Tag Archives: privacy

ARL Disappointed in Senate’s Passage of Flawed Cybersecurity Bill

On October 27, 2015, the U.S. Senate voted 74-21 to pass the flawed Cyberinformation Sharing Act (CISA), a slightly modified version from the bill that passed the House of Representatives earlier this year.  CISA, which purports to protect against data breaches, actually raises serious privacy concerns.  In passing CISA, the Senate unfortunately voted against a number of proposed amendments which would have strengthened user privacy.

Among other concerns, CISA will allow companies to expand monitoring of their users’ online activities and permits sharing of vaguely defined cybersecurity threats without adequate privacy safeguards.  It authorizes law enforcement that goes far beyond the scope of cybersecurity.

The Senate and House will now need to conference to resolve the differences between the two versions that passed.

 

New Advocacy and Policy Update Available

The latest ARL Advocacy and Policy Update (covering mid-August to the beginning of October) is now available.  Previous Advocacy and Policy Updates can be found here.

From the current update’s summary:

With its return from an August recess, the US Congress faces several controversial must-pass bills and other divisive issues with little time to spare prior to the passage of a short-term funding measure for the US Government as the Government’s fiscal year ended on September 30. A short-term funding bill that will fund the Government through mid-December was approved in lieu of another Government shutdown.

The US Senate continues to press ahead for passage of the Fair Access to Science and Technology Research Act (FASTR), a bill to codify the Office of Science and Technology Policy’s 2013 memorandum regarding public access to federally funded research.

The White House is building a pool of prospective candidates for the Librarian of Congress position. With James Billington’s retirement at the end of September, the White House has been reaching out to stakeholders, including ARL, for their input and recommendations. Legislation has been introduced in the Senate to limit the term of the Librarian of Congress to 10 years.

Copyright has been an active area over the past six weeks. Members of the House Judiciary Committee are poised to introduce several bills regarding the future of the US Copyright Office— determining the office’s authority and whether it will remain in the Library of Congress. This may be the first issue that the House considers as it continues its review of the Copyright Act for possible reform. A court ruled that Warner/Chappell Music does not hold a valid copyright to the “Happy Birthday” song lyrics, and there were two positive fair use decisions in Lenz v. Universal and Katz v. Google. The Library Copyright Alliance filed comments on the Copyright Office Notice of Inquiry on Extended Collective Licensing, and the 1201 Digital Millennium Copyright Act rulemaking is still underway.

ARL participated in a number of amicus briefs on a variety of issues. ARL, the American Library Association, Association of College and Research Libraries, and Chief Officers of State Library Agencies filed an amicus brief in support of the Federal Communications Commission’s Open Internet Order protecting network neutrality. ARL also joined in an amicus brief in the case Wikimedia v. National Security Agency (NSA), challenging warrantless surveillance and invoking the First Amendment’s protection of privacy.

Congress continues to consider reform of the Electronic Communications Privacy Act, or ECPA and there is widespread support in the House for such reform.

The US Supreme Court has agreed to rehear Fisher v. University of Texas at Austin, a case involving the University of Texas (UT) admissions process, which seeks to improve student body diversity.

On the international front, several additional countries have ratified the Marrakesh Treaty to Facilitate Access to Published Works for Persons Who Are Blind, Visually Impaired, or Otherwise Print Disabled, with Canada moving closer to ratification of the treaty. Another meeting took place in late September–early October to finalize the Trans-Pacific Partnership Agreement, a large, regional, trade agreement among 12 countries including Canada and the US. Finally, the “right to be forgotten” online has been upheld in Europe, and French regulators declared that search engines must apply the right to be forgotten across all domains, not just in France or Europe.

Senate Judiciary Committee Hearing on ECPA Reform

Today, September 16, 2015, the Senate Judiciary Committee will host a hearing on “Reforming the Electronic Communications Privacy Act.”  The Electronic Communications Privacy Act (ECPA) was passed in 1986 and is badly in need of reform.  The law has not kept pace with evolving technologies and denies important privacy protections for electronic communications, allowing agencies to access documents or communications stored online that are older than 180 days without a warrant.  This outdated law has led to an absurdity that affords greater protection to hard copy documents than digital communication.

As libraries and universities move services into the cloud and more communications take place online, it is critical that Fourth Amendment protect information long considered to be private—including what individuals are reading or researching, and to whom they are talking—even in the digital world. The growth of the Internet has launched new forms of communications and changed the way individuals interact since ECPA’s enactment in 1986. ECPA reform would require warrant for content, extending Fourth Amendment protections to online documents.

The ECPA reform bill in the House of Representatives, known as the Email Privacy Act and introduced by Representatives Yoder (R-KS) and Polis (D-CO) currently has 292 co-sponsors, representing an overwhelming majority.   The Senate version, known as the Electronic Communications Privacy Act Amendments Act also has bipartisan support, was introduced by Senators Lee (R-UT) and Leahy (D-VT) and currently has 23 co-sponsors.  Today, the full Senate Judiciary Committee will consider what reforms to ECPA are necessary, with two panels.  The first panel will consist of government witnesses from the Department of Justice, Securities and Exchange Commission and the Federal Trade Commission.  The second panel has four witnesses representing the Tennessee Bureau of Investigation, Google, the Center for Democracy and Technology and BSA | The Software Alliance.

Twenty-nine years after ECPA’s passage, reform is long overdue.  Congress should bring these bills to a vote and pass ECPA reform to ensure that 4th Amendment rights are preserved in today’s digital world.  Hopefully, today’s Senate hearing is a step toward moving ECPA reform forward.

 

ARL Joins Amicus Brief in Surveillance Case, Wikimedia v. NSA

On September 3, 2015, ARL joined an amicus brief with other library associations and bookseller associations in Wikimedia v. NSA, a case that challenges warrantless surveillance.  The amicus brief, authored by the Electronic Frontier Foundation, was also signed on to by the American Booksellers Association, the American Library Association, the Freedom to Read Foundation, and the International Federation of Library Associations and Institutions.

The brief explains that the First Amendment is a broad guarantee that includes the ability to distribute and receive information, and to freely and privately associate.  Libraries have long advocated for and protected patron privacy, and the brief points out the importance of patron confidentiality including in the digital age.

The brief points out that protecting reader privacy is critical:

Providers of books and reading material such as libraries and booksellers are often uniquely positioned to assert readers’ First Amendment rights. Readers change or curtail their reading if they fear government scrutiny of their behavior, especially where the intrusion concerns reading material that is personally embarrassing, politically controversial, or otherwise revealing.

[…]

The resulting inhibition of expressive activity is not hypothetical: patrons care deeply about their intellectual privacy and avoid situations where they cannot preserve it. In Subpoena to Kramerbooks, the D.C. district court found that as a result of a grand jury subpoena for a patron’s book purchases, “[m]any customers have informed Kramerbooks personnel that they will no longer shop at the bookstore because they believed Kramerbooks to have turned documents over . . . that reveal a patron’s choice of books.” 26 Media L. Rep. (BNA) at 1601. Similarly, when the owner of the Tattered Cover bookstore challenged a search warrant for a customer’s purchase history, she testified she received an “‘enormous amount of feedback’ from customers about this case, including over one hundred letters from customers in support of the Tattered Cover’s position.” Tattered Cover, 44 P. 3d at 1050.

Additionally, the brief notes the rise in digital communications and interactions.  It emphasizes that the First Amendment rights apply in the digital world:

Just as libraries and booksellers have standing to challenge law enforcement access to patron records in the physical world so, too, do they have standing to challenge unwarranted access to digital records. Just as government intrusion on the freedom of inquiry causes First Amendment injury in the physical world so, too, does government surveillance cause injury in the digital world . . . By sweeping in and searching vast amounts of Internet traffic, upstream surveillance encroaches on the sensitive interactions between libraries and booksellers and their patrons—interactions that, as shown above, these entities have historically taken great pains to protect.

The full brief can be accessed here.

 

New Advocacy and Policy Update: August 14, 2015

A new ARL Advocacy and Policy Update, covering mid-June to mid-August is now available here.  Prior updates can be accessed here.

The summary and contents from the current Advocacy and Policy Update are reproduced below:

Summary

The US House of Representatives began the summer recess on July 30th, and the US Senate adjourned on August 6th with both reconvening on September 8th. September and October promise to be very busy months as both chambers must act on the FY 2017 appropriations bills, highway trust fund, debt ceiling, and many other issues. It is also hoped that there will be a deal to increase the spending limits under sequestration, which higher education institutions and others have long advocated for.

Much of the activity related to copyright has centered around the Copyright Office. Congressional offices continue to explore and discuss ways to modernize the Copyright Office, including various proposals to move the Copyright Office out of the Library of Congress. Additionally, the Copyright Office has issued notices of inquiries that relate to orphan works, mass digitization, visual works, and extended collective licensing.

There have been positive developments with respect to open access, open educational resources, and open data. The Obama Administration released science and technology priorities for FY 2017, which note that “preserving and improving access to scientific collections, research data, other results of federally funded research, open datasets and open education resources should be a priority for agencies.” The FASTR Bill to enhance public access to research was approved unanimously by the US Senate Committee on Homeland Security and Governmental Affairs.

Privacy and surveillance concerns continue as Congress is considering cybersecurity legislation that raises serious issues for privacy and civil liberties. Litigation around net neutrality is in full swing, with the briefs of telecommunications companies opposing the FCC’s net neutrality rules filed in July.

Finally, ARL continues to promote a simple and quick ratification of the Marrakesh Treaty. Currently, 10 countries have ratified the Treaty, and 10 more are needed for it to enter into force.

Contents

Copyright and Intellectual Property

  • Proposal to “Modernize” the Copyright Office
  • Copyright Office Notice of Inquiry on Visual Works
  • Copyright Office Notice of Inquiry on Mass Digitization and Extended Collective Licensing
  • House Judiciary Committee’s Copyright Review

Open Access, Open Educational Resources, and Open Data

  • Obama Administration Releases Science and Technological Priorities for FY 2017
  • Coalition Calls on White House to Open Up Access to Federally Funded Educational Resources
  • FASTR Bill to Enhance Public Access to Research Approved by US Senate Committee
  • National Technical Information Service (NTIS)

Update Appropriations

Draft Bill Would Eliminate NHPRC

Privacy and Surveillance

  • Cybersecurity Legislation
  • Electronic Communications Privacy Act Reform

Telecommunications

  • Net Neutrality Litigation

International Treaties

  • Trans-Pacific Partnership Agreement
  • Marrakesh Treaty

Coalition Asks President Obama to Pledge to Veto Cybersecurity Information Sharing Act (CISA)

Congress is currently considering the Cybersecurity Information Sharing Act of 2015 (CISA, S. 754), a bill that has serious implications for privacy and civil liberties.  While the bill purportedly is designed to strengthen cybersecurity, it contains significant flaws.  On Monday, July 27, ARL joined a coalition of organizations and security experts in sending a letter to President Obama asking for a pledge to veto CISA due to these concerns:

  • CISA fails to protect personal information.  CISA allows the sharing of vast amounts of personal data to be shared with government agencies.  It allows the sharing of personal and identifying information as a default measure.
  • CISA allows the use of information in investigations unrelated to cybersecurity.  CISA also allows for governments to use cyber threat indicators to investigate a wide range of crimes, including those that are not related to cybersecurity, such as robbery, arson, or trade secret violations.
  • CISA fails to maintain civilian control of domestic cybersecurity.  CISA would permit companies that operate in the civilian sector to share cyber threat indicators with any agency of the federal government, raising serious privacy concerns.
  • CISA permits countermeasures that could damage networks.  CISA would allow companies to deploy “defensive measures” or “countermeasures” that could damage networks that belong to innocent bystanders, even when they would otherwise be illegal under the Computer Fraud and Abuse Act.
  • CISA raises additional transparency concerns.  CISA would create a new exemption to the existing list of nine exemptions under the Freedom of Information Act (FOIA).

 

ARL Applauds Senate on Passage of USA FREEDOM Act

ARL is pleased that the Senate has passed the USA FREEDOM Act, without weakening provisions that protect privacy and civil liberties.  The USA FREEDOM Act prohibits the bulk collection that had been practiced by the National Security Agency and restores essential civil liberties. Passage of this bill is the first step forward in meaningful surveillance reform.  ARL looks forward to working with Congress on continued reforms to protect privacy and civil liberties.

Three Provisions of the PATRIOT Expire; Senate to Vote on USA FREEDOM Act This Week

*Edited to include a link to the Center for Democracy and Technology (CDT) in-depth analysis of Senator McConnell’s proposed amendments to the USA FREEDOM Act*

Today, three key provision of the PATRIOT Act expired, including Section 215, known as the “library records” or “business records” provision.  While the Senate voted 77-17 on late Sunday evening — just hours prior to the midnight expiration of Section 215 and other provisions — to move forward with a vote on the USA FREEDOM Act, a final vote will not come until later this week due to Senate rules requiring additional time for debate.  Senator Paul’s (R-KY) earlier filibuster of the USA FREEDOM Act, which he argued did not go far enough in protecting privacy and civil liberties, delayed the process enough to result in at least temporary sunset of three provisions of the PATRIOT Act.

Section 215 has been used by the National Security Agency (NSA) to conduct mass surveillance, including bulk collection of phone metadata.  The Second Circuit recently ruled that this bulk collection exceeded the authority granted by Section 215.

While the Senate will hold a vote on the USA FREEDOM Act later this week, passage in its current form is not assured.  Majority Leader McConnell (R-KY) has introduced four amendments, all of which would weaken the USA FREEDOM Act.  These amendments would 1) extend the transition period for agency compliance with the USA FREEDOM Act from 6 months to 12 months; 2) replaces the section creating an amicus curiae to the FISA court with one that is less effective; 3) substitute the USA FREEDOM Act in its current form, including a new notice requirement for data retention for companies that intend to retain call detail records for less than 18 months and; 4) substitute the USA FREEDOM Act with all of the above changes and also removes the provision regarding declassification of FISA court opinions.  The third and fourth amendments are complete substitutes of the House-passed version of the USA FREEDOM Act, essentially re-writing the bill with substantial amendments.  CDT has a great in-depth explanation of each amendment here.

Should any of these amendments be accepted, the House of Representatives would need to accept these changes before the bill can be sent to President Obama.  A number of Representatives have already criticized the USA FREEDOM Act as not going far enough to protect privacy and civil liberties and Senator McConnell’s amendments could be rejected in the House.

Efforts to weaken the USA FREEDOM Act, such as those advanced by Senator McConnell, should not be accepted.  The USA FREEDOM Act should be considered to be the bare minimum in a series of reforms to the NSA’s surveillance practices and efforts to change the bill should focus on strengthening, rather than weakening, protections for privacy.  Now that Section 215 and other provisions of the PATRIOT Act have expired, Congress must carefully consider what authorities it wants to grant the NSA and other federal agencies.  Congress is no longer considering extension or reauthorization of existing powers, but will be granting authority to federal agencies once again.  In doing so, ARL urges members of Congress to protect privacy and civil liberties in a meaningful way and ensure that the key protections advanced by the USA FREEDOM Act are not diminished.

ARL Joins Coalition Letter Opposing Two Flawed Surveillance Reform Bills

On Thursday, May 28, 2015, ARL joined a coalition of 51 companies, trade associations and civil society organizations to oppose the FISA Improvements Act of 2015, introduced by Senator Burr (R-NC), and the FISA Reform Act of 2015, introduced by Senator Feinstein (D-CA).  While these bills have been called a “backup plan” if the USA FREEDOM Act is not passed, it is clear that the two bills do not adequately address current surveillance practices and fail to protect privacy and civil liberties.

The letter points out that both bills fail to stop domestic bulk collection and would authorize a government-imposed data retention mandate on private businesses.  It also notes

. . . the FISA Improvements Act would permit domestic bulk collection b leaving unchanged the FISA Pen Register/Trap and Trace law, which was used for years to collect Internet metadata in bulk.  The bill explicitly leaves Section 215 of the PATRIOT Act unchanged for two years, despite recent public assurances by the NSA Director that a transition period longer than 180 days is not necessary.  In addition to this, the bill contains provisions that weaken whistleblower protections, expand surveillance power by granting the FBI The authority to obtain electronic communication transaction records without a court order, and make permanent provisions of the Patriot Act that are currently tied to a sunset date.

The letter concludes:

Section 215 of the PATRIOT Act is set to expire at 12:00am on June 1.  No legislation has passed the Senate, despite a clear demand for surveillance reform.  These proposals are unviable, ineffective and do not offer a path forward.  We strongly urge against consideration of the FISA Improvements Act or the FISA Restoration and Reform Act.

The Center for Democracy and Technology (CDT) has great one-pagers explaining the flaws of Senator Burr’s bill and Senator Feinstein’s bill.

Court of Appeals Issues Landmark Ruling Against NSA Bulk Collection Practices

On May 7, 2015, the Court of Appeals for the Second Circuit ruled on the legality of the National Security Agency’s (NSA) bulk collection of telephone metadata. In a unanimous opinion, the court ruled that the NSA’s bulk collection of telephone records exceeds the authority granted under Section 215 of the USA PATRIOT Act, also known as the “library records” or “business records” provision.

The Second Circuit begins by recognizing that while telephone metadata does not reveal the content of the calls, this fact “does not vitiate the privacy concerns arising out of the government’s bulk collection of such data’ which can reveal a “startling amount of detailed information.” Telephone metadata

might reveal that an individual is: a victim of domestic violence or rape; a veteran; suffering from an addition of one type or another; contemplating suicide; or reporting a crime. Metadata can reveal civil, political, or religious affiliations; they can also reveal an individual’s social status, or whether and when he or she is involved in intimate relationships.

The court also notes that the more metadata collected, the more it can reveal private information.

The court then turned to the facts of the case and summarized the background of the NSA’s bulk collection practices. The NSA has conducted bulk collection of telephone metadata under Section 215 since at least May 2006. The government had collected the data and made “queries” on particular phone numbers that it believed to be associated with a foreign terrorist organization, as well as three “hops,” meaning that the contacts of the contacts of contacts of the original number queried were also looked at. In January 2014, the government limited the number of “hops” from three to two. Additionally, the government required a Foreign Intelligence Service Act Court (FISC) to make a determination that a reasonable articulable suspicion standard had been met, rather than allowing designated NSA officials to determine whether this suspicion existed. The Privacy and Civil Liberties Oversight Group concluded in a 2014 report that the NSA’s program “was inconsistent with §215, violated the Electronic Communications Privacy Act, and implicated privacy and First Amendment concerns.”

After finding that the plaintiffs in the case had standing and the court was not precluded from hearing the case, the Second Circuit turned to the merits of the case and focused on the argument that the program exceeded the authority granted to the government by Section 215.

Section 215 permits the government to apply for “an order requiring the production of any tangible things” provided that they are “relevant to an authorized investigation (other than a threat assessment) . . . to protect against international terrorism or clandestine intelligence activities.” The Second Circuit ruled that while Section 215 “sweeps broadly,” the NSA practices ignore the provision’s statutory limits.

First, while the Second Circuit agreed that the “relevance” standard is generous and Section 215’s use of the term is analogous with the term “relevance” used in the context of a grand jury subpoena, this term is not without its limits. With the NSA’s current bulk collection practices, “The records demanded are all-encompassing; the government does not even suggest that all of the records sought, or even necessarily any of them, are relevant to any specific defined inquiry.” The government argued that the records are “relevant” because they may allow the NSA to identify information that is relevant in the future, but “such an expansive concept of ‘relevance’ is unprecedented and unwarranted.” The court summarizes the government’s argument that “there is only one enormous ‘anti-terrorism’ investigation and that any records that might ever be of use in developing any aspect of that investigation are relevant to the overall counterterrorism effort.”

The Second Circuit points out that warrants and subpoenas for other programs are limited to particular individuals or corporations under investigation as well as specific time periods in stark contrast to the NSA’s program which do not have similar limits:

The records demanded are not those of suspects under investigation, or of people or businesses that have contact with such subjects, or of people or businesses that have contact with others who are in contact with the subjects – they extend to every record that exists, and indeed to records that do not yet exist, as they impose a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis as they are created. The government can point to no grand jury subpoena that is remotely comparable to the real-time data collection undertaken under this program.

The Second Circuit further notes that term relevant “does not exist in the abstract” and that “§215 does not permit an investigative demand for any information relevant to fighting the war on terror, or anything relevant to whatever the government might want to know.” Instead, it applies only to documents “relevant to an authorized investigation.” Allowing the NSA’s practices to proceed would “require a drastic expansion of the term ‘relevance.’”

Section 215 not only limits collections to what is relevant to an authorized investigation, but also provides that such investigation must not be a “threat assessment.” Thus, the court states, “Congress clearly meant to prevent §215 orders from being issued where the FBI, without any particular, defined information that would permit the initiation of even a preliminary investigation sought to conduct an inquiry to identify a potential threat in advance.” The NSA’s practices are “‘irreconcilable with the statute’s plain text.’”

Turning to the argument that Congress “ratified” the NSA’s practices by reauthorizing Section 215 in 2010 and 2011, the court noted that “Congressional inaction is already a tenuous basis upon which to infer much at all, even where a court’s or agency’s interpretation is fully accessible to the public . . .But here, far from the ordinarily publicly accessible judicial or administrative opinions that the presumption contemplates, no FISC opinions authorizing the program were made public prior to 2013.” Thus, “Congress cannot reasonably be said to have ratified a program of which many members of Congress – and all members of the public – were not aware.” The Second Circuit rejected the argument that Congress “ratified” the bulk collection practices because “these circumstances would ignore reality . . . it is a far stretch to say that Congress was aware of the FISC’s legal interpretation of §215 when it reauthorized the statute in 2010 and 2011.”

Finding that the program was not permitted under Section 215, the Second Circuit declined to rule on whether the NSA’s bulk collection also violated the Fourth Amendment. The court does, however, point to the “seriousness of the constitutional concerns.” It also notes that Congress has been debating the program and that a new version of the USA FREEDOM Act has been introduced into the U.S. House of Representatives and Senate but, “we do not purport to express any view on the constitutionality of any alternative version of the program.”