As a result, Saravá's site is down. Here's a mirror of the original statement from Saravá. Also, here's an amusing picture of the group putting new drives in to try to get the site back up.
Not so fast. Recall that India has implemented a similar regulation. Remember the whole dispute with RIM a while back? From the linked article:
the ISP license also bans internet providers from deploying 'bulk encryption' and further restricts the level of encryption for individuals, groups or organisations to a key length of only 40 bits in symmetric key algorithms or equivalents.
Such weak encryption is easily broken, highly insecure and not suitable for e-commerce or any other sensitive applications.
For the use of encryption equipment stronger than 40 bits, individuals, groups or organisations are required to obtain prior written permission and to deposit the decryption key, split into two parts, with the Department of Telecommunications.
IANANE, but the regulation does not appear to be as limited as you suggest. Part II, Section 4, Clause 5 states:
All landing station and infrastructure licensee(s) shall establish a Monitoring System with its interface to the Authority . . . for the purpose of monitoring of telecommunications traffic (voice and data) within one hundred and twenty (120) days . . . .
And later on in clause (6) it requires each system to have "the following features:"
Capability to monitor, control, measure and record traffic in real-time
The clause you are referring to (and the only reference to encryption) occurs on the next page:
The Licensee(s) and Access Provider shall ensure that signaling information is uncompressed, unencrypted, and not formatted in a manner which the installed monitoring system is unable to decipher using installed capabilities.
But the limitation of this clause to signaling information seems to conflict with the earlier statement that the monitoring system must be capable of recording voice and data traffic in real time. I suppose you could argue that turning over the encrypted stream is sufficient, but I wouldn't want to hang my hat on that.
It'll be interesting to see how this is enforced. My guess will be that if they take the position that it applies to VPNs, it will not be enforced against the foreign visitor. There are many internet cafes in Pakistan and many hotels with internet service so there would be a huge logistical problem to enforce it. Sadly, Pakistanis and long-term ex-pats who use a VPN from their home or office could be targeted, especially if they are government opponents or dissidents.
I've always considered Egypt to be one of the more progressive Muslim states
Whaaaaat?
Egypt is ruled by a dictator that tolerates no dissent. There has been a state of emergency there for 44 years! Let's see, where to start. In 2009, the U.S. Department of State Human Rights report had this to say:
Police, security personnel, and prison guards often tortured and abused prisoners and detainees, sometimes in cases of detentions under the Emergency Law, which authorizes incommunicado detention indefinitely, subject to a judge's ruling.
and
Police and the SSIS reportedly employed torture methods such as stripping and blindfolding victims; suspending victims by the wrists and ankles in contorted positions or from a ceiling or door frame with feet just touching the floor; beating victims with fists, whips, metal rods, or other objects; using electric shocks; dousing victims with cold water; sleep deprivation; and sexual abuse, including sodomy. There was evidence that security officials sexually assaulted some victims or threatened to rape them or their family members. Human rights groups reported that the lack of legally required written police records often effectively blocked investigations.
It just goes on and on. And, keep in mind, the U.S. DOS reports tend to be very conservative, so when this stuff ends up in a DOS report, things on the ground are much, much worse.
Well, how about we move away from certificate authorities. Impossible, you say? Not so.
Enter the Monkeysphere, a project that leverages the GPG web of trust to build trust paths for secure browsing (among other uses). From the site:
When you direct the browser to an https site using the Monkeysphere plugin and validation agent, if the certificate presented by the site does not pass the default browser validation (using standard, hierarchical X.509), the certificate and site URL are passed to the validation agent. The agent then checks the public keyservers for keys with UIDs matching the site url (e.g. https://zimmermann.mayfirst.org./). If there is a trust path to that key, according to your own OpenPGP trust designations, the certificate is considered valid, and a browser 'security exception' is put in place to allow connections to the site.
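A simplified model of the fallback the quoted passage describes, added here as an example; it is not Monkeysphere's code. The comparison of key material, the GnuPG-style thresholds (one fully trusted or three marginally trusted certifiers, depth 5), and every name and key in the keyring are assumptions or constructed values.

```python
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"
MARGINALS_NEEDED = 3  # assumption: GnuPG's default marginals-needed
MAX_DEPTH = 5         # assumption: GnuPG's default max-cert-depth


@dataclass
class Key:
    fpr: str          # fingerprint (constructed label)
    uid: str          # user ID; for a site key this is its URL
    material: bytes   # public key material (constructed)
    certified_by: set = field(default_factory=set)  # fprs that signed this UID


def valid_keys(keyring, ownertrust, own_fpr):
    """Fingerprints reachable from our own key through trusted certifiers."""
    valid = {own_fpr}
    for _ in range(MAX_DEPTH):
        newly = set()
        for key in keyring.values():
            if key.fpr in valid:
                continue
            signers = key.certified_by & valid
            full = sum(s == own_fpr or ownertrust.get(s) == FULL for s in signers)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in signers)
            if full >= 1 or marginal >= MARGINALS_NEEDED:
                newly.add(key.fpr)
        if not newly:
            break
        valid |= newly
    return valid


def validate(url, cert_key, x509_ok, keyring, ownertrust, own_fpr):
    """Return (accepted, reason) for a certificate presented by `url`."""
    if x509_ok:
        return True, "x509"
    valid = valid_keys(keyring, ownertrust, own_fpr)
    for key in keyring.values():
        # A matching UID alone proves nothing: anyone can upload a key
        # carrying this URL. It must also match the certificate's key
        # (assumption of this model) and have a trust path.
        if key.uid == url and key.material == cert_key and key.fpr in valid:
            return True, "openpgp-trust-path"
    return False, "no-trust-path"


def demo_keyring():
    """Constructed keyring: ME -> ALICE (full) -> SITE; IMPOSTOR is unvouched."""
    url = "https://site.example/"
    keys = [
        Key("ME", "me", b"k-me"),
        Key("ALICE", "alice", b"k-alice", {"ME"}),
        Key("M1", "m1", b"k-m1", {"ME"}),
        Key("M2", "m2", b"k-m2", {"ME"}),
        Key("SITE", url, b"k-site", {"ALICE"}),
        Key("IMPOSTOR", url, b"k-evil", {"MALLORY"}),
        Key("WEAK", "https://weak.example/", b"k-weak", {"M1", "M2"}),
    ]
    ownertrust = {"ALICE": FULL, "M1": MARGINAL, "M2": MARGINAL}
    return {k.fpr: k for k in keys}, ownertrust


if __name__ == "__main__":
    ring, trust = demo_keyring()
    for url, cert in [("https://site.example/", b"k-site"),
                      ("https://site.example/", b"k-evil"),
                      ("https://weak.example/", b"k-weak")]:
        print(url, cert, validate(url, cert, False, ring, trust, "ME"))
```

The impostor key carries the right UID and matches the certificate it presents, yet is rejected because nobody you trust has certified it; the WEAK site is rejected because two marginal certifiers fall short of the threshold.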
I have this Jetway, a slightly different model. I wanted 2 drives in a RAID array. It's designed to hold 1 3.5" and 1 2.5" drive, but I put 2x3.5" drives in (granted, one is mounted with a bit of duct tape). I also added one extra case fan. It's been running great and nice and quiet (and cheap!).
I care deeply about personal privacy for the same reason I care deeply about gun rights - chances are that I will never carry a weapon in my life, but our society as a whole is made safer and more resilient by the fact that law-abiding citizens can own and use them in self defense.
Ummm, yeah, the shooter who killed 14 in NY state "had a permit for two handguns and wore body armor, indicating he was prepared for a confrontation with police."
source.
Slander and defamation, by definition, require a false statement of fact causing harm to the aggrieved party. Slander is for verbal statements, whereas libel refers to written statements. See slander - wikipedia.
And, at least in the US, slander and defamation are not crimes. Rather, they are civil remedies (a tort) enforceable not by the state through prosecution, but by the aggrieved individual bringing suit.
Look on your CA website for the contract that governs your CA. It should have a clause on revocations. For example, this is the .pdf for ipsCA's contract (.pdf, only in Spanish) and it clearly provides that if there's a problem with the certificate that makes it untrustworthy, you get a new one for free.
This is page 45-46, which talks about the reasons why a certificate may be revoked:
Los Certificados deberán ser revocados cuando concurra alguna de las circunstancias siguientes:
*snip*
Por cualquier causa que razonablemente induzca a creer que el servicio de certificación haya sido comprometido hasta el punto que se ponga en duda la fiabilidad del Certificado.
Rough translation: The certificate may be revoked when... there's something that makes you reasonably believe that the certificate has been compromised to the point that it is not reliable.
And then on page 47 it says:
La revocación del Certificado por causa no imputable al Suscriptor originará la emisión de un nuevo Certificado a favor del Suscriptor por el plazo equivalente al restante para concluir el período originario de validez del Certificado revocado.
Rough translation: If the revocation of the certificate is not the fault of the subscriber (that's you), then you get a new certificate with the same validity period as the old one.
Obviously, you have to check with the contract governing your CA, but you might find something similar, so check with your CA before paying for new certs.
I was visited by two FBI agents last Friday (10/1/04) because I am the registered agent for the Seattle Indymedia Center. The agents informed me that they were here on a "courtesy visit" on behalf of the Swiss government based on a series of photographs posted on a French indymedia site (http://nantes.indymedia.org). The agents informed me that the post contained personally identifying information about the officers including their home address and phone number.
I asked them what the US government's interest was in Swiss police and French websites. They informed me that no law had been violated but they were just requesting on behalf of the Swiss government that the identifying information be removed. I clarified that their concern was with the identifying information, and not with the photographs, because taking pictures of someone in a public forum is not objectionable. They agreed with me and said that their only concern was the identifying information.
I asked them for the URL of the offending post. They did not know what a URL was. I asked them what the address was for the post-- "the address you would type into your internet browser." They looked confused, consulted their notes, and stated that they weren't sure, but they thought it was http://natz.indymedia.org (in fact, the correct address is nantes.indymedia.org). I informed them that it would be very difficult to track down the post considering that there are thousands of posts on indymedia sites every day.
I told them that the Seattle Indymedia Center has no authority regarding the Nantes Indymedia Center and that they should probably direct their request directly to the Nantes Indymedia Center. They left.
I pulled up the Nantes site. On the front page of the site, at the very top, was a large logo of the FBI, and an article regarding how their ISP (Rackspace) had received a request from none other than the FBI to remove a certain post...
Nothing happened for a few days, and then today the server is gone. This is what we know for a fact:
Rackspace received a subpoena requesting certain information.
Rackspace decided to turn over our entire server.
Rackspace has refused to provide a copy of the subpoena on advice of counsel (most likely because the subpoena contains a gag order).
When we inquired of Rackspace, this was their response: "Unfortunately, we have received a federal order to provide your hardware to the requesting agency. We are complying at this time. Our datacenter technicians are building you a new server which will be online as soon as possible. Your account manager will notify you once the new server is online and available.
I apologize for abruptness of this. However, we are required to comply with all federal orders of this nature. Please let us know if there is anything that we can do to make this easier on you."
Indymedia is working on a press release on this matter and is working with EFF to assess its legal options.
We do not yet have the subpoena because Rackspace is under a gag order. But, it is highly likely that the subpoena merely requested information. Rackspace could not provide the information, so it relied on a clause in its contract that pretty much allows it to do whatever it wants in response to a court order. In this case, Rackspace turned over the entire box.
While the server in the UK is subject to UK law, if a subpoena is served on a US corporation requesting information, and that information is located in some other country, the corporation is required to provide the information. Because Rackspace could not quickly locate the information, they decided to turn over the entire server.
This was a subpoena, not a search warrant. Rackspace was served with a subpoena most likely requesting information about who posted photographs of undercover Swiss police officers on http://nantes.indymedia.org (don't try to follow this link, because the server has been removed by Rackspace). Because they could not sort out the requested information, Rackspace simply turned over the servers in question.
The FBI has stated that no crime is under investigation, yet they are issuing subpoenas, indicating that SOME crime is under investigation. This whole thing stinks. EFF is investigating.
I was personally visited by FBI agents regarding the post on http://nantes.indymedia.org. The post in question had NO PERSONALLY IDENTIFYING INFORMATION WHATSOEVER. It contained photographs of undercover agents who were posing as protesters. The FBI agents alleged that the posts contained personally identifying information, but I looked up the post and there were only pictures, nothing else.
Furthermore, even if there had been personal information on the site, if that information was obtained legally, it is protected by the First Amendment. A recent case in Washington state held that an individual could post names and addresses of law enforcement officials obtained legally.
Regardless, the fact remains that the post in question had no personal information in it. When I spoke to the FBI agents, they admitted that there was absolutely nothing wrong with taking pictures of undercover officers in a public forum and posting them to a website. That is exactly what happened here.
The act does not provide for a private federal lawsuit based on this particular law. You can still sue under State laws (at least those that are not preempted under Section 8(b)(1)). The act does not supersede other state law claims under laws that are unrelated to regulating email. This means claims founded on common law (trespass or contract claims for example) or another generally-applicable law (for example, a state consumer protection act) will survive this act. See Section 8(b)(2)(A).
Also, three other types of claims may be asserted. First, State attorneys general may sue spammers on behalf of state residents. See Section 7(f)(1). Second, ISPs may sue spammers. See Section 7(g)(1). Third, the Federal Trade Commission, and certain other federal agencies, may sue spammers. See Section 7(a)-(b).
Internet Service Providers may sue under Section 8(g)(1) of the Act:
A provider of Internet access service adversely affected by a violation of section 5(a)(1), 5(b) or 5(d), or a pattern or practice that violates [section 5(a)(2)-(5)], may bring a civil action . . .
And get this, ISPs can recover up to $100 per violation under Section 8(g)(3).
Look for a challenge by spammers to the no-spam list based on the First Amendment in the coming months. They probably will not fare any better than the telemarketers, but I'll betcha' they'll try.
The key here is 17 U.S.C. 512(f) which holds copyright owners such as Diebold responsible for abusing the provisions of the DMCA. Also check out section 4 of EFF's application for a temporary restraining order (PDF is here) which outlines the claims against Diebold under the DMCA.
Although Diebold has agreed not to take any further action in these cases, that doesn't make up for the fact that they have blatantly abused the DMCA provisions in the past. It's kind of like being run over by a car, and then having the driver say, "well, I won't drive anymore." It doesn't exactly make you whole.
Also, OPG has asserted an interference with contractual relations claim-- essentially saying that Diebold is interfering with the contract between Hurricane Electric (the ISP) and its client, OPG. See section 3 of the application for a temporary restraining order.
Unfortunately, you're wrong. People waive their rights all the time. You have a right not to be searched without probable cause, but when the police ask "do you mind if I search your car?" and you say "Sure," you just waived your Fourth Amendment rights until you invoke them again.
Among other rights you can waive are your speedy trial rights, your right to remain silent, and your right to an attorney (although this last one is hard to waive).
There is an entire body of cases that discuss when a waiver is "knowing and intelligent" and therefore valid. For example, see North Carolina v. Butler (implied waiver of Miranda rights upheld), and Edwards v. Arizona (initial waiver valid, but once defendant invoked his right to counsel, police could not question further).
I blame sleep deprivation and not speaking PT. Sorry!
There is also the film's website. Which, of course, appears to be /.'d.
The above link is the argument in Jewel. Here is the audio of the arguments in the Hepting case (wma).
Erm.... the audio recording ... is available. Doh!
The audio recording of the oral arguments are now available (.wma).
Not going to happen. The whole project is being discontinued.
Here is a reproduction of the post with the photographs of the two individuals who are allegedly undercover Swiss police officers.
Really? Since when?