Briefing for Jacob Appelbaum Speaker for WikiLeaks, Member of Tor, and Independent Hacker 28 October 2012 Prepared By Kristen Faulkner | Nolan Kamitaki | Chandan Lodha | Tommy Mullaney | Amy Robinson - 1 - Brief Summary of the Issue Congress is debating a bill requiring all instant messaging (through all kinds of electronic devices) and chat programs to include a mechanism whereby law enforcement authorities can monitor and record the interchange of messages passed through those programs. The bill does not specify whether such monitoring requires a court order, a warrant, or neither. Brief Reaction to the Issue In line with your previous positions, you must 1) oppose this bill; 2) advocate for the repeal of all current wiretapping laws; and 3) encourage individuals to use systems (such as Tor) that enable online anonymity. The Right Approach This bill is a blatant government infringement on individual’s privacy. Therefore, opposing it is critical. However, that is not enough. You must stop the government’s momentum of overstepping privacy rights gained by recent wiretapping laws. To do this you must oppose all current wiretapping laws, with a specific eye toward the ECPA and CALEA, and advocate for their repeal. While repealing all past laws concerning wiretapping may not be feasible, your high profile stand is of the utmost importance in curbing dangerous anti-privacy momentum. In the meantime, you must encourage individuals to use systems like Tor that enable online anonymity and empower citizens to take privacy matters into their own hands and sidestep government over-regulation. Examining the bill with respect to constitutional rights, its infeasibility, society’s best interest, and individuals’ best interests, further supports the proposed approach. Justification for the Right Approach - 2 - A. The legal history Previous rulings have extended the government’s hand in overseeing private communications. Due to the unforeseen increase in digital and electronic communications the Electronic Communications Privacy Act (ECPA) was enacted in 1986 to update the Federal Wiretap Act of 1968.1 The ECPA was an attempt to protect communications (emails, telephone conversations, and data stored electronically) from being intercepted while in transit. It also provided procedures for government officials to obtain warrants to intercept communications. In 1994, the Communication Assistance for Law Enforcement Act (CALEA) significantly amended the ECPA by enabling officials to tap content of new digital technologies. The legislation was extended once more in 2004 when the FCC extended CALEA to apply to broadband networks.2 Legislation has become more and more invasive with respect to privacy, in turn opening gateways for government abuse. The Bush administration admitted to abusing the system by performing warrantless domestic wiretapping.3 This type of abuse is a direct violation of the Fourth Amendment, which protects individuals from warrantless searches, and encroaches on the First Amendment’s freedom of speech. The implementation of the proposed bill would only make such constitutional rights easier to breach. This encroaching momentum of the government is exactly why you must advocate the repeal of all current and invasive wiretapping laws. Rather than implementing systems of scrutiny on its citizens, the government should restore basic, fundamental rights, such as the right to privacy. B. The proposed law is infeasible 1 <http://www.it.ojp.gov/default.aspx?area=privacy&page=1285> 2 CNET News McCullagh, Declan. “FBI: We Need Wiretap-ready Web Sites - Now.” . CBS Interactive, 04 May 2012. Web. 21 Oct. 2012. <http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/> 3 <http://www.washingtonpost.com/wp-dyn/content/article/2007/05/15/AR2007051500999.html> - 3 - The proposed legislation simply will not work. First, the law would be a regulatory disaster, requiring vast resources for futile attempts to prevent the unpreventable. Second, the law would in fact be self-contradicting as it would legally require the addition of large-scale vulnerabilities into instant messaging and chat software. The proposed legislation would be a regulatory disaster for three reasons: 1) it will not prevent the creation of chat sites that do not conform to the wiretapping mechanism requirement; 2) it will crowd out legitimate uses of anonymous communication so that only more nefarious options will exist; and 3) it deals with multinational cyber issues where the United States has a poor track record. First, it is practically guaranteed that the enactment of this bill will cause non-compliant chat programs to pop up all over the place. For example, when the music industry and Digital Rights Management created laws to crack down on copyright-infringing file sharing, a staggering abundance of sites were created as direct violations. The NPD Group, a North American market research company, found that “only 37 percent of music acquired by U.S. consumers in 2009 was paid for.”4 As we can see from the preponderance of illegal music downloading sites, general software piracy sites, and pornography sites, the realm of cyberspace simply cannot be regulated to the degree necessary for enforcing this legislation, and regulation may even exacerbate the situation. Moreover, trying to enforce the proposed legislation will only serve to prevent and crowd out legitimate uses of anonymous communication (like reporting human rights violations from “danger zones”5) by law-abiding citizens. Citizens less inclined to follow the law -- presumably citizens also less likely to use anonymous communication for legitimate purposes -- will be the ones who end up with the ability to communicate anonymously through the illegal services that will inevitably arise. 4 “FAQ,” Recording Industry Association of America, accessed 26 Oct. 2012. <http://www.riaa.com/faq.php> 5 “Users of Tor,” Tor Project, accessed 26 Oct. 2012. <https://www.torproject.org/about/torusers.html.en> - 4 - Finally, even if we assume that government officials can ensure that wiretapping mechanisms are installed in all chat software, the use of this wiretapping capability will be dubious given the often international nature of Internet chat traffic. The United States is historically ineffective when it comes to complying with international law and cyber “crime.” One particularly recent example is the American government’s handling of the Kim Dotcom MegaUpload illegal file-sharing case. In this case, the source of the debacle was the excessively-vague warrant used by American authorities to raid Dotcom’s New Zealand residence, a warrant subsequently found “invalid” by New Zealand High Court Judge Helen Winkelmann.6 The bottom line is that foreign laws on search and seizure may not line up one-for-one with American laws, and given the often international nature of online chat programs, it is far from clear how effectively the new wiretapping capabilities of the proposed law would be used. On top of the fact that the proposed law would not work, the law itself is contradictory: in the name of “security,” it requires the insertion of vulnerabilities into secure software, and these vulnerabilities could be exploited either by outside hackers or by the chat software developers themselves. Requiring all chat and instant messaging programs to include backdoors and vulnerabilities enabling government officials to monitor conversations is tantamount to inviting hackers to participate in the conversation. We would essentially be slapping a bright, “U.S. Government” target on every legal chat program, identifying it as inherently vulnerable to attack. And as we know from Wikileaks, the U.S. government is not particularly good at protecting its “secret” intelligence.7, 8 Moreover, consider a scenario where Company X implements the 6 Ars Technica “Mega-victory: Kim Dotcom search warrants ‘invalid,’ mansion raid ‘illegal,’” , June 28, 2012. Accessed 26 Oct. 2012. <http://arstechnica.com/tech-policy/2012/06/mega-victory-kim-dotcom-search-warrants-invalid-mansion- raid-illegal/> 7 “WikiLeaks.” <http://wikileaks.org/> 8 International Federation of Library Associates and “What is the effect of WikiLeaks for Freedom of Information?” Institutions. <http://www.ifla.org/publications/what-is-the-effect-of-wikileaks-for-freedom-of-information> - 5 - government-mandated wiretapping backdoor into its public chat software; what is to stop Company X from monitoring what or whom government officials monitor? This would undermine any covert intelligence obtained under the proposed law because unscrupulous companies and developers could monitor who the FBI, for instance, is watching. Between hackers and developers, this contradictory law -- intended to combat threats to national security -- would create software vulnerabilities that are threats to national security. C. The Right Approach with respect to individual rights Online anonymity is critical for all individuals. People from all professions rely on online anonymity today. Wiretapping laws would effectively eliminate the possibility of online anonymity and impair many individual’s Internet uses.9 Perhaps most important, everyday normal citizens use online anonymity for a variety of reasons. Individuals use anonymity to protect themselves from identity theft, protect their communications, protect their children, and research sensitive topics. People who do not want Internet Service Providers (ISPs) selling their private browsing records, who do not want their IP