Julian Sanchez's Techdirt Profile


Posted on Techdirt - 17 March 2016 @ 08:33am

How Apple Could Lose By Winning: The DOJ's Next Move Could Be Worse

Since the conflict over smartphone security, long simmering between Apple and the FBI, burst into the headlines last month, many of us who advocate for strong encryption have watched the competing legal arguments advanced by the parties with a certain queasiness. Many of the arguments on Apple’s side—whether offered by the company itself or the myriad groups who have weighed in with friend-of-the-court briefs—have turned critically on the government’s unprecedented invocation of the hoary All Writs Act to compel the company to write and authenticate a novel piece of software effectively dragooning Apple engineers into government service.

But there has always been an obvious alternative—a way to achieve the FBI’s aim of circumventing iPhone security features without requiring any Apple employees to write a line of new code: the Lavabit Option.

That is, instead of asking Apple to create a hacking tool that would permit the FBI to attempt to brute-force a phone’s passcode without triggering escalating delays between guesses or deletion of encrypted data, they could simply demand that Apple turn over the source code and documentation the FBI would need to develop its own custom version of the iOS boot ROM, sans security features. Then, they require Apple to either cryptographically sign that code or provide the government with access to its developer credentials, so that the FBiOS can run on an iPhone.

That hypothetical possibility is raised explicitly by the Justice Department in a footnote to its most recent motion in its ongoing litigation with Apple, which explains that the FBI had not gone that route because it “believed such a request would be less palatable to Apple.” Having tried it the easy way, the FBI suggests it’s happy to do things the hard way: “If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers.”

The government follows up with a citation to the Fourth Circuit’s ruling in the now-infamous Lavabit case. Because the secure e-mail service Lavabit maintained minimal logs of user metadata, the government had obtained an order to install a “pen register”—a mechanism for recording metadata in realtime—on the company’s systems in order to monitor a particular user, widely believed to be Edward Snowden. In order to make that data intelligible, however, it also demanded the use of the SSL keys used to encrypt all users’ traffic. When the Fourth Circuit upheld that demand, CEO Ladar Levison chose to shutter the site entirely.

Apple’s latest reply brief clearly registered the company’s dismayed response to this legal shot across the bow:

The catastrophic security implications of that threat only highlight the government’s misunderstanding or reckless disregard of the technology at issue and the security risks implicated by its suggestion.

Such a move would signal a race to the bottom of the slippery slope that has haunted privacy advocates: A world where companies can be forced to sign code developed by the government to facilitate surveillance. In this case, that means software to brute force a passcode, but could as easily apply to remote exploits targeting any networked device that relies on developer credentials to authenticate trusted updates. Which is to say, nearly any modern networked device. It entails, quite literally, handing the government the keys to the kingdom.

What’s particularly worrying is that, while this approach is massively more troubling from a security perspective than funneling such requests through the company itself on a case-by-case basis, it would likely stand on a less shaky legal foundation.

Apple’s arguments throughout this case have stressed the unprecedented nature of the FBI’s attempt to conscript the firm’s engineers, noting that the All-Writs Act invoked by the government was meant to enable only the particular types of orders familiar from common law, not grant an all-purpose power to “order private parties to do virtually anything the Justice Department and FBI can dream up.” The trouble is, an order to turn over information in the “possession custody or control” of a private party is just such a traditional order. Such demands are routinely made, for instance, via a subpoena duces tecum requiring a person or company to produce documents.

It’s likely that Apple’s developer keys are stored in a Hardware Security Module that would make it difficult or impossible to produce a copy of their firmware signing key directly to the government. But that might not be much legal help. In a separate iPhone unlocking case in New York, magistrate judge James Orenstein recently rejected the government’s argument that a previous All-Writs Act case, New York Telephone Co., required Apple’s compliance. In that case, Orenstein noted, the government’s

agents would normally have been able to install the authorized pen register without the company’s assistance but for the fact that the subject telephone’s wires were so placed as to prevent the agents from gaining surreptitious access. The agents thus needed the telephone company not to provide technical expertise they lacked, but only to step out of the way and let them perform their authorized surveillance on company property.

But that sounds much closer to what would be involved in a case where Apple is required to authenticate government-written code: Just “step out of the way” and let the FBI access the HSM containing the keys used to sign updates.

Similarly, many of the First Amendment arguments raised by Apple and the Electronic Frontier Foundation—to the effect that “code is speech” and the requirement that Apple create new software amounts to “compelled speech”—would also fall by the wayside. They might still advance such arguments with respect to the “endorsement” implicit in using company credentials to sign software, but a court may not find that as intuitive as the idea that “compelled speech” is involved in requiring engineers to devise wholly novel and potentially complicated software.

Many of Apple’s other arguments, of course, would remain untouched: There’s the idea that Congress has established a comprehensive statutory framework specifying the means of law enforcement access to digital content via laws like the Communications Assistance for Law Enforcement Act and the Electronic Communications Privacy Act, making the All-Writs Act an inappropriate mechanism to seek authority withheld by Congress. Nor would a “sign our code” approach affect any of Apple’s claims about the broader security harms inherent in the creation of developer-authenticated tools to break security. But the long list of legal barriers to the FBI getting its way would surely be significantly reduced.

That means it’s not just important that Apple win in this case—it matters how it wins. If the company emerges victorious on grounds fundamentally tied to the mandate to create software rather than the demand to authenticate it, it could prove a pyrrhic victory indeed, opening the door for the government to insist on doing things the “hard way,” and inaugurating an era of government-scripted malware signed to look like genuine updates.

Posted on Techdirt - 13 September 2012 @ 03:54pm

Credit Where It's Due: DOJ Changes Its Tune On FISA Transparency

Earlier this week, I complained that the Department of Justice seemed to be stonewalling a Freedom of Information Act request I’d filed seeking copies of mandatory semi-annual reports to Congress on the National Security Agency’s compliance with the procedures and civil liberties safeguards of the FISA Amendments Act–which the House voted yesterday to reauthorize for another five years. After sitting on the request for two months (the statutory deadline is 20 business days), DOJ had finally replied with a letter claiming they could “neither confirm or deny the existence” of reports that were required by federal law. I thought this was a little ridiculous. Fortunately, there were officials at the Justice Department who thought so too.

Having appealed the denial of my request, I got an impressively prompt reply on Tuesday evening from the director of the Office of Information Policy at DOJ, assuring me that she recognized the agency’s initial response had been “incorrect,” and that a new one would be forthcoming immediately. By Wednesday morning, their stance had changed entirely: They had found the reports I sought, and were forwarding them to the Office of the Director of National Intelligence (ODNI) for review to determine what would need to be redacted before release–with a request that ODNI seek to expedite its analysis to compensate for their own delay.

Now, to be sure, I’d rather have had this response a month ago, and the documents before the House vote, but at this point DOJ appears to be doing exactly what they’re supposed to and making a good faith effort to facilitate the redaction and release of these important assessments. So it seemed appropriate to follow up on my initial blog post to acknowledge that–and in particular Office of Information Policy director Melanie Pustay, who straightforwardly acknowledged the error and acted quickly to correct it. We’ll see soon enough whether a similar spirit of transparency reigns at ODNI.

Cross-posted from Cato-at-Liberty.

Posted on Techdirt - 11 September 2012 @ 07:07am

Testing 'The Most Transparent Administration in History'

Barack Obama pledged to preside over the “most transparent administration in history,” drawing an explicit contrast with the extreme secrecy of his predecessor. The Web site of the Department of Justice highlights that pledge, declaring its commitment to faithfully carry out a presidential directive encouraging such transparency, especially with regards to Freedom of Information Act requests, which are a vital tool for public accountability and informed democratic deliberation about government’s activities. Earlier this summer, I decided I’d put that commitment to what should have been an easy test.

When Congress passed the controversial FISA Amendments Act of 2008, granting the NSA broad power to conduct sweeping electronic surveillance of Americans’ international communications without individualized search warrants, it wisely required the Justice Department to issue semi-annual reports to Congress on the government’s implementation of the law, evaluating compliance with the various rules, guidelines, and procedures in place to reduce the risk of civil liberties abuses. While these reports are classified, redacted versions of several previous installments have been released to the public in response to Freedom of Information Act requests. The most recent is from May of 2010, which means that by now there are three or four further reports on the government’s use of its new spying powers which haven’t been seen by the public.

Since the FAA is set to expire at the end of this year, and Congress is rapidly steamrolling toward reauthorizing the law for another five years, it seems like now would be a good time to let the public see the latest versions of these reports—with any specific references to operational details removed, of course. That’s especially true given that we’ve recently learned that at least one ruling by the secretive FISA Court found some surveillance under the FAA had violated the Fourth Amendment. The latest reports, even in redacted form, might give us further insight into the scale and seriousness of this violation of Americans’ constitutional rights. If, on the other hand, we find no mention of this in the official reports, it would be powerful evidence that Congress is getting a whitewashed account, and that internal oversight may not provide adequate protection for our privacy and liberties. Again, the government has already released several previous installments of this report—though the ACLU ultimately had to file a lawsuit before they agreed to do so—so there should be no doubt now as to whether these are documents they’re obligated to release.

On June 26, therefore, I sent a FOIA request to the Justice Department asking for the release of the newer installments of this important report—specifically asking for expedited review, given the importance of informing the public about the use of the law before Congress renews it. On July 6, I got a response acknowledging that my request had been received and forwarded to the FOIA office of the DOJ’s National Security Division. Federal law requires agencies to reply to these requests within 20 business days. I was still waiting when, a few days ago, a bill extending FAA spying authority was scheduled for consideration before the House of Representatives this week. I did, however, have a brief phone conversation with the NSD’s FOIA officer confirming that she was evaluating my request, and that she understood clearly exactly which reports I was requesting.

Yesterday morning, September 10—more than two months after acknowledging receipt of my request for these three or four documents—I finally got a reply (my emphasis added), denying my request with the following unhelpful boilerplate:

The Office of Intelligence (OI) maintains operational files which consist of copies of all FISA applications, as well as requests for approval of various foreign intelligence and counterintelligence collection techniques such as physical searches.  We did not search these records in response to your request because the existence or nonexistence of such records on specific persons or organizations is properly classified under Executive Order 13526.  To confirm or deny the existence of such materials in each case would tend to reveal which persons or organizations are the subjects of such requests.  Accordingly, we can neither confirm nor deny the existence of records in these files responsive to your request pursuant to 5 U.S.C. §552(b) (1).

This is, in a word, ridiculous. The “existence” of the reports I asked for is required by federal law. To the extent they contain passing references to any specific persons or organizations under investigation, these can easily be redacted, and have been redacted for previous public releases of the same documents. No reasonable person could believe that this reply is applicable to my request. If it had been sent immediately, you could at least put it down to sloppiness or inattention, but remember, it took them two months to send out a denial based on the preposterous claim that it is classified information whether a report mandated by federal statute even exists.

I can appeal—and of course, I intend to—but since that’s likely to drag out the process for at least another month or two, the reports are likely to come too late to be relevant to the debate over FAA reauthorization. Try as I might, it’s almost impossible for me to see this as a good faith response to my request. Instead, it looks an awful lot like a stalling tactic calculated to drag out the process until it’s too late for the documents to be relevant to the debate over the FAA. I suppose this shouldn’t be terribly surprising: DOJ’s modus operandi, at least when it comes to anything controversial or potentially embarrassing to the government, seems to be to force FOIA requesters to waste time, energy, and money going to court even when it’s painfully obvious there’s no legitimate legal basis for sustaining a denial. That this is routine enough to be predictable, however, shouldn’t make it any more acceptable in a democracy.

Cross-posted from Cato at Liberty.

Posted on Techdirt - 19 December 2011 @ 08:37am

How SOPA Will Be (Ab)Used

Proponents of the Stop Online Piracy Act (SOPA) and its Senate counterpart PROTECT-IP often affect incredulity that anyone would “defend piracy” by describing their valiant attempts to stamp out “rogue sites” as a threat to free speech or innovation. Recording Industry Association of America head Cary Sherman, for instance, recently insisted to The New York Times that the bills are “specifically designed to focus on the worst of the worst sites whose model is predicated on theft.” This would be more convincing if the content industries weren’t so clearly continuing their long, proud tradition of making aggressive and overbroad copyright claims that would impede speech and innovation.

In the 80s, Universal Studios famously sued Sony to block the sale of Betamax VCRs, which could be used to “facilitate” the infringement of copyrights in shows and movies aired on broadcast television. Blocking VCR sales, of course, might also have strengthened the market position of the DiscoVision laserdisc system being developed by MCA, Universal’s parent company. The Supreme Court eventually vindicated Sony, but Universal did manage to persuade one lower court to rule in their favor. If SOPA’s blocking provisions could be implemented in the physical world, every VCR (and maybe every Sony product) would have stopped working after that first favorable ruling, until Sony could meet the burden of proving its innocence in a U.S. court. Of course, under a rule like that, consumers might have been wary of buying a VCR in the first place.

And today? It’s the Universal Music Group heading to court, after using a dubious copyright claim to take down an embarrassing video in which pop stars sing the praises of the site Megaupload. Megaupload, you see, is a file locker site, and the recording industry has made it crystal clear that it’s at the top of the industry’s list of “rogue sites” that should be targeted under SOPA. Indeed, when the content industries talk about why SOPA is needed, they invariably cite file lockers generally as the very epitome of a “rogue site.” It is, therefore, a little awkward to have their own artists pointing out the obvious: File lockers can be used by pirates to share infringing files, but also host an enormous amount of perfectly legitimate content, uploaded by users who would be effectively silenced (and cut off from their own files) if the entire site were blocked. Similarly, the recording industry thinks copyright gives it the power to veto cloud-based music storage services, which serve as a kind of virtual hard drive from which users can remotely access and play their own legally purchased and uploaded music. It’s a great convenience for consumers—but the labels think they can use copyright to stop it unless they’re paid a cut.

We might also look to some of the seizures of U.S.-registered sites by Immigration and Customs Enforcement. The sports site Rojadirecta—registered in the U.S. but based in Spain—was seized on the theory that linking to infringing video of sporting events hosted elsewhere on the Internet is enough to trigger forfeiture, even though Spanish courts have repeatedly ruled that such conduct (however shady it might seem) is legal in Spain. As lawyers for the government argued, invoking the very same statute that would provide the basis for SOPA censorship:

“[A]ny property used … in any manner or part to commit or facilitate the commission of an offense [such as criminal copyright infringement]” is subject to forfeiture…. Moreover, it is “[i]rrelevant whether the property’s role in the crime is integral, essential or indispensable,”… and a single incident of facilitating criminal activity is sufficient to trigger forfeiture.

The government further notes that they’re not directly charging Rojadirecta with criminal infringement (nor indeed do they ever have to bring such charges), which means no need to meet that pesky “beyond reasonable doubt” standard—or even “probable cause”. All the government needs for forfeiture, they assert, is a “reasonable belief” that a domain is being used to “facilitate” criminal infringement. This despite the fact that, in the context of obscenity laws, the Supreme Court has held that “Mere probable cause to believe a violation has transpired is not adequate to remove books or film from circulation.” Now, Rojadirecta’s business model is certainly shady, and maybe they’re even guilty of criminal infringement. But are we really comfortable with an entire domain, including vibrant discussion forums that clearly enable protected, non-infringing speech, being blocked pursuant to a “reasonable belief” standard, forcing the company to hire U.S. lawyers and prove their innocence to win the right to speak to U.S. users?

Then there’s the case of Dajaz1.com, a hip hop blog seized for over a year by the government for hosting infringing music files. Except it turned out that those files had actually been provided by PR firms, working for the music labels, who hoped blogs like Dajaz1 would circulate them to create buzz for up-and-coming artists. Oops!

As legal scholar Jason Mazzone has amply documented, the use of dubious copyright claims to chill legitimate speech is depressingly common. The voting machine manufacturer Diebold has tried to use copyright to shut down whistleblower sites that published internal e-mails highlighting security vulnerabilities in software that could determine the outcome of elections. The Church of Scientology has similarly invoked copyright to stifle criticism. In Russia, political opposition groups are routinely raided under the pretext of searching for copyrighted software. Research suggests that most copyright takedown claims to search engines like Google are issued by companies targeting their competitors, and that nearly a third of takedown notices under the Digital Millennium Copyright Act lack a clear basis.

I could easily fill a dozen long blog posts with examples, but let’s cut to the chase. Major movie studios and music labels draw a lot of water in D.C.: the fact that a bill as massively unpopular as SOPA is even being seriously considered, let alone likely to pass, is proof of that. They will effectively control which foreign domains the Justice Department chooses to block directly, and shop around for friendly judges amenable to rubber-stamping orders in civil litigation that require payment providers and ad networks to cut off disfavored sites. The likely targets are their competitors, whether the copyright claims are valid or not. Sites like YouTube that provide entertaining user-generated videos are one less reason to pony up for the next lackluster Adam Sandler movie. Sites that give musicians a way to gain exposure to fans and market their albums without giving a cut to the increasingly redundant middleman threaten to make the labels obsolete. And if open platforms invariably end up hosting some infringing content uploaded by users? Well, that’s as good a pretext as any for shutting down the competition.

Why do critics of SOPA worry that the bill will threaten legitimate speech and innovation? Because its supporters have spent three decades providing overwhelming justification for that fear at every opportunity. If I may end by making a bit of “fair use” of the genius of former Smiths’ front-man Morrissey:

He was a sweet and tender hooligan, hooligan

He said that he’d never, never do it again

And of course he won’t, oh, not until the next time

Empowered with the ability to threaten blocking of entire domains, I’d rather not see what the copyright hooligans do “next time.”

Posted on Techdirt - 9 December 2011 @ 03:22pm

Perhaps SOPA Should Be Called The Stop Online PRIVACY Act

From piracy to privacy

Critics of the Stop Online Piracy Act and its Chinese Firewall approach to combatting Internet piracy have hammered the ill-advised legislation for the predictable damage it would inflict on cybersecurity, innovation, and above all, free speech. More than a hundred eminent law professors—including such renowned constitutional scholars as Harvard’s Laurence Tribe—have blasted blocking provisions in SOPA (and its Senate counterpart PROTECT-IP) as a form of “prior restraint” of speech prohibited by the First Amendment. Yet SOPA also poses less obvious risks to the privacy of Internet users—risks which have received far less attention.

“We tend to treat freedom of speech issues on the Internet as matters of censorship,” former White House technology advisor Andrew McLaughlin recently explained to The Wall Street Journal, “but the real threat is surveillance.” Censorship and surveillance are natural partners: Monitoring alone often chills speech as effectively as blocking, and content prohibitions naturally give rise to monitoring designed to identify prohibited content. So it is likely to be with SOPA.

Under the notice-and-takedown approach to copyright infringement embedded in the Digital Millennium Copyright Act, Web platforms aren’t expected to actively police the content uploaded by their users: They’re only expected to comply with requests to remove specific files identified by rightsholders. Under SOPA, however, a site can be branded as “dedicated to theft of U.S. property” if, in the statute’s bizarre wording, its owner “is taking, or has taken deliberate actions to avoid confirming a high probability” of infringement. Sites merely accused of insufficient diligence risk being starved of revenue from ad networks or payment providers.

These dire consequences provide a powerful incentive for legitimate sites to implement some form of automated monitoring of user-uploaded content, lest they be accused of “deliberately avoiding” awareness of infringement. Sites that do so can be expected to modify their terms of service—lengthy blocks of legalese, which users seldom read closely—to authorize such scans. As many analysts have pointed out, the friction and overhead costs involved in implementing such filters burden both innovation and legitimate “fair uses” of copyrighted content. But such scanning may also have unanticipated knock-on effects on the level of legal privacy protection to which user communications are entitled.

Much infringing content is posted on the public Internet for all to see. But infringement can just as easily occur in more limited, private forums. A pirated file can also be sent as an e-mail attachment, shared exclusively with a circle of friends on a social network, or uploaded to a cloud storage site behind a password wall. A comprehensive scan would have to include these as well—potentially affecting how content is treated under both federal statute and the Constitution. In short, SOPA incentivizes private cloud providers to change their practices in ways that may lower legal barriers to government acquisition of private communications—even for investigations having nothing to do with copyright.

Enter the Fourth Amendment

Courts have only depressingly recently begun recognizing that some forms of cloud-stored data are entitled to the protection of the Fourth Amendment. But Fourth Amendment analysis focuses on whether an individual enjoys a “reasonable expectation of privacy” in the information a government agent seeks to obtain. If files or messages are routinely scanned for infringing content by skittish cloud providers, courts may be more likely to find that the user’s expectation of privacy—and any Fourth Amendment protection that accompanies it—has been waived. Even the lesser privacy protection afforded by the Electronic Communications Privacy Act depends in part on the provider having limited access to user files and messages, which means more scans that are not obviously a necessary part of providing a particular cloud service could provide a basis for questioning the statute’s applicability.

Let’s be optimistic, though, and assume that the law will be interpreted to preserve the privacy protection of user-uploaded content, even if it has been scanned in this way. That protection is still less likely to extend to any logs generated by a provider’s scans. Insofar as these logs indicate which users have been flagged for uploading suspect files, or for sending links to suspect sites, they would reveal information about user content, but could easily be treated as ordinary business records accessible to government via a mere subpoena or other lesser process, rather than a full Fourth Amendment search warrant.

Would DNS redirection violate wiretap laws?

Finally, it’s worth considering some potential effects of falsifying DNS records to redirect traffic bound for foreign sites deemed verboten by the Department of Justice. While SOPA leaves open what happens when someone attempts to reach a blocked site, PROTECT-IP explicitly suggests that a blocking notice chosen by the Attorney General should be shown to users seeking to reach those sites. That suggests that PROTECT-IP could be implemented using a scheme similar to that used by the Department of Homeland Security for seizing U.S. sites, which are pointed to a notice of seizure at 74.81.170.110.

Much here depends on the details of implementation, but such redirection creates a possible backdoor mechanism for the collection of information that normally requires a court order. Ordinarily, when the government wants to acquire communications metadata in realtime—to find out who is communicating to or from a particular phone, e-mail account, or IP address—it must get what’s known as a “pen register” (for outgoing information) or “trap and trace” order (for incoming information) authorized by a judge. The standard for these orders is far lower than the “probable cause” needed for a full-blown wiretap, but they do still require some showing of relevance to an ongoing investigation of a specific crime that the government believes has been or is about to be committed.

If requests for pages hosted at InfringingContent.com, CheapViagraPills.net, or SexyMidgetVideos.org are instead sent to a blocking notification page on a government-controlled server, that server’s logs will effectively capture the IP address of every user who has attempted to initiate a communication with a blocked domain (unless they’re using a proxy or other anonymizing tool). This is especially worrisome in cases where the site in question might host content that is controversial for reasons beyond copyright status.

Potentially still more problematic—and again, depending heavily on the implementation details—such redirection could cause communications intended for one domain to be redirected to the government’s notification server, which would technically constitute an illegal “interception” under federal wiretap law even if the notification server were not configured to accept or record any of that data. The simplest way this might happen is if a DNS server operator interpreted the law as requiring modification of a blocked domain’s mail server (or MX) record. But even an ordinary HTTP page request will often contain some forms of “content”: search queries, login credentials, a user agent string, or cookies placed by the blocked site during previous visits. And of course, DNS is not only used by web browsers, but by other clients operating on other communication protocols. The host currently used by DHS to provide seizure notification only appears to keep port 80 (HTTP), 443 (SSL), and 3389 (terminal services) open, but those settings can be easily changed at any time, before or after redirection begins. In effect, DNS hijacking puts the government on the honor system with respect to communications directed at or through a seized domain. The alternative—failure to resolve without redirection—results in censorship without transparency, as government blocks become indistinguishable from technical or other sources of connection failure.
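What the last two paragraphs describe can be made concrete. The following is an added example, not part of the original post: it parses constructed HTTP requests as they would arrive at a notification server after DNS redirection and separates the addressing data from the content fields the article lists. The hostnames, IP addresses (documentation ranges), cookie values and function names are all assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a request a browser built for "blocked.example".
# With the DNS record rewritten, these exact bytes go to the notice server.
SAMPLE_REQUEST = (
    "POST /search?q=whistleblower+documents HTTP/1.1\r\n"
    "Host: blocked.example\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Cookie: session=abc123; prefs=lang-en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

# Constructed sample: a plain page view of a second redirected domain.
SAMPLE_GET = (
    "GET /forum/thread/42 HTTP/1.1\r\n"
    "Host: other-blocked.example\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def what_notice_server_sees(raw, client_ip):
    """Report what reaches the redirect target for one request.

    'addressing' is the who-contacted-whom data a pen register would
    yield; 'content' holds the fields the article names as content.
    """
    _method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    is_form = headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    )
    form = parse_qs(body) if is_form else {}
    return {
        "addressing": {
            "client_ip": client_ip,
            "intended_host": headers.get("host"),
        },
        "content": {
            "path": url.path,
            "query": parse_qs(url.query),
            "cookies": {name: morsel.value for name, morsel in cookies.items()},
            "user_agent": headers.get("user-agent"),
            # Field names only; the values arrive at the server as well.
            "form_fields": sorted(form),
        },
    }


def visitors_by_domain(arrivals):
    """Group client IPs by the blocked domain each one tried to reach.

    This is all an ordinary access log needs to record in order to list
    every address that attempted to contact each redirected domain.
    """
    seen = {}
    for client_ip, raw in arrivals:
        host = what_notice_server_sees(raw, client_ip)["addressing"]["intended_host"]
        seen.setdefault(host, set()).add(client_ip)
    return {host: sorted(ips) for host, ips in seen.items()}


if __name__ == "__main__":
    import json

    print(json.dumps(what_notice_server_sees(SAMPLE_REQUEST, "192.0.2.10"), indent=2))
    print(visitors_by_domain([
        ("192.0.2.10", SAMPLE_REQUEST),
        ("198.51.100.7", SAMPLE_GET),
        ("192.0.2.10", SAMPLE_GET),
    ]))
```

Over HTTPS the server would first have to complete a TLS handshake for the blocked hostname before any of the content fields became readable, but the client IP is visible from the connection attempt alone.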

From worries about its impact on DNSSEC to fears of providing cover for repressive regimes abroad, it’s hard to keep track of all the different reasons to oppose domain censorship as an anti-piracy strategy, but there are strong grounds for adding its effect on privacy to the long, growing list.

Posted on Techdirt - 12 March 2008 @ 03:58pm

House Dems Release Draft of 'Compromise' Surveillance Bill

Democrats in the House of Representatives have finally released a preliminary draft of compromise legislation to amend the Foreign Intelligence Surveillance Act. For civil libertarians who had resigned themselves to one more capitulation to White House demands, the bill will come as a relief: There is not a lot of compromise in this “compromise bill.” Unsurprisingly, that means that administration officials, and the House Republican leadership, regard the bill as unacceptable.

On the hot-button question of retroactive immunity for telecoms alleged to have participated in warrantless National Security Agency wiretaps, the draft bill would shunt suits against the companies to a federal court empowered to hear classified evidence. This may come as welcome news to the telecoms, which had complained that the exculpatory evidence they need to defend themselves consists largely of state secrets. It will probably be less appealing to the Bush administration, which has resisted outside scrutiny of the surveillance activities authorized by the president after 9/11. For similar reasons, the White House is likely to oppose a provision in the draft bill creating a bipartisan commission, endowed with subpoena powers, to investigate government wiretaps from 2001–2007.

The bill’s approach to executive branch wiretaps is in many respects similar to that of the RESTORE Act passed by the House last year, as a side-by-side comparison chart makes clear. The administration is thrown a few bones: Unlike the RESTORE Act, this legislation covers surveillance serving any foreign intelligence purpose, rather than only those related to terrorism or national security. It also expands, from 72 hours to one week, the time allowed for “emergency” wiretaps implemented in advance of court authorization. But on the whole, it embeds significantly more stringent civil liberties safeguards than the White House-approved legislation passed by the Senate. Instead of changing the legal definition of “foreign intelligence” — an important term appearing in a variety of complex statutes — the bill carves out a special exemption, allowing intelligence agencies to acquire communications between specific overseas targets and persons in the United States. The bill also requires the development of guidelines to prevent “reverse targeting” of Americans, to ensure that lenient FISA procedures cannot be used to circumvent the more stringent requirements that apply to ordinary criminal investigations. The FISA court must approve surveillance procedures in advance, and both the procedures and agencies’ compliance with “minimization” guidelines designed to limit the unnecessary retention of Americans’ communications are subject to review by the court and an independent Inspector General. It also incorporates the Senate bill’s “Wyden Amendment,” providing protection for Americans abroad. Finally, the law is scheduled to sunset in two years, rather than the Senate bill’s six.

Whether House Democrats will be able to succeed in pushing this legislation through is unclear. Senate Intelligence Committee Chair Jay Rockefeller (D-WV), whose support will be critical in getting any law passed, has said that “considerable work remains” before he will be prepared to support proposed reforms. Despite its similarity to the stalled RESTORE Act, though, House leaders may have pulled off a bit of clever political jujitsu by offering new legislation. Republicans had fought hard to frame the debate as a question of inaction, on the one hand, or passage of the Senate bill, on the other. The burden, Democrats presumably hope, will now shift to Republicans to explain why they cannot countenance the passage of “vital” legislation with a few extra safeguards and checks.

Posted on Techdirt - 27 February 2008 @ 03:32pm

Businesses Prefer Not to Be Sued, Film at 11

There’s nothing up on its website about this yet, but the U.S. Chamber of Commerce has thrown its ample weight into the warrantless wiretapping fight, with a letter to the House of Representatives urging legislators to approve retroactive immunity for cooperative telecoms as part of changes to the Foreign Intelligence Surveillance Act. The letter, from the organization’s VP for government affairs, R. Bruce Josten, argues:

The Chamber represents companies across various industries which own or operate vital components of the nation’s critical physical, virtual, and economic infrastructures. The federal government continually depends upon such industries for cooperation and assistance in national security matters, including homeland security programs and activities. The government also turns to these companies in times of crisis, when the speed, agility, and creativity of the private sector can be critical to averting a terrorist attack.

Therefore, the Chamber urges the House to consider S. 2248 and pass this bipartisan compromise legislation. The Chamber firmly believes that the immunity provisions in S. 2248 are imperative to preserving the self-sustaining “public-private partnership” that both Congress and the Executive Branch have sought to protect the United States in the post-September 11 world. The Chamber encourages you consider the effects on the nation’s security should private sector involvement be muted and relegated to the sidelines in instances when industries can help the government protect this nation.

In the 2006 election cycle, the Chamber gave $19,000 to Democratic candidates for the House and $76,500 to Republicans. Its contributions have been more evenly split in this cycle to date: $15,076 for Democrats and $16,500 to Republicans. Members in close races will therefore likely find the “urges” of the Chamber hard to ignore.

Posted on Techdirt - 25 February 2008 @ 02:05pm

Lessig Decides Against Congressional Bid

Law professor and copyright critic Lawrence Lessig has decided against a run for Congress, citing polling showing “no possible way” of overtaking popular California State Senator Jackie Speier before the April 8 election to fill the seat left empty by the death of Democratic Rep. Tom Lantos. Lessig had been mulling a bid on the urging of a burgeoning netroots campaign to draft him for public office, but decided that the likelihood that he would “lose big” would do more to harm than help his broader nascent effort to “Change Congress.”

That effort will now see a sudden cash influx, as almost $28,000 raised at the Lessig ’08 page on the progressive Web site ActBlue flows into the newborn non-profit’s coffers. Under an arrangement with ActBlue, some $8,600 raised on two other Lessig-related pages will be donated to Creative Commons, an organization founded by Lessig to provide simple legal licenses for creators who wish to enable the sharing and remixing of their works.

Posted on Techdirt - 21 February 2008 @ 05:31pm

Buildup To A Discharge: How Some Representatives Are Looking To Force A Vote On FISA

Sources on the Hill report that, in the wake of last week’s dust-up over surveillance reform in the House of Representatives, House Republicans are preparing to circulate a discharge petition, a mechanism that can be used to circumvent House leadership and move a bill directly to the floor to force a vote. The Senate has already passed White House-supported legislation amending the Foreign Intelligence Surveillance Act to expand the government’s power to eavesdrop on conversations with overseas parties without a warrant — legislation that also includes a controversial provision providing retroactive immunity against civil suits to telecoms that gave the National Security Agency access to customer data without a court order. But House Speaker Nancy Pelosi (D-CA) has refused to schedule a vote on the House version of the Senate’s bill.

Since, under House rules, that legislation is not subject to a discharge petition as currently engrossed, Reps. Vito Fossella (R-NY), Peter King (R-NY), and Pete Hoekstra (R-MI) have introduced their own version. They are currently gathering informal commitments from legislators while waiting out the 30-day time limit before a petition can be formally circulated.

Since discharge petitions are seen as a direct affront to leadership’s control of the agenda, legislators are generally extremely reticent about signing them: The last time one was used successfully was in 2002, when it forced a vote on Shays-Meehan, the House version of the McCain-Feingold campaign reform law. Some members even have blanket policies against signing such petitions. And since they require a simple majority to become effective, Republicans would need to win over many of the conservative Blue Dog Democrats who have urged Pelosi to move forward with the Senate’s version of the FISA bill. And even those willing to break with Pelosi on this issue may have qualms about slapping her in the face quite so overtly.

Instead of being directly used to force a vote, then, a source in the office of a Republican representative projects that the petition will be used to bring pressure directly to bear on Democratic members, and indirectly on the Democratic leadership. The latest assault in that pressure campaign came today in the form of a 24-style scare ad put out by the House Republican Conference, warning of impending terror attacks unless Democrats act quickly to reauthorize warrantless wiretaps.

Posted on Techdirt - 14 February 2008 @ 06:39pm

House Republicans Take Their Ball, Go Home In FISA Fight

It now appears all but certain that the stopgap Protect America Act, which Congress passed in August, will expire this weekend, despite dark warnings from the White House that this would create a parlous “intelligence gap” and stymie intelligence community efforts to track terrorists. House Republicans, led by Minority Leader John Boehner of Ohio, staged a walkout to protest Democrats’ refusal to schedule an immediate vote on a bill approved in the Senate earlier this week enacting more permanent changes to the Foreign Intelligence Surveillance Act. Unlike the RESTORE Act passed in the House back in October, the Senate bill establishes only limited checks on warrantless surveillance of communications between Americans and foreigners, and includes a provision granting retroactive amnesty to telecoms charged with illegally providing customer data to the government without a court order.

Democrats are, for a change of pace, fighting back against charges that they are soft on security issues. Contra predictions of imminent doom, many are now pointing out that the practical effect of the PAA’s lapsing is likely to be quite limited, as any surveillance authorized under the law can continue unabated for another six months. And for all the administration’s dire forecasts, Democrats note that it was House Republicans who voted down a further temporary extension of the PAA in the shadow of a presidential veto threat, and the Republican leader in the Senate who blocked a bicameral conference on the bill, in hopes of forcing the immediate approval of the White House-endorsed Senate bill. In a letter to President Bush today, Senate Majority Leader Harry Reid, who had drawn the ire of progressives for his perceived compliance with White House demands, blasted what he characterized as the administration’s “reckless attempt to manufacture a crisis over the reauthorization of foreign surveillance laws.”
