Deeplinks

EFF Launches Community Security Training Series (Sat, 25 Mar 2017)
EFF is pleased to announce a series of community security trainings in partnership with the San Francisco Public Library. High-profile data breaches and hard-fought battles against unlawful mass surveillance programs underscore that the public needs practical information about online security. We know more about potential threats each day, but we also know that encryption works and can help thwart digital spying. Lack of knowledge about best practices puts individuals at risk, so EFF will bring lessons from its comprehensive Surveillance Self-Defense guide to the SFPL. EFF has tailored this series for technology beginners who may be unaware of potential privacy dangers, but already use smart phones or computers. Library patrons are invited to bring their devices to EFF's introductory classes which include discussions of basic online security concepts and privacy tools. Lisa Wright and Willie Theaker, members of EFF's TechOps Team, will facilitate Digital Privacy and Security: A Beginner-to-Intermediate Workshop followed by Encryption Apps for your Phone: An Intermediate Workshop. There will be two opportunities to attend each class.

Digital Privacy and Security: A Beginner-to-Intermediate Workshop, Tuesday, March 28, 2017, 6:00 pm to 7:30 pm
Encryption Apps for your Phone: An Intermediate Workshop, Tuesday, April 4, 2017, 6:00 pm to 7:30 pm
Digital Privacy and Security: A Beginner-to-Intermediate Workshop, Tuesday, April 11, 2017, 6:00 pm to 7:30 pm
Encryption Apps for your Phone: An Intermediate Workshop, Tuesday, April 18, 2017, 6:00 pm to 7:30 pm

Event details are included in each link to the EFF calendar above. Space is limited and attendance is on a first-come, first-served basis so attendees should prepare to arrive early. We encourage all EFF supporters to help people in their circles learn more about online rights issues and how to keep themselves—and each other—safer.
At the end of April, EFF's spring Bay Area Members' Speakeasy will feature a more advanced workshop on email encryption and key generation open to EFF members and their guests—we encourage you to bring a friend! Following the workshop, all EFF members will be invited to join our PGP keysigning party to help bring the community together and further expand the web of trust. If you are a current Bay Area member accepting email, you will receive a personal invitation including event details. Not a member yet? Join today! With the Surveillance Self-Defense project and these local events, EFF strives to help make information about online security accessible to beginners as well as seasoned techno-activists and journalists. We hope you will consider our tips on how to protect your digital privacy, but we also hope you will encourage those around you to learn more and make better choices with technology. After all, privacy is a team sport and everyone wins.

Another Loss For Broadcast TV Streaming, And A Dangerous Shift Of Decision-Making Power (Fri, 24 Mar 2017)
Another court has ruled that streaming local broadcast TV channels to mobile devices is something that only traditional pay-TV companies can do—startups need not apply. The Ninth Circuit appeals court has ruled that FilmOn, an Internet video service, cannot use the license created by Congress for “secondary transmissions” of over-the-air TV broadcasts. That likely means that FilmOn and other Internet-based services won’t be able to stream broadcast TV at all. That’s a setback for local TV and the news, weather, local advertising, and community programming it carries. The court’s harmful ruling is bad enough, and is made worse by the way it arrived at that decision. Instead of interpreting the Copyright Act according to its own independent judgment, the court deferred to the opinion of the Register of Copyrights, an official who has no authority to make or interpret laws on her own. And the Register has often acted as more of an advocate for the media and entertainment industries than a neutral authority. Ms. Pallante, the former Register, famously said that “copyright is for the author first and the nation second,” and has gone on to become the head of a trade association for publishers.

Can startups take advantage of the law that allows incumbent pay-TV services to carry broadcast TV?

The fight to send broadcast TV over the Internet has been a long one. For most people in the U.S., it’s hard if not impossible to watch local TV stations live over the Internet. Unlike other forms of video programming that are available in many different ways, local broadcasts usually require a TV set and a finicky antenna or an expensive cable subscription. Of course, the technology to send local broadcast TV to Internet-connected devices has been around for a while. Copyright law, not technology, has been the barrier. Copyright applies when shows are transmitted “to the public.” That means cable operators need licenses from copyright holders.
And since the Supreme Court’s Aereo decision, Internet-based services that “look like cable” to the customer also need licenses. The major difficulty is that the programs, commercials, and other material shown on TV channels have many different copyright holders. A service that wants to help viewers see those channels in more places and on more devices is faced with the difficult (in fact, often impossible) task of negotiating a license with each and every one of those owners before their material goes on the air. Fail to license even a single program or commercial and the would-be cable competitor risks lawsuits and ruinous copyright penalties. But copyright law also includes a way for pay-TV systems to get the permissions they need by paying a set fee. That mechanism, known as Section 111, applies to any “facility” that “receives signals” from broadcast TV stations and “makes secondary transmissions” of those signals to paying subscribers. The law was passed long before Internet video streaming, but its core definition of a “cable system” is written broadly enough to include an Internet-based system like FilmOn’s.

Nope, because that law is unclear and the Register of Copyrights said it shouldn’t apply.

Major TV and movie studios have long opposed letting Internet-based services use the Section 111 license, and so did Maria Pallante, who was the Register of Copyrights (the head of the Copyright Office) until 2016. She wrote several letters and papers arguing that only traditional cable systems should be able to use the license. In the studios’ case against FilmOn, one of several they filed around the country, the federal district court in Los Angeles ruled that Congress wrote Section 111 broadly enough to include Internet-based services. This week, the Ninth Circuit reversed that decision.
The court recognized that applying a complex 41-year-old law to today’s technology is not straightforward: “FilmOn and other Internet-based retransmission services are neither clearly eligible nor clearly ineligible for the compulsory license [Section] 111 makes available to ‘cable systems.’” At this point, the court could have grappled with the purposes of the law, its legislative history, and its effects on the TV market to reach a result. But it didn’t do this in any significant way. Instead, it “deferred” to the Register of Copyrights and treated her opinions on this question as the final word. The judges wrote that the Copyright Office “has a much more intimate relationship with Congress and is institutionally better equipped than we are to sift through and to make sense of the vast and heterogeneous expanse that is the [Copyright] Act’s legislative history.” That’s a troubling conclusion. While the Copyright Office staff might be more familiar with this area of law than a federal judge, the Office doesn’t have the authority to make or interpret laws. Treating the Register of Copyrights’ opinions about the law as binding invades both Congress’s power to make laws and the courts’ role as interpreters of the law. While the Copyright Office serves important functions, including registering copyrights and keeping records of them, and growing the Library of Congress’s collection, it shouldn’t be given the powers of a court to issue binding interpretations of the law. This decision leaves streaming services for broadcast TV in a double bind: they need to get permission from rightsholders, but they can’t get that permission using the streamlined method that Congress created. In practical terms, that means traditional pay-TV systems can retransmit broadcast TV to paying subscribers, but newer competitors that use streaming can’t.
Protected against competition from streaming technology, cable subscription prices continue to climb, and broadcast TV continues to diminish as a source of local information and opinion.

Related Cases: WNET v. Aereo, Fox v. Aereokiller

Australia Stalls Copyright Safe Harbor Proposal (Fri, 24 Mar 2017)
Copyright safe harbors for Internet intermediaries are under attack from Big Media both in the United States and in Europe. Laying the blame for falling revenues on platforms such as YouTube and Facebook (despite the fact that revenues aren't actually falling at all), their aim is to impose new controls over how these platforms allow you to access and share content online. The control at the top of their wish-list is a compulsory upload filter that would automatically screen everything that you upload. Such a requirement would be a costly imposition on smaller platforms and new innovators, and provide governments with a ready-built infrastructure for content censorship. In Australia, the situation is a little different—because, due to an oversight in implementation of the original U.S.-Australia Free Trade Agreement in 2005, they never had a copyright safe harbor system to begin with; or rather, a much narrower one which only applies to ISPs, but not to other Internet platforms, nor even to other Internet access providers such as libraries and educational institutions. This oversight was due to be remedied with the passage of new amendments to Australia's Copyright Act. (The TPP, had it passed, would also have required Australia to bring in this reform.) Unfortunately pressure from copyright holders, including a well-orchestrated astroturf campaign, put the kibosh on that this week, when the safe harbor reforms were dropped from the copyright amendment Bill. What does this mean in practice? Essentially it translates into a huge potential legal liability for Internet platforms that allow users to upload content. Because they don't have any protection from liability for user content that infringes copyright, there is the risk that their services could be characterised by a court as inducing or contributing to copyright infringement, much in the same way that file sharing software was accused of doing so in a rash of U.S. lawsuits in the early 2000s.
While much of that file sharing software was driven into extinction, the same fate did not befall America's user generated content websites. This wasn't for lack of trying by Big Media. In the Viacom v. YouTube case, they argued that YouTube was liable for copyright infringements in the videos that its users uploaded. Thanks to the DMCA safe harbor Viacom lost the case (though an appeal was later settled), and to this day websites in the U.S. remain entitled to allow users to upload content of their choice, without taking on advance responsibility for the copyright status of that content. Instead, if a copyright infringement is alleged, the copyright holder issues a takedown notice to the website, which will remove it and leave the next steps up to the user and the copyright holder. In Australia, a similar case might be decided differently, and content sharing platforms could be shut down in the absence of an adequate safe harbor protection. This leaves platforms with the stark choice to run the risk of being required to pay enormous penalties to copyright holders, or preemptively enter into agreements with copyright holders to pay license fees for all user uploaded content, or exit the Australian market altogether. In short, Australian online innovators face a lot more risk and uncertainty for as long as they lack adequate copyright safe harbor protection. Australia had the opportunity to bring its laws into line with equivalent laws from the U.S. and Europe, and international standards as encapsulated in the Manila Principles on Intermediary Liability. This week, it squandered that opportunity by sending the proposal back to the drawing board, and it's Australian innovators, libraries, educational institutions, and their users who will suffer. We urge the Australian government to look beyond the copyright lobby to the broad sectors of Australian society who have expressed support for this important reform, and to reintroduce it at the earliest opportunity.

House Schedules Vote on Eliminating Consumer Online Privacy Rights Next Week (Fri, 24 Mar 2017)
Majority Leader McCarthy Confirms House to Immediately Act on Behalf of the Cable and Telephone Industry Following the Senate Vote

Yesterday, the U.S. Senate by a razor thin margin of 50 to 48 voted to take away the privacy rights of Internet users as a favor to the cable and telephone industry. Now the House is planning to take up the legislation immediately next week before people can discover the damage they are about to inflict on consumer privacy online.

These Are Our Legal Rights To Privacy They Are Dismantling

Americans have enjoyed a legal right to privacy from your communications provider under Section 222 of the Telecommunications Act for more than twenty years. When Congress made that law, it had a straightforward vision in how it wanted the dominant communications network (at that time the telephone company) to treat your data, recognizing that you are forced to share personal information in order to utilize the service and did not have workable alternatives.

Congress has begun to reverse course by eliminating your communication privacy protections in order to open the door for the cable and telephone industry to aggressively monetize your personal information. Proponents of such a drastic course change in law would have you believe that a repeal of the Federal Communications Commission's updated privacy rules for broadband providers would still leave your privacy protections intact. This understates the gravity of what H.J. Res. 86 and S.J. Res. 34 may do to consumer privacy. Make no mistake, if Congress decides to codify a repeal of consumer privacy under the Congressional Review Act (as opposed to simply amending the law or the FCC changing the privacy rules again), it can have a serious impact on your legal right to privacy in your communications over broadband.
Proponents of eliminating consumer privacy will go even further and say that it is the FCC's fault that they must harm the legal protections you have enjoyed for more than twenty years by stating it was the agency that overreached its legal authority and acted in a manner that was unconnected with the law. But when Congress actually wrote the law, the charge it gave the FCC seemed fairly clear. The Senate Commerce Committee, for example, expressed a clear intent of specific legal obligations for the communications provider by stating the following:

“In general, a Bell company may not share with anyone customer-specific proprietary information without the consent of the person to whom it relates. Exceptions to this general rule permit disclosure in response to a court order or to initiate, render, bill and collect for telecommunications services.”

The House Commerce Committee in their own report indicated a similar line of thinking:

“This section defines three fundamental principles to protect all consumers. These principles are: (1) the right of consumers to know the specific information that is being collected about them; (2) the right of consumers to have proper notice that such information is being used for other purposes; and (3) the right of consumers to stop the reuse or sale of that information.”

In essence, the FCC has done the job Congress told it to do many years ago. However, the cable and telephone industry have sensed an opportunity to exploit the flurry of repeals Congress has taken up and laid out a series of misleading arguments to convince Congress to proactively do harm to your privacy. They were successful at convincing 50 U.S. Senators to go along with their plan. Now the fight has moved to the House of Representatives. There is only one way to stop them from winning. We must speak up and call our elected officials to reject H.J. Res. 86 and S.J. Res. 34 and preserve our legal rights to consumer online privacy.

Senate Puts ISP Profits Over Your Privacy (Thu, 23 Mar 2017)
The Senate just voted to roll back your online privacy protections. Speak up now to keep the House from doing the same thing. ISPs have been lobbying for weeks to get lawmakers to repeal the FCC’s rules that stand between them and using even creepier ways to track and profit off of your every move online. Republicans in the Senate just voted 50-48 (with two absent votes) to approve a Congressional Review Action resolution from Sen. Jeff Flake which—if it makes it through the House—would not only roll back the FCC’s rules but also prevent the FCC from writing similar rules in the future. That would be a crushing loss for online privacy. ISPs act as gatekeepers to the Internet, giving them incredible access to records of what you do online. They shouldn’t be able to profit off of the information about what you search for, read about, purchase, and more without your consent. We can still kill this in the House: call your lawmakers today and tell them to protect your privacy from your ISP.

The Bill of Rights at The Border: The First Amendment and the Right to Anonymous Speech (Thu, 23 Mar 2017)
The U.S. border has been thrown into the spotlight these last few months, with border agents detaining travelers for hours, demanding travelers unlock devices, and even demanding passwords and social media handles as a prerequisite for certain travelers entering the country. As the U.S. government issues a dizzying array of new rules and regulations, people in the U.S. and abroad are asking: are there meaningful constitutional limits on the ability of border agents to seize and search the data on your electronic devices and in the cloud? The answer is: Yes. As we’ll explain in a series of posts on the Bill of Rights at the border and discuss in detail in our border search guide, border agents and their activities are not exempt from constitutional scrutiny. In this first post, we’ll focus on the First Amendment. The First Amendment is meant to safeguard five fundamental rights: speech, assembly, religion, press, and petition to the government for redress of grievances. The First Amendment also protects the right to exercise these basic rights anonymously because, as Supreme Court Justice John Paul Stevens wrote:

“Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.”

But when border agents scrutinize the massive volume of sensitive information in our digital devices or in the cloud, they infringe on First Amendment rights in at least four distinct ways. First, device searches may reveal your social media profile handles – inclusive of pseudonymous accounts. This allows border agents to match those handles to your passport identity, which effectively unmasks you and prevents you from being able to speak anonymously online. The same is true if you comply with an agent’s demand that you tell them your social media handles.
Second, device searches may also chill your ability to associate with an expressive institution anonymously, like a political group. Border agents can use a device search or knowledge of your social media handles to unearth a variety of private associational ties that can be mapped and harvested for more personal information and connections. What is worse, the investigation may intrude upon your contacts’ privacy as well as your own. Third, requiring you to let CBP review your web-browsing history violates your right to access and receive information anonymously. This intrusion also occurs when CBP scrutinizes your shopping histories to reveal your private decisions to acquire expressive materials, such as books and movies. Finally, requiring journalists to unlock devices that contain confidential journalistic sources and work product inhibits their ability to shield the identity of their sources and undermines the integrity and independence of the newsgathering process. Border searches of our digital devices and cloud data thus implicate core free speech rights. Therefore, border agents should at least be required to obtain a warrant supported by probable cause before any such search of our private digital information. Indeed, the First Amendment requires even more. For example, when police officers demand purchasing records from booksellers (implicating the right to access information anonymously), the First Amendment requires not only probable cause, but a compelling need, the exhaustion of less restrictive investigative methods, and a substantial nexus between the information sought and the investigation. Given that a digital device search is far more invasive upon First Amendment rights than disclosure of what books a person buys at a single bookseller, border agents should be required to do the same. And the government should take special care with respect to journalists. 
The Privacy Protection Act prohibits the government from searching or seizing a journalist’s materials without probable cause that the journalist has committed a crime. While the statute exempts border searches for the purpose of enforcing the customs laws, it does not exempt border searches for other purposes, such as a criminal investigation. Unfortunately, so far, courts have refused to recognize the free speech implications of digital border searches. But we hope and expect that will change as courts are forced to weigh the increasing amount of sensitive information easily accessible on our devices and in the cloud, and the increasing frequency and scope of border searches of this information. Without First Amendment protections at the border, the threat of self-censorship looms large. Travelers faced with the risk of border agent intrusion into such sensitive data are more prone to self-censorship when expressing themselves, when considering private membership in political groups, or when deciding whether to access certain reading or media material. This is especially true for people who belong to unpopular groups, who espouse unpopular opinions, or who read unpopular books or view unpopular movies. Likewise, confidential sources that provide invaluable information to the public about government or corporate malfeasance may refrain from whistleblowing if they fear journalists cannot protect their identities during border crossings. This is why EFF is calling for stronger Constitutional protection of your digital information and urging people to contact Congress on this issue today. We’re also collecting stories of border search abuses at: borders@eff.org

The good news is there’s a lot you can do at the border to protect your digital privacy. Take the time to review our pocket guides on Knowing Your Rights and Protecting your Digital Data at the border.
And for a deeper dive into these issues, take a look at our Border Search Guide on protecting the data on your devices and in the cloud.

Call Your Senators Thursday Morning to Save Your Privacy (Wed, 22 Mar 2017)
Congress is getting serious about taking away your online privacy. We have to get serious about stopping them. The Senate is going to vote on Thursday on a measure from Sen. Jeff Flake that would repeal the broadband privacy rules passed by the FCC last year. According to at least one of the measure’s co-sponsors, it will likely have the votes it needs to pass in the Senate unless we take action right now. Those rules were a huge win for consumers, and—if Congress doesn’t get in the way—they’ll protect Internet users from creepy tracking by their ISPs when they go into effect later this year. As we’ve argued, repealing the FCC’s privacy rules is a bad move for consumers. If Congress repeals the rules, your ISP will be able to sell records about what you look at, what you purchase, and who you talk to online. The FCC may not be able to write new privacy rules, and, because of the current legal landscape, it’s not clear that any federal agency would be able to step in and protect consumers when ISPs violate their privacy. Now is the time to act. Call your lawmakers and tell them to oppose the resolution to repeal the FCC’s privacy rules.

Know About Digital Devices Searches in California Schools? Send a Report to EFF. (Wed, 22 Mar 2017)
Here in California, we’re in a tough battle over how and when the government can search through the digital devices of teachers and students. A terrible proposal—A.B. 165—seeks to strip over 6 million Californians of privacy safeguards baked into our state laws, giving the government a loophole to rifle through personal digital devices in schools without a warrant issued by a judge. We’re looking for individuals in California’s public schools who can report on experiences with digital device searches. Are you a student who had a school administrator search your device without your consent? Are you a parent whose son or daughter was punished because of data found on their device? Are you a teacher who has seen or been part of questionable searches in the school context? We want to hear about it.

Types of stories that would be especially useful for us:

Examples in which digital device searches may have violated existing California law and resulted in negative consequences (embarrassment, administrative action, criminal investigation) for students or teachers;
Examples in which digital device searches in schools exposed sensitive details about students, teachers, or their families, including medical concerns, immigration status, economic status, sexual orientation, or political speech;
Other examples of digital device searches in California schools that you found concerning.

Please report stories using our survey and share this request with your friends. A.B. 165 is currently scheduled for a hearing before the Assembly Committee on Privacy and Consumer Protection on April 18. That means that right now is a very important time to make sure all our California legislators hear us. Please speak out now against A.B. 165. Not in California? You can still make a difference. Please reach out to your friends in California and ask them to speak out, and please share this blog post on social media. Read more about how A.B. 165 will impact privacy in California and could be the first step toward rolling back privacy protections for other communities.

Consumers Press the USTR Nominee on Trade Transparency (Wed, 22 Mar 2017)
Even before U.S. Trade Representative (USTR) nominee Robert Lighthizer takes office, he’s already feeling the heat from Congress and from public interest representatives about improving transparency and public access to trade negotiations. In written answers given as part of Lighthizer’s confirmation hearing last week, Senator Ron Wyden asked him, “What specific steps will you take to improve transparency and consultations with the public?”. Lighthizer’s reply (which he repeated in similar form in response to similar questions from other Senators) was as follows: If confirmed, I will ensure that USTR follows the TPA [Trade Promotion Authority, aka. Fast Track] requirements related to transparency in any potential trade agreement negotiation. I will also look forward to discussing with you ways to ensure that USTR fully understands and takes into account the views of a broad cross-section of stakeholders, including labor, environmental organizations, and public health groups, during the course of any trade negotiation. My view is that we can do more in this area to ensure that as we formulate and execute our trade policy, we receive fulsome input and have a broad and vigorous dialogue with the full range of stakeholders in our country. Senator Maria Cantwell sought to drill down into more specifics, by having Lighthizer address the skewed Trade Advisory Committees that currently advise the USTR. In response to her question: Do you agree that it is problematic for a select group of primarily corporate elites to have special access to shape US trade proposals that are not generally available to American workers and those impacted by our flawed trade deals? Lighthizer replied: It is important that USTR’s Trade Advisory Committees represent all types of stakeholders to ensure that USTR benefits fully from a diverse set of viewpoints in considering the positions it takes in negotiations. 
If confirmed, I will work to ensure that USTR’s Trade Advisory Committees are appropriately constituted in order to achieve this goal. Cantwell also invited Lighthizer to commit to replacing the advisory system with a new process that invites the American public to help shape U.S. proposals for trade agreements and give input on negotiated texts, as well as to having all proposals and negotiated texts published online in a timely fashion so the workers and the broader public that will be impacted by these agreements have a full understanding of what is being negotiated. He declined to do so, going only so far as to say that he would look forward to discussing “additional means for ensuring public input into U.S. trade negotiations”, as well as “ways to ensure that USTR fully understands and takes into account the views of all stakeholders during the course of a trade negotiation”. This rather vague commitment certainly doesn’t close the door on the administration adopting the kind of reforms that EFF has demanded, but it also suggests that we will have to continue fighting hard for them to avoid yet another cop-out by the agency. Trans-Atlantic Consumer Groups Speak Out Thankfully, we’re not alone in that fight. EFF has just returned from the annual public forum of the Trans-Atlantic Consumer Dialogue (TACD), a forum of U.S. and European consumer groups, of which we are a member. This diverse group released a Positive Consumer Agenda for trade which includes the following demands: Any regulatory cooperation dialogue and trade negotiation must be transparent. Agendas of the meetings and rounds must be made publicly available well in advance as well as negotiating documents and minutes of meetings and rounds. For trade negotiations, negotiations should not begin until all parties agree to publish their textual proposals as well as consolidated negotiating texts after each round on publicly available websites. 
… US positions on trade deals can be formulated the way other US federal regulations are: through an on-the-record public process established under the Administrative Procedure Act to formulate positions, obtain comments on draft texts throughout negotiations, and seek comments on proposed final texts. In the European Union, the Commission should open a public consultation when drafting negotiating mandates to mirror the legislative process.

Trade Isn’t the Right Tool For Every Internet Problem

A third front in our battle to reform the USTR’s closed and opaque trade negotiation practices is a submission that we made this week to the U.S. International Trade Commission (ITC). The ITC was seeking public submissions in an enquiry on digital trade, to gather input into a report that it is writing to advise the USTR on the topic. The submission reiterates our demands that the USTR publish its proposals, publish draft texts, have an independent transparency officer, open up proposals to notice and comments and a public hearing process, and open up Trade Advisory Committees to be more inclusive. But it also points out that the USTR shouldn’t consider trade negotiations as the right tool to regulate every aspect of the Internet that touches on trade:

Whereas the Commission aims to describe regulatory and policy measures currently in force in important markets abroad that may significantly impede digital trade, our bottom line is that not all such measures that impede digital trade are necessarily protectionist. … [They may] also have important non-trade justifications that serve broader social and economic needs such as freedom of expression and access to information, consumer safety and privacy, and preservation of the stability and security of Internet networks.
When the only tool you have is a hammer, every problem looks like a nail—and the USTR has been hammering away like mad at topics as diverse as net neutrality, domain names, encryption standards, and intermediary liability. But because there are many other dimensions of these issues besides the trade dimension, trade negotiations aren’t necessarily the best venue to address them; and certainly not while those negotiations remain as closed and opaque as they are at present. With the renegotiation of NAFTA around the corner, the need for USTR to reform its outdated practices is becoming increasingly urgent. With Congress, consumer groups, and international trade experts all demanding similar reforms from the next Trade Representative, we certainly hope that Robert Lighthizer is feeling the heat, and that he will rise to the challenge once he takes office.

The New Laptop Ban Adds to Travelers' Lack of Privacy and Security (Wed, 22 Mar 2017)
It can be difficult to understand the intent behind anti-terrorist security rules on travel and at the border. As our board member Bruce Schneier has vividly described, much of it can appear to be merely "security theater"—steps intended to increase the feeling of security, while doing much less to actually achieve it. This week the U.S. government, without warning or public explanation, introduced a sweeping new device restriction on travelers flying non-stop to the United States from ten airports in eight Muslim-majority countries, and nine airlines from those countries. Passengers on these flights must now pack large electronics (including tablets, cameras, and laptops) into their checked luggage. Information is still emerging regarding the rationale behind the ban, which went into effect at 3:00 Eastern Time Tuesday morning. The United Kingdom on Monday joined the United States with a similar regulation aimed at a differing set of flights. These new restrictions on the transport of digital devices have provoked a growing sense of insecurity among personal and business travelers flying between America, the Middle East and Turkey, and rightly so. Travelers to and within the United States were already concerned over reports of increasing levels of warrantless inspection of their devices at the border of the United States. Earlier this month, U.S. Customs and Border Protection revealed that there were more device searches in February alone than were conducted in the whole of the 2015 fiscal year. One of the few consolations is that these invasive searches take place with your knowledge, during security searches of your body and personal items. As we recently described in our guide to digital searches at the border, and in our brief to the Fourth Circuit Federal Court of Appeals, the U.S. border is not a rights-free zone: searches should be noted, and if known about, can be challenged as unlawful.
There is also the small compensation that, if officials do not demand access to your laptop, tablet or phone, you can at least be confident that your digital possessions have not been invasively searched. Requiring digital devices to be checked as luggage removes those reassurances, and adds new concerns. If someone else has physical access to your device, almost all information security guarantees are off the table. Data can be cloned for later examination. If you encrypt your stored data, you might limit how much direct data can be extracted—but even so, you cannot stop the examiner from installing new spyware or hardware. New software can be installed for later logging or remote control; protections can be disabled or manipulated. Under these conditions, it's very hard to make any assurances about how safe your personal data can be in transit. Some security researchers have devised exotic ways to reveal physical tampering; others spend their time defeating those systems. But if your device is out of your possession, all bets are off. This is not to assert that the new regulations are intended to enable these widespread, unaccountable searches. But given the content of the new regulation and the manner in which it was introduced, it's not surprising that rather than improving the confidence of travelers that their life and possessions remain safe and secure, it's led to even more doubt and uncertainty. Because the United States authorities have provided little transparency into or notice of their decision, we have no idea what protection this regulation is attempting to provide. It is particularly unclear what security benefit limiting the ban to a few airlines and airports achieves.
(Even if you believe, as officials within the Trump administration have stated, that some nationalities pose a particular threat, potential terrorists are surely smart enough to fly to an intervening nation which has not imposed the same controls, and take one of the multi-stop flights on which the United States still permits laptops as a carry-on.) At best, it seems like the real threat is so limited that the United States feels it is not worth the cost to inconvenience other travelers. At worst, it adds to the sense that some crossing the border—for instance, citizens of these nations and American visitors to them—should have fewer protections and practical opportunities for legal defense against invasive searches at the border than others. Security theater or not, improving security at the border includes as a goal ensuring the sense of security and confidence that travelers have that their personal data and devices are safe from unlawful interference. To do that, the United States authorities need to be more transparent in their reasoning, more protective of the highly personal information held on digital devices, and far less arbitrary in their search and treatment of different groups of travelers. A strong set of legal safeguards consistently governing digital device searches of every traveller—whether they are U.S. citizens, residents, or visitors—would be more secure, and safer for all. For practical advice for protecting your data at the border, see our detailed new guide and printable border search pocket guide.

Patents Are A Big Part Of Why We Can’t Own Nice Things: the Supreme Court Should Fix That (Wed, 22 Mar 2017)
Today, the Supreme Court heard arguments in a case that could allow companies to keep a dead hand of control over their products, even after you buy them. The case, Impression Products v. Lexmark International, is on appeal from the Court of Appeals for the Federal Circuit, which last year affirmed its own precedent allowing patent holders to restrict how consumers can use the products they buy. That decision, and the precedent it relied on, departs from long established legal rules that safeguard consumers and enable innovation. When you buy something physical—a toaster, a book, or a printer, for example—you expect to be free to use it as you see fit: to adapt it to suit your needs, fix it when it breaks, re-use it, lend it, sell it, or give it away when you’re done with it. Your freedom to do those things is a necessary aspect of your ownership of those objects. If you can’t do them, because the seller or manufacturer has imposed restrictions or limitations on your use of the product, then you don’t really own them. Traditionally, the law safeguards these freedoms by discouraging sellers from imposing certain conditions or restrictions on the sale of goods and property, and limiting the circumstances in which those restrictions may be imposed by contract. But some companies are relentless in their quest to circumvent and undermine these protections. They want to control what end users of their products can do with the stuff they ostensibly own, by attaching restrictions and conditions on purchasers, locking down their products, and locking you (along with competitors and researchers) out. If they can do that through patent law, rather than ordinary contract, it would mean they could evade legal limits on contracts, and that anyone using a product in violation of those restrictions (whether a consumer or competitor) could face harsh penalties for patent infringement. Impression Products v.
Lexmark International is Lexmark’s latest attempt to prevent purchasers from reusing and refilling its ink cartridges with cheaper ink. If Lexmark can use patent law to accomplish this, it won’t just affect the person or company that buys the cartridge, but also anyone who later acquires or refills it, even if they never agreed to what Lexmark wanted. The case will turn on how the Supreme Court applies patent law’s “exhaustion doctrine.” As the Court explained in its unanimous Quanta v. LG Electronics decision, the exhaustion doctrine provides that “the initial authorized sale of a patented item terminates all patent rights.” Meaning, a patent holder can’t use patent rights to control what you can do with the product you’ve purchased, because they no longer have patent rights in that particular object. As we explained in a brief submitted along with Public Knowledge, Mozilla, the AARP, and R Street Institute to the Supreme Court, the doctrine protects both purchasers and downstream users of patented products. Without the exhaustion doctrine, patent holders would be free to impose all kinds of limits on what you can do with their products, and can use patent infringement’s severe penalties as the enforcement mechanism. The doctrine also serves patent law’s constitutional purpose—to promote progress and innovation—by ensuring that future innovators have access to, and can research and build on, existing inventions, without seeking permission from the patent holder. This isn’t Lexmark’s first bite at the apple. The company first tried to argue that copyright law, and section 1201 of the DMCA (which prohibits circumvention of DRM), gave it the right to prevent re-use of its toner cartridges. In 2004, the Sixth Circuit roundly rejected Lexmark’s copyright claims. 
The court explained that even if Lexmark could claim copyright in the code at issue, and while it might want to protect its market share in cartridges, “that is not the sort of market value that copyright protects.” The Sixth Circuit also shot down Lexmark’s section 1201 claims, stating:

[n]owhere in its deliberations over the DMCA did Congress express an interest in creating liability for the circumvention of technological measures designed to prevent consumers from using consumer goods while leaving copyrightable content of a work unprotected. In fact, Congress added the interoperability provision in part to ensure that the DMCA would not diminish the benefit to consumers of interoperable devices "in the consumer electronics environment."

Having lost on its copyright claims, Lexmark found a warmer welcome at the Federal Circuit, which last year held that so long as the company “restricted” the sale of its product (in this case through a notice placed on the side of the cartridge) Lexmark could get around patent exhaustion, and retain the right to control downstream users’ behavior under patent law. The Federal Circuit’s ruling in Lexmark seriously undermines the exhaustion doctrine, allowing patent holders to control users’ behavior long after the point of purchase merely by including some form of notice of the restriction at the point of sale. As we’ve said before, this is especially troubling because downstream users and purchasers may be entirely unaware of the patent owner’s restrictions. The Federal Circuit’s ruling is also significantly out of step with how the majority of the law treats these kinds of restrictions. While sellers can use contract law to bind an original purchaser to mutually agreed-upon terms (with some limits), for hundreds of years courts have disfavored sellers’ attempts to use other laws to control goods after a transfer of ownership.
Courts and legal scholars have long acknowledged that such restrictions impair the purchasers’ personal autonomy, interfere with efficient use of property, create confusion in markets, and increase information costs. The Federal Circuit’s ruling is even out of step with copyright law, whose exhaustion principle is codified in the first sale doctrine. We’re hopeful that the Supreme Court will reverse the Federal Circuit and bring patent law’s exhaustion doctrine back in line.

Supreme Court: A Patent Owner Can Lie In Wait (Tue, 21 Mar 2017)
In a ruling today that will cheer up patent trolls, the Supreme Court said patent owners can lie in wait for years before suing. This will allow trolls to sit around while others independently develop and build technology. The troll can then jump out from under the bridge and demand payment for work it had nothing to do with. Today’s 7-1 decision arrives in a case called SCA Hygiene v. First Quality Baby Products. This case involves a patent on adult diapers but has a much broader reach. The court considered whether the legal doctrine of “laches” applies in patent cases. Laches is a principle that penalizes a rightsholder who “sleeps on their rights” by waiting a long time to file a lawsuit after learning of a possible infringement. It protects those that would be harmed by the assertion of rights after a lengthy delay. For example, laches would work against a patent owner that saw an infringing product emerge yet waited a decade to sue, after significant investment of time and resources had been put into the product. The ruling in SCA follows a similar decision in Petrella v. MGM holding that laches is not available as a defense in copyright cases. The Supreme Court has generally rejected “patent exceptionalism” and has often reversed the Federal Circuit for creating special rules for patent law. So today’s decision was not especially surprising. In our view, however, there were compelling historical and policy arguments for retaining a laches defense in patent law. Together with Public Knowledge, EFF filed an amicus brief at the Supreme Court explaining the many ways that companies accused of patent infringement can be harmed if the patent owner sleeps on its rights. For example, evidence relevant to invalidity can disappear. This is especially true for software and Internet-related patents. 
In his dissent, Justice Breyer cited our brief and explained:

[T]he passage of time may well harm patent defendants who wish to show a patent invalid by raising defenses of anticipation, obviousness, or insufficiency. These kinds of defenses can depend upon contemporaneous evidence that may be lost over time, and they arise far more frequently in patent cases than any of their counterparts do in copyright cases.

The seven justices in the majority suggested that patent defendants might be able to assert “equitable estoppel” instead of laches. But that would likely require showing that the patent owner somehow encouraged the defendant to infringe. In most cases, especially patent troll cases, the defendant has never even heard of the patent or the patent owner before receiving a demand. This means estoppel is unlikely to be much help. Ultimately, today’s ruling is a victory for trolls who would wait in the shadows for years before using an obscure patent to tax those who do the hard work of bringing products and services to market.

Related Cases: SCA Hygiene v. First Quality Baby Products

Hearing Wednesday: EFF Testifying Before House Committee That Use of Facial Recognition by Law Enforcement Poses Critical Threat to Privacy (Tue, 21 Mar 2017)
One Out of Two Americans Already in a Face Recognition Database Accessible to Law Enforcement

Washington, D.C.—On Wednesday, March 22, Electronic Frontier Foundation (EFF) Senior Staff Attorney Jennifer Lynch will testify at a hearing before the House Committee on Oversight and Government Reform about the FBI's efforts to build up and link together massive facial recognition databases that may be used to track innocent people as they go about their daily lives. The FBI has amassed a facial recognition database of more than 30 million photographs and has access to hundreds of millions more. The databases include photos of people who aren’t suspected of any criminal activity that come from driver’s license and passport and visa photos, even as the underlying identification technology becomes ever more powerful. The government has done little to address the privacy implications of this massive collection of biometric information. Lynch will testify that the use of facial recognition technology will allow the government to track Americans on an unprecedented level. The technology, like other biometric programs, such as fingerprint and DNA collection, poses critical threats to privacy and civil liberties. Lynch will tell the House committee that Congress has an opportunity to develop legislation that would protect Americans from inappropriate and excessive biometrics collection and use.

What: Full House Committee on Oversight and Government Reform Hearing: Law Enforcement’s Use of Facial Recognition Technology
Who: EFF Senior Staff Attorney Jennifer Lynch
When: Wednesday, March 22, 9:30 a.m.
Where: 2154 Rayburn House Office Building, Washington, D.C.

For more information on facial recognition: https://www.eff.org/foia/fbi-facial-recognition-documents
For more on biometric data collection: https://www.eff.org/issues/biometrics

Contact: Jennifer Lynch, Senior Staff Attorney, jlynch@eff.org

Border Agents Need A Warrant to Search Travelers’ Phones, EFF Tells Court (Mon, 20 Mar 2017)
The Border Isn’t a Constitution-Free Zone

Richmond, Virginia—Border agents must obtain a warrant to search travelers’ phones, tablets, and laptops, which contain a vast trove of sensitive, highly personal information that is protected by the Fourth Amendment, the Electronic Frontier Foundation (EFF) told a federal appeals court today. Searches of devices at the border have more than doubled since the inauguration of President Trump—from nearly 25,000 in all of 2016, to 5,000 in February alone. This increase, along with the increasing number of people who carry these devices when they travel, has heightened awareness of the need for stronger privacy rights while crossing the U.S. border. While the Fourth Amendment ordinarily requires law enforcement officials to get a warrant supported by probable cause before searching our property, in cases that predate the rise of digital devices, courts granted border agents the power to search our luggage without a warrant or any suspicion of wrongdoing. But portable digital devices differ wildly from luggage or other physical items we carry with us to the airport because they provide access to the entirety of our private lives, EFF said in an amicus brief filed at the U.S. Court of Appeals for the Fourth Circuit in the border search case U.S. v. Kolsuz. In 2014 the Supreme Court noted that cellphones now hold “the privacies of life” for people, including highly personal, private information such as photos, texts, contact lists, email messages, and videos. Many digital devices can access personal records stored in the “cloud,” such as financial or medical information. Before smartphones were invented, that kind of information would be kept in our home offices, desk drawers, or basement storage. If law enforcement officers wanted to enter your home or lock box as part of a search, they’d need to go before a judge, prove probable cause that you’re involved in a crime, and get a warrant.
“The border isn’t a constitution-free zone,” said Adam Schwartz, EFF senior staff attorney. “The U.S. Supreme Court ruled in 2014 that mobile phones are a window into our private lives and police need to show there’s probable cause that the people they arrest have committed crimes and obtain a warrant to search their phones. There should be no less protection for individuals who have not been arrested or shown to have committed any crime, but who instead simply want to enter the United States.” It’s never been more important for courts to follow the standard set by the Supreme Court about cell phone searches and apply it to border searches. Reports have surfaced of border agents searching the devices of innocent U.S. citizens, green card holders, and foreign visitors. While all kinds of travelers have suffered this intrusion, many reports involve journalists, Muslim-Americans, and Americans with Middle Eastern-sounding names. Asian Americans Advancing Justice-Asian Law Caucus, Brennan Center for Justice, Council on American-Islamic Relations and six of its chapters, and The National Association of Criminal Defense Lawyers joined EFF in filing the brief. “Law enforcement officials should be required to meet the same standards for searching our cell phones wherever we are—in our cities, on the highway, at vehicle checkpoints, and at the border. Regardless of the location, when officials want to crack open the private information in someone’s phone, they must first obtain a warrant,” said Schwartz.

For the brief: https://www.eff.org/document/us-v-kolsuz-eff-amicus-brief
For EFF’s new border guide: https://www.eff.org/wp/digital-privacy-us-border-2017
For EFF’s new border pocket guide: https://www.eff.org/document/eff-border-search-pocket-guide

Contact: Adam Schwartz, Senior Staff Attorney, adam@eff.org

Hearing Wednesday: National Security Letters Violate the First Amendment (Mon, 20 Mar 2017)
EFF to Argue NSL Gag Orders Are Unconstitutional in San Francisco Appeals Court

San Francisco – The Electronic Frontier Foundation (EFF) will urge an appeals court Wednesday to find that the FBI violates the First Amendment when it unilaterally gags recipients of national security letters (NSLs), and the law should therefore be found unconstitutional. The hearing is set for Wednesday, March 22, at 1:30pm in San Francisco. EFF represents two communications service providers—CREDO Mobile and Cloudflare—that were restrained for years from speaking about the NSLs they received, including even acknowledging that they had received any NSLs. Early Monday, just days before the hearing, the FBI finally conceded that EFF could reveal that these two companies were fighting a total of five NSLs. CREDO and Cloudflare have fought for years to publicly disclose their roles in battling NSL gag orders. Both companies won the ability to talk about some of the NSLs they had received several months ago, but Monday’s decision by the FBI allows them to acknowledge all the NSLs at issue in this case. On Wednesday, EFF Staff Attorney Andrew Crocker will tell the United States Court of Appeals for the Ninth Circuit that these gags are unconstitutional restrictions on CREDO and Cloudflare’s free speech and that the FBI’s belated decision to lift some of the gags only underscores why judicial oversight is needed in every case. The gag orders barred these companies from participating in discussion and debate about government use of NSLs—even as Congress was debating changes to the NSL statute in 2015.

What: In re National Security Letters
Who: EFF Staff Attorney Andrew Crocker
Date: March 22 1:30 pm
Where: Courtroom 3, 3rd Floor Room 307, U.S. Court of Appeals for the Ninth Circuit, James R. Browning U.S. Courthouse, 95 Seventh Street, San Francisco, CA 94103

For the FBI notice allowing the companies to identify themselves: https://www.eff.org/document/notice-regarding-public-identification-nsl-recipients
For more on this case: https://www.eff.org/issues/national-security-letters

Contact: Andrew Crocker, Staff Attorney, andrew@eff.org

Five Creepy Things Your ISP Could Do if Congress Repeals the FCC’s Privacy Protections (Mon, 20 Mar 2017)
Why are we so worried about Congress repealing the FCC’s privacy rules for ISPs? Because we’ve seen ISPs do some disturbing things in the past to invade their users’ privacy. Here are five examples of creepy practices that could make a resurgence if we don’t stop Congress now.

Take Action: Call Congress and help keep creepy ISP practices a thing of the past!

5. Selling your data to marketers

Which ISPs did it before? We don’t know—but they’re doing it as you read this!

It’s no secret that many ISPs think they’re sitting on a gold mine of user data that they want to sell to marketers. What some people don’t realize is that some are already doing it. (Unfortunately they’re getting away with this for now because the FCC’s rules haven’t gone into effect yet.) According to Ad Age, SAP sells a service called Consumer Insights 365, which “ingests regularly updated data representing as many as 300 cellphone events per day for each of the 20 million to 25 million mobile subscribers.” What type of data does Consumer Insights 365 “ingest?” Again, according to Ad Age, “The service also combines data from telcos with other information, telling businesses whether shoppers are checking out competitor prices… It can tell them the age ranges and genders of people who visited a store location between 10 a.m. and noon, and link location and demographic data with shoppers' web browsing history.” And who is selling SAP their customers’ data? Ad Age says “SAP won't disclose the carriers providing this data.” In other words, mobile broadband providers are too afraid to tell you, their customers, that they’re selling data about your location, demographics, and browsing history. Maybe that’s because it’s an incredibly creepy thing to do, and these ISPs don’t want to get caught red-handed. And speaking of getting caught red-handed, that brings us to…

4. Hijacking your searches

Which ISPs did it before?
Charter, Cogent, DirecPC, Frontier, Wide Open West (to name a few)

Back in 2011, several ISPs were caught red-handed working with a company called Paxfire to hijack their customers’ search queries to Bing, Yahoo!, and Google. Here’s how it worked. When you entered a search term in your browser’s search box or URL bar, your ISP directed that query to Paxfire instead of to an actual search engine. Paxfire then checked what you were searching for to see if it matched a list of companies that had paid them for more traffic. If your query matched one of these brands (e.g. you had typed in “apple”, “dell”, or “wsj”, to name a few) then Paxfire would send you directly to that company’s website instead of sending you to a search engine and showing you all the search results (which is what you’d normally expect). The company would then presumably give Paxfire some money, and Paxfire would presumably give your ISP some money. In other words, ISPs were hijacking their customers’ search queries and redirecting them to a place customers hadn’t asked for, all while pocketing a little cash on the side. Oh, and the ISPs in question hadn’t bothered to tell their customers they’d be sending their search traffic to a third party that might record some of it. It’s hard to believe we’re still on the subtle end of the creepy spectrum. But things are about to get a whole lot more in-your-face creepy, with…

3. Snooping through your traffic and inserting ads

Which ISPs did it before? AT&T, Charter, CMA

This is the biggest one people are worried about, and with good reason—ISPs have every incentive to snoop through your traffic, record what you’re browsing, and then inject ads into your traffic based on your browsing history. Plenty of ISPs have done it before—AT&T did it on some of their paid wifi hotspots; Charter did it with its broadband customers; and a smaller ISP called CMA did the same.
We don’t think this one requires much explaining for folks to understand just how privacy invasive this is. But if you need a reminder, we’re talking about the company that carries all your Internet traffic examining each packet in detail[1] to build up a profile on you, which they can then use to inject even more ads into your browsing experience. (Or, even worse—they could hire a third-party company like NebuAd or Phorm to do all this for them.) That’s your ISP straight up spying on you to sell ads—and turning the creepiness factor up to eleven.[2] And speaking of spying, we’d be remiss if we didn’t mention…

2. Pre-installing software on your phone and recording every URL you visit

Which ISPs did it before? AT&T, Sprint, T-Mobile

When you buy a new Android phone, you probably expect it to come with some bloatware—apps installed by the manufacturer or carrier that you’re never going to use. You don’t expect it to come preinstalled with software that logs which apps you use and what websites you visit and sends data back to your ISP. But that’s exactly what was uncovered when security researcher and EFF client Trevor Eckhart did some digging into Carrier IQ, an application that came preinstalled on phones sold by AT&T, Sprint, and T-Mobile. This is even creepier than number three on our list (watching your traffic and injecting ads), because at least with number three, your ISP can only see your unencrypted traffic. With Carrier IQ, your ISP could also see what encrypted (HTTPS) URLs you visit and record what apps you use. Simply put, preinstalled software like Carrier IQ gives your ISP a window into everything you do on your phone. While mobile ISPs may have backed down on using Carrier IQ in the past (and the situation led to a class action lawsuit), you can bet that if the FCC’s privacy rules are rolled back there’ll be ISPs eager to start something similar.
But none of these creepy practices holds a candle to the ultimate, creepiest thing ISPs want to do with your traffic, which is…

1. Injecting undetectable, undeletable tracking cookies in all of your HTTP traffic

Which ISPs did it before? AT&T, Verizon

The number one creepiest thing on our list of privacy-invasive practices comes courtesy of Verizon (and AT&T, which quickly killed a similar program after Verizon started getting blowback). Back in 2014 Verizon Wireless decided that it was a good idea to insert supercookies into all of its mobile customers’ traffic. Yes, you read that right—it’s as if some Verizon exec thought “inserting tracking headers into all our customers’ traffic can’t have a down side, can it?” Oh, and, for far too long, they didn’t bother to explicitly tell their customers ahead of time. But it gets worse. Initially, there was no way for customers to turn this “feature” off. It didn’t matter if you were browsing in Incognito or Private Browsing mode, using a tracker-blocker, or had enabled Do-Not-Track: Verizon ignored all this and inserted a unique identifier into all your unencrypted outbound traffic anyway. According to the FCC, it wasn’t until “two years after Verizon Wireless first began inserting UIDH, that the company updated its privacy policy to disclose its use of UIDH and began to offer consumers the opportunity to opt-out of the insertion of unique identifier headers into their Internet traffic.” As a result, anyone—not just advertisers—could track you as you browsed the web. Even if you cleared your cookies, advertisers could use Verizon’s tracking header to resurrect them, which led to something called “zombie cookies.” If that doesn’t sound creepy, we don’t know what does.

As you can see, there’s a lot at stake in this fight. The FCC privacy rules Congress is trying to kill would limit all of these creepy practices (and even ban some of them outright).
So don’t forget to call your senators and representative right now—because if we don’t stop Congress from killing the FCC’s ISP privacy rules now, we may end up with a lot more than five creepy ISP practices in the future.

Take Action: Call Congress and help keep creepy ISP practices a thing of the past!

[1] To be absolutely precise, your ISP could track and record all your HTTP traffic, and the domain name you visit for HTTPS websites.
[2] We’ve heard some arguments that this is just what Google or Facebook do, but there’s a big difference. You can choose not to use Google or Facebook, and it’s easy to install free tools that block their tracking on other parts of the web. EFF even makes such a tool, called Privacy Badger! But changing ISPs or paying for a VPN is hard (and some people don’t have more than one choice of ISP). For more, see our post on busting three ISP privacy rollback myths.
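
The header insertion described under item 1 can be checked from the outside: send plain-HTTP requests to an echo endpoint you control and compare what left the client with what arrived. The Python below is an added example, not code from EFF or the original post; the header names (including X-UIDH as the name for the UIDH header), the echo host and every sample value are constructed assumptions.

```python
import math
from collections import Counter


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased header name: [values]} from a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def injected_headers(sent: bytes, received: bytes) -> dict:
    """Header values the server saw that the client never sent."""
    before, after = parse_headers(sent), parse_headers(received)
    added = {}
    for name, values in after.items():
        extra = [v for v in values if v not in before.get(name, [])]
        if extra:
            added[name] = extra
    return added


def estimated_bits(value: str) -> float:
    """Shannon entropy per character times length: a rough size of the ID space."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def persistent_identifiers(sessions, min_bits: float = 100.0) -> dict:
    """Injected values that are high-entropy AND identical across sessions.

    `sessions` is a list of (sent, received) raw requests captured in
    independent browser sessions (cookies cleared in between). A value that
    survives that reset is a candidate tracking identifier; a per-request ID
    or a short hop marker such as Via is not.
    """
    per_session = [injected_headers(s, r) for s, r in sessions]
    if len(per_session) < 2:
        return {}  # persistence cannot be judged from a single capture
    flagged = {}
    for name, values in per_session[0].items():
        for value in values:
            if estimated_bits(value) < min_bits:
                continue
            if all(value in other.get(name, []) for other in per_session[1:]):
                flagged[name] = value
    return flagged


def build_request(extra_lines):
    """Build a constructed raw request to a hypothetical echo endpoint."""
    lines = ["GET /echo HTTP/1.1", "Host: echo.example",
             "User-Agent: header-check/1.0"] + extra_lines
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Constructed sample data: not a real identifier and not real captures.
CONSTRUCTED_ID = "Q29uc3RydWN0ZWRVSURIZXhhbXBsZTAxMjM0NTY3ODlhYmNkZWY"
SESSIONS = [
    (build_request(["Cookie: sid=aaa111"]),
     build_request(["Cookie: sid=aaa111",
                    "Via: 1.1 gw.example",
                    "X-Request-Id: 7f3a9c1e5b2d4f60a1b8c7d6e5f40312",
                    "X-UIDH: " + CONSTRUCTED_ID])),
    (build_request([]),  # second session: cookies cleared
     build_request(["Via: 1.1 gw.example",
                    "X-Request-Id: c04e8812aa6b93d7f15e2d3c4b5a6978",
                    "X-UIDH: " + CONSTRUCTED_ID])),
]

if __name__ == "__main__":
    for name, value in persistent_identifiers(SESSIONS).items():
        print(f"persistent injected identifier: {name} = {value}")
```

The same comparison made over HTTPS should show no added headers, because an in-path party cannot modify requests inside the encrypted channel.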

Brazil Proposes New Digital Copyright Rules for the WTO (Sat, 18 Mar 2017)
Copyright rules don't belong in trade agreements—so where do they belong? For the most part, the World Intellectual Property Organization (WIPO) is probably the right place; it's a fully multilateral body that devotes its entire attention to copyright, patent, and other so-called intellectual property (IP) rules, rather than including them as an afterthought in agreements that also deal with things like dairy products and rules of origin for yarn. Although we don't always like the rules that come out of WIPO, at least we can be heard there—and sometimes our participation makes a tangible difference. The landmark Marrakesh Treaty for blind, visually impaired and print disabled users provides a good example. But there's another multilateral international body that can also lay claim to authority over international intellectual property rules—the World Trade Organization (WTO). When the WTO first covered copyright and patent rules in a dedicated agreement called TRIPS, it was decried by activists as being far too strict. Today, ironically, those same activists (even EFF) often tout TRIPS as a more appropriate baseline standard for global IP rules, in contrast to the stricter (or "TRIPS-plus") rules demanded for inclusion in preferential trade agreements such as the Anti-Counterfeiting Trade Agreement (ACTA) and the Trans-Pacific Partnership (TPP). For those who believe in linking copyright and trade, the WTO is an obvious candidate to fill the vacuum left by the TPP's recent demise. At the most recent session of the WTO's TRIPS Council on March 1 and 2, Brazil circulated a paper [PDF] titled "Electronic Commerce and Copyright" to address issues around trade in copyright works in the digital age. 
This document didn't come out of the blue; it draws strongly upon an earlier discussion paper, also addressing the challenges of copyright in the digital environment, that Brazil and others in its GRULAC (Group of Latin American and Caribbean Countries) group introduced at WIPO in 2015. Brazil's latest paper highlights three issues around electronic commerce and copyright that it believes belong on the WTO's agenda; not as the basis for a binding treaty, but for discussion and informal coordinated action by member states. These are:

Transparency

While copyright holder groups complain that Internet platforms don't pay enough for streaming copyright content (a so-called "value gap"), a big part of the perceived problem is that it's difficult for the creators of that content to know where the money is going. The music industry, in particular, is notorious for the opacity of the payment arrangements between intermediaries and creators such as songwriters and performers. Brazil identifies the need to improve the transparency of these payments, although it doesn't go into detail about how this should be accomplished. When EFF brought musician and entrepreneur Imogen Heap to WIPO, she explained the potential for blockchain technology to provide this much-needed transparency. But rather than invest in exploring this or other transparency initiatives, big media has continued to devote most of its attention to a failing war on piracy.

Balance of rights and obligations

The paper correctly identifies the need to maintain balance between the interests of copyright holders and those of users of copyright works, as technologies change and new ways of using such works emerge. But the paper goes off the rails when it suggests that it may be unlawful under the WTO's three-step test for countries to allow users to bypass DRM on copyright works, on the grounds that DRM is "essential for the normal exploitation of works in e-trade."
Although we support the paper's bottom-line conclusion that "WTO Members should unequivocally assert the principle that exceptions and limitations available in physical formats should also be made available in the digital environment," we don't think this precludes rolling back penalties for the circumvention of DRM. On the contrary, circumvention is often the only way for users to gain access to content on the devices of their choice, and is imperative for preservation, archival, and reuse of such content.

Territoriality of copyright

The final issue addressed in Brazil's paper is the most fundamental one: the disconnect between the global nature of the Internet, and the territorial status of national copyright systems. The problem that Brazil identifies is that by using international credit cards, users can gain access to content through overseas content platforms, and thereby circumvent services based in their own home countries, which are subject to that country's copyright rules. It proposes that "Member states should make their best efforts to make their national copyright legislation applicable to trade relations where content is accessed from within their national borders." But if this means blocking or banning users from accessing overseas content services, we have serious concerns. Such measures are entirely unnecessary anyway, as the world already has a common set of copyright rules as standards for global trade—that's exactly what the WTO TRIPS agreement provides. Brazil hasn't made out a case for more.

So far, other WTO members have shown little appetite for the WTO to undertake new work on copyright rules, with the knowledge that such negotiations would be highly contentious. (This is also why Brazil has chosen to describe it as an "electronic commerce" proposal rather than as an "intellectual property" proposal.)
However, the promulgation of "soft law" standards on copyright protection under the aegis of the WTO is a more tenable proposition, and Brazil's aim with this paper is to seed that process. That's why it's important to keep a watchful eye even on non-normative documents such as these, to ensure that if the WTO does take any new measures on global copyright rules, users' rights are preserved.

If the Government Can't Get Domain Seizures Right, Why Would Big Pharma Do Better? (Sat, 18 Mar 2017)
So far we've seen no response from the Domain Name Association (DNA) to our criticisms from earlier this month about its self-styled Registry/Registrar Healthy Practices [PDF]. Part of its plan is that domain registries ought to yank online pharmacy domains from the Internet without due process on Big Pharma's say-so.

[Image: ICE seizure notice for vicodin.com]

But an interesting new data point about the wisdom of such a policy emerged this week. It has been reported that Immigration and Customs Enforcement (ICE), part of the United States Department of Homeland Security, had seized the domain vicodin.com, named after a common prescription pain medication. The problem? That domain actually belongs to the manufacturer and registered trademark holder for Vicodin. In other words, it seems that the domain should never have been seized.

We've never been fans of ICE's domain name seizures. They have been used to violate free speech rights, without any meaningful opportunity for the owner or users of the domain to be heard before the domain is seized. But at least such seizures are issued under a warrant issued by a United States District Court judge, and there is a mechanism of redress (however slow and inconvenient) when a domain is seized wrongfully. That's what happened to the music blog Dajaz1, whose domain was seized by ICE and kept offline for over a year while the recording industry tried and failed to come up with evidence of copyright infringement. And it's what apparently happened today to vicodin.com.

If responsibility for the seizure of domain names passes to domain name registries or registrars, at the direction of Big Pharma—as the DNA proposes—all bets are off. We can well imagine that if the DNA's proposal is accepted as an industry-wide practice the number of mistaken domain name seizures will skyrocket, and that its victims will have even less recourse than they have against an ICE seizure. It's not just pharmacy domains that are at risk.
Under a private policy of the registry operator Donuts, an architect of the Healthy Domains Initiative, the Motion Picture Association of America (MPAA) has similar powers as Big Pharma to call for the deletion or transfer of domain names that are alleged to host copyright-infringing material. Although EFF was able to defeat a proposal to make a similar policy into an industry-wide practice, we doubt we'll have heard the last of it. Domain Name Regulator ICANN met with its community this week in Copenhagen. Big Pharma and Big Content lobbyists were among those who descended on the gathering, to promote their vision of private Internet content enforcement through the domain name system; a privatized SOPA, if you will. So far, ICANN has resisted accepting any such enforcement role, and rightly so. Today's reminder that even the U.S. government can't get this method of enforcement right should send a further note of caution about this misguided approach.

EFF, ACLU, and 45 Civil Rights, Immigration, and Health Advocacy Organizations Oppose AB 165, a California Bill Stripping Students and Teachers of Basic Privacy Protections (Fri, 17 Mar 2017)
“Californians cannot afford to go back to the digital dark ages,” groups warn. EFF and a diverse coalition of advocacy groups sent a letter to the California legislature urging elected officials to oppose A.B. 165. This bill would roll back privacy protections for students and teachers by exempting California public schools from the prohibition on warrantless digital searches lawmakers enacted two years ago. The letter calls for the legislature to protect the legal rights of the 6 million Californians who study and work in public schools. Signers included Transgender Law Center, Courage Campaign, Council on American-Islamic Relations, Health Connected, California Latinas for Reproductive Justice, the American Library Association, and many others. This attempt to strip away privacy protections comes during a tumultuous political moment in American history, where many political activists, immigrant families, and LGBTQ Americans are rightly fearful of federal policies that endanger their safety, privacy, and other civil liberties. The coalition letter called out these concerns specifically: "Students or staff from Muslim or immigrant communities are rightly concerned that they or their family members and friends would be at risk if their digital information were wrongfully obtained and misused. Half of California students have at least one immigrant parent – and more than half of these parents are not citizens. Members of the school community may fear reprisal for participating in online or real-world social or political activism that their school’s administration may not support. LGBTQ students or staff may have concerns about their personal and professional relationships and even their safety.
And youth who live in poverty, for whom their cell phone may be their primary or only means of accessing the Internet and thus seeking information about health, sexuality, or other sensitive topics, are vulnerable to even greater exposure of their personal lives than other students with greater access to technology in the home." Read the full letter.

EFF urges concerned Californians to speak out against A.B. 165. If you live in California, please contact your elected officials today. And if you are a student or teacher who has witnessed a device search by a school official in California, please tell us about it. Not in California? You can still help by sharing this post on social media.

Take Action: Speak out.

One Step Closer to Reclaiming University Innovation From Trolls (Fri, 17 Mar 2017)
Last year, EFF, along with our partner organizations, launched Reclaim Invention, a campaign to encourage universities across the country to commit to adopting patent policies that advance the public good. Reclaim Invention asks universities to focus on bringing their inventions to the public, rather than selling or licensing them to patent assertion entities whose sole business model is threatening other innovators with patent lawsuits. Now, thanks to Maryland State Delegate Jeff Waldstreicher, the project is taking a step forward. In February, Delegate Waldstreicher introduced H.B. 1357, a bill modeled on Reclaim Invention’s draft legislation, the Reclaim Invention Act. Like the Reclaim Invention Act, H.B. 1357 would require Maryland state universities to adopt policies for technology transfer that commit them to managing their patent portfolio in the public interest, and outlines what that policy should include. The bill would also void any agreement by the university to license or transfer a patent to a patent assertion entity (or patent troll). At a hearing earlier this month, the Maryland Assembly’s House Appropriations Committee heard testimony in support of the bill from Delegate Waldstreicher, Knowledge Ecology International (KEI)’s James Love, and data scientist Adam Kreisberg. As KEI’s James Love explained, the bill would allow universities to continue to license or assign patent rights to companies, but would prohibit them from assigning patents “to organizations who are just suing people for infringement.” According to Love, when it comes to public universities, “you don’t want public sector patents to be used in a way that's a weapon against the public.” EFF, with Public Knowledge, Creative Commons, and KEI [.pdf], and Yarden Katz, Fellow in Systems Biology at Harvard Medical School [.pdf] also submitted written testimony supporting the bill.
Katz, who studies “the impact of commercialization on scientific research,” explains:

[r]esearch has shown that university patents, including those produced by public universities, can end up in the hands of NPRs. For instance, as of 2016, the notorious NPA ‘Intellectual Ventures’ had nearly 500 patents that originated from American universities in its portfolio…including some from the University of Maryland.

If the Maryland legislature passes the bill, Katz states it would “set an example for other states by adopting a framework for academic research that puts public interests front and center.” If you’re in Maryland you can urge your lawmakers to defend innovation and pass H.B. 1357.

Take Action: Tell your state lawmakers: keep university patents away from trolls.

If you’re not in Maryland, you can take action to encourage your university to sign the Public Interest Patent Pledge and urge your state lawmakers to keep university patents out of the hands of trolls.

Three Myths the Telecom Industry is Using to Convince Congress to Repeal the FCC’s Privacy Rules, Busted (Fri, 17 Mar 2017)
Back in October of 2016, the FCC passed some pretty awesome rules that would bar your internet service provider (ISP) from invading your privacy. The rules would keep ISPs like Comcast and Time Warner Cable from doing things like selling your personal information to marketers, inserting undetectable tracking headers into your traffic, or recording your browsing history to build up a behavioral advertising profile on you—unless they can get your consent. They were a huge victory for everyday Internet users in the U.S. who value their privacy. But since the restrictions also limit the ability of ISPs and advertisers alike to profit from the treasure trove of data ISPs have about their subscribers, powerful interests have come out in force to strip those protections away. Lobbyists in DC are pulling out all the stops trying to convince Congress that these straightforward, no-nonsense privacy rules are unnecessary, unfair, overly burdensome, or all of the above. EFF wrote a memo for congressional staffers that busts these myths. And we’re sharing the content of that memo with you, Team Internet, so you can see the type of FUD ISPs and their allies are pushing in order to take away your privacy. (Fair warning: some of these are fairly wonky, so if you’re not the type that gets excited by telecom law, you can always skip to the part where you call your senators and representative and tell them not to repeal the FCC’s ISP privacy rules—because if we raise our voices together, we can stop Congress before it’s too late.)

Take Action: Call Congress now and tell them not to repeal the FCC's privacy rules!

Myth 1: If the FCC’s privacy rules are repealed, state officials and the Federal Trade Commission will fill the gap—so customers’ privacy will still be protected.

Fact: Unfortunately, recent court decisions have limited the FTC’s ability to enforce privacy rules on ISPs.
Plus, relying on each state to enforce its own laws to protect privacy would create a terrible patchwork of mismatched regulations. You’d think with all the uncertainty and bureaucracy that would create, the ISPs would actually prefer clear, bright-line rules at the national level. But you’d be wrong: at this point, they’ll say anything to block the FCC’s privacy-protective rules.

Extended Version: The 2016 FTC v AT&T Mobility decision at the 9th Circuit eliminated the Federal Trade Commission’s authority to enforce privacy rules on ISPs in Arizona, Alaska, Hawaii, California, Idaho, Montana, Nevada, Oregon, and Washington. Other courts may do the same. And while some states’ Attorneys General have brought actions against ISPs that mislead or deceive consumers about how the companies collect, share, and sell customer data, many other states have scaled back their enforcement on the premise that federal enforcement was sufficient and preferable. What’s more, a state-by-state patchwork of consumer protection enforcement is bad for customers and telecoms. It leaves customers in states with weaker consumer protection statutes or less assertive Attorneys General without crucial safeguards from their ISPs. And it leaves ISPs subject to a bewildering array of regulations depending on where they operate. That regulatory thicket will impede competition and innovation by discouraging service providers from entering new markets.

Myth 2: Even if Congress repeals the FCC’s recent privacy rules, the FCC still has authority to enforce consumer privacy protections more generally under Section 222 of the Communications Act.

Fact: Due to the way Congress plans to repeal the FCC’s privacy rules, there’s going to be a lot of legal uncertainty about whether or not the FCC will be allowed to do anything related to ISPs and privacy in the future.
In other words, it’s not clear if you’ll be at the mercy of your ISP or not, and by the time the courts figure it out, your ISP will have already had the chance to do some pretty creepy things.

Extended Version: Section 222 of the Communications Act is the underlying authorization for the rules the FCC has already adopted, but if Congress passes a Congressional Review Act (CRA) resolution to repeal the rules, whether or not the FCC can pass new rules using that authority will be an open question. That’s because a CRA resolution would prohibit the FCC from issuing rules that are “substantially the same” in the future. If the FCC brings an action against an ISP under Section 222 for mishandling customer data, the ISP would likely try to challenge the action in court on the grounds that Congress preempted the agency with the CRA, creating uncertainty around ISP obligations and consumer privacy protections.

Myth 3: The FCC’s privacy rules put Internet service providers at an unfair disadvantage when compared to Internet companies like Google who can profit off of consumers’ data.

Fact: Google doesn’t see everything you do on the Internet (neither does Facebook, for that matter, or any other online platform)—they only see the traffic you send to them. And you can always choose to use a different website if you want to avoid Google’s tracking. None of that is true about your ISP. You probably only have one, maybe two options when it comes to ISPs offering high-speed Internet, and your ISP sees everything—they have to, in order to send your traffic to the right place. That’s why we need the FCC’s privacy rules: ISPs are in a position of power, and they’ve shown they’re willing to abuse that power. Plus, if you’re worried about creepy third-party tracking online, you can use free tools to protect yourself; the only way to protect your privacy from your ISP is to pay for a VPN.

Extended Version: To begin with, it’s worth remembering that ISPs and companies like Google or Facebook see entirely different parts of your Internet activity; namely that Google or Facebook only see the traffic you send to their servers, while ISPs see all your traffic. Even when you take into account the fact that Google and Facebook have creepy third-party trackers spread across the web, they still only see a fraction of what your ISP sees. Being able to see all of your traffic gives your ISP an unprecedented view into your life (everything from what you’re shopping for, to who you talk to, to what your politics are, to what you read), which not even Google or Facebook can achieve.

There’s also another big difference between Comcast and Google: choice. While Internet users can choose between numerous online services for search, email, and more—including services that feature built-in privacy protections as a selling point—most consumers have few if any options when it comes to choosing an ISP. According to the FCC’s 2016 Broadband Progress Report, 51 percent of households have access to only one high-speed broadband provider. If that provider decides to sell their data, they can’t vote with their wallets and choose another ISP.

There’s one last difference: Internet users can prevent companies like Google from spying on them as they surf the web. If you want to do something online without being tracked, you can use a variety of free tools that even powerful companies like Google cannot overcome. But nothing short of paying to use a virtual private network—essentially having to pay a fee to protect your online privacy—will protect you from your ISP.

Now that you’ve heard the FUD ISPs and the advertising industry are spreading, take a moment and help us protect your privacy from data-hungry ISPs: call Congress today and tell your senators and representative not to repeal the FCC’s ISP privacy rules!

Take Action: Call Congress now and tell them not to repeal the FCC's privacy rules!

California Youth in Detention and Foster Care Deserve Internet Access (Thu, 16 Mar 2017)
It’s 2017, and climbers can tweet from Mount Everest, astronauts can post YouTube videos from the International Space Station, and ocean explorers can live stream from the Mariana Trench. Considering the ability for technology to overcome those harsh environments, we see no reason that California can’t develop a way to ensure that youth in our state have secure and supervised access to the internet in juvenile detention and foster care programs. EFF is throwing its support behind A.B. 811, a California bill sponsored by Assemblymember Mike Gipson, that would establish that youth in custody have a right to “reasonable access to computer technology and the internet for the purposes of education and maintaining contact with family and supportive adults.” The bill would also establish the right of youth in foster care to have access to computers and the internet. As EFF writes in its letter:

When youth are incarcerated, it is the government’s duty to ensure that they receive the necessary services for rehabilitation and successful integration back into the free world. Computer literacy and computer skills are crucial to development in the modern era, particularly when it comes to finding jobs. In addition, since many facilities are located in remote areas, placing youth far from their homes, accommodations should be made using modern technology to allow detainees to maintain meaningful relationships with their families to enhance the support structure for successful rehabilitation. Similarly, youth in foster care must also have access to the same resources that most children receive through their schools, libraries, and homes.

Nearly 56,000 youth were in foster care in 2015, according to the Annie E. Casey Foundation.
In addition, the California Department of Justice data [.pdf] reports that more than 23,000 youth were detained in secure facilities in 2014, with Hispanic youth representing more than half and Black youth representing roughly a quarter of youth in secure custody. We applaud Assemblymember Gipson for his efforts to ensure this significant at-risk population is provided with the tools they need to succeed.

Payment Processors are Still Policing Your Sex Life, and the Latest Victim is FetLife (Wed, 15 Mar 2017)
Eighteenth century writer and philosopher the Marquis de Sade spent the last 13 years of his life in prison for his crimes of writing pornographic novels such as Justine and Juliette. Today those who explore and write about similar sexual fantasies online—now known as BDSM and grounded in the consent of all participants—are suffering similar acts of censorship as the eponymous literary sadist who preceded them by two centuries. The biggest difference is that the church and state have been supplanted as chief censors by private companies such as payment service providers Visa, Mastercard, and PayPal. Five years ago EFF defended the right of publishers such as Smashwords to publish written descriptions of transgressive sexual conduct, against PayPal's threat to cancel payment services unless they withdrew such works from sale. (Following our campaign, in which we were joined by more than two dozen other free speech groups, PayPal relented.) In the same year the Nifty Archives Alliance, which publishes erotic stories, had its donation page temporarily suspended by its payment processor for fear of violating Visa and Mastercard rules. Two years ago, Backpage.com had its payment services suspended by Visa and Mastercard for providing a platform to advertise sexual services. This year it's the turn of adult social network FetLife, which just lost its ability to process credit card payments because it offers a platform for members to discuss and to post depictions of consensual BDSM practices. In this instance the ban appears to have come down from one of the credit card networks, which shut down both of the merchant accounts that FetLife used to process payments, justifying this to one merchant with complaints about "blood, needles, and vampirism" on the website, and to the other with the vague explanation of "illegal or immoral reasons". If any illegal content were on the website that would indeed be cause for concern, but there is no evidence of this. 
The last time FetLife lost payment processing services in 2013, it was on the basis of complaints of illegal child pornography on the site. Yet on closer investigation, this turned out to amount to sexualized cartoon drawings of the Simpsons, which even if they may have been in poor taste, were constitutionally protected speech under U.S. law. Even so, the site clamped down on fantasy depictions or descriptions of underage sex and incest going forward, and its payment processing services were restored. There is no further evidence of illegal content on FetLife today than there was back then. Nor does it seem obvious the card networks' content rules have been infringed; both networks prohibit imagery of "non-consensual sexual behavior" and "non-consensual mutilation of a person or body part", but consensual BDSM is neither of these. Nonetheless, the credit card ban has had its desired effect of further constricting the range of permissible speech on FetLife, with the site introducing new restrictions on a broad range of edgy sexual practices, including consensual non-consent, race play, drug and alcohol use, and scarification. Despite all this, their payment services still haven't been reinstated, and it's unclear how they can be. In the meantime FetLife does still accept payments via Bitcoin, which due to its open and decentralized infrastructure, is much more resistant to censorship pressures. While there may one day be a future in which digital currencies like Bitcoin are so widely adopted that it's easy for many websites to thrive on them alone, today we live in a world where credit card oligopolies can effectively shut down digital speech they find annoying or offensive. In the course of a round of buck-passing between PayPal and the credit card networks during the Smashwords dispute, Visa had written "Visa would take no action regarding lawful material that seeks to explore erotica in a fictional or educational manner.
As you note in your letter, Visa is not in the business of censoring cultural product." While we don't know which of the card networks were responsible for the latest FetLife ban, such fine sentiments seem hard to square with it. It's also difficult to discern what's behind this latest crackdown, but the least likely scenario is that it was a case of proactive self-policing by the credit card network. More likely, this is a case of Shadow Regulation in which the hand of government, or some third party acting as self-appointed morals campaigner, has reached a secret agreement with the payment network behind the scenes. In this context, it may be worth noting that Attorney-General Jeff Sessions recently indicated that he would consider reviving the Justice Department's Obscenity Prosecution Task Force. Whatever the source of the pressure to which the payment network acceded, EFF remains deeply concerned that payment companies aren't doing enough to consistently push back against demands to privately censor lawful sexual content online. In an age where the 50 Shades movies are playing in mainstream cinemas across the country, society ought to have moved on from the days when pornographers such as de Sade were jailed and his books burned. The best way for payment companies to discern when online content has crossed the line into obscenity is to rely on courts to make that judgment.

D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia is Free to Spy on Americans in Their Own Homes (Wed, 15 Mar 2017)
The United States Court of Appeals for the District of Columbia Circuit today held that foreign governments are free to spy on, injure, or even kill Americans in their own homes--so long as they do so by remote control. The decision comes in a case called Kidane v. Ethiopia, which we filed in February 2014. Our client, who goes by the pseudonym Mr. Kidane, is a U.S. citizen who was born in Ethiopia and has lived here for over 30 years. In 2012 through 2013, his family home computer was attacked by malware that captured and then sent his every keystroke and Skype call to a server controlled by the Ethiopian government, likely in response to his political activity in favor of democratic reforms in Ethiopia. In a stunningly dangerous decision today, the D.C. Circuit ruled that Mr. Kidane had no legal remedy against Ethiopia for this attack, despite the fact that he was wiretapped at home in Maryland. The court held that, because the Ethiopian government hatched its plan in Ethiopia and its agents launched the attack that occurred in Maryland from outside the U.S., a law called the Foreign Sovereign Immunities Act (FSIA) prevented U.S. courts from even hearing the case. The decision is extremely dangerous for cybersecurity. Under it, you have no recourse under law if a foreign government hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil. It flies in the face of the idea that Americans should always be safe in their homes, and that safety should continue even if they speak out against foreign government activity abroad.   Factual background Mr. Kidane discovered traces of state-sponsored malware called FinSpy, a sophisticated spyware product which its maker claims is sold exclusively to governments and law enforcement, on his laptop at his home in suburban Maryland. 
A forensic examination of his computer showed that the Ethiopian government had been recording Mr. Kidane’s Skype calls, as well as monitoring his (and his family’s) web and email usage. The spyware was launched when Kidane opened an attachment in an email. The spying began at his home in Maryland. The spyware then reported everything it captured back to a command and control server in Ethiopia, owned and controlled by the Ethiopian government. The infection was active from October 2012 through March 2013, and was stopped just days after researchers at the University of Toronto’s Citizen Lab released a report exposing Ethiopia's use of FinSpy. The report specifically referenced the very IP address of the Ethiopian government server responsible for the command and control of the spyware on Mr. Kidane’s laptop. We strenuously disagree with the D.C. Circuit’s opinion in this case. Foreign governments should not be immune from suit for injuring Americans in their own homes and Americans should be as safe from remote controlled, malware, or robot attacks as they are from human agents. The FSIA does not require the courts to close their doors to Americans who are attacked, and the court’s strained reading of the law is just wrong. Worse still, according to the court, so long as the foreign government formed even the smallest bit of its tortious intent abroad, it’s immune from suit. We are evaluating our options for challenging this ruling. Related Cases:  Kidane v. Ethiopia

The Foilies 2017 (Mon, 13 Mar 2017)
Recognizing the Year’s Worst in Government Transparency A thick fog is rolling in over Sunshine Week (March 12-18), the annual event when government transparency advocates raise awareness about the importance of access to public records.  We are entering an age when officials at the highest levels seek to discredit critical reporting with “alternative facts,” “fake news” slurs, and selective access to press conferences—while making their own claims without providing much in the way to substantiate them. But no matter how much the pundits claim we’re entering a “post-truth” era, it is crucial we defend the idea of proof.  Proof is in the bureaucratic paper trails. Proof is in the accounting ledgers, the legal memos, the audits, and the police reports. Proof is in the data. When it comes to government actions, that proof is often obtained by leveraging laws like the Freedom of Information Act (FOIA) and state-level public records laws—except when government officials seek to ignore the rules to suppress evidence. At the same time, this is also par for the course. As award-winning investigative reporter Shane Bauer recently posted on Twitter: “I’ve been stonewalled by the government throughout my journalistic career. I’m seriously baffled by people acting like this is brand new.” For the third year, the Electronic Frontier Foundation presents “The Foilies,” our anti-awards identifying the times when access to information has been stymied or when government agencies have responded in the most absurd ways to records requests. Think of it as the Golden Raspberries but for government transparency, where the bad actors are actually going off script to deny the public the right to understand what business is being conducted on their behalf. 
To compile these awards, EFF solicited nominations from around the country and scoured through news stories and the #FOIAFriday Twitter threads to find the worst, the silliest, and the most ridiculous responses to requests for public information. Quick Links: The Make America Opaque Again Award - President Donald Trump The Hypocrisy Award - Vice President Mike Pence The Frogmarch Award - Town of White Castle, Louisiana The Arts and Crafts Award - Public Health Agency of Canada The Whoa There, Cowboy Award - Milwaukee County Sheriff David Clarke The Longhand Award - Portland Commissioner Amanda Fritz The Wrong Address Award - U.S. Department of Justice The Redaction of Interest Award - General Services Administration The Fake News Award - Santa Maria Police Department The Stupid Meter Award - Elster Solutions, Landis+Gyr, Ericsson The Least Productive Beta Testing Award - Federal Bureau of Investigation The Undermining Openness Award - U.S. Department of Justice The Outrageous Fee Award - Missouri Department of Health and Senior Services The Dehumanization Award - New Orleans City Marshall The Lethal Redaction Award - States of Texas and Arizona The Poor Note-taker Award - Secretary of the Massachusetts Commonwealth The Make America Opaque Again Award President Donald Trump A commitment to public transparency should start at the top. But from the beginning of his campaign, President Trump has instead committed to opacity by refusing to release his tax returns, citing concerns about an ongoing IRS audit. Now that he's been elected, Trump's critics, ethics experts, and even some allies have called on him to release his tax returns and prove that he has eliminated potential conflicts of interest and sufficiently distanced himself from the businesses in his name that stand to make more money now that he's in office. But the Trump administration has not changed its stance. 
No matter where you stand on the political spectrum, the American public should be outraged that we now have the first sitting president since the 1970s to avoid such a baseline transparency tradition.  The Hypocrisy Award Former Indiana Governor—and current Vice President—Mike Pence Vice President Mike Pence cared a lot about transparency and accountability in 2016, especially when it came to email. A campaign appearance couldn't go by without Pence or his running mate criticizing Democratic candidate Hillary Clinton for using a private email server during her tenure as Secretary of State.  In fact, the Foilies honored Clinton last year for her homebrewed email approach. But Pence seemed much less bothered by those transparency and accountability concerns when he used a private AOL email address to conduct official business as Indiana's governor. The Indianapolis Star reported in February that Pence used the account to communicate "with top advisors on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe." That means that critical homeland security information was kept in an account likely less secure than government accounts (his account was reportedly hacked too), and Pence's communications were shielded from government records requirements. The Frogmarch Award Town of White Castle, Louisiana The only thing that could’ve made reporter Chris Nakamoto’s public records request in the small town of White Castle, Louisiana a more absurd misadventure is if he’d brought Harold and Kumar along with him. As Chief Investigator for WBRZ in Baton Rouge, Nakamoto filed records requests regarding the White Castle mayor’s salary. 
But when he turned up with a camera crew at city hall in March 2016 to demand missing documents, he was escorted out in handcuffs, locked in a holding cell for an hour, and charged with a misdemeanor for “remaining after being forbidden.” What’s worse is that Nakamoto was summoned to appear before the “Mayor’s Court,” a judicial proceeding conducted by the very same mayor Nakamoto was investigating.  Nakamoto lawyered up and the charges were dropped two months later. “If anything, my arrest showed that if they’ll do that to me, and I have the medium to broadcast and let people know what’s happening to me, think about how they’re treating any citizen in that town,” Nakamoto says.  The Arts and Crafts Award Public Health Agency of Canada Journalists are used to receiving documents covered with cross-outs and huge black boxes. But in May 2016, Associated Press reporters encountered a unique form of redaction from Public Health Agency of Canada when seeking records related to the Ebola outbreak. As journalist Raphael Satter wrote in a letter complaining to the agency: “It appears that PHAC staff botched their attempt to redact the documents, using bits of tape and loose pieces of paper to cover information which they tried to withhold. By the time it came into my hands much of the tape had worn off and the taped pieces had been torn." Even the wryest transparency advocates were amused when Satter wrote about the redaction art project on Twitter, but the incident did have more serious implications. At least three Sierra Leonean medical patients had their personal information exposed. Lifting up the tape also revealed how the agency redacted information that the reporters believed should’ve been public, such as email signatures. The Office of the Privacy Commissioner of Canada said it would investigate, but Satter says he hasn’t heard anything back for 10 months.  
The Whoa There, Cowboy Award Milwaukee County Sheriff David Clarke Milwaukee Sheriff David Clarke rose to prominence in 2016 as one of then-candidate Donald Trump’s top surrogates, prone to making inflammatory remarks about the Black Lives Matter movement, such as calling them a hate group and linking them to ISIS. But the press has also been a regular target.  Milwaukee Journal Sentinel Political Watchdog Columnist Daniel Bice filed a series of records requests with the sheriff’s office, demanding everything from calendars, to details about an NRA-funded trip to Israel, to records related to a series of jail deaths.  So far, Clarke has been extremely slow to release this information, while being extremely quick to smear the reporter on the sheriff’s official Facebook page. Clarke frequently refers to the publication as the “Urinal Sentinel” and has diagnosed Bice with “Sheriff Clarke Derangement Syndrome.” “I deal with open records requests with local governments and police departments, I do it at the city, county, and state level,” Bice says. “He’s by far the worst for responding to public records.”  In May 2016 Clarke published a short essay on Facebook titled, “When Journalism Becomes an Obsession.” Clarke claimed that after he rejected Bice’s request for an interview, Bice retaliated with a series of public records requests, ignoring the fact that these requests are both routine and are often a reporter’s only recourse when an official refuses to answer questions.  “This lazy man’s way of putting together newspaper columns uses tax-paid, government employees as pseudo-interns to help him gather information to write stories,” Clarke wrote. Memo to Clarke: requesting and reviewing public records is tedious and time-consuming, and certainly not the way to score an easy scoop. If anything, ranting on Facebook, then issuing one-sentence news releases about those Facebook posts, are the lazy man’s way of being accountable to your constituents. 
The Longhand Award Portland Commissioner Amanda Fritz A local citizen in Portland, Ore. filed a records request to find out everyone that City Commissioner Amanda Fritz had blocked or muted from her Twitter account. This should’ve been easy. However, Fritz decided to go the long way, scribbling down each and every handle on a sheet of paper. She then rescanned that list in, and sent it back to the requester.  The records did show that Fritz had decided to hush accounts that were trying to affect public policy, such as @DoBetterPDX, which focuses on local efforts to help homeless people, and anonymous self-described urban activist @jegjehPDX.  Here’s a tip for officials who receive similar requests: all you need to do is go to your “Settings and Privacy” page, select the “Muted accounts” or “Blocked accounts” tab, and then click “export your list.”  The Wrong Address Award U.S. Department of Justice America Rising PAC, a conservative opposition research committee, has been filing FOIA requests on a number of issues, usually targeting Democrats. Following Supreme Court Justice Antonin Scalia’s passing, the PAC sent a FOIA to the Attorney General seeking emails referencing the death.  But America Rising never received a response acknowledging the DOJ received the request. That’s because the DOJ sent it to a random federal inmate serving time on child pornography charges. The offender, however, was nice enough to forward the message to the PAC with a note railing against the “malicious incompetence” of the Obama administration. 
The Redaction of Interest Award General Services Administration One of the threads that reporters have tried to unravel through the Trump campaign is how the prolific businessman would separate himself from his financial interests, especially regarding his 30-year contract with the federal government to build a Trump International Hotel at the location of the federally owned Old Post Office in D.C., a paper airplane’s flight from the White House. BuzzFeed filed a FOIA request with the General Services Administration for a copy of the contract. What they received was a highly redacted document that raised more questions than it answered, including what role Trump’s family plays in the project.  “The American taxpayer would have no clue who was getting the lease to the building,” says reporter Aram Roston, who was investigating how Trump failed to uphold promises made when he put in a proposal for the project. “You wouldn’t know who owned this project.” After pushing back, BuzzFeed was able to get certain sections unredacted, including evidence that Trump’s three children—Ivanka, Donald Jr. and Eric—all received a 7.425% stake through their LLCs, seemingly without injecting any money of their own.  The Fake News Award Santa Maria Police Department In 2015, the Santa Maria Police Department in California joined many other agencies in using the online service Nixle to distribute public information in lieu of press releases. The agency told citizens to sign up for “trustworthy information.” Less than a year later, police broke that trust. The Santa Maria Police posted to its Nixle account a report that two individuals had been arrested and deported, which was promptly picked up by the local press. Months later, court documents revealed that it had all been a lie to ostensibly help the individuals—who had been targeted for murder by a rival gang—escape the city. Police were fiercely unapologetic. 
The agency has yet to remove the offending alert from Nixle or offer any kind of addendum, a direct violation of Nixle’s terms of service, which prohibits the transmission of “fraudulent, deceptive, or misleading communications” through the service. The Stupid Meter Award Elster Solutions, Landis+Gyr, Ericsson In May 2016 several smart meter companies sued transparency website MuckRock and one of its users, Phil Mocek, in a failed attempt to permanently remove documents from the website that they claimed contained trade secrets. Some of the companies initially obtained a court order requiring MuckRock to take down public records posted to the site that the City of Seattle had already released to the requester.  But in their rush to censor MuckRock and its user, the companies overlooked one small detail: the First Amendment. The Constitution plainly protected MuckRock’s ability to publish public records one of its users lawfully obtained from the City of Seattle, regardless of whether they contained trade secrets. A judge quickly agreed, ruling that the initial order was unconstitutional and allowing the documents to be reposted on MuckRock. The case and several others filed against MuckRock and its user later settled or were dismissed outright. The documents continue to be hosted on MuckRock for all to see. But, uh, great job guys! The Least Productive Beta Testing Award Federal Bureau of Investigation The FBI spent most of 2016 doing what might be charitably described as beta testing a proprietary online FOIA portal that went live in March. But beta testing is probably a misnomer because it implies that the site actually improved after its initial rollout. The FBI’s year of “beta testing” included initially proposing a requirement that requesters submit a copy of their photo ID before submitting a request via the portal and also imposed “operating hours” and limited the number of requests an individual could file per day. 
Yet even after the FBI walked back from those proposals, the site appears designed to frustrate the public’s ability to make the premier federal law enforcement agency more transparent. The portal limits the types of requests that can be filed digitally to people seeking information about themselves or others. Requesters cannot use the site to request information about FBI operations or activities, otherwise known as the bread and butter of FOIA requests. Oh, and the portal’s webform is capped at 3,000 characters, so brevity is very much appreciated!  Worse, now that the portal is online, the FBI has stopped accepting FOIA requests via email, meaning fax and snail mail are now supposed to be the primary (and frustratingly slow) means of sending requests to the FBI. It almost seems like the FBI is affirmatively trying to make it hard to submit FOIA requests. The Undermining Openness Award U.S. Department of Justice  Documents released in 2016 in response to a FOIA lawsuit by the Freedom of the Press Foundation show that the U.S. Department of Justice secretly lobbied Congress in 2014 to kill a FOIA reform bill that had unanimously passed the U.S. House of Representatives 410-0.  But the secret axing of an overwhelmingly popular transparency bill wasn’t even the most odious aspect of DOJ’s behavior. In talking points disclosed via the lawsuit, DOJ strongly opposed codifying a “presumption of openness,” a provision that would assume by default that every government record should be disclosed to the public unless an agency could show that its release could result in foreseeable harm. 
DOJ’s argument: “The proposed amendment is unacceptably damaging to the proper administration of FOIA and of the government as a whole,” which is bureaucratese for something like “What unhinged transparency nut came up with this crazy presumption of openness idea anyway?”  That would be Obama, whose FOIA guidance on his first day in office back in 2009 was the blueprint for the presumption of openness language included in the bill. Perhaps DOJ thought it had to save Obama from himself? DOJ’s fearmongering won out and the bill died. Two years later, Congress eventually passed a much weaker FOIA reform bill, but it did include the presumption of openness DOJ had previously fought against. We’re still waiting for the “government as a whole” to collapse. The Outrageous Fee Award Missouri Department of Health and Senior Services When public agencies get requests for digital data, officials can usually simply submit a query straight to the relevant database.  But not in Missouri apparently, where officials must use handcrafted, shade-grown database queries by public records artisans. At least, that’s the only explanation we can come up with for why the Missouri Department of Health and Senior Services estimated that it would take roughly 35,000 hours and $1.5 million to respond to an exceedingly simple request for state birth and death data. Nonprofit Reclaim the Records, whose name pretty eloquently sums up its mission, believed that a simple database query combined with copy and paste was all that was needed to fulfill its request. Missouri officials begged to differ, estimating that it would take them the equivalent of a person working around the clock for more than four years to compile the list by hand.  Although the fee estimate is not the highest the Foilies has ever seen—that honor goes to the Pentagon for its $660 million estimate in response to a MuckRock user’s FOIA request last year—Missouri’s estimate was outrageous. 
Stranger still, the agency later revised their estimated costs down to $5,000 without any real explanation. Reclaim the Records tried negotiating further with officials, but to no avail, as officials ultimately said they could not fulfill the request. Reclaim the Records has since filed a lawsuit for the data.  The Dehumanization Award New Orleans City Marshall Public officials often dehumanize the news media to score cheap points, but can the same ploy work when fighting public records requests? That’s the issue in a very strange case between the IND, a Lafayette media outlet, and a city marshal. After the marshal lost his bid to keep records secret in the trial court, he appealed on the grounds that IND had no right to bring the lawsuit in the first place.  The marshal, who faced fines, community service, and house arrest for failing to turn over records, argues that Louisiana’s public records law requires that a living, breathing human make a request, not a corporate entity such as IND.  Make no mistake: there is no dispute that an actual human filed the request, which sought records relating to a bizarre news conference in which the marshal allegedly used his public office to make baseless allegations against a political opponent. Instead, the dispute centers on a legal formalism of whether IND can sue on its own behalf, rather than suing under the name of the reporter. The marshal’s seemingly ridiculous argument does have some basis in the text of the statute, which defines a requester as a person who is at least 18 years old. That said, it’s an incredibly cynical argument, putting the letter well over the spirit of the law in what appears to be a well-documented effort by the marshal to violate the law and block public access. We hope the learned Louisiana appellate judges see through this blatant attempt to short-circuit the public records law. 
The Lethal Redaction Award States of Texas and Arizona  BuzzFeed Reporters Chris McDaniel and Tasneem Nashrulla have been on a quest to find out where states like Texas and Arizona are obtaining drugs used in lethal injection, as some pharmaceutical suppliers have decided not to participate in the capital punishment machine. But these states are fighting to keep the names of their new suppliers secret, refusing to release anything identifying the companies in response to BuzzFeed’s FOIA requests. At the crux of the investigation is whether the states attempted to obtain the drugs illegally from India. At least one shipment is currently being detained by the FDA. The reason for transparency is obvious if one looks only at one previously botched purchase the reporters uncovered: Texas had tried to source pentobarbital from an Indian company called Provizer Pharma, run by five 20-year-olds. Indian authorities raided their offices for allegedly selling psychotropic drugs and opioids before the order could be fulfilled.  The Poor Note-taker Award Secretary of the Massachusetts Commonwealth Updates to Massachusetts’ public records laws were set to take effect in January 2016, with Secretary of the Commonwealth William Galvin tasked with promulgating new regulations to clear up the vague language of the law. But Galvin didn’t exactly take his duty seriously. Instead he crafted a regulation allowing his office to dodge requirements that public records appeals be handled in a timely fashion. But no regulation could take effect without public hearing. So he went through the motions and dispatched an underling to sit at a table and wait out the public comment – but didn’t keep any kind of record of what was said. A close-up captured by a Boston Institute for Nonprofit Journalism reporter showed a pen lying on a blank pad of paper. Asked by a reporter about the lack of notes, the underling said, “I was just here to conduct this hearing. 
That’s all I can say.”

ICANN's Special Privileges for Trademark Owners are The.Worst (Sat, 11 Mar 2017)
If gaining control of hundreds of Internet domains that resemble your business name at a single stroke sounds like a trademark lawyer's wet dream, you may be surprised to learn that this is just one of the special powers that brand owners have under a little-known ICANN mechanism, the Trademark Clearinghouse. A letter released today by twenty-one law professors and practitioners exposes this and other privileges that ICANN bestows on brand owners, and sounds an urgent note of caution to the ICANN working group that is currently reviewing these special powers. One of the flaws in ICANN's complex multi-stakeholder structure is the deference paid to private commercial interests. Within ICANN's Generic Names Supporting Organization (which is responsible for developing policy for most Internet domains), there are no fewer than five separate constituency groups representing commercial interests, and only two representing the interests of non-commercial and not-for-profit interests. One of the commercial constituencies is the influential and well-funded Intellectual Property Constituency, which promotes the interests of trademark and copyright holders within ICANN. Following a sustained lobbying effort, in 2013 the Intellectual Property Constituency won an unprecedented set of new powers for trademark holders as a condition of ICANN's subsequent introduction of hundreds of new top-level domains. Perhaps the worst of these is the Trademark Clearinghouse, a system that gives brand owners special powers to prevent the registration of domain names that contain their trademarks. This veto power applies even in cases where their use in a domain name is not actually a trademark infringement—for example because of the defense of fair use, or because the domain name is in a different category of goods or services to that in which the mark is used, or because the words in the mark are only protected as part of a distinctive design. 
A particularly egregious example of the abuse of the Trademark Clearinghouse is in the veto power reportedly granted to an English company over the use of the word "The" in ICANN's new domains. (We say "reportedly" because the Trademark Clearinghouse doesn't provide any search function enabling us to verify trademark record registrations; quite a backward leap in transparency when compared with national trademark registries.) The company granted this power doesn't, as far as we could ascertain, operate in the automotive, gambling, health services, or education sectors. And yet it has been able to use the veto powers obtained through the Trademark Clearinghouse to gain priority status to register domains such as the.cars, the.casino, the.doctor, the.school, and the.university—amongst many others.  ICANN's acquiescence to even the most outlandish demands of the trademark lobby has also set a precedent enabling some registries to go even further; for example, the registry Donuts (which we recently exposed as an architect of the copyright-blocking Healthy Domains Initiative) offers a DPML-Plus program that allows brand owners to block registrations not only of their registered marks, but also substrings, misspellings and variants of those marks, across hundreds of domains, for a period of ten years. We are aware of no national trademark system anywhere in the world that provides such extensive privileges to brand owners. Neither is there any convincing reason why the domain industry should be providing them with such privileges. Today's letter to ICANN exposes this scam and calls upon ICANN to stop being so solicitous to brand owners at the expense of other legitimate users of the domain name system. In particular, we are very clear that ICANN should not extend the Trademark Clearinghouse to top-level domains that it doesn't already cover, such as the most widely used domains .com, .org, and .net. 
Looking forward, ICANN should also review the failings of the Trademark Clearinghouse system and roll it back from the more than 1,000 domains to which it already applies.

Work with EFF This Summer! Apply to be a Google Public Policy Fellow (Fri, 10 Mar 2017)
If you’re a student who is passionate about emerging Internet and technology policy issues, come work with EFF this summer as a Google Public Policy Fellow! This is the tenth year we’ve offered this Fellowship1, an opportunity for undergraduate, graduate, and law students to work alongside EFF’s international team for 10 weeks on projects advancing debate on key public policy issues. EFF is looking for someone who shares our passion for the free and open Internet. You'll have the opportunity to work on a variety of issues, including censorship and global surveillance. Applicants must have strong research and writing skills, the ability to produce thoughtful original policy analysis, a talent for communicating with many different types of audiences, and be independently driven. Below are the basic application guidelines. More specific information can be found here. You must be 18 years of age or older by January 1, 2017. In order to participate in the program, you must be a student. Google defines a student as an individual enrolled in or accepted into an accredited institution including (but not necessarily limited to) colleges, universities, masters programs, PhD programs and undergraduate programs. Eligibility is based on enrollment in an accredited university by January 1, 2017. You must be eligible and authorized to work in the United States. Program timeline is June 5, 2017 - August 11, 2017, with regular programming throughout the summer. The application period opens Friday, March 10, 2017 for the North America region and all applications must be received by 12:00AM midnight ET, Friday, March 24, 2017. Acceptance will be announced the week of April 18, 2017. The accepted applicant will receive a stipend of USD $7,500 in 2017 for their 10-week long Fellowship. To apply with the Electronic Frontier Foundation, follow this link. 1. Note: This internship is associated with EFF's international team and is separate from EFF's summer legal internship program. 

Leaked Report Slams European Link Tax and Upload Filtering Plans (Thu, 09 Mar 2017)
Earlier this week we explained how the tide is turning against the European Commission's proposal for Internet platforms to adopt new compulsory copyright filters as part of its upcoming Directive on Copyright in the Digital Single Market. As we explained, users and even the European Parliament's Committee on the Internal Market and Consumer Protection (IMCO) have criticized the Commission's proposal, which could stifle online expression, hinder competition, and suppress legal uses of copyrighted content, like creating and sharing Internet memes. Since then, a leaked report has revealed that one of the European Parliament's most influential committees has also come out against the proposal. As the IMCO committee's report had done, the report of the European Parliament's Legal Affairs (JURI) Committee not only criticizes the upload filtering proposal (aka. Article 13, or the #censorshipmachine), but renders even harsher judgment on a separate proposal to require online news aggregators to pay copyright-like licensing fees to the publishers they link to (aka. Article 11, or the link tax). We'll take these one at a time. JURI Committee Scales Back the EU's Censorship Machine The JURI committee would maintain the requirement for copyright holders to "take appropriate and proportionate measures to ensure the functioning of agreements concluded with rightsholders for the use of their works." But the committee rejects the proposed requirement for automatic blocking or deletion of uploaded content, because it fails to take account of the limitations and exceptions to copyright that Europe recognizes, such as the right of quotation. The committee writes in an Explanatory Statement: The process cannot underestimate the effects of the identification of user uploaded content which falls within an exception or limitation to copyright. 
To ensure the continued use of such exceptions and limitations, which are based on public interest concerns, communication between users and rightsholders also needs to be efficient. The committee also affirms that the agreements between rightsholders and platforms don't detract from the safe harbor protection for platforms that Europe's E-Commerce Directive already provides (which is analogous to the DMCA safe harbor in the U.S.). This means that if user-uploaded content appears on a platform without a license from the copyright holder, the platform's only obligation is to remove that content on receipt of a request by the copyright holder. We would have liked to see a stronger denunciation of the mandate for Internet platforms to enter into licensing agreements with copyright holders, and we maintain that the provision is better deleted altogether. Nonetheless, the committee's report, if reflected in the final text, should rule out the worst-case scenario of platforms being required to automatically flag and censor copyright material as it is uploaded.  European Link Tax Faces its Toughest Odds Ever The leaked report goes further in its response to the link tax, recommending that it be dropped from the new copyright directive altogether. Given the failure of smaller scale link tax schemes in Germany and Spain, this was the only sensible position for the committee to take. The Explanatory Statement to the report correctly distinguishes between two separate aspects of the use of news reporting online that the Commission's original proposal incorrectly conflates: Digitalisation makes it easier for content found in press publications to be copied or taken. Digitalisation also facilitates access to news and press by providing digital users a referencing or indexing system that leads them to a wide range of news and press. Both processes need to be recognised as separate processes. 
Instead of introducing new monopoly rights for publishers, the JURI committee suggests simplifying the process by which publishers can take copyright infringement action in the names of the journalists whose work is appropriated. This would address the core problem of full news reports being republished without permission, but without creating new rights over mere snippets of news that accompany links to their original sources. Far from being a problem, this use is actually beneficial for news organizations. The JURI committee report is just a recommendation for the amendment of the European Commission proposal, and it will still be some months before we learn whether these recommendations will be reflected in the final compromise text. Nonetheless, it is heartening to see the extreme proposals of the Commission getting chiseled away by one of the Parliament's most influential committees. The importance of this shouldn't be underestimated. Although the above proposals are limited to Europe at present, there is the very real prospect that, if they succeed, they will pop up in the United States as well. In fact, U.S. content industry groups are already advocating for the adoption of an upload filtering proposal stateside. That's why it's vital not only for Europeans to speak out against these dangerous proposals, but also for Internet users around the world to stand on guard, and to be ready to fight back.

EFF Applauds Amazon For Pushing Back on Request for Echo Data (Thu, 09 Mar 2017)
The number of Internet-enabled sensors in homes across the country is steadily increasing. These sensors are collecting personal information about what’s going on inside the home, and they are doing so in a volume and detail never before possible. The law, of course, has not kept up. There are no rules specifically designed for law enforcement access to data collected from in-home personal assistants or other devices that record what’s going on inside the home, even though the home is considered the heart of Fourth Amendment protection. That’s why it’s critical that companies push back on requests via currently existing rules for data collected via these new in-home devices.[1] EFF applauds Amazon for doing just that—pushing back on a law enforcement request for in-home recordings from its Echo device. The widely-publicized case involves a first-degree murder investigation out of Bentonville, Arkansas. The victim, Victor Collins, was found in November 2015 at his friend’s home. The two had been drinking and watching football with a few others at the friend’s home the night before. The friend, James Bates, was charged with first-degree murder. He pled not guilty and is currently awaiting trial. During a search of the defendant’s home in December 2015, police found an Amazon Echo in the kitchen. The police seemed to think that the device—which is “always listening” to its surroundings for its “wake” words, Alexa, Echo, or Amazon—may have recorded what went on inside the home. They seized the device and later served Amazon with a warrant for any “audio recordings, transcribed records, or other text records related to communications and transactions” between the Echo device and Amazon’s servers for a 48-hour period surrounding the incident, along with subscriber and account information. Amazon turned over the defendant’s subscriber information and purchase history, but it refused to turn over any recordings or transcripts.
The police sought to get the data via another route. A few months later, they got a second warrant—this time to search the devices they had in their possession: the physical Echo device and the defendant’s two cell phones (which, if the defendant used the Alexa app, could have contained Alexa recordings or transcripts). They were able to “extract the data” stored on the Echo device and one of the defendant’s phones, but the second phone was encrypted.  In December 2016, the State of Arkansas informed Amazon that it intended to enforce the original warrant. Amazon filed a motion to quash the warrant on February 17, 2017. Amazon argued that the request for the Alexa recordings and transcripts implicated First Amendment protected speech and that the police therefore needed to make a heightened showing before it could compel Amazon to turn over the information. As Amazon explained, the First Amendment protects not only users’ verbal requests to Alexa, but also Alexa’s responses. Alexa’s responses are protected for two reasons. First, they contain expressive material specifically requested by the user, such as podcasts, books, or music. Second, the responses are also the speech of Amazon, and they are protected the same way that a search engine’s results are protected. (Read: Despite some early reports to the contrary, Amazon never argued that the device itself had constitutional rights.) Amazon argued that because the police were seeking access to First Amendment protected content, they needed to show a compelling need for the information and establish a sufficient nexus between the information sought and the underlying investigation. The Bentonville police hadn’t done that, so Amazon was right to push back. A hearing on Amazon’s motion was scheduled for March 8, but it was cancelled after the defendant agreed to release the information to the authorities. With Bates’ consent, Amazon has since turned over the requested recordings to the Bentonville police. 
We applaud Amazon for sticking up for its user’s rights and pushing back until it had that consent. [1] Depending on what data is requested, generally applicable data protection laws may apply, but they may not in all cases, especially where the data requested is especially sensitive.

Will the TPP Live on in NAFTA and RCEP? (Thu, 09 Mar 2017)
The collapse of the Trans-Pacific Partnership (TPP) was the worst defeat suffered by big content since we killed SOPA and PIPA five years ago. But our opponents are persistent, well-funded, and stealthy, and we can't expect them to give up that easily. So, just as they have continued to push for SOPA-like Internet censorship mechanisms in various other fora, so too we have been keeping a watchful eye for the recycling of TPP proposals into other trade negotiations. It hasn't taken long for that to happen. Preliminary steps towards the renegotiation of NAFTA, the North American Free Trade Agreement, have already begun, and Alan Davidson, former director of digital economy issues at the Commerce Department, has flagged the problematic e-commerce provisions of the TPP as suitable for transplanting into the renegotiated agreement. "TPP is a terrific starting point," he is reported as saying. Across the other side of the world, TPP is also being touted as the right standard for Asia's secretive Regional Comprehensive Economic Partnership (RCEP), whose negotiators met in Tokyo last week. This week an Independent Commission on Trade Policy, composing seven former trade negotiators and academics from the Asia-Pacific region, released a report titled Charting a Course for Trade and Economic Integration in the Asia-Pacific. The report recommends "that policy makers should, in light of the U.S. withdrawal, advance the TPP’s high standards in the Asia-Pacific region." Tying these developments together, the trade ministers of the former TPP countries, which include most of the NAFTA and RCEP members, are convening in Chile next week [PDF], and it is expected that several countries will use that meeting to push for the resurrection of the TPP, without the participation of the United States. But the folly of this project is that by failing to learn from the history of the TPP's demise, the participating countries are doomed to repeat it. 
The proximate cause of the deal's collapse was not the withdrawal of the United States, but the factors that caused that withdrawal—widespread public dissatisfaction with the secrecy of these agreements and their domination by big business, all in the promise of economic gains that have failed to materialize. Such is the message that more than 200 civil society groups from across the world gave today, in a letter sent to their trade ministers as they head to Chile. The letter, which EFF endorsed, says in part: [W]e believe it is not acceptable for TPP rules to be used as a model for future trade negotiations whether bilateral, regional or multilateral, including the World Trade Organisation. We urge you to accept that this model has failed, and to engage with us and others in a more open and democratic process to develop alternative approaches that genuinely serve the interests of our peoples, our nations and the planet. Without correcting the underlying faults in the process by which the TPP was negotiated, there is no point in attempting to replicate its provisions in future trade deals. We join colleagues from around the world in calling on trade ministers to abandon the closed, captured model of trade negotiation that led to the failed TPP. As disappointing for trade ministries as the failure of the TPP was, they need to head back to the drawing board, fix this broken process, and meaningfully consult with users before attempting any future trade deals that affect the Internet.

Digital Privacy at the U.S. Border: A New How-To Guide from EFF (Thu, 09 Mar 2017)
Protect Yourself While Traveling To and From the U.S. San Francisco - Increasingly frequent and invasive searches at the U.S. border have raised questions for those of us who want to protect the private data on our computers, phones, and other digital devices. A new guide released today by the Electronic Frontier Foundation (EFF) gives travelers the facts they need in order to prepare for border crossings while protecting their digital information. “Digital Privacy at the U.S. Border” helps everyone do a risk assessment, evaluating personal factors like immigration status, travel history, and the sensitivity of the data you are carrying. Depending on which devices come with you on your trip, your gadgets can include information like your client files for work, your political leanings and those of your friends, and even your tax return. Assessing your risk factors helps you choose a path to proactively protect yourself, which might mean leaving some devices at home, moving some information off of your devices and into the cloud, and using encryption. EFF’s guide also explains why some protections, like fingerprint locking of a phone, are less secure than other methods. “Border agents have more power than police officers normally do, and people crossing the border have less privacy than they usually expect,” said EFF Staff Attorney Sophia Cope. “Border agents may demand that you unlock your phone, provide your laptop password, or disclose your social media handles. Yet this is where many of us store our most sensitive personal information. We hope this guide makes preparing for your trip and protecting your devices easier and more effective.” Many travelers are confused about what is legal at the border, and the consequences for running afoul of a border agent can run the gamut from indefinite seizure of your phone and computer, to denial of entry for foreign visitors, although American citizens always have the right to re-enter the country. 
EFF’s new guide hopes to clear up misinformation while recognizing that there is no “one size fits all” approach to crossing into the United States. In addition to the full report, EFF has also created a pocket guide for helping people concerned with data protection. “The border is not a Constitution-free zone, but sometimes the rules are less protective of travelers and some border agents can be aggressive,” said EFF Senior Staff Attorney Adam Schwartz. “That can put unprepared travelers in a no-win dilemma at the U.S. border. We need clearer legal protections for everyone, but in the meantime, our report and pocket guides aim to put more power back into the hands of travelers.” For “Digital Privacy at the U.S. Border”: https://www.eff.org/wp/digital-privacy-us-border-2017 For EFF’s pocket guide: https://www.eff.org/document/eff-border-search-pocket-guide For EFF’s summary of your constitutional rights: https://www.eff.org/document/digital-privacy-us-border Contact: Sophia Cope Staff Attorney sophia@eff.org Adam Schwartz Senior Staff Attorney adam@eff.org

EU Internet Advocates Launch Campaign to Stop Dangerous Copyright Filtering Proposal (Wed, 08 Mar 2017)
In the wake of the European Commission’s dangerous proposal to require user-generated content platforms to filter user uploads for copyright infringement, European digital rights advocates are calling on Internet users throughout Europe to stand up for freedom of expression online by urging their MEP (Member of European Parliament) to stop the #CensorshipMachine and “save the meme.” Last year, the European Commission released a proposed Directive on Copyright in the Digital Single Market, Article 13 of which would require all online service providers that “store and provide to the public access to large amounts of works or other subject-matter uploaded by their users” to reach agreements with rights holders to keep allegedly infringing content off their sites – including by implementing content filtering technologies. We’ve talked at length about the dangers of this proposal, and the problems with filtering the Internet for copyright infringement. For one thing, it’s extremely dangerous for fair use and free expression online. This week, two EU-based organizations are calling on Internet users to stand up for their rights to lawfully use copyrighted works, and to call on the European Parliament to remove Article 13 from the proposed directive. Bits of Freedom, a Netherlands-based organization, launched a campaign website where you can “save the meme” by contacting an MEP and urging them to delete Article 13.  The site calls attention to the proposed directive’s impact on popular legal uses of copyrighted content, “like parody, citations and –oh, noes! – memes,” and provides a handy tool for getting in touch with your MEP. Simultaneously, the activist group Xnet, with support from EFF, EDRi, and several other digital rights groups released this video highlighting how Article 13 would give copyright holders the ability to censor a wide swath of online expression. 
(Video: https://www.youtube.com/embed/qAcTeYtUzQY) Digital rights advocates aren’t the only ones seeing problems with this proposal. Article 13 has been criticized by academics and academic research centers, and members of the EU’s startup community as well. And earlier this month, an important committee charged with reviewing the proposal, the European Parliament Committee on the Internal Market and Consumer Protection, criticized Article 13 as “incompatible with the limited liability regime” currently in effect in the EU under the e-Commerce Directive, legislation the committee refers to as “enormously beneficial.” The committee’s report warns of Article 13’s “negative impacts on the digital economy [and] internet freedoms of consumers,” as well as its potential effect on market entry for online services. The Committee also criticized the proposal’s call to implement technological filtering solutions, explaining “[t]he use of filtering potentially harms the interests of users, as there are many legitimate uses of copyright content that filtering technologies are often not advanced enough to accommodate.” There’s still time to stop Article 13 before it becomes law in the EU. The proposed directive must pass through several more rounds of review by European Parliament Committees, followed by an informal “trialogue”, where the European Parliament, the European Commission, and the Council of the European Union try to agree on the text of the directive, before it finally moves to consideration by Parliament. If you’re in Europe, you can take action to stop Article 13 by going to savethememe.net. If you’re not, you can share that link with your European friends.

Congress is Trying to Roll Back Internet Privacy Protections As You Read This (Tue, 07 Mar 2017)
Back in 2014 over 3 million Internet users told the U.S. government loudly and clearly: we value our online security, we value our online privacy, and we value net neutrality. Our voices helped convince the FCC to enact smart net neutrality regulations—including long-needed privacy rules. But it appears some members of Congress didn’t get the message, because they’re trying to roll back the FCC’s privacy rules right now without having anything concrete ready to replace them. We’re talking here about basic requirements, like getting your explicit consent before using your private information to do anything other than provide you with Internet access (such as targeted advertising). Given how much private information your ISP has about you, strict limits on what they do with it are essential. Luckily, we can stop this train wreck before it happens. But we need your help: please call your senators and your representative right now and tell them to oppose any use of the Congressional Review Act (“the CRA”—they’ll know what it is) to roll back the FCC’s new rules about ISP privacy practices. If you want more ammo for your conversation with congressional staff, read on. But if you’re already fired up, please click here to take action right now. Together, we can stop Congress from undermining crucial privacy protections. What's the tl;dr? Late last year, the FCC passed rules that would require ISPs to protect your private information. It covered the things you would usually associate with having an account with a major company (your name and address, financial information, etc.) but also things like any records they keep on your browsing history, geolocation information (think cell phones), and the content of your communications. Overall, the rules were pretty darn good. But now, Senator Flake (R-AZ) and Representative Blackburn (R-TN) want to use a tool known as a Congressional Review Act resolution to totally repeal those protections.
The CRA allows Congress to veto any regulation written by a federal agency (like the FCC). Worse yet, it forbids the agency from passing any “substantially similar” regulations in the future, so the FCC would be forbidden from ever trying to regulate ISP privacy practices. At the same time, some courts have limited the Federal Trade Commission’s ability to protect your privacy, too. With the hands of two federal agencies tied, ISPs themselves would be largely in charge of protecting their customers’ privacy. In other words, the fox will be guarding the henhouse. Act Now If we seem a little insistent that you take action to stop this, that’s because we sincerely believe that together, we can stop this disaster before it comes to pass. Every time someone calls their representative or senators, we’re one step closer to protecting the privacy of all U.S. Internet users. If we raise our voices the same way we did when it came to passing net neutrality, Congress won’t be able to ignore us. So please, take action and call your senator and representative today, and tell them not to use the CRA to repeal the FCC’s privacy rules.

Expert Panel Explores Tech Policy at the White House (Tue, 07 Mar 2017)
On March 2, EFF Executive Director Cindy Cohn sat down with Alexander Macgillivray and Nicole Wong, both former U.S. Deputy Chief Technology Officers (CTO) under President Obama as well as former legal counsel for Google and Twitter. The panel explored the development of the Obama administration’s policies on the Internet, intellectual property, and digital privacy and speculated on the future of the White House CTO position under President Trump. On March 3rd, we learned that Peter Thiel's former chief of staff Michael Kratsios will be stepping into the role formerly held by Macgillivray and Wong. Both panelists underscored the contributions that technologists can make in civil service and that law and policymakers need informed voices in the room and at the table. "It's incumbent upon [the tech community] to start engaging" said Wong. "I think the technical talent within government is getting much better" and part of that comes from convening the right people within government agencies—including those who are more technologically sophisticated—who understand the issues at stake. Macgillivray also stressed the impact that the tech community at large can have on government policy, stating "the engineering community, as it becomes more powerful, will be able to exercise more moral and political muscle." Watch below for the full discussion touching upon diverse digital civil liberties issues including net neutrality, device searches at the border, predictive policing algorithms, and more: (Video: https://archive.org/embed/20170302TechPolicyWhiteHouse)

Secret Court Orders Aren't Blank Checks for General Electronic Searches (Tue, 07 Mar 2017)
Imagine this: the government, for reasons you don't know, thinks you're a spy. You go on vacation and, while you're away, government agents secretly enter your home, search it, make copies of all your electronic devices, and leave. Those agents then turn those devices upside down, looking through decades worth of your files, photos, and online activity saved on your devices. They don't find any evidence that you're a spy, but they find something else—evidence of another, totally unrelated crime. You're arrested, charged, and ultimately convicted, yet you're never allowed to see what prompted the agents to think you were a spy in the first place. Sounds like something from dystopian fiction, right? Yet it's exactly what happened to Keith Gartenlaub. In January 2014, the FBI secretly entered Gartenlaub's home while he and his wife were on vacation in China. Agents scoured the home, taking pictures, searching through boxes and books, and—critically—making wholesale copies of his hard drives. Agents were authorized by the secret Foreign Intelligence Surveillance Court ("FISC") to search for evidence that Gartenlaub was spying for the Chinese government. There’s only one problem with that theory: the government has never publicly produced any evidence to support it. Nevertheless, Gartenlaub now sits in jail. Not for spying, but because the FBI’s forensic search of his hard drives turned up roughly 100 files containing child pornography, buried among thousands of other files, saved on an external hard drive. Gartenlaub was tried and convicted, and he appealed his conviction to the Ninth Circuit Court of Appeals. EFF (along with our friends at the ACLU) recently filed an amicus brief in support of his appeal. There are plenty of troubling aspects to Gartenlaub’s prosecution and conviction. For one, and unlike normal criminal prosecutions, neither Gartenlaub nor his lawyers have ever seen the affidavit and order issued by the FISC that authorized the search of his home. 
There are also legitimate concerns about the sufficiency of the evidence used to convict him. But we got involved for a different reason: to weigh in on the Fourth Amendment implications of the FBI’s searches of Gartenlaub’s electronic devices. The unusual facts of this case gave us an unusually good opportunity to push for greater Fourth Amendment protections in all searches of electronic devices. Here’s why: when agents copied and searched Gartenlaub’s devices, they were only authorized to search for national security-related information. But the prosecution that resulted from those searches and seizures had nothing to do with national security at all. So, either the FBI seized information that was outside of the warrant (which the Fourth Amendment prohibits); or it was relying on an exception to the warrant requirement, like “plain view”—an exception that allows law enforcement to seize immediately obvious contraband when the government is in a place to lawfully observe it. Plain view makes sense in the physical world. If cops are executing a search warrant for a home to search for drugs, they shouldn’t have to ignore the dead body lying in the living room. But the way plain view works in the digital context—especially forensic computer searches—is not at all clear. How far can cops rummage around our computers for the evidence they’re authorized to look for? Does a warrant to search for evidence of drug dealing allow cops to open all the photos stored on our computer? Does an order authorizing a search for national security information let the government rifle through a digital porn collection? And where do we draw the line between a specific search, based on probable cause for specific information stored on a computer—which the Fourth Amendment allows— and a general search for evidence of criminal activity—which the Fourth Amendment prohibits? Our electronic devices contain decades' worth of personal information about us. 
And, in many ways, searches of our electronic devices can be more intrusive than searches of our homes: there is information stored on our phones, computers, and hard drives, about our interests, our political thoughts, our sexual orientations, or religious beliefs, that might never have been previously stored in our homes—or, for that matter, anywhere at all. Because of the sensitivity of this data, we need clear restrictions on law enforcement searches of our electronic devices, so that every search doesn't turn into the type of general rummaging the Fourth Amendment was designed to prevent. In our brief, we argued this case gave the Court a perfect opportunity to set a clear rule. We argued that the FBI’s search of Gartenlaub’s hard drives for evidence of regular, domestic crimes violated the Fourth Amendment, and we urged the Court to adopt a rule that would prohibit the FBI from using evidence that it obtained that was outside the scope of the initial search authorization. This would be a promising first step in limiting law enforcement’s electronic search powers and in protecting our right to privacy in the digital age. Related Cases: United States v. Gartenlaub

Hey CIA, You Held On To Security Flaw Information—But Now It's Out. That's Not How It Should Work (Tue, 07 Mar 2017)
Wikileaks today released documents that appear to describe software tools used by the CIA to break into the devices that we all use at home and work. While we are still reviewing the material, we have not seen any indications that the encryption of popular privacy apps such as Signal and WhatsApp has been broken. We believe that encryption still offers significant protection against surveillance. The worst thing that could happen is for users to lose faith in encryption-enabled tools and stop using them. The releases do reaffirm that users should make sure they are using the most current version of the apps on their devices.  And vendors should move quickly to patch these flaws to protect users from both government and criminal attackers. The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices—including Android phones, iPhones, and Samsung televisions—that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep --  rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.  Related Cases:  EFF v. NSA, ODNI - Vulnerabilities FOIA Share this: Share on Twitter Share on Facebook Share on Google+ Share on Diaspora Join EFF

A Dangerous California Bill Would Leave Students and Teachers Vulnerable to Intrusive Government Searches (Tue, 07 Mar 2017)
A dangerous bill in California would make it easy for the government to search the cell phones and online accounts of students and teachers. A.B. 165 rips away crucial protections for the more than 6-million Californians who work at and attend our public schools. Under the proposed law, anyone acting “for or on the behalf of” a public school—whether that’s the police or school officials—could search through student, teacher, and possibly even parent digital data without a court issuing a warrant or any other outside oversight. A.B. 165 runs contrary to our values. California is proud to be a leader in protecting the privacy of our citizenry. Not only is the right to privacy baked into the California Constitution, but in 2015 our lawmakers also passed CalECPA—heralded as “the nation’s best digital privacy law”—with broad support from Republicans, Democrats, civil libertarians, tech companies, and members of the law enforcement community. This law strikes the right balance when it comes to protecting privacy and empowering government officials to do their jobs. It ensures that when someone in the government wants to search our digital devices or a police officer wants to search our online accounts, they go to a judge and get a warrant based on probable cause. And it also ensures that the government can act swiftly when life and limb are on the line by providing an exemption when there is an emergency. Some may argue that schools should have different rules. But not only do Californians of all ages and backgrounds deserve and need digital privacy, A.B. 165 is a sledgehammer, not a scalpel. It destroys all the important CalECPA safeguards that protect Californians in the school context from wide-ranging government searches. If A.B.
165 is enacted, CalECPA protections would be stripped from students and teachers, meaning: Anyone acting “for or on the behalf of” a public school can conduct a search—that could potentially be anyone from lunch room attendants to on-campus police officers. School officials have no outside oversight when conducting searches and don’t have to report those searches to anyone. School officials aren’t required to notify anyone—the individual or parents or guardians—about a search. There are no clear limits on what digital data can be searched—photos, appointments, social media accounts, email accounts, text messages, and browser history could all be up for grabs. There are no safeguards to protect how data is used or shared, including with federal agencies. In effect, this means that a school official could search through the cell phones or online accounts of California students and teachers without any type of warrant or oversight and pass that data to federal agencies like U.S. Immigration and Customs Enforcement or others. As Pres. Donald Trump is announcing policies that open the door to rounding up and deporting millions of immigrants in the United States and stripping away the rights of transgender students, A.B. 165 creates a dangerous loophole in California’s privacy safeguards. California students use cell phones to access and communicate deeply sensitive information, like learning about local political events, investigating reproductive health, discussing the immigration status of a family member, or exploring their own gender identity. We can show our students that their dignity and privacy matters by safeguarding their rights to read and communicate without the specter of unfettered government access. Unfortunately, backers of A.B. 165 are the same legislators who fought the passage of CalECPA two years ago. This bill may be aimed at California public schools, but make no mistake: the battle won’t stop here.
If these legislators are able to destroy safeguards for our schools, they’ll turn to other communities and try to strip away these legal protections for other Californians. We need to hold the line. A.B. 165 is currently in the privacy subcommittee of the California Assembly. That means that right now is a very important time to make sure all our California legislators hear us. Please speak out now against A.B. 165. And if you are a California student or teacher who has witnessed the search of a digital device or online account on school property, please report it using our form. Not in California? You can still make a difference. Please reach out to your friends in California and ask them to speak out, and please share this blog post on social media. And if you are with a nonprofit or business that wants to join our coalition in this fight, please email rainey@eff.org.

FOIA Uncovers Part of U.K. Shadow Regulation on Search Engines and Copyright (Tue, 07 Mar 2017)
Last month we wrote about the adoption of a new secret agreement between copyright holders and the major search engines, brokered by the U.K. Intellectual Property Office, aimed at making websites associated with copyright infringement less visible in search results. Since the agreement wasn't publicly available, we simultaneously issued a request under the U.K.'s Freedom of Information Act (FOIA), asking for a copy of the text. Today we received it.[1] The agreement requires search engines to: "expand efforts to more effectively use [copyright infringement] notices to demote domains demonstrated to be dedicated to infringement, and work collaboratively with rights holders to consider other technically reasonable, scalable avenues empirically demonstrated to help materially reduce the appearance of illegitimate sites in the top search rankings." Even before this agreement, Google had already begun to factor the Digital Millennium Copyright Act notices issued against websites into its search ranking algorithm, and Google has confirmed to us that the agreement won't cause it to do anything differently than it was already doing. However, the difference is that its independent efforts to demote links associated with copyright infringement are now taking place under an explicit threat of government regulation if it doesn't make good enough progress by 1 June. It's important to know, then, what amounts to "good enough". And, wouldn't you know it, we can't answer that question because the metrics for measuring progress under the agreement were redacted. The response to our FOIA request explains: "Disclosure of this agreement in full would compromise its effectiveness in combatting copyright piracy, resulting in the perpetuation of commercial detriment of legitimate copyright holders. In effect, disclosure of the exempt information could assist persons intent on circumventing an agreed anti-piracy measure.
The redacted information is also exempt under section 31(1)(a), which relates to the prevention or detection of crime. Disclosure of the redacted information could compromise the effectiveness of the Code as a measure to prevent or reduce the likelihood of copyright theft." What we can be sure of, though, is that the more search engines tighten the criteria that demote websites from the top rankings, the more legitimate websites will trigger a false positive against these criteria, and be unfairly demoted. The U.K. agreement actually recognizes this, stating: "A whitelist process would need to be created to exclude legitimate sites that could be caught within this lower threshold. For an agreed sample of searches using neutral queries in conjunction with artist or content name, the aggregate results should be as follows..." The remainder of that paragraph, though, was also redacted—and a footnote (we would guess added by the copyright lobbyists) notes "Any such process will need to include a mechanism for challenging entries which are not clearly legitimate websites". For a company that previously sustained a record $500m settlement for failing to kow-tow to the demands of rights holders, there are obvious reasons why Google has played along with this process so far. However, it must be very careful that its acquiescence to this shadowy regulation doesn't escalate into a series of capitulations to copyright holder demands. You can read the full text of the agreement that we obtained below.
https://www.eff.org/files/2017/03/06/search_and_copyright_agreement_signed.pdf

[1] We were not the only people to make such a FOIA request. TJ McIntyre from Digital Rights Ireland also made one and received the same information in return.

NY State AG’s Lawsuit Against ISP Shows Why We Need Net Neutrality Protections (Mon, 06 Mar 2017)
And Proves What Time Warner Cable Can Do Worse

Back in 2013, a couple of Internet pranksters who were fed up with Time Warner Cable’s (TWC) dismal customer service released a parody video and website that asked, “What Can We [TWC] do Worse?” In response, the company launched an aggressive takedown campaign against the parodists. But thanks to the New York Attorney General (AG) Eric Schneiderman, we now know exactly what Time Warner Cable did “do worse.” Earlier this month, AG Schneiderman filed a lawsuit alleging that Spectrum-Time Warner Cable (Spectrum-TWC) repeatedly misled customers and used its gatekeeping position to extort money out of content providers. If the allegations are true, the complaint provides several stunning examples of the kind of bad behavior we can expect from Internet Service Providers (ISPs) in the absence of meaningful net neutrality protections. The AG’s complaint sets forth a host of specific facts, emails, and other statements that suggest that Spectrum-TWC repeatedly deceived its customers about the speed of their Internet connections and routinely provided its subscribers with equipment that was incapable of achieving promised connection speeds. But that wasn’t their only alleged misdeed. According to the complaint, Spectrum-TWC also extracted interconnection fees from backbone Internet and online content providers. Spectrum-TWC knew it needed to increase its interconnection capacity in order to ensure its customers could reliably access popular web services, but refused to do so. As a result, Internet users accessing those services experienced slower speeds and service interruptions. TWC offered to add capacity only if the backbone or content providers agreed to start paying for it. For example, when Netflix failed to pay, the quality of the Netflix video streams received by Spectrum-TWC subscribers dipped significantly during peak hours . . .
This resulted in subscribers getting poorer quality streams during the very hours when they were most likely to access Netflix. Once Netflix agreed to pay, subscribers’ viewing experience improved. Riot Games, the producer and distributor for the hugely popular online multiplayer game League of Legends, was also targeted by Spectrum-TWC. According to the complaint, until Riot Games agreed to pay Spectrum-TWC for access to its subscribers, Spectrum-TWC refused to give its subscribers reliable access to Riot’s content — contrary to the carrier’s public promises. This lawsuit deserves particular attention now in light of repeated threats to erode net neutrality protections at the federal level, including the Open Internet Order the FCC adopted in 2015. Opponents of net neutrality rules often insist that net neutrality rules are a solution in search of a problem. If even half the allegations in the complaint are true, it’s strong evidence that the problem is real. Of course, opponents of FCC rules might also suggest that this lawsuit shows there is no need for the FCC to intervene – state attorneys general can take care of it using consumer protection laws, right? Wrong. Welcome as the NYAG’s suit is, it’s no substitute for uniform baseline rules that can protect subscribers and innovators nationwide. Moreover, while the FCC’s Open Internet Order may not be perfect, it appears that the Order is already doing some good: it caused Spectrum-TWC to temper some of its bad practices. For example, after the Order came into effect, Spectrum-TWC agreed at last to resolve a dispute with another service provider, Cogent, and add additional capacity to improve the experience of some of its customers. Unfortunately, newly minted FCC Chairman Ajit Pai has expressed his desire to get rid of the agency’s net neutrality rules, and several members of Congress are also itching to roll back these protections.
In the coming months, we’ll be working to rally support for the open Internet—and we’ll need your help. Watch this space -- and be ready to stand with us in defending net neutrality.

EFF to Court: Forcing Someone to Unlock and Decrypt Their Phone Violates the Constitution (Mon, 06 Mar 2017)
The police cannot force you to tell them the passcode for your phone. Forcing you to turn over or type in your passcode violates the Fifth Amendment privilege against self-incrimination—the privilege that allows people to “plead the Fifth” to avoid handing the government evidence it could use against them. And if you have a phone that’s encrypted by default (which we hope you do), forcing you to type in your passcode to unlock the device means forcing you to decrypt your phone, too. That forced translation—of unintelligible information to intelligible—also violates the Fifth Amendment. But there’s a problem: not all law enforcement officers have received the memo. In one particularly egregious case, military investigators forced the defendant, Sergeant Edward J. Mitchell, to unlock and decrypt his iPhone 6 after he asked for a lawyer. Not only was the investigators’ continued interrogation of Sgt. Mitchell without a lawyer a clear violation of U.S. Supreme Court precedent, but compelling him to unlock and decrypt his phone also violated the Fifth Amendment. The case is currently on appeal to a federal military appeals court, and we filed an amicus brief with the court explaining why. The Fifth Amendment privilege against compelled self-incrimination protects “testimonial” communications. Testimonial communications are those that require a person to use “the contents of his own mind” to communicate some fact. Testimonial communications don’t have to be verbal; the key is that the information conveyed must come from the suspect’s own mind. As we explain in our brief, compelled passcode-based decryption is inherently testimonial—and thus always prohibited by the Fifth Amendment—for two reasons. First, the compelled entry of a memorized passcode forces a person to reveal the contents of their mind to investigators—contents that are absolutely privileged by the Fifth Amendment. 
As far as the Fifth Amendment is concerned, there’s no difference between forcing a person to type their passcode directly into their phone and forcing them to say it out loud to an investigator. The trial judge in this case understood that and found that typing in a passcode was a “testimonial act.” So just by forcing the defendant to unlock his phone, the investigators violated his Fifth Amendment right. Second, the process of decryption itself is testimonial because it involves translating unintelligible, encrypted evidence into a form that can be used and understood by investigators—again relying on the contents of the suspect’s mind. Encryption transforms plain, understandable information into unreadable letters, numbers, or symbols using a fixed formula or process. When information is encrypted on a phone, computer, or other electronic device, it exists only in its scrambled format. If Sgt. Mitchell’s phone had merely been locked but not also encrypted, officers who broke into the phone would have been able to access and understand the information stored on it. But since the phone was encrypted, if they had tried to break into the phone, they would have found only scrambled, encrypted data; they wouldn’t have been able to understand it. The officers needed Sgt. Mitchell, and his unique knowledge, to translate the information on the phone into its unscrambled, intelligible state for them to be able to use it against him. In other words, they were seeking to have the accused transform and explain the very data they sought to incriminate him with. This thus violated the Fifth Amendment for a second and independent reason—because of the nature of compelled decryption. Oral argument in this case is scheduled for 12:30 p.m. on April 4, 2017 at the University of Notre Dame Law School in Indiana, as part of the Court of Appeals for the Armed Forces’ student outreach program.
We hope the court holds that, because of the very nature of decryption, compelled passcode-based decryption hits at the heart of the Fifth Amendment’s privilege against self-incrimination. Thanks to the American Civil Liberties Union and ACLU of the District of Columbia for joining our brief.

NY City Council Measure Would Require Transparency for NYPD Electronic Surveillance (Sat, 04 Mar 2017)
Two members of the New York City Council introduced a bill on Wednesday, March 1 to enact long overdue transparency rules for the NYPD’s procurement and deployment of electronic surveillance technology. It is the latest in a series of similar proposals around the country modeled on a Silicon Valley law adopted in 2016, which was crafted to impose municipal checks and balances to constrain executive power and address the metastasis of surveillance. The Public Oversight of Surveillance Technology (POST) Act, introduced by councilmembers Dan Garodnick and Vanessa Gibson, would require important disclosures by the NYPD before it buys electronic surveillance gear. It would also require an opportunity for public comment on its proposed use policies. In particular, the POST Act would require the NYPD to publish a use policy for each electronic surveillance platform that it uses, or that it seeks to use in the future. The policy must explain the applicable supervisory guidelines and potential requirements for court authorization, as well as "[s]afeguards or security measures designed to protect…from unauthorized access" of the sort that has plagued federal surveillance efforts. Each platform’s use policy must also include parameters for data retention, access, use, and dissemination, as well as reports or tests about the technology’s potential impact on health and safety. Informed by the history of executive circumvention of legal limits on surveillance authorities, the POST Act also provides for ongoing auditing by the NYPD's inspector general. That office was created three years ago when the Council—responding to mounting concerns about police accountability—overrode a veto by then-Mayor Michael Bloomberg, who sought to prevent the Inspector General’s office from being established in the first place.
Because of separation of powers principles embedded in the New York State constitution, NYC's POST Act is less demanding than the Silicon Valley law on which it was based. Specifically, the NYC proposal lacks a legislative veto over proposed surveillance platforms. The transparency rules proposed in NYC would, however, represent a big step forward from the current baseline. Transparency, relative to the prevailing practice of secret procurement and unaccountable use, could be effectively transformative. Noting a history of secrecy precluding effective oversight by Councilmembers, Faiza Patel & Michael Price from the Brennan Center for Justice at NYU law school explain: "The POST Act is sensitive to national security and public safety needs and does not require the police to stop using cutting-edge tools. Nor does the bill undermine operational secrecy. It simply requires disclosure of big-picture information about new technologies and their permissible uses — before they hit the street…. New York needs greater transparency, oversight and democratic accountability for local policing. The POST Act is an essential step in that direction that will promote both public safety and the rights of every New Yorker." Beyond helping secure the rights of New Yorkers, the POST Act could also embolden reform in Congress, which has settled for legislating in the dark by repeatedly authorizing domestic intelligence powers without conducting meaningful oversight. With a key statutory pillar of the NSA’s Internet spying programs set to expire at the end of 2017, municipal campaigns challenging the ubiquity of surveillance are especially timely this year. As the legislative overseers of the nation’s largest police department, the New York City Council will have a chance to show Congress how to do its job.

Trump's Director of National Intelligence Pick Is on the Wrong Side of Surveillance (Fri, 03 Mar 2017)
President Donald Trump’s pick for Director of National Intelligence has laid out his vision for the country’s surveillance, and it’s not good for technology users. In his confirmation hearing before the Senate Intelligence Committee this week, former Sen. Dan Coats, a Republican from Indiana, said there need to be continued conversations about legal authorities to undermine encryption and called reauthorizing an authority that the government uses to spy on Americans’ Internet activities without a warrant his “top legislative priority.”

Government Surveillance

Coats made it clear that reauthorizing Section 702—which was created by the FISA Amendments Act and expires at the end of this year—is high on his to-do list. In answers to written questions prior to the hearing as well as during the hearing, Coats repeatedly praised the surveillance authority, calling it “a critical tool” and agreed when Sen. John Cornyn quoted FBI Director James Comey’s description of the authority as the “crown jewels of the intelligence community.” He also repeatedly defended the programs under Section 702—which include the NSA’s warrantless copying and searching of Americans’ Internet activity—as being “designed to go after foreign bad guys” and subject to “a robust oversight regime.” We’ve long argued that the surveillance programs under Section 702 are not targeted, do not have sufficient oversight, and violate Fourth Amendment protections. That’s why we’re calling on Congress to let the authority sunset. As Congress debates Section 702 reauthorization, lawmakers have repeatedly asked the Office of the Director of National Intelligence to make good on former Director James Clapper’s pledge to produce a long-delayed report on the number of U.S. communications that are swept up under Section 702 surveillance. When asked by Sen.
Ron Wyden if he plans to produce that report, Coats said he will “do everything I can to work with [NSA Director Mike] Rogers and the NSA to get you that number.” Coats also appears prepared to ask for rollbacks to crucial privacy reforms enacted in 2015. As a senator, Coats voted against the USA FREEDOM Act, the bill that made privacy-enhancing improvements to the government’s national security surveillance programs, including prohibiting a program involving the bulk collection of Americans’ phone call records. In his written answers, Coats acknowledged that, if confirmed, he “will ensure the [intelligence community] abides by … the changes to the program made as part of the USA FREEDOM Act.” However, he said he’s prepared to come back to Congress if he sees “deficiencies in the program,” including if telecom companies fail to retain phone records for long enough to be useful to intelligence agencies. Privacy advocates fought hard to keep phone record retention requirements out of the USA FREEDOM Act, and we stand ready to fight if Coats or anyone else tries to put them in place in the future.

Encryption

Coats called on lawmakers and tech companies to continue working on the issue of law enforcement access to encrypted data. While he said he recognized the value of encryption as an essential security and privacy tool, he also said the “ongoing discussion” about the legal authority to access data even when it’s encrypted should continue. “The CEOs of companies that are making devices and guaranteeing their buyers encryption, they worry about their families, … they worry about attacks on the U.S.,” he said. We’ve fought efforts on the Hill to undermine users’ security, and we will continue to push back on proposals to force companies to give law enforcement backdoors to encrypted technologies.
Privacy Protections Abroad

Coats tried to quell lawmakers’ concerns about the Trump administration undermining privacy protections for foreigners, especially in its aggressive anti-immigration push. On Presidential Policy Directive 28 – an Obama-era document that outlines basic privacy protections for foreigners – Coats wrote that he expects the administration is reviewing the policy along with other presidential directives “in the interest of determining whether in their present form they still address national priorities or deserve to be revisited.” But he noted specifically that European officials relied heavily on the privacy protections in PPD-28 when approving the Privacy Shield, a data deal that lets U.S. companies bring European users’ data across the Atlantic. “For that reason, before any changes to the PPD are made, I believe it important to consider the consequence of any modifications,” he wrote. Although we’ve criticized PPD-28 as not going far enough to give privacy protections to those located abroad, rolling back those protections would be worse still.

What's up at the W3C: further reading for Reply All listeners (Fri, 03 Mar 2017)
The latest episode of the technology podcast Reply All features an excellent summary of some of the issues with the World Wide Web Consortium's current project to create a standard for restricting the use of videos on the web; we've created this post for people who've just listened to the episode and want to learn more. What's going on? The World Wide Web Consortium (W3C) is a standards body: they work to create open standards, rules for connecting up the web that anyone can follow, guaranteeing that anyone can make a web browser, web server, or website. In 2013, the W3C gave in to pressure from a few entertainment companies and big tech companies to make a new kind of standard: a standard for limiting how people could use the videos that they watched in their browser. These controlling technologies are called "Digital Rights Management" (DRM), and the W3C's DRM standard is called "Encrypted Media Extensions" (EME). What is EME for? That's a good question! The companies that want EME say that they need it to prevent copyright infringement. But long experience with DRM has shown, time and again, that it's just not hard to bypass these systems, and once one person figures out how to do that, they can upload un-DRMed versions of the videos to websites where people who want to violate copyright can go (the host of the Reply All episode explains right at the start that he does this when he can't get DRM to work). If DRM is about preventing piracy, it's not doing a very good job. OK, so what is EME for then? We think the real story here isn't the technology, it's the law. In 1998, Congress passed the Digital Millennium Copyright Act (DMCA), which includes an "anti-circumvention" rule that sets out very harsh penalties for tampering with DRM, and is worded so badly and broadly that it has been used to threaten, sue and even jail people who break DRM, even for a lawful reason. 
When DRM is deployed, it's never limited solely to preventing people from violating copyright law -- it also stops people from doing things that copyright law permits, but that companies don't like. Companies have all kinds of wishes about how their customers would use their products, but those are just wishes, not law. But when companies use DRM to enforce those wishes, they can turn them into law, because breaking the DRM is against the law. Take Netflix, one of the companies really eager to see DRM added to browsers. Netflix started out by mailing DVDs to its customers, something the movie studios hated. But Netflix bought those DVDs fair and square, and even though the copyright holders behind those discs didn't want Netflix to mail them around, those wishes were not laws, and so Netflix got to grow into the service we all use today. Today's Netflix has wishes, too: they want to stop you from recording your Netflix streams to watch later, or to move onto other devices. Those are just wishes too -- the same copyright law that makes DVRs and VCRs legal applies to Netflix streams too. But once Netflix uses EME to prevent you from doing this stuff, it can treat its wishes as laws -- and demand that you do the same. Are you sure this is just about laws? Pretty sure, yup! Just to double-check, EFF proposed a solution that would cleanly separate the technology from the broad powers that corporations get from DMCA 1201. Under our proposal, W3C members would agree that they could only use DMCA 1201 to stop people from doing something that was already illegal, like movie piracy. More than 40 W3C members support this proposal, but the companies that want DRM won't hear of it, and last week, the W3C's Director signaled that he wouldn't listen to the members who want this -- rather, he'll let the W3C be turned into an organization where big companies go to get new avenues for legal control, instead of new technologies. What will EME mean for the web?
Once a company uses DRM in its product, it can threaten anyone who opens up that product in ways they don't like. The exact boundaries of DMCA 1201 are contested, with prosecutors, rightsholders, and some courts arguing for a very expansive scope. Because the penalties for losing a DMCA claim are so scary -- in some commercial circumstances it could mean a $500,000 fine and a 5-year prison sentence for a first offense! -- few people want to operate in the gray area threatened by DMCA 1201. There are three important groups in the web ecosystem who will lose their rights thanks to EME: Competitors: these are the intended targets of EME. Companies, free software projects, and individuals who want to let people do more with the videos in their browsers will need permission from the Netflixes of the world in order to develop their tools. It's a first for the W3C: a standard that's designed to stop people from improving the web in lawful ways. Security whistleblowers: these are an unintended -- but welcome (for some companies) -- target for EME. DRM advocates have said that merely disclosing defects in products that use DRM violates Section 1201 of the DMCA. The thinking goes like this: "When you tell people about the errors we made in designing our products, you also show them where the weak points in our DRM's armor are." Security researchers are routinely stopped from going public when they discover high-risk defects in widely used products because their institutions fear reprisal under DMCA 1201. Rather than protecting the right of these researchers to make truthful statements about defective products, the W3C is crafting voluntary guidelines to help its members to decide when to censor reports of defects in their products. People with disabilities: these are also an unintended target of EME. EME includes many adaptations to help those with disabilities enjoy videos, but there are plenty of ways this could be improved.
Normally, adapting technology to accommodate disabilities is all about writing code, but because these adaptations would require bypassing DRM, accessibility toolsmiths will need to clear a thicket of permissions before they start work (or risk criminal and civil penalties). Who else feels this way? Lots of organizations in the W3C and hundreds of leading security researchers. The W3C members who've gone on record as supporting EFF's position include: Accessibility organizations: Royal National Institute of Blind People (UK); Braillenet (France); Vision Australia and Media Access Australia (Australia); Benetech and SSB Bart (USA) Research institutes: Lawrence Berkeley Labs; Eindhoven, Oxford, Kings College London, Open University, Vrije University Public interest groups: EFF, Center for Democracy and Technology Cryptocurrency, blockchain and security groups: Ethereum, Blockstream, White Ops Commercial firms, webscale projects and browsers: Hypothes.is, Vivliostyle, Brave Is this just a US problem? Alas, no: the US Trade Representative has been a busy beaver, convincing almost all of the US's trading partners (with the sole exception of Israel) to adopt rules like this. But EFF is on the case: we're suing the US government to invalidate section 1201 of the DMCA.

Healthy Domains Revisited: the Pharmaceutical Industry (Fri, 03 Mar 2017)
Users scored an exciting victory over copyright-based censorship last month, when the Domain Name Association (DNA) and the Public Interest Registry (PIR), in response to criticism from EFF, both abruptly withdrew their proposals for a new compulsory arbitration system to confiscate domain names of websites accused of copyright infringement. But copyright enforcement was only one limb of the DNA's set of Registry/Registrar Healthy Practices [PDF]. One of the other limbs of these practices was a process for "streamlining complaint handling from illegal or 'rogue' online pharmacies." Although the target is different, the mechanism is much the same: allowing a self-interested private entity to request the cancellation of domain names associated with websites that it alleges infringe its rights. How and Why Big Pharma Blacklists Overseas Pharmacies The treatment of online pharmacies in the Registry/Registrar Healthy Practices is even more unbalanced than in the copyright proposal, in that decisions on whether a domain name should be confiscated would not be made by an independent arbitrator, but by reference to an opaque blacklist maintained by big pharma trade groups the Alliance for Safe Online Pharmacies (ASOP) and LegitScript. These blacklists use the loosest of definitions of "illegal online pharmacy" in order to depict licensed overseas pharmacies as rogue, even if they supply original branded medicines and require a prescription, unless they are also licensed in the country of each and every online customer. Why can't overseas pharmacies just obtain foreign licenses to avoid being blacklisted, then? Because, at least in the case of U.S. sales, that would mean they could only dispense medicines sourced within the U.S. from the manufacturer, at the world's highest prices. In other words, it is literally impossible for a foreign-dispensing pharmacy to obtain a license that would keep them off the ASOP and LegitScript blacklist. 
Now, it may well be that there should be some international mechanism to regulate overseas pharmacies sending prescription medicines into countries where they are not licensed. EFF doesn't take a position on this because it's outside of our area of expertise, but it's worth noting that there are several similar initiatives already in place, focused on cases that pose a high risk to consumers, such as the criminal trade in fraudulent medicines.1 In contrast, ASOP and LegitScript call all overseas pharmacies that dispense medicines to the U.S. "illegal", regardless of whether they dispense fraudulent or authentic medicines. This is misleading because although it may be against U.S. law for Americans to import medicines from overseas, the pharmacies sending such medicines are not subject to U.S. law. Provided that they comply with the laws in their own countries, such as by maintaining professional licenses and sourcing authentic medication, they are breaking no laws that apply to them. Calling them "illegal" and blacklisting them along with vendors of fraudulent medicines is a misleading tactic at best. Shadow Regulation Gets Big Pharma What the Law Won't This explains why big pharma has fallen back on Shadow Regulation as a way of getting what they want, by putting pressure on pliant Internet intermediaries such as domain registries and registrars who are neither qualified, nor perhaps particularly interested, in distinguishing between fraudulent drug peddlers and licensed pharmacies whose only crime is being based outside of the U.S. By setting up their own front organization ASOP as judge and jury, and Internet intermediaries like the domain name registries as executioners, big pharma is able to effectively maintain a stranglehold on online sales of prescription medicines that they could never get under national or international law. That doesn't mean that online trade in medicines needs to be an unregulated free-for-all. 
There may be some merit in the DNA's idea of a cross-border framework of cooperation on online medicine sales. But the DNA's big mistake was in allowing big pharma to write the rulebook. If a set of practices on online pharmacies is to be developed, this should be done through an inclusive, balanced and accountable process. This means including all affected stakeholders, so that a balance can be struck between the private interest of patent monopolists and diverse public interests such as access to affordable medicine and maintaining a free and open Internet. The outcome of such a conversation probably wouldn't look much like what we see in the DNA's Registry/Registrar Healthy Practices—which are quite literally lifted holus-bolus from a document of the ASOP/LegitScript mouthpiece Center for Safe Internet Pharmacies (CSIP). A more balanced set of guidelines might, for example, provide a channel for Internet intermediaries to ensure that consumers have accurate information about the provenance of the pharmaceuticals that they buy online, and assist law enforcement authorities in obtaining information about online pharmacies that dispense fraudulent medicines. Meanwhile, it's not as if there are no safeguards already in place for purchasers from online pharmacies. We already mentioned one independent pharmacy watchdog in our last piece on this topic; PharmacyChecker.com. In addition, there are self-regulatory guidelines that many reputable online pharmacies follow, such as those of the Canadian International Pharmacy Association (CIPA). (EFF is presenting on Shadow Regulation at CIPA's AGM today, and our presentation is linked below.) Without even acknowledging the existence of such existing best practice initiatives, the DNA's Registry/Registrar Healthy Practices would have Internet intermediaries hand the reins of Internet content regulation over to big pharma. 
There is no better illustration of what a dangerous precedent this sets than in the Healthy Practices themselves, which would have granted similar content censorship powers to copyright monopolists, if we hadn't stopped that proposal first. Even if well-meaning, Shadow Regulation will always be inclined to have unintended consequences such as these, because of its deliberate exclusion of Internet users and the public at large. We called it out before, and we're calling it out again: the Healthy Domains Initiative remains unhealthy for the Internet, and the DNA needs to go back to the drawing board. 1. Big pharma has long tried to dishonestly conflate this with international trade in safe generic and branded medicines, by describing them both using blanket phrases like "counterfeit drugs". However they suffered a setback last year, when the World Health Organization (WHO) ruled that it would henceforth use the terminology substandard and falsified in its work on public health concerns around fraudulent medicines, signalling that the WHO has no designs to become an international patent enforcement body.

California Supreme Court Rules Public Records Act Covers Government Communications on Private Email and Personal Devices (Thu, 02 Mar 2017)
In a major victory for transparency, the California Supreme Court ruled today that when government officials conduct public business using private email or personal devices, those communications may be subject to disclosure under the California Public Records Act (CPRA). In the unanimous opinion, the court overturned an appellate court ruling, writing: CPRA and the [California] Constitution strike a careful balance between public access and personal privacy. This case concerns how that balance is served when documents concerning official business are created or stored outside the workplace. The issue is a narrow one: Are writings concerning the conduct of public business beyond CPRA’s reach merely because they were sent or received using a nongovernmental account? Considering the statute’s language and the important policy interests it serves, the answer is no. Employees’ communications about official agency business may be subject to CPRA regardless of the type of account used in their preparation or transmission. EFF has long been concerned with the potential for officials to hide public records by using private online accounts or personal phones and computers to conduct business. In this case, activist Ted Smith was seeking records from the City of San Jose that may have been stored in personal devices or accounts. These issues have come up, not only on the local level, but federal as well—all the way up to former Secretary of State Hillary Clinton, who was embroiled in a high-profile scandal over her use of a private email server based out of her home. EFF joined the ACLU in filing an amicus brief in this case, asking the Supreme Court to overturn an appellate court ruling in favor of the City of San Jose. 
As we wrote in our opening: [The court of appeal's] holding violates both the letter and spirit of the California Public Records Act and Article I, section 3 of the California Constitution by holding that emails related to official business are outside the PRA merely because they are sent and receiving using non-governmental accounts. And the court’s reasoning would allow government officials and employees to circumvent the PRA simply by opening a new browser window and logging into a personal web-based email account as they sit at their government-owned computers. The result would be to curtail if not eliminate public access to informal emails between individual officials and employees and with industry and special interests that provide critical insight into the government operations beyond the often sanitized contents of formal memoranda and bulletins: not just what the government is doing but why it is doing it and at whose behest. The California Supreme Court pointed out in its ruling that agencies aren’t just disembodied entities, but rather rely on human beings to prepare, retain, or use records: “When employees are conducting agency business, they are working for the agency and on its behalf.” The court added: “The whole purpose of CPRA is to ensure transparency in government activities. If public officials could evade the law simply by clicking into a different email account, or communicating through a personal device, sensitive information could routinely evade public scrutiny.” While government officials should not be able to use private devices to evade public scrutiny, at the same time, government employees shouldn’t have to forfeit all rights to privacy by holding public office, and their personal communications shouldn’t be subject to search every time someone files a public records request. The court seemed to take this issue into account and provided some guidance on what records on private devices would be subject to disclosure. 
As the Court wrote in the opinion: We clarify, however, that to qualify as a public record under CPRA, at a minimum, a writing must relate in some substantive way to the conduct of the public’s business. This standard, though broad, is not so elastic as to include every piece of information the public may find interesting. Communications that are primarily personal, containing no more than incidental mentions of agency business, generally will not constitute public records. For example, the public might be titillated to learn that not all agency workers enjoy the company of their colleagues, or hold them in high regard. However, an employee’s electronic musings about a colleague’s personal shortcomings will often fall far short of being a “writing containing information relating to the conduct of the public’s business." Ultimately, the Court’s message was clear: if you’re a government official conducting the public’s business, those are public records, no matter where those records are stored. Today’s decision will have wide-ranging impact on how public records are treated throughout the state, whether that’s elected officials communicating with lobbyists through Twitter direct messages or law enforcement officers exchanging controversial text messages on their personal smartphones. The case doesn’t end the discussion, though. We hope it will also trigger policy reforms within agencies to ensure that employees and officials do not use personal communications tools to conduct public business: this requirement would ultimately be the best way to ensure transparency and privacy.

New FCC Chairman Begins Attacks on Internet Privacy (Wed, 01 Mar 2017)
UPDATE: 3/2/17 Updated to include which types of consumer data were impacted by these changes. Your ISP knows a lot about who you are and what you do online. Their records just got a whole lot less secure. Newly minted Republican FCC Chairman Ajit Pai just granted the telecom industry its wish: he has blocked new requirements that Internet service providers (ISPs) like Comcast apply common sense security practices to protect your private data. By suspending the FCC's proposed data security rules for ISPs, Pai is pitting Internet users against the very companies we trust to get us online. And the ISPs will continue to win—unless we fight back. Internet users won a significant victory last year when the FCC issued its Broadband Privacy Rules. As part of these rules, ISPs would be required to protect their customers' sensitive information. For instance, ISPs would need to take reasonable steps to protect Social Security numbers, financial information, health information, and records of Web browsing data against hackers. In the wake of major ISPs like Comcast suffering huge data breaches, this would clearly be sound policy—but Chairman Pai apparently disagrees. And of course, ISPs are gleeful about his decision because they'd prefer not to be scrutinized when they fail to properly protect your data. Unfortunately, this isn’t the worst of it. Republicans in Congress are planning a much bigger assault on the Internet, by making it illegal for the FCC to protect consumer privacy online. With heavy support from the cable and telephone industry, they are hoping to use a rare and far reaching tool known as a Congressional Review Act resolution, which would not only completely eliminate all of the FCC's broadband privacy rules (not just the data security rule), it would prohibit the FCC from ever enacting any "substantially similar" privacy rules in the future. 
Because of the current regulatory landscape, the Federal Trade Commission is also barred from policing ISPs, leaving no federal cop on the beat to protect consumer privacy in this space. In other words, ISPs would have carte blanche when it comes to rifling through, sharing, and selling your private data. We need to act now to stop Pai and the ISP lobbyists in DC from dismantling these important privacy protections. The good news is we've done it before: by speaking out, Internet users all over the country sent a clear message to DC that we value net neutrality and privacy. Now we can do it again. Tell your representatives in Congress that you will not accept their efforts to undermine your online privacy rights and that you expect the FCC to uphold its consumer privacy protections.

An Illinois Court Just Didn’t Get It: We Are Entitled to Expect Privacy In Our Smart Meter Data, Which Reveals What’s Going On Inside Our Homes (Wed, 01 Mar 2017)
Cities across the country are switching to wireless smart meters. You may even have one in your home. Utility companies say the new technology helps consumers monitor their energy use and potentially save money. But smart meters also reveal intimate details about what’s going on inside the home. By collecting energy use data at high frequencies—typically every 5, 15, or 30 minutes—smart meters know exactly how much electricity is being used, and when. Patterns in your smart meter data can reveal when you are home, when you are sleeping, when you take a shower, and even whether you cook dinner on the stove or in the microwave. These are all private details about what’s going on inside your home—details that should be clearly within the bounds of Fourth Amendment protection. But a federal district court in Illinois has held—in a lawsuit alleging that smart meters installed in Naperville, Illinois, put the privacy of the city’s citizens at risk—that Americans can’t reasonably expect any privacy in the data collected by these devices. According to the court, smart meter data is completely beyond the protection of the Fourth Amendment. The case is currently on appeal to the United States Court of Appeals for the Seventh Circuit, which should throw out the district court’s sweeping, dangerous decision because it threatens the privacy of Americans across the country. Roughly 65 million smart meters have been installed in the United States in recent years, with 88% of them, over 57 million, in homes of American consumers. More than 40 percent of American households currently have a smart meter, and experts predict that number will reach about 80% by 2020. This case has far-reaching implications. The lower court’s decision was based on flawed assumptions about smart meter technology. The court was convinced that data collected from smart meters is no different from data collected from analog meters, in terms of what it reveals about what’s going on inside the home. 
But that’s simply not the case. Smart meters not only produce far more data than analog meters—those set at collecting data in 15-minute intervals produce 2,880 meter readings per month compared to just one monthly reading for analog meters—but the data is also far more intimate. A single monthly read of cumulative household energy use does not reveal how energy is being used throughout the course of a day. But smart meter data does. And its time granularity tells a story about what is going on inside the home for anyone who wishes to read it. The case law is clear: details of the home are entitled to the utmost Fourth Amendment protection. And this should include smart meter data. EFF and Privacy International asked the Seventh Circuit if we could weigh in on this important case. We’ve requested to file a brief to help the court understand the broader impact of the lower court’s decision—and specifically, where the lower court went wrong. We hope the federal appeals court accepts our brief and throws out the lower court’s dangerous and out-of-touch ruling.

Liveblogging Today’s House Judiciary Hearing on Section 702 (Wed, 01 Mar 2017)
The U.S. government’s warrantless Internet spying is in the hot seat today. The House Judiciary Committee is holding a two-part hearing this morning about Section 702, created by the FISA Amendments Act, which the government uses to justify the unconstitutional mass surveillance of Americans’ online activity. EFF opposes the sweeping surveillance that happens under Section 702, and we’re calling on Congress to let the authority lapse when it is set to expire at the end of the year. In advance of this hearing, a coalition of Internet giants known as Reform Government Surveillance issued a letter calling for significant reforms to Section 702. We hope that the companies’ letter will set the tone for this hearing: Section 702 must not be reauthorized in its current form. Below is our running live blog of the House Judiciary hearing’s unclassified portion. ------------------------------ 8:00 a.m. (PST) -- While the hearing started at 10 a.m. (EST), the Committee is still in its closed, classified session. We’ll start live blogging as soon as the public portion of the hearing begins. 8:53 a.m. (PST) -- The classified hearing is going longer than expected. 9:40 a.m. (PST) -- The Committee is still in closed session. We'll start blogging as soon as there's something to blog. 10:20 a.m. (PST) -- The closed session is finally over after more than three hours and the unclassified hearing is about to start. 10:40 a.m. (PST) -- Chairman Goodlatte (R-VA) has reconvened the hearing with a description of Section 702 that completely glosses over the fact that the operation of "Upstream," a program purportedly authorized under the section, scans vast quantities of Americans' communications without probable cause. Here's the full text of his statement. 10:55 a.m. (PST) -- The Committee’s top Democrat Rep. John Conyers took the intelligence community to task for failing to deliver on its promise to provide lawmakers an estimate of the number of U.S. 
communications that are “incidentally” swept up by the NSA under Section 702. While lawmakers repeatedly asked for that report to inform the congressional debate over Section 702 reauthorization, “the intelligence community has not so much as responded to our December letter” asking for an update on the timing of the estimate, he said. “I had hoped for better.” Conyers said lawmakers “will not simply take the government’s word on the size of the so-called incidental collection.” He’s right, and we won’t take the government’s word either. No one outside of the intelligence community (or even inside the IC, it seems) has a good estimate of how many Americans are impacted by the warrantless Internet surveillance under Section 702. That is unacceptable as Congress debates reauthorizing this sweeping surveillance authority. 10:59 a.m. (PST) -- Mr. Kosseff (a professor at the U.S. Naval Academy) takes the position that “foreign intelligence” represents a blanket exception to the Fourth Amendment’s warrant requirement, and that Section 702 falls within it. We at EFF cannot disagree more. 11:05 a.m. (PST) -- Ms. Doss (a former NSA attorney) makes the deeply misleading claim that Section 702 collection is targeted surveillance. That’s just plain wrong; Section 702 includes spying directly on the Internet backbone. 11:06 a.m. (PST) -- The Committee has gone into recess for approximately 45 minutes so that members can make it to the floor for a vote. 12:33 p.m. (PST) -- We're now nearly 90 minutes into the "45 minute" recess. No sign of the Committee reconvening yet. 12:43 p.m. (PST) -- The Committee has reconvened and noted civil libertarian, Elizabeth Goitein from NYU’s Brennan Center, is testifying. 12:52 p.m. (PST) -- Ms. Goitein pushed back on the claim that surveillance under Section 702 targets individuals located abroad. 
Despite the intelligence community’s claims to the contrary, Section 702 surveillance collects “a massive amount of Americans’ communications” which the government keeps “for years and routinely searches … for information to use against Americans in ordinary criminal proceedings,” she said. Thanks to Section 702, “the FBI is reading Americans’ emails and listening to their phone calls without a factual basis to suspect them of wrongdoing, let alone a warrant.” This is crucial fact-checking of the myths spread by intelligence community officials. 12:55 p.m. (PST) -- Former NSA attorney April Doss just made the absurd claim that it would be more privacy intrusive for the NSA to estimate how many Americans’ communications are swept up in Section 702 collection. 1:00 p.m. (PST) -- Rep. Ted Lieu comes out strong against the backdoor loophole that lets law enforcement agencies like the FBI access Americans’ communications collected under Section 702. “That information can be passed to the FBI to do a criminal proceeding,” he said, calling it “a flat out violation of the Fourth Amendment.” 1:06 p.m. (PST) -- Rep. Raul Labrador asks: is it possible to subject the 250 million Internet transactions collected per year by the NSA to rigorous oversight? Ms. Goitein notes that there have been a large number of documented violations of law and NSA regulations and there is essentially no effective oversight. 1:10 p.m. (PST) -- Rep. Labrador raised the question of whether such a vast surveillance system can have adequate safeguards to prevent abuse. Specifically, he cited the recent example of National Security Adviser Michael Flynn resigning after it was leaked that the FBI had reviewed calls between Flynn and the Russian ambassador to the U.S. ahead of President Donald Trump’s inauguration. “Can we prevent them from using this personal information to settle [political] scores?” Labrador asked. 
While refraining from commenting on the specifics of Flynn’s surveillance, the Brennan Center’s Liza Goitein said the potential for abuse is one of the problems with the law. “The statute is not narrow enough,” she said. 1:16 p.m. (PST) -- Rep. Jim Jordan was skeptical of the intelligence community’s claim that it is difficult to come up with a long-promised estimate of how many Americans have had their communications collected under Section 702. “That seems like baloney to me,” the Ohio Republican said. “It’s the greatest intelligence service on the planet. You’d think they’d be able to know that.” 1:20 p.m. (PST) -- In response to questions from Rep. Jim Jordan, Goitein notes that the Privacy and Civil Liberties Oversight Board report shows that the FBI and NSA routinely search Section 702 collection for evidence that U.S. citizens have committed crimes unrelated to national security. But of course, we don’t know if any such citizens have been prosecuted because the NSA has been less than forthright in their notification requirements. 1:22 p.m. (PST) -- Rep. Ted Lieu raised the critical point that Section 702 surveillance isn’t limited to national security concerns. Instead, it is limited to “foreign intelligence” issues, which is a much broader category. “That could apply to academics, students, human rights activists, lawyers,” he said. “It’s this massive group.” Goitein agreed, replying that the system relies on the intelligence community making responsible decisions about who to target. “We are trusting on the self restraint of the people who are operating these programs,” she said. 1:25 p.m. (PST) -- Lieu also made the point that EFF has long argued: the NSA violates the Fourth Amendment’s prohibition on warrantless seizures when it collects Americans’ communications even before it violates the Fourth Amendment’s prohibition on warrantless searches when it scans those communications. 
As Lieu put it: “Why is the seizure of Americans’ communications not a violation of the Fourth Amendment, totally aside from the searching of it?” 1:28 p.m. (PST) -- Rep. Ted Poe notes that the NSA doesn’t need to “target” Americans under Section 702 since that would unquestionably require a warrant. Instead, they can just “run across” Americans’ communications that are “incidentally” collected, and then criminally prosecute them. Indeed, the FBI can search data collected under Section 702 without a warrant. “I think that is illegal and a violation of the Constitution and an abuse of power” says Rep. Poe. 1:40 p.m. (PST) -- Mr. Kosseff notes that it’s possible that with a clean reauthorization of Section 702, the US-EU Privacy Shield might fail, since Section 702 contains no privacy protections for non-US persons. 1:48 p.m. (PST) -- The hearing ended on a crucial point. As Goitein put it: “Oversight not an end in itself. It’s never a substitute for adequate substantive limits in the law. The law and the rules allow the FBI to read Americans’ emails without obtaining a warrant. The FBI could be scrupulously adhering to those rules, and we still have a problem.” 1:50 p.m. (PST) -- And with that, the hearing is adjourned.

Stupid Patent of the Month: IBM Patents Out-of-Office Email (Wed, 01 Mar 2017)
Update: March 1, 2017 Today IBM told Ars Technica that it "has decided to dedicate the patent to the public" and it filed a formal disclaimer at the Patent Office making this dedication. While this is just one patent in IBM's massive portfolio, we are glad to learn that it has declared it will not enforce its patent on out-of-office email. On January 17, 2017, the United States Patent and Trademark Office granted IBM a patent on an out-of-office email system. Yes, really. United States Patent No. 9,547,842 (the ’842 Patent), “Out-of-office electronic mail messaging system,” traces its history to an application filed back in 2010. That means it supposedly represents a new, non-obvious advance over technology from that time. But, as many office workers know, automated out-of-office messages were a “workplace staple” decades before IBM filed its application. The Patent Office is so out of touch that it conducted years of review of this application without ever discussing any real-world software. The ’842 Patent describes technology that would have been stupefyingly mundane to a 2010 reader. A user inputs “availability data” such as a “start date, an end date and at least one availability indicator message.” The system then uses this data to send out-of-office messages. The only arguably new feature it claims is automatically notifying correspondents a few days before a vacation so that they can prepare in advance for a coworker’s absence. From a technological perspective, this is a trivial change to existing systems. Indeed, it is like asking for a patent on the idea of sending a postcard, not from a vacation, but to let someone know you will go on a vacation. It is worth considering the full prosecution history (PDF) of the ’842 Patent to understand how the patent system reached such an absurd result. There were two big oversights. 
First, the examiner never considered whether this patent’s software-related claims were eligible under the Supreme Court’s decision in Alice v. CLS Bank. Second, the Patent Office did an abysmal job of reviewing prior art and considering obviousness. In Alice, the Supreme Court ruled that an abstract idea does not become eligible for a patent simply because it is implemented on a generic computer. That decision came down in June 2014, so the Patent Office had plenty of time to apply it to the application that led to this patent. If it had, it likely would have rejected the claims. The ’842 Patent goes out of its way to make clear that its method can be implemented on a generic computer. The final three columns of the patent recite at length how its claims can be implemented in any programming language on essentially any kind of hardware. At one point, the examiner did reject some of the application’s claims under Section 101 of the Patent Act (which is the statute the Alice decision applies). But IBM overcame the rejection simply by arguing that the patent’s method was implemented in computer hardware. In January 2013, IBM noted that “it was agreed [between IBM and the patent examiner] that the rejection ... under 35 U.S.C. § 101 could be overcome by reciting that a hardware storage device stores computer readable instructions or program code.” Even if that was a reasonable response in 2013, it certainly was not after Alice. Yet the Patent Office never revisited the issue. We have submitted multiple rounds of comments (1, 2, 3, and 4) to the Patent Office urging it to be more diligent in applying Alice. Even if the claims of the ’842 Patent were non-abstract, they still should have been rejected as obvious. We’ve written before about how the Patent Office does a terrible job of finding and considering real-world evidence when reviewing patents. 
In fact, it seems to operate in an alternative universe where patents themselves provide the only evidence of the state of the art in software. The prosecution that led to the ’842 Patent is a stark illustration of this. You might think that a patent examiner faced with a patent application on an out-of-office email system might look at some real out-of-office email solutions. But the examiner considered only patents and patent applications. The Patent Office spent years going back-and-forth on whether IBM’s claims were new compared to a particular 2006 patent application. But it never considered any of the many, many existing real-world systems that pre-dated IBM’s application.

[Figure: A figure from IBM’s patent (left) and from its 1998 publication about Notes (right)]

To take just one example, the Patent Office never considered this detailed specification from 1998 (PDF) from IBM describing the out-of-office agent in Notes. Nor did it consider other well-known email features like scheduling and signatures. If the Patent Office had taken a peek at the real world, and applied a modicum of common sense, it would have quickly rejected IBM’s claims. Some advocates for software patents have recently been pushing for legislative reform to undo Alice. Indeed, IBM is among those asking Congress to reopen the software patent floodgates. If they succeed, perhaps IBM can finally get a patent on shorter meetings (that application was rejected under Section 101). It’s clear that software patents do not help people who actually write software. And while Alice has caused some frustration for those who churn out software patents, it has not harmed the software industry. The patent system is still far from perfect. But the last thing we need is to go backwards and encourage the Patent Office to issue more nonsense like IBM’s patent on out-of-office email.

Data Brokers: Don’t Let Your Data be Used For Human Rights Abuses (Mon, 27 Feb 2017)
EFF, Amnesty International, Color of Change, the Center for Democracy and Technology, and our other coalition partners are urging data brokers to take a stand against government surveillance and discrimination based on religion, national origin, and immigration status. As explained in a joint statement released today, data brokers collect and analyze huge amounts of personal data that could easily be used to identify, profile, and track people in violation of their basic human rights. EFF and our allies are calling on data brokers to disclose whether they’ve received government requests for their data, and to make the following pledge: “We will not allow our data, or services, to be purchased or otherwise used in ways that could lead to violations of the human rights of Muslims or immigrants in the United States. If we cannot guarantee that our data, or services, will not ultimately be used for such purposes, we will refuse to provide them.” You can read the full statement here. If you’re in California, you can take action to protect your friends, coworkers, and neighbors. California state Sen. Ricardo Lara has introduced a bill that would prevent California from sharing state and local government data with the federal government, when that data could be used to create lists, registries, or databases based on people's religion, national origin, or ethnicity. Take action now and show your support for S.B. 31.