Deeplinks

Crossing the U.S. Border? Here’s How to Securely Wipe Your Computer (Wed, 26 Jul 2017)
Many people crossing the U.S. border are concerned about the amount of power that the government has asserted to search and examine travelers’ possessions, including searching through or copying contents of digital devices, like photos, emails, and browsing history. The frequency of these intrusive practices has been increasing over time.

Some travelers might choose to delete everything on a particular device or disk to ensure that border agents can’t access its contents, no matter what. Our 2017 guide for travelers addressed this option, but did not give detailed advice on how to do it, because we think most travelers won’t consider it their best option. Before embarking on wiping your computers, please read our guide to understand your legal rights at the U.S. border.

We don’t recommend disk wiping as a border crossing security measure for most travelers. It’s a less common data protection technique than the other ones highlighted in our guide, which include encryption and minimizing data that you carry. Wiping your computer will make it unusable to you. Also, it may draw the attention of border agents, since it is unusual for travelers to carry blank devices with them. This may be of particular concern to travelers who are not U.S. citizens, who may receive more scrutiny from border agents. Again, you should consider your risks and security needs carefully before deciding how best to secure your data for border crossings, as everyone’s individual risk factors and data security needs are different.

Now that you’ve been sufficiently cautioned, let’s look closely at wiping your computers.

Why Wipe?

Why might you want to wipe a disk instead of just deleting individual files, messages, and so on? The main reason is what can happen if a device is seized. Forensic inspection of a seized device with special software tools can recover significant amounts of deleted information and references to individual files and software that have previously been removed. Wiping your disk entirely is a valuable means of protecting data against such a forensic examination, and it spares you from making individual decisions about whether to erase particular things. It’s also important if you want to make sure photos or videos are truly deleted from a camera or phone’s SD card, since these devices rarely delete media securely.

A laptop can wipe its own hard drive, or removable storage media like USB drives or SD cards, by overwriting the contents. One method of doing this is formatting the storage medium, but note that this term is applied to two very different processes. Only “low-level formatting” (also called “secure formatting” or “formatting with overwriting”) actually erases the hard drive by overwriting data. “Quick format” or “high-level format” does not do so, and is thus less secure. Formatting tools let you choose between a quick format and a secure overwriting format. For data destruction, always choose a secure overwriting format.

You should already have built-in tools that can perform a low-level format or wipe a hard drive, or you may download third-party tools to do this. Below are some steps you can take with major computer operating systems to wipe your devices or removable media. Keep in mind that after wiping a hard drive, you may need to reinstall the operating system before you can use the device again.

One consideration when wiping computer media is the limited ability to delete data on solid-state drives (SSDs) ubiquitous in modern computers, including flash-based removable media as well as internal SSD hard drives. Because of a technology called wear leveling, overwriting may not reliably erase the data on these kinds of storage media in full. This technology tries to spread out where things are stored to prevent any one part of the storage medium from being used more than another part. Researchers have shown that overwriting a single file on an SSD often doesn’t destroy that file’s contents; even after the entire device has been overwritten, wear leveling may leave a small random portion of the data on these media in a recoverable form. There are software vendors that promise to securely delete SSDs, but it is still not clear to us whether this can be done reliably to make the information completely unrecoverable. Encrypting your SSD may be the best way to prevent access to the information on the drive, though of course you have to do that ahead of crossing the border.

Windows

The built-in Disk Management tool can format removable media (be sure to uncheck the “Perform a quick format” option). It will not format the built-in hard drive if the computer was started from it. Formatting the built-in hard drive requires starting the computer from a bootable CD or USB drive, such as DBAN, described briefly below.

macOS

The built-in Disk Utility tool can format external storage media (be sure to click “Security options” and select “Most secure”) and the built-in hard drive. Like its Windows equivalent, it will not format the built-in hard drive if the computer was started from it. To erase the built-in hard drive, access the recovery utilities, which include Disk Utility, by pressing ⌘R while the system is starting up. Unlike opening Disk Utility on an already-running computer, this approach will permit erasing the built-in hard drive.

Linux

Most Linux distributions have a built-in disk utility that can format either removable media or the built-in hard drive. For GNOME environments, open GNOME disk utility (or “Disks”), select a particular partition, then click the gear icon and then “Format partition…” Remember to select “Overwrite existing data with zeroes.” Note that formatting a hard drive partition that’s used to boot your operating system will make your computer unbootable until an operating system is reinstalled.
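The difference between a quick format and an overwriting format can be checked on a disk image. The following is an added example, not part of EFF's guide: it builds a constructed image file, applies a simplified model of a quick format (only the first sector is reset), then overwrites every byte with zeros and verifies the result. All function names and the sample image are assumptions made for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024   # read/write unit: 1 MiB
SECTOR = 512          # size of the metadata area in the constructed image
SECRET = b"constructed-sample-photo-bytes"   # stands in for a deleted file


def build_sample_image(path, size=3 * CHUNK):
    """Create a constructed image: one metadata sector plus one 'file'."""
    offset = CHUNK - 5    # straddles a chunk boundary on purpose
    with open(path, "wb") as f:
        f.truncate(size)
        f.write(b"DIRTABLE: photo.jpg".ljust(SECTOR, b"\x00"))
        f.seek(offset)
        f.write(SECRET)
    return offset


def quick_format(path):
    """Simplified model of a quick format: only the metadata sector is reset."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR))


def overwrite_with_zeros(path):
    """Overwrite every byte in place (destroys the contents of `path`).

    Works on a regular file or, with sufficient privileges, a block device.
    Returns the number of bytes written.
    """
    zeros = bytes(CHUNK)
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)     # also correct for block devices
        f.seek(0)
        done = 0
        while done < size:
            view = memoryview(zeros)[: min(CHUNK, size - done)]
            while view:                   # unbuffered writes may be short
                n = f.write(view)
                view = view[n:]
                done += n
        os.fsync(f.fileno())              # push the data out of the OS cache
    return done


def find_bytes(path, needle):
    """Raw scan for `needle`, ignoring any file system. Returns offset or -1."""
    overlap = len(needle) - 1
    tail, base = b"", 0                   # base = file offset of window[0]
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return -1
            window = tail + chunk
            hit = window.find(needle)
            if hit != -1:
                return base + hit
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)


def first_nonzero_offset(path):
    """Verification pass: offset of the first non-zero byte, None if all zero."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return None
            rest = chunk.lstrip(b"\x00")
            if rest:
                return offset + len(chunk) - len(rest)
            offset += len(chunk)


def demo():
    """Return (written_at, found_after_quick_format, found_after_wipe, nonzero)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        written_at = build_sample_image(img)
        quick_format(img)
        after_quick = find_bytes(img, SECRET)   # data is still there
        overwrite_with_zeros(img)
        after_wipe = find_bytes(img, SECRET)    # data is gone
        return written_at, after_quick, after_wipe, first_nonzero_offset(img)


if __name__ == "__main__":
    print(demo())
```

A clean verification pass only shows what the drive reports through its normal interface; on SSDs and other flash media, wear leveling can still leave copies that this check cannot see, as described above.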
ChromeOS

To restore your ChromeOS machine to its factory state, you can make use of the “Powerwash” feature. Powerwash deletes all the locally stored user data on the device, but not things that have been backed up to Google’s cloud.

A More Complex Method

If you want to completely erase the contents of your built-in hard drive by overwriting, the most reliable option may be to download a bootable data erasure tool like DBAN. The DBAN image file needs to be downloaded and written onto a USB drive or CD-ROM; then the computer is booted from the medium containing DBAN, which gives an option to overwrite the hard drives. DBAN works independently of the operating system installed on the device, but you should exercise caution as using DBAN correctly requires following directions precisely.

Take Action

Want to learn more about how to protect your digital data when you cross the U.S. border? See EFF’s full guide. You can also download and print our pocket guide for defending privacy at the U.S. border and our one-page overview of the law at the border.

It’s sad that travelers have to worry about elaborate defensive measures to prevent border agents from snooping through their devices for no particular reason at all. Concerned about border agents running roughshod over our rights? There’s a bill in Congress that aims to fix this. Tell your elected representatives to rein in CBP.

EFF Asks Court to Strike Down Unconstitutional Restraint on Our Speech (Tue, 25 Jul 2017)
EFF has asked a federal court to rule in its favor in a lawsuit we filed against an Australian company that sought to use foreign law to censor us from expressing our opinion about its patent. While the company, Global Equity Management (SA) Pty Ltd (GEMSA), knows its way around U.S. courts—having filed dozens of lawsuits against big tech companies claiming patent infringement—it has failed to respond to ours. Today we asked for a default judgment, which if granted means we win the case.

It all started when GEMSA’s patent litigation was featured in our June 2016 blog series “Stupid Patent of the Month.” The company wrote to EFF accusing us of “false and malicious slander.” It subsequently filed a lawsuit and obtained an injunction from a South Australia court ordering EFF to take down the blog post and blocking us from ever talking about any of its intellectual property. We have not removed the post.

The South Australian injunction can’t be enforced in the U.S. under a 2010 federal law that took aim against “libel tourism,” a practice by which plaintiffs—often billionaires, celebrities, or oligarchs—sued U.S. writers and academics in countries like England where it was easier to win a defamation case. The Securing the Protection of Our Enduring and Established Constitutional Heritage Act (SPEECH Act) says foreign orders aren’t enforceable in the United States unless they are consistent with the free speech protections provided by the U.S. and state constitutions, as well as state law.

Our lawsuit, filed in U.S. District Court, Northern District of California, maintains that GEMSA’s injunction, which seeks to silence expression of an opinion, would never survive scrutiny under the First Amendment in the United States and should therefore be declared unenforceable. We stood ready to defend our right to express constitutionally protected speech. GEMSA, which has three pending patent lawsuits in the Northern District of California, had until May 23 to respond to our case. That day came and went without a word.

We can’t speculate as to why GEMSA hasn’t responded. To get a default judgment, we need to show that not only has GEMSA failed to answer our claims but also, regarding our claim that the South Australia injunction is unenforceable in the U.S., the law is on our side.

We believe that we should prevail. The law does not allow companies or individuals to make an end run around the First Amendment by finding a judge in another country to sign an injunction that censors speech in the U.S. The law the Australian court applied to grant the injunction didn’t provide as much protection for EFF’s speech as American law, which means it’s unenforceable under the SPEECH Act. Additionally, the injunction is unconstitutional under American law as it prohibits all future speech by EFF about any of GEMSA’s patents. Such prohibitions are also known as prior restraints, and are allowed only in the rarest of circumstances, none of which apply here.

Our laws also don’t allow plaintiffs to be left under a cloud of uncertainty as to their ability to speak publicly about something as important as patent litigation and reform. The Australian injunction states that failure to comply could result in the seizure of EFF’s assets and prison time for its officers. GEMSA attorneys have threatened to take the Australian injunction to American search engine companies to deindex the blog post, making the post harder to find online.

The court should set the record straight and grant our request for a default judgment. Our laws call for no less.

Global Condemnation for Turkey's Detention of Innocent Digital Security Trainers (Mon, 24 Jul 2017)
The detention of a group of human rights defenders in Turkey for daring to learn about digital security and encryption continued last week with a brief appearance of the accused in an Istanbul court. Six were returned to jail, and four released on bail. In an additionally absurd twist, the four released activists were named in new detention orders on Friday, and are now being re-arrested.

Among those currently being held in jail are Ali Gharavi and Peter Steudtner, digital security trainers from Sweden and Germany, who had traveled to Turkey to provide online privacy advice for a conference of human rights defenders. The meeting was raided by Turkish police on July 5, and appears to be the sole basis for the prosecution.

The court charged Gharavi and Steudtner with "committing crimes in the name of a terrorist organization without being a member." Their co-defendants include Idil Eser, the Director of Amnesty Turkey, Veli Acu and Günal Kurşun of the Human Rights Agenda Association, and Özlem Dalkıran of the Helsinki Citizens’ Assembly. Four others were released on bail, but new detention orders against them were announced on Friday, with two re-arrested over the weekend.

Gharavi and Steudtner have worked for many years in the global human rights community, providing advice about digital security and online well-being. Ali helped EFF with its Surveillance Self-Defence Guides, and has held key technology roles at the Center for Victims of Torture and Tactical Tech. Steudtner's expertise was in holistic security, which combined technical training with his pacifist, non-violent principles.

When asked about the arrests, Turkey's President Recep Tayyip Erdogan said that the group had "gathered for a meeting which was a continuation of July 15," referencing the date of the attempted coup against him in 2016. The government has used the coup as a justification for the subsequent mass arrests of over 50,000 people including journalists, academics, judges and, most recently, technologists.

Strong digital security helps everyone; learning about encryption is not a sign of criminal activity. The Turkish authorities and media have continued, nonetheless, to tie the use of secure communications tools to the coup. A report in the conservative Islamist paper Yeni Akit declared that the detainees had secret government documents, and used the mobile communications app "ByLock" to stay in contact with groups connected to the coup. ByLock is a known insecure app that is largely unknown outside of Turkey and has been widely criticised by digital security experts. It is profoundly unlikely that Gharavi or Steudtner used it. Use of ByLock was also the sole reason the Turkish police gave for the arrest of Amnesty's Chair, Taner Kiliç, last month.

The condemnation of the Turkish courts' actions has been swift. U.S. State Department spokesperson Heather Nauert said the U.S. "strongly condemns the arrest of six respected human rights activists and calls for their immediate release," and urged Turkey to drop the charges, which it said undermine the country's rule of law. Eliot Engel, the U.S. House of Representatives' ranking member on the Foreign Affairs committee, said that "The arrest of these brave men and women is unacceptable, and the latest example of the erosion of democracy in Turkey... I call on Turkish authorities to release Idil Eser and her fellow activists without delay or condition, and Secretary Tillerson must make this a top priority in his engagement with Turkey’s government."

Sweden's Foreign Minister, Margot Wallstrom, has called for the release of Gharavi, who is a Swedish national. "It is our understanding that Gharavi was in Turkey to participate in a peaceful seminar about freedom of the internet and we have urged Turkey to quickly clarify the grounds for the accusations against him," she said in a statement.

Germany, Steudtner's home country, has taken an even more forceful line. "We are strongly convinced that this arrest is absolutely unjustified," German Chancellor Angela Merkel said, according to the DPA news agency. Germany's Foreign Minister Sigmar Gabriel cut short a vacation to deal with the case, and summoned the Turkish Ambassador in Berlin, who was told "without diplomatic pleasantries" of Germany's expectation that Steudtner and his colleagues should be released immediately. Gabriel later warned that "the case of Peter Steudtner shows that German citizens are no longer safe from arbitrary arrests," and suggested that his continuing detention will lead to a "re-orienting" of Germany's policy toward Turkey.

The baseless prosecution of these human rights defenders, including Peter and Ali, two innocent technologists from allies of Turkey, highlights the decline of Turkey's democratic institutions. We continue to urge the Turkish authorities to listen to a chorus of countries and international organizations, and to free all ten victims of this profound injustice immediately.

RCEP Discussions on Ecommerce: Gathering Steam in Hyderabad (Mon, 24 Jul 2017)
Sixteen countries from Asia-Pacific are meeting in Hyderabad for the 19th round of the Regional Comprehensive Economic Partnership (RCEP), which takes place in India from 18-28 July, 2017. EFF is participating to advocate for improved transparency and openness in the negotiations, and to express our concerns about possible new rules on intellectual property and ecommerce that some countries are proposing for the agreement.

RCEP is a free trade agreement (FTA) aimed at broadening regional economic integration and liberalising trade and investment between the 10 ASEAN economies and their trading partners including Australia, China, India, Japan, Korea, and New Zealand. The total population covered by RCEP exceeds 3 billion, and a combined GDP of about US$ 17 trillion, accounting for about 40% of the world’s trade, makes RCEP the biggest mega-regional trade agreement under negotiation.

The idea of RCEP was first introduced at an ASEAN Summit in 2011 and formal negotiations were launched in 2012. Over the last five years, the scope of the agreement has grown to include commitments for trade in goods and services, boosting economic and technical cooperation, and intellectual property. Worryingly, discussions on ecommerce issues including rules on software, data flows, and regulatory standards that have not been addressed in other trade mechanisms are also being included in the RCEP negotiations.

Reports suggest that Japan, Australia, South Korea, and New Zealand have been pushing for binding commitments from the RCEP members on ecommerce. A separate working group on ecommerce (WGEC) has been established with the aim of formalising a chapter on ecommerce in the final agreement. The agreement and the issues being negotiated are being kept confidential; however, a few chapter drafts have been leaked, including the ‘Terms of Reference (TOR)’ for the WGEC. WGEC members are hopeful of concluding the deal by year end, which would include ‘liberalisation commitments’ and norms for ecommerce including provisions on investment, dispute settlement and competition.

The proposed elements for the TOR (for negotiations) are understood to include domestic regulatory frameworks for market access, customs duties on electronic transmission, non-discriminatory treatment of digital products, paperless trading, electronic signatures, digital certificates and online consumer protection issues such as storage and transfer of personal data protection and spam. Controversial issues such as prohibition on requirements concerning the location of computing facilities and allowing cross-border transfer of information by electronic means are also expected to be included within the scope of the chapter. Further, countries including Australia and Japan have proposed making a permanent commitment to zero duties on digital transmissions, and prohibiting rules requiring compulsory disclosure of source code.

Given the secrecy of the negotiations, the lack of opportunities for public input in the process, and the complexity of issues involved, EFF convened an expert panel on ecommerce issues in the RCEP negotiations in Hyderabad. The public meeting was organised in partnership with the National Institute of Public Finance and Policy (NIPFP) and the National Law University of Law, Hyderabad. Speakers included Professor Ajay Shah (NIPFP), Parminder Jeet Singh (ItforChange) and Professor VC Vivekananda (Bennett University).

Panelists raised several issues including ensuring non-discriminatory treatment of digital products transmitted electronically and the need for guaranteeing that these products will not face government-sanctioned discrimination based on the nationality or territory in which the product is produced. Security risks associated with the prohibition of source code disclosure, and the costs of imposing measures that restrict cross-border data flows and/or require the use or installation of local computing facilities were also raised by panelists.

The event was a success with negotiators from nine countries including Vietnam, Japan, Australia, New Zealand, Laos, Cambodia, South Korea and Thailand showing up for the meeting. Given that access for users at such negotiations is restricted, the large number of negotiators showing interest was very encouraging. Understandably, the negotiators did not ask questions or participate in the discussions; however, their interest in the issues is evident in WGEC members turning up for the panel. This is definitely an improvement on the previous negotiations where there has been limited participation from negotiators at similar events. We also received feedback that the WGEC would like to see specific issues being discussed in-depth including positive commitments that could be included.

EFF is maintaining a cautious and critical stance on the inclusion of e-commerce rules in RCEP, and the inclusion of similar rules in NAFTA, simultaneously being negotiated on the other side of the world. While it is possible to deal with e-commerce in a trade agreement in a balanced way that respects users’ rights, this is made unnecessarily difficult when those rules are being negotiated in secret.

Nonetheless, until a better way of engaging with negotiators exists, EFF will continue to provide our input through unofficial side events and bilateral meetings, because this is the best way that we can stand up for your rights in what remains an unfair and secretive process.

Tell Congress: We Want Trade Transparency Reform Now! (Thu, 20 Jul 2017)
The failed Trans-Pacific Partnership (TPP) was a lesson in what happens when trade agreements are negotiated in secret. Powerful corporations can lobby for dangerous, restrictive measures, and the public can't effectively bring balance to the process. Now, some members of Congress are seeking to make sure that future trade agreements, such as the renegotiated version of NAFTA, are no longer written behind closed doors. We urge you to write your representative and ask them to demand transparency in trade.

Representative Debbie Dingell (D-MI) has today introduced the Promoting Transparency in Trade Act (H.R. 3339) [PDF], with co-sponsorship by Representatives Laura DeLauro (D-CT), Tim Ryan (D-OH), Marcy Kaptur (D-OH), Jamie Raskin (D-MD), Keith Ellison (D-MI), Raúl Grijalva (D-AZ), John Conyers (D-MI), Jan Schakowsky (D-IL), Louise Slaughter (D-NY), Mark DeSaulnier (D-CA), Dan Lipinski (D-IL), Chellie Pingree (D-ME), Brad Sherman (D-CA), Jim McGovern (D-MA), Rick Nolan (D-MN), and Mark Pocan (D-WI). Representative Dingell describes the bill as follows:

The Promoting Transparency in Trade Act would require the U.S. Trade Representative (USTR) to publicly release the proposed text of trade deals prior to each negotiating round and publish the considered text at the conclusion of each round. This will help bring clarity to a process that is currently off limits to the American people. Actively releasing the text of trade proposals will ensure that the American public will be able to see what is being negotiated and who is advocating on behalf of policies that impact their lives and economic well-being.

We wholeheartedly agree. Indeed, these are among the recommendations that EFF has been pushing for for some time, most recently at a January 2017 roundtable on trade transparency that we held with stakeholders from industry, civil society, and government. That event resulted in a set of five recommendations on the reform of trade negotiation processes that were endorsed by the Sunlight Foundation, the Association of Research Libraries, and OpenTheGovernment.org.

A previous version of the Promoting Transparency in Trade Act was introduced into the previous session of Congress, but died in committee. Compared with that version, this latest bill is an improvement because it requires the publication of consolidated draft texts of trade agreements after each round of negotiations, which the previous bill did not.

Another of our recommendations that is reflected in the bill is to require the appointment of an independent Transparency Officer to the USTR. Currently, the Transparency Officer is the USTR's own General Counsel, which creates a conflict of interest between the incumbent's duty to defend the office's current transparency practices, and his or her duties to the public to reform those practices. An independent officer would be far more effective at pushing necessary reforms at the office.

The Promoting Transparency in Trade Act faces challenging odds to make it through Congress. Its next step towards passage into law will be its referral to the House Committee on Ways and Means, and probably its Subcommittee on Trade, which will decide whether the bill will be sent to the House of Representatives for a vote. The Senate will also have to vote on the bill before it becomes law. The more support that we can build for the bill now, the better its chances for surviving this perilous process.

Passage of this bill may be the best opportunity that we'll have to avoid a repetition of the closed, secretive process that led to the TPP. With the renegotiation of NAFTA commencing with the first official round of meetings in Washington, D.C. next month, it's urgent that these transparency reforms be adopted soon. You can help by writing to your representative in Congress and asking them to support the bill in committee.

Librarians Call on W3C to Rethink its Support for DRM (Wed, 19 Jul 2017)
The International Federation of Library Associations and Institutions (IFLA) has called on the World Wide Web Consortium (W3C) to reconsider its decision to incorporate digital locks into official HTML standards. Last week, W3C announced its decision to publish Encrypted Media Extensions (EME)—a standard for applying locks to web video—in its HTML specifications.

IFLA urges W3C to consider the impact that EME will have on the work of libraries and archives:

While recognising both the potential for technological protection measures to hinder infringing uses, as well as the additional simplicity offered by this solution, IFLA is concerned that it will become easier to apply such measures to digital content without also making it easier for libraries and their users to remove measures that prevent legitimate uses of works. […] Technological protection measures […] do not always stop at preventing illicit activities, and can often serve to stop libraries and their users from making fair uses of works. This can affect activities such as preservation, or inter-library document supply. To make it easier to apply TPMs, regardless of the nature of activities they are preventing, is to risk unbalancing copyright itself.

IFLA’s concerns are an excellent example of the dangers of digital locks (sometimes referred to as digital rights management or simply DRM): under the U.S. Digital Millennium Copyright Act (DMCA) and similar copyright laws in many other countries, it’s illegal to circumvent those locks or to provide others with the means of doing so. That provision puts librarians in legal danger when they come across DRM in the course of their work—not to mention educators, historians, security researchers, journalists, and any number of other people who work with copyrighted material in completely lawful ways.

Of course, as IFLA’s statement notes, W3C doesn’t have the authority to change copyright law, but it should consider the implications of copyright law in its policy decisions: “While clearly it may not be in the purview of the W3C to change the laws and regulations regulating copyright around the world, they must take account of the implications of their decisions on the rights of the users of copyright works.”

EFF is in the process of appealing W3C’s controversial decision, and we’re urging the standards body to adopt a covenant protecting security researchers from anti-circumvention laws.

Do Last Week's European Copyright Votes Show Publishers Have Captured European Politics? (Wed, 19 Jul 2017)
Three European Parliament Committees met during the week of July 10, to give their input on the European Commission's proposal for a new Directive on copyright in the Digital Single Market. We previewed those meetings last week, expressing our hope that they would not adopt the Commission's harmful proposals. The meetings did not go well.

All of the compromise amendments to the Directive proposed by the Committee on Culture and Education (CULT) that we previously catalogued were accepted in a vote of that committee, including the upload filtering mechanism, the link tax, the unwaivable right for artists, and the new tax on search engines that index images. Throwing gasoline on the dumpster fire of the upload filtering proposal, CULT would like to see cloud storage services added to the online platforms that are required to filter user uploads. As for the link tax, they have offered up a non-commercial personal use exemption as a sop to the measure's critics, though it is hard to imagine how this would soften the measure in practice, since almost all news aggregation services are commercially supported.

The meeting of the Industry, Research and Energy (ITRE) Committee held in the same week didn't go much better than that of the CULT Committee. The good news, if we can call it that, is that they softened the upload filtering proposal a little. The ITRE language no longer explicitly refers to content recognition technologies as a measure to be agreed between copyright holders and platforms that host "significant amounts" (the Commission proposal had said "large amounts") of copyright protected works uploaded by users. On the other hand, such measures aren't ruled out, either; so the change is a minor one at best.

There is no similar saving grace in the ITRE's treatment of the link tax. Oddly for a committee dedicated to research, it proposed amendments to the link tax that would make life considerably harder for researchers, by extending the tax to become payable not only on snippets from news publications but also those taken from academic journals, and whether those publications are online or offline. The extension of the link tax to journals came by way of a single word amendment to recital 33 [PDF]:

Periodical publications which are published for scientific or academic purposes, such as scientific journals, should n̶o̶t̶ also be covered by the protection granted to press publications under this Directive.

This deceptively small change would open up a whole new class of works for which publishers could demand payment for the use of small snippets, apparently including works that the author had released under an open access license (since it's the publisher, not the author, that is the beneficiary of the new link tax).

The JURI Committee also met during the week, although it did not vote on any amendments. Even so, the statements and discussions of the participants at this meeting are just as important as the votes of the other committees, given JURI's leadership of the dossier. The meeting (a recording of which is available online) was chaired by German MEP Axel Voss, who has recently replaced the previous chair Theresa Comodini as rapporteur. Whereas MEP Comodini's report for the committee had been praised for its balance, Voss has taken a much more hardline approach. Addressing him as Chair, Pirate Party MEP Julia Reda stated during the meeting:

I have never seen a Directive proposal from the Commission that has been met with such unanimous criticism from academia. Europe's leading IP law faculties have stated in an open letter, and I quote, "There is independent scientific consensus that Articles 11 and 13 cannot be allowed to stand," and that the proposal for a neighboring right is "unnecessary, undesirable, and unlikely to achieve anything other than adding to complexity and cost".

The developments in the CULT, ITRE and JURI committees last week were disappointing, but they do not determine the outcome of this battle. More decisive will be the votes of the Civil Liberties, Justice and Home Affairs (LIBE) Committee in September, followed by negotiations around the principal report in the JURI Committee and its final vote on October 10. Either way, by year's end we will know whether European politicians have been utterly captured by their powerful publishing lobby, or whether the European Parliament still effectively represents the voices of ordinary European citizens.

Why the Ninth Circuit Got It Wrong on National Security Letters and How We’ll Keep Fighting (Wed, 19 Jul 2017)
In a disappointing opinion issued on Monday, the Ninth Circuit upheld the national security letter (NSL) statute against a First Amendment challenge brought by EFF on behalf of our clients CREDO Mobile and Cloudflare. We applaud our clients’ courage as part of a years-long court battle, conducted largely under seal and in secret. We strongly disagree with the opinion and are weighing how to proceed in the case. Even though this ruling is disappointing, together EFF and our clients achieved a great deal over the past six years. The lawsuit spurred Congress to amend the law, and our advocacy related to the case caused leading tech companies to also challenge NSLs. Along the way, the government went from fighting to keep every single NSL gag order in place to the point where many have been lifted, some in whole and many in part. That includes this case, of course, where we can now proudly tell the names of our clients to the world.  No matter what happens with these particular lawsuits, we are not done fighting unconstitutional use of NSLs and similar laws.  Making sense of a disappointing ruling National security letters are a kind of subpoena issued by the FBI to communications service providers like our clients to force them to turn over customer records. NSLs nearly always contain gag orders preventing recipients from telling anyone about these surveillance requests, all without any mandatory court oversight. As a result, the Internet and communications companies that we all trust with our most sensitive information cannot be truthful with their customers and the public about the scope of government surveillance.  NSL gags are perfect examples of “prior restraints,” government orders prohibiting speech rather than punishing it after the fact. 
The First Amendment embodies the Founders’ strong distrust of prior restraints as powerful censorship tools, and the Supreme Court has repeatedly said they are presumptively unconstitutional unless they meet the “most exacting” judicial scrutiny. Similarly, because NSLs prevent recipients from talking about the FBI’s request for customer data, they are content-based restrictions on speech, which are subject to strict scrutiny. So NSL gags ought to be put to the strictest of First Amendment tests. Unfortunately, the Ninth Circuit questioned whether NSLs are prior restraints at all. And although the court did acknowledge they are separately content-based restrictions on speech, it said the law is narrowly tailored even though it plainly allows censorship that is broader in scope and longer in duration than the government actually needs.  As a result, the court held the government’s interest in national security overcomes any First Amendment interests at stake. The ruling is seriously flawed. Not-so-narrow tailoring  In order to find that the law satisfied strict scrutiny, the court overlooked both the overinclusiveness and indefinite duration of NSL gag orders. Narrow tailoring requires that a restriction on speech be fitted carefully to just what the government needs to protect its investigation and that no less speech-restrictive alternatives are available.  But NSLs are often wildly overinclusive. For example, they prevent even a company with millions of users like Cloudflare from simply saying it has received an NSL, on the theory that individual users engaged in terrorism or espionage might somehow infer from that fact alone that the government is on their trail. The court admitted that a blanket gag in this scenario might well be overinclusive, but it simply deferred to the FBI’s decisionmaking. 
But of course, under the First Amendment, decisions about censorship aren’t supposed to be left to officials whose "business is to censor.” And here, we know that NSLs routinely issue to big tech companies with large numbers of users like both Cloudflare and CREDO, and only in rare circumstances does the FBI allow these companies to report on specific NSLs they’ve received. Similarly, the FBI often leaves NSL gags in place indefinitely, sometimes even permanently. Indeed, the FBI has told our client CREDO that one of the NSLs in the case is now permanent, and the Bureau will not further revisit the gag it imposed to determine whether it still serves national security. Here again, the court acknowledged that at the least, narrow tailoring requires a gag “must terminate when it no longer serves” the government’s national security interests. But instead of applying the First Amendment’s narrow tailoring requirement, the court declined to “quibble” with the censoring agency, the FBI, and its loophole-ridden internal procedures for reviewing NSLs. Nevertheless, these procedures “do not resolve the duration issue entirely,” as the Ninth Circuit understatedly put it, since they may still produce permanent gags, as with CREDO. As a result, the court suggested that NSL recipients can repeatedly challenge permanent gags until they’re finally lifted.  The problem of prior restraints and judicial review However, that points to the other fundamental problem with NSLs: they are issued without any mandatory court oversight. As discussed above, prior restraints are almost never constitutional. The Supreme Court has said that even in the rare circumstance when prior restraints can be justified, they must be approved by a neutral court, not just an executive official. 
But the NSL statute doesn’t require a court to be involved in all cases; instead, judicial review takes place only if NSL recipients file a lawsuit, like our clients did, or if they ask the government to go to court to review the gag using a procedure known as “reciprocal notice.”  The Ninth Circuit had two responses to this lack of judicial oversight. First, it wrongly suggested the law of prior restraints simply does not apply here. The theory is that unlike cases involving newspapers that are prevented from publishing, NSL recipients haven’t shown a preexisting desire to speak, and when they do, they’re asking to publish information they supposedly learned from the government. But as we pointed out, that’s inconsistent with case law that says, for instance, that witnesses at grand jury proceedings—which are historically both secret and subject to court oversight—cannot be indefinitely gagged from talking about their own testimony. NSL gags go much further. Second, the court suggested that even though the burden is on NSL recipients to challenge gags, this is a “de minimis” burden that doesn’t violate the First Amendment. When Congress passed the USA FREEDOM Act in 2015, it gave recipients the option of invoking reciprocal notice and asking the government to go to court rather than filing their own lawsuit. That’s simply not good enough; the First Amendment requires the government be the one to go to court to prove to a judge it actually requires an NSL accompanied by a gag.  Not to mention that forcing companies that receive NSLs to fight them in court and defend user privacy may actually be a heavy burden.  Big progress nonetheless  Despite these considerable errors in the Ninth Circuit’s opinion, we shouldn’t lose sight of progress made along the way. 
Nearly all of the features of the NSL statute that the court pointed to as saving graces of the law—the FBI’s internal review procedures and the option for reciprocal notice most notably—exist only because Congress stepped in during our lawsuit to amend the law. So what’s left to providers that receive NSLs? Push back on the gags early and often. The “reciprocal notice” process, which the government says only requires a short letter or a phone call, should be done as a matter of course for any company receiving an NSL.  And since the Ninth Circuit said that courts retain the ability to re-evaluate the gags as long as they remain in place, gagged providers should ask a court to step in and make sure the FBI can still prove the need for the gag—potentially over and over—until the gag is finally lifted. EFF wants to help with this, and we’re happy to consult with anyone subject to an NSL gag. We’ve also encouraged technology companies to make the best of the reciprocal notice procedure as part of our annual Who Has Your Back? report. If the government continues to argue that recipients don’t necessarily “want to speak” about NSLs, we can now point to the growing trend of major tech companies—Apple, Adobe, and Dropbox, among others—that have committed to invoking reciprocal notice and challenging every NSL they receive.  Finally, we’ve seen other courts question gag orders in related contexts, and we’ve supported companies like Facebook and Microsoft in these fights. We’re confident that in the long run, these prior restraints will be roundly rejected yet again. Related Cases:  National Security Letters (NSLs) In re: National Security Letter 2011 (11-2173) In re National Security Letter 2013 (13-80089) In re National Security Letter 2013 (13-1165)

Microsoft Bing Reverses Sex-Related Censorship in the Middle East (Tue, 18 Jul 2017)
Imagine trying to do online research on breast cancer, or William S. Burroughs’ famous novel Naked Lunch, only to find that your search results keep coming up blank. This is the confounding situation that faced Microsoft Bing users in the Middle East and North Africa for years, made especially confusing by the fact that if you tried the same searches on Google, it did offer results for these terms. Problems caused by the voluntary blocking of certain terms by intermediaries are well-known; just last week, we wrote about how payment processors like Venmo are blocking payments from users who describe the payments using certain terms—like Isis, a common first name and name of a heavy metal band, in addition to its usage as an acronym for the Islamic State. Such keyword-based filtering algorithms will inevitably result in overblocking and false positives because of their disregard for the context in which the words are used. Search engines also engage in this type of censorship—in 2010, I co-authored a paper [PDF] documenting how Microsoft Bing (brand new at the time) engaged in filtering of sex-related terms in the Middle East and North Africa, China, India, and several other locations by not allowing users to turn off “safe search”. Despite the paper and various advocacy efforts over the years, Microsoft refused to budge on this—until recently. At RightsCon this year, I led a panel discussion about the censorship of sexuality online, covering a variety of topics from Facebook’s prudish ideas about the female body to the UK’s restrictions on “non-conventional” sex acts in pornography to Iceland’s various attempts to ban online pornography. 
During the panel, I also raised the issue of Microsoft’s long-term ban on sexual search terms in the Middle East, noting specifically that the company’s blanket ban on the entire region seemed more a result of bad market research than government interference, based on the fact that a majority of countries in the MENA region do not block pornography, let alone other sexual content. Surprisingly, not long after the conference, I did a routine check of Bing and was pleased to discover that “Middle East” had disappeared from the search engine’s location settings, replaced with “Saudi Arabia.” The search terms are still restricted in Saudi Arabia (likely at the request of the government), but users in other countries across the diverse region are no longer subject to Microsoft’s safe search. Coincidence? It's hard to say; just as we didn't know Microsoft's motivations for blacklisting sexual terms to begin with, it was no more transparent about its change of heart. Standing up against this kind of overbroad private censorship is important—companies shouldn’t be making decisions based on assumptions about a given market, and without transparency and accountability. Decisions to restrict content for a particular reason should be made only when legally required, and with the highest degree of transparency possible. We commend Microsoft for rectifying their error, and would like to see them continue to make their search filtering policies and practices more open and transparent.

Network Engineers Speak Out for Net Neutrality (Tue, 18 Jul 2017)
Today, a group of over 190 Internet engineers, pioneers, and technologists filed comments with the Federal Communications Commission explaining that the FCC’s plan to roll back net neutrality protections is based on a fundamentally flawed and outdated understanding of how the Internet works. Signers include current and former members of the Internet Engineering Task Force and Internet Corporation for Assigned Names and Numbers' committees, professors, CTOs, network security engineers, Internet architects, systems administrators and network engineers, and even one of the inventors of the Internet’s core communications protocol. This isn’t the first time many of these engineers have spoken out on the need for open Internet protections. In 2015, when the EFF and ACLU filed a friend-of-the-court brief defending the net neutrality rules, dozens of engineers signed onto a statement supporting the technical justifications for the Open Internet Order. The engineers’ statement filed today contains facts about the structure, history, and evolving nature of the Internet; corrects technical errors in the proposal; and gives concrete examples of the harm that will be done should the proposal be accepted. The engineers explain that: "Based on certain questions the FCC asks in the Notice of Proposed Rulemaking (NPRM), we are concerned that the FCC (or at least Chairman Pai and the authors of the NPRM) appears to lack a fundamental understanding of what the Internet's technology promises to provide, how the Internet actually works, which entities in the Internet ecosystem provide which services, and what the similarities and differences are between the Internet and other telecommunications systems the FCC regulates as telecommunications services." The engineers point to specific errors in the NPRM. 
As one example among many: the NPRM tries to argue that ISPs, not edge providers, are the main drivers for services such as streaming movies, sharing photos, posting on social media, automatic translation, and so on. The NPRM also erroneously assumes that transforming an IP packet from IPv4 to IPv6 somehow changes the form of the payload. The engineers explain how the Internet (and in particular broadband) has changed since 2002, when the FCC first explicitly classified broadband internet access service as an information service, and why that classification is no longer appropriate in light of technical developments. Drawing on this background information, they then respond to specific questions from the NPRM in order to correct the FCC's mistakes. The statement provides nearly a dozen different examples of consumer harm that could have been prevented by the light-touch, bright-line rules—like when AT&T distorted the market for content by using its gatekeeping power to not charge its customers for its DIRECTV video service while charging third-parties more to similarly zero-rate data. It also gives several examples of consumer benefits that happened as a result of the 2015 Open Internet Order, like mobile service providers finally removing the prohibition that was stopping customers from tethering their personal computers to their mobile devices in order to use their mobile broadband connections. The NPRM fundamentally misunderstands the basic technology underlying how the Internet works. If the FCC were to move forward with its NPRM as proposed, the results could be disastrous: the FCC would be making a major regulatory decision based on plainly incorrect assumptions about the underlying technology and Internet ecosystem that will have a disastrous effect on innovation in the Internet ecosystem as a whole.

EFF to FCC: Tossing Net Neutrality Protections Will Set ISPs Free to Throttle, Block, and Censor the Internet for Users (Tue, 18 Jul 2017)
FCC Plan to Scuttle Open Internet Rule 'Disastrous' For the Future of the Internet, Experts Say Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the FCC to keep in place net neutrality rules, which are essential to prevent cable companies like Comcast and Verizon from controlling, censoring, and discriminating against their subscribers’ favorite Internet content. In comments submitted today, EFF came out strongly in opposition to the FCC’s plan to reverse the agency’s 2015 open Internet rules, which were designed to guarantee that service providers treat everyone’s content equally. The reversal would send a clear signal that those providers can engage in data discrimination, such as blocking websites, slowing down Internet speeds for certain content—known as throttling—and charging subscribers fees to access movies, social media, and other entertainment content over “fast lanes.” Comcast, Verizon, and AT&T supply Internet service to millions of Americans, many of whom have no other alternatives for high-speed access. Given the lack of competition, the potential for abuse is very real. EFF’s comments join those of many other user advocates, leading computer engineers, entrepreneurs, faith communities, libraries, educators, tech giants, and start-ups that are fighting for a free and open Internet. Last week those players gave the Internet a taste of what a world without net neutrality would look like by temporarily blocking and throttling their content. Such scenarios aren’t merely possible—they are likely, EFF said in its comments. Internet service providers (ISPs) have already demonstrated that they are willing to discriminate against competitors and block content for their own benefit, while harming the Internet experience of users. “ISPs have incentives to shape Internet traffic and the FCC knows full well of instances where consumers have been harmed. 
AT&T blocked data sent by Apple’s FaceTime software, Comcast has interfered with Internet traffic generated by certain applications, and ISPs have rerouted users’ web searches to websites they didn’t request or expect,” said EFF Senior Staff Attorney Mitch Stoltz. “These are just some examples of ISPs controlling our Internet experience. Users pay them to connect to the Internet, not decide for them what they can see and do there.” Nearly 200 computer scientists, network engineers, and Internet professionals also submitted comments today highlighting deep flaws in the FCC’s technical description of how the Internet works. The FCC is attempting to pass off its incorrect technical analysis to justify its plan to reclassify ISPs so they are not subject to net neutrality rules. The engineers’ submission—signed by such experts as Vint Cerf, co-designer of the Internet’s fundamental protocols; Mitch Kapor, a personal computer industry pioneer and EFF co-founder; and programmer Sarah Allen, who led the team that created Flash video—sets the record straight about how the Internet works and how rolling back net neutrality would have disastrous effects on Internet innovation. “We are concerned that the FCC (or at least Chairman Pai and the authors of the Notice of Proposed Rulemaking) appears to lack a fundamental understanding of what the Internet’s technology promises to provide, how the Internet actually works, which entities in the Internet ecosystem provide which services, and what the similarities and differences are between the Internet and other telecommunications systems the FCC regulates as telecommunications services,” the letter said. 
“It is clear to us that if the FCC were to reclassify broadband access service providers as information services, and thereby put the bright-line, light-touch rules from the Open Internet Order in jeopardy, the result could be a disastrous decrease in the overall value of the Internet.” For EFF’s comments: https://www.eff.org/document/eff-comments-fcc-nn For the engineers’ letter: https://www.eff.org/document/internet-engineers-commentsfcc-nn For more about EFF’s campaign to keep net neutrality: https://www.eff.org/issues/net-neutrality Contact:  Mitch Stoltz Senior Staff Attorney mitch@eff.org Corynne McSherry Legal Director corynne@eff.org

With Release of NAFTA Negotiating Objectives, Our New Infographic Makes Sense of It All (Tue, 18 Jul 2017)
The United States Trade Representative (USTR) has just released its trade negotiating objectives [PDF] for a revision of NAFTA, the North American Free Trade Agreement between the United States, Mexico, and Canada. NAFTA is expected to open up a new front in big content's neverending battle for stricter copyright rules, following the unexpected defeat of the Trans-Pacific Partnership (TPP). Meanwhile, big tech companies are now wielding increasing influence with the USTR, and demanding that it negotiate rules that protect their businesses also, such as prohibitions against restrictions on the cross-border transfer of data. In EFF's comments to the USTR about what its negotiating objectives should be, we urged it not to include new copyright rules in NAFTA, because of how this would prevent the United States from improving its current law or adapting to technological change. We also expressed the need for caution about including some of the new digital trade (or e-commerce) rules that big tech companies have been asking for, for similar reasons, and because the trade negotiation process notoriously lacks the balance that would be required for it to negotiate a sound set of rules. Copyright Rules The negotiating objectives are hopelessly general, but it seems that our requests largely fell on deaf ears. The negotiating objectives on intellectual property relevantly include to: Ensure provisions governing intellectual property rights reflect a standard of protection similar to that found in U.S. law. Provide strong protection and enforcement for new and emerging technologies and new methods of transmitting and distributing products embodying intellectual property, including in a manner that facilitates legitimate digital trade. ... 
Ensure standards of protection and enforcement that keep pace with technological developments, and in particular ensure that rightholders have the legal and technological means to control the use of their works through the Internet and other global communication media, and to prevent the unauthorized use of their works. Provide strong standards [of, sic] enforcement of intellectual property rights, including by requiring accessible, expeditious, and effective civil, administrative, and criminal enforcement mechanisms.  These provisions are consistent with the U.S. demanding similar provisions to those that had been contained in the TPP, including life plus 70 year terms of copyright protection, criminal penalties for "commercial scale" copyright infringement, and legal protections for DRM—all of which would be new to NAFTA. Disappointingly, there is no reference to be found to the inclusion of a "fair use" exception to copyright, as we had requested in our submission. Digital Trade (E-Commerce) Rules As for digital trade, the objectives include to: Ensure non-discriminatory treatment of digital products transmitted electronically and guarantee that these products will not face government-sanctioned discrimination based on the nationality or territory in which the product is produced. Establish rules to ensure that NAFTA countries do not impose measures that restrict crossborder data flows and do not require the use or installation of local computing facilities. Establish rules to prevent governments from mandating the disclosure of computer source code. While some of these rules might not be harmful, if they were drafted in an adequately open and consultative fashion, we have previously expressed concerns that the ban on restrictions on crossborder data flows may not allow countries adequate policy space to protect the privacy of users' data. 
We are also worried about the possibility that a blanket ban on laws requiring the disclosure of source code could limit countries from introducing new measures to protect users from vulnerabilities in digital products such as routers and Internet of Things (IoT) devices. Our New Infographic Makes Sense of It All You might well be wondering how the new version of NAFTA will compare with other digital trade negotiations, such as the TPP (which could still rise again between the other eleven countries besides the United States), and the Regional Comprehensive Economic Partnership (RCEP, whose negotiators are meeting this week in Hyderabad, India). To help explain, we've put together this infographic which illustrates five of the major ongoing trade agreements that are likely to contain provisions on digital issues. It provides a quick overview of their current status, the countries involved, and the issues that they contain. [Infographic: Current Digital Trade Negotiations] One thing that all of these agreements have in common is that there is no easy way for users to access them. Negotiation rounds take place in far-flung cities of the world, with little or sometimes no notice to the general public, and next to no transparency about the texts under discussion, and with little or no official means of access to the negotiators for public interest advocates such as EFF. Nevertheless, EFF is on the ground in Hyderabad this week to stand up for users, and we plan to do the same in the coming NAFTA negotiations too. Despite today's release of the USTR's negotiating objectives for NAFTA, they are nowhere near detailed enough for us to know what rules the USTR will really be asking for from our partners. And that's dangerous, because we don't really know what we're fighting against, and whether our fears are justified or overblown. Worse, we might never know until the agreement is concluded—unless it is leaked in the meantime. 
That's just not acceptable, and it needs to change. Keep reading Deeplinks for updates on the progress of each of these trade agreements, and how they will affect you. And if you'd like to support our difficult work in fighting for users' rights in all of these secretive venues, you can help by donating to EFF.

CBP Responds to Sen. Wyden: Border Agents May Not Search Travelers’ Cloud Content (Mon, 17 Jul 2017)
Border agents may not use travelers’ laptops, phones, and other digital devices to access and search cloud content, according to a new document by U.S. Customs and Border Protection (CBP). CBP wrote this document on June 20, 2017, in response to questions from Sen. Wyden (D-OR). NBC published it on July 12. It states: In conducting a border search, CBP does not access information found only on remote servers through an electronic device presented for examination, regardless of whether those servers are located abroad or domestically. Instead, border searches of electronic devices apply to information that is physically resident on the device during a CBP inspection. This is a most welcome change from prior CBP policy and practice. CBP’s 2009 policy on border searches of digital devices does not prohibit border agents from using those devices to search travelers’ cloud content. In fact, that policy authorizes agents to search “information encountered at the border,” which logically would include cloud content encountered by searching a device at the border. We do know that border agents have used travelers’ devices to search their cloud content. Many news reports describe border agents scrutinizing social media and communications apps on travelers’ phones, which show agents conducting cloud searches. EFF will monitor whether actual CBP practice lives up to this salutary new policy. To help ensure that border agents follow it, CBP should publish it. So far, the public only has second-hand information about this “nationwide muster” (the term CBP’s June 17 document uses to describe this new CBP written policy on searching cloud data). Also, CBP should stop seeking social media handles from foreign visitors, which blurs CBP’s new instruction to border agents that cloud searches are off limits. Separately, CBP’s responses to Sen. Wyden’s questions explain what will happen to a U.S. 
citizen who refuses to comply with a border agent’s demand to disclose their device password (or unlock their device) in order to allow the agent to search their device: [A]lthough CBP may detain an arriving traveler’s electronic device for further examination, in the limited circumstances when that is appropriate, CBP will not prevent a traveler who is confirmed to be a U.S. citizen from entering the country because of a need to conduct that additional examination. This is what EFF told travelers would happen in our March 2017 border guide, based on law and reported CBP practice. It is helpful that CBP has confirmed this in writing. However, CBP also should publicly state whether U.S. lawful permanent residents (green card holders) will be denied entry for not facilitating a CBP search of their devices. They should not be denied entry. Notably, Sen. Wyden asked CBP to answer this question about all “U.S. persons,” and not just U.S. citizens. CBP’s responses leave other important questions unanswered. For example, CBP should publicly state whether, when border agents ask travelers for their device passwords, the agents must (in the words of Sen. Wyden) “first inform the traveler that he or she has the right to refuse.” CBP did not answer this question. The international border is an inherently coercive environment, where harried travelers must seek permission to come home from uniformed and frequently armed agents in an unfamiliar space. To ensure that agents do not strong-arm travelers into surrendering their digital privacy, agents should be required to inform travelers that they may choose not to unlock their devices. Also, CBP should publicly answer Sen. Wyden’s question about how many times in the last five years CBP has searched a device “at the request of another government agency.” Such searches will usually be improper. 
Historically, courts have granted border agents greater search powers than other law enforcement officials, but only for purposes of enforcing customs and immigration laws. If border agents search travelers at the request of other agencies, they presumably do so for other purposes, and so use of their heightened powers is improper. While CBP’s document provides information about CBP’s assistance requests to other agencies (for example, to seek technical help with decryption), this sheds no light on other agencies’ requests to CBP to use a traveler’s presence at the border as an excuse to conduct a warrantless search, which likely would not be justified at the interior of the country. EFF applauds Sen. Wyden for his leadership in congressional oversight of CBP’s border device searches. We also thank CBP for answering some of Sen. Wyden’s questions. But many questions remain. CBP’s June 2017 responses confirm that much more must be done to protect travelers’ digital privacy at the U.S. border. An excellent first step would be to enact Sen. Wyden’s bipartisan bill to require border agents to get a warrant before searching the digital devices of U.S. persons.

EFF to Minnesota Supreme Court: Sheriff Must Release Emails Documenting Biometric Technology Use (Mon, 17 Jul 2017)
A Minnesota sheriff’s office must release emails showing how it uses biometric technology so that the community can understand how invasive it is, EFF argued in a brief filed in the Minnesota Supreme Court on Friday. The case, Webster v. Hennepin County, concerns a particularly egregious failure to respond to a public records request that an individual filed as part of a 2015 EFF and MuckRock campaign to track biometric technology use by law enforcement across the country. EFF has filed two briefs in support of web engineer and public records researcher Tony Webster’s request, with the latest brief [.pdf] arguing that agencies must provide information contained in emails to help the public understand how a local sheriff uses biometric technology. The ACLU of Minnesota joined EFF on the brief. As we write in the brief: This case is not about whether or how the government may collect biometric data and develop and domestically deploy information-retrieval technology as a potential sword against the general public. That is just one debate we must have, but critical to it and all public debates is that it be informed by public [records] The case began when Webster filed a request based on EFF’s letter template with Hennepin County, a jurisdiction that includes Minneapolis, host city of the 2018 Super Bowl.  He sought emails, contracts, and other records related to the use of technology that can scan and recognize fingerprints, faces, irises, and other forms of biometrics. After the county basically ignored the request, Webster sued. An administrative law judge ruled in 2015 that the county had violated the state’s public records law both because it failed to provide documents to Webster and because it did not have systems in place to quickly search and disclose electronic records. 
An intermediate appellate court ruled in 2016 that the county had to turn over the records Webster sought, but it reversed the lower court’s ruling that the county did not have adequate procedures in place to respond to public records requests. Both Webster and the county appealed the ruling to the Minnesota Supreme Court. In its appeal, the county argues that public records requesters create undue burden on agencies when they specify that they search for particular key words or search terms. EFF’s brief in support of Webster points out the flaws in the county’s search term argument. Having requesters identify specific search terms for documents they seek helps agencies conduct better searches for records while narrowing the scope of the request. This ultimately reduces the burden on agencies and leads to records being released more quickly. EFF would like to thank attorneys Timothy Griffin and Thomas Burman of Stinson Leonard Street LLP for drafting the brief and serving as local counsel.

Australian PM Calls for End-to-End Encryption Ban, Says the Laws of Mathematics Don't Apply Down Under (Fri, 14 Jul 2017)
"The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia", said Australian Prime Minister Malcolm Turnbull today. He has been rightly mocked for this nonsense claim, that foreshadows moves to require online messaging providers to provide law enforcement with back door access to encrypted messages. He explained that "We need to ensure that the internet is not used as a dark place for bad people to hide their criminal activities from the law." It bears repeating that Australia is part of the secretive spying and information sharing Five Eyes alliance. But despite the well-deserved mockery that ensued, we shouldn't make too much light of the real risk that this poses to Internet freedom in Australia. It's true enough, for now, that a ban on end-to-end encrypted messaging in Australia would have absolutely no effect on "bad people", who would simply avoid using major platforms with weaker forms of encryption, in favor of other apps that use strong end-to-end encryption based on industry standard mathematical algorithms. It would hurt ordinary citizens who rely on encryption to make sure that their conversations are secure and private from prying eyes. However, as similar demands are made elsewhere around the world, more and more app developers might fall under national laws that require them to compromise their encryption standards. Users of those apps, who may have a network of contacts who use the same app, might hesitate to shift to another app that those contacts don't use, even if it would be more secure. They might also worry that using end-to-end encryption would be breaking the law (a concern that "bad people" tend to be far less troubled by). This will put those users at risk. If enough countries go down the same misguided path, that sees Australia following in the steps of Russia and the United Kingdom, the future could be a new international agreement banning strong encryption. 
Indeed, the Prime Minister's statement is explicit that this is exactly what he would like to see. It may seem like an unlikely prospect for now, with strong statements at the United Nations level in support of end-to-end encryption, but we truly can't know what the future will bring. What seems like a global accord today might very well start to crumble as more and more countries defect from it. We can't rely on politicians to protect our privacy, but thankfully we can rely on math ("maths", as Australians say). That's what makes access to strong encryption so important, and Australia's move today so worrying. Law enforcement should have the tools they need to investigate crimes, but that cannot extend to a ban on the use of mathematical algorithms in software. Mr Turnbull has to understand that we either have an internet that "bad people" can use, or we don't have an Internet. It's actually as simple as that.

California's Top Newspapers Endorse Broadband Privacy Bill (Fri, 14 Jul 2017)
Broadband privacy? Say what? That was probably what you were asking yourself in March when you read about Congress’s vote to repeal privacy rules for your Internet provider. If you were paying attention—and you should in an era where free press, voter privacy, and other constitutional rights are being challenged—you quickly realized what Congress did. It sold out your right to keep your browsing history and personal information private so the cable companies can sell it and make even more money off of you than they already do. Nice, right? Luckily, many states, including California, have stepped up to the plate for you. They have introduced bills that give back to you the right to control how your private information is used by the companies that control the Internet pipeline into your home. In California, lawmakers in Sacramento are considering a bill that would reinstate those privacy rules, requiring Internet providers to get your permission before they can profit off of your personal information. Silicon Valley should rally behind Chau’s AB 375 and ensure online privacy protections for all Californians —San Jose Mercury News California has always led the country on many fronts: the environment, civil liberties, to name a few. It’s time for us to lead now. California’s top media organizations have gotten behind this legislation, A.B. 375, introduced by Assemblymember Ed Chau, a Democrat from Monterey Park. If you care about your online privacy, you should, too. Here’s what the editorial boards of the state’s leading newspapers have to say: Sacramento Bee Editorial Board AT&T, Comcast and other Internet service providers can continue to track every search you make and website you visit and sell that information to the highest bidder, under legislation recently signed by President Donald Trump. That legislation, which reversed an Obama regulation, ought to alarm any American who ventures online, no matter their political persuasion. 
Now comes Assemblyman Ed Chau, a Democrat from Monterey Park, carrying a bill that for Californians would reverse the legislation and provide some privacy at a time when seemingly nothing is private. San Diego Union-Tribune Editorial Board Assembly Bill 375 would require Internet service providers to have customers “opt in” before they are allowed to sell information on their online searches and visits. Here’s hoping state lawmakers realize the value of having such a law and reject the telecom companies’ claim that it is “unfair” to not let them capitalize on the sort of information that Facebook and Google accumulate about their users. The difference, of course, is that people pay heavily for Internet service because in the modern era, it is akin to a must-have utility. Facebook and Google are free. It is absurd that consumers paying companies for a service should be expected to accept that the price paid includes a gross loss of privacy. San Francisco Chronicle  AB375, by Assemblyman Ed Chau, D-Monterey Park (Los Angeles County), would address actions taken in March by President Trump and the Republican-dominated Congress that killed an FCC privacy rule allowing customers to prevent giant phone and cable companies from gathering and using personal data such as their financial and health choices. Chau’s bill, which is still in committee, would restore those protections for Californians. It should pass. Press Democrat California is uniquely able to take a strong stand in favor of consumer privacy. If the digital age has a technological and corporate center, it is here. We’re also large enough to make a difference nationally. San Jose Mercury News California has an obligation to take a lead in establishing the basic privacy rights of consumers using the Internet. Beyond being the right thing to do for the whole country, building trust in tech products is an essential long-term business strategy for the industry that was born in this region. 
California Assemblyman Ed Chau, D-Monterey Park, understands this.  After Congressional Republicans erased Americans’ Internet broadband privacy protections in March, Chau crafted A.B. 375 to at least provide these rights to Californians.

Payment Processors Are Profiling Heavy Metal Fans as Terrorists (Fri, 14 Jul 2017)
If you happen to be a fan of the heavy metal band Isis (an unfortunate name, to be sure), you may have trouble ordering its merchandise online. Last year, Paypal suspended a fan who ordered an Isis t-shirt, presumably on the false assumption that there was some association between the heavy metal band and the terrorist group ISIS. Then last month Internet scholar and activist Sascha Meinrath discovered that entering words such as "ISIS" (or "Isis"), or "Iran", or (probably) other words from this U.S. government blacklist in the description field for a Venmo payment will result in an automatic block on that payment, requiring you to complete a pile of paperwork if you want to see your money again. This is even if the full description field is something like "Isis heavy metal album" or "Iran kofta kebabs, yum." These examples may seem trivial, but they reveal a more serious problem with the trust and responsibility that the Internet places in private payment intermediaries. Since even many non-commercial websites such as EFF's depend on such intermediaries to process payments, subscription fees, or donations, it's no exaggeration to say that payment processors form an important part of the financial infrastructure of today's Internet. As such, they ought to carry corresponding responsibilities to act fairly and openly towards their customers. Unfortunately, given their reliance on bots, algorithms, handshake deals, and undocumented policies and blacklists to control what we do online, payment intermediaries aren't carrying out this responsibility very well. Given that these private actors are taking on responsibilities to help address important global problems such as terrorism and child online protection, the lack of transparency and accountability with which they execute these weighty responsibilities is a matter of concern. 
The readiness of payment intermediaries to do deals on those important issues leads as a matter of course to their enlistment by governments and special interest groups to do similar deals on narrower issues, such as the protection of the financial interests of big pharma, big tobacco, and big content. It is in this way that payment intermediaries have insidiously become a weak link for censorship of free speech. Cigarettes, Sex, Drugs, and Copyright For example, if you're a smoker, and you try to buy tobacco products from a U.S. online seller using a credit card, you'll probably find that you can't. It's not illegal to do so, but thanks to a "voluntary" agreement with law enforcement authorities dating back to 2005, payment processors have effectively banned the practice—without any law or court judgment. Another example that we've previously written about is the payment processors' arbitrary rules blocking sites that discuss sexual fetishes, even though that speech is constitutionally protected. The congruence between the payment intermediaries' terms of service on the issue suggests a degree of coordination between them, but their lack of transparency makes it impossible to be sure who was behind the ban and what channels they used to achieve it. A third example is the ban on pharmaceutical sales. You can still buy pharmaceuticals online using a credit card, but these tend to be from unregulated, rogue pharmacies that lie to the credit card processors about the purpose for which their merchant account will be used. For the safer, regulated pharmacies that require a prescription for the drugs they sell online, such as members of the Canadian International Pharmacy Association (CIPA), the credit card processors enforce a blanket ban. Finally there are "voluntary" best practices on copyright and trademark infringement. 
These include the RogueBlock program of the International Anti-Counterfeiting Coalition (IACC) in 2012, about which information is available online, along with a 2011 set of "Best Practices to Address Copyright Infringement and the Sales of Counterfeit Products on the Internet," about which no online information is found. The only way that you can find out about the standards that payment intermediaries use to block websites accused of copyright or trademark infringement is by reading what academics have written about it. Lack of Transparency Invites Abuse The payment processors might respond that their terms of service are available online, which is true. However, these are ambiguous at best. On Venmo, transactions for items that promote hate, violence, or racial intolerance are banned, but there is nothing in its terms of service to indicate that including the name of a heavy metal band in your transaction will place it in limbo. Similarly, if you delve deep enough into Paypal's terms of service you will find out that selling tickets to professional UK football matches is banned, but you won't find out how this restriction came about, or who had a say in it. Payment processors can do better. In 2012, in the wake of the payment industry's embargo of Wikileaks and its refusal to process payments to European vendors of horror films and sex toys, the European Parliament Committee on Economic and Monetary Affairs made the following resolution:  [The Committee c]onsiders it likely that there will be a growing number of European companies whose activities are effectively dependent on being able to accept payments by card; [and] considers it to be in the public interest to define objective rules describing the circumstances and procedures under which card payment schemes may unilaterally refuse acceptance. We agree. Bitcoin and other cryptocurrencies notwithstanding, online payment processing remains largely oligopolistic. 
Agreements between the few payment processors that make up the industry and powerful commercial lobbies and governments, concluded in the shadows, can have deep impacts on entire online communities. When payment processors are drawing their terms of service or developing algorithms that are based on industry-wide agreements, standards, or codes of conduct—especially if these involve governments or other third parties—they ought to be developed through a process that is inclusive, balanced and accountable. The fact that you can't use Venmo to purchase an Isis t-shirt is just one amusing example. But the Shadow Regulation of the payment services industry is much more serious than that, also affecting culture, healthcare, and even your sex life online. Just as we've called other Internet intermediaries to account for the ways in which their "voluntary" efforts threaten free speech, the online payment services industry needs to be held to the same standard. 

Net Neutrality Won't Save Us if DRM is Baked Into the Web (Thu, 13 Jul 2017)
Yesterday's record-smashing Net Neutrality day of action showed that the Internet's users care about an open playing field and don't want a handful of companies to decide what we can and can't do online. Today, we should also think about other ways in which small numbers of companies, including net neutrality's biggest foes, are trying to gain the same kinds of control, with the same grave consequences for the open web. Exhibit A is baking digital rights management (DRM) into the web's standards. ISPs that oppose effective net neutrality protections say that they've got the right to earn as much money as they can from their networks, and if people don't like it, they can just get their internet somewhere else. But of course, the lack of competition in network service means that most people can't do this. Big entertainment companies -- some of whom are owned by big ISPs! -- say that because they can make more money if they can control your computer and get it to disobey you, they should be able to team up with browser vendors and standards bodies to make that a reality. If you don't like it, you can watch someone else's movies. Like ISPs, entertainment companies think they can get away with this because they too have a kind of monopoly --copyright, which gives rightsholders the power to control many uses of their creative works. But just like the current FCC Title II rules that stop ISPs from flexing their muscle to the detriment of web users, copyright law places limits on the powers of copyright holders. Copyright can stop you from starting a business to sell unlicensed copies of the studios' movies, but it couldn't stop Netflix from starting a business that mailed DVDs around for money; it couldn't stop Apple from selling you a computer that would "Rip, Mix, Burn" your copyrighted music, and it couldn't stop cable companies from starting businesses that retransmitted broadcasters' signals. 
That competitive balance makes an important distinction between "breaking the law" (not allowed) and "rocking the boat" (totally allowed). Companies that want to rock the boat are allowed to enter the market with new, competitive offerings that go places the existing industry fears to tread, and so they discover new, unmapped and fertile territory for services and products that we come to love and depend on. But overbroad and badly written laws like Section 1201 of the 1998 Digital Millennium Copyright Act (DMCA) upset this balance. DMCA 1201 bans tampering with DRM, even if you're only doing so to exercise the rights that Congress gave you as a user of copyrighted works. This means that media companies that bake DRM into the standards of the web get to decide what kinds of new products and services are allowed to enter the market, effectively banning others from adding new features to our media, even when those features have been declared legal by Congress. ISPs are only profitable because there was an open Internet where new services could pop up, transforming the Internet from a technological curiosity into a necessity of life that hundreds of millions of Americans pay for. Now that the ISPs get steady revenue from our use of the net, they want network discrimination, which, like the discrimination used by DRM advocates, is an attempt to change "don't break the law" into "don't rock the boat" -- to force would-be competitors to play by the rules set by the cozy old guard. For decades, activists struggled to get people to care about net neutrality, and their opponents from big telecom companies said, "people don't care, all they want is to get online, and that's what we give them." The once-quiet voices of net neutrality wonks have swelled into a chorus of people who realize that an open web was important to their future. As we saw yesterday, the public broadly demands protection for the open Internet. 
Today, advocates for DRM say that "People don't care, all they want is to watch movies, and that's what we deliver." But there is an increasing realization that letting major movie studios tilt the playing field toward them and their preferred partners also endangers the web's future. Don't take our word for it: last April, Professor Tim Wu, who coined the term "net neutrality" and is one of the world's foremost advocates for a neutral web, published an open letter to Tim Berners-Lee, inventor of the web and Director of the World Wide Web Consortium (W3C), where there is an ongoing effort to standardize DRM for the web. In that letter, Wu wrote: I think more thinking need be done about EME’s potential consequences for competition, both as between browsers, the major applications, and in ways unexpected. Control of chokepoints has always and will always be a fundamental challenge facing the Internet as we both know. That’s the principal concern of net neutrality, and has been a concern when it comes to browsers and their associated standards. It is not hard to recall how close Microsoft came, in the late 1990s and early 2000s, to gaining de facto control over the future of the web (and, frankly, the future) in its effort to gain an unsupervised monopoly over the browser market. EME, of course, brings the anti-circumvention laws into play, and as you may know anti-circumvention laws have a history of being used for purposes different than the original intent (i.e., protecting content). For example, soon after it was released, the U.S. anti-circumvention law was quickly used by manufacturers of inkjet printers and garage-door openers to try and block out aftermarket competitors (generic ink, and generic remote controls). The question is whether the W3C standard with an embedded DRM standard, EME, becomes a tool for suppressing competition in ways not expected. 
This week, Berners-Lee made important and stirring contributions to the net neutrality debate, appearing in this outstanding Web Foundation video and explaining how anti-competitive actions by ISPs endanger the things that made the web so precious and transformative. Last week, Berners-Lee disappointed activists who'd asked for a modest compromise on DRM at the W3C, one that would protect competition and use standards to promote the same level playing field we seek in our Net Neutrality campaigns. Yesterday, EFF announced that it would formally appeal Berners-Lee's decision to standardize DRM for the web without any protection for its neutrality. In the decades of the W3C's existence, there has never been a successful appeal to one of Berners-Lee's decisions. The odds are long here -- the same massive corporations that oppose effective net neutrality protections also oppose protections against monopolization of the web through DRM, and they can outspend us by orders of magnitude. But we're doing it, and we're fighting to win. That's because, like Tim Berners-Lee, we love the web and believe it can only continue as a force for good if giant corporations don't get to decide what we can and can't do with it.

Industry Efforts to Censor Pro-Terrorism Online Content Pose Risks to Free Speech (Thu, 13 Jul 2017)
In recent months, social media platforms—under pressure from a number of governments—have adopted new policies and practices to remove content that promotes terrorism. As the Guardian reported, these policies are typically carried out by low-paid contractors (or, in the case of YouTube, volunteers) and with little to no transparency and accountability. While the motivations of these companies might be sincere, such private censorship poses a risk to the free expression of Internet users. As groups like the Islamic State have gained traction online, Internet intermediaries have come under pressure from governments and other actors, including the following: the Obama Administration; the U.S. Congress in the form of legislative proposals that would require Internet companies to report “terrorist activity” to the U.S. government; the European Union in the form of a “code of conduct” requiring Internet companies to take down terrorist propaganda within 24 hours of being notified, and via the EU Internet Forum; individual European countries such as the U.K., France and Germany that have proposed exorbitant fines for Internet companies that fail to take down pro-terrorism content; and, victims of terrorism who seek to hold social media companies civilly liable in U.S. courts for providing “material support” to terrorists by simply providing online platforms for global communication. One of the coordinated industry efforts against pro-terrorism online content is the development of a shared database of “hashes of the most extreme and egregious terrorist images and videos” that the companies have removed from their services. 
The companies that started this effort—Facebook, Microsoft, Twitter, and Google/YouTube—explained that the idea is that by sharing “digital fingerprints” of terrorist images and videos, other companies can quickly “use those hashes to identify such content on their services, review against their respective policies and definitions, and remove matching content as appropriate.” As a second effort, the same companies created the Global Internet Forum to Counter Terrorism, which will help the companies “continue to make our hosted consumer services hostile to terrorists and violent extremists.” Specifically, the Forum “will formalize and structure existing and future areas of collaboration between our companies and foster cooperation with smaller tech companies, civil society groups and academics, governments and supra-national bodies such as the EU and the UN.” The Forum will focus on technological solutions; research; and knowledge-sharing, which will include engaging with smaller technology companies, developing best practices to deal with pro-terrorism content, and promoting counter-speech against terrorism. Internet companies are also taking individual measures to combat pro-terrorism content. Google announced several new efforts, while both Google and Facebook have committed to using artificial intelligence technology to find pro-terrorism content for removal. Private censorship must be cautiously deployed While Internet companies have a First Amendment right to moderate their platforms as they see fit, private censorship—or what we sometimes call shadow regulation—can be just as detrimental to users’ freedom of expression as governmental regulation of speech. As social media companies increase their moderation of online content, they must do so as cautiously as possible. Through our project Onlinecensorship.org, we monitor private censorship and advocate for companies to be more transparent and accountable to their users. 
We solicit reports from users of when Internet companies have removed specific posts or other content, or whole accounts. We consistently urge companies to follow basic guidelines to mitigate the impact on users’ free speech. Specifically, companies should have narrowly tailored, clear, fair, and transparent content policies (i.e., terms of service or “community guidelines”); they should engage in consistent and fair enforcement of those policies; and they should have robust appeals processes to minimize the impact on users’ freedom of expression. Over the years, we’ve found that companies’ efforts to moderate online content almost always result in overbroad content takedowns or account deactivations. We, therefore, are justifiably skeptical that the latest efforts by Internet companies to combat pro-terrorism content will meet our basic guidelines. A central problem for these global platforms is that such private censorship can be counterproductive. Users who engage in counter-speech against terrorism often find themselves on the wrong side of the rules if, for example, their post includes an image of one of more than 600 “terrorist leaders” designated by Facebook. In one instance, a journalist from the United Arab Emirates was temporarily banned from the platform for posting a photograph of Hezbollah leader Hassan Nasrallah with an LGBTQ pride flag overlaid on it—a clear case of parody counter-speech that Facebook’s content moderators failed to grasp. A more fundamental problem is that having narrow definitions is difficult. What counts as speech that “promotes” terrorism? What even counts as “terrorism”? These U.S.-based companies may look to the State Department’s list of designated terrorist organizations as a starting point. But Internet companies will sometimes go further. 
Facebook, for example, deactivated the personal accounts of Palestinian journalists; it did the same thing for Chechen independence activists under the guise that they were involved in “terrorist activity.” These examples demonstrate the challenges social media companies face in fairly applying their own policies. A recent investigative report by ProPublica revealed how Facebook’s content rules can lead to seemingly inconsistent takedowns. The authors wrote: “[T]he documents suggest that, at least in some instances, the company’s hate-speech rules tend to favor elites and governments over grassroots activists and racial minorities. In so doing, they serve the business interests of the global company, which relies on national governments not to block its service to their citizens.” The report emphasized the need for companies to be more transparent about their content rules, and to have rules that are fair for all users around the world.  Artificial intelligence poses special concerns  We are concerned about the use of artificial intelligence automation to combat pro-terrorism content because of the imprecision inherent in systems that automatically block or remove content based on an algorithm. Facebook has perhaps been the most aggressive in deploying AI in the form of machine learning technology in this context. The company’s latest AI efforts include using image matching to detect previously tagged content, using natural language processing techniques to detect posts advocating for terrorism, removing terrorist clusters, removing new fake accounts created by repeat offenders, and enforcing its rules across other Facebook properties such as WhatsApp and Instagram. This imprecision exists because it is difficult for humans and machines alike to understand the context of a post. While it’s true that computers are better at some tasks than people, understanding context in written and image-based communication is not one of those tasks. 
While AI algorithms can understand very simple reading comprehension problems, they still struggle with even basic tasks such as capturing meaning in children’s books. And while it’s possible that future improvements to machine learning algorithms will give AI these capabilities, we’re not there yet. Google’s Content ID, for example, which was designed to address copyright infringement, has also blocked fair uses, news reporting, and even posts by copyright owners themselves. If automatic takedowns based on copyright are difficult to get right, how can we expect new algorithms to know the difference between a terrorist video clip that’s part of a satire and one that’s genuinely advocating violence? Until companies can publicly demonstrate that their machine learning algorithms can accurately and reliably determine whether a post is satire, commentary, news reporting, or counter-speech, they should refrain from censoring their users by way of this AI technology. Even if a company were to have an algorithm for detecting pro-terrorism content that was accurate, reliable, and had a minimal percentage of false positives, AI automation would still be problematic because machine learning systems are not robust to distributional change. Once machine learning algorithms are trained, they are as brittle as any other algorithm, and building and training machine learning algorithms for a complex task is an expensive, time-intensive process. Yet the world that algorithms are working in is constantly evolving and soon won’t look like the world in which the algorithms were trained. This might happen in the context of pro-terrorism content on social media: once terrorists realize that algorithms are identifying their content, they will start to game the system by hiding their content or altering it so that the AI no longer recognizes it (by leaving out key words, say, or changing their sentence structure, or a myriad of other ways—it depends on the specific algorithm). 
This problem could also go the other way: a change in culture or how some group of people express themselves could cause an algorithm to start tagging their posts as pro-terrorism content, even though they’re not (for example, if people co-opted a slogan previously used by terrorists in order to de-legitimize the terrorist group). We strongly caution companies (and governments) against assuming that technology will be the panacea in identifying pro-terrorism content, because this technology simply doesn’t yet exist. Is taking down pro-terrorism content actually a good idea? Apart from the free speech and artificial intelligence concerns, there is an open question of efficacy. The sociological assumption is that removing pro-terrorism content will reduce terrorist recruitment and community sympathy for those who engage in terrorism. In other words, the question is not whether terrorists are using the Internet to recruit new operatives—the question is whether taking down pro-terrorism content and accounts will meaningfully contribute to the fight against global terrorism. Governments have not sufficiently demonstrated this to be the case. And some experts believe this absolutely not to be the case. For example, Michael German, a former FBI agent with counter-terrorism experience and current fellow at the Brennan Center for Justice, said, “Censorship has never been an effective method of achieving security, and shuttering websites and suppressing online content will be as unhelpful as smashing printing presses.” In fact, as we’ve argued before, censoring the content and accounts of determined groups could be counterproductive and actually result in pro-terrorism content being publicized more widely (a phenomenon known as the Streisand Effect). 
Additionally, permitting terrorist accounts to exist and allowing pro-terrorism content to remain online, including that which is publicly available, may actually be beneficial by providing opportunities for ongoing engagement with these groups. For example, a Kenyan government official stated that shutting down an Al Shabaab Twitter account would be a bad idea: “Al Shabaab needs to be engaged positively and [T]witter is the only avenue.” Keeping pro-terrorism content online also contributes to journalism, open source intelligence gathering, academic research, and generally the global community’s understanding of this tragic and complex social phenomenon. On intelligence gathering, the United Nations has said that “increased Internet use for terrorist purposes provides a corresponding increase in the availability of electronic data which may be compiled and analysed for counter-terrorism purposes.” In conclusion While we recognize that Internet companies have a right to police their own platforms, we also recognize that such private censorship is often in response to government pressure, which is often not legitimately wielded. Governments often get private companies to do what they can’t do themselves. In the U.S., for example, pro-terrorism content falls within the protection of the First Amendment. Other countries, many of which do not have similarly robust constitutional protections, might nevertheless find it politically difficult to pass speech-restricting laws. Ultimately, we are concerned about the serious harm that sweeping censorship regimes—even by private actors—can have on users, and society at large. Internet companies must be accountable to their users as they deploy policies that restrict content. First, they should make their content policies narrowly tailored, clear, fair, and transparent to all—as the Guardian’s Facebook Files demonstrate, some companies have a long way to go. 
Second, companies should engage in consistent and fair enforcement of those policies. Third, companies should ensure that all users have access to a robust appeals process—content moderators are bound to make mistakes, and users must be able to seek justice when that happens. Fourth, until artificial intelligence systems can be proven accurate, reliable and adaptable, companies should not deploy this technology to censor their users’ content. Finally, we urge those companies that are subject to increasing governmental demands for backdoor censorship regimes to improve their annual transparency reporting to include statistics on takedown requests related to the enforcement of their content policies.

Historic Day of Action: Net Neutrality Allies Send 1.6 Million Comments to FCC (Thu, 13 Jul 2017)
When you attack the Internet, the Internet fights back. Today, the Internet went all out in support of net neutrality. Hundreds of popular websites featured pop-ups suggesting that those sites had been blocked or throttled by Internet service providers. Some sites got hilariously creative—Twitch replaced all of its emojis with that annoying loading icon. Netflix shared GIFs that would never finish loading. PornHub simply noted that “slow porn sucks.” Together, we painted an alarming picture of what the Internet might look like if the FCC goes forward with its plan to roll back net neutrality protections: ISPs prioritizing their favored content sources and deprioritizing everything else. (Fight for the Future has put together a great collection of examples of how sites participated in the day of action.) Today has been about Internet users across the country who are afraid of large ISPs getting too much say in how we use the Internet. Voices ranged from huge corporations to ordinary Internet users like you and me. Together with Battle for the Net and other friends, we delivered 1.6 million comments to the FCC, breaking the record we set during Internet Slowdown Day in 2014. The message was clear: we all rely on the Internet. Don’t dismantle net neutrality protections. If you haven’t added your voice yet, it’s not too late. Take a few moments to tell the FCC why net neutrality is important to you. If you already have, take a moment to encourage your friends to do the same. TAKE ACTION Stand up for net neutrality Here are just a few examples of what Team Internet has been saying about net neutrality today. “We live in an uncompetitive broadband market. That market is dominated by a handful of giant corporations that are being given the keys to shape telecom policy. The big internet companies that might challenge them are doing it half-heartedly. 
And [FCC Chairman] Ajit Pai seems determined to offer up a massive corporate handout without listening to everyday Americans. “Is this what you want? Does this sound like a path toward better, faster, cheaper internet access? Toward better products and services in a more competitive market? To me, it sounds like Americans need to demand that our government actually hear our concerns, look at our skyrocketing bills, and make real policy that respects us, instead of watching the staff of an unelected official laugh as he ignores us. It sounds like we need to flood the offices of the FCC and Congress with calls and paperwork, demanding to know how giving handouts to huge corporations will help us.” Nilay Patel, The Verge “Title II net neutrality protections are the civil rights and free speech rules for the internet. When traditional media outlets refuse to pay attention, Black, indigenous, queer and trans internet users can harness the power of the Internet to fight for lives free of police brutality and discrimination. This is why we’ll never stop fighting for enforcement of the net neutrality rules we fought for and saw passed by the FCC two years ago. There’s too much at stake to urge anything less.” Malkia Cyril, Co-Founder and Executive Director, Center for Media Justice “We’re still picking ourselves off the floor from all the laughing we did when AT&T issued a press release this afternoon announcing that it was joining the ‘Day of Action for preserving and advancing the open internet.’ “If only it were true. In reality, AT&T is just a company that is deliberately misleading the public. Their lobbyists are lying. They want to kill Title II — which gives the FCC the authority to actually enforce net neutrality — and are trying to sell a congressional ‘compromise’ that would be as bad or worse than what the FCC is proposing. 
No thanks.” Craig Aaron and Candace Clement, Free Press InternetIRL, presented by Color of Change “Everyone except these ISPs benefits from an open Internet… that’s it. It’s like a handful of companies. Not only is this about business—and it is about business and innovation—it’s also about freedom of speech.” Sen. Al Franken “No matter what, do not get discouraged or retreat into a state of silence and inaction. There are many like me who are listening and the role each of us plays is vital. We are not alone in believing that the FCC should be a governmental agency ‘of the people, by the people, and for the people.’” Mignon Clyburn, FCC Commissioner To everyone who has participated in today’s day of action, thank you. TAKE ACTION Stand up for net neutrality

Dear Security Conference Speakers – EFF’s Coders Rights Project Has Your Back (Wed, 12 Jul 2017)
Every year, EFF has lawyers with its Coders’ Rights Project on hand in Las Vegas at Black Hat, B-Sides and DEF CON for security researchers with legal questions about their research or presentations. EFF’s Coders’ Rights Project protects programmers, researchers, hackers, and developers engaged in cutting-edge exploration of technology. Security and encryption researchers help build a safer future for all of us using digital technologies, but too many legitimate researchers face serious legal challenges that prevent or inhibit their work. The 2017 summer security conference legal team will include: Staff Attorney Kit Walsh, who works on exemptions protecting security research and vehicle repair, along with a host of other beneficial activities threatened by Section 1201, the anti-circumvention provision of the Digital Millennium Copyright Act (DMCA). Criminal Defense Staff Attorney Stephanie Lacambra, a former Federal and San Francisco Public Defender who has turned her expertise toward defending your civil liberties online. Senior Staff Attorney Nate Cardozo, a Computer Fraud and Abuse Act expert who works on issues including the Wassenaar Arrangement, cryptography, hardware hacking, and electronic privacy law. Deputy Executive Director and General Counsel Kurt Opsahl, who leads the Coders’ Rights Project and has been helping security researchers present at the summer security conferences since DEF CON was at the Alexis Park. If you are wondering about whether your research came into a legal gray area, or concerned that the vendor will threaten legal action, please reach out to info@eff.org. All EFF legal consultations are pro bono (free), part of our commitment to help the security researcher community. You can also stop by the EFF booths at each conference to make an appointment with one of our attorneys, though we highly recommend contacting us as far in advance of your talk as possible.  
And as always, even if you don’t have a legal question, come say hi at the booth or watch one of our talks at DEF CON.

Opponents Hope to Mislead California’s Legislators Before They Vote on Broadband Privacy Next Week (Wed, 12 Jul 2017)
The large broadband providers and their associations who spent millions in Washington, D.C. to repeal broadband privacy just a few months ago in Congress are fighting to protect their victory in California. They are throwing every superficial argument against A.B. 375 in hopes of confusing California’s legislature enough to give them a pass despite an overwhelming 83% of the American public demanding a response to the Congressional Review Act repeal of their privacy rights. EFF obtained copies of their letters and feels it is vitally important California’s elected officials know that the industry is unloading a plethora of misleading arguments, some of which they themselves are actively contradicting in other forums. Here are some examples of their attempt to have it both ways—where they repealed our privacy rights in D.C. yet express shock and dismay that state legislatures would respond to the public’s demands. We Warned ISPs That Repealing the Federal Protections Would Result in a Patchwork of State by State Laws The irony is that the very companies that spent millions of dollars lobbying in DC to repeal our federal broadband privacy rights are now fighting state attempts to protect consumers because they supposedly prefer a federal rule. It is not lost on EFF that each state having to engage in broadband privacy individually without a federal floor is not ideal; we have said as much during the fight in DC. While California’s A.B. 375 represents model legislation EFF supports, not every state will enact the same law and some states may leave their citizens completely unprotected. That is a far cry from where we were in 2016 before Congress repealed our broadband privacy rights, and it is because of companies like Comcast, AT&T, and Verizon that we have arrived at this point. We fought hard to stop Congress from repealing our broadband privacy rights. 
Tens of thousands of Americans picked up the phone to demand Congress vote no on the broadband privacy repeal but they were ignored. Today 83% of the public, regardless of political affiliation, all believe that ISPs must secure their permission first before being allowed to sell their personal data. In other words, more than 8 out of 10 Americans support what A.B. 375 seeks to codify into law. Despite our repeated warnings to the industry and Congress that eliminating a uniform federal framework that protected personal information will result in states responding to protect their citizens, they pushed ahead and now find themselves on defense across the country. EFF supports states responding to the demands of the public for privacy protections, particularly in light of Congress having failed to do so. It has become even more important as the Federal Communications Commission itself is actively undermining consumer protections on behalf of Comcast, AT&T, and Verizon. It should surprise no one that state legislators who care about consumer privacy will act and ultimately having as many state laws on the books as possible to protect personal information is a superior outcome to having no clear protections at all.   And if A.B. 375 becomes law, we hope it would serve as the model for states across the country to avoid a patchwork problem, but again this problem was created by the ISP lobby repealing the federal rules in the first place. AT&T is a Leader in Contradicting Itself To California’s Legislature, AT&T right now is saying the following: “AT&T and other major Internet service providers have committed to legally enforceable Privacy Principles that are consistent with the privacy framework developed by the FTC over the past twenty years.” In essence, there is no need to pass a state law because the Federal Trade Commission can enforce the law on us. But what exactly is AT&T saying about the FTC’s enforcement power in the courts? 
Source: AT&T’s 2016 Brief in FTC vs AT&T Mobility. That is right. They are arguing that the FTC has no legal enforcement power over them. They are making that argument right now in the Ninth Circuit Court of Appeals, which means if they win there a second time (the case is on en banc appeal) then California will have no Federal Trade Commission enforcer on privacy. On other fronts AT&T and others are arguing that the bill is unnecessary because the FCC’s powers remain perfectly intact after the Congressional Review Act repeal. “The bill is not needed. The FCC retains statutory authority to enforce consumer privacy protections with respect to Internet service providers.” - AT&T "We want to assure you that the action taken by Congress earlier this year has changed nothing for consumers." - CompTIA, TechNet, Bay Area Council We have explained in detail exactly what Congress did when it invoked the Congressional Review Act repeal of our broadband privacy rights. Ironically, last week AT&T agreed with us when their association US Telecom petitioned the FCC to help clear up the mess created by the CRA broadband privacy repeal because it has also muddied the waters for their efforts to combat robocalls. In essence, they do not know their legal rights to share telephone customer information in that instance, just as customers now no longer have clear legal rights to their broadband privacy. It is also worth noting that the FCC is now on course to end the legal obligations of AT&T to preserve an open Internet and protect privacy. “We Don’t Engage in That Kind of Activity” This is the biggest whopper they are spreading here in Sacramento because anyone who takes the time to look up the history of ISP conduct will quickly find out that they have been trying to profit off their customers’ personal information for years. The problem for them has been that the law got in the way (until recently) or elected officials put political pressure on ISPs to change their plans. 
In 2008, Charter play tested the idea of recording everything you do on the Internet and packaging it into profiles by using Deep Packet Inspection technology that was capable of detailed monitoring of your activity. The bipartisan political response from Congress was fierce and Charter quickly backed down from its plans. It is worth noting that cable broadband services were not clearly covered under the Communications Act’s privacy obligations until the 2015 Open Internet Order. We know as of 2015 telecom carriers work with Ad Adage to “ingest” data from cellphones close to 300 times a day every day across 20 to 25 million mobile subscribers (we aren’t told which mobile telephone companies participate in this practice, they keep that a secret). That data is used to inform retailers about customer browsing info, geolocation, and demographic data. We know in 2011 ISPs engaged in search hijacking where your Internet search queries were monitored in order to be rerouted in coordination with a company called Paxfire. We know AT&T was inserting ads into the traffic of people who use their wifi hotspots in airports. Even small rural ISPs have engaged in ad injection to advertise on behalf of third parties. We know AT&T, Sprint, and T-Mobile preinstalled “Carrier IQ” on their phones, which gave them the capability to track everything you do, from what websites you visit to what applications you use. It took a class action lawsuit for the carriers to begin backing down from this idea. And lastly, we know in 2014 Verizon tagged every one of their mobile customers’ HTTP connections with a semi permanent super-cookie, and used those super-cookies to enable third parties such as advertisers to target individual customers. Not only that, but Verizon’s super-cookie also allowed unaffiliated third parties to track you, no matter what steps you took to preserve your privacy. 
And worst of all, AT&T was going to follow suit to get in on the action but quickly retreated after Verizon got into legal trouble with the federal government. Pretending a Straight Forward and Widely Accepted Definition of Broadband is Untested In several opposition letters the opponents assert the definition of “Internet access service” may result in any Internet business suddenly becoming affected by the legislation. This is a false reading of the definition in the bill and likely an attempt to stall the legislation by pretending we have not been living with these definitions for seven years.   A.B. 375’s definition of ISPs mirrors the Federal Communication Commission’s definition of broadband service, which has been on the books since 2010 to institute Network Neutrality. The Public Utilities Code (the underlying statute for the Public Utilities Commission) has connected the definition of broadband to the FCC’s definition for the last 11 years. A.B. 375 defines ISPs as follows: “Internet service provider” means a person or entity engaged in the provision of Internet access service, but only to the extent that the person or entity is providing Internet access service. “Internet access service” means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up Internet access service. “Internet access service” also encompasses any service that the Federal Communications Commission or the Public Utilities Commission finds to be providing a functional equivalent to the service described in this subdivision. Opponents are raising concerns with the term “functional equivalent” despite the 70 words preceding the term to limit and explicitly define what an eligible functional equivalent is. 
Let's break down the definition into its component parts to demonstrate. An ISP covered under A.B. 375 must be the following things:
1) Mass-market retail service
2) Transmit data by wire or radio
3) Capable of receiving and sending data to all or substantially all Internet endpoints
4) Includes capabilities that are incidental to and enable the operation of the communications service
5) Does not include dial up Internet
6) Directly provide the Internet access service
7) Includes services the FCC or CPUC finds to do parts 1-6 above
If this Level of Obfuscation and Attempts to Prevent a Law That Restores Your Broadband Privacy Rights Upsets You? You Need to Pick Up The Phone
Take Action Tell your representatives to support online privacy.

Notice to the W3C of EFF's appeal of the Director's decision on EME (Wed, 12 Jul 2017)
[[Update, July 13: After consultation with W3C CEO Jeff Jaffe on timing, we've temporarily withdrawn this appeal, for one week, for purely logistical purposes. I am teaching a workshop all next week at UC San Diego and will re-file the objection at the end of the week, so that I will be able to devote undivided attention to garnering the necessary support from other W3C members. -Cory]] Dear Tim, Jeff, and W3C colleagues, On behalf of the Electronic Frontier Foundation, I would like to formally submit our request for an appeal of the Director's decision to publish Encrypted Media Extensions as a W3C Recommendation, announced on 6 July 2017. The grounds for this appeal are that the question of a covenant to protect the activities that made DRM standardization a fit area for W3C activities was never put to the W3C membership. In the absence of a call for consensus on a covenant, it was improper for the Director to overrule the widespread members' objections and declare EME fit to be published as a W3C Recommendation. The announcement of the Director's decision enumerated three ways in which DRM standardization through the W3C -- even without a covenant -- was allegedly preferable to allowing DRM to proceed through informal industry agreements: the W3C's DRM standard was said to be superior in its accessibility, its respect of user privacy, and its ability to level the playing field for new entrants to the market. However, in the absence of a covenant, none of these benefits can be realized. That is because laws like the implementations of Article 6 of the EUCD, Section 1201 of the US Digital Millennium Copyright Act, and Canada's Bill C-11 prohibit otherwise lawful activity when it requires bypassing a DRM system. 1. The enhanced privacy protection of a sandbox is only as good as the sandbox, so we need to be able to audit the sandbox. 
The privacy-protecting constraints the sandbox imposes on code only work if the constraints can't be bypassed by malicious or defective software. Because security is a process, not a product and because there is no security through obscurity, the claimed benefits of EME's sandbox require continuous, independent verification in the form of adversarial peer review by outside parties who do not face liability when they reveal defects in members' products. This is the norm with every W3C recommendation: that security researchers are empowered to tell the truth about defects in implementations of our standards. EME is unique among all W3C standards past and present in that DRM laws confer upon W3C members the power to silence security researchers. EME is said to be respecting of user privacy on the basis of the integrity of its sandboxes. A covenant is absolutely essential to ensuring that integrity. 2. The accessibility considerations of EME omit any consideration of the automated generation of accessibility metadata, and without this, EME's accessibility benefits are constrained to the detriment of people with disabilities. It's true that EME goes further than other DRM systems in making space available for the addition of metadata that helps people with disabilities use video. However, as EME is intended to restrict the usage and playback of video at web-scale, we must also ask ourselves how metadata that fills that available space will be generated. For example, EME's metadata channels could be used to embed warnings about upcoming strobe effects in video, which may trigger photosensitive epileptic seizures. Applying such a filter to (say) the entire corpus of videos available to Netflix subscribers who rely on EME to watch their movies would safeguard people with epilepsy from risks ranging from discomfort to severe physical harm. 
There is no practical way in which a group of people concerned for those with photosensitive epilepsy could screen all those Netflix videos and annotate them with strobe warnings, or generate them on the fly as video is streamed. By contrast, such a feat could be accomplished with a trivial amount of code. For this code to act on EME-locked videos, EME's restrictions would have to be bypassed. It is legal to perform this kind of automated accessibility analysis on all the other media and transports that the W3C has ever standardized. Thus the traditional scope of accessibility compliance in a W3C standard -- "is there somewhere to put the accessibility data when you have it?" -- is insufficient here. We must also ask, "Has W3C taken steps to ensure that the generation of accessibility data is not imperiled by its standard?" There are many kinds of accessibility metadata that could be applied to EME-restricted videos: subtitles, descriptive tracks, translations. The demand for, and utility of, such data far outstrips our whole species' ability to generate it by hand. Even if we all labored for all our days to annotate the videos EME restricts, we would but scratch the surface. However, in the presence of a covenant, software can do this repetitive work for us, without much expense or effort. 3. The benefits of interoperability can only be realized if implementers are shielded from liability for legitimate activities. EME only works to render video with the addition of a nonstandard, proprietary component called a Content Decryption Module (CDM). CDM licenses are only available to those who promise not to engage in lawful conduct that incumbents in the market dislike. For a new market entrant to be competitive, it generally has to offer a new kind of product or service, a novel offering that overcomes the natural disadvantages that come from being an unknown upstart. 
For example, Apple was able to enter the music industry by engaging in lawful activity that other members of the industry had foresworn. Likewise Netflix still routinely engages in conduct (mailing out DVDs) that DRM advocates deplore, but are powerless to stop, because it is lawful. The entire cable industry -- including Comcast -- owes its existence to the willingness of new market entrants to break with the existing boundaries of "polite behavior." EME's existence turns on the assertion that premium video playback is essential to the success of any web player. It follows that new players will need premium video playback to succeed -- but new players have never successfully entered a market by advertising a product that is "just like the ones everyone else has, but from someone you've never heard of." The W3C should not make standards that empower participants to break interoperability. By doing so, EME violates the norm set by every other W3C standard, past and present. Through this appeal, we ask that the membership be formally polled on this question: "Should a covenant protecting EME's users and investigators against anti-circumvention regulation be negotiated before EME is made a Recommendation?" Thank you. We look forward to your guidance on how to proceed with this appeal.

We Must Keep the Internet Free and Open. EFF, Tech Giants, Startups and Internet Users Tell FCC: Don’t Sell Out Net Neutrality To Appease ISPs (Wed, 12 Jul 2017)
AirBnB, Amazon, ACLU, Google, Etsy, Y Combinator Among Organizations Standing Up To Government Plan To Let ISPs Block Content, Charge Fees for ‘Fast Lanes’ San Francisco—The Electronic Frontier Foundation (EFF) and a broad coalition of user advocacy groups and major technology companies and organizations joined forces today to protest the FCC’s plan to toss out net neutrality rules that preserve Internet freedom and prevent cable and telecommunications companies from controlling what we can see and do online. Without net neutrality, Internet service providers (ISPs) can block your favorite content, throttle or slow down Internet speeds to disadvantage competitors’ content, or make you pay more than you already do to access movies and other online entertainment. To show just how important net neutrality is to free choice on the Internet, EFF and a host of other organizations are temporarily halting full access to their website homepages today with a prominent message that they’re “blocked.” Only upgrading to “premium” (read: more expensive) service plans will allow users access to blocked sites and services, the message says. (Don’t worry, the sites aren’t really blocked. Clicking on the message will take you to a link for DearFCC, our tool for submitting comments to the FCC and making your voice heard.) “We’re giving subscribers a preview of their Internet experience if the FCC dismantles the current net neutrality rules,” said EFF Legal Director Corynne McSherry. “AT&T, Comcast, and Verizon will be able to block your favorite content or steer you to the content they choose—often without you knowing it. Those without deep pockets—libraries, schools, startups and nonprofits—will be relegated to Internet slow lanes.” The online community—gig economy site AirBnb, maker site Etsy, file storage provider DropBox, and hundreds more—have joined EFF and other user advocates today to deliver a message to the FCC: we want real net neutrality protections. 
“It’s our Internet and we will defend it,” said EFF Senior Staff Attorney Lee Tien. “We won’t allow cable companies and ISPs, which already garner immense profits from customers, to become Internet gatekeepers.” For EFF’s Day Of Action page: https://www.eff.org/deeplinks/2017/07/todays-day-lets-save-net-neutrality For more about net neutrality: https://www.eff.org/issues/net-neutrality Contact: Corynne McSherry, Legal Director, corynne@eff.org; Lee Tien, Senior Staff Attorney and Adams Chair for Internet Rights, lee@eff.org

Today’s the Day: Let's Save Net Neutrality (Wed, 12 Jul 2017)
You might have noticed something unusual when you visited the EFF website today: our site was “blocked” unless you shelled out for “premium” Internet access. As part of the day of action to support net neutrality, we decided to imagine what might happen if FCC Chairman Ajit Pai caves to industry pressure and abandons the net neutrality rules the FCC adopted just two years ago. If you don’t want to live in that future, it’s time to take action. Take Action speak up for net neutrality To make it easy for Team Internet to do just that, we’ve created a special site called DearFCC.org where we’ll help you write your own comment to the agency. We’ll offer some suggestions to get you started, but you can say whatever you like. What’s most important is that the FCC hears from you. The fight over net neutrality isn’t just about consumer protection: it’s about your freedom of speech. Some large ISPs say they support net neutrality, but that they just want the FCC to go enforce it under a different legal provision, or have Congress pass a specific net neutrality law. But this is just a trick—they already know that if the FCC goes back to classifying broadband as an information service, its net neutrality rules will fail (just like they did last time). They also know that Congress isn’t likely to pass a real net neutrality statute anytime soon, if ever, given the millions that telecom giants have invested in making sure they get to write any regulation of their industry. Make no mistake: if we want the FCC to do its part to protect a free and open Internet—where Internet service providers don’t discriminate between different types of content or communications—we can’t let the agency go forward with its plan to abandon Title II (the legal foundation for today’s net neutrality rules). Competition between ISPs won’t guarantee net neutrality, especially when most of the country has only one option for broadband Internet access. 
The fight over net neutrality isn’t just about consumer protection, though: it’s about your freedom of speech. What makes the Internet great is that anyone can use it to get their voice heard. Your message, your idea, or your story can reach millions of people, just as many people as large broadcasting companies can reach. If big ISPs win this fight, the next iteration of the Internet might look something more like cable TV, where providers have a great deal of influence over which messages their members hear—and they can deprioritize or even flat-out block content they don’t like. If you love the Internet the way it is, then speak out now.

The Death Knell is Tolling for Shipping & Transit LLC (Tue, 11 Jul 2017)
Second court recommends awarding legal fees to defendant hit with patent troll’s lawsuit A court in the Southern District of Florida has recommended (PDF) that prolific patent troll Shipping & Transit LLC pay a defendant’s legal costs. This is the second court in less than a week to find Shipping & Transit’s patent litigation suit “exceptional” for purposes of awarding legal fees to a defendant. The latest finding comes out of Shipping & Transit LLC v. Lensdiscounters.com, a case originally filed by Shipping & Transit just over a year ago, but not lasting nearly that long. When at an early hearing it came out there were serious defects in Shipping & Transit’s case, Shipping & Transit immediately sought to end the lawsuit.  Lensdiscounters opposed letting Shipping & Transit run away without consequences. Lensdiscounters told the court its belief that Shipping & Transit had failed to investigate infringement before filing its lawsuit and that Shipping & Transit’s patents were invalid. It argued it should be awarded the cost it incurred in defending against Shipping & Transit’s infringement claim. In a report signed on July 10, a magistrate judge agreed (PDF). The court found Shipping & Transit’s explanation for why it believed it had a case of infringement worth pursuing to be “flawed.” Instead, it appeared to the court that “likely, [] from the inception, [Shipping & Transit] never intended to litigate its patent infringement rights” and “it appears that [Shipping & Transit] brought this case merely to elicit a quick settlement from Defendant on questionable patents.” With respect to Shipping & Transit’s “questionable patents,” the court noted that despite Shipping & Transit filing over 300 cases in Florida alone, the court “could not find one case [] where the substantive issue of patent validity was reached.” Instead, Shipping & Transit “routinely and promptly” dismissed cases “to end any inquiry” any time the validity of its patents was challenged.  
These facts led the judge to recommend that the court order Shipping & Transit to pay Lensdiscounters’ legal fees. Because this report is from a magistrate judge, it still needs to be confirmed by the District Court judge. However, it represents yet another finding by a court that Shipping & Transit’s patent infringement lawsuits are exceptional and should lead to an award of fees to defendants targeted by Shipping & Transit. This latest decision from Florida, along with the similar order (PDF) from California, has Shipping & Transit’s death knell tolling across the country.

Californians: Demand That Your Legislature Restore Your Broadband Privacy Rights (Tue, 11 Jul 2017)
Two state Senate committees will hear and vote on A.B. 375 next week, legislation that will restore your broadband privacy rights. Update: The Senate Business, Professions and Economic Development Committee has since waived jurisdiction over the bill, so it will face only two committees, not three as the post originally stated. Earlier this year, Congress voted to repeal federal privacy rules that kept your ISP from selling information about who you are and what you do online without your permission. That wildly unpopular vote undid years of work at the FCC to prevent companies that you already pay to access the Internet from also monetizing information about what you look at, what you buy, and who you talk to online. Last week, companies like Comcast, AT&T, and Verizon attempted to stall the bill in its first committee in hopes of running out the clock. They failed, but they will now make every effort to vote the bill down in any one of these next two committees. If the telecom lobby wins in any of these committees, the bill will be stalled for the rest of the year. EFF will be testifying at both committees in support of the legislation and will be in Sacramento fighting hard this week to convince state legislators to restore your broadband privacy rights. But we can’t do this alone and we need your help. One of the most effective ways to counter the influence of giant cable and telephone companies is for regular people to advocate directly to their elected officials to take action. We know requiring cable and telephone companies to obtain your consent first before selling your personal information enjoys support across the political spectrum, but we need to make sure our voice is heard in Sacramento this week. If you live in the state of California, pick up the phone and call your state senator today and demand that they vote yes on A.B. 375. Then recruit your other California friends to also make that call.
This is especially important if your hometown senator is listed below, as these senators are first up in deciding whether large cable and telephone companies will retain the ability to monetize your personal information without your consent.

Proposed Hearing and Voting Schedule for Next Week

Utilities and Energy Committee – Estimated Hearing and Voting Date: Tuesday, July 18, 2017
Senator Ben Hueso (Chair)
Senator Mike Morrell (Vice Chair)
Senator Steven Bradford
Senator Anthony Cannella
Senator Robert M. Hertzberg
Senator Jerry Hill
Senator Mike McGuire
Senator Nancy Skinner
Senator Henry I. Stern
Senator Andy Vidak
Senator Scott D. Wiener

Judiciary Committee – Estimated Hearing and Voting Date: Wednesday, July 19, 2017
Senator Hannah-Beth Jackson (Chair)
Senator John M. W. Moorlach (Vice Chair)
Senator Joel Anderson
Senator Robert M. Hertzberg
Senator Bill Monning
Senator Henry I. Stern
Senator Bob Wieckowski

Stalemate Continues in Negotiations Over European Copyright Filters (Tue, 11 Jul 2017)
This week is an important one in the ongoing negotiations over new copyright rules in Europe—which will have reverberations all over the world. As you may recall, the negotiations centre around two worrisome proposals being pushed by publisher and music industry lobby groups for inclusion in a new Digital Single Market Directive: a requirement for mandatory upload filtering by user content platforms (Article 13), and a link tax payable by news aggregators in favor of publishers (Article 11). The convoluted process of negotiation over new European laws means that not only do three European institutions (the European Parliament, the Council of the European Union, and the European Commission) have to reach an accord on the terms of the Directive, but within the European Parliament itself there are also multiple committees that get to weigh in. The Lead Committee is the Legal Affairs or JURI Committee, but it is required to take account of the opinions, and proposed amendments, of the other committees. This week two of those committees will go to a vote on their opinions and suggested amendments, while the JURI committee will consider its own amendments to the European Commission's original proposal. The Committee on Culture and Education (CULT), whose extreme proposals for amendment to the Commission proposal we critiqued in a previous post, will be voting on July 11 on which amendments it will put forward to JURI for inclusion in the Parliament's final compromise text. Since none of CULT's suggested amendments to Articles 11 and 13 would improve on the original proposal—in fact, they would make it worse—we are urging Members of the European Parliament (MEPs) who are members of CULT simply to vote for the deletion of those Articles.
In particular, as pointed out by European Digital Rights (EDRi, of which EFF is a member), for CULT to support mandatory filtering of uploads on user content platforms would directly contradict that committee's own opposition to mandatory filtering of terrorist and other extreme content.  On the same day, the Industry, Research and Energy (ITRE) Committee will also vote on its draft opinion and amendments. Its takes on the upload filter and link tax proposals are not as extreme as those of CULT. In fact its suggested amendment to the Article 11 link tax would gut that misconceived proposal, replacing it with a relatively unobjectionable provision that simply allows press publishers to stand in for journalists in enforcing their existing copyrights in news articles. ITRE's suggested amendment to Article 13 doesn't go so far though, and continues to require platforms to take additional measures such as upload filtering at the behest of copyright holders; therefore we maintain that ITRE should instead vote for deletion of this Article. Two more European Parliamentary committees are also weighing in on these controversial proposals. The IMCO or Consumer Protection and Internal Market Committee voted on its opinion and amendments on 8 June, with a recommendation against the Article 13 upload filtering plan—this should hopefully be persuasive, as it has a special cooperative status with JURI on this topic. Unfortunately, IMCO did not also vote against the Article 11 link tax, but supported the Commission's original proposal. Next to vote after this week will be the Civil Liberties, Justice and Home Affairs (LIBE) Committee, which will vote on its opinion and amendments on September 25. European activists have put together a Save the Meme website which can be used to contact MEPs about the upload filtering and link tax proposals. 
Today, in advance of the CULT and ITRE votes and JURI's consideration of its amendments, would be an excellent day for our European members to take advantage of that opportunity and ask their representatives to vote against the Commission's harmful proposals.

Requiring Judicial Review for Every Gag Order Is a Simple Way to Have Our Backs: Apple Does but Google and Facebook Fall Short (Mon, 10 Jul 2017)
As a civil liberties organization, it’s our job to evaluate how tech companies handle our most private data and to encourage them to do better year over year. Our Who Has Your Back report is designed to do both, which is one reason we revisit the report’s criteria every year—always striving to raise the bar. In this post, we’ll highlight one of the new stars that does just that: “Stands up to NSL gag orders.” To earn a star in this category, companies must publicly commit to invoking a new statutory procedure to have a judge review every indefinite National Security Letter (NSL) gag order the company receives.1 The NSL as we know it today was created by the USA PATRIOT Act’s Section 505. These letters, served on communications service providers like phone companies and ISPs, allow the FBI to secretly demand data about anyone’s private communications and Internet activity without any meaningful oversight or prior judicial review. Recipients of NSLs are subject to a gag order that forbids them from ever revealing the letters' existence to their coworkers, their friends, or even their family members, much less the public. Since 2011, EFF has been fighting the NSL statute in court on behalf of CREDO Mobile and Cloudflare. Our lawsuit argues that the gag orders attached to nearly every NSL—which the FBI is permitted to apply without any court involvement whatsoever—are unconstitutional prior restraints. In response to our suit, Congress included in the 2015 USA FREEDOM Act, a process to allow providers to push back against those gag orders. The new process gives technology companies a right to request judicial review of the gag orders accompanying NSLs (referred to as “reciprocal notice”). When a company invokes the reciprocal notice process, the government is required to bring the gag order before a judge within 30 days. The judge then reviews the gag order and either approves, modifies, or invalidates it. 
The company is permitted to appear in that proceeding and argue, but is not required to do so. To be entirely clear, we don’t think reciprocal notice fixes the serious constitutional problems with NSLs. The First Amendment requires that when the government wants to impose a gag order, it must bear the complete burden of going to court and proving the gag is truly necessary. The government has attempted to avoid this requirement by making court review optional. Reciprocal notice doesn’t fix the constitutional problem with NSLs—it still requires the NSL recipient to stand up to the government and start the process.  The right thing for a company that receives an NSL with a gag order to do is to invoke the reciprocal notice procedure (flawed though it is) and make the government put the gag order before a judge. One of the primary arguments the government has made in EFF’s NSL lawsuit is that companies haven’t spoken out about NSLs and thus don’t care about being gagged. That’s simply false, but unless companies continue to challenge these gag orders as often as possible, the government may get away with its specious argument. To earn a star for this category, therefore, we ask companies to commit to invoking the new reciprocal notice procedure for every NSL they receive. We are not asking companies to file lawsuits in opposition to NSLs the way our clients did. We are only asking them to invoke the reciprocal notice provision in 18 U.S.C. § 3511(b)(1)(A). The statute explicitly envisions this role for the NSL recipient, and the Department of Justice has taken the position that this can be set in motion by a letter or phone call. Furthermore, reciprocal notice does not require an objection to the underlying information request contained in an NSL. While this step won’t bring NSLs in line with the Constitution, the reciprocal notice process does at least provide a path toward transparency. But that path doesn’t mean much if the provider won’t walk it. 
While a handful of Silicon Valley giants including Apple, Dropbox, Pinterest, and Uber all committed to invoking reciprocal notice for every NSL, we’re disappointed that others, such as Google and Facebook, choose only to confront NSL gag orders on a case-by-case basis. The NSL system is broken and companies should invoke reciprocal notice systematically. Given that companies have every right to take this step to stand with their users, we’re sorry we couldn’t award more stars in this category. All of Silicon Valley should follow Apple’s lead, and demand that a judge sign off on every single gag order they receive.

1. We have awarded this star to 12 companies on our report: Adobe, Airbnb, Apple, CREDO, Dropbox, Lyft, Pinterest, Slack, Sonic, Uber, Wickr, and Wordpress. 14 companies failed to earn the star: Amazon, AT&T, Comcast, Facebook, Google, LinkedIn, Microsoft, Snap, T-Mobile, Tumblr, Twitter, Verizon, WhatsApp, and Yahoo.

AT&T, Verizon, Other Telco Providers Lag Behind Tech Industry in Protecting Users from Government Overreach, EFF Annual Survey Shows (Mon, 10 Jul 2017)
Amazon Fails To Follow, Much Less Lead in Privacy Best Practices, Facebook, Google, and Microsoft Fail to Promise They Will Stand Up to FBI Gag Orders San Francisco, California—While many technology companies continue to step up their privacy game by adopting best practices to protect sensitive customer information when the government demands user data, telecommunications companies are failing to prioritize user privacy when the government comes knocking, an EFF annual survey shows. Even tech giants such as Apple, Facebook, and Google can do more to fully stand behind their users. EFF’s seventh annual “Who Has Your Back” report, released today, digs into the ways many technology companies are getting the message about user privacy in this era of unprecedented digital surveillance. The data stored on our mobile phones, laptops, and especially our online services can, when aggregated, paint a detailed picture of our lives—where we go, who we see, what we say, our political affiliations, our religion, and more. “This information is a magnet for governments seeking to surveil citizens, journalists, and activists. When governments do so, they need to follow the law, and users are increasingly demanding that companies holding their data enact the toughest policies to protect customer information,” said EFF Activism Director Rainey Reitman. EFF evaluated the public policies at 26 companies and awarded stars in five categories. This year EFF included two new categories: “promises not to sell out users,” and “stands up to NSL gag orders.” The first reflects our concern about the stated goal of several members of government to co-opt tech companies to track people by their immigration status or religion. We awarded stars to companies that prohibit developers and third parties from capturing user data to assist governments in conducting surveillance. 
We also awarded stars to companies that exercise their right to make the government initiate judicial review of gag orders that prohibit them from publicly disclosing they have received a National Security Letter (NSL). NSLs—secret FBI demands for user information issued with no oversight from any court—permit the FBI to unilaterally gag recipients, a power EFF believes is unconstitutional. Facebook, Google, and Microsoft have failed to promise to step up and exercise the right to have the government put NSL gag orders before a court. Nine companies earned stars in every category this year: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr, and Wordpress. Each has a track record of defending user privacy against government overreach and improved on their practices to meet the more stringent standards in this year’s Who Has Your Back. Two tech companies lagged behind in the industry: Amazon and WhatsApp, both of which earned just two stars. EFF’s survey showed that while both companies have done significant work to defend user privacy—EFF especially lauds WhatsApp’s move to adopt end-to-end encryption by default for its billion users around the world—their policies still lag behind. Online retail giant Amazon has been rated number one in customer service, yet it hasn’t made the public commitments to stand behind its users’ digital privacy that the rest of the industry has. AT&T, Comcast, T-Mobile, and Verizon scored the lowest, each earning just one star. While they have adopted a number of industry best practices, like publishing transparency reports and requiring a warrant for content, they still need to commit to informing users before disclosing their data to the government and creating a public policy of requesting judicial review of all NSLs. 
“The tech industry as a whole has moved toward providing its users with more transparency, but telecommunications companies—which serve as the pipeline for communications and Internet service for millions of Americans—are failing to publicly push back against government overreach,” said EFF Senior Staff Attorney Nate Cardozo. “Both legacy telcos and the giants of Silicon Valley can and must do better. We expect companies to protect, not exploit, the data we have entrusted them with.” For the full report: https://www.eff.org/who-has-your-back-2017 For more on Who Has Your Back: https://www.eff.org/node/81897 For more on government surveillance: https://www.eff.org/nsa-spying   Contact:  Rainey Reitman Activism Director rainey@eff.org Nate Cardozo Senior Staff Attorney nate@eff.org

New Research Estimates Value of Removing DRM Locks (Sun, 09 Jul 2017)
Note: We’ve been in touch with a group of economists at the University of Glasgow who are investigating the market value of interoperability. Just in time for “Day Against DRM,” here are some of their initial conclusions. My co-authors and I at the University of Glasgow are investigating how restrictions on interoperability imposed by Digital Rights Management (DRM) systems might impact the market for goods. We are doing this as part of a larger project to better understand the economics of DRM and to figure out what changes would likely occur if the laws were reformed. Our recent working paper is titled ‘How much do consumers value interoperability: Evidence from the price of DVD players’. [Open Access here] We use price data scraped from Amazon.com on all consumer DVD players listed since 2010 to analyse whether there is an increase in willingness-to-pay for players that have features related to interoperability. These features of interest include things like the lack of region controls, the ability to play legacy disc formats, and the ability to play new open file formats like Xvid. At first, DVD players might seem like an antiquated technology for such a study, but the product has many advantages: locked and unlocked players coexist side by side in the market and there are hundreds of competing devices on sale with similar capabilities, facilitating statistical analysis. Why might consumers benefit from interoperability? Our study is designed to begin to investigate some propositions about why consumers might value interoperability when choosing to purchase devices or content. There are numerous reasons why that might be the case. For example, people might value backwards interoperability between a device and other devices or content they already own. In a famous economics paper, Farrell & Saloner (1986) suggest that there are barriers to adoption of a new standard caused by network effects related to the number of people using the old standard.
For example, maybe one’s friends and family use one system and moving to a new system would leave an early adopter out on a limb. Or, maybe a consumer has invested a lot of money in content that is compatible with the old standard but incompatible with the new one. DRM might amplify those effects and result in ‘excess inertia’: that is, an overall loss to society caused by slower than optimal uptake of a new standard. On the other hand, consumers might not (only) make a purchase decision informed by goods that they or their friends already own. They may be more concerned with what we call forwards interoperability: the capability of a device to interface with future, unknown devices or content. Imagine for example a company pledging not to restrict their format to future innovators, enabling unintended new benefits to consumers as third-party companies supply complementary goods and content. This might interest consumers worried about ‘future-proofing’ their investment, ensuring that new content is likely to be created for their device. Main findings Overall we find that interoperability has a significant positive effect on the price that consumers are willing to pay for DVD players. The average price that they are willing to pay increases by $19 USD for players with any interoperability features present. The average price increases by $30 USD for players with the specific ability to play content in open file formats like Xvid. This feature has the strongest impact on price in our study. The lack of region locks also has a moderately significant effect on price. Backwards compatibility with legacy formats like VCD had no significant impact on price in any of our models, likely because VCD is very much a legacy format, having been popular in the late 1990s. Backwards compatibility might have a bigger impact for products that are released at closer time intervals.
Next steps for research We plan to expand this study, both in terms of global coverage as well as product categories. One of the things we’d like to check is whether the region of the consumer is an important factor in how they value interoperability. Ultimately, we intend to examine these dynamics across as many product categories as possible, where DRM-locked options coexist in the market alongside unlocked or hackable options. Some possible candidate products include network routers, handheld GPS devices, and even ‘smart’ lightbulbs. As more and more devices come with embedded firmware, the ability of manufacturers to lock out consumers with DRM – or make them interoperable – will have a greater impact on society beyond media devices.

Third Circuit Declares First Amendment Right to Record Police (Sat, 08 Jul 2017)
The First Amendment protects our right to use electronic devices to record on-duty police officers, according to a new ruling by the U.S. Court of Appeals for the Third Circuit in Fields v. Philadelphia. This right extends to anyone with a recording device, journalists and members of the public alike. And this right includes capture of photos, videos, and audio recordings. EFF filed an amicus brief seeking this ruling. We argued that people routinely use their electronic devices to record and share images and audio, and that this often includes newsworthy recordings of on-duty police officers interacting with members of the public. The Court’s Reasoning The Third Circuit began its Fields opinion by framing the right to record in history and policy: In 1991 George Holliday recorded video of the Los Angeles Police Department officers beating Rodney King and submitted it to the local news. Filming police on the job was rare then but common now. With advances in technology and the widespread ownership of smartphones, civilian recording of police officers is ubiquitous. . . . These recordings have both exposed police misconduct and exonerated officers from errant charges. The Third Circuit recognized that all five federal appellate courts that previously addressed this issue held that the First Amendment protects the right to record the police. The court next reasoned that the right to publish recordings depends on the predicate right to make recordings. Specifically: The First Amendment protects actual photos, videos, and recordings, . . . and for this protection to have meaning the Amendment must also protect the act of creating that material. There is no practical difference between allowing police to prevent people from taking recordings and actually banning the possession or distribution of them. 
The court also reasoned that the right to record the police is grounded in the First Amendment right “of access to information about their officials’ public activities.” The court explained: Access to information regarding public police activity is particularly important because it leads to citizen discourse on public issues, “the highest rung of the hierarchy of First Amendment values, and is entitled to special protection.” The court identified the many ways that civilian recordings of police activity are beneficial by capturing critical information: “To record what there is the right for the eye to see or the ear to hear corroborates or lays aside subjective impressions for objective facts. Hence to record is to see and hear more accurately.” “Recordings also facilitate discussion because of the ease in which they can be widely distributed via different forms of media.” “Bystander videos provide different perspectives than police and dashboard cameras, portraying circumstances and surroundings that police videos often do not capture.” “Civilian video also fills the gaps created when police choose not to record video or withhold their footage from the public.” Importantly, the court concluded that recordings of on-duty police have “contributed greatly to our national discussion of proper policing.” Among other things, they have “improved professional reporting, as video content generated by witnesses and bystanders has become a common component of news programming.” As a result, recordings have “spurred action at all levels of government to address police misconduct and to protect civil rights.” Three Cautions Qualified Immunity The Third Circuit erred on the issue of “qualified immunity.” This is a legal doctrine that protects government employees from paying money damages for violating the Constitution, if the specific right at issue was not clearly established at the time they violated it. 
In Fields, the Third Circuit unanimously held that going forward, the First Amendment protects the right to record the police. But the majority held that this right was not clearly established at the time the police officers in the case violated this right. Judge Nygaard dissented on this point. He persuasively argued that this right was in fact clearly established, given the prior rulings of other appellate courts, the City of Philadelphia’s own policies, and the frequency that people (including police officers themselves) use their mobile devices to make recordings. On the bright side, the Third Circuit remanded the question of municipal liability, so there is still a possibility that the injured parties, whose right to record was disrupted by police, can obtain damages from the city. Location of Recording The Third Circuit in Fields sometimes formulated the First Amendment right to record police as existing in “public” places. This is true. But the right also exists in private places. For example, a home owner might record police officers searching their home without a warrant. Also, a complainant about police misconduct, speaking to internal affairs officers inside a police station, might record those officers discouraging her from pressing charges. In such cases, there is a First Amendment right to record on-duty police officers in a private place. Rather than ask whether the place of recording was public or private, courts should ask whether the subject of recording had a reasonable expectation of privacy. Critically, on-duty police have no such expectation while speaking with civilians, whether they are in a public or private place. The Fields decision is not to the contrary. Rather, it simply addressed the facts in that case, which concerned civilians recording on-duty police officers who happened to be in public places. 
Also, the Fields opinion at another point correctly framed the issue as “recording police officers performing their official duties.” Interference The court discussed another possible limitation on the right to record the police—whether recording may be subject to “reasonable time, place, and manner restrictions” to ensure that it doesn’t interfere with police activity. However, this issue was not before the court. It remains to be seen how future courts will address limitations on the First Amendment right to record the police. Next Steps The Third Circuit’s Fields decision is an important victory for the right of technology users to record on-duty police officers. But the struggle continues. Across the country, many government officials continue to block members of the public from using their electronic devices to record newsworthy events. EFF will continue to fight for this vital right. Related Cases: Fields v. City of Philadelphia

Court Orders Prolific Patent Troll Shipping & Transit LLC To Pay Defendant’s Legal Bill (Sat, 08 Jul 2017)
Shipping & Transit LLC, formerly known as Arrivalstar, is one of the most prolific patent trolls ever. It has filed more than 500 lawsuits alleging patent infringement. Despite having filed so many cases, it has never had a court rule on the validity of its patents. In recent years, Shipping & Transit’s usual practice has been to dismiss its claims as soon as a defendant spends resources to fight back. A district court in California issued an order (PDF) this week ordering Shipping & Transit to pay a defendant's attorney's fees. The court found that Shipping & Transit has engaged in a pattern of “exploitative litigation.” Shipping & Transit owns a number of patents that relate to vehicle tracking. We’ve written about its patent trolling on numerous occasions. In many cases, Shipping & Transit asserted its patents against businesses that simply sent email to customers with a tracking number. In other cases, it has sued municipal transport agencies and logistics companies. The recent fee award is from a case called Shipping & Transit LLC v. Hall Enterprises, Inc. After getting sued, Hall told Shipping & Transit that it should dismiss its claims because its patents are invalid under Alice v. CLS Bank. Shipping & Transit refused. Hall then went to the expense of preparing and filing a motion for judgment on the pleadings (PDF) arguing that Shipping & Transit’s patents are invalid. In response, Shipping & Transit voluntarily dismissed its claims. Hall then filed a motion for attorney’s fees (PDF). In considering the motion for fees, the court first considered the merits of Hall’s motion for judgment on the pleadings. The court found that the asserted patent claims were directed to the abstract idea of “monitoring and reporting the location of a vehicle” and that they do not contain an inventive concept sufficient to transform the abstract idea into a patent-eligible invention.
The court also concluded Shipping & Transit’s legal arguments in defense of its patents were “objectively unreasonable in light of the Supreme Court’s Alice decision and the cases that applied that decision to invalidate comparable claims.” The court also considered Shipping & Transit’s litigation history. It wrote: Although the Court agrees that filing a large number of cases does not necessarily mean Plaintiff litigated in an unreasonable manner, it nevertheless finds troubling that Plaintiff has repeatedly dismissed its own lawsuits to evade a ruling on the merits and yet persists in filing new lawsuits advancing the same claims. … Plaintiff’s business model involves filing hundreds of patent infringement lawsuits, mostly against small companies, and leveraging the high cost of litigation to extract settlements for amounts less than $50,000. These tactics present a compelling need for deterrence and to discourage exploitative litigation by patentees who have no intention of testing the merits of their claims. In the court’s view, the combination of Shipping & Transit’s unreasonable legal arguments and its history of exploitative litigation justified an award of fees. Shipping & Transit could appeal this decision but we believe the appeal would be unlikely to succeed. Any appeal would be decided under an “abuse of discretion” standard that makes reversal less likely. Also, the Federal Circuit has recently shown increased willingness to impose fees on abusive patent litigants.   Because Shipping & Transit dismissed its complaint, the court did not have jurisdiction to formally invalidate the patent claims. Nevertheless, the court clearly would have ruled in Hall’s favor on the motion for judgment on the pleadings had it decided that motion. Shipping & Transit is therefore on notice that these patent claims are invalid and, in our view, any subsequent litigation asserting these claims would warrant sanctions. 
We hope this ruling will finally put an end to Shipping & Transit’s massive patent trolling campaign. The fact that Shipping & Transit was able to file more than 500 cases with almost-surely invalid patents shows that further reform is needed to slow down patent litigation abuse.

McMansion Hell Take-Down Controversy Illustrates Why the Supreme Court Should Clarify the Limits of the CFAA (Fr, 07 Jul 2017)
When McMansion Hell blogger Kate Wagner received Zillow’s letter last month demanding that she take down her architecture parody blog, she was scared. So scared that she temporarily disabled access to her blog via McMansionHell.com until she could find an attorney. We’re happy she found us at EFF. While all of the claims Zillow made were highly dubious, one stuck out to us as especially egregious and scary: the claim that McMansion Hell violated a notoriously vague criminal statute called the Computer Fraud and Abuse Act, or CFAA. That Zillow’s lawyers thought it was proper to include this threat shows how strongly we need some sanity brought to the CFAA. Luckily, the Supreme Court has the opportunity to bring that sanity—and we urge them to do so. CFAA’s Ongoing Threat The CFAA, inspired in part by a fictional movie, was meant to criminalize breaking into computers to access or alter data. But its language is incredibly broad and vague. It makes it illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—“without authorization” or in excess of authorization, but it doesn’t tell us what “without authorization” means. Sadly, both prosecutors and private parties have taken advantage of this vague language, endeavoring to stretch the law to cover any “bad” conduct that happens to involve a computer—even just violating a website’s terms of use. As journalist Sarah Jeong said on an episode of the podcast ReplyAll about the CFAA, “When nothing else sticks, you can always turn to the CFAA.” It’s tacked on in all sorts of cases that have nothing to do with breaking into a computer—including the Zillow McMansion Hell controversy. For those looking to get content offline, the CFAA is an obvious choice for a powerful scare tactic. That Zillow’s lawyers chose to say that Ms.
Wagner “may” have violated the CFAA was cold comfort; for most people even the suggestion of criminal charges is enough to scare them into complying with a takedown demand. This is compounded by a range of court decisions interpreting the law in conflicting ways. If courts can’t even agree about what the CFAA covers, how can those unfamiliar with the law be expected to tell whether a CFAA-based demand for an immediate takedown is legitimate? Time to Rein in the Threat of the CFAA It’s long past time for both the courts and Congress to put an end to such abusive behavior by clarifying what the law does and doesn’t reach—and by putting Terms of Service violations on the far side of that line. Right now the Supreme Court seems like the best option. Earlier this summer, in fact, EFF asked the Supreme Court to step in and clarify that using a computer in a way that violates corporate policies, preferences, and expectations, which is what Zillow claimed here, cannot be grounds for a CFAA violation. A clear, unequivocal ruling would go a long way to help stop abuses like those Zillow inflicted on Ms. Wagner. The case, called U.S. v. Nosal, is on appeal from a Ninth Circuit ruling that threatens to transform the CFAA into a mechanism for criminalizing password sharing and policing Internet use. EFF has also been pushing for CFAA reform for years and increased those efforts after the tragic death of programmer and Internet activist Aaron Swartz. Our efforts in Congress have been blocked so far, with tech giants like Google, Facebook, and Oracle shamefully unwilling to support reform even as the law needlessly claims lives and results in massively overbroad sentences. The CFAA was passed years before the advent of the modern Internet and is desperately out-of-touch with how we use computers today. 
Common sense changes, like clarifying that terms of service violations cannot give rise to federal criminal liability, are needed—both to rein in prosecutorial discretion and to help stop companies from using the CFAA as a scare tactic. We hope the Supreme Court takes up the Nosal case. Related Cases: United States v. David Nosal

Trump’s FBI Pick Has a Troubling History on Digital Liberties (Fr, 07 Jul 2017)
President Donald Trump’s pick to lead the FBI, Christopher Wray, will begin his confirmation process next week, giving lawmakers an opportunity to press him on his previous statements about expansive surveillance authorities and aggressive copyright prosecution. Defense of the USA PATRIOT Act During his tenure as Assistant Attorney General in the Bush Administration, Wray vocally defended a range of controversial provisions in the USA PATRIOT Act—including Section 215, which would later provide the basis for the bulk collection of Americans’ telephone metadata. When Wray went before the Senate Judiciary Committee in 2003 to defend the PATRIOT Act, a Department of Justice document indicated that Section 215’s business records provision had never been used. Wray insisted that was a sign of restraint: “We try to use these provisions sparingly, only in those instances where we feel that this is the only tool that we can use.” In fact, as the Privacy and Civil Liberties Oversight Board (PCLOB) made clear in its report on the bulk metadata program, Section 215 was sitting fallow because the Bush Administration was already collecting much of that data—without statutory authorization. Granted, Wray didn’t have all of the information about that secretive wiretapping program until 2004, which we’ll get into below. Still, his insistence that Section 215 was just an effort to bring counterterrorism powers in line with ordinary criminal authorities reflected a concerning lack of skepticism about the risk of abuse. The same holds for his defense of a range of other PATRIOT Act provisions: “sneak and peek” warrants that allow law enforcement to search first and serve notice later; a reduced bar for obtaining a FISA warrant that one district court later found inconsistent with the Fourth Amendment; and a vaguely worded expansion of the kind of Internet data, some of it potentially very sensitive, that can be collected with a pen/trap order. 
Experience teaches that broad grants of surveillance authority are invariably abused, as the PATRIOT Act has been. During Wray’s confirmation process, lawmakers should press him on his insistence that the Act “helped preserve and protect liberty and freedom, not erode them.” Outstanding Questions about STELLARWIND President Bush’s sweeping constellation of warrantless surveillance programs, codenamed STELLARWIND, played a key role in the mythos that surrounded the last two FBI Directors. Wray was reputedly one of the senior Justice Department officials ready to resign if then-Deputy Attorney General James Comey chose to do so over STELLARWIND’s legality—though Wray himself wasn’t aware of its existence at the time. Wray has since praised then-FBI Director Bob Mueller’s willingness to challenge President Bush over those surveillance programs, telling WIRED, “I think that the great thing about [people with] strong moral compasses is that they don’t have to hand-wring. When they’re uncomfortable, they know what they have to do.” But when Wray was confronted with a constitutional concern about those intelligence efforts, his response, as reflected in a 2009 inspector general report, seems to have been underwhelming. Wray was read into STELLARWIND in 2004 to address concerns that the government—in working to preserve the spying program’s secrecy—was failing to disclose potentially exculpatory material to which criminal defendants were entitled under the Constitution. As the Justice Department’s Inspector General later found, “[T]he Department made little effort to understand and comply with its discovery obligations with Stellar Wind-derived information for the first several years of the program.” What legal analysis had been conducted was, the IG would later write, “factually flawed and inadequate.” Wray and another attorney in the Justice Department’s Criminal Division were tasked with reviewing it. 
But beyond ordering the other attorney to write a memo of his own, it’s not clear Wray took any action to remedy the problem. While the memo recommended further research, there seems to have been no follow up. Four years after Wray left the Justice Department, its Inspector General would write that efforts to comply with the Constitution and other legal responsibilities “are not complete and do not fully ensure that the government has met its discovery obligations.” Before he’s given the top job at the country’s law enforcement agency, Wray should have to square his praise for officials willing to challenge unconstitutional surveillance with his apparent inaction on a constitutional question about the rights of defendants swept up in spying programs. Aggressive Copyright Prosecutions As Assistant Attorney General for the Criminal Division, Wray also oversaw and touted the Justice Department’s aggressive prosecutions for intellectual property infringement, some of them alarmingly trivial. In 2004, for instance, Wray named a guilty plea from a defendant who shared a pre-release copy of “The Hulk” in a chat room as one of the most significant intellectual property prosecutions of the year. That emphasis seems disproportionate, to say the least. As Senator Leahy put it in the same Judiciary Committee hearing, “That movie sank like a rock at the box office. Within a couple of weeks, they probably could not have given away the copies.” Still, the impact on the defendant was very real—including six months’ home confinement. In a climate in which copyright law is increasingly abused to chill and deter speech online, Wray’s past comments are cause for concern. Lawmakers should press him to commit to reasonable enforcement and respect for free expression protections. An Obligation to Explain—and Reconsider If confirmed, Christopher Wray will lead an agency with vast power to intrude on fundamental digital liberties. 
During his last tour in government service, he expressed views that should concern everyday Internet users. During this upcoming confirmation process, we expect lawmakers to review Wray’s record, and we hope he will disavow some of his more dangerous views on the government surveillance activities that we know to violate our core civil liberties.  

Amid Unprecedented Controversy, W3C Greenlights DRM for the Web (Fr, 07 Jul 2017)
Early today, the World Wide Web Consortium (W3C) standards body publicly announced its intention to publish Encrypted Media Extensions (EME)—a DRM standard for web video—with no safeguards whatsoever for accessibility, security research or competition, despite an unprecedented internal controversy among its staff and members over this issue. EME is a standardized way for web video platforms to control users' browsers, so that we can only watch the videos under rules they set. This kind of technology, commonly called Digital Rights Management (DRM), is backed up by laws like the United States DMCA Section 1201 (most other countries also have laws like this). Under these laws, people who bypass DRM to do legal things (like investigate code defects that create dangerous security vulnerabilities) can face civil and criminal penalties. Practically speaking, bypassing DRM isn't hard (Google's version of DRM was broken for six years before anyone noticed), but that doesn't matter. Even low-quality DRM gets the copyright owner the extremely profitable right to stop their customers and competitors from using their products except in the ways that the rightsholder specifies. EFF objects to DRM: it's a bad idea to make technology that treats the owner of a computer as an adversary to be controlled, and DRM wrecks the fairness of the copyright bargain by preventing you from exercising the rights the law gives you when you lawfully acquire a copyrighted work (like the rights to make fair uses like remix or repair, or to resell or lend your copy).
But EFF understood that the W3C had members who wanted to make DRM, so we suggested a compromise: a covenant, modeled on the existing W3C member-agreement, that would require members to make a binding promise only to use the law to attack people who infringed copyright, and to leave people alone if they bypassed DRM for legal reasons, like making W3C-standardized video more accessible for people with disabilities. This was a very popular idea. It was endorsed by Unesco, by the Internet Archive, by the creator of the W3C's existing membership agreement, by hundreds of top security researchers, by the competition expert who coined the term "Net Neutrality", and by hundreds of human rights organizations and activists from the global south. The Open Source Initiative amended its definition of "open standard" so that DRM standards could only qualify as "open" if they protected legitimate activity. Now, it's fair to say that the W3C's DRM advocates didn't like the idea. After a perfunctory discussion process (during which some progress was made), they walked away from the negotiations, and the W3C decided to allow the standardization work to continue despite their unwillingness to compromise. But other W3C members did like the idea. On March 12, the final vote for publishing EME closed, and members ranging from the German National Library to the UK Royal National Institute for Blind People to the cryptocurrency startup Ethereum, to Brave, a new entrant to the browser market, along with dozens more, rejected the idea of publishing EME without some protections for these equities (the numbers in the vote are confidential by W3C's own membership requirements, but all the members mentioned here have given permission to have their votes revealed). It was the most controversial vote in W3C history.
As weeks and then months stretched out without a decision, another W3C member, the Center for Democracy and Technology, proposed a very, very narrow version of the covenant, one that would only protect security researchers who revealed accidental or deliberate leaks of data marked as private and sensitive by EME. Netflix's representative dismissed the idea out of hand, and then the W3C's CEO effectively killed the proposal. Today, the W3C announced that it would publish its DRM standard with no protections and no compromises at all, stating that W3C Director Tim Berners-Lee had concluded that the objections raised "had already been addressed" or that they were "overruled." In its statement, the W3C said that publishing a DRM standard without protections for core open web activities was better than not doing so, because its DRM had better support for privacy, accessibility, and competition than a non-W3C version of DRM would have. We disagree. Even by the W3C's own measures, EME represents no improvement upon a non-standards approach, and in some important ways, the W3C's DRM is worse than an ad-hoc, industry approach. At root is the way that DRM interacts with the law. Take security: the W3C's specification says that users' computers should be protected from privacy-invading activities by DRM vendors, but without a covenant, it's impossible to check whether this is happening. Recall that Netflix, one of the principal advocates for DRM at W3C, categorically rejected the narrowest of covenants, one that would protect solely the activity of revealing DRM flaws that compromised user privacy. On the question of accessibility, the W3C has simply ignored the substantial formal and informal objections raised by its members, including members with deep expertise in accessibility, such as Vision Australia, Media Access Australia, Benetech, and the RNIB. 
These organizations pointed out that having a place for assistive data was nice, but to make video accessible, it was necessary to use computers to generate that data. It's great to say that if you know where all the strobe effects are in 10,000,000 hours of videos, you could add warnings to the timelines of those videos to help people with photosensitive epilepsy. But unless you have an unimaginable army of people who can watch all that video, the practical way to find all those strobes is to feed the video to a computer, after bypassing the DRM. Otherwise, most video will never, ever be made safe for people with photosensitive epilepsy. Multiply that by the unimaginable armies of people needed to write subtitles, translate audio, and generate descriptive audio tracks, and you've exceeded the entire human race's video-annotating capacity several times over—but barely scratched the surface of what computers can (and will be able to) do. On the question of competition, the W3C's response is even more frustrating and non-responsive. EME only solves part of the video-transmission standard: for a browser to support EME, it must also license a "Content Decryption Module" (CDM). Without a CDM, video just doesn't work. All the big incumbents advocating for DRM have licenses for CDMs, but new entrants to the market will struggle to get these CDMs, and in order to get them, they have to make promises to restrict otherwise legal activities (for example, CDM licensing terms prevent users in some parts of Europe from seeing videos made available in other parts of the EU). The W3C says that none of this makes DRM any worse than what was there before the standards effort, but they're dead wrong. DRM is covered by a mess of criss-crossing patents that make any kind of interoperable DRM transcendentally hard to create -- unless there's some way of cutting through the patent thicket. 
That's where the W3C comes in: its patent policy requires members to swear not to enforce their patents against people who implement W3C standards. Since the W3C's membership includes key DRM patent owners, it's the one forum where such a standard can be set. At EFF, we've spent decades defending people engaged in legitimate activities that companies or governments disliked: researchers who go public with defects in products whose users are blithely unaware of them; new entrants to monopolized markets who offer better products with features the cozy old guard don't like; public spirited archivists and accessibility workers who want to preserve digital culture and make sure everyone gets to use it. We're dismayed to see the W3C literally overrule the concerns of its public interest members, security experts, accessibility members and innovative startup members, putting the institution's thumb on the scales for the large incumbents that dominate the web, ensuring that dominance lasts forever. This will break people, companies, and projects, and it will be technologists and their lawyers, including the EFF, who will be the ones who'll have to pick up the pieces. We've seen what happens when people and small startups face the wrath of giant corporations whose ire they've aroused. We've seen those people bankrupted, jailed, and personally destroyed. That's why we fought so hard at the W3C, and it's why we're fighting so hard to fix laws like Section 1201 of the DMCA. We've been suing the US government over the constitutionality of DMCA 1201; in the coming months, we'll be back at the US Copyright Office, arguing to maintain and extend the exemptions to 1201 we won in 2015. As for the W3C... we're working on it. There is an appeals process for Tim Berners-Lee's decisions at the W3C, which has never been successfully triggered. 
The entire project of designing technology to control web users, rather than empowering them, has taken the W3C into uncharted waters, and this is the most unfamiliar of them all. We're looking into this, counting noses, and assessing our options. We'll keep you informed.

EFF Condemns Detentions at Turkish Digital Security Meeting (Fr, 07 Jul 2017)
Turkish police officers in plainclothes yesterday raided a digital security training meeting on the island of Buyukuda in Istanbul, seizing equipment and detaining ten attendees, including Idil Eser, the director of Amnesty International Turkey. The human rights defenders are still being held in separate detention centers, and were denied access to lawyers and the press for over 24 hours. Amnesty's Turkey researcher reports that Eser faces at least seven days pre-trial detention under Turkish law; Global Voices Advocacy says the same for the other Turkish citizens arrested in the raid. The status of the trainers, who are from Germany and Sweden, is currently unknown. EFF believes that everyone should be free to learn to protect themselves online and that this is information they have the right to share. Digital security trainings like this one are frequently held across the world to educate lawyers, journalists, and human rights advocates on how best to protect themselves and their communities. Teaching or learning these skills is certainly no grounds for detention. By conducting this raid, Turkey joins Iran and Ethiopia as countries where innocent citizens are intimidated and arrested simply for learning the basic principles of modern technology. We join Amnesty International, HIVOS, Article 19, and the rest of the international human rights community in demanding that Turkish authorities release all the Buyukuda detainees, including the two digital security trainers, immediately.

Photographer Attacked by Ludicrous Online Voting Patent (Do, 06 Jul 2017)
Ruth Taylor never expected that her hobby would get her sued for patent infringement. Her photography website, Bytephoto.com, barely made enough advertising revenue to cover hosting costs. The site hosts user-submitted photos and runs weekly competitions, decided by user vote, for the best. Ruth’s main business is her own photography. She supports that business by visiting more than a dozen local art festivals in Bucks County, Pennsylvania every year. In 2007, almost four years after Bytephoto began running online photo competitions, a company called Garfum.com Corporation applied for a patent titled “Method of Sharing Multi-Media Content Among Users in a Global Computer Network.” The patent, U.S. Patent No. 8,209,618, takes the well-known concept of a competition by popular vote and applies it to the modern context of computer networks. On September 23, 2014, Garfum filed a federal lawsuit accusing Bytephoto of patent infringement for allowing its users to vote for their favorite photo. Like many people sued for patent infringement, Ruth first learned of the case when a lawyer who had seen the complaint online called out of the blue, hoping to represent her. She was stunned. “It seemed like a scam,” she said. Ruth didn’t understand how someone could patent online contests. It just didn’t seem logical. A few days later, a process server arrived at her house to formally serve the complaint. Then Ruth knew it was real. Garfum’s opening settlement demand was $50,000. This demand far exceeded Bytephoto’s annual revenue. Ruth learned that defending the case could easily cost more than a million dollars. Since Bytephoto was just a hobby, Ruth had never incorporated it. This meant she was personally on the hook. She faced the choice between paying the settlement and paying even higher litigation costs.
This was especially frustrating because Bytephoto began allowing users to vote for their favorite photographs years before Garfum filed its patent application. You can’t patent what already exists. But proving this defense in court would take months of expensive discovery. Fortunately for Ruth, Garfum’s lawsuit arrived after the Supreme Court’s decision in Alice v. CLS Bank. Many judges have allowed challenges under Alice to be filed early in the case rather than waiting for discovery (since the patent itself is the key evidence). EFF agreed to represent Ruth pro bono and filed a motion asking the court to hold the patent invalid under Alice. A few days before the hearing on that motion, Garfum voluntarily abandoned its suit. Ruth’s case is a perfect example of why Alice improves the patent system. Garfum’s broad and abstract patent did nothing to promote innovation. The idea of voting has been around for centuries. The idea of applying voting to online social networks did not deserve patent protection. Indeed, even Ruth’s own website predated Garfum’s application. Yet a settlement or litigation expenses could quickly have led to the site being shut down. Fortunately, thanks to the Alice ruling, Ruth was able to defeat Garfum’s absurd claim and continue running her site and her business.

Everyone Should Have a Real Chance to Defend Their Anonymity (Do, 06 Jul 2017)
In the United States, everyone – even people accused of offensive conduct – has the right to communicate anonymously, and that right should never be infringed without due process. Our Constitution guarantees this, whether your speech is popular or distasteful. At the same time, people who have been harmed by an anonymous speaker also have a right to seek justice, and, where necessary, that process can include unmasking the speaker. Following a rash of bogus defamation lawsuits designed primarily to unmask anonymous online speakers and retaliate against them, courts around the country adopted legal tests to determine when people suing anonymous speakers are entitled to unmask them. Recognizing the First Amendment interests at stake, these tests require plaintiffs to establish the legitimacy of their claims and their need for the information. But as we explained in a letter brief filed today in a New York state court, those tests mean little if they are not applied rigorously, and if the speaker in question doesn't have a chance to raise the issue at all. (The brief is currently under seal, but watch this space – we'll be asking the court to unseal it promptly). Unfortunately, that's precisely what is about to happen to almost 300 Tumblr users who reblogged a sexually explicit video of a 17-year-old girl created 10 years ago. The person in the video (suing as Jane Doe) thought it had been destroyed, but she recently discovered it had been posted on Tumblr and then reblogged hundreds of times. She wants to sue those users for distribution of child pornography and intentional infliction of emotional distress. To help her do so, a New York judge has ordered Tumblr to disclose account information for those users. Tumblr pushed back, and managed to narrow the number of users affected. Nonetheless, last week Tumblr notified those users that their account information would be disclosed unless they challenged the order by July 7. 
In other words, the users had just 10 days – including a major holiday weekend – to read the notice, find a lawyer, and run to court to defend their anonymity. To be clear, if the allegations are true, the plaintiff in this case has been wronged. But that's just the thing – First Amendment protections for anonymous speech never disappear, no matter how awful the defendant's alleged act. In fact, that's when the protection is most needed. Depending on how the plaintiff handles the case, close to 300 Tumblr users risk being publicly associated with child pornography. Those users will be under tremendous pressure to settle any claims, whether or not they have valid defenses. Once lost, their anonymity cannot be recovered and the association cannot be undone. And keep in mind that Tumblr, no matter how careful it tries to be, may disclose the wrong account information. The court initially demanded disclosure within just five days, so 10 days is an improvement. But it's still far too little time, especially given that the harm to the plaintiff has already occurred. There is no immediate need to disclose account information without giving the anonymous speakers sufficient time to challenge the propriety of the order and/or the accuracy of Tumblr's identification. So we're asking the court to first apply the legal test required by the First Amendment to unmask anonymous speakers, and, if the test is satisfied, to extend the deadline for disclosure so that users can challenge the order if they have a legitimate basis to do so (e.g., because they were improperly identified, or not subject to the jurisdiction of the court). We don't tell the court how to rule once it has applied the test required by the First Amendment. If the standards are met, the court may authorize disclosure. But sidestepping the test altogether is wrong. We urge the court to do the right thing, and follow the Constitution.

Here's How We're Fighting Back Against “Secret” Search Warrants (Mi, 05 Jul 2017)
Can the government stop you from finding out it’s been looking through your private Facebook content as part of a “secret” investigation that’s not actually secret? That’s the question raised by an alarming case pending in the Washington D.C. Court of Appeals. Facebook has described the investigation as "known to the public," and the timing and venue match the January 20th, 2017 Presidential Inauguration protests (known as “J20”), the investigation of which is indeed quite public. But even if the warrants pertain to another investigation, the government should not be allowed to impose gag orders with respect to any information that is already publicly known. Last week, EFF led a group of civil society organizations that included Access Now, the Center for Democracy and Technology, and New America’s Open Technology Institute in filing a brief demanding that the court apply a stringent constitutional test before enforcing gag orders accompanying a number of secret search warrants. We argued that the First Amendment rarely if ever allows gag orders in such cases, where the government seeks to limit public scrutiny of high-profile and potentially politicized investigations.  Here’s what we know: Facebook is fighting gags associated with several search warrants for user content. The company thinks this case is so important that it sent out a kind of bat signal to groups like EFF. Although the case is under seal, Facebook petitioned the D.C. Court of Appeals (the District’s highest court) to open the proceeding up to amicus briefs and to reveal that Facebook argues that “neither the government’s investigation nor its interest in Facebook user information” is a secret. Although we can’t be sure, we have a hunch the search warrants are related to the J20 protests. On January 20, the day of President Trump’s inauguration, police in D.C. arrested hundreds of protesters, charging many with felony rioting. 
Over the last several months, the press has reported on the controversial and wide-ranging investigation into the protests, which apparently included police infiltration of planning meetings. Additionally, in late January, some defendants received notice from Facebook that their non-content account information had been subpoenaed by law enforcement. Their attorneys sought to quash those subpoenas, and we believe the timeline in this case suggests the government sought to get even more private information, including account content, using warrants to Facebook accompanied by gag orders. Whether or not this case involves the J20 protests, the fact that Facebook says the underlying investigation is already public is almost certainly enough to strike down the gag orders. Government gags that prevent a provider from notifying its users are an example of prior restraints, which are the “most serious” and “least tolerable” infringement on First Amendment rights. As a result, the Supreme Court has said they are only constitutional if they meet the “most exacting scrutiny.” But despite the strong presumption against prior restraints, the government gets gag orders all the time. Two of the most commonly used gag authorities are National Security Letters, which EFF continues to challenge on appeal in the Ninth Circuit, and nondisclosure orders issued under the Stored Communications Act, 18 U.S.C. § 2705, at issue in this case. There are strong arguments that Section 2705 nondisclosure orders are unconstitutional all or nearly all of the time. Just in the last several months alone, Microsoft has sued to have Section 2705 declared unconstitutional on its face, while Adobe succeeded in convincing a court to strike down an indefinite Section 2705 gag. But the apparently public nature of the investigation here makes the gags even more egregious. 
In order to uphold a prior restraint, a court must be satisfied that it is necessary to protect against “a clear and present danger or a serious and imminent threat” to an important government interest. As we point out in our brief, if the government’s investigation into the Facebook accounts is already known, there’s no way that a gag can prevent any harm flowing from notifying the users and allowing them to challenge the search warrants. We point to examples from two cases in which the Supreme Court struck down gags that prevented the press from reporting sensitive information that had already been revealed in open court. Although the docket is sealed, it’s our understanding that the court has set this case for oral argument in September 2017. We have requested an opportunity to address the court to represent the public’s interest in ensuring that prior restraints such as this don’t issue without the most exacting scrutiny our court system is prepared to provide. We will keep you informed of any updates we receive.

A July 4 Message from EFF Co-founder John Perry Barlow (Tue, 04 Jul 2017)
There’s no need to make America great again.  America has been great since it became the first nation on Earth where a set of ideas became the ruling principles of governance. America was great when it was established that authority did not come from divine right, or indeed anything beyond the ability to earn it.  Those who believe America's greatness depends on her ability to create fear both at home and abroad are the enemies of American greatness. The best we can do as Americans is cling more steadfastly than ever to the belief that we represent sanctuary to all that need it, and opportunity to all who are willing to work for it. These are precisely the qualities that made America great in the first place. And more than anything else, America's greatness resides in our ability to represent love in the world of nations, and not fear. - John Perry Barlow. July 4, 2017

Congress Needs to End Warrantless Spying, Not Make It Permanent (Sat, 01 Jul 2017)
Lawmakers are getting serious about renewing the U.S. government’s Internet spying powers, so we need to get serious about stopping their bad proposals. First out of the gate is a bill from Sen. Tom Cotton, an ardent defender of government surveillance. His bill would not just reauthorize, but make permanent the expiring measure that the government says justifies the warrantless surveillance of innocent Americans’ online communications—Section 702, as enacted by the FISA Amendments Act. His bill (S. 1297) is supported by several Republicans in the Senate, including Senate Intelligence Chairman Richard Burr and Sens. John Cornyn, John McCain, and Lindsey Graham. Section 702 surveillance violates the privacy rights of millions of people. This warrantless spying should not be allowed to continue, let alone be made permanent as is. As originally enacted, Section 702 expires every few years, giving lawmakers the chance to reexamine the broad spying powers that impact their constituents. This is especially crucial as technology evolves and as more information about how the surveillance authority is actually used comes to light, whether through government publication or in the press. If Congress were to approve Cotton’s bill, lawmakers would not only be ignoring their constituents’ privacy concerns, but they would also be ceding their obligation to regularly review, debate, and update the law. That is not acceptable. Luckily, there’s already opposition to the proposal to make Section 702 permanent. During recent hearings at the Senate Intelligence and Judiciary Committees on Section 702 surveillance, Sen. Dianne Feinstein—who has historically been sympathetic to the intelligence community—said she could not support a bill that makes Section 702 permanent. Now we need other members of Congress to make the same stand. We cannot accept lawmakers ignoring our privacy concerns and their responsibility to review surveillance law, and our lawmakers need to hear that. 
Sign our petition today and tell Congress to oppose S. 1297 and the permanent reauthorization of Section 702 spying.

Stupid Patent of the Month: Using A Computer To Count Calories (Sat, 01 Jul 2017)
This month’s stupid patent, like many stupid patents before it, simply claims the idea of using a computer for basic calculations. U.S. Patent No. 6,817,863 (the ’863 patent) is titled “Computer program, method, and system for monitoring nutrition content of consumables and for facilitating menu planning.” It claims the process of using a computer to track nutrition information like calorie or vitamin intake. It is difficult to think of a more basic and trivial use for a computer. The ’863 patent is owned by a patent troll called Dynamic Nutrition Solutions LLC. Dynamic Nutrition filed a lawsuit this month in the Eastern District of Texas accusing Australian company Fatsecret of infringing the ’863 patent. Dynamic Nutrition had filed four other lawsuits. Consistent with a pattern of nuisance litigation, each of those earlier suits settled very quickly. What “invention” does the ’863 patent purport to cover? Claim 1 of the patent is reproduced in full below (with comments in brackets): A computer program comprising a combination of code segments stored in a computer-readable memory and executable by a processor to provide nutrition content information related to consumables, the computer program comprising: a code segment operable to receive and store an input related to consumption of consumables, and to associate the input with a calender [sic] date [i.e. program a computer to track daily food intake]; and a code segment operable to generate an interactive display screen, wherein the interactive display screen includes— [i.e. include some kind of user interface] one or more lists of consumables and related nutrition content information, and [i.e. list food options and nutrition information] a summary section of past consumption of consumables. [i.e. list past food intake] In other words, program a computer to help people keep track of meals and calorie or vitamin intake. The application for Dynamic Nutrition’s patent was filed on June 11, 2001. 
By that time, computers had been around for decades and there was nothing remotely surprising or innovative about programing a computer to keep track of data—whether it be nutrition data or units shipped or accounts receivable or whatever. Nevertheless, the Patent Office takes an extremely rigid approach to whether or not a patent application is obvious. This means that companies often get patents on common sense ideas (like taking photos against white background or filming a yoga class).  Even leaving aside the issue of obviousness, the claims of the ’863 patent are invalid under the Supreme Court’s Alice v. CLS Bank decision (which struck down patents that merely claim the use of conventional computers to implement an abstract idea). Indeed, the first company to be sued by Dynamic Nutrition, Under Armour, filed a motion to dismiss the case under Alice. Under Armour pointed out that the ’863 patent itself repeatedly emphasizes that its methods can be implemented using any conventional computer or programming language. Given the strength of this argument, it is unsurprising that the litigation settled before Dynamic Nutrition even filed a response. Dynamic Nutrition’s patent is not even the only patent that claims using a computer for routine meal planning. A patent troll called DietGoal sued dozens of companies with a meal planning patent. A court invalidated DietGoal’s patent under Alice because it claimed nothing more than the “conventional and quotidian tasks” of selecting meals. The Federal Circuit affirmed that ruling. The logic of this decision applies straightforwardly to Dynamic Nutrition’s patent claims. We recently launched our Saved By Alice project where we are highlighting cases where companies attacked by stupid software patents were able to use the Alice decision to defend themselves. The Dynamic Nutrition litigation is yet another example of why the Alice ruling is important and how it can protect productive companies from patent trolls.

Internet, Activate! Stand Up for Net Neutrality on July 12 (Fri, 30 Jun 2017)
Two months ago, FCC Chairman Ajit Pai announced his plan to abandon the agency’s commitment to protecting net neutrality. On July 12, let’s give the world a preview of what the Internet will look like if the FCC goes forward with its plan to dismantle open Internet protections. EFF is joining a huge coalition of nonprofits and companies in a day of action standing up for net neutrality. One simple way that organizations, companies, and even individuals can participate is to install our widget. If you’ve installed the widget on your website, then on July 12, visitors will be greeted with an alarming message. This widget will send a clear message to your site’s visitors: giving up protections for net neutrality will give ISPs a frightening amount of control over your Internet experience. All of the instructions for installing our widget are available on GitHub. For more information on the day of action, visit the Battle for the Net website. If you’re worried about large ISPs deciding how you use the Internet, tell the FCC.

Californians: Demand a Vote on Your Broadband Privacy Before the Telecom Lobby Runs Out the Clock (Fri, 30 Jun 2017)
What do they do when they can’t win the vote? Try to Stop a Vote. Right now, politicians in Sacramento are holding up a bill that would restore your broadband privacy rights and directly reject Congress and the Trump Administration’s decision to side with Comcast, AT&T, and Verizon. It is in fact the first bill ready to be enacted into California law that would be a direct response to the latest string of efforts in Washington DC to curb consumer protections in broadband access. A.B. 375 (Chau) would ensure your broadband provider must secure your permission first before selling your personal information to third parties. However, it has been stalled in the Senate Rules Committee – likely due to opposition from major cable and telephone companies. If they are successful at keeping the bill stalled until July 18th, then the bill is dead for the rest of this year. They can’t win at the vote given the overwhelming public opposition to repealing our privacy rights in the first place, which is why this is their strategy. Death by Procedure and Denying the Vote In California, bills must make it past certain policy committees by specific deadlines, or they are dead for the year. But before a bill can be heard in any policy committee, it must be referred out by the Rules Committee in a fairly routine matter of deciding which committees should review and vote on the bill before presentation to the full Assembly and Senate. Two weeks ago, AB375 became eligible to be referred out of the Senate Rules Committee. Assuming normal procedures, advocates expected to testify in support of the bill at a July 3rd hearing. However, the legislation has been mysteriously absent from consideration on the Rules Committee agenda. Two weeks have passed, the Senate Rules Committee has met twice, yet A.B. 375 has not been placed on the agenda, debated, or referred out to any policy committee. This raises significant questions. 
Unless Senate President Pro Tempore Kevin de Leon, who leads the Senate - and chairs the Rules Committee - decides to ignore the pleas of Comcast, AT&T, and Verizon and, instead, follows normal procedural rules and moves the bill forward so it can receive a vote, the telecom lobby will win in arguably the worst way possible - by simply preventing your elected representatives from even voting at all. The Momentum is With Us California is the 20th state to engage in restoring our broadband privacy rights, but it could be the first state to officially make it law by this year. A vast majority of conservative, liberal, and independent voters opposed Congress repealing our broadband privacy rights and naturally they demanded action. Several print publications in California have written positive reviews about AB 375. And the legislation itself has been thoroughly vetted and is ready for enactment. We have until July 18th to push AB 375 to the finish line. Pick up the phone ASAP and make your voice heard!

Don’t Trust in Antitrust Law to Protect Net Neutrality (Fri, 30 Jun 2017)
Back in 2014, we considered many possible ways of protecting net neutrality that would not rely on the FCC, including antitrust law. Unfortunately, U.S. antitrust law is not up to the challenge. Antitrust law is an economic doctrine that gives little if any weight to freedom of expression and other noneconomic values secured by net neutrality. Antitrust law defines harm in terms of higher prices and diminished product quality. If antitrust law deems that a practice is not harmful to competition, it does not matter how much it represses speech, distorts access to knowledge, or intrudes on privacy. Antitrust law has no concept of the "gatekeeper" problem posed by an ISP's control over your conduit to information. There are other reasons why antitrust isn't an effective tool for net neutrality problems. Antitrust law is fundamentally about protecting competition, but the market for broadband is very different than the theoretical ideal contemplated by antitrust law. First, there is very little broadband competition to protect. More than 9 out of 10 Americans live in monopoly or duopoly markets for broadband according to the FCC. Even lower-speed wireless service is available from only a handful of carriers in most places, all of which oppose net neutrality and have pushed the boundaries of the existing Open Internet Order with throttling or pay-to-play zero-rating schemes. Second, broadband service naturally tends towards monopoly. A large incumbent provider that can amass government permissions to use rights-of-way under public streets, on poles and antenna sites, and on the radio spectrum will always be able to offer cheaper service than a new entrant who has to pay to build the infrastructure and obtain new rights-of-way. Combine that with customers' notoriously unreliable access to information about service quality and broadband speeds and the high costs of switching providers, and you have a market that will not be competitive without intervention. 
We got a competitive market for dial-up Internet in the 1990s because phone companies were required to allow other service providers to operate using their infrastructure. We could have that kind of competition again if broadband providers were required to grant similar access. But unless that happens, we will not see meaningful competition of the type that antitrust law is designed to protect. Further, antitrust law has been eviscerated over the past century. Under the new "single entity doctrine," a company can't be accused of illegal collusion with its subsidiary or parent companies, so for example Comcast could make an arrangement to favor NBC-Universal content it owns without much fear from antitrust law. And a pair of Supreme Court decisions in 2004 and 2007 made it much harder to bring antitrust cases against companies in regulated industries, even if the regulations themselves are minimal. The dismal state of competition in broadband should make it obvious that current antitrust law isn't adequate even to protect competition, let alone protecting customers against data discrimination. There are a few types of non-neutral practices that could also rise to the level of antitrust violations, such as an ISP's accepting payments to block competing websites (but accepting payments from businesses to block websites that criticize them would likely get a pass). Title II, the current legal basis for net neutrality protections, is the legal tool that is specifically and narrowly tailored to prevent discrimination by carriers of information. In the past, the FCC has tried to stretch its other authorities to impose net neutrality rules—which alarmed us, since stretching those authorities to achieve something they weren't meant to do would be bad government and accrue too much power to the FCC. Those approaches were defeated in court, while Title II has been upheld. 
Now, opponents of net neutrality urge a return to those dangerous and ineffective approaches, or to antitrust—another legal doctrine designed to do something entirely different from protecting against data discrimination. It's not the right tool for the job. That tool is Title II, and those who care about net neutrality need to defend it.

Five Eyes Unlimited: What A Global Anti-Encryption Regime Could Look Like (Fri, 30 Jun 2017)
This week, the political heads of the intelligence services of Canada, New Zealand, Australia, the United Kingdom, and the United States (the "Five Eyes" alliance) met in Ottawa. The Australian delegation entered the meeting saying publicly that they intended to "thwart the encryption of terrorist messaging." The final communiqué states more diplomatically that "Ministers and Attorneys General [...] noted that encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism. To address these issues, we committed to develop our engagement with communications and technology companies to explore shared solutions." What might their plan be? Is this yet another attempt to ban encryption? A combined effort to compel ISPs and Internet companies to weaken their secure products? At least one leader of a Five Eyes nation has been talking recently about increasing international engagement with technology companies — with a list of laws in her back pocket that are already capable of subverting encryption, and the entire basis of user trust in the Internet. Exporting Britain's Surveillance Regime Before she was elevated to the role of Prime Minister by the fallout from Brexit, Theresa May was the author of the UK's Investigatory Powers bill, which spelled out the UK's plans for mass surveillance in a post-Snowden world. At the unveiling of the bill in 2015, May's officials performed the traditional dance: they stated that they would be looking at controls on encryption, and then stated definitively that their new proposals included "no backdoors". Sure enough, the word "encryption" does not appear in the Investigatory Powers Act (IPA). That's because it is written so broadly it doesn't need to. We've covered the IPA before at EFF, but it's worth re-emphasizing some of the powers it grants the British government. 
Any "communications service provider" can be served with a secret warrant, signed by the Home Secretary. Communications service provider is interpreted extremely broadly to include ISPs, social media platforms, mail services and other messaging services. That warrant can describe a set of people or organizations that the government wants to spy upon. It can require tech companies to insert malware onto their users' computers, re-engineer their own technology, or use their networks to interfere with any other system. The warrant explicitly allows those companies to violate any other laws in complying with the warrant. Beyond particular warrants, private tech companies operating in the United Kingdom also have to respond to "technical capability notices" which will require them "To provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form," as well as permit targeted and mass surveillance and government hacking. Tech companies also have to provide the UK government with new product designs in advance, so that the government can have time to require new "technical capabilities" before they are available to customers. These capabilities alone already go far beyond the Nineties' dreams of a blanket ban on crypto. Under the IPA, the UK claims the theoretical ability to order a company like Apple or Facebook to remove secure communication features from their products—while being simultaneously prohibited from telling the public about it. Companies could be prohibited from fixing existing vulnerabilities, or required to introduce new ones in forthcoming products. Even incidental users of communication tech could be commandeered to become spies in Her Majesty's Secret Service: those same powers also allow the UK to, say, instruct a chain of coffee shops to use its free WiFi service to deploy British malware on its customers. 
(And, yes, coffee shops are given by officials as a valid example of a "communications service provider.") Wouldn't companies push back against such demands? Possibly: but it's a much harder fight to win if it's not just the UK making the demand, but an international coalition of governments putting pressure on them to obey the same powers. This, it seems, is what May's government wants next. The Lowest Common Privacy Denominator Since the IPA passed, May has repeatedly declared her intent to create an international agreement on "regulating cyberspace". The difficulty of enforcing many of the theoretical powers of the IPA makes this particularly pressing. The IPA includes language that makes it clear that the UK expects foreign companies to comply with its secret warrants. Realistically, it's far harder for UK law enforcement to get non-UK technology companies to act as their personal hacking teams. That's one reason why May's government has talked up the IPA as a "global gold standard" for surveillance, and one that they hope other countries will adopt. In venues like the Five Eyes meeting, we can expect Britain to advocate for others to adopt IPA-like powers. In that, they will certainly be joined by Australia, whose Prime Minister Malcolm Turnbull recently complained in the Australian Parliament that so many tech companies "are based in the United States where a strong libertarian tradition resists Government access to private communications, as the FBI found when Apple would not help unlock the iPhone of the dead San Bernardino terrorist." Turnbull, it seems, would be happy to adopt the compulsory compliance model of the United Kingdom (as, he implied at the time of the Apple case, would President Trump). In the meantime, the British authorities can encourage an intermediary step: other governments may be more likely to offer support for an IPA regime if Britain offers to share the results of its new powers with them. 
Such information-sharing agreements are the raison d'être of the Five Eyes alliance, which began as a program to co-ordinate intelligence operations between the Anglo-American countries. That the debate over encryption is now taking place in a forum originally dedicated to intelligence matters is an indicator that the states still see extracting private communications as an intelligence matter. But hacking and the subversion of tech companies isn't just for spies anymore. The British Act explicitly granted these abilities to conduct "equipment interference" to more than just GCHQ and Britain's other intelligence agencies. Hacking and secret warrants can now be used by, among others, the civilian police force, inland revenue and border controls. The secrecy and dirty tricks that used to be reserved for fighting agents of foreign powers are now available for use against a wide range of potential suspects. With the Investigatory Powers Bill, the United Kingdom is now a country empowered with blunt tools of surveillance that have no comparison in U.S. or any other countries' law. But, along with its Five Eyes partners, it is also seen as a moderate, liberal democracy, able to be trusted with access and sharing of confidential data. Similarly, Australia is one of the few countries in the world (and the only one of the Five) to legally compel ISPs to log data on their users. Canada conducts the same meta-data surveillance projects as the United States; New Zealand contributes its mass surveillance data to the shared XKEYSCORE project. While such data-sharing may be business as usual for the Cold War spies, the risks of such unchecked co-operation have been barely considered by the judicial and legislative branches. In the world of law enforcement, the UK has for the last year conducted a sustained lobbying campaign in the United States Congress to grant its police forces fast-track access to American tech companies' communications data. 
The UK would be permitted to seize the contents of Google, Facebook and other companies' customers' inboxes without a U.S. court warrant. In return, the U.S. would gain a reciprocal capability over data held in the U.K. The danger is that, by forging broad agreements between these five countries, all will end up taking advantage of the lowest privacy standards of each. The United Kingdom will become the source of data obtained through the Investigatory Powers Bill; the United States will launder data taken from UPSTREAM and other programs through the United Kingdom's legal system, and so on. Secret "Five Eyes" is not the venue for deciding on the future of global surveillance. Intelligence agencies and their secret alliances are no model for oversight and control of the much broader surveillance now being conducted on billions of innocent users of the public Internet. The Investigatory Powers Bill is no "gold standard." Britain's radical new powers shouldn't be exported via the Five Eyes, either through law, or through data-sharing agreements conducted without judicial or legislative oversight.

McMansion Hell Responds to Zillow’s Unfounded Legal Claims (Thu, 29 Jun 2017)
Update 5:00pm: Zillow has released a statement saying the company has "decided against moving forward with legal action." EFF is pleased that Zillow has withdrawn its threat and won't be seeking to take down any of the posts on McMansion Hell. We hope that other companies seeking to shut down humor, criticism, and parody online see this as a cautionary tale and avoid sending threats in the first place. Earlier this week, Zillow sent an aggressive cease and desist letter [PDF] to Kate Wagner, the creator of the McMansion Hell website. Zillow demanded that Wagner remove any image originally sourced from Zillow’s site. Today EFF sent a response to Zillow on Wagner’s behalf. Our letter [PDF] explains why none of Zillow’s contentions have any merit. Zillow should abandon its demand and respect online freedom of expression.  McMansion Hell is an architecture blog focused on contemporary residential housing. Using humor and parody, Wagner tries to illustrate the architectural horror of modern McMansions. Her posts usually include annotated photographs of houses to illustrate her commentary. In addition to posts critiquing individual homes, Wagner publishes essays about urbanism, architecture, sociology, and interior design. After receiving Zillow’s threat, Wagner temporarily disabled access to her blog via McMansionHell.com. She is relaunching the blog in full today. Zillow’s demand letter made a number of highly dubious legal claims. For example, Zillow argued that Wagner does not make fair use of the photographs she annotates. Importantly, Zillow does not own, and cannot assert, the copyright in these photos. But even if it could, McMansion Hell’s annotation of photographs for the purpose of criticism and commentary is a classic example of fair use. Zillow also suggested, without any explanation, that Wagner may have violated the Computer Fraud and Abuse Act (CFAA). 
EFF has long fought against overbroad applications of the CFAA, which is the federal anti-hacking statute intended to criminalize unauthorized intrusions into computer networks. There is no basis for a CFAA claim against Wagner. To the extent Zillow was suggesting that she might have violated the CFAA by violating Zillow’s terms of service, courts have repeatedly rejected such claims. In subsequent comments to the media and in a conversation with EFF, Zillow has suggested that its fundamental complaint is based on its terms of use, which purport to prohibit any reproduction or modification of images on its site. But, even if these provisions applied (which they do not), they are unenforceable for the many reasons we outline in our letter. For example, the recently enacted Consumer Review Fairness Act of 2016 invalidates any contract that restricts a consumer’s ability to review a product or service. The statute expressly protects “pictorial reviews” and covers McMansion Hell. Zillow’s letter unleashed a wave of negative publicity for the company. In response, Zillow has insisted that it did not intend to shut down Wagner’s blog. However, it does appear to be standing by its demand that she remove all images sourced from Zillow’s website. Zillow has no basis for such a demand and our client will not be removing any previous posts. She has informed Zillow, however, that she is not interested in using its site for her blog in the future. We hope Zillow does the right thing and renounces its attempt to censor McMansion Hell.

Copyright Office Proposes Modest Fixes to DMCA 1201, Leaves Fundamental Flaws Untouched (Thu, 29 Jun 2017)
The U.S. Copyright Office just released a long-awaited report about Section 1201, the law that bans circumventing digital restrictions on copyrighted works. Despite years of evidence that the social costs of the law far outweigh any benefits, the Copyright Office is mostly happy with the law as it is. The Office does recommend that Congress enact some narrow reforms aimed at protecting security research, repair activities, and access for people with disabilities. We’re sorry the Office didn’t take a stronger stance. Section 1201, part of the Digital Millennium Copyright Act, makes it illegal to circumvent any “technological protection measure” (often called DRM) that controls access to copyrighted works. It also bans the manufacture and sale of tools to circumvent those digital locks. Although it was pitched as a new legal protection for copyright holders to prevent infringement, the law has given major entertainment companies and other copyright owners lots of control over non-infringing uses of technology, allowing them to lock out competition in repair and re-sale businesses, and to threaten and silence security researchers. The law has some exceptions, but they are far too narrow and complicated. Those flaws are one reason EFF is challenging Section 1201 in court on behalf of researcher Matthew Green and technologist Andrew “bunnie” Huang. In the lawsuit, filed last year, we explain why Section 1201 is an unlawful restraint on speech and ask the court to strike the law down. Congress has also considered several fixes to the law over the last few years, ranging from comprehensive fixes to smaller corrections. Meanwhile, after the last rulemaking, the Copyright Office asked for public comments and held hearings about Section 1201, leading to the report released on Thursday. In the report, the Copyright Office announces its belief that “the statute’s overall structure and scope . . . 
remains sound.” The Office also believes that bypassing access controls can violate Section 1201 even when the purpose of the circumvention has nothing to do with copyright infringement. Federal appeals courts are sharply divided on this question, and the Copyright Office seems to be putting its thumb on the scales in favor of rightsholder control and against freedom of expression and innovation. If a Section 1201 violation can happen without any connection to copyright infringement, then Section 1201 gives copyright holders (and DRM vendors) vast control over technology users, beyond what copyright law already gave them. According to the Copyright Office’s interpretation, Section 1201 gives copyright holders “control over the terms of access to their works online.” That means that by wrapping software, music, games, video, or text in a layer of DRM, copyright holders gain the ability to dictate when, where, and how we can use those things, and the technology we can use to interact with them. And it means that copyright holders can nullify the public’s fair use rights. The Copyright Office’s approach here is the wrong approach, and it deepens the law’s constitutional problems. The report is also notable for what it doesn’t contain: any evidence that we need a ban on circumventing digital locks in the first place. The report points out that “explosive growth in legitimate digital content delivery services” happened “after the enactment of Section 1201,” but it doesn’t attempt to show that the law was what caused that growth. It also mentions a statement by a Senate committee in 1998, that “copyright owners will hesitate to make their works readily available on the Internet without reasonable assurance that they will be protected against massive piracy.” Today, of course, the Internet contains many lifetimes worth of amazing creative work of all kinds, made available by creatives without any DRM, so that prediction did not come true. 
The report doesn’t cite any studies or data showing that Section 1201 has been beneficial to creativity or the digital economy. And the only experts it cites to are entertainment companies with an interest in keeping the control that 1201 provides them, and the same members of Congress who requested the report in the first place—hardly a convincing case. The report does make some recommendations for fixing the law, including new and expanded exceptions to the ban on circumvention. The Copyright Office recommends that Congress expand the permanent exemptions for security testing and encryption research, by removing or mitigating restrictions in those exemptions that have made those exemptions too uncertain for many in the computer security community to rely on. The report also recommends a new permanent exemption for assistive technologies for people with disabilities. That change is overdue, as advocates for print-disabled people have had to request exemptions for screen-reading and other assistive technologies every three years for nearly two decades. In the last rulemaking cycle, EFF and other organizations requested exemptions covering maintenance, repair, and modification of software. One of the unfortunate effects of Section 1201 in recent years has been to cast a cloud of legal uncertainty over repair businesses ranging from cars to smartphones, and to block the re-use of devices like phone handsets and printer cartridges. The Copyright Office report recommends a new permanent exemption covering “diagnosis, maintenance, repair, and obsolescence” activities, not limited to any specific technologies. That would be a positive step. But the report rejects an exemption for modifying software for other reasons, such as to improve or customize the software. That’s a problem, because those activities are largely legal and beneficial, aside from the legal risk created by Section 1201. 
Finally, the report offers some fixes to the rulemaking process for temporary exemptions that happens every three years. Notably, the Copyright Office will offer a way to renew exemptions from previous cycles with what they claim will be minimal time and expense. We’re expecting the Copyright Office to begin a new rulemaking cycle soon, so we’ll get to see how well this works in practice and whether they are able to make the process less expensive. In several places in the report, the Copyright Office offers to try to make temporary exemptions broader and more useful to the populations they affect. We’ll be holding them to that. However, the Copyright Office still insists that it should be unlawful for anyone to distribute tools to allow beneficiaries of rulemaking exemptions to take advantage of the exemption, because “it would be impossible to control” subsequent uses of such tools. The real, proven need for circumvention has to take a back seat to the hypothetical scenario where the beneficiary then decides to infringe. It’s too bad the Copyright Office won’t address the fundamental flaws of Section 1201, especially given the multitude of problems that the report acknowledges. A simple, comprehensive fix like the Unlocking Technology Act introduced by Rep. Zoe Lofgren would solve many of the problems that Section 1201 causes for security professionals, tinkerers, people with disabilities, repair and resale businesses, teachers, students, libraries, and many others. A piecemeal approach will solve just a few of the current problems, at the cost of ever more complexity and a continuing demand for massive public interest resources to make the exemption process work. Congress, or the courts, should do more. Related Cases:  2015 DMCA Rulemaking

Let's Encrypt Has Issued 100 Million Certificates (Wed, 28 Jun 2017)
This evening, the Let's Encrypt certificate authority issued its hundred millionth digital certificate. This is a remarkable milestone in just a year and a half of public operation; Let's Encrypt is likely now either the largest or second-largest public CA by volume of certificates issued. Let's Encrypt was created by Mozilla, the University of Michigan, and EFF, with Cisco and Akamai as founding sponsors, and is operated by the Internet Security Research Group, a non-profit organization. (See also the thoughts of Josh Aas, ISRG's executive director, on reaching this milestone.) Free certificates from Let's Encrypt allow web sites to offer secure HTTPS connections to their users, protecting the privacy and security of those connections against many network-based threats. EFF continues to help develop the Boulder software that Let's Encrypt uses internally, as well as Certbot, Let's Encrypt's recommended software for obtaining and installing certificates on web servers. For various reasons, the hundred-million mark does not mean that a hundred million different sites use Let's Encrypt certificates[1]. The number of web sites protected by Let's Encrypt is probably between 17 million and 46 million, depending on what definition of a "web site" we use[2]. It's hard to say with certainty whether Let's Encrypt has issued the largest number of certificates because CAs are not currently required to disclose the certificates they issue, but Let's Encrypt does so voluntarily. And the number of sites protected by Let's Encrypt will continue to grow rapidly as more and more hosting providers and server software offer convenient Let's Encrypt support to help bring HTTPS to sites that didn't have it before. We're extremely proud of the contribution that we've made and continue to make in making the web safer for its users. We'd also like to acknowledge Let's Encrypt's awesome operations team, which has kept a popular high-security service working and growing to meet demand, including at times when over a million certificates were issued in a single day.
[1] Let's Encrypt certificates expire and must be replaced after 90 days; multiple certificates may be issued for the same web site during the same time period; certificates can protect Internet services other than web sites; and not all certificates that have been issued actually get used or remain in use for the lifetime of the certificate.
[2] For example, do we count https://www.google.com/, https://google.com/, and https://images.google.com/, as one, two, or three web sites?