Thursday, November 12, 2009

EFF Battles US Government Over Efforts to Subpoena Info on Left Wing Site's Visitors

Now here's one of those "holy crap there really is a Big Brother" type stories. Apparently my friends at the Electronic Frontier Foundation (EFF) have been tangling with the US Government over its efforts to subpoena the IP address of every visitor to a left-leaning political website called IndyMedia.us. But that's not all: the grand jury subpoena also required the site "not to disclose the existence of this request" unless authorized by the Justice Department.

Just what in the hell is going on here? And what does it say about online journalism and privacy rights? One problem with this government subpoena is that it's illegal. It's also disturbing and, how can one say it, "antithetical to the founding principles of our country"!

Before you start thinking "Oh no, another Obama Administration betrayal" let me point out that the subpoena from U.S. Attorney Tim Morrison was filed on June 25, 2008...during the good ole' Constitution burning Bush years.

A report published by EFF describes how these U.S. attorneys issued a federal grand jury subpoena to Indymedia.us administrator Kristina Clair demanding “all IP traffic to and from www.indymedia.us” for a particular date, potentially identifying every person who visited any news story on the Indymedia site.

Among other things, it instructed Clair to "include IP addresses, times, and any other identifying information," including e-mail addresses, physical addresses, registered accounts, and Indymedia readers' Social Security Numbers, bank account numbers, credit card numbers, and so on.

After talking to other Indymedia volunteers, Clair ended up calling the Electronic Frontier Foundation in San Francisco, which represented her at no cost.

EFF Senior Staff Attorney Kevin Bankston explains that this overbroad demand for internet records not only violated federal privacy law but also violated Clair’s First Amendment rights, by ordering her not to disclose the existence of the subpoena without a U.S. attorney’s permission. Other problems with the subpoena include that it was not personally served, that a judge-issued court order would be required for the full logs, and that Indymedia did not store logs in the first place.

As Bankston notes, "Because Indymedia follows EFF’s Best Practices for Online Service Providers and does not keep historical IP logs, there was no information for Indymedia to hand over, and the government withdrew the subpoena. However, as the report describes, that wasn’t the end of the tale: Ms. Clair wanted EFF to be able to tell the story of the subpoena and shine a light on the government’s illegal demand, yet the subpoena ordered silence. Under pressure from EFF, the government admitted that the subpoena’s gag order had no legal basis, and ultimately chose not to go to court to try to force Ms. Clair’s silence despite earlier threats to do so."

Bankston then sums up why this story is important:

This story is an important example of how government abuses breed in secrecy, and an argument for Congress to step in and require meaningful reporting about how the government uses its surveillance authorities. How often does the government attempt such illegal fishing expeditions through internet data? How many online service providers have received similarly bogus demands, and handed over how much data, violating how many internet users’ privacy? How many of those subpoena recipients have been intimidated into silence by unconstitutional gag orders?

...until Congress exerts stronger oversight, we can’t know, except in those occasional instances where a brave online service provider steps up, pushes back, and tells the world. We encourage other online service providers to follow the example of Indymedia.us and Kristina Clair by standing up for their users' rights when the government secretly overreaches. If you're an ISP, a web host, an email provider, an app developer, a Web 2.0 start-up or any other kind of online service provider and you receive a government demand for your users' data, please call a lawyer. If you don't have a lawyer, call EFF.

As noted by CBS News, this is not the first time that the Feds have focused on the liberal Indymedia Web site that hosts a myriad of activist writers and advocates. In 2004, the Justice Department sent a grand jury subpoena asking for information about who posted lists of Republican delegates while urging they be given an unwelcome reception at the party's convention in New York City that year. An Indymedia hosting service in Texas once received a subpoena asking for server logs in relation to an investigation of an attempted murder in Italy.

The fact that the government is actively targeting liberal media sites should be a concern to everyone.

For a full fleshing out of this story, the EFF report is the place to go. For those without the time to read it all, here is the closing summation entitled "Closing Lessons":

The experience of Ms. Clair in dealing with the subpoena for Indymedia's logs brings with it several lessons — not only for online service providers but also for the average Internet user, Americans who care about civil liberties, and Congress.

The first lesson is for the average Internet user: yes, your IP address can be and typically is logged by the online services that you use, and yes, the government can obtain those logs, sometimes with only a subpoena issued directly by a prosecutor. If you want to anonymize your IP address to prevent the violation of your online privacy, you can use anonymizing software such as "Tor". You can find out more about Tor and how it works in this section of EFF's Surveillance Self-Defense Manual and at http://www.torproject.org/.

For online service providers, the second lesson is straightforward, and one that EFF has highlighted both in its "Best Practices for Online Service Providers" and its Surveillance Self-Defense manual: if you don't have it, they can't get it. When providers avoid keeping unnecessary Internet logs, responding to subpoenas and other legal demands for such information becomes very simple: "Sorry, but we don't keep those logs and so we don't have any information that's responsive to this subpoena."

The third lesson, again for providers, is that they can and should seek legal advice when they receive legal demands for information. Without a lawyer's advice, providers may hand over data that the government isn't legally entitled to or that the provider is legally forbidden from disclosing, and may be cowed into silence by bogus gag demands.

For example, assume that the subpoena in this case had been served on a service that did keep logs of site visitors' IP addresses. Without advice from counsel like EFF, the recipient would not have known that the request, purportedly based on the SCA, actually violated the SCA, and that providing the information to the government could have created liability for the service provider.

Nor would the provider have understood that the subpoena's purported requirement of secrecy was actually an unenforceable request, or that if there was a gag order it could be challenged in court on First Amendment grounds. Absent advice from a lawyer, the provider's unquestioning silence would unnecessarily add to the growing fog of secrecy that surrounds the government's practices in this area.

This leads to our fourth and final lesson, for members of Congress and their constituents: the level of secrecy surrounding how the government uses its surveillance authority under the Stored Communications Act encourages abuses. Sunlight is the best disinfectant, and the best protection against such abuses is more clarity and transparency when it comes to how the SCA is used. Americans who care about civil liberties should press Congress to update the SCA to further clarify what it does and does not authorize, and to require detailed public reporting about how the statute is used, just like the federal wiretap statute requires annual reports on law enforcement's wiretapping activities.

Without such reform, we may never know how often the government issues unlawful demands like the one described here, or how often providers secretly comply with those demands. The government must be held accountable for its uses — and abuses — of its surveillance authority, and with your and Congress' help, it can be held to account.

Until that day, EFF continues to stand ready to provide assistance the next time the government knocks on someone's door with an unlawful, invalid, overbroad, free speech-threatening, privacy-invasive demand for your sensitive Internet data.

Click here to read the report in its entirety.

For now I'll just send my personal thanks to EFF for their outstanding work!
