Crossing the U.S. Border? Here’s How to Securely Wipe Your Computer
(Wed, 26 Jul 2017)
Many people crossing the U.S. border are concerned about the amount of power that the government has asserted to search and examine travelers’ possessions, including searching through
or copying contents of digital devices, like photos, emails, and browsing history. The frequency of these intrusive practices has been increasing over time.
Some travelers might choose to delete everything on a particular device or disk to ensure that border agents can’t access its contents, no matter what. Our 2017 guide for travelers addressed this option, but did not give detailed advice on how to do it, because we think most
travelers won’t consider it their best option. Before embarking on wiping your computers, please read our guide to understand your legal rights at the U.S. border.
We don’t recommend disk wiping as a border crossing security measure for most travelers. It’s a less common data protection technique than the other ones highlighted in our guide,
which include encryption and minimizing data that you carry. Wiping your computer will make it unusable to you. Also, it may draw the attention of border agents, since it is unusual
for travelers to carry blank devices with them. This may be of particular concern to travelers who are not U.S. citizens, who may receive more scrutiny from border agents. Again, you
should consider your risks and security needs carefully before deciding how best to secure your data for border crossings as everyone’s individual risk factors and data security needs
Now that you’ve been sufficiently cautioned, let’s look closely at wiping your computers.
Why might you want to wipe a disk instead of just deleting individual files, messages, and so on? The main reason is what can happen if a device is seized. Forensic inspection
of a seized device with special software tools can recover significant amounts of deleted information and references to individual files and software that have previously been
removed. Wiping your disk entirely is a valuable means of protecting data against such a forensic examination, and also not having to make individual decisions about whether to erase
It’s also important if you want to make sure photos or videos are truly deleted from a camera or phone’s SD card, since these devices rarely delete media securely.
A laptop can wipe its own hard drive, or removable storage media like USB drives or SD cards, by overwriting the contents. One method of doing this is formatting the storage medium,
but note that this term is applied to two very different processes. Only “low-level formatting” (also called “secure formatting” or “formatting with overwriting”) actually erases the
hard drive by overwriting data. “Quick format” or “high-level format” does not do so, and is thus less secure. Formatting tools let you choose between a quick format and a secure
overwriting format. For data destruction, always choose a secure overwriting format.
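The difference between the two kinds of formatting, shown as an added example (not part of the original article) in Python on a constructed 1 MiB image file. Here quick_format is a simplified model that rewrites only a hypothetical metadata area, and residual_regions is the check you would run after an overwriting format; the image layout, marker string and function names are assumptions made for the illustration.

```python
import os
import tempfile

SECTOR = 512
MARKER = b"CONSTRUCTED-SAMPLE-DOCUMENT"  # constructed stand-in for user data


def build_sample_image(path, sectors=2048):
    """Create a constructed 1 MiB image: fake metadata in sector 0, data further in."""
    with open(path, "wb") as f:
        f.write(bytes(SECTOR * sectors))
        f.seek(0)
        f.write(b"FAKEFS-METADATA")       # hypothetical filesystem header
        f.seek(700 * SECTOR)
        f.write(MARKER * 40)              # "file contents" far from the header


def quick_format(path, metadata_sectors=8):
    """Simplified model of a quick format: only the metadata area is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"NEWFS-METADATA".ljust(SECTOR * metadata_sectors, b"\x00"))
        f.flush()
        os.fsync(f.fileno())


def overwrite_with_zeros(path, chunk=1024 * 1024):
    """Overwriting format: write zeros over every byte and force them to the medium."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)     # also works for block devices on Linux
        f.seek(0)
        zeros = bytes(chunk)
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            f.write(zeros[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def residual_regions(path, chunk=1024 * 1024):
    """Return [(offset, length)] runs of sectors that still hold non-zero bytes.

    This reads only what the drive exposes at its logical addresses. On flash
    media, wear leveling can keep old data in cells that are not visible here.
    """
    regions = []
    offset = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            for i in range(0, len(buf), SECTOR):
                sector = buf[i:i + SECTOR]
                if not sector.strip(b"\x00"):
                    continue              # sector is entirely zero
                start = offset + i
                if regions and sum(regions[-1]) == start:
                    # extend the previous run instead of starting a new one
                    regions[-1] = (regions[-1][0], regions[-1][1] + len(sector))
                else:
                    regions.append((start, len(sector)))
            offset += len(buf)
    return regions


def marker_recoverable(path):
    """True if the sample data can still be read back (small sample image only)."""
    with open(path, "rb") as f:
        return MARKER in f.read()


def demo():
    """Quick-format the sample image, inspect it, then overwrite and inspect again."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sample.img")
        build_sample_image(img)
        quick_format(img)
        after_quick = (marker_recoverable(img), residual_regions(img))
        overwrite_with_zeros(img)
        after_wipe = (marker_recoverable(img), residual_regions(img))
    return after_quick, after_wipe


if __name__ == "__main__":
    quick, wiped = demo()
    print("after quick format: data recoverable =", quick[0], "regions =", quick[1])
    print("after overwrite:    data recoverable =", wiped[0], "regions =", wiped[1])
```

After the modelled quick format the sample data is still readable at its original offset; after the overwrite no non-zero sector remains. Pointing residual_regions at a real removable device needs read permission on the device node and can take a long time on large media.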
You should already have built-in tools that can perform a low-level format or wipe a hard drive, or you may download third-party tools to do this. Below are some steps you can take
with major computer operating systems to wipe your devices or removable media. Keep in mind that after wiping a hard drive, you may need to reinstall the operating system before you
can use the device again.
One consideration when wiping computer media is the limited ability to delete data on solid-state drives (SSDs) ubiquitous in modern computers, including flash-based removable media
as well as internal SSD hard drives. Because of a technology called wear leveling, overwriting may not reliably erase the full contents of these kinds of storage media. This
technology tries to spread out where things are stored to prevent any one part of the storage medium from being used more than another part. Researchers have shown that overwriting a single file on an SSD often doesn’t destroy that file’s contents;
even after the entire device has been overwritten, wear leveling may leave a small random portion of the data on these media in a recoverable form. There are software vendors that
promise to securely delete SSDs, but it is still not clear to us whether this can be done reliably to make the information completely unrecoverable. Encrypting your SSD may be the
best way to prevent access to the information on the drive, though of course you have to do that ahead of crossing the border.
On Windows, the built-in Disk Management tool can format removable media (be sure to uncheck the “Perform a quick format” option). It will not format the built-in hard drive if the computer was
started from it. Formatting the built-in hard drive requires starting the computer from a bootable CD or USB drive, such as DBAN, described briefly below.
On macOS, the built-in Disk Utility tool can format external storage media (be sure to click “Security options” and select “Most secure”) and the built-in hard drive. Like its Windows
equivalent, it will not format the built-in hard drive if the computer was started from it. To erase the built-in hard drive,
access the recovery utilities, which include Disk Utility, by pressing ⌘R while the system is starting up. Unlike opening Disk Utility on an already-running computer, this approach
will permit erasing the built-in hard drive.
Most Linux distributions have a built-in disk utility that can format either removable media or the built-in hard drive. For GNOME environments, open GNOME disk utility (or “Disks”),
select a particular partition, then click the gear icon and then “Format partition…” Remember to select “Overwrite existing data with zeroes.” Note that formatting a hard drive
partition that’s used to boot your operating system will make your computer unbootable until an operating system is reinstalled.
To restore your ChromeOS machine to its factory state, you can make use of the “Powerwash” feature. Powerwash
deletes all the locally stored user data on the device, but not things that have been backed up to Google’s cloud.
A More Complex Method
If you want to completely erase the contents of your built-in hard drive by overwriting, the most reliable option may be to download a bootable data erasure tool like DBAN. The DBAN image file needs to be downloaded and written onto a USB drive or CD-ROM; then the computer is booted from the medium containing DBAN, which
gives an option to overwrite the hard drives. DBAN works independently of the operating system installed on the device, but you should exercise caution as using DBAN correctly
requires following directions precisely.
Want to learn more about how to protect your digital data when you cross the U.S. border? See
EFF’s full guide. You can also download and print our pocket guide for defending privacy at the U.S.
border and our one-page overview of the law at the border.
It’s sad that travelers have to worry about elaborate defensive measures to prevent border agents from snooping through their devices for no particular reason at all. Concerned about
border agents running roughshod over our rights? There’s a bill in Congress that aims to fix
this. Tell your elected representatives to rein in CBP.
EFF Asks Court to Strike Down Unconstitutional Restraint on Our Speech
(Tue, 25 Jul 2017)
EFF has asked a federal court to rule in its favor in a lawsuit we filed against an Australian company
that sought to use foreign law to censor us from
expressing our opinion about its patent. While the company, Global Equity Management (SA) Pty Ltd (GEMSA), knows its way around U.S. courts—having filed dozens of
lawsuits against big tech companies claiming patent infringement—it has failed to respond to ours.
Today we asked for a default judgment, which if granted means we win the case.
It all started when GEMSA’s patent litigation was featured in our
June 2016 blog series “Stupid Patent of the Month.” The company wrote to EFF accusing us of “false and malicious
slander.” It subsequently filed a lawsuit and obtained an injunction from a South Australia court ordering EFF to take down the blog post and blocking us from ever talking about any
of its intellectual property.
We have not removed the post. The South Australian injunction can’t be enforced in the U.S. under a 2010 federal law that took aim against “libel tourism,” a practice by which plaintiffs—often billionaires,
celebrities, or oligarchs—sued U.S. writers and academics in countries like England where it was easier to win a defamation case.
The Securing the Protection of Our Enduring and Established Constitutional Heritage Act (SPEECH Act) says foreign orders aren’t
enforceable in the United States unless they are consistent with the free speech protections provided by the U.S. and state constitutions, as well as state law. Our lawsuit, filed in
U.S. District Court, Northern District of California, maintains that GEMSA’s injunction, which seeks to silence expression of an opinion, would never survive scrutiny under the First
Amendment in the United States and should therefore be declared unenforceable. We stood ready to defend our right to express constitutionally protected speech.
GEMSA, which has three pending patent lawsuits in the Northern District of California, had until May 23 to respond to our case. That day came and went without a word. We
can’t speculate as to why GEMSA hasn’t responded. To get a default judgment, we need to show that not only has GEMSA failed to answer our claims but also, regarding our claim that the
South Australia injunction is unenforceable in the U.S., the law is on our side.
We believe that we should prevail. The law does not allow companies or individuals to make an end run around the First Amendment by finding a judge in another country to sign an
injunction that censors speech in the U.S. The law the Australian court applied to grant the injunction didn’t provide as much protection for EFF’s speech as American law, which means
it’s unenforceable under the SPEECH Act. Additionally, the injunction is unconstitutional under American law as it prohibits all future speech by EFF about any of GEMSA’s patents.
Such prohibitions are also known as prior restraints, and are allowed only in the rarest of circumstances, none of which apply here.
Our laws also don’t allow plaintiffs to be left under a cloud of uncertainty as to their ability to speak publicly about something as important as patent litigation and reform.
The Australian injunction states that failure to comply could result in the seizure of EFF’s assets and prison time for its officers. GEMSA attorneys have threatened to take the
Australian injunction to American search engine companies to deindex the blog post, making the post harder to find online.
The court should set the record straight and grant our request for a default judgment. Our laws call for no less.
Global Condemnation for Turkey's Detention of Innocent Digital Security Trainers
(Mon, 24 Jul 2017)
The detention of a group of human rights defenders in Turkey for daring to learn about digital security and encryption continued last week with a brief appearance of the accused in an
Istanbul court. Six were returned to jail, and four released on bail. In an additionally absurd twist, the four released activists were named in new detention orders on Friday, and
are now being re-arrested.
Among those currently being held in jail are Ali Gharavi and Peter Steudtner, digital security trainers from Sweden and Germany, who had traveled to Turkey to provide
online privacy advice for a conference of human rights defenders. The meeting was raided by Turkish police on July 5, and appears to be the sole basis for the prosecution.
The court charged Gharavi and Steudtner with "committing crimes in the name of a terrorist organization without being a member." Their co-defendants include Idil Eser, the Director of
Amnesty Turkey, Veli Acu and Günal Kurşun of the Human Rights Agenda
Association, and Özlem Dalkıran of the Helsinki Citizens’ Assembly. Four others were released on
bail, but new detention orders against them were announced on Friday, with two re-arrested over the weekend.
Gharavi and Steudtner have worked for many years in the global human rights community, providing advice about digital security and online well-being. Ali helped EFF with its Surveillance Self-Defence Guides, and has held key technology roles at the Center for Victims of Torture and
Tactical Tech. Steudtner's expertise was in holistic security, which combined technical training with his pacifist, non-violent principles.
When asked about the arrests, Turkey's President Recep Tayyip Erdogan said
that the group had "gathered for a meeting which was a continuation of July 15," referencing the date of the attempted coup against him in 2016. The government has used the coup as a
justification for the subsequent mass arrests of over 50,000 people including journalists,
academics, judges and, most recently, technologists.
Strong digital security helps everyone; learning about encryption is not a sign of criminal activity. The Turkish authorities and media have continued, nonetheless, to tie the use of
secure communications tools to the coup. A report in the conservative Islamist paper Yeni Akit declared that the detainees had secret government documents, and used the mobile communications app "ByLock" to
stay in contact with groups connected to the coup. ByLock is a known
insecure app that is largely unknown outside of Turkey and has been widely criticised by digital security experts. It is profoundly unlikely that Gharavi or Steudtner used it. Use
of ByLock was also the sole reason the Turkish police gave for the arrest of Amnesty's Chair, Taner Kiliç, last month.
The condemnation of the Turkish courts' actions has been swift. U.S. State Department spokesperson Heather Nauert said
the U.S. "strongly condemns the arrest of six respected human rights activists and calls for their immediate release," and urged Turkey to drop the charges, which it said
undermine the country's rule of law.
Eliot Engel, the U.S. House of Representatives' ranking member on the Foreign Affairs committee, said that "The arrest of these brave men
and women is unacceptable, and the latest example of the erosion of democracy in Turkey... I call on Turkish authorities to release Idil Eser and her fellow activists without delay or
condition, and Secretary Tillerson must make this a top priority in his engagement with Turkey’s government."
Sweden's Foreign Minister, Margot Wallstrom has
called for the release of Gharavi, who is a Swedish national. "It is our understanding that Gharavi was in Turkey to participate in a peaceful seminar about freedom of the
internet and we have urged Turkey to quickly clarify the grounds for the accusations against him," she said in a statement.
Germany, Steudtner's home country, has taken an even more forceful line. "We are strongly convinced that this arrest is absolutely unjustified," German Chancellor Angela Merkel said,
according to the DPA news agency. Germany's Foreign Minister Sigmar Gabriel
cut short a vacation to deal with the case, and summoned the Turkish Ambassador in Berlin, who was told
"without diplomatic pleasantries" of Germany's expectation that Steudtner and his colleagues should be released immediately. Gabriel later warned that "the case of Peter Steudtner
shows that German citizens are no longer safe from arbitrary arrests," and suggested that his continuing detention will lead to a "re-orienting" of Germany's policy toward Turkey.
The baseless prosecution of these human rights defenders, including Peter and Ali, two innocent technologists from allies of Turkey, highlights the decline of Turkey's democratic
institutions. We continue to urge the Turkish authorities to listen to a chorus of countries and international organizations, and to free all ten victims of this profound injustice
RCEP Discussions on Ecommerce: Gathering Steam in Hyderabad
(Mon, 24 Jul 2017)
Sixteen countries from Asia-Pacific are meeting in Hyderabad for the 19th round of the Regional Comprehensive Economic Partnership (RCEP) which takes place in India from 18-28 July,
2017. EFF is participating to advocate for improved transparency and openness in the negotiations, and to express our concerns about possible new rules on intellectual property and
ecommerce that some countries are proposing for the agreement.
RCEP is a free trade agreement (FTA) aimed at broadening regional economic integration and liberalising trade and investment between the 10 ASEAN economies and its trading partners
including Australia, China, India, Japan, Korea, and New Zealand. The total population covered by RCEP exceeds 3 billion, and its combined GDP of about US$ 17 trillion, accounting
for about 40% of the world’s trade, makes RCEP the biggest mega-regional trade agreement under negotiation.
The idea of RCEP was first introduced at an ASEAN Summit in 2011 and formal negotiations were launched in 2012. Over the last five years, the scope of the agreement has grown to
include commitments for trade in goods and services, boosting economic and technical cooperation, and intellectual property. Worryingly, discussions on ecommerce issues including
rules on software, data flows, and regulatory standards that have not been addressed in other trade mechanisms are also being included in the RCEP negotiations.
Reports suggest that Japan, Australia, South Korea, and New Zealand have been pushing for binding commitments from the RCEP members on ecommerce. A separate working group on ecommerce
(WGEC) has been established with the aim of formalising a chapter on ecommerce in the final agreement. The agreement and the issues being negotiated are being kept confidential;
however, a few chapter drafts have been leaked, including the ‘Terms of Reference (TOR)’ for the WGEC. WGEC members are hopeful of concluding the deal by year end which would include
‘liberalisation commitments’ and norms for ecommerce including provisions on investment, dispute settlement and competition.
The proposed elements for the TOR (for negotiations) are understood to include domestic regulatory frameworks for market access, customs duties on electronic transmission,
non-discriminatory treatment of digital products, paperless trading, electronic signatures, digital certificates and online consumer protection issues such as storage and transfer of
personal data protection and spam.
Controversial issues such as prohibition on requirements concerning the location of computing facilities and allowing cross-border transfer of information by electronic means
are also expected to be included within the scope of the chapter. Further, countries including Australia and Japan have proposed making a permanent commitment to zero duties on
digital transmissions, and prohibiting rules requiring compulsory disclosure of source code.
Given the secrecy of the negotiations, the lack of opportunities for public input in the process, and the complexity of issues involved, EFF convened an expert panel on ecommerce
issues in the RCEP negotiations in Hyderabad. The public meeting was organised in partnership with the National Institute of Public Finance and Policy (NIPFP) and the National Law
University of Law, Hyderabad. Speakers included Professor Ajay Shah (NIPFP), Parminder Jeet Singh (ItforChange) and Professor VC Vivekananda (Bennett University).
Panelists raised several issues including ensuring non-discriminatory treatment of digital products transmitted electronically and the need for guaranteeing that these products will
not face government-sanctioned discrimination based on the nationality or territory in which the product is produced. Security risks associated with the prohibition of source code
disclosure, and the costs of imposing measures that restrict cross-border data flows and/or require the use or installation of local computing facilities were also raised by
The event was a success with negotiators from nine countries including Vietnam, Japan, Australia, New Zealand, Laos, Cambodia, South Korea and Thailand showing up for the meeting.
Given that access for users at such negotiations is restricted, the large number of negotiators showing interest was very encouraging. Understandably, the negotiators did not ask
questions or participate in the discussions; however, their interest in the issues is evident in WGEC members turning up for the panel. This is definitely an improvement on the
previous negotiations where there has been limited participation from negotiators at similar events. We also received feedback that the WGEC would like to see specific issues being
discussed in-depth including positive commitments that could be included.
EFF is maintaining a cautious and critical stance on the inclusion of e-commerce rules in RCEP, and the inclusion of similar rules in NAFTA, simultaneously being negotiated on the other
side of the world. While it is possible to deal with e-commerce in a trade agreement in a balanced way that respects users’ rights, this is made unnecessarily difficult when those
rules are being negotiated in secret. Nonetheless, until a better way of engaging with negotiators exists, EFF will continue to
provide our input through unofficial side events and bilateral meetings, because this is the best way that we can stand up for your rights in what remains an unfair and secretive
Tell Congress: We Want Trade Transparency Reform Now!
(Thu, 20 Jul 2017)
The failed Trans-Pacific Partnership (TPP) was a lesson in what happens when trade agreements are negotiated in secret. Powerful
corporations can lobby for dangerous, restrictive measures, and the public can't effectively bring balance to the process. Now, some members of Congress are seeking to make sure that
future trade agreements, such as the renegotiated
version of NAFTA, are no longer written behind closed doors. We urge you to write your representative and ask them to demand transparency in trade.
Representative Debbie Dingell (D-MI) has
today introduced the Promoting Transparency in Trade Act (H.R. 3339) [PDF], with co-sponsorship by
Representatives Laura DeLauro (D-CT), Tim Ryan (D-OH), Marcy Kaptur (D-OH), Jamie Raskin (D-MD), Keith Ellison (D-MI), Raúl Grijalva (D-AZ), John Conyers (D-MI), Jan Schakowsky
(D-IL), Louise Slaughter (D-NY), Mark DeSaulnier (D-CA), Dan Lipinski (D-IL), Chellie Pingree (D-ME), Brad Sherman (D-CA), Jim McGovern (D-MA), Rick Nolan (D-MN), and Mark Pocan
(D-WI). Representative Dingell describes the bill as follows:
The Promoting Transparency in Trade Act would require the U.S. Trade Representative (USTR) to publicly release the proposed text of trade deals prior to each negotiating
round and publish the considered text at the conclusion of each round. This will help bring clarity to a process that is currently off limits to the American people.
Actively releasing the text of trade proposals will ensure that the American public will be able to see what is being negotiated and who is advocating on behalf of policies
that impact their lives and economic well-being.
We wholeheartedly agree. Indeed, these are among the recommendations that EFF has been pushing for for some time, most recently at a January 2017 roundtable on trade transparency that we held with stakeholders from industry, civil society, and
government. That event resulted in a set of five recommendations on the
reform of trade negotiation processes that were endorsed by the Sunlight Foundation, the Association of
Research Libraries, and OpenTheGovernment.org.
A previous version of the Promoting Transparency in Trade Act
was introduced into the previous session of Congress, but died in committee. Compared with that version, this latest bill is an improvement because it requires the publication of
consolidated draft texts of trade agreements after each round of negotiations, which the previous bill did not.
Another of our recommendations that is reflected in the bill is to require the appointment of an independent Transparency Officer to the USTR. Currently, the Transparency Officer is
the USTR's own General Counsel, which creates a conflict of interest between the incumbent's duty to defend the office's current transparency practices, and his or her duties to the
public to reform those practices. An independent officer would be far more effective at pushing necessary reforms at the office.
The Promoting Transparency in Trade Act faces challenging odds to make it through Congress. Its next step towards passage into law will be its referral to the House Committee on Ways
and Means, and probably its Subcommittee on Trade, which will decide whether the bill will be sent to the House of Representatives for a vote. The Senate will also have to vote on the
bill before it becomes law. The more support that we can build for the bill now, the better its chances for surviving this perilous process.
Passage of this bill may be the best opportunity that we'll have to avoid a repetition of the closed, secretive process that led to the TPP. With the renegotiation of NAFTA commencing
with the first official round of meetings in Washington, D.C. next month, it's urgent that these transparency reforms be adopted soon. You can help by writing to your representative
in Congress and asking them to support the bill in committee.
Librarians Call on W3C to Rethink its Support for DRM
(Wed, 19 Jul 2017)
The International Federation of Library Associations and Institutions (IFLA) has called on the World Wide Web Consortium (W3C) to reconsider
its decision to incorporate digital locks into official HTML standards. Last week, W3C announced its decision to publish Encrypted Media Extensions (EME)—a standard for applying
locks to web video—in its HTML specifications.
IFLA urges W3C to consider the impact that EME will have on the work of libraries and archives:
While recognising both the potential for technological protection measures to hinder infringing uses, as well as the additional simplicity offered by this solution, IFLA is
concerned that it will become easier to apply such measures to digital content without also making it easier for libraries and their users to remove measures that prevent
legitimate uses of works.
Technological protection measures […] do not always stop at preventing illicit activities, and can often serve to stop libraries and their users from making fair uses of works.
This can affect activities such as preservation, or inter-library document supply. To make it easier to apply TPMs, regardless of the nature of activities they are preventing, is
to risk unbalancing copyright itself.
IFLA’s concerns are an excellent example of the dangers of digital locks (sometimes referred to as digital rights management or simply
DRM): under the U.S. Digital Millennium Copyright Act (DMCA) and similar copyright laws in many other countries, it’s illegal to
circumvent those locks or to provide others with the means of doing so. That provision puts librarians in legal danger when they come across DRM in the course of their work—not to
mention educators, historians, security researchers, journalists, and any number of other people who work with copyrighted material in completely lawful ways.
Of course, as IFLA’s statement notes, W3C doesn’t have the authority to change copyright law, but it should consider the implications of copyright law in its policy decisions: “While
clearly it may not be in the purview of the W3C to change the laws and regulations regulating copyright around the world, they must take account of the implications of their decisions
on the rights of the users of copyright works.”
EFF is in the process of appealing W3C’s controversial decision, and we’re urging the
standards body to adopt a covenant protecting security researchers from anti-circumvention laws.
Do Last Week's European Copyright Votes Show Publishers Have Captured European Politics?
(Wed, 19 Jul 2017)
Three European Parliament Committees met during the week of July 10, to give their input on the European Commission's proposal for a new Directive on copyright in the Digital Single
Market. We previewed those meetings last week, expressing our hope
that they would not adopt the Commission's harmful proposals. The meetings did not go well.
All of the compromise amendments to the Directive proposed by the Committee on Culture and Education (CULT) that we previously catalogued were accepted in a vote of that committee,
including the upload filtering mechanism, the link tax, the unwaivable right for artists, and the new tax on search engines that index images. Throwing gasoline on the dumpster
fire of the upload filtering proposal, CULT would like to see cloud storage services added to the online platforms that are required to filter user uploads. As for the link tax, they
have offered up a non-commercial personal use exemption as a sop to the measure's critics, though it is hard to imagine how this would soften the measure in practice, since almost all
news aggregation services are commercially supported.
The meeting of the Industry, Research and Energy (ITRE) Committee held in the same week didn't go much better than that of the CULT Committee. The good news, if we can call it that,
is that they softened the upload filtering proposal a little. The ITRE language no longer explicitly refers to content recognition technologies as a measure to be agreed between
copyright holders and platforms that host "significant amounts" (the Commission proposal had said "large amounts") of copyright protected works uploaded by users. On the other hand,
such measures aren't ruled out, either; so the change is a minor one at best.
There is no similar saving grace in the ITRE's treatment of the link tax. Oddly for a committee dedicated to research, it proposed amendments to the link tax that would make life
considerably harder for researchers, by extending the tax to become payable not only on snippets from news publications but also those taken from academic journals, and whether those
publications are online or offline. The extension of the link tax to journals came by way of a single word amendment to recital
Periodical publications which are published for scientific or academic purposes, such as scientific journals, should n̶o̶t̶ also be
covered by the protection granted to press publications under this Directive.
This deceptively small change would open up a whole new class of works for which publishers could demand payment for the use of small snippets, apparently including works that the
author had released under an open access license (since it's the publisher, not the author, that is the beneficiary of the new link tax).
The JURI Committee also met during the week, although it did not vote on any amendments. Even so, the statements and discussions of the participants at this meeting are just as
important as the votes of the other committees, given JURI's leadership of the dossier. The meeting (a recording of which is available online) was chaired by German MEP Axel Voss, who has recently replaced the
previous chair Theresa Comodini as rapporteur. Whereas MEP Comodini's report for the committee had been praised for its balance, Voss has taken a much more hardline approach.
Addressing him as Chair, Pirate Party MEP Julia Reda stated during the meeting:
I have never seen a Directive proposal from the Commission that has been met with such unanimous criticism from academia. Europe's leading IP law faculties have stated in an open letter, and I quote, "There is independent scientific consensus that Articles 11 and 13 cannot be
allowed to stand," and that the proposal for a neighboring right is "unnecessary, undesirable, and unlikely to achieve anything other than adding to complexity and cost".
The developments in the CULT, ITRE and JURI committees last week were disappointing, but they do not determine the outcome of this battle. More decisive will be the votes of the Civil
Liberties, Justice and Home Affairs (LIBE) Committee in September, followed by negotiations around the principal report in the JURI Committee and its final vote on October 10. Either
way, by year's end we will know whether European politicians have been utterly captured by their powerful publishing lobby, or whether the European Parliament still effectively
represents the voices of ordinary European citizens.
Why the Ninth Circuit Got It Wrong on National Security Letters and How We’ll Keep Fighting
(Wed, 19 Jul 2017)
In a disappointing opinion issued on Monday, the Ninth Circuit upheld the national security letter (NSL)
statute against a First Amendment challenge brought by EFF on behalf of our clients CREDO Mobile and Cloudflare. We
applaud our clients’ courage as part of a years-long court battle, conducted largely under seal and in secret.
We strongly disagree with the opinion and are weighing how to proceed in the case. Even though this ruling is disappointing, together EFF and our clients achieved a great deal over
the past six years. The lawsuit spurred Congress to amend the law, and our advocacy related to the case caused leading tech companies to also challenge NSLs. Along the
way, the government went from fighting to keep every single NSL gag order in place to the point where many have been lifted, some in whole and many in part. That includes this case, of
course, where we can now proudly tell the names of our clients to the world.
No matter what happens with these particular lawsuits, we are not done fighting unconstitutional use of NSLs and similar laws.
Making sense of a disappointing ruling
National security letters are a kind of subpoena issued by the FBI to communications service providers like our clients to force them to turn over customer records. NSLs nearly always
contain gag orders preventing recipients from telling anyone about these surveillance requests, all without any mandatory court oversight. As a result, the Internet and communications
companies that we all trust with our most sensitive information cannot be truthful with their customers and the public about the scope of government surveillance.
NSL gags are perfect examples of “prior restraints,” government orders prohibiting speech rather than punishing it after the fact. The First Amendment embodies the Founders’ strong
distrust of prior restraints as powerful censorship tools, and the Supreme Court has repeatedly said they are presumptively unconstitutional unless they meet the “most exacting”
judicial scrutiny. Similarly, because NSLs prevent recipients from talking about the FBI’s request for customer data, they are content-based restrictions on speech, which are subject
to strict scrutiny. So NSL gags ought to be put to the strictest of First Amendment tests.
Unfortunately, the Ninth Circuit questioned whether NSLs are prior restraints at all. And although the court did acknowledge they are separately content-based restrictions on speech,
it said the law is narrowly tailored even though it plainly allows censorship that is broader in scope and longer in duration than the government actually needs. As a result,
the court held the government’s interest in national security overcomes any First Amendment interests at stake.
The ruling is seriously flawed.
In order to find that the law satisfied strict scrutiny, the court overlooked both the overinclusiveness and indefinite duration of NSL gag orders. Narrow tailoring requires that a
restriction on speech be fitted carefully to just what the government needs to protect its investigation and that no less speech-restrictive alternatives are available.
But NSLs are often wildly overinclusive. For example, they prevent even a company with millions of users like Cloudflare from simply saying it has received an NSL, on the theory that
individual users engaged in terrorism or espionage might somehow infer from that fact alone that the government is on their trail.
The court admitted that a blanket gag in this scenario might well be overinclusive, but it simply deferred to the FBI’s decisionmaking. But of course, under the First Amendment,
decisions about censorship aren’t supposed to be left to officials whose “business is to censor.” And here,
we know that NSLs routinely issue to big tech companies with large numbers of users like both Cloudflare and CREDO, and only in rare circumstances does the FBI allow these companies
to report on specific NSLs they’ve received.
Similarly, the FBI often leaves NSL gags in place indefinitely, sometimes even permanently. Indeed, the FBI has told our client CREDO that one of the NSLs in the case is now
permanent, and the Bureau will not further revisit the gag it imposed to determine whether it still serves national security. Here again, the court acknowledged that at the least,
narrow tailoring requires a gag “must terminate when it no longer serves” the government’s national security interests. But instead of applying the First Amendment’s narrow
tailoring requirement, the court declined to “quibble” with the censoring agency, the FBI, and its loophole-ridden internal
procedures for reviewing NSLs. Nevertheless, these procedures “do not resolve the duration issue entirely,” as the Ninth Circuit understatedly put it, since they may still produce
permanent gags, as with CREDO. As a result, the court suggested that NSL recipients can repeatedly challenge permanent gags until they’re finally lifted.
The problem of prior restraints and judicial review
However, that points to the other fundamental problem with NSLs: they are issued without any mandatory court oversight. As discussed above, prior restraints are almost never
constitutional. The Supreme Court has said that even in the rare circumstance when prior restraints can be justified, they must be approved by a neutral court, not just an executive
official. But the NSL statute doesn’t require a court to be involved in all cases; instead, judicial review takes place only if NSL recipients file a lawsuit, like our clients did, or
if they ask the government to go to court to review the gag using a procedure known as “reciprocal notice.”
The Ninth Circuit had two responses to this lack of judicial oversight.
First, it wrongly suggested the law of prior restraints simply does not apply here. The theory is that unlike cases involving newspapers that are prevented from publishing, NSL
recipients haven’t shown a preexisting desire to speak, and when they do, they’re asking to publish information they supposedly learned from the government. But as we pointed out,
that’s inconsistent with case law that says, for instance, that witnesses at grand jury proceedings—which are historically both secret and subject to court oversight—cannot be
indefinitely gagged from talking about their own testimony. NSL gags go much further.
Second, the court suggested that even though the burden is on NSL recipients to challenge gags, this is a “de minimis” burden that doesn’t violate the First Amendment. When Congress
passed the USA FREEDOM Act in 2015, it gave recipients the option of invoking reciprocal notice and asking the government to go to court rather than filing their own lawsuit. That’s
simply not good enough; the First Amendment requires the government be the one to go to court to prove to a judge it actually requires an NSL accompanied by a gag. Not to
mention that forcing companies that receive NSLs to fight them in court and defend user privacy may actually be a heavy burden.
Big progress nonetheless
Despite these considerable errors in the Ninth Circuit’s opinion, we shouldn’t lose sight of progress made along the way. Nearly all of the features of the NSL statute that the court
pointed to as saving graces of the law—the FBI’s internal review procedures and the option for reciprocal notice most notably—exist only because Congress stepped in during our lawsuit to amend the law.
So what’s left to providers that receive NSLs? Push back on the gags early and often. The “reciprocal notice” process, which the government says only requires a short letter or a
phone call, should be done as a matter of course for any company receiving an NSL. And since the Ninth Circuit said that courts retain the ability to re-evaluate the gags as
long as they remain in place, gagged providers should ask a court to step in and make sure the FBI can still prove the need for the gag—potentially over and over—until the gag is
finally lifted. EFF wants to help with this, and we’re happy to consult with anyone subject to an NSL gag.
We’ve also encouraged technology companies to make the best of the reciprocal notice procedure as part of our
annual Who Has Your Back? report. If the government continues to argue that recipients don’t necessarily “want to speak” about NSLs, we can now point to the growing trend
of major tech companies—Apple, Adobe, and Dropbox, among others—that have committed to invoking reciprocal notice and
challenging every NSL they receive.
Finally, we’ve seen other courts question gag orders in related contexts, and we’ve supported companies like Facebook and Microsoft in these fights. We’re
confident that in the long run, these prior restraints will be roundly rejected yet again.
Microsoft Bing Reverses Sex-Related Censorship in the Middle East
(Tue, 18 Jul 2017)
Imagine trying to do online research on breast cancer, or William S. Burroughs’ famous novel Naked Lunch, only to find that your search results keep coming up blank. This is
the confounding situation that faced Microsoft Bing users in the Middle East and North Africa for years, made especially confusing by the fact that if you tried the same searches on
Google, it did offer results for these terms.
Problems caused by the voluntary blocking of certain terms by intermediaries are well-known; just last week, we wrote about how payment processors like Venmo are blocking payments from users who describe
the payments using certain terms—like Isis, a common first name and name of a heavy metal band, in addition to its usage as an acronym for the Islamic State. Such keyword-based
filtering algorithms will inevitably result in overblocking and false positives because of their disregard for the context in which the words are used.
Search engines also engage in this type of censorship—in 2010, I co-authored a paper [PDF]
documenting how Microsoft Bing (brand new at the time) engaged in filtering of sex-related terms in the Middle East and North Africa, China, India, and several other locations by not
allowing users to turn off “safe search”. Despite the paper and various advocacy efforts
over the years, Microsoft refused to budge on this—until recently.
At RightsCon this year, I led a panel discussion about the censorship of sexuality online, covering a variety
of topics from Facebook’s prudish ideas about the
female body to the UK’s restrictions on
“non-conventional” sex acts in pornography to Iceland’s various attempts to ban online pornography. During the panel, I also raised the issue of
Microsoft’s long-term ban on sexual search terms in the Middle East, noting specifically that the company’s blanket ban on the entire region seemed more a result of bad market
research than government interference, based on the fact that a majority of countries in the MENA region do not block pornography, let alone other sexual content.
Surprisingly, not long after the conference, I did a routine check of Bing and was pleased to discover that “Middle East” had disappeared from the search engine’s location settings, replaced with “Saudi Arabia.” The
search terms are still restricted in Saudi Arabia (likely at the request of the government), but users in other countries across the diverse region are no longer subject to
Microsoft’s safe search. Coincidence? It's hard to say; just as we didn't know Microsoft's motivations for blacklisting sexual terms to begin with, it was no more transparent about
its change of heart.
Standing up against this kind of overbroad private censorship is important—companies shouldn’t be making decisions based on assumptions about a given market, and without transparency
and accountability. Decisions to restrict content for a particular reason should be made only when legally required, and with the highest degree of transparency possible. We commend
Microsoft for rectifying their error, and would like to see them continue to make their search filtering policies and practices more open and transparent.
Network Engineers Speak Out for Net Neutrality
(Tue, 18 Jul 2017)
Today, a group of over 190 Internet engineers, pioneers, and technologists filed comments with the Federal
Communications Commission explaining that the FCC’s plan to roll back net
neutrality protections is based on a fundamentally flawed and outdated understanding of how the Internet works.
Signers include current and former members of the Internet Engineering Task Force and Internet Corporation for Assigned Names and Numbers' committees, professors, CTOs, network
security engineers, Internet architects, systems administrators and network engineers, and even one of the inventors of the Internet’s core communications protocol.
This isn’t the first time many of these engineers have spoken out on the need for open Internet protections. In 2015, when the EFF and ACLU filed a friend-of-the-court brief defending the net neutrality rules, dozens of engineers signed onto a statement supporting the technical justifications for the Open Internet Order.
The engineers’ statement filed today contains facts about the structure, history, and evolving nature of the Internet; corrects technical errors in the proposal; and gives concrete
examples of the harm that will be done should the proposal be accepted.
The engineers explain that:
"Based on certain questions the FCC asks in the Notice of Proposed Rulemaking (NPRM), we are concerned that the FCC (or at least Chairman Pai and the authors of the NPRM) appears
to lack a fundamental understanding of what the Internet's technology promises to provide, how the Internet actually works, which entities in the Internet ecosystem provide which
services, and what the similarities and differences are between the Internet and other telecommunications systems the FCC regulates as telecommunications services."
The engineers point to specific errors in the NPRM. As one example among many: the NPRM tries to argue that ISPs, not edge providers, are the main drivers for services such as
streaming movies, sharing photos, posting on social media, automatic translation, and so on. The NPRM also erroneously assumes that transforming an IP packet from IPv4 to IPv6 somehow
changes the form of the payload.
The engineers explain how the Internet (and in particular broadband) has changed since 2002, when the FCC first explicitly classified broadband internet access service as an
information service, and why that classification is no longer appropriate in light of technical developments. Drawing on this background information, they then respond to specific
questions from the NPRM in order to correct the FCC's mistakes.
The statement provides nearly a dozen different examples of consumer harm that could have been prevented by the light-touch, bright-line rules—like when AT&T distorted the market
for content by using its gatekeeping power to not charge its customers for its
DIRECTV video service while charging third-parties more to similarly zero-rate data. It also gives several examples of consumer benefits that happened as a result of the 2015 Open
Internet Order, like mobile service providers finally removing the prohibition that was stopping customers from tethering their personal computers to their mobile devices in order to
use their mobile broadband connections.
The NPRM fundamentally misunderstands the basic technology underlying how the Internet works. If the FCC were to move forward with its NPRM as proposed, the results could be
disastrous: the FCC would be making a major regulatory decision based on plainly incorrect assumptions about the underlying technology and Internet ecosystem that will have a
disastrous effect on innovation in the Internet ecosystem as a whole.
EFF to FCC: Tossing Net Neutrality Protections Will Set ISPs Free to Throttle, Block, and Censor the Internet for Users
(Tue, 18 Jul 2017)
FCC Plan to Scuttle Open Internet Rule 'Disastrous' For the Future of the Internet, Experts Say
Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the FCC to keep in place net neutrality rules, which are essential to prevent cable companies like Comcast and Verizon
from controlling, censoring, and discriminating against their subscribers’ favorite Internet content.
In comments submitted today, EFF came out strongly in opposition to the FCC’s plan to reverse the agency’s 2015 open Internet
rules, which were designed to guarantee that service providers treat everyone’s content equally. The reversal would send a clear signal that those providers can engage in data
discrimination, such as blocking websites, slowing down Internet speeds for certain content—known as throttling—and charging subscribers fees to access movies, social media, and other
entertainment content over “fast lanes.” Comcast, Verizon, and AT&T supply Internet service to millions of Americans, many of whom have no other alternatives for high-speed
access. Given the lack of competition, the potential for abuse is very real.
EFF’s comments join those of many other user advocates, leading computer engineers, entrepreneurs, faith communities,
libraries, educators, tech giants, and start-ups that are fighting for a free and open Internet. Last week those players gave the Internet a taste of what a world without net neutrality would look like by temporarily blocking and throttling their
content. Such scenarios aren’t merely possible—they are likely, EFF said in its comments. Internet service providers (ISPs) have already demonstrated that they are willing to
discriminate against competitors and block content for their own benefit, while harming the Internet experience of users.
“ISPs have incentives to shape Internet traffic and the FCC knows full well of instances where consumers have been harmed. AT&T blocked data sent by Apple’s FaceTime software, Comcast has
interfered with Internet traffic generated by certain applications, and ISPs have rerouted users’ web searches to websites they didn’t request or expect,” said EFF Senior Staff
Attorney Mitch Stoltz. “These are just some examples of ISPs controlling our Internet experience. Users pay them to connect to the Internet, not decide for them what they can see and
Nearly 200 computer scientists, network engineers, and Internet professionals also submitted comments today highlighting deep flaws in the FCC’s technical description of how the Internet works. The FCC is attempting to pass off its incorrect technical analysis to
justify its plan to reclassify ISPs so they are not subject to net neutrality rules. The engineers’ submission—signed by such experts as Vint Cerf, co-designer of the Internet’s
fundamental protocols; Mitch Kapor, a personal computer industry pioneer and EFF co-founder; and programmer Sarah Allen, who led the team that created Flash video—sets the record
straight about how the Internet works and how rolling back net neutrality would have disastrous effects on Internet innovation.
“We are concerned that the FCC (or at least Chairman Pai and the authors of the Notice of Proposed Rulemaking) appears to lack a fundamental understanding of what the Internet’s
technology promises to provide, how the Internet actually works, which entities in the Internet ecosystem provide which services, and what the similarities and differences are between
the Internet and other telecommunications systems the FCC regulates as telecommunications services,” the letter said.
“It is clear to us that if the FCC were to reclassify broadband access service providers as information services, and thereby put the bright-line, light-touch rules from the
Open Internet Order in jeopardy, the result could be a disastrous decrease in the overall value of the Internet.”
With Release of NAFTA Negotiating Objectives, Our New Infographic Makes Sense of It All
(Tue, 18 Jul 2017)
The United States Trade Representative (USTR) has just released its trade negotiating
objectives [PDF] for a revision of NAFTA, the North American Free Trade Agreement between the United States, Mexico, and
Canada. NAFTA is expected to open up a new front in big content's neverending battle for stricter copyright rules, following the unexpected defeat of the Trans-Pacific Partnership (TPP). Meanwhile,
big tech companies are now wielding increasing influence with the USTR, and demanding that it negotiate rules that protect their businesses also, such as prohibitions against
restrictions on the cross-border transfer of data.
In EFF's comments to the USTR about what its negotiating objectives should
be, we urged it not to include new copyright rules in NAFTA, because of how this would prevent the United States from improving its current law or adapting to technological change. We
also expressed the need for caution about including some of the new digital trade (or e-commerce) rules that big tech companies have been asking for, for similar reasons, and because
the trade negotiation process notoriously lacks the balance that would be required for it to negotiate a sound set of rules.
The negotiating objectives are hopelessly general, but it seems that our requests largely fell on deaf ears. The negotiating objectives on intellectual property relevantly include to:
Ensure provisions governing intellectual property rights reflect a standard of protection similar to that found in U.S. law.
Provide strong protection and enforcement for new and emerging technologies and new methods of transmitting and distributing products embodying intellectual property, including in
a manner that facilitates legitimate digital trade. ...
Ensure standards of protection and enforcement that keep pace with technological developments, and in particular ensure that rightholders have the legal and technological means to
control the use of their works through the Internet and other global communication media, and to prevent the unauthorized use of their works.
Provide strong standards [of, sic] enforcement of intellectual property rights, including by requiring accessible, expeditious, and effective civil, administrative, and criminal
These provisions are consistent with the U.S. demanding similar provisions to those that had been contained in the TPP, including life plus 70 year terms of copyright protection,
criminal penalties for "commercial scale" copyright infringement, and legal protections for DRM—all of which would be new to NAFTA. Disappointingly, there is no reference to be found
to the inclusion of a "fair use" exception to copyright, as we had requested in our submission.
Digital Trade (E-Commerce) Rules
As for digital trade, the objectives include to:
Ensure non-discriminatory treatment of digital products transmitted electronically and guarantee that these products will not face government-sanctioned discrimination based on
the nationality or territory in which the product is produced.
Establish rules to ensure that NAFTA countries do not impose measures that restrict crossborder data flows and do not require the use or installation of local computing
Establish rules to prevent governments from mandating the disclosure of computer source code.
While some of these rules might not be harmful, if they were drafted in an adequately open and consultative fashion, we have previously expressed concerns that the ban on restrictions
on crossborder data flows may not allow countries adequate policy space
to protect the privacy of users' data. We are also worried about the possibility that a blanket ban on laws requiring the disclosure of source code could limit countries from introducing new measures to protect users
from vulnerabilities in digital products such as routers and Internet of Things (IoT) devices.
Our New Infographic Makes Sense of It All
You might well be wondering how the new version of NAFTA will compare with other digital trade negotiations, such as the TPP (which could still rise again between the other eleven
countries besides the United States), and the Regional Comprehensive Economic Partnership (RCEP, whose negotiators are meeting this week in Hyderabad, India). To help explain,
we've put together this infographic which illustrates five of the major ongoing trade agreements that are likely to contain provisions on digital issues. It provides a quick overview
of their current status, the countries involved, and the issues that they contain.
One thing that all of these agreements have in common is that there is no easy way for users to access them. Negotiation rounds take place in far-flung cities of the world, with
little or sometimes no notice to the general public, and next to no transparency about the texts under discussion, and with little or no official means of access to the negotiators
for public interest advocates such as EFF. Nevertheless, EFF is on the ground in Hyderabad this week to stand up for users, and we plan to do the same in the coming NAFTA negotiations
Despite today's release of the USTR's negotiating objectives for NAFTA, they are nowhere near detailed enough for us to know what rules the USTR will really be asking for from our
partners. And that's dangerous, because we don't really know what we're fighting against, and whether our fears are justified or overblown. Worse, we might never know until
the agreement is concluded—unless it is leaked in the meantime. That's just not acceptable, and it needs to change.
Keep reading Deeplinks for updates on the progress of each of these trade agreements, and how they will affect you. And if you'd like to support our difficult work in fighting for
users' rights in all of these secretive venues, you can help by donating to EFF.
CBP Responds to Sen. Wyden: Border Agents May Not Search Travelers’ Cloud Content
(Mon, 17 Jul 2017)
Border agents may not use travelers’ laptops, phones, and other digital devices to access and search cloud content, according to a new document by U.S. Customs and Border Protection
(CBP). CBP wrote this document on June 20, 2017, in response to questions from Sen. Wyden
(D-OR). NBC published it on July 12. It states:
In conducting a border search, CBP does not access information found only on remote servers through an electronic device presented for examination, regardless of whether those
servers are located abroad or domestically. Instead, border searches of electronic devices apply to information that is physically resident on the device during a CBP inspection.
This is a most welcome change from prior CBP policy and practice. CBP’s 2009 policy on border searches of
digital devices does not prohibit border agents from using those devices to search travelers’ cloud content. In fact, that policy authorizes agents to search “information encountered
at the border,” which logically would include cloud content encountered by searching a device at the border.
We do know that border agents have used travelers’ devices to search their cloud content. Many news reports describe border agents
scrutinizing social media and communications apps on travelers’ phones, which show agents conducting cloud searches.
EFF will monitor whether actual CBP practice lives up to this salutary new policy. To help ensure that border agents follow it, CBP should publish it. So far, the public only has
second-hand information about this “nationwide muster” (the term CBP’s June 17 document uses to describe this new CBP written policy on searching cloud data). Also, CBP should stop
seeking social media handles from foreign visitors, which blurs CBP’s new instruction to border agents that cloud searches
are off limits.
Separately, CBP’s responses to Sen. Wyden’s questions explain what will happen to a U.S. citizen who refuses to comply with a border agent’s demand to disclose their device
password (or unlock their device) in order to allow the agent to search their device:
[A]lthough CBP may detain an arriving traveler’s electronic device for further examination, in the limited circumstances when that is appropriate, CBP will not prevent a traveler
who is confirmed to be a U.S. citizen from entering the country because of a need to conduct that additional examination.
This is what EFF told travelers would happen in our March 2017 border guide, based on
law and reported CBP practice. It is helpful that CBP has confirmed this in writing. However, CBP also should publicly state whether U.S. lawful permanent residents (green card
holders) will be denied entry for not facilitating a CBP search of their devices. They should not be denied entry. Notably, Sen. Wyden asked CBP to answer this question about all
“U.S. persons,” and not just U.S. citizens.
CBP’s responses leave other important questions unanswered. For example, CBP should publicly state whether, when border agents ask travelers for their device passwords, the agents
must (in the words of Sen. Wyden) “first inform the traveler that he or she has the right to refuse.” CBP did not answer this question. The international border is an inherently
coercive environment, where harried travelers must seek permission to come home from uniformed and frequently armed agents in an unfamiliar space. To ensure that agents do not
strong-arm travelers into surrendering their digital privacy, agents should be required to inform travelers that they may choose not to unlock their devices.
Also, CBP should publicly answer Sen. Wyden’s question about how many times in the last five years CBP has searched a device “at the request of another government agency.” Such
searches will usually be improper. Historically, courts have granted border agents greater search powers than other law enforcement officials, but only for purposes of enforcing
customs and immigration laws. If border agents search travelers at the request of other agencies, they presumably do so for other purposes, and so use of their heightened powers is
improper. While CBP’s document provides information about CBP’s assistance requests to other agencies (for example, to seek technical help with decryption), this sheds no light on
other agencies’ requests to CBP to use a traveler’s presence at the border as an excuse to conduct a warrantless search, which likely would not be justified at the interior of the
EFF applauds Sen. Wyden for his leadership in congressional oversight of CBP’s border device searches. We also thank CBP for answering
some of Sen. Wyden’s questions. But many questions remain.
CBP’s June 2017 responses confirm that much more must be done to protect travelers’ digital privacy at the U.S. border. An excellent first step would be to enact Sen. Wyden’s
bipartisan bill to require border agents to get a warrant before searching the digital devices of
EFF to Minnesota Supreme Court: Sheriff Must Release Emails Documenting Biometric Technology Use
(Mon, 17 Jul 2017)
A Minnesota sheriff’s office must release emails showing how it uses biometric technology so that the community can understand how invasive it is, EFF argued in a brief filed in the
Minnesota Supreme Court on Friday.
The case, Webster v. Hennepin County, concerns a particularly egregious failure to respond to a public records request that an individual filed as part of a 2015 EFF and MuckRock campaign to track biometric technology use by law enforcement across
EFF has filed two briefs in support of web engineer and
public records researcher Tony Webster’s request, with the latest brief [.pdf] arguing that
agencies must provide information contained in emails to help the public understand how a local sheriff uses biometric technology. The ACLU of Minnesota joined EFF on the brief.
As we write in the brief:
This case is not about whether or how the government may collect biometric data and develop and domestically deploy information-retrieval technology as a potential sword against
the general public. That is just one debate we must have, but critical to it and all public debates is that it be informed by public [records]
The case began when Webster filed a request based on EFF’s letter template with Hennepin County, a jurisdiction that includes Minneapolis, host city of the 2018 Super Bowl. He
sought emails, contracts, and other records related to the use of technology that can scan and recognize fingerprints, faces, irises, and other forms of biometrics.
After the county basically ignored the request, Webster sued. An administrative law judge ruled in 2015 that the county had violated the state’s public records law both because it
failed to provide documents to Webster and because it did not have systems in place to quickly search and disclose electronic records.
An intermediate appellate court ruled in 2016 that the county had to turn over the records Webster sought, but it reversed the lower court’s ruling that the county did not have
adequate procedures in place to respond to public records requests.
Both Webster and the county appealed the ruling to the Minnesota Supreme Court. In its appeal, the county argues that public records requesters create undue burden on agencies when
they specify that they search for particular key words or search terms.
EFF’s brief in support of Webster points out the flaws in the county’s search term argument. Having requesters identify specific search terms for documents they seek helps agencies
conduct better searches for records while narrowing the scope of the request. This ultimately reduces the burden on agencies and leads to records being released more quickly.
EFF would like to thank attorneys Timothy Griffin and Thomas Burman of Stinson Leonard Street LLP for drafting the brief and serving as
Australian PM Calls for End-to-End Encryption Ban, Says the Laws of Mathematics Don't Apply Down Under
(Fri, 14 Jul 2017)
"The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia", said Australian Prime Minister Malcolm Turnbull today. He has
been rightly mocked for this nonsense claim, that foreshadows moves to require online messaging providers to provide law enforcement with back door access to encrypted messages. He
explained that "We need to ensure that the internet is not used as a dark place for bad people to hide their criminal activities from the law." It bears repeating that Australia is
part of the secretive spying and information sharing Five Eyes alliance.
But despite the well-deserved mockery that ensued, we shouldn't make too
much light of the real risk that this poses to Internet freedom in Australia. It's true enough, for now, that a ban on end-to-end encrypted messaging in Australia would have
absolutely no effect on "bad people", who would simply avoid using major platforms with weaker forms of encryption, in favor of other apps that use strong end-to-end encryption based
on industry standard mathematical algorithms. It would hurt ordinary citizens who rely on encryption to make sure that their conversations are secure and private from prying eyes.
However, as similar demands are made elsewhere around the world, more and more app developers might fall under national laws that require them to compromise their encryption
standards. Users of those apps, who may have a network of contacts who use the same app, might hesitate to shift to another app that those contacts don't use, even if it would be more
secure. They might also worry that using end-to-end encryption would be breaking the law (a concern that "bad people" tend to be far less troubled by). This will put those users at
If enough countries go down the same misguided path, that sees Australia following in the steps of Russia and the United Kingdom, the future could be a new international agreement banning strong
encryption. Indeed, the Prime Minister's statement is explicit that this is exactly what he would like to see. It may seem like an unlikely prospect for now, with strong statements at the United Nations level in support of end-to-end encryption, but we truly can't
know what the future will bring. What seems like a global accord today might very well start to crumble as more and more countries defect from it.
We can't rely on politicians to protect our privacy, but thankfully we can rely on math ("maths", as Australians say). That's what makes access to strong encryption so important, and
Australia's move today so worrying. Law enforcement should have the tools they need to investigate crimes, but that cannot extend to a ban on the use of mathematical algorithms in
software. Mr Turnbull has to understand that we either have an internet that "bad people" can use, or we don't have an Internet. It's actually as simple as that.
California's Top Newspapers Endorse Broadband Privacy Bill
(Fri, 14 Jul 2017)
Broadband privacy? Say what? That was probably what you were asking yourself in March when you read about Congress’s vote to repeal privacy rules for your Internet provider. If you
were paying attention—and you should in an era where free press, voter privacy, and other constitutional rights are being challenged—you
quickly realized what Congress did. It sold out your right to keep your browsing history and personal information private so the cable companies can sell it and make even more money
off of you than they already do. Nice, right?
Luckily, many states, including California, have stepped up to the plate for you. They have introduced bills that give back to you the right to control how your private information is
used by the companies that control the Internet pipeline into your home. In California, lawmakers in Sacramento are considering a bill that would reinstate those privacy rules,
requiring Internet providers to get your permission before they can profit off of your personal information.
Silicon Valley should rally behind Chau’s AB 375 and ensure online privacy protections for all Californians —San Jose Mercury News
California has always led the country on many fronts: the environment, civil liberties, to name a few. It’s time for us to lead now. California’s top media organizations have gotten behind this
legislation, A.B. 375, introduced by Assemblymember Ed Chau, a Democrat from Monterey Park.
If you care about your online privacy, you should, too. Here’s what the editorial boards of the state’s leading newspapers have to say:
Sacramento Bee Editorial Board
AT&T, Comcast and other Internet service providers can continue to track every search you make and website you visit and sell that information to the highest bidder, under
legislation recently signed by President Donald Trump.
That legislation, which reversed an Obama regulation, ought to alarm any American who ventures online, no matter their political persuasion. Now comes Assemblyman Ed Chau, a Democrat
from Monterey Park, carrying a bill that for Californians would reverse the legislation and provide some privacy at a time when seemingly nothing is private.
San Diego Union-Tribune Editorial Board
Assembly Bill 375 would require Internet service providers to have customers “opt in” before they are allowed to sell information on their online searches and visits. Here’s hoping
state lawmakers realize the value of having such a law and reject the telecom companies’ claim that it is “unfair” to not let them capitalize on the sort of information that Facebook
and Google accumulate about their users.
The difference, of course, is that people pay heavily for Internet service because in the modern era, it is akin to a must-have utility. Facebook and Google are free. It is absurd
that consumers paying companies for a service should be expected to accept that the price paid includes a gross loss of privacy.
San Francisco Chronicle
AB375, by Assemblyman Ed Chau, D-Monterey Park (Los Angeles County), would address actions taken in March by President Trump and the Republican-dominated Congress that killed an FCC
privacy rule allowing customers to prevent giant phone and cable companies from gathering and using personal data such as their financial and health choices. Chau’s bill, which is
still in committee, would restore those protections for Californians. It should pass.
California is uniquely able to take a strong stand in favor of consumer privacy. If the digital age has a technological and corporate center, it is here. We’re also large enough to
make a difference nationally.
San Jose Mercury News
California has an obligation to take a lead in establishing the basic privacy rights of consumers using the Internet. Beyond being the right thing to do for the whole country,
building trust in tech products is an essential long-term business strategy for the industry that was born in this region. California Assemblyman Ed Chau, D-Monterey Park, understands
this. After Congressional Republicans erased Americans’ Internet broadband privacy protections in March, Chau crafted A.B. 375 to at least provide these rights to Californians.
Payment Processors Are Profiling Heavy Metal Fans as Terrorists
(Fri, 14 Jul 2017)
If you happen to be a fan of the heavy metal band Isis (an unfortunate name, to be sure), you may have trouble ordering its merchandise
online. Last year, PayPal suspended a fan who ordered an Isis
t-shirt, presumably on the false assumption that there was some association between the heavy metal band and the terrorist group ISIS.
Then last month Internet scholar and activist Sascha Meinrath discovered that entering words such as "ISIS" (or "Isis"), or "Iran", or (probably) other words from this U.S. government blacklist in the description field for a Venmo payment will result in an
automatic block on that payment, requiring you to complete a pile of paperwork if you want to see your money again. This is even if the full description field is something like "Isis
heavy metal album" or "Iran kofta kebabs, yum."
These examples may seem trivial, but they reveal a more serious problem with the trust and responsibility that the Internet places in private payment intermediaries. Since even many
non-commercial websites such as EFF's depend on such intermediaries to process payments, subscription fees, or donations, it's no exaggeration to say that payment processors form an
important part of the financial infrastructure of today's Internet. As such, they ought to carry corresponding responsibilities to act fairly and openly towards their customers.
Unfortunately, given their reliance on bots, algorithms, handshake deals, and undocumented policies and blacklists to control what we do online, payment intermediaries aren't carrying
out this responsibility very well. Given that these private actors are taking on responsibilities to help address important global problems such as terrorism and child online protection, the lack of transparency and accountability with which they execute these weighty responsibilities is a matter of
The readiness of payment intermediaries to do deals on those important issues leads as a matter of course to their enlistment by governments and special interest groups to do similar
deals on narrower issues, such as the protection of the financial interests of big pharma, big tobacco, and big content. It is in this way that payment intermediaries have insidiously
become a weak link for censorship of free speech.
Cigarettes, Sex, Drugs, and Copyright
For example, if you're a smoker, and you try to buy tobacco products from a U.S. online seller using a credit card, you'll probably find that you can't. It's not illegal to do so, but
thanks to a "voluntary" agreement with law enforcement authorities dating back to 2005, payment
processors have effectively banned the practice—without any law or court judgment.
Another example that we've previously written about is the payment processors' arbitrary rules blocking sites that discuss sexual fetishes, even though that speech is
constitutionally protected. The congruence between the payment intermediaries' terms of service on the issue suggests a degree of coordination between them, but their lack
of transparency makes it impossible to be sure who was behind the ban and what channels they used to achieve it.
A third example is the ban on pharmaceutical sales. You can still buy
pharmaceuticals online using a credit card, but these tend to be from unregulated, rogue pharmacies that lie to the credit card processors about the purpose for which their merchant
account will be used. For the safer, regulated pharmacies that require a prescription for the drugs they sell online, such as members of the Canadian International Pharmacy
Association (CIPA), the credit card processors enforce a blanket ban.
Finally there are "voluntary" best practices on copyright and trademark infringement. These include the RogueBlock program of the International Anti-Counterfeiting Coalition (IACC)
in 2012, about which information is available online, along with a 2011 set of "Best Practices to Address Copyright Infringement and the Sales of Counterfeit Products on the
Internet," about which no online information is found. The only way that you can find out about the standards that payment intermediaries use to block websites accused of copyright or
trademark infringement is by reading what academics have written about it.
Lack of Transparency Invites Abuse
The payment processors might respond that their terms of service are available online, which is true. However, these are ambiguous at best. On Venmo, transactions for items that promote hate, violence, or racial intolerance are banned, but there is nothing in its terms of service to indicate
that including the name of a heavy metal band in your transaction will place it in limbo. Similarly, if you delve deep enough into PayPal's terms of service you will find out that
selling tickets to professional UK football matches is banned, but you won't find out how this restriction came about,
or who had a say in it.
Payment processors can do better. In 2012, in the wake of the payment industry's embargo of
Wikileaks and its refusal to process payments to European vendors of horror films and sex toys, the European Parliament Committee on Economic and Monetary Affairs made the following resolution:
[The Committee c]onsiders it likely that there will be a growing number of European companies whose activities are effectively dependent on being able to accept payments by card;
[and] considers it to be in the public interest to define objective rules describing the circumstances and procedures under which card payment schemes may unilaterally refuse
We agree. Bitcoin and other cryptocurrencies notwithstanding, online payment processing remains largely oligopolistic. Agreements between the few payment processors that make up the
industry and powerful commercial lobbies and governments, concluded in the shadows, can have deep impacts on entire online communities. When payment processors are drawing their terms
of service or developing algorithms that are based on industry-wide agreements, standards, or codes of conduct—especially if these involve governments or other third parties—they
ought to be developed through a process that is inclusive, balanced and accountable.
The fact that you can't use Venmo to purchase an Isis t-shirt is just one amusing example. But the Shadow Regulation of the payment services
industry is much more serious than that, also affecting culture, healthcare, and even your sex life online. Just as we've called other Internet intermediaries to account for the ways
in which their "voluntary" efforts threaten free
speech, the online payment services industry needs to be held to the same standard.
Net Neutrality Won't Save Us if DRM is Baked Into the Web
(Thu, 13 Jul 2017)
Yesterday's record-smashing Net Neutrality day of action showed that the Internet's users care about an open playing field and don't want a handful
of companies to decide what we can and can't do online.
Today, we should also think about other ways in which small numbers of companies, including net neutrality's biggest foes, are trying to gain the same kinds of control, with
the same grave consequences for the open web. Exhibit A is baking digital rights
management (DRM) into the web's standards.
ISPs that oppose effective net neutrality protections say that they've got the right to earn as much money as they can from their networks, and if people don't like it, they can just
get their internet somewhere else. But of course, the lack of competition in network service means that most people can't do this.
Big entertainment companies -- some of whom are owned by big ISPs! -- say that because they can make more money if
they can control your computer and get it to disobey you, they should be able to team up with browser vendors and standards bodies to make that a reality. If you don't like it, you
can watch someone else's movies.
Like ISPs, entertainment companies think they can get away with this because they too have a kind of monopoly -- copyright, which gives rightsholders the power to control many uses of
their creative works. But just like the current FCC Title II rules that stop ISPs from flexing their muscle to the detriment of web users, copyright law places limits on the powers of
Copyright can stop you from starting a business to sell unlicensed copies of the studios' movies, but it couldn't stop Netflix from starting a business that mailed DVDs around for money; it couldn't stop Apple from selling you a computer that would "Rip, Mix, Burn" your copyrighted music, and it couldn't stop cable companies from starting businesses that retransmitted broadcasters' signals.
That competitive balance makes an important distinction between "breaking the law" (not allowed) and "rocking the boat" (totally allowed). Companies that want to rock the boat are
allowed to enter the market with new, competitive offerings that go places the existing industry fears to tread, and so they discover new, unmapped and fertile territory for services
and products that we come to love and depend on.
But overbroad and badly written laws like Section 1201 of the 1998 Digital Millennium Copyright Act (DMCA) upset this balance. DMCA 1201 bans tampering with DRM, even if you're only
doing so to exercise the rights that Congress gave you as a user of copyrighted works. This means that media companies that bake DRM into the standards of the web get to decide what
kinds of new products and services are allowed to enter the market, effectively banning others from adding new features to our media, even when those features have been declared legal
ISPs are only profitable because there was an open Internet where new services could pop up, transforming the Internet from a technological curiosity into a necessity of life that
hundreds of millions of Americans pay for. Now that the ISPs get steady revenue from our use of the net, they want network discrimination, which, like the discrimination used by DRM
advocates, is an attempt to change "don't break the law" into "don't rock the boat" -- to force would-be competitors to play by the rules set by the cozy old guard.
For decades, activists struggled to get people to care about net neutrality, and their opponents from big telecom companies said, "people don't care, all they want is to get online,
and that's what we give them." The once-quiet voices of net neutrality wonks have swelled into a chorus of people who realize that an open web was important to their future. As we saw
yesterday, the public broadly demands protection for the open Internet.
Today, advocates for DRM say that "People don't care, all they want is to watch movies, and that's what we deliver." But there is an increasing realization that letting major movie
studios tilt the playing field toward them and their preferred partners also endangers the web's future.
Don't take our word for it: last April, Professor Tim Wu, who coined the term "net neutrality" and is one of the world's foremost advocates for a neutral web, published an open letter to Tim Berners-Lee, inventor of the web and Director of the World Wide Web Consortium
(W3C), where there is an ongoing effort to standardize DRM for the web.
In that letter, Wu wrote:
I think more thinking need be done about EME’s potential consequences for competition, both as between browsers, the major applications, and in ways unexpected. Control of
chokepoints has always and will always be a fundamental challenge facing the Internet as we both know. That’s the principal concern of net neutrality, and has been a concern when
it comes to browsers and their associated standards. It is not hard to recall how close Microsoft came, in the late 1990s and early 2000s, to gaining de facto control over the
future of the web (and, frankly, the future) in its effort to gain an unsupervised monopoly over the browser market.
EME, of course, brings the anti-circumvention laws into play, and as you may know anti-circumvention laws have a history of being used for purposes different than the original
intent (i.e., protecting content). For example, soon after it was released, the U.S. anti-circumvention law was quickly by manufacturers of inkjet printers and garage-door openers
to try and block out aftermarket competitors (generic ink, and generic remote controls). The question is whether the W3C standard with an embedded DRM standard, EME, becomes a
tool for suppressing competition in ways not expected.
This week, Berners-Lee made important and stirring contributions to the net neutrality debate, appearing in this
outstanding Web Foundation video and explaining how anti-competitive actions by ISPs endanger the things that made the web so precious and transformative.
Last week, Berners-Lee disappointed activists who'd asked for a modest
compromise on DRM at the W3C, one that would protect competition and use standards to promote the same level playing field we seek in our Net Neutrality campaigns. Yesterday, EFF
announced that it would formally appeal Berners-Lee's decision to
standardize DRM for the web without any protection for its neutrality. In the decades of the W3C's existence, there has never been a successful appeal to one of Berners-Lee's
The odds are long here -- the same massive corporations that oppose effective net neutrality protections also oppose protections against monopolization of the web through DRM, and
they can outspend us by orders of magnitude. But we're doing it, and we're fighting to win. That's because, like Tim Berners-Lee, we love the web and believe it can only continue as a
force for good if giant corporations don't get to decide what we can and can't do with it.
Industry Efforts to Censor Pro-Terrorism Online Content Pose Risks to Free Speech
(Thu, 13 Jul 2017)
In recent months, social media platforms—under pressure from a number of governments—have adopted new policies and practices to remove content that promotes terrorism. As the Guardian reported, these policies are typically
carried out by low-paid contractors (or, in the case of YouTube, volunteers) and with little to no transparency and accountability. While the motivations of these companies might be
sincere, such private censorship poses a risk to the free expression of Internet users.
As groups like the Islamic State have gained traction online, Internet intermediaries have come under pressure from governments and other actors, including the following:
the Obama Administration;
the U.S. Congress in the form of legislative proposals that would require Internet companies to report “terrorist activity” to the U.S. government;
the European Union in the form of a “code of conduct” requiring Internet companies to take down terrorist propaganda within 24 hours of being notified, and via the EU Internet
individual European countries such as the U.K., France and Germany that have proposed exorbitant fines for Internet companies that fail to take down pro-terrorism content; and,
victims of terrorism who seek to hold social media companies civilly liable in U.S. courts for providing “material support” to terrorists by simply providing online platforms for global communication.
One of the coordinated industry efforts against pro-terrorism online content is the development of a shared database of “hashes of the most extreme and egregious terrorist images and videos” that the
companies have removed from their services. The companies that started this effort—Facebook, Microsoft, Twitter, and Google/YouTube—explained that the idea is that by sharing “digital
fingerprints” of terrorist images and videos, other companies can quickly “use those hashes to identify such content on their services, review against their respective policies and
definitions, and remove matching content as appropriate.”
As a second effort, the same companies created the Global Internet Forum to Counter Terrorism, which will help the companies “continue to make our hosted consumer
services hostile to terrorists and violent extremists.” Specifically, the Forum “will formalize and structure existing and future areas of collaboration between our companies and
foster cooperation with smaller tech companies, civil society groups and academics, governments and supra-national bodies such as the EU and the UN.” The Forum will focus on
technological solutions; research; and knowledge-sharing, which will include engaging with smaller technology companies, developing best practices to deal with pro-terrorism content,
and promoting counter-speech against terrorism.
Internet companies are also taking individual measures to combat pro-terrorism content. Google announced several new efforts, while both Google and Facebook have committed to using artificial intelligence technology to find pro-terrorism content for removal.
Private censorship must be cautiously deployed
While Internet companies have a First Amendment right to moderate their platforms as they see fit, private censorship—or what we sometimes call shadow regulation—can be just as detrimental to users’ freedom of expression as governmental regulation of speech. As social media
companies increase their moderation of online content, they must do so as cautiously as possible.
Through our project Onlinecensorship.org, we monitor private censorship and advocate for companies to be more transparent and accountable
to their users. We solicit reports from users of when Internet companies have removed specific posts or other content, or whole accounts.
We consistently urge companies to follow basic guidelines to mitigate the impact on users’ free speech. Specifically, companies should have narrowly tailored, clear, fair, and
transparent content policies (i.e., terms of service or “community guidelines”); they should engage in consistent and fair enforcement of those policies; and they should have robust
appeals processes to minimize the impact on users’ freedom of expression.
Over the years, we’ve found that companies’ efforts to moderate online content almost always result in overbroad content takedowns or account deactivations. We, therefore, are
justifiably skeptical that the latest efforts by Internet companies to combat pro-terrorism content will meet our basic guidelines.
A central problem for these global platforms is that such private censorship can be counterproductive. Users who engage in counter-speech against terrorism often find themselves on
the wrong side of the rules if, for example, their post includes an
image of one of more than 600 “terrorist leaders” designated by Facebook. In one instance, a journalist from the United Arab Emirates was temporarily banned from the platform for
posting a photograph of Hezbollah leader Hassan Nasrallah with an LGBTQ pride flag overlaid on it—a clear case of parody counter-speech that Facebook’s content moderators failed to
A more fundamental problem is that having narrow definitions is difficult. What counts as speech that “promotes” terrorism? What even counts as “terrorism”? These U.S.-based companies
may look to the State Department’s list of designated terrorist organizations as a starting point. But Internet
companies will sometimes go further. Facebook, for example, deactivated the personal accounts of Palestinian journalists; it did the same thing for Chechen independence activists under the guise that they were involved in
“terrorist activity.” These examples demonstrate the challenges social media companies face in fairly applying their own policies.
A recent investigative report by ProPublica revealed how Facebook’s
content rules can lead to seemingly inconsistent takedowns. The authors wrote: “[T]he documents suggest that, at least in some instances, the company’s hate-speech rules tend to favor
elites and governments over grassroots activists and racial minorities. In so doing, they serve the business interests of the global company, which relies on national governments not
to block its service to their citizens.” The report emphasized the need for companies to be more transparent about their content rules, and to have rules that are fair for all users
around the world.
Artificial intelligence poses special concerns
We are concerned about the use of artificial intelligence automation to combat pro-terrorism content because of the imprecision inherent in systems that automatically block or
remove content based on an algorithm. Facebook has perhaps been the most aggressive in deploying AI in the form of machine learning technology in this context. The company’s latest AI efforts include using image matching to detect previously tagged content, using natural language
processing techniques to detect posts advocating for terrorism, removing terrorist clusters, removing new fake accounts created by repeat offenders, and enforcing its rules across
other Facebook properties such as WhatsApp and Instagram.
This imprecision exists because it is difficult for humans and machines alike to understand the context of a post. While it’s true that computers are better at some tasks than people,
understanding context in written and image-based communication is not one of those tasks. While AI
algorithms can understand very simple reading comprehension problems, they still struggle with even basic tasks such as capturing meaning in children’s books. And while it’s
possible that future improvements to machine learning algorithms will give AI these capabilities, we’re not there yet.
Google’s Content ID, for example, which was designed to address copyright infringement, has also
blocked fair uses, news reporting, and even posts by copyright owners themselves. If automatic takedowns based on copyright are difficult to get right, how can we expect new
algorithms to know the difference between a terrorist video clip that’s part of a satire and one that’s genuinely advocating violence?
Until companies can publicly demonstrate that their machine learning algorithms can accurately and reliably determine whether a post is satire, commentary, news reporting, or
counter-speech, they should refrain from censoring their users by way of this AI technology.
Even if a company were to have an algorithm for detecting pro-terrorism content that was accurate, reliable, and had a minimal percentage of false positives, AI automation would still
be problematic because machine learning systems are not robust to distributional change. Once machine learning algorithms are trained, they are as brittle as any other algorithm, and
building and training machine learning algorithms for a complex task is an expensive, time-intensive process. Yet the world that algorithms are working in is constantly evolving and
soon won’t look like the world in which the algorithms were trained.
This might happen in the context of pro-terrorism content on social media: once terrorists realize that algorithms are identifying their content, they will start to game the system by
hiding their content or altering it so that the AI no longer recognizes it (by leaving out key words, say, or changing their sentence structure, or a myriad of other ways—it depends
on the specific algorithm). This problem could also go the other way: a change in culture or how some group of people express themselves could cause an algorithm to start tagging
their posts as pro-terrorism content, even though they’re not (for example, if people co-opted a slogan previously used by terrorists in order to de-legitimize the terrorist group).
We strongly caution companies (and governments) against assuming that technology will be the panacea in identifying pro-terrorism content, because this technology simply doesn’t yet
Is taking down pro-terrorism content actually a good idea?
Apart from the free speech and artificial intelligence concerns, there is an open question of efficacy. The sociological assumption is that removing pro-terrorism content will reduce
terrorist recruitment and community sympathy for those who engage in terrorism. In other words, the question is not whether terrorists are using the Internet to recruit new
operatives—the question is whether taking down pro-terrorism content and accounts will meaningfully contribute to the fight against global terrorism.
Governments have not sufficiently demonstrated this to be the case. And some experts believe this absolutely not to be the case. For example, Michael German, a former FBI agent with
counter-terrorism experience and current fellow at the Brennan Center for Justice, said, “Censorship has never been an effective method of achieving security, and shuttering websites
and suppressing online content will be as unhelpful as smashing printing presses.” In fact, as we’ve argued before, censoring the content and accounts of determined groups could
be counterproductive and actually result in pro-terrorism content being publicized more widely (a phenomenon known as the Streisand Effect).
Additionally, permitting terrorist accounts to exist and allowing pro-terrorism content to remain online, including that which is publicly available, may actually be beneficial by
providing opportunities for ongoing engagement with these groups. For example, a Kenyan government official stated
that shutting down an Al Shabaab Twitter account would be a bad idea: “Al
Shabaab needs to be engaged positively and [T]witter is the only avenue.”
Keeping pro-terrorism content online also contributes to journalism, open source intelligence gathering, academic research, and
generally the global community’s understanding of this tragic and complex social phenomenon. On intelligence gathering, the United Nations has said that “increased Internet use for terrorist purposes provides a
corresponding increase in the availability of electronic data which may be compiled and analysed for counter-terrorism purposes.”
While we recognize that Internet companies have a right to police their own platforms, we also recognize that such private censorship is often in response to government pressure,
which is often not legitimately wielded.
Governments often get private companies to do what they can’t do themselves. In the U.S., for example, pro-terrorism content falls within the protection of the First Amendment. Other countries, many of which do not
have similarly robust constitutional protections, might nevertheless find it politically difficult to pass speech-restricting laws.
Ultimately, we are concerned about the serious harm that sweeping censorship regimes—even by private actors—can have on users, and society at large. Internet companies must be
accountable to their users as they deploy policies that restrict content.
First, they should make their content policies narrowly tailored, clear, fair, and transparent to all—as the Guardian’s Facebook Files demonstrate, some companies have a long way to go.
Second, companies should engage in consistent and fair enforcement of those policies.
Third, companies should ensure that all users have access to a robust appeals process—content moderators are bound to make mistakes, and users must be able to seek justice when that
Fourth, until artificial intelligence systems can be proven accurate, reliable and adaptable, companies should not deploy this technology to censor their users’ content.
Finally, we urge those companies that are subject to increasing governmental demands for backdoor censorship regimes to improve their annual transparency reporting to include
statistics on takedown requests related to the enforcement of their content policies.
Historic Day of Action: Net Neutrality Allies Send 1.6 Million Comments to FCC
(Thu, 13 Jul 2017)
When you attack the Internet, the Internet fights back.
Today, the Internet went all out in support of net neutrality. Hundreds of popular websites featured pop-ups suggesting that those sites had been blocked or throttled by
Internet service providers. Some sites got hilariously creative—Twitch replaced all of its emojis with that annoying
loading icon. Netflix shared GIFs that would never finish loading. PornHub simply noted that “slow porn sucks.”
Together, we painted an alarming picture of what the Internet might look like if the FCC goes forward with its plan to roll back net neutrality protections: ISPs prioritizing their
favored content sources and deprioritizing everything else. (Fight for the Future has put together a great collection of
examples of how sites participated in the day of action.)
Today has been about Internet users across the country who are afraid of large ISPs getting too much say in how we use the Internet. Voices ranged from huge corporations to ordinary
Internet users like you and me.
Together with Battle for the Net and other friends, we delivered 1.6 million comments to the FCC, breaking the record we set
during Internet Slowdown Day in 2014. The message was clear: we all rely on the Internet. Don’t dismantle net neutrality protections.
If you haven’t added your voice yet, it’s not too late. Take a few moments to tell the FCC why net neutrality is important to you. If you already
have, take a moment to encourage your friends to do the same.
Here are just a few examples of what Team Internet has been saying about net neutrality today.
“We live in an uncompetitive broadband market. That market is dominated by a handful of giant corporations that are being given the keys to shape telecom policy. The big internet
companies that might challenge them are doing it half-heartedly. And [FCC Chairman] Ajit Pai seems determined to offer up a massive corporate handout without listening to everyday
“Is this what you want? Does this sound like a path toward better, faster, cheaper internet access? Toward better products and services in a more competitive market? To me, it sounds
like Americans need to demand that our government actually hear our concerns, look at our skyrocketing bills, and make real policy that respects us, instead of watching the staff of
an unelected official laugh as he ignores us. It sounds like we need to flood the offices of the FCC and Congress with calls and paperwork, demanding to know how giving handouts to
huge corporations will help us.”
Nilay Patel, The Verge
“Title II net neutrality protections are the civil rights and free speech rules for the internet. When traditional media outlets refuse to pay attention, Black, indigenous, queer and
trans internet users can harness the power of the Internet to fight for lives free of police brutality and discrimination. This is why we’ll never stop fighting for enforcement of the
net neutrality rules we fought for and saw passed by the FCC two years ago. There’s too much at stake to urge anything less.”
Malkia Cyril, Co-Founder and Executive
Director, Center for Media Justice
“We’re still picking ourselves off the floor from all the laughing we did when AT&T issued a press release this afternoon announcing that it was joining the ‘Day of Action for
preserving and advancing the open internet.’
“If only it were true. In reality, AT&T is just a company that is deliberately misleading the public. Their lobbyists are lying. They want to kill Title II — which gives the FCC
the authority to actually enforce net neutrality — and are trying to sell a congressional ‘compromise’ that would be as bad or worse than what the FCC is proposing. No thanks.”
Craig Aaron and Candace Clement, Free Press
InternetIRL, presented by Color of Change
“Everyone except these ISPs benefits from an open Internet… that’s it. It’s like a handful of companies. Not only is this about business—and it is about business and
innovation—it’s also about freedom of speech.”
Sen. Al Franken
“No matter what, do not get discouraged or retreat into a state of silence and inaction. There are many like me who are listening and the role each of us plays is vital. We are not
alone in believing that the FCC should be a governmental agency ‘of the people, by the people, and for the people.’”
Mignon Clyburn, FCC Commissioner
To everyone who has participated in today’s day of action, thank you.
Dear Security Conference Speakers – EFF’s Coders Rights Project Has Your Back
(Wed, 12 Jul 2017)
Every year, EFF has lawyers with its Coders’ Rights Project on hand in Las Vegas at Black Hat, B-Sides and DEF CON for security
researchers with legal questions about their research or presentations. EFF’s Coders’ Rights Project protects programmers, researchers, hackers, and developers engaged in cutting-edge
exploration of technology. Security and encryption researchers help build a safer future for all of us using digital technologies, but too many legitimate researchers face serious legal challenges that prevent or inhibit their work.
The 2017 summer security conference legal team will include:
Staff Attorney Kit Walsh, who works on exemptions protecting security research and vehicle repair, along with a host of other beneficial activities threatened by Section 1201, the
anti-circumvention provision of the Digital Millennium Copyright Act (DMCA).
Criminal Defense Staff Attorney Stephanie Lacambra, a former Federal and San Francisco Public Defender who has turned her expertise toward defending your civil liberties online.
Senior Staff Attorney Nate Cardozo, a Computer Fraud and Abuse Act expert who works on issues including the Wassenaar Arrangement, cryptography, hardware hacking, and electronic
Deputy Executive Director and General Counsel Kurt Opsahl, who leads the Coders’ Rights Project and has been helping security researchers present at the summer security
conferences since DEF CON was at the Alexis Park.
If you are wondering whether your research falls into a legal gray area, or are concerned that the vendor will threaten legal action, please reach out to firstname.lastname@example.org. All EFF legal consultations are pro bono (free), part of our commitment to help the security researcher community. You can also stop by
the EFF booths at each conference to make an appointment with one of our attorneys, though we highly recommend contacting us as far in advance of your talk as possible.
And as always, even if you don’t have a legal question, come say hi at the booth or watch one of our talks at DEF CON
Opponents Hope to Mislead California’s Legislators Before They Vote on Broadband Privacy Next Week
(Wed, 12 Jul 2017)
The large broadband providers and their associations who spent millions in Washington, D.C. to repeal broadband privacy just a few months ago in Congress are fighting to protect their
victory in California. They are throwing every superficial argument against A.B. 375 in hopes of confusing California’s legislature enough to give them a pass despite an overwhelming
83% of the American public demanding a
response to the Congressional Review Act repeal of their privacy rights.
EFF obtained copies of their letters and feels it is vitally important that California’s elected officials know that the industry is unloading a plethora of misleading arguments, some of
which they themselves are actively contradicting in other forums. Here are some examples of their attempt to have it both ways—where they repealed our privacy rights in D.C.
yet express shock and dismay that state legislatures would respond to the public’s demands.
We Warned ISPs That Repealing the Federal Protections Would Result in a Patchwork of State by State Laws
The irony is that the very companies who spent millions of dollars lobbying in DC to repeal our federal broadband privacy rights are now fighting state attempts to protect consumers
because they supposedly prefer a federal rule. It is not lost on EFF that each state having to engage in broadband privacy individually without a federal floor is not ideal;
we have said as much during the fight in DC. While
California’s A.B. 375 represents model legislation EFF supports, not every state will enact the same law and some states may leave their citizens completely unprotected. That is a far
cry from where we were in 2016 before Congress repealed our broadband privacy rights, and it is because of companies like Comcast, AT&T, and Verizon that we have arrived at this
We fought hard to stop Congress from repealing our broadband privacy rights. Tens of thousands of Americans picked up the phone to demand Congress vote no on the broadband privacy
repeal but they were ignored. Today 83% of
the public, regardless of political affiliation, all believe that ISPs must secure their permission first before being allowed to sell their personal data. In other words, more
than 8 out of 10 Americans support what A.B. 375 seeks to codify into law.
Despite our repeated warnings to the industry and Congress that eliminating a uniform federal framework that protected personal information will result in states responding to protect
their citizens, they pushed ahead and now find themselves on defense across the country.
EFF supports states responding to the demands of the public for privacy protections, particularly in light of Congress having failed to do so. It has become even more important as the
Federal Communications Commission itself is actively undermining
consumer protections on behalf of Comcast, AT&T, and Verizon. It should surprise no one that state legislators who care about consumer privacy will act, and ultimately having
as many state laws on the books as possible to protect personal information is a superior outcome to having no clear protections at all.
And if A.B. 375 becomes law, we hope it would serve as the model for states across the country to avoid a patchwork problem, but again this problem was created by the ISP lobby
repealing the federal rules in the first place.
AT&T is a Leader in Contradicting Itself
To California’s Legislature, AT&T right now is saying the following:
“AT&T and other major Internet service providers have committed to legally enforceable Privacy Principles that are consistent with the privacy framework developed by the FTC over
the past twenty years.”
In essence, there is no need to pass a state law because the Federal Trade Commission can enforce the law on us. But what exactly is AT&T saying about the FTC’s enforcement power
in the courts?
Source: AT&T’s 2016 Brief in FTC vs AT&T Mobility
That is right. They are arguing that the FTC has no legal enforcement power over them. They are making that argument right
now in the Ninth Circuit Court of Appeals, which means if they win there a second time (the case is on en banc appeal) then California will have no Federal Trade Commission
enforcer on privacy.
On other fronts AT&T and others are arguing that the bill is unnecessary because the FCC’s powers remain perfectly intact after the Congressional Review Act repeal.
“The bill is not needed. The FCC retains statutory authority to enforce consumer privacy protections with respect to Internet service providers.” - AT&T
"We want to assure you that the action taken by Congress earlier this year has changed nothing for consumers." -CompTIA, TechNet, Bay Area Council
We have explained in detail exactly what Congress
did when it invoked the Congressional Review Act repeal of our broadband privacy rights. Ironically, last week AT&T agreed with us when their association US Telecom petitioned the FCC to help clear up the mess created by the CRA
broadband privacy repeal because it has also muddied up the waters for their efforts to combat robocalls. In essence, they do not know their legal rights to sharing telephone
customer information in that instance just like customers now no longer have clear legal rights to their broadband privacy. It is also worth noting that the FCC is now on course to end the legal obligations of AT&T to preserve an
open Internet and protect privacy.
“We Don’t Engage in That Kind of Activity”
This is the biggest whopper they are spreading here in Sacramento because anyone who takes the time to look up the history of ISP conduct will quickly find out that they have been
trying to profit off their customers’ personal information for years. The problem for them has been the law got in the way (until recently) or elected officials put political
pressure on ISPs to change their plans.
In 2008, Charter play tested the idea of recording everything you do on the
Internet and packaging it into profiles by using Deep Packet Inspection technology that was capable of detailed monitoring of your activity. The bipartisan political response from Congress was fierce and
Charter quickly backed down from its plans. It is worth noting that cable broadband services were not clearly covered under the Communications Act’s privacy obligations until the 2015
Open Internet Order.
We know as of 2015 telecom carriers work with Ad Adage to “ingest” data from
cellphones close to 300 times a day every day across 20 to 25 million mobile subscribers (we aren’t told which mobile telephone companies participate in this practice; they keep
that a secret). That data is used to inform retailers about customer browsing info, geolocation, and demographic data.
We know in 2011 ISPs engaged in search hijacking where your Internet search queries were
monitored in order to be rerouted in coordination with a company called Paxfire.
We know AT&T was inserting ads into the traffic of people who use their wifi hotspots in
airports. Even small rural ISPs have engaged in
ad injection to advertise on behalf of third parties.
We know AT&T, Sprint, and T-Mobile preinstalled “Carrier IQ” on their phones,
which gave them the capability to track everything you do, from what websites you visit to what applications you use. It took a class
action lawsuit for the carriers to begin backing down from this idea.
And lastly, we know in 2014 Verizon tagged every one of their mobile customers’ HTTP connections with a semi permanent
super-cookie, and used those super-cookies to enable third parties such as advertisers to target individual customers. Not only that, but Verizon’s super-cookie also allowed
unaffiliated third parties to track you, no matter what steps you took to preserve your privacy. And worst of all, AT&T was going to follow suit to get in on the action but quickly retreated after Verizon got into legal trouble with the federal government.
Pretending a Straightforward and Widely Accepted Definition of Broadband is Untested
In several opposition letters the opponents assert the definition of “Internet access service” may result in any Internet business suddenly becoming affected by the
legislation. This is a false reading of the definition in the bill and likely an attempt to stall the legislation by pretending we have not been living with these definitions for
A.B. 375’s definition of ISPs mirrors the Federal Communication Commission’s definition of broadband
service, which has been on the books since 2010 to institute Network Neutrality. The Public Utilities Code (the underlying statute for the Public Utilities Commission) has
connected the definition of broadband to the FCC’s definition for the last
A.B. 375 defines ISPs as follows:
“Internet service provider” means a person or entity engaged in the provision of Internet access service, but only to the extent that the person or entity is providing Internet
“Internet access service” means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all
Internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up Internet access service.
“Internet access service” also encompasses any service that the Federal Communications Commission or the Public Utilities Commission finds to be providing a functional equivalent
to the service described in this subdivision.
Opponents are raising concerns with the term “functional equivalent” despite the 70 words preceding the term to limit and explicitly define what an eligible functional equivalent
is. Let’s break down the definition into its component parts to demonstrate. An ISP covered under A.B. 375 must be the following things:
1) Mass-market retail service
2) Transmit data by wire or radio
3) Capable of receiving and sending data to all or substantially all Internet endpoints
4) Includes capabilities that are incidental to and enable the operation of the communications service
5) Does not include dial up Internet
6) Directly provide the Internet access service
7) Includes services the FCC or CPUC finds to do parts 1-6 above
If This Level of Obfuscation and Attempts to Prevent a Law That Restores Your Broadband Privacy Rights Upsets You, You Need to Pick Up the Phone
Take Action: Tell your representatives to support online privacy.
Notice to the W3C of EFF's appeal of the Director's decision on EME
(Wed, 12 Jul 2017)
[[Update, July 13: After consultation with W3C CEO Jeff Jaffe on timing, we've temporarily withdrawn this appeal, for one week, for purely logistical purposes. I am teaching a
workshop all next week at UC San Diego and will re-file the objection at the end of the week, so that I will be able to devote undivided attention to garnering the necessary support
from other W3C members. -Cory]]
Dear Tim, Jeff, and W3C colleagues,
On behalf of the Electronic Frontier Foundation, I would like to formally submit our request for an appeal of the Director's decision to publish Encrypted Media Extensions as a W3C
Recommendation, announced on 6 July 2017.
The grounds for this appeal are that the question of a covenant to protect the activities that made DRM standardization a fit area for W3C activities was never put to the W3C
membership. In the absence of a call for consensus on a covenant, it was improper for the Director to overrule the widespread members' objections and declare EME fit to be published
as a W3C Recommendation.
The announcement of the Director's decision enumerated three ways in which DRM standardization through the W3C -- even without a covenant -- was allegedly preferable to allowing DRM
to proceed through informal industry agreements: the W3C's DRM standard was said to be superior in its accessibility, its respect of user privacy, and its ability to
level the playing field for new entrants to the market.
However, in the absence of a covenant, none of these benefits can be realized. That is because laws like the implementations of Article 6 of the EUCD, Section 1201 of the US Digital
Millennium Copyright Act, and Canada's Bill C-11 prohibit otherwise lawful activity when it requires bypassing a DRM system.
1. The enhanced privacy protection of a sandbox is only as good as the sandbox, so we need to be able to audit the sandbox.
The privacy-protecting constraints the sandbox imposes on code only work if the constraints can't be bypassed by malicious or defective software. Because security is a process, not a product and because there is no security through obscurity, the claimed benefits of EME's sandbox require continuous, independent
verification in the form of adversarial peer review by outside parties who do not face liability when they reveal defects in members' products.
This is the norm with every W3C recommendation: that security researchers are empowered to tell the truth about defects in implementations of our standards. EME is unique among all
W3C standards past and present in that DRM laws confer upon W3C members the power to silence security researchers.
EME is said to be respecting of user privacy on the basis of the integrity of its sandboxes. A covenant is absolutely essential to ensuring that integrity.
2. The accessibility considerations of EME omit any consideration of the automated generation of accessibility metadata, and without this, EME's accessibility benefits are
constrained to the detriment of people with disabilities.
It's true that EME goes further than other DRM systems in making space available for the addition of metadata that helps people with disabilities use video. However, as EME is
intended to restrict the usage and playback of video at web-scale, we must also ask ourselves how metadata that fills that available space will be generated.
For example, EME's metadata channels could be used to embed warnings about upcoming strobe effects in video, which may trigger photosensitive epileptic seizures. Applying such a
filter to (say) the entire corpus of videos available to Netflix subscribers who rely on EME to watch their movies would safeguard people with epilepsy from risks ranging from
discomfort to severe physical harm.
There is no practical way in which a group of people concerned for those with photosensitive epilepsy could screen all those Netflix videos and annotate them with strobe warnings, or
generate them on the fly as video is streamed. By contrast, such a feat could be accomplished with a trivial amount of code. For this code to act on EME-locked videos, EME's
restrictions would have to be bypassed.
It is legal to perform this kind of automated accessibility analysis on all the other media and transports that the W3C has ever standardized. Thus the traditional scope of
accessibility compliance in a W3C standard -- "is there somewhere to put the accessibility data when you have it?" -- is insufficient here. We must also ask, "Has W3C taken steps to
ensure that the generation of accessibility data is not imperiled by its standard?"
There are many kinds of accessibility metadata that could be applied to EME-restricted videos: subtitles, descriptive tracks, translations. The demand for, and utility of, such data
far outstrips our whole species' ability to generate it by hand. Even if we all labored for all our days to annotate the videos EME restricts, we would but scratch the surface.
However, in the presence of a covenant, software can do this repetitive work for us, without much expense or effort.
3. The benefits of interoperability can only be realized if implementers are shielded from liability for legitimate activities.
EME only works to render video with the addition of a nonstandard, proprietary component called a Content Decryption Module (CDM). CDM licenses are only available to those who promise
not to engage in lawful conduct that incumbents in the market dislike.
For a new market entrant to be competitive, it generally has to offer a new kind of product or service, a novel offering that overcomes the natural disadvantages that come from being
an unknown upstart. For example, Apple was able to enter the music industry by engaging in lawful activity that other
members of the industry had foresworn. Likewise Netflix still routinely engages in conduct (mailing out DVDs) that
DRM advocates deplore, but are powerless to stop, because it is lawful. The entire cable industry -- including Comcast -- owes its existence to the willingness of new market entrants to break with the existing boundaries of "polite behavior."
EME's existence turns on the assertion that premium video playback is essential to the success of any web player. It follows that new players will need premium video playback to
succeed -- but new players have never successfully entered a market by advertising a product that is "just like the ones everyone else has, but from someone you've never heard of."
The W3C should not make standards that empower participants to break interoperability. By doing so, EME violates the norm set by every other W3C standard, past and present.
Through this appeal, we ask that the membership be formally polled on this question: "Should a covenant protecting EME's users and investigators against anti-circumvention regulation
be negotiated before EME is made a Recommendation?"
Thank you. We look forward to your guidance on how to proceed with this appeal.
We Must Keep the Internet Free and Open. EFF, Tech Giants, Startups and Internet Users Tell FCC: Don’t Sell Out Net Neutrality To Appease ISPs
(Wed, 12 Jul 2017)
AirBnB, Amazon, ACLU, Google, Etsy, Y Combinator Among Organizations Standing Up To Government Plan To Let ISPs Block Content, Charge Fees for ‘Fast Lanes’
San Francisco—The Electronic Frontier Foundation (EFF) and a broad coalition of user advocacy groups and major
technology companies and organizations joined forces today to protest the FCC’s plan to toss out net neutrality rules that preserve Internet freedom and prevent cable and telecommunications companies from controlling what we can see and
Without net neutrality, Internet service providers (ISPs) can block your favorite content, throttle or slow down Internet speeds to disadvantage competitors’ content, or make you pay more than you already do to access movies and
other online entertainment.
To show just how important net neutrality is to free choice on the Internet, EFF and a host of other organizations are temporarily halting full access to their website homepages today
with a prominent message that they’re “blocked.” Only upgrading to “premium” (read: more expensive) service plans will allow users access to blocked sites and services, the message
says. (Don’t worry, the sites aren’t really blocked. Clicking on the message will take you to a link for DearFCC, our tool for
submitting comments to the FCC and making your voice heard.)
“We’re giving subscribers a preview of their Internet experience if the FCC dismantles the current net neutrality rules,” said EFF Legal Director Corynne McSherry. “AT&T, Comcast,
and Verizon will be able to block your favorite content or steer you to the content they choose—often without you knowing it. Those without deep pockets—libraries, schools, startups
and nonprofits—will be relegated to Internet slow lanes.”
The online community—gig economy site AirBnb, maker site Etsy, file storage provider DropBox, and hundreds more—have joined EFF and other user advocates today to deliver a message to
the FCC: we want real net neutrality protections.
“It’s our Internet and we will defend it,” said EFF Senior Staff Attorney Lee Tien. “We won’t allow cable companies and ISPs, which already garner immense profits from customers, to
become Internet gatekeepers.”
Today’s the Day: Let's Save Net Neutrality
(Wed, 12 Jul 2017)
You might have noticed something unusual when you visited the EFF website today: our
site was “blocked” unless you shelled out for “premium” Internet access.
As part of the day of action to support net neutrality, we decided to
imagine what might happen if FCC Chairman Ajit Pai caves to industry pressure and abandons the net neutrality rules the FCC adopted just two years ago. If you don’t want to live in
that future, it’s time to take action.
To make it easy for Team Internet to do just that, we’ve created a special site called DearFCC.org where we’ll help you write your own comment to
the agency. We’ll offer some suggestions to get you started, but you can say whatever you like. What’s most important is that the FCC hears from you.
Some large ISPs say they support net neutrality, but that they just want the FCC to go enforce it under a
different legal provision, or have Congress pass a specific net neutrality law. But this is just a trick—they already know that if the FCC goes back to classifying broadband as an
information service, its net neutrality rules will fail (just like they
did last time). They also know that Congress isn’t likely to pass a real net neutrality statute anytime soon, if ever, given the millions that telecom giants have invested in
making sure they get to write any regulation of their industry.
Make no mistake: if we want the FCC to do its part to protect a free and open Internet—where Internet service providers don’t discriminate between different types of content or
communications—we can’t let the agency go forward with its plan to abandon Title II (the legal foundation for today’s net neutrality rules). Competition between ISPs won’t guarantee
net neutrality, especially when most of the country has only one option for
broadband Internet access.
The fight over net neutrality isn’t just about consumer protection, though: it’s about your
freedom of speech. What makes the Internet great is that anyone can use it to get their voice heard. Your message, your idea, or your story can reach millions of people, just as
many people as large broadcasting companies can reach. If big ISPs win this fight, the next iteration of the Internet might look something more like cable TV, where providers have a
great deal of influence over which messages their members hear—and they can deprioritize or even flat-out block content they don’t like.
If you love the Internet the way it is, then speak out now.
The Death Knell is Tolling for Shipping & Transit LLC
(Tue, 11 Jul 2017)
Second court recommends awarding legal fees to defendant hit with patent troll’s lawsuit
A court in the Southern District of Florida has recommended (PDF) that
prolific patent troll Shipping & Transit LLC pay a defendant’s legal
costs. This is the second court in less than a
week to find Shipping & Transit’s patent litigation suit “exceptional” for purposes of awarding legal fees to a defendant.
The latest finding comes out of Shipping & Transit LLC v. Lensdiscounters.com, a case originally filed by Shipping & Transit just over a year ago, but not lasting
nearly that long. When at an early hearing it came out there were serious defects in
Shipping & Transit’s case, Shipping & Transit immediately sought to end the lawsuit. Lensdiscounters opposed letting Shipping & Transit run away without
consequences. Lensdiscounters told the court its belief that Shipping & Transit had failed to investigate infringement before filing its lawsuit and that Shipping & Transit’s
patents were invalid. It argued it should be awarded the cost it incurred in defending
against Shipping & Transit’s infringement claim.
In a report signed on July 10, a magistrate judge agreed (PDF). The court found
Shipping & Transit’s explanation for why it believed it had a case of infringement worth pursuing to be “flawed.” Instead, it appeared to the court that “likely, from the
inception, [Shipping & Transit] never intended to litigate its patent infringement rights” and “it appears that [Shipping & Transit] brought this case merely to elicit a quick
settlement from Defendant on questionable patents.” With respect to Shipping & Transit’s “questionable patents,” the court noted that despite Shipping & Transit filing over
300 cases in Florida alone, the court “could not find one case where the substantive issue of patent validity was reached.” Instead, Shipping & Transit “routinely and promptly”
dismissed cases “to end any inquiry” any time the validity of its patents was challenged. These facts led the judge to recommend that the court order Shipping & Transit to
pay Lensdiscounters’ legal fees.
Because this report is from a magistrate judge, it still needs to be confirmed by the District Court judge. However, it represents yet another finding by a court that Shipping &
Transit’s patent infringement lawsuits are exceptional and should lead to an award of fees to defendants targeted by Shipping & Transit. This latest decision from Florida, along
with the similar order (PDF) from California, has Shipping & Transit’s
death knell bell tolling across the country.
Stalemate Continues in Negotiations Over European Copyright Filters
(Tue, 11 Jul 2017)
This week is an important one in the ongoing negotiations over new copyright rules in Europe—which will have reverberations all over the world. As you may recall, the negotiations centre around two worrisome proposals being
pushed by publisher and music industry lobby groups for inclusion in a new Digital Single Market Directive: a requirement for mandatory upload filtering by user content platforms (Article 13), and
a link tax payable by news aggregators in favor
of publishers (Article 11).
The convoluted process of negotiation over new European laws means that not only do three European institutions (the European Parliament, the Council of the European Union, and the
European Commission) have to reach an accord on the terms of the Directive, but within the European Parliament itself there are also multiple committees that get to weigh in. The Lead
Committee is the Legal Affairs or JURI Committee, but it is required to take account of the opinions, and proposed amendments, of the other committees. This week two of those
committees will go to a vote on their opinions and suggested amendments, while the JURI committee will consider its own amendments to the European Commission's original proposal.
The Committee on Culture and Education (CULT), whose extreme proposals for amendment to the Commission proposal we critiqued in a previous post, will be voting on July 11 on which amendments it will
put forward to JURI for inclusion in the Parliament's final compromise text. Since none of CULT's suggested amendments to Articles 11 and 13 would improve on the original proposal—in
fact, they would make it worse—we are urging Members of the European Parliament (MEPs) who are members of CULT simply to vote for the deletion of those Articles. In particular, as
pointed out by European Digital Rights (EDRi, of which EFF is a member), for CULT to support mandatory filtering of uploads on user content platforms would directly contradict that committee's own opposition to mandatory filtering of terrorist and other
On the same day, the Industry, Research and Energy (ITRE) Committee will also vote on its draft opinion and amendments. Its takes on the upload filter and link tax proposals are not
as extreme as those of CULT. In fact its suggested amendment to the Article 11 link tax would gut that misconceived proposal, replacing it with a relatively unobjectionable provision
that simply allows press publishers to stand in for journalists in enforcing their existing copyrights in news articles. ITRE's suggested amendment to Article 13 doesn't go so far
though, and continues to require platforms to take additional measures such as upload filtering at the behest of copyright holders; therefore we maintain that ITRE should instead vote
for deletion of this Article.
Two more European Parliamentary committees are also weighing in on these controversial proposals. The IMCO or Consumer Protection and Internal Market Committee voted on its opinion
and amendments on 8 June, with a recommendation against the Article 13 upload filtering plan—this should hopefully be persuasive, as it has a special cooperative status with JURI on
this topic. Unfortunately, IMCO did not also vote against the Article 11 link tax, but supported the Commission's original proposal. Next to vote after this week will be
the Civil Liberties, Justice and Home Affairs (LIBE) Committee, which will vote on its opinion and amendments on September 25.
European activists have put together a Save the Meme website which can be used to contact MEPs about the upload filtering and link tax
proposals. Today, in advance of the CULT and ITRE votes and JURI's consideration of its amendments, would be an excellent day for our European members to take advantage of that
opportunity and ask their representatives to vote against the Commission's harmful proposals.
Requiring Judicial Review for Every Gag Order Is a Simple Way to Have Our Backs: Apple Does but Google and Facebook Fall Short
(Mon, 10 Jul 2017)
As a civil liberties organization, it’s our job to evaluate how tech companies handle our most private data and to encourage them to do better year over year. Our Who Has Your Back report is designed to do both, which is one reason we revisit the report’s criteria every year—always striving to
raise the bar.
In this post, we’ll highlight one of the new stars that does just that: “Stands up to NSL gag orders.” To earn
a star in this category, companies must publicly commit to invoking a new statutory procedure to have a judge review every indefinite National Security Letter (NSL) gag order the
The NSL as we know it today was created by the USA PATRIOT Act’s Section 505. These letters, served on communications service providers like phone companies and ISPs, allow the FBI to
secretly demand data about anyone’s private communications and Internet activity without any meaningful oversight or prior judicial review. Recipients of NSLs are subject to a gag
order that forbids them from ever revealing the letters' existence to their coworkers, their friends, or even their family members, much less the public.
Since 2011, EFF has been fighting the NSL statute in court on behalf of CREDO Mobile and Cloudflare.
Our lawsuit argues that the gag orders attached to nearly every NSL—which the FBI is permitted to apply without any court involvement whatsoever—are unconstitutional prior restraints.
In response to our suit, Congress included in the 2015 USA
FREEDOM Act a process to allow providers to push back against those gag orders.
The new process gives technology companies a right to request judicial review of the gag orders accompanying NSLs (referred to as “reciprocal notice”). When a company invokes the
reciprocal notice process, the government is required to bring the gag order before a judge within 30 days. The judge then reviews the gag order and either approves, modifies, or
invalidates it. The company is permitted to appear in that proceeding and argue, but is not required to do so.
To be entirely clear, we don’t think reciprocal notice fixes the serious constitutional problems with NSLs. The First Amendment requires that when the government wants to impose a gag
order, it must bear the complete burden of going to court and proving the gag is truly necessary. The government has attempted to avoid this requirement by making court review
optional. Reciprocal notice doesn’t fix the constitutional problem with NSLs—it still requires the NSL recipient to stand up to the government and start the process.
The right thing for a company that receives an NSL with a gag order to do is to invoke the reciprocal notice procedure (flawed though it is) and make the government put the gag order
before a judge. One of the primary arguments the government has made in EFF’s NSL lawsuit is that companies haven’t spoken out about NSLs and thus don’t care about being gagged.
That’s simply false, but unless companies continue to challenge these gag
orders as often as possible, the government may get away with its specious argument.
To earn a star for this category, therefore, we ask companies to commit to invoking the new reciprocal notice procedure for every NSL they receive. We are not asking companies
to file lawsuits in opposition to NSLs the way our clients did. We are only asking them to invoke the reciprocal notice provision in 18 U.S.C. § 3511(b)(1)(A). The statute explicitly
envisions this role for the NSL recipient, and the Department of Justice has taken the position that this can be set in motion by a letter or phone call. Furthermore, reciprocal
notice does not require an objection to the underlying information request contained in an NSL.
While this step won’t bring NSLs in line with the Constitution, the reciprocal notice process does at least provide a path toward transparency. But that path doesn’t mean much if the
provider won’t walk it. While a handful of Silicon Valley giants including Apple, Dropbox, Pinterest, and Uber all committed to invoking reciprocal notice for every NSL, we’re
disappointed that others, such as Google and Facebook, choose only to confront NSL gag orders on a case-by-case basis. The NSL system is broken and companies should invoke reciprocal
Given that companies have every right to take this step to stand with their users, we’re sorry we couldn’t award more stars in this category. All of Silicon Valley should follow
Apple’s lead, and demand that a judge sign off on every single gag order they receive.
1. We have awarded this star to 12 companies on our report: Adobe, Airbnb, Apple, CREDO, Dropbox, Lyft, Pinterest,
Slack, Sonic, Uber, Wickr, and Wordpress. 14 companies failed to earn the star: Amazon, AT&T, Comcast, Facebook, Google, LinkedIn, Microsoft, Snap, T-Mobile, Tumblr, Twitter,
Verizon, WhatsApp, and Yahoo.
AT&T, Verizon, Other Telco Providers Lag Behind Tech Industry in Protecting Users from Government Overreach, EFF Annual Survey Shows
(Mon, 10 Jul 2017)
Amazon Fails To Follow, Much Less Lead in Privacy Best Practices, Facebook, Google, and Microsoft Fail to Promise They Will Stand Up to FBI Gag Orders
San Francisco, California—While many technology companies continue to step up their privacy game by adopting best practices to protect sensitive customer information when the
government demands user data, telecommunications companies are failing to prioritize user privacy when the government comes knocking, an EFF annual survey shows. Even tech giants such
as Apple, Facebook, and Google can do more to fully stand behind their users.
EFF’s seventh annual “Who Has Your Back” report, released today, digs into the ways many technology companies are
getting the message about user privacy in this era of unprecedented digital surveillance. The data stored on our mobile phones, laptops, and especially our online services can, when
aggregated, paint a detailed picture of our lives—where we go, who we see, what we say, our political affiliations, our religion, and more.
“This information is a magnet for governments seeking to surveil citizens, journalists, and activists. When governments do so, they need to follow the law, and users are increasingly
demanding that companies holding their data enact the toughest policies to protect customer information,” said EFF Activism Director Rainey Reitman.
EFF evaluated the public policies at 26 companies and awarded stars in five categories. This year EFF included two new categories: “promises not to sell out users,” and “stands up to
NSL gag orders.” The first reflects our concern about the stated goal of several members of government to co-opt tech companies to track people by their immigration status or
religion. We awarded stars to companies that prohibit developers and third parties from capturing user data to assist governments in conducting surveillance.
We also awarded stars to companies that exercise their right to make the government initiate judicial review of gag orders that prohibit them from publicly disclosing they have
received a National Security Letter (NSL). NSLs—secret FBI demands for user information issued with no oversight from any court—permit the FBI to unilaterally gag recipients, a power
EFF believes is unconstitutional. Facebook, Google, and Microsoft have failed to promise to step up and exercise the right to have the government put NSL gag orders before a
Nine companies earned stars in every category this year: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr, and Wordpress. Each has a track record of defending user privacy
against government overreach and improved on their practices to meet the more stringent standards in this year’s Who Has Your Back.
Two tech companies lagged behind in the industry: Amazon and WhatsApp, both of which earned just two stars. EFF’s survey showed that while both companies have done significant work to
defend user privacy—EFF especially lauds WhatsApp’s move to adopt end-to-end encryption by default for its billion users around the world—their policies still lag behind. Online
retail giant Amazon has been rated number one in customer
service, yet it hasn’t made the public commitments to stand behind its users’ digital privacy that the rest of the industry has.
AT&T, Comcast, T-Mobile, and Verizon scored the lowest, each earning just one star. While they have adopted a number of industry best practices, like publishing transparency
reports and requiring a warrant for content, they still need to commit to informing users before disclosing their data to the government and creating a public policy of
requesting judicial review of all NSLs.
“The tech industry as a whole has moved toward providing its users with more transparency, but telecommunications companies—which serve as the pipeline for communications
and Internet service for millions of Americans—are failing to publicly push back against government overreach,” said EFF Senior Staff Attorney Nate Cardozo. “Both legacy telcos and
the giants of Silicon Valley can and must do better. We expect companies to protect, not exploit, the data we have entrusted them with.”
New Research Estimates Value of Removing DRM Locks
(Sun, 09 Jul 2017)
Note: We’ve been in touch with a group of economists at the University of Glasgow who are investigating the market value of interoperability. Just in time for “Day Against
DRM,” here are some of their initial conclusions.
My co-authors and I at the University of Glasgow are investigating how restrictions on interoperability imposed by Digital Rights Management (DRM) systems might impact the market for
goods. We are doing this as part of a larger project to better understand the economics of DRM and to figure out what changes would likely occur if the laws were reformed. Our recent
working paper is titled ‘How much do consumers value interoperability: Evidence from the price of DVD players’. [Open Access here]
We use price data scraped from Amazon.com on all consumer DVD players listed since 2010 to analyse whether there is an increase in willingness-to-pay for players that have features
related to interoperability. These features of interest include things like the lack of region controls, the ability to play legacy disc formats, and the ability to play new open file
formats like Xvid. At first, DVD players might seem like an antiquated technology for such a study, but the product has many advantages: locked and unlocked players coexist side by
side in the market and there are hundreds of competing devices on sale with similar capabilities, facilitating statistical analysis.
Why might consumers benefit from interoperability?
Our study is designed to begin to investigate some propositions about why consumers might value interoperability when choosing to purchase devices or content. There are numerous
reasons why that might be the case. For example, people might value backwards interoperability between a device and other devices or content they already own. In a famous economics
paper, Farrell & Saloner (1986) suggest that there are barriers to adoption of a
new standard caused by network effects related to the number of people using the old standard. For example, maybe one’s friends and family use one system and moving to a new system
would leave an early adopter out on a limb. Or, maybe a consumer has invested a lot of money in content that is compatible with the old standard but incompatible with the new one. DRM
might amplify those effects and result in ‘excess inertia’: that is, an overall loss to society caused by slower than optimal uptake of a new standard.
On the other hand, consumers might not (only) make a purchase decision informed by goods that they or their friends already own. They may be more concerned with what we call forwards
interoperability: the capability of a device to interface with future, unknown devices or content. Imagine for example a company pledging not to restrict their format to future
innovators, enabling unintended new benefits to consumers as third-party companies supply complementary goods and content. This might interest consumers worried about
‘future-proofing’ their investment, ensuring that new content is likely to be created for their device.
Overall we find that interoperability has a significant positive effect on the price that consumers are willing to pay for DVD players. The average price that they are willing to pay
increases by $19 USD for players with any interoperability features present. The average price increases by $30 USD for players with the specific ability to play content in open file
formats like Xvid. This feature has the strongest impact on price in our study. The lack of region locks also has a moderately significant effect on price. Backwards compatibility
with legacy formats like VCD had no significant impact on price in any of our models, likely because VCD is a very legacy format, indeed, having been popular in the late 1990s.
Backwards compatibility might have a bigger impact for products that are released at closer time intervals.
Next steps for research
We plan to expand this study, both in terms of global coverage as well as product categories. One of the things we’d like to check is whether the region of the consumer is an
important factor in how they value interoperability.
Ultimately, we intend to examine these dynamics across as many product categories as possible, where DRM-locked options coexist in the market alongside unlocked or hackable options.
Some possible candidate products include network routers, handheld GPS devices, and even ‘smart’ lightbulbs. As more and more devices come with embedded firmware, the ability of
manufacturers to lock out consumers with DRM – or make them interoperable – will have a greater impact on society beyond media devices.
Third Circuit Declares First Amendment Right to Record Police
(Sat, 08 Jul 2017)
The First Amendment protects our right to use electronic devices to record on-duty police officers, according to a new ruling by the U.S. Court of Appeals for the Third Circuit in Fields v. Philadelphia. This right extends to anyone with a recording device, journalists and members of the public
alike. And this right includes capture of photos, videos, and audio recordings.
EFF filed an amicus brief seeking this ruling. We argued that people routinely use their electronic devices
to record and share images and audio, and that this often includes newsworthy recordings of on-duty police officers interacting with members of the public.
The Court’s Reasoning
The Third Circuit began its Fields opinion by framing the right to record in history and policy:
In 1991 George Holliday recorded video of the Los Angeles Police Department officers beating Rodney King and submitted it to the local news. Filming police on the job was rare
then but common now. With advances in technology and the widespread ownership of smartphones, civilian recording of police officers is ubiquitous. . . . These recordings have both
exposed police misconduct and exonerated officers from errant charges.
The Third Circuit recognized that all five federal appellate courts that previously addressed this issue held that the First Amendment protects the right to record the police.
The court next reasoned that the right to publish recordings depends on the predicate right to make recordings. Specifically:
The First Amendment protects actual photos, videos, and recordings, . . . and for this protection to have meaning the Amendment must also protect the act of creating that
material. There is no practical difference between allowing police to prevent people from taking recordings and actually banning the possession or distribution of them.
The court also reasoned that the right to record the police is grounded in the First Amendment right “of access to information about their officials’ public activities.” The court
Access to information regarding public police activity is particularly important because it leads to citizen discourse on public issues, “the highest rung of the hierarchy of
First Amendment values, and is entitled to special protection.”
The court identified the many ways that civilian recordings of police activity are beneficial by capturing critical information:
“To record what there is the right for the eye to see or the ear to hear corroborates or lays aside subjective impressions for objective facts. Hence to record is to see and hear
“Recordings also facilitate discussion because of the ease in which they can be widely distributed via different forms of media.”
“Bystander videos provide different perspectives than police and dashboard cameras, portraying circumstances and surroundings that police videos often do not capture.”
“Civilian video also fills the gaps created when police choose not to record video or withhold their footage from the public.”
Importantly, the court concluded that recordings of on-duty police have “contributed greatly to our national discussion of proper policing.” Among other things, they have “improved
professional reporting, as video content generated by witnesses and bystanders has become a common component of news programming.” As a result, recordings have “spurred action at all
levels of government to address police misconduct and to protect civil rights.”
The Third Circuit erred on the issue of “qualified immunity.” This is a legal doctrine that protects government employees from paying money damages for violating the Constitution, if
the specific right at issue was not clearly established at the time they violated it. In Fields, the Third Circuit unanimously held that going forward, the First Amendment
protects the right to record the police. But the majority held that this right was not clearly established at the time the police officers in the case violated this right.
Judge Nygaard dissented on this point. He persuasively argued that this right was in fact clearly established, given the prior rulings of other appellate courts, the City of
Philadelphia’s own policies, and the frequency that people (including police officers themselves) use their mobile devices to make recordings. On the bright side, the Third Circuit
remanded the question of municipal liability, so there is still a possibility that the injured parties, whose right to record was disrupted by police, can obtain damages from the
Location of Recording
The Third Circuit in Fields sometimes formulated the First Amendment right to record police as existing in “public” places. This is true. But the right also exists in
private places. For example, a home owner might record police officers searching their home without a warrant. Also, a
complainant about police misconduct, speaking to internal affairs officers inside a police station, might record those officers discouraging her from pressing charges. In such
cases, there is a First Amendment right to record on-duty police officers in a private place.
Rather than ask whether the place of recording was public or private, courts should ask whether the subject of recording had a reasonable expectation of privacy. Critically, on-duty
police have no such expectation while speaking with civilians, whether they are in a public or private place.
The Fields decision is not to the contrary. Rather, it simply addressed the facts in that case, which concerned civilians recording on-duty police officers who happened to be
in public places. Also, the Fields opinion at another point correctly framed the issue as “recording police officers performing their official duties.”
The court discussed another possible limitation on the right to record the police—whether recording may be subject to “reasonable time, place, and manner restrictions” to ensure that
it doesn’t interfere with police activity. However, this issue was not before the court. It remains to be seen how future courts will address limitations on the First Amendment right
to record the police.
The Third Circuit’s Fields decision is an important victory for the right of technology users to record on-duty police officers. But the struggle continues. Across the country,
many government officials continue to block members of the public from using their
electronic devices to record newsworthy events. EFF will continue to fight for this vital right.
Court Orders Prolific Patent Troll Shipping & Transit LLC To Pay Defendant’s Legal Bill
(Sat, 08 Jul 2017)
Shipping & Transit LLC, formerly known as Arrivalstar, is one of the most prolific patent trolls
ever. It has filed more than 500 lawsuits alleging patent infringement. Despite having filed so many cases, it has never had a court rule on the validity of its patents. In recent
years, Shipping & Transit’s usual practice is to dismiss its claims as soon as a defendant spends resources to fight back. A district court in California issued an order (PDF) this week ordering Shipping & Transit to pay a defendant's attorney's fees. The court
found that Shipping & Transit has engaged in a pattern of “exploitative litigation.”
Shipping & Transit owns a number of patents that relate to vehicle tracking. We’ve written about its patent trolling on numerous occasions. In many cases, Shipping & Transit asserted its patents against businesses
that simply sent email to customers with a tracking number. In other cases, it has sued municipal transport agencies and logistics companies.
The recent fee award is from a case called Shipping & Transit LLC v. Hall Enterprises, Inc. After getting sued, Hall told Shipping & Transit that it should dismiss its claims
because its patents are invalid under Alice v. CLS Bank. Shipping & Transit refused. Hall then went to the expense of preparing and
filing a motion for judgment on the pleadings (PDF) arguing that
Shipping & Transit’s patents are invalid. In response, Shipping & Transit voluntarily dismissed its claims. Hall then filed a motion for attorney’s fees (PDF).
In considering the motion for fees, the court first considered the merits of Hall’s judgment on the pleadings. The court found that the asserted patent claims were directed to the
abstract idea of “monitoring and reporting the location of a vehicle” and that they do not contain an inventive concept sufficient to transform the abstract idea into a patent-eligible
invention. The court also concluded Shipping & Transit’s legal arguments in defense of its patents were “objectively unreasonable in light of the Supreme Court’s Alice
decision and the cases that applied that decision to invalidate comparable claims.”
The court also considered Shipping & Transit’s litigation history. It wrote:
Although the Court agrees that filing a large number of cases does not necessarily mean Plaintiff litigated in an unreasonable manner, it nevertheless finds troubling that
Plaintiff has repeatedly dismissed its own lawsuits to evade a ruling on the merits and yet persists in filing new lawsuits advancing the same claims. …
Plaintiff’s business model involves filing hundreds of patent infringement lawsuits, mostly against small companies, and leveraging the high cost of litigation to extract
settlements for amounts less than $50,000. These tactics present a compelling need for deterrence and to discourage exploitative litigation by patentees who have no intention of
testing the merits of their claims.
In the court’s view, the combination of Shipping & Transit’s unreasonable legal arguments and its history of exploitative litigation justified an award of fees.
Shipping & Transit could appeal this decision but we believe the appeal would be unlikely to succeed. Any appeal would be decided under an “abuse of discretion” standard that
makes reversal less likely. Also, the Federal Circuit has recently shown increased willingness to impose fees on abusive patent
Because Shipping & Transit dismissed its complaint, the court did not have jurisdiction to formally invalidate the patent claims. Nevertheless, the court clearly would have ruled
in Hall’s favor on the motion for judgment on the pleadings had it decided that motion. Shipping & Transit is therefore on notice that these patent claims are invalid and, in our
view, any subsequent litigation asserting these claims would warrant sanctions.
We hope this ruling will finally put an end to Shipping & Transit’s massive patent trolling campaign. The fact that Shipping & Transit was able to file more than 500 cases
with almost-surely invalid patents shows that further reform is needed to slow down patent litigation abuse.
McMansion Hell Take-Down Controversy Illustrates Why the Supreme Court Should Clarify the Limits of the CFAA
(Fri, 07 Jul 2017)
When McMansion Hell blogger Kate Wagner received Zillow’s letter last month demanding that she take down her architecture parody blog, she was scared.
So scared that she temporarily disabled access to her blog via McMansionHell.com until she could find an attorney. We’re happy she found us at EFF.
While all of the claims Zillow made were highly dubious, one stuck out to us
as especially egregious and scary: the claim that McMansion Hell violated a notoriously vague criminal statute called the Computer Fraud and Abuse Act, or CFAA. That Zillow’s lawyers thought it was proper to include this threat shows how
strongly we need some sanity brought to the CFAA.
Luckily, the Supreme Court has the opportunity to bring
that sanity—and we urge them to do so.
CFAA’s Ongoing Threat
The CFAA, inspired in part by a fictional movie, was meant to
criminalize breaking into computers to access or alter data. But its language is incredibly broad and vague. It makes it illegal to intentionally access a “protected computer”—which
includes any computer connected to the Internet—“without authorization” or in excess of authorization, but it doesn’t tell us what “without authorization” means.
Sadly, both prosecutors and private parties have taken advantage of this vague language, endeavoring to stretch the law to cover any “bad” conduct that happens to involve a
on in all sorts of cases that have nothing to do with breaking into a computer—including the Zillow McMansion Hell controversy.
For those looking to get content offline, the CFAA is an obvious choice for a powerful scare tactic. That Zillow’s lawyers chose to say that Ms. Wagner “may” have violated the CFAA
was cold comfort; for most people even the suggestion of criminal charges is enough to scare them into complying with a takedown demand. This is compounded by a range of court
decisions interpreting the law in conflicting ways. If courts can’t even agree about what the CFAA covers, how can those unfamiliar with the law be expected to tell whether a
CFAA-based demand for an immediate takedown is legitimate?
Time to Rein in the Threat of the CFAA
It’s long past time for both the courts and Congress to put an end to such abusive behavior by clarifying what the law does and doesn’t reach—and by putting Terms of Service
violations on the far side of that line. Right now the Supreme Court seems like the best option.
Earlier this summer, in fact, EFF asked the Supreme
Court to step in and clarify that using a computer in a way that violates corporate policies, preferences, and expectations, which is what Zillow claimed here, cannot be grounds
for a CFAA violation. A clear, unequivocal ruling would go a long way to help stop abuses like those Zillow inflicted on Ms. Wagner. The case, called U.S. v. Nosal, is on appeal from a Ninth Circuit ruling that threatens to transform the CFAA into a mechanism for criminalizing
password sharing and policing Internet use.
EFF has also been pushing for CFAA reform for years and increased those efforts after the tragic death of programmer and Internet
activist Aaron Swartz. Our efforts in Congress have been blocked so far, with tech giants like Google, Facebook, and Oracle shamefully unwilling to support reform even as the law
needlessly claims lives and results in massively overbroad sentences.
The CFAA was passed years before the advent of the modern Internet and is desperately out-of-touch with how we use
computers today. Common sense changes, like clarifying that terms of service violations cannot give rise to federal criminal liability, are needed—both to rein in prosecutorial
discretion and to help stop companies from using the CFAA as a scare tactic. We hope the Supreme Court takes up the Nosal case.
United States v. David Nosal
Trump’s FBI Pick Has a Troubling History on Digital Liberties
(Fri, 07 Jul 2017)
President Donald Trump’s pick to lead the FBI, Christopher Wray, will begin his confirmation process next
week, giving lawmakers an opportunity to press him on his previous statements about expansive surveillance authorities and aggressive copyright prosecution.
Defense of the USA PATRIOT Act
During his tenure as Assistant Attorney General in the Bush Administration, Wray vocally defended a range of controversial provisions in the USA PATRIOT Act—including Section 215,
which would later provide the basis for the bulk collection of Americans’ telephone metadata.
When Wray went before the Senate Judiciary Committee in 2003 to defend the PATRIOT Act, a Department of Justice document indicated that Section 215’s business records provision had
never been used. Wray insisted that was a sign of restraint: “We try to use these provisions sparingly, only in those
instances where we feel that this is the only tool that we can use.” In fact, as the Privacy and Civil Liberties Oversight Board (PCLOB) made clear in its report on the bulk metadata program, Section 215 was sitting
fallow because the Bush Administration was already collecting much of that data—without statutory
Granted, Wray didn’t have all of the information about that secretive wiretapping program until 2004, which we’ll get into below. Still, his insistence that Section 215 was just an
effort to bring counterterrorism powers in line with ordinary criminal authorities reflected a concerning lack of skepticism about the risk of abuse. The same holds for his defense of
a range of other PATRIOT Act provisions: “sneak and peek”
warrants that allow law enforcement to search first and serve notice later; a reduced bar for obtaining a FISA warrant that one district court later found inconsistent with the Fourth Amendment; and a vaguely worded expansion of the kind of Internet data, some of it
potentially very sensitive, that can be collected with a pen/trap order.
Experience teaches that broad grants of surveillance authority are invariably abused, as the PATRIOT Act has been. During Wray’s confirmation process, lawmakers should press him on
his insistence that the Act “helped preserve and protect liberty and freedom, not erode them.”
Outstanding Questions about STELLARWIND
President Bush’s sweeping constellation of warrantless surveillance programs, codenamed STELLARWIND, played a key role in the mythos that surrounded the last two FBI Directors. Wray
was reputedly one of the senior Justice Department officials
ready to resign if then-Deputy Attorney General James Comey chose to do so over STELLARWIND’s legality—though Wray himself wasn’t aware of its existence at the time. Wray has since
praised then-FBI Director Bob Mueller’s willingness to challenge President Bush over those surveillance programs, telling WIRED, “I think that the great thing about [people with] strong moral compasses is that they don’t have to
hand-wring. When they’re uncomfortable, they know what they have to do.”
But when Wray was confronted with a constitutional concern about those intelligence efforts, his response, as reflected in a 2009 inspector general report, seems to have been underwhelming. Wray was read into STELLARWIND in
2004 to address concerns that the government—in working to preserve the spying program’s secrecy—was failing to disclose potentially exculpatory material to which criminal defendants
were entitled under the Constitution. As the Justice Department’s Inspector General later found, “[T]he Department made little effort to understand and comply with its discovery
obligations with Stellar Wind-derived information for the first several years of the program.” What legal analysis had been conducted was, the IG would later write, “factually flawed
Wray and another attorney in the Justice Department’s Criminal Division were tasked with reviewing it. But beyond ordering the other attorney to write a memo of his own, it’s not
clear Wray took any action to remedy the problem. While the memo recommended further research, there seems to have been no follow up. Four years after Wray left the Justice
Department, its Inspector General would write that efforts to comply with the Constitution and other legal responsibilities “are not complete and do not fully ensure that the
government has met its discovery obligations.”
Before he’s given the top job at the country’s law enforcement agency, Wray should have to square his praise for officials willing to challenge unconstitutional surveillance with his
apparent inaction on a constitutional question about the rights of defendants swept up in spying programs.
Aggressive Copyright Prosecutions
As Assistant Attorney General for the Criminal Division, Wray also oversaw and touted the Justice Department’s aggressive prosecutions for intellectual property infringement, some of
them alarmingly trivial. In 2004, for instance, Wray named a guilty plea from a defendant who
shared a pre-release copy of “The Hulk” in a chat room as one of the most significant intellectual property prosecutions of the year. That emphasis seems disproportionate, to say the
least. As Senator Leahy put it in the same Judiciary Committee hearing, “That movie sank like a rock at the box office. Within a couple of weeks, they probably could not have given
away the copies.” Still, the impact on the defendant was very real—including six months’ home confinement.
In a climate in which copyright law is increasingly abused to chill and deter speech online, Wray’s past comments are cause for concern.
Lawmakers should press him to commit to reasonable enforcement and respect for free expression protections.
An Obligation to Explain—and Reconsider
If confirmed, Christopher Wray will lead an agency with vast power to intrude on fundamental digital liberties. During his last tour in government service, he expressed views that
should concern everyday Internet users. During this upcoming confirmation process, we expect lawmakers to review Wray’s record, and we hope he will disavow some of his more dangerous
views on the government surveillance activities that we know to violate our core civil liberties.
Amid Unprecedented Controversy, W3C Greenlights DRM for the Web
(Fri, 07 Jul 2017)
Early today, the World Wide Web Consortium (W3C) standards body publicly announced its intention
to publish Encrypted Media Extensions (EME)—a DRM standard for web video—with no safeguards whatsoever for accessibility, security research or competition, despite an unprecedented
internal controversy among its staff and members over this issue.
EME is a standardized way for web video platforms to control users' browsers, so that we can only watch the videos under rules they set. This kind of technology, commonly called
Digital Rights Management (DRM), is backed up by laws like the United States DMCA Section 1201 (most other countries also have laws like this).
Under these laws, people who bypass DRM to do legal things (like investigate code defects that create dangerous security vulnerabilities) can face civil and criminal penalties.
Practically speaking, bypassing DRM isn't hard (Google's version of DRM was broken for six years before
anyone noticed), but that doesn't matter. Even low-quality DRM gets the copyright owner the extremely profitable right to stop their customers and competitors from using their
products except in the ways that the rightsholder specifies.
EFF objects to DRM: it's a bad idea to make technology that treats the owner of a computer as an adversary to be controlled, and DRM wrecks the fairness of the copyright bargain by
preventing you from exercising the rights the law gives you when you lawfully acquire a copyrighted work (like the rights to make fair uses like remix or repair, or to resell or lend
But EFF understood that the W3C had members who wanted to make DRM, so we suggested a compromise: a covenant, modeled on the existing W3C member-agreement, that would require members to make a
binding promise only to use the law to attack people who infringed copyright, and to leave people alone if they bypassed DRM for legal reasons, like making W3C-standardized video more
accessible for people with disabilities.
This was a very popular idea. It was endorsed by Unesco, by the Internet Archive, by the creator of the W3C's existing membership agreement, by hundreds of top security researchers, by the competition
expert who coined the term "Net Neutrality", and by hundreds of human rights organizations and activists from the global south. The Open Source Initiative amended its definition of "open standard" so that DRM standards could only qualify as "open" if they protected legitimate activity.
Now, it's fair to say that the W3C's DRM advocates didn't like the idea. After a perfunctory discussion process (during which some progress was made), they walked away from the
negotiations, and the W3C decided to allow the standardization work to continue despite their unwillingness to compromise.
But other W3C members did like the idea. On March 12, the final vote for publishing EME closed, and members ranging from the German National Library to the UK Royal National
Institute for Blind People to the cryptocurrency startup Ethereum, to Brave, a new entrant to the browser market -- along with dozens more—rejected the idea of publishing EME without
some protections for these equities (the numbers in the vote are confidential by W3C's own membership requirements, but all the members mentioned here have given permission to have
their votes revealed.)
It was the most controversial vote in W3C history. As weeks and then months stretched out without a decision, another W3C member, the Center for Democracy and Technology, proposed a very, very narrow version of the covenant, one that would only protect security researchers
who revealed accidental or deliberate leaks of data marked as private and sensitive by EME. Netflix's representative dismissed the idea out of hand, and then the W3C's CEO effectively killed the proposal.
Today, the W3C announced that it would publish its DRM standard with no protections and no
compromises at all, stating that W3C Director Tim Berners-Lee had concluded that the objections raised "had already been addressed" or that they were "overruled."
In its statement, the W3C said that publishing a DRM standard without protections for core open web activities was better than not doing so, because its DRM had better support for
privacy, accessibility, and competition than a non-W3C version of DRM would have.
We disagree. Even by the W3C's own measures, EME represents no improvement upon a non-standards approach, and in some important ways, the W3C's DRM is worse than an ad-hoc,
At root is the way that DRM interacts with the law. Take security: the W3C's specification says that users' computers should be protected from privacy-invading activities by
DRM vendors, but without a covenant, it's impossible to check whether this is happening. Recall that Netflix, one of the principal advocates for DRM at W3C, categorically rejected the
narrowest of covenants, one that would protect solely the activity of revealing DRM flaws that compromised user privacy.
On the question of accessibility, the W3C has simply ignored the substantial formal and informal objections raised by its members, including members with deep expertise in
accessibility, such as Vision Australia, Media Access Australia, Benetech, and the RNIB. These organizations pointed out that having a place for assistive data was nice, but to make
video accessible, it was necessary to use computers to generate that data.
It's great to say that if you know where all the strobe effects are in 10,000,000 hours of videos, you could add warnings to the timelines of those videos to help people with
photosensitive epilepsy. But unless you have an unimaginable army of people who can watch all that video, the practical way to find all those strobes is to feed the video to a
computer, after bypassing the DRM. Otherwise, most video will never, ever be made safe for people with photosensitive epilepsy.
Multiply that by the unimaginable armies of people needed to write subtitles, translate audio, and generate descriptive audio tracks, and you've exceeded the entire human race's
video-annotating capacity several times over—but barely scratched the surface of what computers can (and will be able to) do.
On the question of competition, the W3C's response is even more frustrating and non-responsive. EME only solves part of the video-transmission standard: for a browser to support EME,
it must also license a "Content Decryption Module" (CDM). Without a CDM, video just doesn't work.
All the big incumbents advocating for DRM have licenses for CDMs, but new entrants to the market will struggle to get these CDMs, and in order to get them, they have to make promises
to restrict otherwise legal activities (for example, CDM licensing terms prevent users in some parts of Europe from seeing videos made available in other parts of the EU).
The W3C says that none of this makes DRM any worse than what was there before the standards effort, but they're dead wrong. DRM is covered by a mess of criss-crossing patents that
make any kind of interoperable DRM transcendentally hard to create -- unless there's some way of cutting through the patent thicket. That's where the W3C comes in: its patent policy
requires members to swear not to enforce their patents against people who implement W3C standards. Since the W3C's membership includes key DRM patent owners, it's the one forum where
such a standard can be set.
At EFF, we've spent decades defending people engaged in legitimate activities that companies or governments disliked: researchers who go public with defects in products whose users
are blithely unaware of them; new entrants to monopolized markets who offer better products with features the cozy old guard don't like; public spirited archivists and accessibility
workers who want to preserve digital culture and make sure everyone gets to use it.
We're dismayed to see the W3C literally overrule the concerns of its public interest members, security experts, accessibility members and innovative startup members, putting the
institution's thumb on the scales for the large incumbents that dominate the web, ensuring that dominance lasts forever.
This will break people, companies, and projects, and it will be technologists and their lawyers, including the EFF, who will be the ones who'll have to pick up the pieces. We've seen
what happens when people and small startups face the wrath of giant corporations whose ire they've aroused. We've seen those people bankrupted, jailed, and personally destroyed.
That's why we fought so hard at the W3C, and it's why we're fighting so hard to fix laws like Section 1201 of the DMCA. We've been suing the US government over the constitutionality
of DMCA 1201; in the coming months, we'll be back at the US Copyright Office, arguing to maintain and extend the exemptions to 1201 we won in 2015.
As for the W3C... we're working on it. There is an appeals process for Tim Berners-Lee's decisions at the W3C, which has never been successfully triggered. The entire project of
designing technology to control web users, rather than empowering them, has taken the W3C into uncharted waters, and this is the most unfamiliar of them all. We're looking into this,
counting noses, and assessing our options. We'll keep you informed.
EFF Condemns Detentions at Turkish Digital Security Meeting
(Fri, 07 Jul 2017)
Turkish police officers in plainclothes yesterday raided a digital security training
meeting on the island of Buyukada in Istanbul, seizing equipment and detaining ten attendees, including Idil Eser, the director of
Amnesty International Turkey. The human rights defenders are still being held in separate detention centers, and were denied access to lawyers and the press for over 24 hours.
Amnesty's Turkey researcher reports that Eser faces at least seven days pre-trial detention under Turkish
law; Global Voices Advocacy says the same for the
other Turkish citizens arrested in the raid. The status of the trainers, who are from Germany and Sweden, is currently unknown.
EFF believes that everyone should be free to learn to protect themselves online and that this is information they have the right to share. Digital security trainings like this one are
frequently held across the world to educate lawyers, journalists, and human rights advocates on how best to protect themselves and their communities. Teaching or learning these skills
is certainly no grounds for detention. By conducting this raid, Turkey joins Iran and Ethiopia as countries where innocent citizens are intimidated and
arrested simply for learning the basic principles of modern technology.
We join Amnesty International, HIVOS,
Article 19, and the rest of the international human rights community in demanding that Turkish authorities release all the Buyukada detainees, including the two digital security
Photographer Attacked by Ludicrous Online Voting Patent
(Thu, 06 Jul 2017)
Ruth Taylor never expected that her hobby would get her sued for patent infringement. Her photography website, Bytephoto.com, barely made enough advertising revenue to cover hosting
costs. The site hosts user-submitted photos and runs weekly competitions, decided by user vote, for the best. Ruth’s main business is her own photography. She supports that business
by visiting more than a dozen local art festivals in Bucks County, Pennsylvania every year.
In 2007, almost four years after Bytephoto began running online photo competitions, a company called Garfum.com Corporation applied for a patent titled “Method of Sharing Multi-Media
Content Among Users in a Global Computer Network.” The patent, U.S. Patent No. 8,209,618, takes the well-known concept of a
competition by popular vote and applies it to the modern context of computer networks. On September 23, 2014, Garfum filed a federal lawsuit accusing Bytephoto of patent infringement
for allowing its users to vote for their favorite photo.
Like many people sued for patent infringement, Ruth first learned of the case when a lawyer who had seen the complaint online called out of the blue, hoping to represent her. She was
stunned. “It seemed like a scam,” she said. Ruth didn’t understand how someone could patent online contests. It just didn’t seem logical. A few days later, a process server arrived at
her house to formally serve the complaint. Then Ruth knew it was real.
Garfum’s opening settlement demand was $50,000. This demand far exceeded Bytephoto’s annual revenue. Ruth learned that defending the case could easily cost more than a million
dollars. Since Bytephoto was just a hobby, Ruth had never incorporated it. This meant she was personally on the hook. She faced the choice between paying the settlement and paying
even higher litigation costs. This was especially frustrating because Bytephoto began allowing users to vote for their favorite photographs years before Garfum filed its patent
application. You can’t patent what already exists. But proving this defense in court would take months of expensive discovery.
Fortunately for Ruth, Garfum’s lawsuit arrived after the Supreme Court’s decision in Alice v. CLS Bank. Many judges have allowed challenges under Alice to be filed early
in the case rather than waiting for discovery (since the patent itself is the key evidence). EFF agreed to represent Ruth pro bono and filed a motion asking the court to hold the
patent invalid under Alice. A few days before the hearing on that motion, Garfum voluntarily abandoned its suit.
Ruth’s case is a perfect example of why Alice improves the patent system. Garfum’s broad and abstract patent did nothing to promote innovation. The idea of voting has been
around for centuries. The idea of applying voting to online social networks did not deserve patent protection. Indeed, even Ruth’s own website predated Garfum’s application. Yet a
settlement or litigation expenses could quickly have led to the site being shut down. Fortunately, thanks to the Alice ruling, Ruth was able to defeat Garfum’s absurd claim and
continue running her site and her business.
Everyone Should Have a Real Chance to Defend Their Anonymity
(Thu, 06 Jul 2017)
In the United States, everyone – even people accused of offensive conduct – has the right to communicate anonymously, and that right should never be infringed without due process. Our
Constitution guarantees this, whether your speech is popular or distasteful. At the same time, people who have been harmed by an anonymous speaker also have a right to seek justice,
and, where necessary, that process can include unmasking the speaker.
Following a rash of bogus defamation lawsuits designed primarily to unmask anonymous online speakers and retaliate against them, courts around the country adopted legal tests to
determine when people suing anonymous speakers are entitled to unmask them. Recognizing the First Amendment interests at stake, these tests require plaintiffs to establish the
legitimacy of their claims and their need for the information.
But as we explained in a letter brief filed today in a New York state court, those tests mean little if they are not applied rigorously, and if the speaker in question doesn't have a
chance to raise the issue at all. (The brief is currently under seal, but watch this space – we'll be asking the court to unseal it promptly).
Unfortunately, that's precisely what is about to happen to almost 300 Tumblr users who reblogged a sexually explicit video of a 17-year-old girl created 10 years ago. The person in
the video (suing as Jane Doe) thought it had been destroyed, but she recently discovered it had been posted on Tumblr and then reblogged hundreds of times. She wants to sue those
users for distribution of child pornography and intentional infliction of emotional distress. To help her do so, a New York judge has ordered Tumblr to disclose account information for those users. Tumblr pushed
back, and managed to narrow the number of users affected. Nonetheless, last week Tumblr notified those users that their account information would be disclosed unless they challenged
the order by July 7. In other words, the users had just 10 days – including a major holiday weekend – to read the notice, find a lawyer, and run to court to defend their
To be clear, if the allegations are true, the plaintiff in this case has been wronged. But that's just the thing – First Amendment protections for anonymous speech never disappear, no
matter how awful the defendant's alleged act. In fact, that's when the protection is most needed. Depending on how the plaintiff handles the case, close to 300 Tumblr users risk being
publicly associated with child pornography. Those users will be under tremendous pressure to settle any claims, whether or not they have valid defenses. Once lost, their anonymity
cannot be recovered and the association cannot be undone. And keep in mind that Tumblr, no matter how careful it tries to be, may disclose the wrong account information.
The court initially demanded disclosure within just five days, so 10 days is an improvement. But it's still far too little time, especially given that the harm to the plaintiff has
already occurred. There is no immediate need to disclose account information without giving the anonymous speakers sufficient time to challenge the propriety of the order and/or the
accuracy of Tumblr's identification. So we're asking the court to first apply the legal test required by the First Amendment to unmask anonymous speakers, and, if the test is
satisfied, to extend the deadline for disclosure so that users can challenge the order if they have a legitimate basis to do so (e.g., because they were improperly identified, or not
subject to the jurisdiction of the court).
We don't tell the court how to rule once it has applied the test required by the First Amendment. If the standards are met, the court may authorize disclosure. But sidestepping the
test altogether is wrong. We urge the court to do the right thing, and follow the Constitution.
Here's How We're Fighting Back Against “Secret” Search Warrants
(Wed, 05 Jul 2017)
Can the government stop you from finding out it’s been looking through your private Facebook content as part of a “secret” investigation that’s not actually secret? That’s the
question raised by an alarming case pending in the Washington D.C. Court of Appeals. Facebook has described the investigation as "known to the public," and the timing and venue match
the January 20th, 2017 Presidential Inauguration protests (known as “J20”), the investigation of which is indeed quite public. But even if the warrants pertain to another
investigation, the government should not be allowed to impose gag orders with respect to any information that is already publicly known.
Last week, EFF led a group of civil society organizations that included Access
Now, the Center for Democracy and Technology, and New America’s Open Technology Institute in filing a brief demanding that the court apply a stringent constitutional test before enforcing gag
orders accompanying a number of secret search warrants. We argued that the First Amendment rarely if ever allows gag orders in such cases, where the government seeks to limit public
scrutiny of high-profile and potentially politicized investigations.
Here’s what we know: Facebook is fighting gags associated with several search warrants for user content. The company thinks this case is so important that it sent out a kind of bat
signal to groups like EFF. Although the case is under seal, Facebook petitioned the D.C. Court of Appeals (the District’s highest court) to open the proceeding up to amicus briefs and to
reveal that Facebook argues that “neither the government’s investigation nor its interest in Facebook user information” is a secret.
Although we can’t be sure, we have a hunch the search warrants are related to the J20 protests. On January 20, the day of President Trump’s inauguration, police in D.C. arrested
hundreds of protesters, charging many with felony rioting. Over the
last several months, the press has reported on the controversial and wide-ranging investigation into the protests, which apparently included police
infiltration of planning meetings. Additionally, in late January, some defendants
received notice from Facebook that their non-content account information had been subpoenaed by law enforcement. Their attorneys sought to quash those subpoenas, and we believe
the timeline in this case suggests the government sought to get even more private information, including account content, using warrants to Facebook accompanied by gag orders.
Whether or not this case involves the J20 protests, the fact that Facebook says the underlying investigation is already public is almost certainly enough to strike down the gag
orders. Government gags that prevent a provider from notifying its users are an example of prior restraints, which are the “most serious” and “least tolerable” infringement on First
Amendment rights. As a result, the Supreme Court has said they are only constitutional if they meet the most “most
But despite the strong presumption against prior restraints, the government gets gag orders all the time. Two of the most commonly used gag authorities are National Security Letters,
which EFF continues to challenge on appeal in the Ninth Circuit, and nondisclosure orders issued
under the Stored Communications Act, 18 U.S.C. § 2705, at issue in this case.
There are strong arguments that Section 2705 nondisclosure orders are unconstitutional all or nearly all of the time. Just in the last several months alone, Microsoft has sued to have Section 2705 declared unconstitutional on its
face, while Adobe succeeded in convincing a court to strike down an indefinite Section 2705
But the apparently public nature of the investigation here makes the gags even more egregious. In order to uphold a prior restraint, a court must be satisfied that it is necessary to
protect against “a clear and present danger or a serious and imminent threat” to an important
government interest. As we point out in our brief, if the government’s investigation into the Facebook accounts is already known, there’s no way that a gag can prevent any harm
flowing from notifying the users and allowing them to challenge the search warrants. We point to examples from two cases in which the Supreme Court struck down gags that prevented the press from reporting sensitive information that had already been
revealed in open court.
Although the docket is sealed, it’s our understanding that the court has set this case for oral argument in September 2017. We have requested an opportunity to address the court to
represent the public’s interest in ensuring that prior restraints such as this don’t issue without the most exacting scrutiny our court system is prepared to provide. We will keep you
informed of any updates we receive.
A July 4 Message from EFF Co-founder John Perry Barlow
(Tue, 04 Jul 2017)
There’s no need to make America great again.
America has been great since it became the first nation on Earth where a set of ideas became the ruling principles of governance.
America was great when it was established that authority did not come from divine right, or indeed anything beyond the ability to earn it.
Those who believe America's greatness depends on her ability to create fear both at home and abroad are the enemies of American greatness.
The best we can do as Americans is cling more steadfastly than ever to the belief that we represent sanctuary to all that need it, and opportunity to all who are willing to work for
it. These are precisely the qualities that made America great in the first place.
And more than anything else, America's greatness resides in our ability to represent love in the world of nations, and not fear.
- John Perry Barlow. July 4, 2017
Congress Needs to End Warrantless Spying, Not Make It Permanent
(Sat, 01 Jul 2017)
Lawmakers are getting serious about renewing the U.S. government’s Internet spying powers, so we need to get serious about stopping their bad proposals.
First out of the gate is a bill from Sen. Tom Cotton, an ardent defender of government surveillance. His bill would not just reauthorize, but make permanent the expiring measure that
the government says justifies the warrantless surveillance of innocent Americans’ online communications—Section 702, as enacted by the FISA Amendments Act. His bill (S. 1297) is
supported by several Republicans in the Senate, including Senate Intelligence Chairman Richard Burr and Sens. John Cornyn, John McCain, and Lindsey Graham.
Section 702 surveillance violates the privacy rights of millions of people. This warrantless
spying should not be allowed to continue, let alone be made permanent as is.
As originally enacted, Section 702 expires every few years, giving lawmakers the chance to reexamine the broad spying powers that impact their constituents. This is especially crucial
as technology evolves and as more information about how the surveillance authority is actually used comes to light, whether through government publication or in the press.
If Congress were to approve Cotton’s bill, lawmakers would not only be ignoring their constituents’ privacy concerns, but they would also be ceding their obligation to regularly
review, debate, and update the law. That is not acceptable.
Luckily, there’s already opposition to the proposal to make Section 702 permanent. During recent hearings at the Senate Intelligence and Judiciary Committees on Section 702
surveillance, Sen. Dianne Feinstein—who has historically been sympathetic to the intelligence community—said she could not support a bill that makes Section 702 permanent.
Now we need other members of Congress to make the same stand. We cannot accept lawmakers ignoring our privacy concerns and their responsibility to review surveillance law, and our
lawmakers need to hear that.
Sign our petition today and tell Congress to oppose S. 1297 and the permanent
reauthorization of Section 702 spying.
Stupid Patent of the Month: Using A Computer To Count Calories
(Sat, 01 Jul 2017)
This month’s stupid patent, like many stupid patents before it, simply
claims the idea of using a computer for basic calculations. U.S. Patent No. 6,817,863 (the ’863 patent) is titled “Computer
program, method, and system for monitoring nutrition content of consumables and for facilitating menu planning.” It claims the process of using a computer to track nutrition
information like calorie or vitamin intake. It is difficult to think of a more basic and trivial use for a computer.
The ’863 patent is owned by a patent troll called Dynamic Nutrition Solutions LLC. Dynamic Nutrition filed a lawsuit this month in the Eastern District of Texas accusing Australian company Fatsecret of infringing the ’863 patent.
Dynamic Nutrition had filed four other lawsuits. Consistent with a pattern of nuisance litigation, each of those earlier suits settled very quickly.
What “invention” does the ’863 patent purport to cover? Claim 1 of the patent is reproduced in full below (with comments in brackets):
A computer program comprising a combination of code segments stored in a computer-readable memory and executable by a processor to provide nutrition content information related to
consumables, the computer program comprising:
a code segment operable to receive and store an input related to consumption of consumables, and to associate the input with a calender [sic] date [i.e. program a computer
to track daily food intake]; and
a code segment operable to generate an interactive display screen, wherein the interactive display screen includes— [i.e. include some kind of user interface]
one or more lists of consumables and related nutrition content information, and [i.e. list food options and nutrition information]
a summary section of past consumption of consumables. [i.e. list past food intake]
In other words, program a computer to help people keep track of meals and calorie or vitamin intake.
The application for Dynamic Nutrition’s patent was filed on June 11, 2001. By that time, computers had been around for decades and there was nothing remotely surprising or innovative
about programming a computer to keep track of data—whether it be nutrition data or units shipped or accounts receivable or whatever. Nevertheless, the Patent Office takes an extremely rigid approach to whether or not a patent application is obvious. This means
that companies often get patents on common sense ideas (like taking
photos against white background or filming a yoga
Even leaving aside the issue of obviousness, the claims of the ’863 patent are invalid
under the Supreme Court’s Alice v. CLS Bank decision (which struck down patents that merely claim the use of conventional computers to
implement an abstract idea). Indeed, the first company to be sued by Dynamic Nutrition, Under Armour, filed a motion to dismiss the case under Alice. Under Armour pointed out that the ’863 patent itself
repeatedly emphasizes that its methods can be implemented using any conventional computer or programming language. Given the strength of this argument, it is unsurprising that the
litigation settled before Dynamic Nutrition even filed a response.
Dynamic Nutrition’s patent is not even the only patent that claims using a computer for routine meal planning. A patent troll called DietGoal sued dozens of companies with a meal planning patent. A court invalidated DietGoal’s patent under Alice because it claimed nothing more than the “conventional
and quotidian tasks” of selecting meals. The Federal Circuit affirmed that ruling. The logic of this decision applies straightforwardly to Dynamic Nutrition’s patent claims.
We recently launched our Saved By Alice project where we are highlighting cases where companies attacked by stupid software patents were able
to use the Alice decision to defend themselves. The Dynamic Nutrition litigation is yet another example of why the Alice ruling is important and how it can protect
productive companies from patent trolls.
Internet, Activate! Stand Up for Net Neutrality on July 12
(Fri, 30 Jun 2017)
Two months ago, FCC Chairman Ajit Pai announced his plan to abandon the
agency’s commitment to protecting net neutrality. On July 12, let’s give the world a preview of what the Internet will look like if the FCC goes forward with its plan to dismantle
open Internet protections.
EFF is joining a huge coalition of nonprofits and companies in a day
of action standing up for net neutrality.
One simple way that organizations, companies, and even individuals can participate is to install our widget. If you’ve installed the widget on your website, then on July 12, visitors
will be greeted with an alarming message:
This widget will send a clear message to your site’s visitors: giving up protections for net neutrality will give ISPs a frightening amount of control over your Internet experience.
All of the instructions for installing our widget are available on GitHub. For more information on the day of action, visit
the Battle for the Net website.
If you’re worried about large ISPs deciding how you use the Internet, tell the FCC.
Californians: Demand a Vote on Your Broadband Privacy Before the Telecom Lobby Runs Out the Clock
(Fri, 30 Jun 2017)
What do they do when they can’t win the vote? Try to Stop a Vote.
Right now, politicians in Sacramento are holding up a bill that would restore your broadband privacy rights and directly reject Congress and the Trump Administration’s decision to
side with Comcast, AT&T, and Verizon.
It is in fact the first bill ready to be enacted into California law that would be a direct response to the latest string of efforts in Washington DC to curb consumer protections
in broadband access. A.B. 375 (Chau) would ensure your broadband provider must secure your permission first before selling your personal information to third parties.
However, it has been stalled in the Senate Rules Committee – likely due to opposition from major cable and telephone companies. If they are successful at keeping the bill stalled
until July 18th, then the bill is dead for the rest of this year.
They can’t win at the vote given the overwhelming public opposition to repealing our privacy rights in the first
place, which is why this is their strategy.
Death by Procedure and Denying the Vote
In California, bills must make it past certain policy committees by specific deadlines, or they are dead for the year. But before a bill can be heard in any policy committee, it must
be referred out by the Rules Committee in a fairly routine matter of deciding which committees should review and vote on the bill before presentation to the full Assembly and Senate.
Two weeks ago, AB375 became eligible to be referred out of the Senate Rules Committee. Assuming normal procedures, advocates expected to testify in support of the bill at a July
3rd hearing. However, the legislation has been mysteriously absent from consideration on the Rules Committee agenda. Two weeks have passed, the Senate Rules Committee
has met twice, yet A.B. 375 has not been placed on the agenda, debated, or referred out to any
This raises significant questions.
Unless Senate President Pro Tempore Kevin de Leon, who leads the Senate - and chairs the Rules Committee - decides to ignore the pleas of Comcast, AT&T, and Verizon and, instead,
follows normal procedural rules and moves the bill forward so it can receive a vote, the telecom lobby will win in arguably the worst way possible - by simply preventing your elected
representatives from even voting at all.
The Momentum is With Us
California is the 20th state to engage in restoring our broadband privacy rights, but it could be the first state to officially make it law by this year. A vast majority of
conservative, liberal, and independent voters opposed Congress repealing our broadband privacy rights and naturally they demanded action. Several print publications in California have
written positive reviews about AB 375. And the legislation itself has been thoroughly vetted and is ready for enactment.
We have until July 18th to push AB 375 to the finish line. Pick up the phone ASAP and make your voice heard!
Don’t Trust in Antitrust Law to Protect Net Neutrality
(Fri, 30 Jun 2017)
Back in 2014, we considered many possible ways of protecting net neutrality that would not rely on the FCC, including antitrust law. Unfortunately, U.S. antitrust law is not up to the
Antitrust law is an economic doctrine that gives little if any weight to freedom of expression and other noneconomic values secured by net neutrality. Antitrust law defines harm in
terms of higher prices and diminished product quality. If antitrust law deems that a practice is not harmful to competition, it does not matter how much it represses speech, distorts
access to knowledge, or intrudes on privacy. Antitrust law has no concept of the "gatekeeper" problem posed by an ISP's control over your conduit to information.
There are other reasons why antitrust isn't an effective tool for net neutrality problems. Antitrust law is fundamentally about protecting competition, but the market for broadband is
very different than the theoretical ideal contemplated by antitrust law.
First, there is very little broadband competition to protect. More than 9 out of 10 Americans live in monopoly or duopoly markets for broadband according to the FCC. Even lower-speed wireless
service is available from only a handful of carriers in most places, all of which oppose net neutrality and have pushed the boundaries of the existing Open Internet Order with
throttling or pay-to-play zero-rating schemes.
Second, broadband service naturally tends towards monopoly. A large incumbent provider that can amass government permissions to use rights-of-way under public streets, on poles and
antenna sites, and on the radio spectrum will always be able to offer cheaper service than a new entrant who has to pay to build the infrastructure and obtain new rights-of-way.
Combine that with customers' notoriously unreliable access to information about
service quality and broadband speeds and the high costs of switching providers, and you have a market that will not be competitive without intervention.
We got a competitive market for dial-up Internet in the 1990s because phone companies were required to allow other service providers to operate using their infrastructure. We could
have that kind of competition again if broadband providers were required to grant similar access. But unless that happens, we will not see meaningful competition of the type that
antitrust law is designed to protect.
Further, antitrust law has been eviscerated over the past century. Under the new "single entity doctrine," a company can't be accused of illegal collusion with its subsidiary or
parent companies, so for example Comcast could make an arrangement to favor NBC-Universal content it owns without much fear from antitrust law. And a pair of Supreme Court decisions in
2004 and 2007 made it much harder to bring antitrust cases against companies in regulated industries, even if the regulations themselves are minimal. The dismal state of competition
in broadband should make it obvious that current antitrust law isn't adequate even to protect competition, let alone protecting customers against data discrimination.
There are a few types of non-neutral practices that could also rise to the level of antitrust violations, such as an ISP's accepting payments to block competing websites (but
accepting payments from businesses to block websites that criticize them would likely get a pass).
Title II, the current legal basis for net neutrality protections, is the legal tool that is specifically and narrowly tailored to prevent discrimination by carriers of information. In
the past, the FCC has tried to stretch its other authorities to impose net neutrality rules—which alarmed us, since stretching those authorities to achieve something they weren't
meant to do would be bad government and accrue too much power to the FCC. Those approaches were defeated in court, while Title II has been upheld. Now, opponents of net neutrality
urge a return to those dangerous and ineffective approaches, or to antitrust—another legal doctrine designed to do something entirely different from protecting against data
discrimination. It's not the right tool for the job. That tool is Title II, and those who care about net neutrality need to defend it.
Five Eyes Unlimited: What A Global Anti-Encryption Regime Could Look Like
(Fri, 30 Jun 2017)
This week, the political heads of the intelligence services of Canada, New Zealand, Australia, the United Kingdom, and the United States (the "Five Eyes" alliance) met in
Ottawa. The Australian delegation entered the meeting saying publicly that they intended to "thwart the encryption of
terrorist messaging." The final communiqué states more diplomatically that "Ministers
and Attorneys General [...] noted that encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into
serious crimes, including terrorism. To address these issues, we committed to develop our engagement with communications and technology companies to explore shared solutions."
What might their plan be? Is this yet another attempt to ban encryption? A combined effort to compel ISPs and Internet companies to weaken their secure products? At least one leader
of a Five Eyes nation has been talking recently about increasing international engagement with technology companies — with a list of laws in her back pocket that are already capable
of subverting encryption, and the entire basis of user trust in the Internet.
Exporting Britain's Surveillance Regime
Before she was elevated to the role of Prime Minister by the fallout from Brexit, Theresa May was the author of the UK's Investigatory Powers bill, which spelled out the UK's plans
for mass surveillance in a post-Snowden world.
At the unveiling of the bill in 2015, May's officials performed the traditional dance: they stated that they would be looking at controls on encryption, and then stated definitively
that their new proposals included "no backdoors".
Sure enough, the word "encryption" does not appear in the Investigatory Powers Act (IPA). That's because it is written so broadly it doesn't need to.
We've covered the IPA before at EFF, but it's worth re-emphasizing some of the powers it grants the British
Any "communications service provider" can be served with a secret warrant, signed by the Home Secretary. Communications service provider is interpreted extremely broadly to
include ISPs, social media platforms, mail services and other messaging services.
That warrant can describe a set of people or organizations that the government wants to spy upon.
It can require tech companies to insert malware onto their users' computers, re-engineer their own technology, or use their networks to interfere with any other system.
The warrant explicitly allows those companies to violate any other laws in complying with the warrant.
Beyond particular warrants, private tech companies operating in the United Kingdom also have to respond to "technical capability notices" which will require them to "provide and maintain the capability to
disclose, where practicable, the content of communications or secondary data in an intelligible form," as well as permit targeted and mass surveillance and government hacking.
Tech companies also have to provide the UK government with new product designs in advance, so that the government
can have time to require new "technical capabilities" before they are available to customers.
These capabilities alone already go far beyond the Nineties' dreams of a blanket ban on crypto. Under the IPA, the UK claims the theoretical ability to order a company like Apple or
Facebook to remove secure communication features from their products—while being simultaneously prohibited from telling the public about it.
Companies could be prohibited from fixing existing vulnerabilities, or required to introduce new ones in forthcoming products. Even incidental users of communication tech could be
commandeered to become spies in Her Majesty's Secret Service: those same powers also allow the UK to, say, instruct a chain of coffee shops to use its free WiFi service to deploy
British malware on its customers. (And, yes, coffee shops are given by officials as a valid example of a "communications service provider.")
Wouldn't companies push back against such demands? Possibly: but it's a much harder fight to win if it's not just the UK making the demand, but an international coalition of
governments putting pressure on them to obey the same powers. This, it seems, is what May's government wants next.
The Lowest Common Privacy Denominator
Since the IPA passed, May has repeatedly declared her intent to create an international agreement on "regulating cyberspace". The difficulty of enforcing many of the theoretical
powers of the IPA makes this particularly pressing.
The IPA includes language that makes it clear that the UK expects foreign companies to comply with its secret warrants. Realistically, it's far harder for UK law enforcement to get
non-UK technology companies to act as their personal hacking teams. That's one reason why May's government has talked up the IPA as a "global gold standard" for surveillance, and one that they hope other
countries will adopt.
In venues like the Five Eyes meeting, we can expect Britain to advocate for others to adopt IPA-like powers. In that, they will certainly be joined by Australia, whose Prime
Minister Malcolm Turnbull recently complained in the Australian Parliament that so many tech companies
"are based in the United States where a strong libertarian tradition resists Government access to private communications, as the FBI found when Apple would not help unlock the iPhone
of the dead San Bernardino terrorist." Turnbull, it seems, would be happy to adopt the compulsory compliance model of the United Kingdom (as would, he implied at the time of the Apple
case, President Trump).
In the meantime, the British authorities can encourage an intermediary step: other governments may be more likely to offer support for an IPA regime if Britain offers to share the
results of its new powers with them.
Such information-sharing agreements are the raison d'être of the Five Eyes alliance, which began as a program to co-ordinate intelligence operations between the Anglo-American
countries. That the debate over encryption is now taking place in a forum originally dedicated to intelligence matters is an indicator that the states still see extracting private
communications as an intelligence matter.
But hacking and the subversion of tech companies isn't just for spies anymore. The British Act explicitly granted these abilities to conduct "equipment interference" to more than just
GCHQ and Britain's other intelligence agencies. Hacking and secret warrants can now be used by, among others, the civilian police force, inland revenue and border controls. The
secrecy and dirty tricks that used to be reserved for fighting agents of foreign powers are now available for use against a wide range of potential suspects.
With the Investigatory Powers Bill, the United Kingdom is now a country empowered with blunt tools of surveillance that have no comparison in U.S. or any other country's law. But,
along with its Five Eyes partners, it is also seen as a moderate, liberal democracy, able to be trusted with access and sharing of confidential data. Similarly, Australia is one of
the few countries in the world (and the only one of the Five) to legally compel ISPs to log data on their users. Canada conducts the
same meta-data surveillance projects as the United States; New Zealand contributes its mass
surveillance data to the shared XKEYSCORE project.
While such data-sharing may be business as usual for the Cold War spies, the risks of such unchecked co-operation have been barely considered by the judicial and legislative branches.
In the world of law enforcement, the UK has for the last year
conducted a sustained lobbying campaign in the United States Congress to grant its police forces fast-track access to American tech companies' communications data. The UK would be
permitted to seize the contents of Google, Facebook and other companies' customers' inboxes without a U.S. court warrant. In return, the U.S. would gain a reciprocal capability over
data held in the U.K.
The danger is that, by forging broad agreements between these five countries, all will end up taking advantage of the lowest privacy standards of each. The United Kingdom will become
the source of data obtained through the Investigatory Powers Bill; the United States will launder data taken from UPSTREAM and other programs through the United Kingdom's legal
system, and so on.
Secret "Five Eyes" is not the venue for deciding on the future of global surveillance. Intelligence agencies and their secret alliances are no model for oversight and control of the
much broader surveillance now being conducted on billions of innocent users of the public Internet. The Investigatory Powers Bill is no "gold standard." Britain's radical new powers
shouldn't be exported via the Five Eyes, either through law, or through data-sharing agreements conducted without judicial or legislative oversight.
McMansion Hell Responds to Zillow’s Unfounded Legal Claims
(Thu, 29 Jun 2017)
Update 5:00pm: Zillow has released a statement saying
the company has "decided against moving forward with legal action." EFF is pleased that Zillow has withdrawn its threat and won't be seeking to take down any of the posts on McMansion
Hell. We hope that other companies seeking to shut down humor, criticism, and parody online see this as a cautionary tale and avoid sending threats in the first place.
Earlier this week, Zillow sent an aggressive cease and desist letter [PDF] to Kate
Wagner, the creator of the McMansion Hell website. Zillow demanded that Wagner remove any image originally sourced from Zillow’s site.
Today EFF sent a response to Zillow on Wagner’s behalf. Our letter [PDF] explains why
none of Zillow’s contentions have any merit. Zillow should abandon its demand and respect online freedom of expression.
McMansion Hell is an architecture blog focused on contemporary residential housing. Using humor and parody, Wagner tries to illustrate the architectural horror of modern McMansions.
Her posts usually include annotated photographs of houses to illustrate her commentary. In addition to posts critiquing individual homes, Wagner publishes essays about urbanism,
architecture, sociology, and interior design. After receiving Zillow’s threat, Wagner temporarily disabled access to her blog via McMansionHell.com. She is relaunching the blog in
Zillow’s demand letter made a number of highly dubious legal claims. For example, Zillow argued that Wagner does not make fair use of the photographs she annotates. Importantly,
Zillow does not own, and cannot assert, the copyright in these photos. But even if it could, McMansion Hell’s annotation of photographs for the purpose of criticism and commentary is
a classic example of fair use.
Zillow also suggested, without any explanation, that Wagner may have violated the Computer Fraud and Abuse Act (CFAA). EFF has long
fought against overbroad applications of the CFAA, which is the federal anti-hacking statute intended to criminalize unauthorized intrusions into computer networks. There is no basis
for a CFAA claim against Wagner. To the extent Zillow was suggesting that she might have violated the CFAA by violating Zillow’s terms of service, courts have repeatedly rejected such claims.
(which they do not), they are unenforceable for the many
reasons we outline in our letter. For example, the recently enacted Consumer Review
Fairness Act of 2016 invalidates any contract that restricts a consumer’s ability to review a product or service. The statute expressly protects “pictorial reviews” and covers
Zillow’s letter unleashed a wave of negative publicity for the
company. In response, Zillow has insisted that it did not intend to shut down Wagner’s blog. However, it does appear to be standing by its demand that she remove all images sourced
from Zillow’s website. Zillow has no basis for such a demand and our client will not be removing any previous posts. She has informed Zillow, however, that she is not interested in
using its site for her blog in the future. We hope Zillow does the right thing and renounces its attempt to censor McMansion Hell.
Copyright Office Proposes Modest Fixes to DMCA 1201, Leaves Fundamental Flaws Untouched
(Thu, 29 Jun 2017)
The U.S. Copyright Office just released a long-awaited report about Section
1201, the law that bans circumventing digital restrictions on copyrighted works. Despite years of
evidence that the social costs of the law far outweigh any benefits, the Copyright Office is mostly happy with the law as it is. The Office does recommend that Congress enact some
narrow reforms aimed at protecting security research, repair activities, and access for people with disabilities.
We’re sorry the Office didn’t take a stronger stance. Section 1201, part of the Digital Millennium Copyright Act, makes it illegal to circumvent any “technological protection measure”
(often called DRM) that controls access to copyrighted works. It also bans the manufacture and sale of tools to circumvent those digital locks. Although it was pitched as a new legal
protection for copyright holders to prevent infringement, the law has given major entertainment companies and other copyright owners lots of control over non-infringing uses of
technology, allowing them to lock out competition in repair and re-sale businesses, and to threaten and silence security researchers. The law has some exceptions, but they are far too
narrow and complicated.
Those flaws are one reason EFF is challenging Section 1201 in court on behalf of researcher Matthew Green and
technologist Andrew “bunnie” Huang. In the lawsuit, filed last year, we explain why Section 1201
is an unlawful restraint on speech and ask the court to strike the law down. Congress has also considered several fixes to the law over the last few years, ranging from comprehensive fixes to smaller corrections.
Meanwhile, after the last rulemaking, the Copyright Office asked for public comments and held hearings about Section 1201, leading to the report released on Thursday. In the report, the Copyright Office announces its belief that “the statute’s overall structure and
scope . . . remains sound.” The Office also believes that bypassing access controls can violate Section 1201 even when the purpose of the circumvention has nothing to do with
copyright infringement. Federal appeals courts are sharply divided on this question, and the Copyright Office seems to be putting its thumb on the scales in favor of rightsholder
control and against freedom of expression and innovation.
If a Section 1201 violation can happen without any connection to copyright infringement, then Section 1201 gives copyright holders (and DRM vendors) vast control over technology
users, beyond what copyright law already gave them. According to the Copyright Office’s interpretation, Section 1201 gives copyright holders “control over the terms of access to their
works online.” That means that by wrapping software, music, games, video, or text in a layer of DRM, copyright holders gain the ability to dictate when, where, and how we can use
those things, and the technology we can use to interact with them. And it means that copyright holders can nullify the public’s fair use rights. The Copyright Office’s approach here
is the wrong approach, and it deepens the law’s constitutional problems.
The report is also notable for what it doesn’t contain: any evidence that we need a ban on circumventing digital locks in the first place. The report points out that “explosive growth
in legitimate digital content delivery services” happened “after the enactment of Section 1201,” but it doesn’t attempt to show that the law was what caused that growth. It also
mentions a statement by a Senate committee in 1998, that “copyright owners will hesitate to make their works readily available on the Internet without reasonable assurance that they
will be protected against massive piracy.” Today, of course, the Internet contains many lifetimes worth of amazing creative work of all kinds, made available by creatives without any
DRM, so that prediction did not come true.
The report doesn’t cite any studies or data showing that Section 1201 has been beneficial to creativity or the digital economy. And the only experts it cites to are entertainment
companies with an interest in keeping the control that 1201 provides them, and the same members of Congress who requested the report in the first place—hardly a convincing case.
The report does make some recommendations for fixing the law, including new and expanded exceptions to the ban on circumvention. The Copyright Office recommends that Congress expand
the permanent exemptions for security testing and encryption research, by removing or mitigating restrictions in those exemptions that have made those exemptions too uncertain for
many in the computer security community to rely on.
The report also recommends a new permanent exemption for assistive technologies for people with disabilities. That change is overdue, as advocates for print-disabled people have had
to request exemptions for screen-reading and other assistive technologies every three years for nearly two decades.
In the last rulemaking cycle, EFF and other organizations requested exemptions covering maintenance, repair, and modification of software. One of the unfortunate effects of Section
1201 in recent years has been to cast a cloud of legal uncertainty over repair businesses ranging from cars to smartphones, and to block the re-use of devices like phone handsets and
printer cartridges. The Copyright Office report recommends a new permanent exemption covering “diagnosis, maintenance, repair, and obsolescence” activities, not limited to any
specific technologies. That would be a positive step. But the report rejects an exemption for modifying software for other reasons, such as to improve or customize the software.
That’s a problem, because those activities are largely legal and beneficial, aside from the legal risk created by Section 1201.
Finally, the report offers some fixes to the rulemaking process for temporary exemptions that happens every three years. Notably, the Copyright Office will offer a way to renew
exemptions from previous cycles with what they claim will be minimal time and expense. We’re expecting the Copyright Office to begin a new rulemaking cycle soon, so we’ll get to see
how well this works in practice and whether they are able to make the process less expensive. In several places in the report, the Copyright Office offers to try to make temporary
exemptions broader and more useful to the populations they affect. We’ll be holding them to that.
However, the Copyright Office still insists that it should be unlawful for anyone to distribute tools to allow beneficiaries of rulemaking exemptions to take advantage of the
exemption, because “it would be impossible to control” subsequent uses of such tools. The real, proven need for circumvention has to take a back seat to the hypothetical scenario
where the beneficiary then decides to infringe.
It’s too bad the Copyright Office won’t address the fundamental flaws of Section 1201, especially given the multitude of problems that the report acknowledges. A simple, comprehensive
fix like the Unlocking Technology Act introduced by Rep. Zoe Lofgren would solve many of the problems that
Section 1201 causes for security professionals, tinkerers, people with disabilities, repair and resale businesses, teachers, students, libraries, and many others. A piecemeal approach
will solve just a few of the current problems, at the cost of ever more complexity and a continuing demand for massive public interest resources to make the exemption process work.
Congress, or the courts, should do more.
Let's Encrypt Has Issued 100 Million Certificates
(Wed, 28 Jun 2017)
This evening, the Let's Encrypt certificate authority issued its hundred millionth digital certificate. This is a remarkable milestone in just a
year and a half of public operation; Let's Encrypt is likely now either the largest or second-largest public CA by volume of certificates issued.
Let's Encrypt was created by Mozilla, the University of Michigan, and EFF, with Cisco and Akamai as
founding sponsors, and is operated by the Internet Security Research Group, a non-profit organization. (See also the thoughts of Josh Aas, ISRG's executive director, on reaching this milestone.)
Free certificates from Let's Encrypt allow web sites to offer secure HTTPS connections to their users, protecting the privacy and security of those connections against many network-based threats. EFF continues to help develop the Boulder software that
Let's Encrypt uses internally, as well as Certbot, Let's Encrypt's recommended software for obtaining and installing certificates on web
For various reasons, the hundred-million mark does not mean that a hundred million different sites use Let's Encrypt certificates [1]. The number of web sites protected by Let's Encrypt is probably between 17 million and 46 million,
depending on what definition of a "web site" we use [2]. It's hard to
say with certainty whether Let's Encrypt has issued the largest number of certificates because CAs are not currently required to disclose the certificates they issue, but Let's
Encrypt does so voluntarily. And the number of sites protected by Let's Encrypt will continue to grow rapidly as more and more hosting providers and server software offer convenient
Let's Encrypt support to help bring HTTPS to sites that didn't have it before.
We're extremely proud of the contribution that we've made and continue to make in making the web safer for its users.
We'd also like to acknowledge Let's Encrypt's awesome operations team, which has kept a popular high-security service working and growing to meet demand, including at times when over
a million certificates were issued in a single day.
1. Let's Encrypt certificates expire and must be replaced after 90 days; multiple certificates may be issued for the
same web site during the same time period; certificates can protect Internet services other than web sites; and not all certificates that have been issued actually get used or
remain in use for the lifetime of the certificate.
2. For example, do we count https://www.google.com/, https://google.com/, and https://images.google.com/, as one, two,
or three web sites?