The USA FREEDOM Act: NSA Data Collection, the Escalation of Encryption, and Curbing the Digital Arms Race
On October 29, 2013, the USA FREEDOM Act was introduced to end the mass gathering of phone record data by the NSA.
H.R.3361/S.1599 is a bipartisan effort authored by Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, and Rep. James Sensenbrenner Jr. (R-Wis.) that seeks to curb the mass targeting of communications by American citizens by clarifying the language in Section 215 of the USA PATRIOT Act.
How does this affect you?
ServInt supports the USA FREEDOM Act because the same limitations that the bill places on the phone surveillance activities of the NSA apply to other forms of communication, specifically Internet traffic. Not only should this bill get the NSA out of your phone calls, it should get them:
• out of your inbox
• out of your search history
• out of your text logs
For this final post on the history of U.S. Internet regulation, we need to look at one of the broadest pieces of cybersecurity policy out there – broad enough to hit just about anybody in the world. The Computer Fraud and Abuse Act (CFAA) of 1984 and its increasingly liberal interpretation have led to a state of affairs in which most U.S. Internet users — you and me included — could be considered felons.
Technology is changing far faster than any government could hope to keep up. One of the many challenges of setting cybersecurity policy is that if you set requirements that are technical in nature into the law, they will be outdated by the time they are passed. The law can’t be prescriptive when it comes to cybersecurity, so it ends up turning to broad generalization.
The Computer Fraud and Abuse Act is one of those laws that succumbs to broad generalization.
At ServInt, we are well into our eleventh year selling the cPanel server control panel. We have been an authorized cPanel Partner NOC since 2003, and believe it to be the best control panel on the market.
I don’t think it’s too much to say that we are also the world’s foremost experts in cPanel.
And now we have distinguished ourselves by being the very first web hosting provider to achieve 100% cPanel certification through cPanel University for our support and sales staff.
I believe so completely in the importance of a quality control panel – and in cPanel specifically – that I trained and passed my cPanel certification as well. It seemed like a natural step to maintain the best perspective on providing services to our customers. I was surprised – and honored – when Aaron Phillips, cPanel’s COO, told me that I am the first C-level exec at any company to get cPanel certified.
In an effort to help old and new customers who would like to learn more about how to use the cPanel/WHM control panel package, we’ve put together a joint webinar with our friends at cPanel: “cPanel 101 – Top Features.” The webinar will begin on Sep. 26th at 1pm EDT. Click here to sign up.
To celebrate our 100% cPanel certification, and to meet more of our customers face-to-face, we’re also sponsoring a booth at this year’s cPanel Conference in New Orleans (September 29th – October 2nd) and offering VIP tickets to the conference for our clients. You can Register FREE using the code ServintVIP2013.
I hope to see you in New Orleans. Look for me at the ServInt booth in the Exhibit Hall or find me after my keynote: “Lessons from 18 years in web hosting.”
Any discussion about PRISM centers around the concept of privacy on the Internet. For my third post on the history of U.S. Internet Legislation, I’ll focus in on the laws that govern our privacy online.
When attempting to ascertain the state of online privacy, there tends to be a lot of talk about law enforcement “abuses.” Having a basic understanding of the laws that serve as the basis for most law enforcement and Intelligence community programs that target online activity can help us determine how, and whether, things need to change.
Let’s start our brief look at those laws by imagining that I’m a U.S. Federal officer and you are an American citizen, and my goal is to go through your underwear drawer to look for suspicious activity. To do that I need a search warrant, signed off by a judge, and generally to get that I need probable cause. The Fourth Amendment to the United States Constitution, which prevents unreasonable search and seizure, requires that. The Electronic Communications Privacy Act was written to codify that these Fourth Amendment rights also exist online. However, certain laws carve out exceptions to the warrant requirement under specific conditions.
Discussion of our privacy rights online centers around what the government has and doesn’t have the right to do with our online data. In the wake of PRISM I want to define two categories through which we can explore those legal rights:
- Surveillance that is made possible by the acquisition of a search warrant by law enforcement
- Surveillance that is made possible through an exception to the warrant requirement
Below are a few common legislative acts (not an exhaustive list) that empower law enforcement to get data they seek online.
With the U.S. government’s PRISM program, there has been a lot of talk recently about what the government can and will do with Internet communications. What the government can do is limited by the protections granted under various laws governing the Internet. Some of the most important laws governing protections on the Internet are nearly 20 years old and – when written – were ancillary to much broader legislation.
In 1996, when the Internet was full of promise but of questionable scope, two pieces of United States legislation were passed that helped form the basis of the commercial Internet:
Section 230 of the Communications Decency Act (CDA 230)
The Safe Harbor provisions of the Digital Millennium Copyright Act (DMCA Safe Harbor).
As the Chief Operating Officer of a web hosting company, I take a lot of pride in the work we do. Companies like ServInt are building tools for people who are using the power of the Internet to change the world. Without the protections we receive from laws like CDA 230 and DMCA Safe Harbor, this innovation would not be possible. These two laws are the pillars that hold up the U.S. commercial Internet.
Many of you know that ServInt is deeply involved in the fight for intelligent Internet legislation, through my part-time leadership role at the Internet Infrastructure Coalition. I took on that role for two main reasons: one, I care about the Internet. I believe the internet is fueling a global explosion of empowerment that will ultimately prove more lasting and more significant than the industrial revolution, and I want to do my part to make sure it all unfolds freely and fairly for everybody. Following from that, the second reason is that I care about making sure that as the internet grows, the rights of individuals and small businesses — i.e., the core of ServInt’s customer base — are never left behind. So when I represent the hosting industry in discussions about Internet governance, I’m also making sure that your voice is heard, loud and clear.
Making sure your voice is heard is why I’m here in Durban, South Africa, at ICANN 47 — the conference that sets policies and standards and manages open debate for assigned Internet names and numbers.
Those of you who are familiar with ICANN may be thinking: “hold on, those guys aren’t really concerned with hosting and data centers!” But the truth is that ICANN’s impact on the hosting industry — and the integrity of your businesses — could be huge. Here’s how:
Right now, ICANN is working on a number of things related to domain names that greatly affect hosting providers, like rebooting WHOIS and working on DNSSEC. They’re also launching a new generic top level domain (gTLD) system, which could create the biggest new pool of ‘digital real estate’ in the history of the commercial Internet — and they’re working hard to make sure that while doing all this, the Internet and your online business stay stable and secure throughout the process.
Lastly, and perhaps most urgently, ICANN is dealing with how the internet industry will interface with international law enforcement when information requests are filed. Clearly, these are all very important discussions for companies like ServInt, because businesses like yours could be directly affected by these changes.
So what am I doing to help?
To be honest, though I was asked here to speak on behalf of the i2Coalition, I’m spending a lot of my time meeting people and pressing our industry’s case for greater inclusion in the ICANN decision-making process. Your rights — as well as the reliability and affordability of the infrastructure that hosts your online business — need to be protected. The big copyright holders are here already, and they’ve got a seat at the table. Policy makers from developing nations who want to transition control of the internet to a multinational organization like the ITU are here, and they’ve got a seat at the table. We don’t, and I’m here to change that.
The good news is, folks are generally receptive. Most ICANN attendees I talk to aren’t asking “what are you doing here,” they’re asking “what took you so long?” We might have started down this road sooner if we’d known how urgent the mission for ICANN inclusion would eventually be. But we’re here now, and though it may take a while (“multi-stakeholder” organizations like ICANN move verrrrrry slowwwwly), I am hopeful.
Any discussion of U.S. government laws relating to the Internet and programs like PRISM inevitably begins all the way back in 1986 with the passage of the Electronic Communications Privacy Act. Written before the birth of the modern Internet, ECPA is a key law that enables law enforcement to have access to data while protecting the privacy rights of citizens. ECPA is not a scary law that steals people’s Internet freedom. ECPA is simply an outdated attempt to preserve freedom in the digital arena.
What it is:
At its heart, ECPA is an attempt to try to define the scope of the Fourth Amendment (the part of the Bill of Rights which guards against unreasonable search and seizure, along with requiring any warrant to be judicially sanctioned and supported by probable cause) when it comes to digital communication. Over time, both legislation and judicial precedent have told us what is and isn’t unreasonable search and seizure when it comes to law enforcement action at our home, place of business or on a public street, but in 1986, when Congress took up the task of creating ECPA, they were attempting to outline rules for search and seizure of remotely stored digital data.
ECPA outlines the relationship between data storage providers, their customers, and law enforcement. It acknowledges that providers act as custodians and not owners of information in their possession on behalf of their customers and subscribers. It actually serves to limit the ability of providers to voluntarily disclose customer information to the government.
What should concern you:
If you’ve been following the news recently, you may have heard a lot about the US government’s PRISM program, led by the NSA. There has been a lot of talk about what the government can and cannot do (or will and will not do) under PRISM, and — frankly — a lot of fear as well.
But PRISM is not a US law, it is a government surveillance program built on US laws. To fully understand what kinds of digital information the U.S. government is capable of gathering and analyzing, and under what circumstances, we need to look at the various laws enacted over the years that govern law enforcement in the digital age.
Remember when ServInt was fighting to defeat SOPA and PIPA? Those bills were associated with an attempt to legislate the Internet in some potentially very destructive ways. But SOPA and PIPA are just the tip of the iceberg when it comes to legislation you should know about if you make your living on the Internet. Some proposed laws pose serious risks to the basic concept of a free and open Internet, while others are quite well designed and deserve your full support.
Over the next few weeks, I’ll be walking you through four major legislative initiatives and their associated amendments to give you a background on what legislation you should be aware of as an informed citizen and Internet business owner. Specifically, we’ll look at:
Last week ServInt released an updated SLA that covers all of our products, from VPS to dedicated to cloud. And like everyone else, we laid out the “uptime guarantee” for network, servers, support, etc. This guarantee, though, is simply a threshold: if your service dips below it, you may request hosting credits.
What’s ridiculous is the way some hosts – and some industry “experts” – glibly refer to uptime guarantees as if they were some sort of literal guarantee of future performance: “Wow, they’re offering five nines in their SLA,” “Did you hear about the host that guarantees 100% uptime?”
Uptime guarantees don’t promise what percentage of the time your server will remain online without network disruption, and they are not evidence of future network performance.
An uptime guarantee is – no matter which host you look at – simply a promise of what refund the host offers customers if there is a network outage.
And every network—even the most robust, redundant networks—at some point will experience an outage. Our last network outage was in 2004.
The question is not: Will my host have an outage in the future? The questions are: How likely is it that my host will be the next to experience an outage? and, How quickly and efficiently will they respond and fix any problem that occurs?
This week, ServInt was one of a dozen hosts to send a letter to the Senate Judiciary Committee to support updating the Electronic Communications Privacy Act, along with the i2Coalition which coordinated the hosting industry’s participation.
The government needs a warrant based on probable cause to search our mail or the documents in our homes. It’s one of our most fundamental rights, guaranteed in the 4th Amendment of the Bill of Rights. But because of this outdated law — the ECPA — which passed in 1986 before the commercial Internet even existed, law enforcement needs only a subpoena (issued without a judge’s approval) to read emails that have been opened or are more than 180 days old. Under the ECPA, communications stored on a server over 180 days are said to be abandoned. This rationale has allowed the government to demand access to older electronic communications without a warrant issued by a judge.
That’s right… the government says it doesn’t need a warrant to search through your old email.
This year, Congress is finally considering updating ECPA. ServInt plans to directly engage in this much overdue process, offering its perspective and expertise in dealing with 18 years of serving customers online and dealing responsibly with law enforcement information requests.
We know that aiding law enforcement in responsible ways doesn’t need to come at the expense of our fundamental Constitutional rights. ServInt will be carrying that message, along with other i2Coalition members, up to Capitol Hill this year.
Stay tuned to the ServInt Source where we’ll keep you updated on the status of this and other important Internet legislation.