an FBI investigation, broke his silence this week after the government terminated its investigation into the matter.

Soghoian had refused to talk to the media ever since the FBI visited his home in Bloomington, Ind., on Oct. 27 and carted away computers and other equipment. The federal action came in response to Soghoian’s decision to post a tool on his Web site that would allow someone to print a fake boarding pass that could be used to evade the “no-fly” list — a key government tool in keeping suspected terrorists off of airplanes.

In an interview with Security Fix on Saturday, Soghoian said he was ready to set the record straight now that the FBI had ended its investigation and the local U.S. attorney had declined to press charges. A spokesperson for the FBI’s Indianapolis field office confirmed that the investigation was closed on Nov. 14.

Soghoian’s boarding pass generator highlighted a loophole in the Transportation Security Administration’s policy for screening passengers against the no-fly list. The problem is that boarding passes are compared to a person’s ID only at initial airport security checkpoints, not at the gates where passengers board planes. And the boarding passes are scanned and verified only at departure gates, not security checkpoints.

In discussing the tool that he created, Soghoian said that even if the TSA plugged the security loophole — by requiring ticket readers at the initial terminal security checkpoint and integrating the no-fly list with every airline’s computer systems — the current legal status of the TSA’s policy allows anyone to refuse to show ID at check-in if they consent to additional screening.

“Everyone focused on this issue of fake boarding passes, but no one touched on the issue of a person [telling airline security screeners] that they don’t have any ID on them,” Soghoian said.

To help put Soghoian’s point in perspective, consider the case of John Gilmore, co-founder of the Electronic Frontier Foundation. In 2002, Gilmore refused to show his ID while checking in for a cross-country flight. He was told he could fly if he agreed to a “secondary screening,” which he also refused. Gilmore said he was told that there were security directives that mandated the showing of ID, but that he was not allowed to view said rules.

Gilmore later sued the government to gain access to the rules. The case wound its way up to the 9th Circuit Court of Appeals, which privately viewed the rules and decided that airline passengers could either present identification OR opt to be subjected to a more extensive search.

[Security Fix]