Deeplinks Blogs related to Privacy
Yahoo To Anonymize Logs After 90 Days, Compared to Google's 9 Months
Commentary by Kevin Bankston
Today, Yahoo upped the ante when it comes to protecting search engine users' privacy, announcing a new data retention policy providing for anonymization of search queries — as well as page views, page clicks, ad views and ad clicks — after 90 days. This announcement comes on the heels of Google's announcement in September that it would be anonymizing its logs after 9 months.
It's always good to see search companies competing to provide more privacy to their users, and with this aggressive move, Yahoo has sent a serious shot across Google's bow. Yahoo has shown that a retention period shorter than Google's — much shorter than Google's — is an achievable goal for a major search engine. This announcement should be followed by another from Google, promising to match or beat Yahoo's retention period. If it isn't, though, legislators, regulators and privacy advocates should demand an answer from Google to the question: "If Yahoo can do it, why can't you?"
Unfortunately, it's hard to gauge the true privacy impact of this policy change until we know exactly what steps Yahoo will be taking to anonymize the data. The devil's in the details, and if Yahoo's anonymization process isn't robust enough, this new logging policy may end up being more privacy PR than privacy protection. Fully anonymizing IP addresses and cookie data can be tricky, and even if that data is thrown away completely, there's still the possibility of individuals being identified based on the content of their search queries, as AOL's search data spill demonstrated.
So, as Yahoo finalizes its policy plans, it should take a look at EFF's newly-revised Best Practices for Online Service Providers, which recommends a range of techniques to strongly anonymize online user data. Hopefully, we'll see the details of Yahoo's plan soon, as well as new announcements from other search engines trying to keep up in this accelerating privacy competition. Internet users have long trusted search engines and internet portals like Yahoo and Google with the privacy of their most intimate and sensitive data, and we're glad to see those companies finally vying to earn that trust.
EFF Joins with Coalition to Provide Policy Roadmap to Next President and Congress
Deeplink by Kevin Bankston
A coalition of more than 25 organizations, including EFF, yesterday released "Liberty and Security: Recommendations for the Next Administration and Congress", a comprehensive catalogue of policy recommendations on a range of critical civil liberties issues.
This collaboratively-created transition roadmap, coordinated by our friends at the Constitution Project, contains 20 chapters providing policy recommendations on a wide variety of issues, from Guantanamo Bay to warrantless wiretapping. EFF has signed on as an ally in support of the recommendations in eleven of those chapters, concerning issues within EFF's mission to protect free speech and privacy on the electronic frontier.
Most importantly, EFF has joined as a supporter of all the recommendations made in the area of "Secrecy, Surveillance, and Privacy", covering goals such as reining in NSA spying, updating the Electronic Communications Privacy Act, and reforming the State Secrets privilege (consistent with our Privacy Agenda for the New Administration), as well as combating excessive classification and urging greater transparency in government (as previously described in our Transparency Agenda for the New Administration).
After the jump, you can find links to PDFs of all of the individual chapters of the transition catalogue where EFF has signed on as an ally; the entire document is available here [pdf]. We hope that you — and the next President and Congress — find them enlightening.
A Privacy Agenda For The New Administration
Legislative Analysis by Tim Jones
This is the first post in a three-part series directed at restoring some of the civil liberties we've lost over the past eight years. Today's post is about our privacy rights. We'll follow this up early next week with our thoughts on intellectual property rights and government transparency.
As new leaders prepare to move into the White House and Congress over the next few months, we'd like to call on them to restore Americans' privacy rights. Here's a little "wish list" we'd like to put forward:
Repeal or repair the FISA Amendments Act (FISAAA). There are a great many flaws in FISAAA, which was passed last Summer after a long and difficult fight. Most significantly, the provisions granting retroactive immunity from litigation to telecommunications companies complicit in the Bush Administration's warrantless wiretapping program should be repealed so that the millions of Americans who have been illegally surveilled can have their day in court.
Reform the Electronic Communications Privacy Act (ECPA). ECPA is a major law restricting the government's ability to surveil citizens and is in desperate need of reform. It has become dangerously out-of-sync with recent technological developments and Americans' expectation of online privacy. In particular, the privacy of personal data should not depend on how long an ISP has stored that data or whether the data is stored locally or remotely.
Reform the State Secrets Privilege. The State Secrets Privilege has been radically abused by the Bush Administration, particularly to shield its electronic surveillance activity from judicial review. The new administration should voluntarily reduce its use of the privilege, and work with Congress to reform the privilege and ensure that claims of state secrecy are subject to independent judicial scrutiny.
Scale back the use of National Security Letters to gag and acquire data from online service providers.
Repeal the REAL ID Act. With its requirement that Americans carry a national ID card, it has been rejected by many U.S. states and should be federally repealed.
Reduce or eliminate large-scale government data collection and data-mining projects like the Automated Targeting System (ATS).
Stop invasive border searches of electronic devices.
Freedom Not Fear 2008
Call To Action by Danny O'Brien
Freedom Not Fear is the world's ongoing demonstration against the encroachment on civil liberties by anti-terrorist laws -- particularly in the online world. This year the protests take place this Saturday, October 11th in nearly thirty countries, including the very first events in the Americas.
The origin of the campaign comes from Europeans' anger at the EU's 2006 data retention directive, a pan-European law that requires ISPs to log email and web traffic data for a minimum of six months, and often more. Terabytes of personal data on millions of innocent Europeans are now being collated, paid for by customers and taxpayers, and open for access by any criminal or civil investigation, no matter how trivial.
Freedom Not Fear has since evolved into a more general warning: showing how fundamental freedoms like privacy, freedom of expression, and democratic participation lose when reactionary surveillance systems penetrate our open networks, justified by a hyperbolic rhetoric of fear.
The range of groups and countries that have joined Freedom Not Fear has shown just how wide the offensive front against your privacy has become, and how many are keen to join the defence. This Sunday, Freedom Not Fear events will take place in 22 European cities, as well as (thanks to the Electronic Privacy Information Center, IP Justice, EFF and others) in Washington, D.C. In South America, protests are planned in Buenos Aires, Argentina, and Manta in Ecuador, and other countries are preparing to join.
For those countries without substantial privacy legislation, this year's Freedom Not Fear demonstrations are calling for the adoption of Data Protection laws in their countries. Strong privacy laws should finally affirm freedoms guaranteed by the fundamental rights of privacy in the International Covenant on Civil and Political Rights, the Universal Declaration of Human Rights, and in many other international and regional human rights treaties.
If you'd like to join the demonstrations in your own country, reach out to your national contact listed here, and add the banner to your own web page.
Chinese Skype Client Hands Confidential Communications to Eavesdroppers
News Update by Danny O'Brien
This Wednesday, Information Warfare Monitor published damning evidence showing that TOM-Skype, the version of the voice and chat program distributed in China, not only blocks keywords from chat conversations, but also spies on and remotely reports the contents of Skype users' private text conversations. This directly contradicts Skype's previous assurances that "full end-to-end security is preserved and there is no compromise of people's privacy", even on the customized Chinese client.
This special breached version of Skype, distributed by the Chinese portal company TOM Online, has long been known to block certain contentious phrases from instant message conversations. Research by IWM's Nart Villeneuve shows that when these keywords are mentioned in conversations, the client software also sends an encrypted message to one of eight remote servers hosted in China.
Due to poor security on these servers, Villeneuve was able to uncover what was being sent: extensive logs on user activity, including archives of more than 166,000 censored messages from 44,000 users.
The TOM-Skype client was introduced as part of a business deal between Skype's parent company, eBay, and the Chinese Internet company. Skype has denied involvement in TOM's additions to their core client software, but it was well aware that TOM had introduced censorship features into the Chinese Skype client. At that time it asserted that its users' privacy was nonetheless secure. We now know that Skype is in no position to make that assurance.
This breach is not an isolated Chinese problem. All Skype users are affected; conversations will be monitored even if only one side of a conversation is using the Chinese client. As of June 2007, there were 42 million registered users of TOM's compromised client, increasing at a rate of 70,000 new users per day. Anyone communicating with those millions will find their communications monitored and potentially reported to an unknown third party, even if they are not using the TOM client themselves.
What can Skype do? While it might disclaim responsibility, arguing that this political spyware was not directly written by its own coders, the company is directly implicated by its close relationship with TOM. When Chinese visitors go to the Skype homepage, they are redirected to a page offering a download of TOM's compromised client version. TOM's Skype page in turn indicates that TOM's version is an authorized Skype product for Chinese users. Skype does not warn its visitors of the differences between the non-Chinese client and TOM's client, and has made no effort to proactively monitor what differences there are, or convey the implications of those differences to users.
Villeneuve spent many hours decoding the extra packets to understand what was going on: Skype's own engineers could surely have spotted this behavior in seconds. Instead, an eBay spokesman said that the software's behaviour was "changed without [its] knowledge or consent and [it is] extremely concerned."
At a minimum, eBay can show its commitment to "the security and privacy of [its] users" by terminating its relationship with TOM and withdrawing TOM's permission to use eBay trademarks. It should no longer redirect to TOM, instead presenting an eBay-developed Chinese-localized version of Skype. It should also prominently warn its own users of the dangers of talking to those using the compromised client. It should attempt to obtain binding assurances from TOM that all copies of the logged data have been destroyed, and should advise all affected users whether this has taken place.
In the meantime, if you want to chat securely, consider using Off-the-Record Messaging (OTR) on another instant messaging network. OTR is a publicly audited security protocol that does not depend on a third party. It can run on a number of different instant messaging networks, and is implemented by a range of software products on MacOS, Windows, and Linux. For more peace of mind, use OTR in conjunction with open source products like Pidgin, Miranda or Adium. The code of open source software is available for examination by anyone, which minimizes the possibility of a government trojan being inserted into the final downloadable version. OTR will not prevent governments from monitoring the destination of instant messages, but it will protect the contents of your messages.
(Villeneuve also found logs containing information about users' Skype voice calls, including times and destination usernames and numbers. There is no indication that the contents of Skype voice calls themselves were recorded or transmitted. Because Skype's audio encryption protocol remains secret, however, we only have eBay's assurances on its invulnerability to external surveillance. From now on, users may have less reason to trust the company's word on matters of privacy or security without external confirmation.)
Court Protects Privacy of Satellite Receiver Owners
Legal Analysis by Fred von Lohmann
Last month, EFF filed an amicus brief in Echostar v. Freetech, where Echostar sought the identities of every consumer who purchased a Freetech "CoolSat" free-to-air (FTA) satellite receiver during the past five years. EFF argued that this demand, issued in discovery in a lawsuit between Echostar and Freetech, represented an unwarranted intrusion into the privacy of individual consumers. Today, the court agreed, issuing an order blocking Echostar's subpoenas.
The ruling potentially sets an important precedent, as it represents the first time a federal court has explicitly rejected a third-party subpoena on the basis of the privacy interests of nonparty consumers.
Echostar is the company behind the DISH satellite TV service. Freetech makes receivers for unencrypted, free-to-air satellite transmissions (there are many free, unencrypted satellite channels). In December 2007, Echostar sued Freetech, alleging that the Freetech CoolSat receiver was specifically designed for after-market modification to enable unauthorized reception of DISH programming. According to Echostar, Freetech "sold thousands of these FTA Receivers to consumer pirates for the sole purpose of circumventing [Echostar]'s Security System."
In the course of discovery, Echostar sent subpoenas to the distributors of CoolSat receivers, demanding that they hand over their customer lists, including the name, address, email address, and purchase details for every person to have purchased a CoolSat receiver over the past 5 years.
As EFF explained in its amicus brief, these subpoenas represent a serious intrusion into the privacy of legitimate purchasers of these FTA receivers. Not only would it be an intrusion to be contacted by Echostar about a device you purchased months or years ago, but other satellite TV companies have used customer lists to launch mass litigation campaigns against consumers. After DirecTV obtained similar customer lists in litigation in 2001, it sent more than 170,000 letters to individuals demanding "settlements" of $3,500.
In refusing to allow Echostar to obtain the CoolSat customer lists, the court specifically weighed Echostar's need for the information against the privacy interests of the customers whose information would be disclosed. The court expressed concern that "both those who purchase the FTA receivers for proper and improper purposes will be swept up in the process." The court went on to conclude that "the requests for customer lists, therefore, could lead to the perceived harassment of legitimate users and a concomitant chilling effect on the purchase and lawful use of Freetech's FTA receivers."
Kudos to the court for keeping the privacy interests of nonparties in mind as commercial litigants dispatch third-party subpoenas that would otherwise carelessly intrude into the lives of individual consumers.
Computers Seized from Berkeley Activist Space
Commentary by Hugh D'Andrade
Yesterday, the FBI, UC Berkeley police, and Alameda County Sheriff's deputies conducted a raid on the Long Haul Infoshop, a community space that is home to a number of leftist and anarchist groups, including a newspaper and a radio station. Armed with a warrant (PDF), authorities entered and quickly removed every computer in the Long Haul space.
According to the Associated Press, a UC Berkeley spokesman said that the raid was part of an investigation into threatening e-mails tracked to computers there. Among the computers seized were computers belonging to the Slingshot newspaper, and the Berkeley Daily Planet reports that police "got [Berkeley Liberation Radio's] hard drive."
Even with a warrant, the authorities may have acted in violation of federal law when they seized the computers. The seizure of media computers would appear to be a violation of the Privacy Protection Act, which says that the authorities are not entitled to "search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper [or] broadcast."
The purpose of the Privacy Protection Act is to ensure the freedom of speech and of the press. While there are exceptions to the act (such as when the documents seized themselves contain classified information or child pornography), the intent of the act is to prevent the government from using its search and seizure powers to shut down newspapers and radio stations, or otherwise interfere with the free flow of information to the public.
The seizure of computers is of special interest to EFF, since the first case we fought — and won — was a result of the illegal seizure of several computers from Steve Jackson Games in 1990. In that case, the federal court held that the Secret Service violated the Privacy Protection Act, and ordered the agency to pay for the harm it had caused.
Sixth Circuit Dodges Constitutional Question on Email Privacy; Warshak Case Dismissed on Procedural Grounds
Deeplink by Kevin Bankston
Today, the full panel of Sixth Circuit judges dismissed [opinion] on procedural grounds the case of Warshak v. US, a lawsuit challenging the constitutionality of no-notice, warrantless searches of email stored by an email provider. A three-judge panel of Sixth Circuit judges had previously held [PDF], based in part on briefing by EFF [PDF], that the federal statute that authorized such searches of remote email accounts — the Stored Communications Act — violated the Fourth Amendment on its face.
It's a shame that the court refused to reach the critical question at the center of the Warshak case: does the Fourth Amendment require the government to obtain a search warrant based on probable cause before secretly rifling through your Yahoo! mail or Gmail accounts? Without clear legal rulings on such issues, we face continued uncertainty about how the Constitution protects our private Internet communications, uncertainty that the government will continue to exploit.
The Sixth Circuit en banc panel held that because Warshak could not demonstrate that the government was likely to conduct further no-notice warrantless searches of his email — the government had twice previously done so — the issue was not "ripe" for a judicial decision. EFF shares the sentiments of Circuit Judge Boyce F. Martin, Jr., who authored the original decision finding the SCA unconstitutional as well as the dissent in today's decision:
While I am saddened, I am not surprised by today’s ruling. It is but another step in the ongoing degradation of civil rights in the courts of this country.... History tells us that it is not the fact that a constitutional right is at issue that portends the outcome of a case, but rather what specific right we are talking about. If it is free speech, freedom of religion, or the right to bear arms, we are quick to strike down laws that curtail those freedoms. But if we are discussing the Fourth Amendment’s right to be free from unreasonable searches and seizures, heaven forbid that we should intrude on the government’s investigatory province and actually require it to abide by the mandates of the Bill of Rights. I can only imagine what our founding fathers would think of this decision. If I were to tell James Otis and John Adams that a citizen’s private correspondence is now potentially subject to ex parte and unannounced searches by the government without a warrant supported by probable cause, what would they say? Probably nothing, they would be left speechless.
The decision is disappointing, but does not reject the underlying constitutional ruling on the merits. The original reasoning remains sound, and this decision only reinforces the importance of our mission to obtain a clear ruling from the courts that your emails, IMs, text messages and web browsing receive the same Fourth Amendment protection as your private snail mail and telephone calls. Help EFF fight for an enduring and robust Fourth Amendment by joining now.
Surveilling Drivers For Safety, For The Environment, and For Profit
Deeplink by Peter Eckersley
There is a growing movement to surveil the drivers of cars — for insurance purposes.
One idea is that vehicle insurance premiums should depend on verifiable, periodic measurements of how far a car has been driven. The case for such premiums is strong: driving further clearly increases the risk of an accident, and "Pay As You Drive" premiums would allow (some) drivers to pay less for insurance; would allow insurance companies to make higher profits; and would reduce the congestion, greenhouse emission and traffic accident costs that each mile driven causes for society.
Another idea is that vehicles should collect data on the way that they are being driven (location, speed, acceleration and braking patterns, type of roads, time of day, smoothness of steering, etc). These measurements can be used to identify good drivers, and offer them insurance discounts — or to spot dangerous drivers, charge them higher premiums and encourage them to take driving skills courses. The policy case for this kind of measurement may turn out to be strong too, though it is less well-established.
The problem with these proposals is that they are often accompanied by a technical proposal for a tracking device that sits in your car and transmits voluminous data over wireless or satellite links, so that insurance companies can decide how much to charge you. Many modern vehicles are already collecting this information, and the insurance industry just needs to get a copy of it.
One state currently considering these schemes is California. The State's Department of Insurance held a workshop last week on how best to modify existing regulations to implement Pay As You Drive insurance. EFF participated in the process; you can read our letter to the Department (written with Andrew Blumberg at Stanford) here.
Briefly, EFF's view is that there is a perfectly good, ubiquitous and tamper-resistant device available for measuring vehicle mileage: the odometer. It may be good policy to require fine-grained dependence of insurance premiums upon mileage — but if so, the data should be collected by examining odometers rather than 24/7 wireless or satellite surveillance. We think the public agrees: a similar tracking scheme by UK insurer Norwich Union was abandoned this week.
The best way to protect drivers' privacy, of course, is to not record any facts about where and when and how they are driving at all. But in the long run, there may be sound policy cases for devices that spot dangerous drivers, or charge road tolls based on congestion, etc. If policy-makers are persuaded that there is a strong need for such systems, they need to be built in a way that has the minimal possible privacy consequences. Cryptography offers many ways to implement these kinds of schemes without compromising locational privacy (one technical example is described in this paper). The general principle is that only the minimal amount of information should leave the vehicle: the total billable amount, for instance. If verification is an issue, cryptography and some extra hardware can provide it.
If governments are persuaded that they should allow insurers or anybody else to use detailed information on location or other vehicle observations, they should mandate that these schemes not upload any information from vehicles except for the premium itself, and they should require that the privacy properties of any technology being proposed for vehicles be audited by the computer security community before it is deployed.
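The "only the total leaves the vehicle" principle above, as an added illustration that is not part of the original post and not the scheme from the paper it cites: the vehicle keeps its per-trip records locally, computes the billable total itself, and uploads only the period, mileage total and premium together with an authentication tag. The device key, per-mile tariff and trip data are all constructed for this example; the symmetric HMAC key stands in for the "extra hardware" (a tamper-resistant key store) the post mentions, and a real deployment would more likely use a device signature key so the insurer could not forge reports itself.

```python
"""Added example: pay-as-you-drive billing that uploads only the total."""
import hashlib
import hmac
import json

RATE_PER_MILE_CENTS = 5  # constructed tariff, an assumption for this example

# Constructed per-trip records as an in-car device might hold them.
# They are used to compute the bill but are never part of the upload.
TRIPS = [
    {"start": "2008-10-01T07:55", "from": "home", "to": "office", "miles": 12.4},
    {"start": "2008-10-01T12:05", "from": "office", "to": "clinic", "miles": 3.1},
    {"start": "2008-10-03T19:30", "from": "home", "to": "meeting hall", "miles": 8.0},
]

# Constructed device key; assumed to live in tamper-resistant hardware in the car
# and to be known to the insurer for this device only.
DEVICE_KEY = b"constructed-device-key-not-a-real-secret"

# Fields that must never appear in anything the vehicle uploads.
LOCATION_FIELDS = ("start", "from", "to")


def _tag(body, key):
    """HMAC over a canonical JSON encoding of the report body."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def vehicle_report(period, trips, key=DEVICE_KEY):
    """Vehicle side: aggregate locally and emit only the billable total."""
    total_miles = round(sum(t["miles"] for t in trips), 1)
    premium = int(round(total_miles * RATE_PER_MILE_CENTS))
    body = {"period": period, "miles": total_miles, "premium_cents": premium}
    return {**body, "tag": _tag(body, key)}


def insurer_verify(report, key=DEVICE_KEY):
    """Insurer side: check the tag and recompute the premium from the total.

    The insurer never learns where or when the car was driven; it only
    checks that the total is authentic and that the tariff was applied.
    """
    body = {k: v for k, v in report.items() if k != "tag"}
    if not hmac.compare_digest(_tag(body, key), report["tag"]):
        return False
    expected = int(round(body["miles"] * RATE_PER_MILE_CENTS))
    return body["premium_cents"] == expected


def leaked_fields(report):
    """Audit helper: which location/time fields made it into the upload?"""
    return sorted(k for k in report if k in LOCATION_FIELDS)


if __name__ == "__main__":
    rep = vehicle_report("2008-10", TRIPS)
    print(rep)
    print("verified:", insurer_verify(rep))
    print("leaked:", leaked_fields(rep))
```

Tampering with the uploaded total (or the premium) invalidates the tag, so the insurer can trust the figure without ever receiving the trip log; that is the verification property the post asks cryptography and extra hardware to provide.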
If we let insurance companies, car manufacturers or tech companies build a gigantic driver surveillance system, it will be exceedingly difficult to go back to the days where you could drive to a church, or a gay bar, or a political meeting, or a cheap motel at lunchtime, without some company (or hacker) permanently recording that fact.
EFF Releases Updated White Paper on Best Practices for Online Service Providers
Deeplink by Kurt Opsahl
Today EFF released a revised white paper on Best Practices for Online Service Providers, an update of the 2004 OSP Best Practices white paper. In the white paper, EFF offers some suggestions, both legal and technical, for the best privacy practices for collecting, storing and disclosing data that balance the needs of OSPs and their users' privacy and civil liberties.
OSPs are vital links between their users and the Internet, offering bandwidth, email, web, and other Internet services. In the process of offering services, OSPs collect and store detailed information about their users and their users' online activities.
User information can be of great interest to the government and civil litigants, leading to numerous requests from law enforcement and lawyers to hand over private user information and logs. Yet, compliance with these demands takes away from an OSP's goal of providing users with reliable, secure network services.
In the OSP Best Practices white paper, we offer information for OSPs in order to help them make sound, ethical decisions about how to safeguard private data and preserve freedom of expression online.
Summary of Recommendations
- Develop procedures for dealing with legal information requests and providing notice to users.
- Work with both attorneys and engineers to develop a privacy policy that fits your OSP’s practices.
- Collect the minimum amount of information necessary to provide OSP services.
- Store information for the minimum time necessary for operations.
- Effectively obfuscate, aggregate and delete unneeded user information.
- Maintain written policies addressing data collection and retention.
- Enable SSL as much as possible throughout your site to secure users’ information and communications.
- Understand threats to the security of sensitive information and communications on your systems, and mitigate them appropriately.
- Follow best-practice principles for the use of cookies on your site.
- Insist that the OSPs and other service providers you work with observe these best practices, too.
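The Yahoo post earlier on this page notes that anonymizing IP addresses and cookie data after a retention window is tricky, and that query content alone can still identify people; the recommendations above ask OSPs to store data for the minimum time and to obfuscate, aggregate and delete what is left. The following is an added example serving both passages; it is not code from EFF or from any search company. It applies a 90-day window to constructed search log lines: entries inside the window are kept as-is, older entries get a truncated IP, a keyed pseudonym in place of the cookie id, a coarsened timestamp, and long digit runs scrubbed from the query text. The log format, the digit heuristic and the pseudonymization key are all assumptions made for this example.

```python
"""Added example: retention-window log anonymization for an OSP."""
import hashlib
import hmac
import ipaddress
import re
import secrets
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)

# Constructed sample log; format (an assumption) is
# "<ISO timestamp> <client IP> <cookie id> <query text>"
SAMPLE_LOG = """\
2008-09-01T10:00:00Z 203.0.113.42 c1a2b3 cheap flights to denver
2008-12-10T08:30:00Z 2001:db8:1234:5678::1 d4e5f6 pizza near me
2008-08-15T22:15:00Z 203.0.113.42 c1a2b3 john smith 555-867-5309 address
"""

# Runs of 8+ digits with optional separators (phone/account numbers); heuristic.
LONG_DIGITS = re.compile(r"\d[\d\-\s]{6,}\d")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def truncate_ip(ip_text):
    """Drop host bits: /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymize(value, key):
    """Keyed HMAC so the same cookie still links within one rotation period,
    but cannot be reversed once the key is discarded."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_query(query):
    return LONG_DIGITS.sub("[redacted-number]", query)


def make_rotation_key():
    """Fresh key per rotation; destroy it after the batch is processed."""
    return secrets.token_bytes(32)


def anonymize_log(text, now, key):
    out = []
    for line in text.splitlines():
        ts_text, ip, cookie, query = line.split(" ", 3)
        if now - parse_ts(ts_text) < RETENTION:
            out.append(line)  # still inside the retention window
            continue
        out.append(" ".join([
            ts_text[:10],               # coarsen to the calendar day
            truncate_ip(ip),
            pseudonymize(cookie, key),
            scrub_query(query),
        ]))
    return out


def anonymize_sample(now_text="2008-12-17T00:00:00Z", key=b"constructed-key"):
    """Convenience wrapper over the constructed sample log."""
    return anonymize_log(SAMPLE_LOG, parse_ts(now_text), key)


if __name__ == "__main__":
    for line in anonymize_sample(key=make_rotation_key()):
        print(line)
```

The cookie pseudonym is the part to treat with care: a keyed hash is only an anonymization step if the key is discarded after each rotation, otherwise whoever holds the key can still re-identify the cookie. The digit scrub is a heuristic and does not address the AOL-style problem of queries that identify a person in plain words, which is why the recommendations also call for aggregation and deletion rather than obfuscation alone.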
OSPs can face many other legal issues beyond user privacy, from DMCA takedown requests to defamation claims to issues with adult materials. While these are outside the scope of the OSP Best Practices paper, EFF recommends that OSPs review the EFF Bootcamp materials, which provide the basics on a number of key legal issues for Web 2.0 companies. We also recommend reading EFF's Legal Guide for Bloggers, which provides a basic roadmap to the legal issues one may confront as an online publisher.

