Why I’m So Persistently Intrigued by Blockchain

After I changed jobs last September, I stopped doing a lot of digital activism. The break has been great, honestly. It’s hard to fight on NSA surveillance abuses, crackdowns on whistleblowers, and free speech violations for literally years at a time. It was in many ways easier to focus on strategy and the day-to-day challenges of keeping smart people happy in their jobs, coordinated in their work, and highly productive.

The one program area I kept in my docket was blockchain. I’ve published a bunch of different blog posts in the last few months exploring the collision of free expression and blockchain regulations:

Could Regulatory Backlash Entrench Facebook’s New Cryptocurrency Libra?

EFF and Open Rights Group Defend the Right to Publish Open Source Software to the UK Government

Why Outlawing Cryptocurrency Purchases by Americans is a Terrible Idea

Coin Center’s Report Explores Privacy Coins, Decentralized Exchanges, and the First Amendment

SEC’s Action Against Decentralized Exchange Raises Constitutional Questions

I also want to share a bit about why I’m interested in this issue, since my parents find it baffling.

My first job in consumer advocacy was at a scrappy but principled nonprofit called the Privacy Rights Clearinghouse. In addition to writing consumer guides about protecting privacy and cataloguing data breaches by companies, we’d get questions from consumers who were struggling with privacy issues. People could literally call us up on the phone and say, “I’m having this horrible privacy problem, do you have any suggestions?” We’d point them to our guides, or to other nonprofits working in the space, or sometimes we’d explain how to file a complaint with the appropriate regulatory agency. A lot of the time, we’d just tell them how to find an attorney, or ask them if they’d be interested in talking to the press.

I remember one individual I spoke to called me after his PayPal account had been frozen, and he hadn’t been able to access the funds he had in there. I did some research at the time, and found scores of other consumers complaining about the same thing. That was the first in a long line of consumer complaints I heard about banks and PayPal, and most often accounts were frozen due to some sort of identity or privacy issues. The message from PayPal was, give us more of your personal data and we’ll let you have your money back. It had this vague feeling of privacy blackmail, not least because PayPal was happy to let people set up accounts and use the service for a while before demanding more identification.

And then one of my projects, the Chelsea Manning Support Network, had our PayPal account frozen. I had channels to PayPal so I felt fairly confident we’d get it resolved, but multiple conference calls with representatives of PayPal didn’t get us anywhere. PayPal was pretty vague about its reasoning for freezing our accounts, but at least one person I spoke with mentioned Know Your Customer requirements. The Network had been using PayPal to process donations from the beginning, so why freeze the account then? And while most of our donations weren’t processed through PayPal, almost all of our international donors used PayPal. We’d be cutting off basically all our international supporters.

Plus, I worried that PayPal was just the beginning. If it’s PayPal this week, what’s to stop Visa and MasterCard from shutting us down next week?

I think a lot lately about the costs of opposing the government. Chelsea Manning is the obvious example but there are many others. Covering the costs of her initial trial was an enormous, multi-year fundraising endeavor. Adding in the cost of her appeal? It was impossible to raise that much money, especially when she wasn’t in the news as much. And now she’s facing contempt of court charges with hundreds of thousands of dollars in fines unless she’s willing to testify against WikiLeaks. I have no idea how the community will be able to raise that much money.

And she’s far from the only one. There are several handfuls of whistleblowers I know now who not only suffered in their careers and had their names dragged through the mud for trying to oppose government abuses of power, but who also had to shoulder years of costly court battles.

The Chelsea Manning Support Network was good at getting in the news, and so that’s what we did. We put out a press release, several reporters snagged the story, and PayPal started getting called for quotes. Within a day, PayPal had unfrozen (thawed?) our account and full functionality was restored. We never did give them any additional access to our accounts or more data on us. It was just public pressure.

But most people who have an account frozen with PayPal can’t put out a press release and get a bunch of news coverage.

After that, I paid attention to stories of people who had bank accounts closed or frozen, or who weren’t allowed to open accounts at all. I documented some of those for EFF, and others I just took notes on with a vague sense that one day I might have time to write a longer research paper on the issue. I also got more interested in blockchain.

There are a lot of things blockchain is not good for. Critics are constantly pointing out all the ways blockchain sucks at doing various things—which is true, it’s remarkably inefficient for a lot of stuff. But it’s permissionless and it’s hard to censor, which means the base technology (if not the many applications on top of it) doesn’t have the PayPal problem.

And the more I got interested in blockchain issues, the more I started recognizing a lot of other digital rights issues. Just like the Clinton Administration tried to ban encryption, there are regulators today toying with whether to ban publications of open source software in an attempt to stop blockchain innovation. Some regulators are scared of privacy coins (digital tokens that have a lot of the privacy-preserving attributes we already have with cash), while others are trying to impose Know Your Customer standards on blockchain projects.

All of which has made me think more about our financial institutions, about the policies companies like Visa and PayPal get to set and the long term implications for the rest of us.

I have increasingly thought that we need a fundamental shift in the power imbalances of our financial institutions. I’ve wondered about a regulatory response, and in some ways I think that’s the purest and simplest solution: everyone should have a legal right to a bank account; transactions shouldn’t be censored by a payment provider any more than the water company should deny water to people it doesn’t like; we need reform of the credit reporting system so people can bounce back from histories of bad credit more quickly; and we’d need real privacy around our financial transactions, because they’re incredibly sensitive and revealing. That includes high standards for when the government wants to snoop through our bank transactions.

But the relationship between the government and the financial institutions that are benefiting from the current system is so cozy, and the literal cost of effectively lobbying in DC is so absurd, that my pragmatic side is skeptical that real legal safeguards will be put into place in my lifetime.

Which is why I always end up mulling on blockchain. Not because it’ll fix everything, but because there’s a sliver of a chance that some version of this technology might be a lever to start righting fundamental injustices in our current financial system.

Image by Pete Linforth from Pixabay

What It Means for Our Movement That the NSA is Halting One of Its Worst Surveillance Practices

NSA’s data center in Utah

The New York Times broke the news Friday that the NSA is ending a surveillance program that has been the subject of years of criticism by civil liberties advocates and members of Congress alike. The news came in waves: a brief snippet from Charlie Savage, then a slightly longer update, then confirmation from the NSA, and then the final version (I assume) from Savage that went up hours after the original. The NSA is promising to end the practice of collecting Americans’ emails and text exchanges with foreigners that mention key identifiers—like email addresses—that aren’t actually directed to or from the targets of NSA surveillance. (For my fellow tech policy nerds, we call this “about” surveillance.)

Not only that, but the NSA promises to “delete the vast majority of its upstream internet data to further protect the privacy of U.S. person communications.”

My colleague Kate has a thorough write-up of how to consider this within the larger context of NSA reforms Congress needs to enact, and everyone should go read it. I’m not here to talk about the legal and technical landscape related to this announcement.

I just want to talk about how awesome this moment is.

Updating the Electronic Communications Privacy Act

Originally published on EFF Deeplinks blog.

Yesterday was a watershed moment in the fight for electronic privacy: the Senate Judiciary Committee overwhelmingly passed an amendment that mandates the government get a probable cause warrant before reading our emails. The battle isn’t over — the reform, championed by Senator Patrick Leahy (D-VT), still needs to pass the rest of the Senate and the House, and be signed by the President to become a law. But yesterday, thanks to thousands of people speaking out, we were able to begin the process of overhauling our archaic privacy laws into alignment with modern technology.

It was a big win for us, even if it was only the first step in the process of reforming privacy law to keep the government out of our inboxes. So we’re dedicating this EFFector to the battle to reform outdated privacy law: what the government can get, what the law ought to be, and what we’re doing to fix the gaping loopholes that leave users vulnerable to government snooping.

The Fourth Amendment and Electronic Privacy

The Fourth Amendment protects us from unreasonable government searches and seizures. In practical terms, this means that law enforcement has to get a warrant — demonstrating to a judge that it has probable cause to believe it will find evidence of a crime — in order to search a place or seize an item. In deciding whether the Fourth Amendment applies, courts always look to see whether people have both a subjective expectation of privacy in the place to be searched, and whether society would recognize that expectation of privacy as reasonable. The Supreme Court made this point clear in a landmark 1967 case, Katz v. United States, when it ruled that a warrantless wiretap of a public payphone violated the Fourth Amendment.

The Third Party Doctrine, or How the Supreme Court Got Us Into This Mess

In 1979, the Supreme Court created a crack in our Fourth Amendment protections. In Smith v. Maryland, the Court ruled that the Fourth Amendment didn’t protect the privacy of the numbers we dialed on our phones because we had voluntarily shared those numbers with the phone company when we dialed them. This principle — known as the Third Party Doctrine — basically suggests that when we share data with a communications service provider like a telephone company or an email provider, we know our data is being handed to someone else and so we can’t reasonably expect it to be private anymore.

The government took this small opening created by Smith v. Maryland and blew it wide open. It argued that this narrow 1979 decision about phone dialing applied to the vast amount of data we now share with online service providers — everything from email to cell phone location records to social media. This is bogus and dangerous. When we hand an email message to Gmail to deliver on our behalf, we do so with an intention that our private communications will be respected and kept in strict confidence, and that no human being or computer will review the message other than the intended recipient. But the government argues that because we handed our communications to a service provider, the Fourth Amendment doesn’t require them to get a warrant before snooping around our inbox.

Luckily, the courts are beginning to agree with us. In a leading case where EFF participated as amicus, United States v. Warshak, the Sixth Circuit Court of Appeals agreed with us that people had a reasonable expectation of privacy in their email, even if it is stored with a service provider, and therefore the government needed a search warrant to access it. And in the recent Supreme Court case, United States v. Jones, Justice Sotomayor said that she thought the Third Party Doctrine was outdated, while she and four other Justices — including Justice Alito — raised concerns about the information gathered by our cellphones.

The Eighties Were Good for a Lot of Things — But Not Sustainable Email Privacy Law

It’s not just the Constitution, however. Congress has made clear that certain forms of data are protected by federal statute as well. Following the Katz decision, Congress passed the Wiretap Act in 1968, supplementing the strong Fourth Amendment privacy protections in phone conversations by enacting a comprehensive set of federal statutes. These statutes were designed to ensure that law enforcement has a compelling reason before intercepting phone calls.

And as electronic communication started to become more prevalent, Congress passed the Electronic Communications Privacy Act (ECPA) in 1986 that somewhat improved the privacy rights around certain electronic communications. But as it reflects the technology of 1986, ECPA has aged poorly. It doesn’t address documents stored in the cloud, information revealing our personal associations, or the vast quantities of location data our mobile devices collect on us every day. And, as a result of loopholes in the law, the Department of Justice, citing ECPA, has argued that it has a right to access emails without a warrant as soon as they are 180 days old, or have been opened and left on the server.

We think that 180-day limit and a distinction between opened and unopened email is arbitrary and wrong. As the Washington Post said in an editorial earlier this week, “If you left a letter on your desk for 180 days, you wouldn’t imagine that the police could then swoop in and read it without your permission, or a judge’s.”

That’s why this week’s vote was so important: it was a critical first step in updating ECPA to evolve with the modern technologies we use today, and to close archaic loopholes that give government too much access with not enough judicial oversight.

What EFF and Activists Like You Are Doing

We’re taking a two-prong approach.

First, we’re fighting for the Fourth Amendment in the courts. We practice impact litigation, taking on clients pro-bono in cases where we believe we can create positive legal precedent around digital privacy and government surveillance. We also submit amicus briefs in cases where we don’t have a direct client, such as in the Warshak and Jones cases noted above. In Warshak we argued that the government could only access emails stored on an ISP with a search warrant, notwithstanding the third party doctrine. And in Jones, we argued the government’s attachment of a GPS tracking device to a car for 28 days was a Fourth Amendment “search,” meaning a warrant was required. The Court agreed with us in both cases, and as a result privacy protections are stronger now than in the past. And we’ve filed many more amicus briefs this past year, arguing for a search warrant requirement in cases involving cell phone location records, GPS devices, and home video surveillance.

Second, we’re creating a movement of engaged Internet users and rallying them to demand the government stay out of our email. Yesterday’s win was a result of the tens of thousands of concerned individuals who signed our petition to Congress calling for ECPA reform and who spoke out in other ways. We’re also teaming up with advocacy groups, web companies, start-ups, and venture capitalists in demanding ECPA reform through the Digital Due Process coalition. And we recently joined other advocacy groups in launching VanishingRights.com.

What aren’t we doing? Compromising. Unfortunately, the pressure in DC inside politics is often to trade off one important right against another. We don’t think that’s EFF’s role. Instead, we’re advocating for what’s best for the Internet and Internet users, and while we are flexible, we aren’t willing to horse trade with your privacy and due process.

Want to read more about ECPA and our work to reform it? Check out these links:

Take action: Don’t let privacy law get stuck in 1986

Attempt to Modernize Digital Privacy Law Passes the Senate Judiciary Committee

ECPA and the Mire of DC Politics: We Shouldn’t Have to Trade Video Privacy to Get Common-Sense Protections of our Email

Don’t be a Petraeus: A Tutorial on Anonymous Email Accounts

Reform to Require Warrant for Private Online Messages Up for Vote, but Down on Privacy

When Will Our Email Betray Us? An Email Privacy Primer in Light of the Petraeus Saga