Internet privacy relies heavily on the ability of tech companies to hide user content—such as your emails and bank information—behind a secure wall. But the Department of Justice is waging an unprecedented battle in court to win the power to seize the keys of US companies whenever the US government wants. Edward Snowden has shown that the government is already doing a great job at getting companies to hand over information, breaking down weak doors, and scooping up unlocked material. But if the Justice Department succeeds in this case, it will be far easier for it to do so, and—poof!—there will no longer be any guarantee of internet privacy.
The case started this summer, when Lavabit—an alternative email provider that promised highly secure email—was handed a subpoena by the Department of Justice. The subpoena required that Lavabit supply the billing and subscriber information for one of its users, widely believed to be Edward Snowden. Lavabit supplied this information. Then, the government asked to install a device on Lavabit's servers that would allow it to monitor all of the metadata (time and email addresses) of the individual's account. But Lavabit encrypted all of this information, and the only way for the government to view it was to use Lavabit's private keys to break the encryption. Those keys weren't set up to access an individual account. Instead, they broke the encryption of 400,000 Lavabit email users and would allow the government to rifle through all of that content.
Lavabit offered to record the individual's information that the government requested and hand it over on a regular basis, for a fee of at least $2,000—but it refused to give up its keys. As Ladar Levison, Lavabit's 32-year-old founder, told Mother Jones in August,"What I'm against, at least on a philosophical level…is the bulk collection of information, or the violation of the privacy of an entire user base just to conduct the investigation into a handful of individuals."
The government obtained a warrant demanding that Lavabit give up the keys anyway. When the company refused (at one point, Levison turned over the keys in 11 pages of 4-point type that no one could read) it was held in contempt of court and slapped with a $5,000-a-day fine. The government prosecutor in that closed-door hearing argued that "there's no agents looking through the 400,000 other bits of information, customers, whatever…No one looks at that, no one stores it, no one has access to it." The judge presiding over the case said that sounded "reasonable."
Lavabit handed over the keys right before shutting down the entire company. On October 10, it filed its appeal of the contempt charge in the US Court of Appeals for the 4th Circuit, in a case that civil liberties groups say is the first of its kind. (A Justice Department spokesman says it does not comment on pending litigation. The department is scheduled to file a brief in response to Lavabit by November 12.)
Karl Manheim, a professor at the Loyola Law School in Los Angeles, says that that the government's demand for Lavabit's encryption keys appears "unconstitutional." The same argument is being made by the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union, both of which filed amicus briefs in the case last week. "This case could set a very dangerous precedent," says Brian Hauss, a legal fellow for the ACLU. "The government regularly reminds us how important cybersecurity is right now [in relation to protecting water plants and electrical grids from hackers, for example], so for them to say that and then execute these legal orders that undermine a critical layer of that security, is somewhat paradoxical."
Here's how that critical layer of security works: Any tech company that gives a damn about privacy and security employs Secure Sockets Layer (SSL) encryption, which protects communications from being intercepted by third parties. Companies use different length "keys" to protect their encryption. It can take a lot of time, money, and expertise to crack a company's private encryption keys, but if the company just hands them to you, it's possible to read most anything on its website, including message content. "You can also decrypt the information months or years after the fact," notes Matthew Green, a professor at John Hopkins University and an encryption expert. With Lavabit's key, the US government could read any email in a Lavabit user's inbox. "Once this precedent is set, what stops them from doing this to other companies? How far can this go?" asks Green.
Snowden has maintained that the NSA can break many keys and has exploited a backdoor to Google's and Yahoo's encryption layer—gaining access to the messages and content that flow through these firms without needing any keys. The government has also reportedly asked big tech companies for their master keys, but Google and Microsoft insist they have not provided them. So internet privacy may already be undermined by NSA activity. Yet Hauss argues that if the Justice Department gets its way in court, it will be "much easier" for the NSA to engage in privacy-busting operations because the agency will "just get the key from the company." Hauss adds, "On top of that, it would give [the NSA] more legal backing and make it easier for tech companies to be complicit in these surveillance schemes."
EFF contends that the Justice Department's demand is a violation of the Fourth Amendment. It notes that it is certainly appropriate for the government to demand specific information from an internet service provider as it relates to a warrant, but obtaining the keys would provide the government access to "thousands or perhaps millions of customers who aren't the target of any criminal investigation." In its brief, the ACLU calls the request "unduly burdensome," arguing that a company shouldn't have to blow up its entire business to comply with a government request.
If Lavabit loses its case, it will have the option of petitioning the Supreme Court. Should Lavabit not triumph in the end, tech companies will have to find a new way to protect information on the internet. And they're already looking ahead. Google has started using what's called "Perfect Forward Secrecy" on most of its communications. This system generates new keys each time someone logs in, so there isn't one master key to break all the communications. And Lavabit is working on a project called the Dark Mail Alliance with another secure provider, Silent Circle, which followed Lavabit's lead and shuttered its email service in August in an effort to resist the NSA. The new service will not rely on a master key and aims to make it impossible for the NSA to obtain even a user's metadata. There's no telling how the US government will respond if Lavabit and Silent Circle succeed in developing this service.
"Everyone was saying we have to abandon all hope. There's nothing we can do to protect ourselves," says Phil Zimmermann, the founder of Silent Circle. But he says that coming up with a new way of keeping email secure could change that. "If you just do it by fighting them in court, you might lose. But if you do it by changing the architecture, well, that gives you a big advantage."
When voters across America hit the polls yesterday, many eyes were on Texas, which has faced recent criticism that its new voter ID law could make it harder for women to vote. But plenty of other states have passed restrictive voter ID laws recently. Legislators claim the laws clamp down on voter fraud—there were only 13 credible cases of in-person voter impersonation between 2000 and 2010—by requiring voters to present various forms of identification. Poor, elderly, and minority voters, along with women, are hit particularly hard by these strict voting requirements, and voters of all stripes were feeling the effects as they tried to vote yesterday.
While some Americans headed to Twitter to express their support for the new voting regulations, others used the medium to complain about not having their votes counted or being forced to jump additional hurdles, such as signing a sworn affidavit. And to underscore the confusion that these laws have wrought across the country, some voters didn't know what kind of identification, if any, they needed. There are also reports of poll workers requiring IDs in states like New York and Iowa, which don't have voter ID laws on the books. Mother Jones is tracking voter complaints across the United States, through both Twitter and organizations that run help lines, to determine which states were having trouble. Here's what we've found:
Texashas one of the strictest voter ID laws in the country, requiring voters to prevent photo identification with a name that "substantially" matches the name on the voter registration list. High-profile Texans, including ex-House Speaker Jim Wright and Democratic state Sen. Wendy Davis, would have been unable to vote under the new law. But thanks to an amendment offered by Davis, voters whose names don't match—particularly women who've taken their husbands name—can sign an affidavit swearing under penalty of perjury that they are who say they are. While plenty of voters questioned why the law was such a big deal and said they had no trouble voting—others complained of having to sign affidavits:
Voted w/ wife, who had to sign affidavit to vote, TX no longer in America! Jim Crow law in TX! @GregAbbott_TX
And other voters were incorrectly denied the right to vote even though they had proper identification. "One Texas voter with a current voter registration card and multiple forms of ID was not allowed to vote because her driver's license was expired and her other state-issued ID card did not reflect her current address," says Stacie B. Royster, a spokesperson for Election Protection, a nonpartisan organization that tracks voter issues.
And Krissi Trumeter, who works for the Texas Observer, tells Mother Jones that her passport was denied despite being an accepted form of ID, and she was told she needed a Texas ID to vote. She says she was eventually allowed to vote after about 30 minutes but believes it may have been counted provisionally.
Virginia held a closely watched gubernatorial election, where Republican Ken Cuccinelli faced off against Democrat Terry McAullife (McAullife won). Although Virginia has passed one of the strictest photo voter ID laws in the country, the law isn't in effect yet, and voters are only required to bring in a nonphoto form of ID, such as a bank statement. Hope Amezquita, a legal staff attorney for the ACLU, tells Mother Jones that she received two reports of Virginians having trouble voting because of the current law, but noted that she anticipated a lot more reports next year, when the new law goes into effect.
Tram Nguyen, co-executive director of the Virginia New Majority, a progressive group, tells Mother Jones that her organization received "a few reports" out of Newport News from people who "believe they were improperly removed from the rolls due the voter purge" and had to cast provisional ballots. According to the Washington Post, more than 38,000 Virginian voters were purged recently from the voter rolls.
Lots of voters tweeted about having to show ID in Virginia —Teri Galvez, who has run for Republican National Committeewoman in DC, quipped that showing ID to vote "makes sense"—but other people said they had trouble casting ballots in Virginia, either because of the law or because of voter roll issues:
@dliebelson she filled out proper paperwork and turned it in. They didn't let her vote today. Said she wasn't on the list.
New Jersey doesn't require that people bring ID to vote unless they didn't provide identification when they registered, or the information they provided could not be verified. This voter says he ran into problems:
@FoxNews Edison NJ refused to let me vote until I showed an ID. They told me it is NJ law that I MUST show ID to vote. Since when?
Gavin Aronsen, a former Mother Jones reporter, had trouble voting because he was asked to produce two forms of ID, contrary to Iowa state law. The poll worker allegedly told Aronsen that even though the state didn't have a voter ID law as of November 5, "there will be [one], soon enough."
Even though New York City Mayor Michael Bloomberg said that New Yorkers had "no excuses" not to vote—and New York doesn't have a voter ID law—some people were scared off by reports of voter ID laws in other states and stayed home:
I wanted to vote but i cant find my passport :( and i lost my driving license :(
In Ohio, voters are required to bring in a nonphoto ID, such as a bank statement or utility bill. But some poll workers seemed to be dishing out provisional ballots or turning away people for not having adequate ID:
Fierce little voting tyrant telling a disabled 80 year old woman she can't vote without a drivers license.
Indiana Indiana also requires that the name on a voter's photo identification substantially match the voter registration. This voter was asked for an ID, but notes that he didn't mind going back home to get it "because having an ID is an important part of voting."
Forgot my ID to vote and the woman talked to me for like 3 mins explaining why I have to have one. Clearly didn't check my party designation
Pennsylvania's strict voter ID law is currently on hold until a pending lawsuit is resolved. But that didn't stop poll workers from allegedly asking voters for ID. Election Protection also reported that it received calls from voters concerned they would be required to show photo ID at the polls.
Voter 99 at my polling place this morning. Was (illegally) asked for ID. Go vote. #BucksVotes
On Thursday, the Senate intelligence committee took a step forward toward officially authorizing some of the National Security Agency's more controversial surveillance practices, which have recently come to light thanks to leaks from former NSA contractor Edward Snowden. The panel passed out of committee a bill allowing broad phone surveillance to continue under the Foreign Intelligence Surveillance Act (FISA). Backed by the committee chair, Sen. Dianne Feinstein (D-Calif.), the FISA Improvements Act leaves untouched the NSA's internet surveillance dragnet, PRISM, and does little to improve oversight of the government's surveillance powers. Feinstein's bill will face off against legislation introduced earlier this week by Rep. James Sensenbrenner (R-Wis.) and Sen. Patrick Leahy (D-Vt.) that would significantly curb the government's ability to sweep up the private information of Americans.
Privacy experts say that the FISA Improvements Act, which passed 11-4, codifies current surveillance practices instead of fixing the law to protect the privacy and civil liberties of Americans: "This was an opportunity for Congress to really recalibrate the statute, and it's very disappointing that they've used this opportunity to cement domestic spying programs instead," says Michelle Richardson, legislative counsel for the ACLU.
The primary focus of the bill is Section 215 of FISA. This is the part of the law that provides the legal justification for the bulk collection of the telephone metadata of Americans, including phone numbers and the date and duration of calls (but not the content of those conversations). While the bill's language amends the statute to prevent the NSA from hoovering up phone metadata en masse, it provides gaping loopholes that could allow the agency to continue with its bulk collection practices as usual, such as if there's a "reasonable articulable suspicion" that an investigation is related to international terrorism. The legislation also makes it legal for the government to collect and search records that are three "hops" from a target who is suspected of terrorism—in other words, a suspect, all of that suspect's contacts, and all of their contacts. The bill makes only surface fixes and "absolutely allows for the kind of collection that is already happening right now," according to Amie Stepanovich, the director of the Electronic Privacy Information Center's (EPIC) Domestic Surveillance Project.
Also worrisome to privacy experts is the fact that the bill expands the NSA's powers, by allowing the agency to track cellphone's of non-Americans believed to be located abroad for 72 hours after they enter the United States. The bill additionally levies a penalty of up to 10 years in prison on anyone who accesses NSA information without authorization, like Snowden did.
"The call-records program is legal and subject to extensive congressional and judicial oversight, and I believe it contributes to our national security," Feinstein said in a statement. "But more can and should be done to increase transparency and build public support for privacy protections in place."
Feinstein's modest reforms include limiting the amount of time the government can store the information it collects to five years, with the approval of the attorney general required to search records that are older than three years. And it requires regular reporting to Congress on all FISA violations. The bill also requires the NSA to disclose to the public annually the number of times the agency searched its telephone metadata database.
Feinstein's surveillance bill will now go head to head with Sensenbrenner and Leahy's legislation. They introduced companion bills in the House and Senate that would end the bulk collection of phone metadata and put strict limits on the section of FISA that has been used to justify PRISM (so that if the online information of an Americans is accidentally collected, it cannot be searched). The USA FREEDOM Act has been referred to committee.
Unlike the bills introduced by Sensenbrenner and Leahy, Feinstein's legislation was only made public after it was passed out of committee. EPIC's Stepanovich notes that the secrecy with the which the Feinstein bill was crafted does not bode well for real reform. "This is the problem with all of these programs," she says. "You don't find out about them until it's far too late, and you have secret collection approved by a secret court, that's now being reformed by a law that's kept secret. It is unclear to what substantive 'improvements' the title [of the bill] refers to."
Datalogix tracks the spending habits of more than 110 million households using sources such as store loyalty cards. It partners with Twitter and Facebook to assess whether groups of users buy the cooking gear or brand of shampoo advertised on their social-media pages. Datalogix doesn't know that a certain Mother Jones journalist bought a quart of Ben & Jerry's Chocolate Therapy after changing her Facebook status back to "single," but it can help determine whether a targeted group of twentysomething professional women who left relationships bought that ice cream.
Opt out? You can do so on the company's website, but the request takes 30 days to process and each household member must opt out separately.
Companies that sell similar info: Acxiom, Epsilon, BlueKai, V12 Group
TLO, a "background research" company, uses technology that scans and reads license plates collected by cameras mounted on parking garages, roads, and bridges from coast to coast. The company claims to have collated more than 1 billion time-stamped reports containing photographs and specific locations of vehicles, which TLO markets to law enforcement agencies, law firms, and data brokers.
Opt out? Not unless you can limit your driving to dirt roads.
Companies that sell similar info: MVTRAC, Vigilant Solutions
Cheap credit scores and...Baby Einstein videos?
With credit reports on at least 299 million consumers, Experian doesn't just hold the key to whether you'll get a car loan or home mortgage: It also sells "life-event" data to advertisers, marketing a database that is "updated weekly with the names of expectant parents and families with newborns," and new homeowners, among other information.
Opt out? Experian allows users to opt out online or by phone but notes that "will not eliminate all targeted advertising."
Companies that sell similar info: Equifax, TransUnion
Location is everything
As you surf the web, Neustar uses your computer's IP address to determine your area code, postal code, time zone, whether you're at home or at work, and whether you're using your phone. They then sell this data to companies that point ads at you: "Want to meet singles in Washington, DC?"
Opt out? You can do so on NeuÂstar's site, although you'll have to do it again each time you switch browsers or get a new computer.
Companies that sell similar info: MaxMind, Digital Envoy
Background checks on steroids
You've seen Intelius' ads if you've ever Googled your eighth-grade crush. The company sells data using more than 20 billion records on individuals, including bankruptcies, arrests, and address histories, mostly culled from public records such as driver's license databases and court documents. Intelius also collects relevant content from "blogs or social networking sites."
Opt out? You'll need to send a state-issued ID card or driver's license via fax or US mail, and wait 7 to 14 days.
Companies that sell similar info: Spokeo, PeopleFinders, BeenVerified.com
Tomorrow night, Americans will glue on feathers, douse their faces in fake blood, and scramble to CVS for last-minute costumes to celebrate Halloween. Some costumes will be outrageously creative. Some will be lame. Many will be wildly offensive.
But these aren't the only examples. Right now, Halloween stores are packed with costumes like "Tribal Tease" and "Hey Amigo Mexican," which make light of centuries of genocide, hatred, and discrimination and advance offensive stereotypes. Though the politics of Halloween costumes aren't always obvious—see this debate about whether an advice seeker's roommate is "Japanese" enough to dress as a geisha—The Root points out that there's never an excuse for choosing an ethnically inspired Halloween costume (or dressing up as Hitler or a Nazi). So without further ado, here's a helpful guide to help you figure out whether your Halloween costume is racist, sexist, fascist, or xenophobic. And if it is, take it off.