Posts from — February 2008

San Francisco - A federal district court judge in San Francisco today rescinded a controversial order that disabled the “wikileaks.org” domain name which had — until two weeks ago — pointed to Wikileaks, a website designed to give whistleblowers a forum for posting materials of public concern.

This week, the Electronic Frontier Foundation (EFF) moved to intervene in the case, along with the American Civil Liberties Union (ACLU), and the American Civil Liberties Union Foundation of Northern California and the Project on Government Oversight (POGO). In a hearing in federal court today, EFF and its fellow intervenors and amici argued that the order infringed on the First Amendment rights of Internet users who have an interest in accessing material of public concern on the site. Ruling from the bench, Judge Jeffrey White cited concerns about the First Amendment, the effectiveness of disabling the wikileaks.org domain name, and the court’s own jurisdiction over the case as reasons to dissolve his previous orders.

“We’re very pleased that Judge White recognized the serious constitutional concerns raised by his earlier orders,” said EFF Senior Staff Attorney Matt Zimmerman. “Attempting to interfere with the operation of an entire website because you have a dispute over some of its content is never the right approach. Disabling access to an Internet domain in an effort to prevent the world from accessing a handful of widely-discussed documents is not only unconstitutional — it simply won’t work.”

Wikileaks permits third parties to post corporate and government documents that they believe expose wrongdoing. For example, in the past year individuals have posted materials documenting alleged human rights abuses in China and political corruption in Kenya.

The lawsuit began earlier this month, when Swiss bank Julius Baer filed suit against Wikileaks for hosting allegedly leaked documents regarding personal banking transactions of Julius Baer customers. Also sued was Wikileaks’ domain name registrar, Dynadot LLC. On February 15, following a stipulation between Julius Baer and Dynadot, the court issued a permanent injunction, disabling the wikileaks.org domain name and preventing that domain name from being transferred to any other registrar.

In addition to dissolving the permanent injunction, which permits the wikileaks.org domain name to be reactivated, the court also declined to extend a previous temporary restraining order requiring Wikileaks to disable access to 14 disputed Julius Baer documents.

Joining the EFF, ACLU, and POGO motion to intervene was Wikileaks user Jordan McCorkle. The papers were filed in consultation with and on behalf of the intervenors by Steven Mayer of the law firm of Howard Rice Nemerovski Canady Falk & Rabkin. Other attorneys on the case include Christopher Kao and Shaudy Danaye-Elmi of Howard Rice; Zimmerman, Cindy Cohn, and Kurt Opsahl of EFF; and Aden Fine and Ann Brick of the ACLU and ACLU-Northern California, respectively.

For the full order:
http://www.eff.org/files/filenode/baer_v_wikileaks/wikileaks102.pdf

For more on the Wikileaks case:
http://www.eff.org/cases/bank-julius-baer-co-v-wikileaks

Contact:

Matt Zimmerman
Senior Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

San Francisco - The Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU), and the American Civil Liberties Union Foundation of Northern California (ACLU-Northern California) Tuesday filed a motion to intervene in a lawsuit where a federal judge ordered the disabling of one of the domain names associated with “Wikileaks,” a website designed to give whistleblowers a forum for posting materials of public concern.

In early February, Swiss bank Julius Baer filed suit in federal district court against Wikileaks for hosting 14 allegedly leaked documents regarding personal banking transactions of Julius Baer customers. Also sued was Wikileaks’ domain name registrar, Dynadot LLC. On February 15, following a stipulation between Julius Baer and Dynadot, the court issued a permanent injunction, disabling the wikileaks.org domain name and preventing that domain name from being transferred to any other registrar.

“Dynadot’s private agreement to disable access to its customer’s domain name — and the court’s endorsement of that agreement — raise serious First Amendment concerns,” EFF Senior Staff Attorney Matt Zimmerman. “This unwarranted injunction should remind everyone who hosts critical information on the Web that such information may only remain accessible as long as your service provider or registrar is willing to stand up for you against obviously overreaching legal attacks.”

Wikileaks permits third parties to post corporate and government documents that they believe expose wrongdoing. For example, in the past year individuals have posted materials documenting alleged human rights abuses in China and political corruption in Kenya. The court’s order effectively prevents readers who are only familiar with Wikileaks through the wikileaks.org domain name from accessing any material on the site.

“Julius Baer’s private dispute regarding a former employee’s alleged violation of a confidentiality agreement does not warrant this attempt to block access to all material hosted on Wikileaks,” said Zimmerman. “The First Amendment rights of readers who have a legitimate interest in the materials posted on the website simply cannot be treated as acceptable collateral damage to the bank’s claims.”

In the papers filed Tuesday, the intervenors — including the EFF, the ACLU, the Project on Government Oversight (POGO), and Wikileaks user Jordan McCorkle — asked the court for permission to intervene in order to dissolve the injunction disabling the wikileaks.org domain name. The papers were filed in consultation with and on behalf of the intervenors by Steven Mayer of the law firm of Howard Rice Nemerovski Canady Falk & Rabkin. Other attorneys on the case include Christopher Kao and Shaudy Danaye-Elmi of Howard Rice; Zimmerman, Cindy Cohn, and Kurt Opsahl of EFF; and Aden Fine and Ann Brick of the ACLU and ACLU-Northern California, respectively.

At 9:00 a.m. on Friday, February 29, a federal judge in San Francisco will hear arguments regarding a related issue: whether to extend a temporary restraining order aimed at preventing the further distribution of the 14 disputed Julius Baer documents. A hearing to address Tuesday’s motion to intervene and subsequent motion to dissolve the domain name permanent injunction has not yet been scheduled.

For information regarding the February 29 hearing, please contact press@eff.org.

For the full motion to intervene:
http://www.eff.org/files/filenode/baer_v_wikileaks/motiontointervene.pdf

For more on this case:
http://www.eff.org/cases/bank-julius-baer-co-v-wikileaks

Contact:

Matt Zimmerman
Senior Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

Washington, D.C. - The Electronic Frontier Foundation (EFF) filed suit against the Department of Justice (DOJ) today, demanding information about communications between the DOJ’s former top privacy official and Google, the official’s current employer.

Jane C. Horvath was named the DOJ’s first Chief Privacy and Civil Liberties Officer in February of 2006. At that time, Google was fighting a massive DOJ subpoena asking for the text of every query entered into the search engine over a one-week period. The DOJ request — part of a court battle over the constitutionality of a law regulating adult materials on the Internet — ignited a national debate about Internet privacy.

The DOJ later scaled back its request, and a judge eventually allowed access to only 5000 random Google search queries. In a subsequent news article, Horvath was publicly critical of the DOJ’s initial subpoena, saying she had privacy concerns about the massive request for information. Horvath’s new job as Google’s Senior Privacy Counsel was announced in August of 2007.

EFF asked the DOJ for information about communications between Horvath and Google with a Freedom of Information Act (FOIA) request as Horvath prepared to leave the agency, but the DOJ has not responded to the request more than six months after it was submitted.

“Google has an unprecedented ability to collect and retain very personal information about millions of Americans, and the DOJ and other law enforcement agencies have developed a huge appetite for that information,” said EFF Senior Counsel David Sobel. “We want to know what discussions DOJ’s top privacy lawyer had with Google before leaving her government position to join the company.”

EFF’s suit demands records of all correspondence, email, or other communications between Horvath and Google, and asks the court to order the DOJ to immediately process the documents for release.

This FOIA lawsuit is part of EFF’s FLAG Project, which uses FOIA requests and litigation to expose the government’s expanding use of technologies to invade privacy. Previous EFF FOIA requests have uncovered misuse of National Security Letters (NSLs) by the FBI, as well as improper FBI access to email from an entire computer network.

For the full complaint against the DOJ:
http://www.eff.org/files/filenode/doj_google/foia_complaint_filed.pdf

For more on EFF’s FLAG Project:
http://www.eff.org/issues/foia

Contact:

David Sobel
Senior Counsel
Electronic Frontier Foundation
sobel@eff.org

Calls to put the DNA of every UK resident on a national database are impractical, the government has said. A…

A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored…

The European Commission has sketched out guidelines designed to help get RFID (radio frequency identification) technologies up and running in…

San Francisco - A team including the Electronic Frontier Foundation (EFF), Princeton University, and other researchers have found a major security flaw in several popular disk encryption technologies that leaves encrypted data vulnerable to attack and exposure.

“People trust encryption to protect sensitive data when their computer is out of their immediate control,” said EFF Staff Technologist Seth Schoen, a member of the research team. “But this new class of vulnerabilities shows it is not a sure thing. Whether your laptop is stolen, or you simply lose track of it for a few minutes at airport security, the information inside can still be read by a clever attacker.”

The researchers cracked several widely used disk encryption technologies, including Microsoft’s BitLocker, Apple’s FileVault, TrueCrypt, and dm-crypt. These “secure” disk encryption systems are supposed to protect sensitive information if a computer is stolen or otherwise accessed. However, in a paper and video published on the Internet today, the researchers show that data is vulnerable because encryption keys and passwords stored in a computer’s temporary memory — or RAM — do not disappear immediately after losing power.

“These types of attacks were often thought to be in the realm of the NSA,” said Jacob Appelbaum, an independent computer security researcher and member of the research team. “But we discovered that on most computers, even without power applied for several seconds, data stored in RAM seemed to remain when power was reapplied, We then wrote programs to collect the contents of memory after the computers were rebooted.”

Laptops are particularly vulnerable to this attack, especially when they are turned on but locked, or in a “sleep” or “hibernation” mode entered when the laptop’s cover is shut. Even though the machines require a password to unlock the screen, the encryption keys are already located in the RAM, which provides an opportunity for attackers with malicious intent.

The research released today shows that these attacks are likely to be effective against many other disk encryption systems because these technologies have many architectural features in common. Servers with encrypted hard drives are also vulnerable.

“We’ve broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers,” said J. Alex Halderman, a Ph.D. candidate in Princeton’s computer science department. “Unlike many security problems, this isn’t a minor flaw; it is a fundamental limitation in the way these systems were designed.”

In addition to Schoen, Appelbaum, and Halderman, the research team included William Paul of Wind River Systems, and Princeton graduate students Nadia Heninger, William Clarkson, Joseph Calandrino, Ariel Feldman as well as Princeton Professor Edward Felten, the director of the Center for Information Technology Policy and a member of EFF’s Board of Directors.

The researchers have submitted the paper for publication and it is currently undergoing review. In the meantime, the researchers have contacted the developers of BitLocker, which is included in some versions of Windows Vista, Apple’s FileVault, and the open source TrueCrypt and dm-crypt products, to make them aware of the vulnerability. One effective countermeasure is to turn a computer off entirely, though in some cases even this does not provide protection.

For the full paper “Lest We Remember: Cold Boot Attacks on Encryption Keys,” a demonstration video, and other background information:
http://citp.princeton.edu/memory/

Contacts:

Seth Schoen
Staff Technologist
Electronic Frontier Foundation
seth@eff.org

Jacob Appelbaum
Computer Security Researcher
jacob@appelbaum.net

J. Alex Halderman
Princeton University
jhalderm@cs.princeton.edu

For weeks, the House has been deliberating on its FISA bill. Key leaders appear to have taken a stand against telecom immunity in this last, crucial week. Show your support for the House to keep telecom immunity out of the final bill!

On February 12, the Senate passed a terrible surveillance bill granting immunity to lawbreaking telecoms, putting the House and Senate at the brink of a face-off. Show your support for the House to keep telecom immunity out of the final bill!

Encourage the Senate to take up the Patent Reform Act of 2007 and improve the state of invention and innovation in America!