Aggregated News

Let’s Make The Copyright Office Less Political, Not More

eff.org - Tue, 28/03/2017 - 11:26

After three years of discussing changes to copyright law, Congress’s first bill is a strange one. House and Senate Judiciary Committee leaders have introduced a bill that would radically change the way the Register of Copyrights is picked – taking the process out of the hands of the Librarian of Congress and putting it into the hands of Congress and the President. That sounds like a pretty technical move, but it could have real consequences for future innovation and creativity.  Let’s break it down.

As it stands now, the Register is appointed by the Librarian of Congress, and serves under her direction and oversight.  The “Register of Copyrights Selection and Accountability Act of 2017” would require that the head of the Copyright Office be appointed by the President and confirmed by the Senate, and would authorize the President to remove the Register. This would make the Register’s appointment process more democratic – but also more a captive of special interests.

The Copyright Office is supposed to focus on a pretty mundane but important job: registering copyrightable works. Like entities such as the Congressional Research Service and the GAO, the Copyright Office is also charged with providing advice to Congress, and “information and assistance” to other federal government entities.  It is not, however, responsible for making or officially applying copyright law except in very narrow circumstances (like deciding whether a work qualifies for registration). Instead, the responsibility for setting the nation’s copyright policy rests with Congress.

In the past decade, however, the Copyright Office has played an increasingly central role in policymaking – and it has not been a neutral advocate. The Copyright Office has repeatedly put forward policy proposals and legal analyses that have tended to favor the interests of a particular segment of copyright owners (particularly major media and entertainment companies) over other constituencies. For example, one former Register famously stated, “[c]opyright is for the author first and the nation second.”  Under her leadership, the Office supported the disastrous Stop Online Piracy Act (SOPA). And last year, the Office worked closely and quietly with major entertainment companies to derail the FCC’s effort to improve competition and consumer choice in cable set-top boxes. The Office also pushed through an unpopular rule change that puts many small website owners at risk of losing access to copyright law’s safe harbors for intermediaries. More and more people feel the consequences of this bias at the Copyright Office, as some appellate courts have looked to the Office to decide close and critical legal questions.  And thanks to the Digital Millennium Copyright Act, the Copyright Office also plays a central role in shaping our technological future.

The Register has gone from being a neutral expert to a political player. In theory, the bill would help mitigate this effect by making this Register more accountable to the public – after all, under the current regime the Register answers only to the Librarian of Congress. In practice, though, we fear it’s designed to do something else: allow powerful incumbent interests to use their lobbying power to control this increasingly politicized office.  No president is going to select an appointee that will be shot down by special interests. And while the Librarian of Congress still oversees the Copyright Office, the Librarian of Congress would not be able to remove the Register no matter how poorly they perform their job.

In sum, we’ll have a Register, and a Copyright Office, that is accountable only to the President and the special interests that helped get them approved in the first place.  That will inevitably accelerate the politicization of the Office.

Under the current system, the official in charge of selecting the Register is a member of the one community that can usually be trusted to think about all of the interests copyright law affects: librarians.  As we’ve said before, libraries have an institutional obligation to serve the public, and to support access to knowledge and culture. Given copyright’s constitutional mandate to promote progress, we think the Office’s mission is best served when it is subject to the oversight and guidance of the library community.

It’s bad enough that Congress and the public can no longer look to the Register as a neutral arbiter of copyright policy.  We shouldn’t make the problem worse by effectively making the Copyright Office into an independent regulator and policymaker. Instead, the Register should remain an advisor to Congress and an administrator of the registration system.


Categories: Aggregated News

California Bill To Ban “Fake News” Would Be Disastrous for Political Speech

eff.org - Tue, 28/03/2017 - 09:14

Memo to California Assemblymember Ed Chau: you can’t fight fake news with a bad law.

On Tuesday, the California Assembly’s Committee on Privacy and Consumer Affairs, which Chau chairs, will consider A.B. 1104—a censorship bill so obviously unconstitutional, we had to double check that it was real. 

It’s real.  The proposed law reads: 

18320.5. It is unlawful for a person to knowingly and willingly make, publish or circulate on an Internet Web site, or cause to be made, published, or circulated in any writing posted on an Internet Web site, a false or deceptive statement designed to influence the vote on either of the following: 

(a) Any issue submitted to voters at an election. 

(b) Any candidate for election to public office.


In other words, it would be illegal to be wrong on the internet if it could impact an election. The bill is unconstitutional under U.S. Supreme Court case law (see our opposition letter for more information on that), and likely to draw immediate and costly lawsuits if it is signed into law.

For Chau, A.B. 1104 is an attempt to address the issue of “fake news” that many believe plagued the 2016 election: websites publishing false stories and promoting them over social media.

No law, and certainly not A.B. 1104, will remedy this problem.

American political speech dating back as far as the John Adams-Thomas Jefferson rivalry has involved unfair smears, half and stretched truths, and even outright lies. During the 2016 campaign alone, PolitiFact ranked 202 statements made by President Donald Trump as mostly false or false and 63 as “Pants on Fire.” Hillary Clinton made 69 statements ranked mostly false or false and seven ranked “Pants on Fire.”

This bill will fuel a chaotic free-for-all of mudslinging with candidates and others being accused of crimes at the slightest hint of hyperbole, exaggeration, poetic license, or common error. While those accusations may not ultimately hold up, politically motivated prosecutions—or the threat of such—may harm democracy more than if the issue had just been left alone. Furthermore, A.B. 1104 makes no exception for satire and parody, leaving The Onion and Saturday Night Live open to accusations of illegal content. Nor does it exempt news organizations who quote deceptive statements made by politicians in their online reporting—even if their reporting is meant to debunk those claims. And what of everyday citizens who are duped by misleading materials: if 1,000 Californians retweet an incorrect statement by a presidential candidate, have they all broken the law? 

At a time when political leaders are promoting “alternative facts” and branding unflattering reporting as “fake news,” we don’t think it’s a good idea to give the government more power to punish speech.

In the fight against lies, the government must not create the tools to suppress the truth.  Join us today in filling the committee's Twitter streams with our opposition to this bill.



Small ISPs Oppose Congress's Move to Abolish Privacy Protections

eff.org - Tue, 28/03/2017 - 06:06


The Internet is up in arms over Congress's plan to drastically reduce your privacy online, and that includes small Internet providers and networking companies. Many of them agree that we need the Federal Communication Commission's rules to protect our privacy online, and seventeen of them have written to Congress today to express their concerns.

The situation before the FCC’s intervention was succinctly described in the fine print of Verizon’s privacy policy:  “If you do not want information collected for marketing purposes from services such as the Verizon Wireless Mobile Internet services, you should not use those particular services.” That was refreshingly honest. Other ISPs including AT&T, Charter, and Sprint also monitored their customers in intrusive ways, but were less frank in admitting it, even in their privacy policies.

Below is a letter signed by several small Internet providers who share our concerns. Add your voices to theirs: call your Representative today and tell them not to repeal the broadband privacy rules!

Dear U.S. Representatives,

Re: Oppose S.J. Res 34 - Repeal of FCC Privacy Rules

We, the undersigned founders, executives, and employees of ISPs and networking companies, spend our working lives ensuring that Americans have high-quality, fast, reliable, and locally provided choices available when they need to connect to the Internet. One of the cornerstones of our businesses is respecting the privacy of our customers, and it is for that primary reason that we are writing to you today.

We urge Congress to preserve the FCC’s Broadband Privacy Rules and vote down plans to abolish them. If the rules are repealed, large ISPs across America would resume spying on their customers, selling their data, and denying them a practical and informed choice in the matter.

Perhaps if there were a healthy, free, transparent, and competitive market for Internet services in this country, consumers could choose not to use those companies’ products. But small ISPs like ours face many structural obstacles, and many Americans have very limited choices: a monopoly or duopoly on the wireline side, and a highly consolidated cellular market dominated by the same wireline firms.

Under those circumstances, the FCC’s Broadband Privacy Rules are the only way that most Americans will retain the free market choice to browse the Web without being surveilled by the company they pay for an Internet connection.

Signed,

Sonic
Monkeybrains.net
Cruzio Internet
Etheric Networks
University of Nebraska
CREDO Mobile
Aeneas Communications
Digital Service Consultants Inc.
Om Networks
Hoyos Consulting LLC
Mother Lode Internet
Gold Rush Internet
Ting Internet
Andrew Buker (Director of Infrastructure Services & Research computing, University of Nebraska at Omaha)
Tim Pozar (co-founder, TwoP LLC)
Andrew Gallo (Senior Network Architect for a regional research and education network)
Jim Deleskie (co-founder, Mimir networks)
Randy Carpenter (VP, First Network Group)
Kraig Beahn (CTO, Enguity Technology Corp)
Chris Owen (President, Hubris Communications)

 

If you run a small ISP and would like to join our letter, send an email to isp-letter@eff.org.


Republicans in Congress Are Disregarding Their Own Privacy Policies

eff.org - Tue, 28/03/2017 - 03:26

Visit Sen. Jeff Flake’s official website, scroll to the bottom, click “Privacy Policy,” and you’ll find a page where the junior senator from Arizona makes this fine promise:

I am committed to protecting the personal privacy of individuals who use the Internet, including website visitors like you.


He goes on to say that “your privacy is important to me” and that you should “rest assured” that your data is safe with him.

And yet—last week Sen. Flake rushed a resolution through the Senate to repeal landmark privacy protections enacted by the Federal Communications Commission. The legislation would also bar the FCC from ever again acting to protect users’ data from internet providers.

Under the repeal, the companies that provide your broadband service—be it Comcast, Cox, Time Warner, AT&T, or Verizon—will be able to engage in all sorts of underhanded ways to monetize your personal information. They’ll be allowed to collect your browsing history, hijack your search results, insert unwanted advertisements, and sell your data to marketers. In other words, if this repeal passes, no user should rest assured again.

Sen. Flake isn’t the only senator to act in disregard of their stated commitments to privacy. Forty-nine other Republicans joined him in the vote:

Many of these senators make similar statements in their privacy policies. For example, Sens. John Thune, Dean Heller, and Lamar Alexander’s Privacy Policies start: 

Protecting the personal privacy of individuals who use the Internet is a priority, and we appreciate the opportunity to describe to you the policies we have put in place to safeguard the privacy of individuals who visit our Web site.

Sen. John Cornyn’s Privacy Policy begins:

Senator John Cornyn respects your right to privacy and is committed to protecting the privacy and security of visitors to cornyn.senate.gov, and those who correspond with our offices via email.

Sen. John Boozman’s says: 

Your privacy concerns are very important, so please know that we have safeguards in place to protect the privacy of visitors to my site.

Here’s the thing: if you’re a U.S. lawmaker, protecting privacy doesn’t just mean not collecting visitors’ data when they visit your website. It means standing up for users’ rights every day on Capitol Hill—the exact opposite of which is to roll back the strong privacy protections already on the books.

Now the issue is before the House of Representatives, which could vote on the resolution as early as Tuesday.  It’s important you call your lawmaker today to demand they vote down the repeal of the FCC privacy rules.

Like their Senate colleagues, House Republicans also claim to respect user privacy. Speaker Paul Ryan’s Campaign site says that he knows “your right to privacy online is important.” Reps. Trent Franks, Tom McClintock, Mimi Walters, and many others use this boilerplate language:

We respect the privacy of our visitors and all those who come in contact with our office—be it in-person, through our Web site, or by mail, phone, or email. We therefore try to collect only such personal information as is needed to provide the information, service, or assistance that you request.

Is this just lip service? To truly respect the privacy of their constituents, these members need to not only limit what they collect but actively resist the telecommunication lobby’s play to collect and exploit our data. Otherwise, when you visit their sites, your internet provider will know it and be able to sell that information.

Don’t let your member of Congress get away with a personal data giveaway. Call them today and demand they vote down the repeal of the FCC’s privacy regulations.


Urban Homesteaders Win Cancellation of Bogus Trademarks

eff.org - Tue, 28/03/2017 - 02:44
Global Community Had Faced Baseless Legal Claims and Content Removal Threats

San Francisco – Urban homesteaders can speak freely about their global movement for sustainable living, after convincing the U.S. Patent and Trademark Office (USPTO) to cancel bogus trademarks for the terms “urban homesteading” and “urban homestead.” The authors and activists were represented by the Electronic Frontier Foundation (EFF) and law firm of Winston & Strawn.

“This is a victory for free speech and common sense. Threats over this trademark harmed us and the whole urban homesteading community—a group of people who are dedicated to sharing information about sustainable living online and elsewhere,” said Kelly Coyne, co-author with Erik Knutzen of The Urban Homestead: Your Guide to Self-Sufficient Living in the Heart of the City. “We are so pleased to have this issue settled at last, so we can concentrate on making urban life healthier and happier for anyone who wants to participate in this global effort.”

“Urban homesteading” has been used as a generic term for decades, describing activities like growing food, raising livestock, and producing simple food products at home. But a group called the Dervaes Institute managed to register “urban homesteading” and “urban homestead” as trademarks with the USPTO for “educational services” like blogging.

Citing the trademarks, Dervaes got Facebook to take down content about urban homesteading, including pages that helped publicize Coyne and Knutzen’s book, as well as the Facebook page of a Denver farmer’s market. In 2011, EFF and Winston & Strawn petitioned the USPTO on behalf of Coyne, Knutzen, and book publisher Process Media, asking for the trademarks’ cancellation.

“The words and phrases we use every day to describe basic activities should never be the exclusive property of a single person or business,” said EFF Legal Director Corynne McSherry. “It took six years, but we’re proud that this terrible trademark is off the books.”

“You can’t trademark generic terms and force ordinary conversations off the Internet,” said Winston & Strawn attorney Jennifer Golinveaux.  “We’re relieved that the urban homesteading community can continue sharing information about their important work without worrying about silly legal threats.”

For the full opinion from the U.S. Patent and Trademark Office:
https://www.eff.org/document/opinion-cancelling-trademark

For more on this case:
https://www.eff.org/cases/petition-cancel-urban-homestead-trademark

Contact: Corynne McSherry, Legal Director, corynne@eff.org

Five Ways Cybersecurity Will Suffer If Congress Repeals the FCC Privacy Rules

eff.org - Mon, 27/03/2017 - 14:24


Back in October of 2016, the Federal Communications Commission passed some pretty awesome rules that would bar your Internet provider from invading your privacy. The rules would keep Internet providers like Comcast and Time Warner Cable from doing things like selling your personal information to marketers, inserting undetectable tracking headers into your traffic, or recording your browsing history to build up a behavioral advertising profile on you—unless they got your permission first. The rules were a huge victory for U.S. Internet users who value their privacy.

But last Thursday, Republicans in the Senate voted to repeal those rules. If the House of Representatives votes the same way and the rules are repealed, it’s pretty obvious that the results for Americans' privacy will be disastrous.

But what many people don’t realize is that Americans’ cybersecurity is also at risk. That’s because privacy and security are two sides of the same coin: privacy is about controlling who has access to information about you, and security is how you maintain that control. You usually can’t break one without breaking the other, and that’s especially true in this context. To show how, here are five ways repealing the FCC’s privacy rules will weaken Americans’ cybersecurity.

 

Risk #1: Snooping On Traffic (And Creating New Targets for Hackers)

In order for Internet providers to make money off your browsing history, they first have to collect that information—what sort of websites you’re browsing, metadata about whom you’re talking to, and maybe even what search terms you’re using. Internet providers will also need to store that information somewhere, in order to build up a targeted advertising profile of you. So where’s the cybersecurity risk?

The first risk is that Internet providers haven’t exactly been bastions of security when it comes to keeping information about their customers safe. Back in 2015, Comcast had to pay $33 million for unintentionally releasing information about customers who had paid Comcast to keep their phone numbers unlisted. “These customers ranged from domestic violence victims to law enforcement personnel,” many of whom had paid for their numbers to be unlisted to protect their safety. But Comcast screwed up, and their phone numbers were published anyway.

And that was just a mistake on Comcast’s part, with a simple piece of data like phone numbers. Imagine what could happen if hackers decided to target the treasure trove of personal information Internet providers start collecting. People’s personal browsing history and records of their location could easily become the target of foreign hackers who want to embarrass or blackmail politicians or celebrities. To make matters worse, FCC Chairman (and former Verizon lawyer) Ajit Pai recently halted the enforcement of a rule that would require Internet providers to “take reasonable measures to protect customer [personal information] from unauthorized use, disclosure, or access”—so Internet providers won’t be on the hook if their lax security exposes your data.

This would just be the fallout from passive data collection—where your Internet provider simply spies on your data as it goes by. An even scarier risk is that Internet providers want to be able to do much more than that.

 

Risk #2: Erasing Encryption (And Making it Easier for Hackers to Spy On You)

Right now, your Internet provider can only spy on the portion of your traffic that isn’t encrypted—in other words, whenever you visit a site that starts with https (instead of just http), your Internet provider can’t see the contents of what you’re browsing. They can still see what domain you’re visiting, but they can’t see what specific page, or what’s on that page. That frustrates a lot of Internet providers, because they want to be able to build advertising profiles on the contents of your encrypted data as well.

In order to accomplish that, Internet providers have proposed a standard (called Explicit Trusted Proxies) that would allow them to intercept your data, remove the encryption, read the data (and maybe even modify it), and then encrypt it again and send it on its way. At first blush this doesn’t sound so bad. After all, the data is only decrypted within the Internet provider’s servers, so hackers listening in on the outside still wouldn’t be able to read it, right?

Unfortunately not. According to a recent alert by US-CERT, an organization dedicated to computer security within the Department of Homeland Security:

“Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM [Man-in-The-Middle] attack. Furthermore, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server.”

Further, a recent study found that 54% of connections that were intercepted (i.e. decrypted and re-encrypted) ended up with weaker encryption.

Translating from engineer-speak, that means many of the systems designed to decrypt and then re-encrypt data actually end up weakening the security of the encryption, which exposes users to increased risk of cyberattack. Simply put, if Internet providers think they can profit from looking at your encrypted data and start deploying these systems widely, we’ll no longer be able to trust the security of our web browsing—and that could end up exposing everything from your email to your banking information to hackers.
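One way to see the weakening described above is to compare the TLS parameters a client offered with the parameters that actually reached a server you control. The sketch below is an added example, not part of the original post or of the cited study; the two handshakes are constructed sample data, and it assumes you can record the ClientHello at both ends.

```python
"""Added example: flag a TLS ClientHello that was rewritten or weakened in transit."""

# Protocol versions ordered weakest to strongest.
VERSION_RANK = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Substrings of IANA cipher-suite names that mark broken or obsolete primitives.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_anon_", "_MD5")


def is_weak(suite):
    """True if the suite name contains a known-weak cipher, MAC or key exchange."""
    return any(marker in suite for marker in WEAK_MARKERS)


def has_forward_secrecy(suite):
    """True if the suite uses an ephemeral (EC)DHE key exchange."""
    # TLS 1.3 suite names carry no key exchange and are always ephemeral.
    if "_WITH_" not in suite:
        return True
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def compare_hellos(sent, seen):
    """Compare the hello the client sent with the one the server saw.

    Both arguments are dicts with "max_version" and "cipher_suites"
    (ordered by preference). Any difference means the connection was
    terminated and re-originated by something in the middle.
    """
    findings = []
    sent_suites, seen_suites = sent["cipher_suites"], seen["cipher_suites"]

    if sent["max_version"] != seen["max_version"] or sent_suites != seen_suites:
        findings.append("hello-rewritten")
    if VERSION_RANK[seen["max_version"]] < VERSION_RANK[sent["max_version"]]:
        findings.append("version-downgrade")

    # Weak suites the server was offered that the real client never proposed.
    added_weak = [s for s in seen_suites if is_weak(s) and s not in sent_suites]
    if added_weak:
        findings.append("weak-ciphers-added")

    # The client preferred an ephemeral key exchange, the middlebox does not.
    if (sent_suites and seen_suites
            and has_forward_secrecy(sent_suites[0])
            and not has_forward_secrecy(seen_suites[0])):
        findings.append("forward-secrecy-lost")

    return {"intercepted": bool(findings), "findings": findings,
            "added_weak": added_weak}


# Constructed sample: what a modern browser offers ...
BROWSER_HELLO = {
    "max_version": "TLSv1.2",
    "cipher_suites": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
}

# ... and what a badly configured inspection proxy offers on its behalf.
PROXY_HELLO = {
    "max_version": "TLSv1.0",
    "cipher_suites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
    ],
}

if __name__ == "__main__":
    print(compare_hellos(BROWSER_HELLO, PROXY_HELLO))
    print(compare_hellos(BROWSER_HELLO, BROWSER_HELLO))
```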

 

Risk #3: Inserting Ads Into Your Browsing (And Opening Holes In Your Browsing Security)

One of the major threats to cybersecurity if the FCC’s privacy rules are repealed comes from Internet providers inserting ads into your web browsing. Here we’re talking about your Internet provider placing additional ads in the webpages you view (beyond the ones that already exist). Why is this dangerous? Because inserting new code into a webpage in an automated fashion could break the security of the existing code in that page. As security expert Dan Kaminsky put it, inserting ads could break “all sorts of stuff, in that you no longer know as a website developer precisely what code is running in browsers out there. You didn't send it, but your customers received it.”

In other words, security features in sites and apps you use could be broken and hackers could take advantage of that—causing you to do anything from sending your username and password to them (while thinking it was going to the genuine website) to installing malware on your computer. [1]

 

Risk #4: Zombie Supercookies (Allowing Hackers to Track You Wherever You Go)

Internet providers haven’t been content with just inserting ads into our traffic—they’ve also tried inserting unique tracking tags as well (the way Verizon did two years ago). For Internet providers, the motivation is to make you trackable, by inserting a unique ID number into every unencrypted connection your browser makes with a website. Then, a website that wants to know more about you (so they can decide what price to charge you for a product) can pay your Internet provider a little money and tell them what ID number they want to know about, and your Internet provider will share the desired info associated with that ID number.

At first you might be tempted to file this one away as purely a privacy problem. But this is a great example of how privacy and security really are two sides of the same coin. If your Internet provider is sending these tracking tags to every website you visit (as Verizon did originally), then every website you visit, and every third party embedded in websites you visit, can track you—even if you’ve deleted your browser’s cookies or enabled Incognito mode.

This means that more people will be able to track you as you surf the Web, you’ll see more creepy and disconcerting ads based on things you’ve done in the past, and many of the tools you might use to protect yourself won’t work because the tracking is being added after the data leaves your machine.
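Because the tag is added after the request leaves your machine, the way to detect it is to compare what you sent with what a server you control received. The following is an added example, not code from the original post: it assumes an echo endpoint reached over plain HTTP from several fresh sessions, and the header name X-Subscriber-Tag and all values are constructed.

```python
"""Added example: find headers injected in transit and flag persistent IDs."""
import math
from collections import Counter

# Headers an ordinary proxy or load balancer adds; reported separately.
PROXY_HEADERS = {"via", "forwarded", "x-forwarded-for",
                 "x-forwarded-proto", "x-forwarded-host"}


def normalise(headers):
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def shannon_entropy(value):
    """Bits of entropy per character of the string."""
    if not value:
        return 0.0
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())


def looks_like_identifier(value, min_len=16, min_entropy=3.0):
    """Long, high-entropy values are typical of opaque tracking tokens."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def classify_added_headers(observations):
    """observations: list of (sent, received) header dicts, one per fresh session.

    Returns {header_name: kind} for every header the server saw but the
    client never sent. A header is a "persistent-identifier" when it shows
    up in every session with the same token-like value, i.e. it survives
    clearing cookies or using a private window.
    """
    total = len(observations)
    added = {}
    for index, (sent, received) in enumerate(observations):
        sent_n, received_n = normalise(sent), normalise(received)
        for name, value in received_n.items():
            if name not in sent_n:
                added.setdefault(name, {})[index] = value

    findings = {}
    for name, by_session in added.items():
        values = list(by_session.values())
        stable = total >= 2 and len(values) == total and len(set(values)) == 1
        if name in PROXY_HEADERS:
            findings[name] = "proxy-metadata"
        elif stable and looks_like_identifier(values[0]):
            findings[name] = "persistent-identifier"
        else:
            findings[name] = "other-injected"
    return findings


# Constructed sample data: three sessions, each started with an empty cookie jar.
SAMPLE_TAG = "Q09OU1RSVUNURUQtU0FNUExFLUlELTAwMDE="  # constructed value
SENT = {"Host": "echo.example.test", "User-Agent": "probe/1.0", "Accept": "*/*"}


def _received(request_start):
    """What the (hypothetical) echo server reports for one session."""
    return {
        "host": "echo.example.test",      # same header, different case
        "user-agent": "probe/1.0",
        "accept": "*/*",
        "X-Subscriber-Tag": SAMPLE_TAG,   # hypothetical injected tag
        "Via": "1.1 gw.example.test",
        "X-Request-Start": request_start,
    }


SAMPLE_OBSERVATIONS = [
    (SENT, _received("t=1490600001")),
    (SENT, _received("t=1490600317")),
    (SENT, _received("t=1490600954")),
]

if __name__ == "__main__":
    for header, kind in classify_added_headers(SAMPLE_OBSERVATIONS).items():
        print(f"{header}: {kind}")
```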

  

Risk #5: Spyware (Which Opens the Door for Malware)

The last risk comes from Internet providers pre-installing spyware on our devices—particularly on mobile phones, which most of us purchase directly from the company that provides our cell service, i.e. our Internet provider. In the past, Internet providers have installed spyware like Carrier IQ on phones, claiming it was only to “improve wireless network and service performance.” After a huge blowback, many Internet providers backed down on using Carrier IQ. But given that software like Carrier IQ could record what websites you visit and what search terms you enter, it would be pretty tempting for Internet providers to resurrect that spyware and use it for advertising purposes. So where’s the cybersecurity risk?

As we’ve explained before, part of the problem with Carrier IQ was that it could be configured to record sensitive information into your phone’s system logs. But some apps transmit those logs off of your phone as part of standard debugging procedures, assuming there’s nothing sensitive in them. As a result, “keystrokes, text message content and other very sensitive information [was] in fact being transmitted from some phones on which Carrier IQ is installed to third parties.” Depending on how that information was transmitted, eavesdroppers could also intercept it—meaning hackers might be able to see your username or password, without having to do any real hacking.

But the even bigger concern is that for spyware like Carrier IQ to function effectively, it has to have fairly low-level access to your phone’s systems—which is engineer-speak for saying it needs to be able to see and access all the parts of your phone’s operating system that would usually be secure. Thus, if hackers can find a vulnerability in the spyware, then they can use it as a sort of tunnel to get access to almost anything in your phone.

 

In the end, the cybersecurity implications of repealing the FCC’s privacy rules come from simple logic. If the privacy rules are repealed, Internet providers will resume and accelerate these dangerous practices with the aim of monetizing their customers’ browsing history and app usage. But in order to do that, Internet providers will need to record and store even more sensitive data on their customers, which will become a target for hackers. Internet providers will also be incentivized to break their customers’ security, so they can see all the valuable encrypted data their customers send. And when Internet providers break their customers’ security, you can be sure malicious hackers will be right on their heels.

The net result is simple: repealing the FCC’s privacy rules won’t just be a disaster for Americans’ privacy. It will be a disaster for America’s cybersecurity, too.


1. The mechanisms that can be broken by ad injection include: the Same Origin Policy; the correctness of non-browser applications that use HTTP as a transport mechanism (including many Internet of Things protocols, and software update mechanisms that rely on signatures but not TLS for security); certain uses of Content Security Policy headers.


We Have 24 Hours to Save Online Privacy Rules

eff.org - Mon, 27/03/2017 - 12:30

This is our last chance to save critical online privacy protections.


We are one vote away from a world where your ISP can track your every move online and sell that information to the highest bidder. Call your lawmakers now and tell them to protect federal online privacy rules.

Last year the FCC passed a set of rules for how ISPs deal with their customers’ data. The commonsense rules updated longstanding federal protections for Internet users. Under the rules, ISPs would be required to protect your data and wouldn’t be allowed to do a host of creepy things, including sell your Internet browsing records without your consent.

Those rules were a huge victory for consumers. Of course, the ISPs that stand to make money off of violating your privacy have been lobbying Congress to repeal those rules. Unfortunately, their anti-consumer push has been working.

The Senate voted last week 50-48 on a Congressional Review Act (CRA) resolution to repeal the FCC’s privacy rules. Now the resolution heads over to the House, where it’s scheduled to get a vote on Tuesday.

If the House passes it, you’ll be even more at the mercy of your ISP. Because Congress is using a CRA resolution, the FCC will be prohibited from writing similar rules in the future. And thanks to the current legal landscape, no other federal agency has the authority to protect you against privacy invasions by your ISP.

With a House vote scheduled for Tuesday, we have 24 hours to speak up and tell our representatives that they can’t put ISPs’ profits over our privacy.

Call your lawmakers today and tell them to oppose S.J. Res. 34, which would repeal the FCC’s broadband privacy rules.


EFF Launches Community Security Training Series

eff.org - Sun, 26/03/2017 - 06:15

EFF is pleased to announce a series of community security trainings in partnership with the San Francisco Public Library. High-profile data breaches and hard-fought battles against unlawful mass surveillance programs underscore that the public needs practical information about online security. We know more about potential threats each day, but we also know that encryption works and can help thwart digital spying. Lack of knowledge about best practices puts individuals at risk, so EFF will bring lessons from its comprehensive Surveillance Self-Defense guide to the SFPL.

EFF has tailored this series for technology beginners who may be unaware of potential privacy dangers, but already use smart phones or computers. Library patrons are invited to bring their devices to EFF's introductory classes which include discussions of basic online security concepts and privacy tools. Lisa Wright and Willie Theaker, members of EFF's TechOps Team, will facilitate Digital Privacy and Security: A Beginner-to-Intermediate Workshop followed by Encryption Apps for your Phone: An Intermediate Workshop. There will be two opportunities to attend each class.

Event details are included in each link to the EFF calendar above. Space is limited and attendance is on a first-come, first-served basis, so attendees should prepare to arrive early. We encourage all EFF supporters to help people in their circles learn more about online rights issues and how to keep themselves—and each other—safer.

At the end of April, EFF's spring Bay Area Members' Speakeasy will feature a more advanced workshop on email encryption and key generation open to EFF members and their guests—we encourage you to bring a friend! Following the workshop, all EFF members will be invited to join our PGP keysigning party to help bring the community together and further expand the web of trust. If you are a current Bay Area member accepting email, you will receive a personal invitation including event details. Not a member yet? Join today!

With the Surveillance Self-Defense project and these local events, EFF strives to help make information about online security accessible to beginners as well as seasoned techno-activists and journalists. We hope you will consider our tips on how to protect your digital privacy, but we also hope you will encourage those around you to learn more and make better choices with technology. After all, privacy is a team sport and everyone wins.



Another Loss For Broadcast TV Streaming, And A Dangerous Shift Of Decision-Making Power

eff.org - Sat, 25/03/2017 - 08:21

Another court has ruled that streaming local broadcast TV channels to mobile devices is something that only traditional pay-TV companies can do—startups need not apply. The Ninth Circuit appeals court has ruled that FilmOn, an Internet video service, cannot use the license created by Congress for “secondary transmissions” of over-the-air TV broadcasts. That likely means that FilmOn and other Internet-based services won’t be able to stream broadcast TV at all. That’s a setback for local TV and the news, weather, local advertising, and community programming it carries.

The court’s harmful ruling is bad enough, and is made worse by the way it arrived at that decision. Instead of interpreting the Copyright Act according to its own independent judgment, the court deferred to the opinion of the Register of Copyrights, an official who has no authority to make or interpret laws on her own. And the Register has often acted as more of an advocate for the media and entertainment industries than a neutral authority. Ms. Pallante, the former Register, famously said that “copyright is for the author first and the nation second,” and has gone on to become the head of a trade association for publishers.

Can startups take advantage of the law that allows incumbent pay-TV services to carry broadcast TV?

The fight to send broadcast TV over the Internet has been a long one. For most people in the U.S., it’s hard if not impossible to watch local TV stations live over the Internet. Unlike other forms of video programming that are available in many different ways, local broadcasts usually require a TV set and a finicky antenna or an expensive cable subscription. Of course, the technology to send local broadcast TV to Internet-connected devices has been around for a while. Copyright law, not technology, has been the barrier.

Copyright applies when shows are transmitted “to the public.” That means cable operators need licenses from copyright holders. And since the Supreme Court’s Aereo decision, Internet-based services that “look like cable” to the customer also need licenses. The major difficulty is that the programs, commercials, and other material shown on TV channels have many different copyright holders. A service that wants to help viewers see those channels in more places and on more devices is faced with the difficult (in fact, often impossible) task of negotiating a license with each and every one of those owners before their material goes on the air. Fail to license even a single program or commercial and the would-be cable competitor risks lawsuits and ruinous copyright penalties.

But copyright law also includes a way for pay-tv systems to get the permissions they need by paying a set fee. That mechanism, known as Section 111, applies to any “facility” that “receives signals” from broadcast TV stations and “makes secondary transmissions” of those signals to paying subscribers. The law was passed long before Internet video streaming, but its core definition of a “cable system” is written broadly enough to include an Internet-based system like FilmOn’s.

Nope, because that law is unclear and the Register of Copyrights said it shouldn’t apply.

Major TV and movie studios have long opposed letting Internet-based services use the Section 111 license, and so did Maria Pallante, who was the Register of Copyrights (the head of the Copyright Office) until 2016. She wrote several letters and papers arguing that only traditional cable systems should be able to use the license.

In the studios’ case against FilmOn, one of several they filed around the country, the federal district court in Los Angeles ruled that Congress wrote Section 111 broadly enough to include Internet-based services. This week, the Ninth Circuit reversed that decision.

The court recognized that applying a complex 41-year-old law to today’s technology is not straightforward: “FilmOn and other Internet-based retransmission services are neither clearly eligible nor clearly ineligible for the compulsory license [Section] 111 makes available to ‘cable systems.’” At this point, the court could have grappled with the purposes of the law, its legislative history, and its effects on the TV market to reach a result. But it didn’t do this in any significant way. Instead, it “deferred” to the Register of Copyrights and treated her opinions on this question as the final word. The judges wrote that the Copyright Office “has a much more intimate relationship with Congress and is institutionally better equipped than we are to sift through and to make sense of the vast and heterogeneous expanse that is the [Copyright] Act’s legislative history.”

That’s a troubling conclusion. While the Copyright Office staff might be more familiar with this area of law than a federal judge, the Office doesn’t have the authority to make or interpret laws. Treating the Register of Copyrights’ opinions about the law as binding invades both Congress’s power to make laws and the courts’ role as interpreters of the law. While the Copyright Office serves important functions, including registering copyrights and keeping records of them, and growing the Library of Congress’s collection, it shouldn’t be given the powers of a court to issue binding interpretations of the law.

This decision leaves streaming services for broadcast TV in a double bind: they need to get permission from rightsholders, but they can’t get that permission using the streamlined method that Congress created. In practical terms, that means traditional pay-TV systems can retransmit broadcast TV to paying subscribers, but newer competitors that use streaming can’t. Protected against competition from streaming technology, cable subscription prices continue to climb, and broadcast TV continues to diminish as a source of local information and opinion.

Related Cases: WNET v. Aereo; Fox v. Aereokiller

Australia Stalls Copyright Safe Harbor Proposal

eff.org - Sat, 25/03/2017 - 06:18

Copyright safe harbors for Internet intermediaries are under attack from Big Media both in the United States and in Europe. Laying the blame for falling revenues on platforms such as YouTube and Facebook (despite the fact that revenues aren't actually falling at all), their aim is to impose new controls over how these platforms allow you to access and share content online. The control at the top of their wish-list is a compulsory upload filter that would automatically screen everything that you upload. Such a requirement would be a costly imposition on smaller platforms and new innovators, and provide governments with a ready-built infrastructure for content censorship.

In Australia, the situation is a little different. Due to an oversight in implementation of the original U.S.-Australia Free Trade Agreement in 2005, Australia never had a full copyright safe harbor system to begin with; it has a much narrower one, which applies only to ISPs and not to other Internet platforms, nor even to other Internet access providers such as libraries and educational institutions. This oversight was due to be remedied with the passage of new amendments to Australia's Copyright Act. (The TPP, had it passed, would also have required Australia to bring in this reform.)

Unfortunately pressure from copyright holders, including a well-orchestrated astroturf campaign, put the kibosh on that this week, when the safe harbor reforms were dropped from the copyright amendment Bill. What does this mean in practice? Essentially it translates into a huge potential legal liability for Internet platforms that allow users to upload content. Because they don't have any protection from liability for user content that infringes copyright, there is the risk that their services could be characterised by a court as inducing or contributing to copyright infringement, much in the same way that file sharing software was accused of doing so in a rash of U.S. lawsuits in the early 2000s.

While much of that file sharing software was driven into extinction, the same fate did not befall America's user-generated content websites. This wasn't for lack of trying by Big Media. In the Viacom v. YouTube case, they argued that YouTube was liable for copyright infringements in the videos that its users uploaded. Thanks to the DMCA safe harbor, Viacom lost the case (though an appeal was later settled), and to this day websites in the U.S. remain entitled to allow users to upload content of their choice, without taking on advance responsibility for the copyright status of that content. Instead, if a copyright infringement is alleged, the copyright holder issues a takedown notice to the website, which will remove it and leave the next steps up to the user and the copyright holder.

In Australia, a similar case might be decided differently, and content sharing platforms could be shut down in the absence of an adequate safe harbor protection. This leaves platforms with the stark choice to run the risk of being required to pay enormous penalties to copyright holders, or preemptively enter into agreements with copyright holders to pay license fees for all user uploaded content, or exit the Australian market altogether. In short, Australian online innovators face a lot more risk and uncertainty for as long as they lack adequate copyright safe harbor protection.

Australia had the opportunity to bring its laws into line with equivalent laws from the U.S. and Europe, and international standards as encapsulated in the Manila Principles on Intermediary Liability. This week, it squandered that opportunity by sending the proposal back to the drawing board, and it's Australian innovators, libraries, educational institutions, and their users who will suffer. We urge the Australian government to look beyond the copyright lobby to the broad sectors of Australian society who have expressed support for this important reform, and to reintroduce it at the earliest opportunity.



House Schedules Vote on Eliminating Consumer Online Privacy Rights Next Week

eff.org - Sat, 25/03/2017 - 04:21
Majority Leader McCarthy Confirms House to Immediately Act on Behalf of the Cable and Telephone Industry Following the Senate Vote

Yesterday, the U.S. Senate, by a razor-thin margin of 50 to 48, voted to take away the privacy rights of Internet users as a favor to the cable and telephone industry. Now the House is planning to take up the legislation immediately next week, before people can discover the damage they are about to inflict on consumer privacy online.

These Are Our Legal Rights To Privacy They Are Dismantling

Americans have enjoyed a legal right to privacy from their communications providers under Section 222 of the Telecommunications Act for more than twenty years. When Congress made that law, it had a straightforward vision of how it wanted the dominant communications network (at that time the telephone company) to treat your data, recognizing that you are forced to share personal information in order to utilize the service and did not have workable alternatives.

Now Congress has begun to reverse course by eliminating your communication privacy protections in order to open the door for the cable and telephone industry to aggressively monetize your personal information. Proponents of such a drastic course change in law would have you believe that a repeal of the Federal Communications Commission's updated privacy rules for broadband providers would still leave your privacy protections intact. This understates the gravity of what H.J. Res. 86 and S.J. Res 34 may do to consumer privacy. Make no mistake, if Congress decides to codify a repeal of consumer privacy under the Congressional Review Act (as opposed to simply amending the law or the FCC changing the privacy rules again), it can have a serious impact on your legal right to privacy in your communications over broadband.

Proponents of eliminating consumer privacy will go even further and say that it is the FCC's fault that they must harm the legal protections you have enjoyed for more than twenty years by stating it was the agency that overreached its legal authority and acted in a manner that was unconnected with the law. But when Congress actually wrote the law, the charge it gave the FCC seemed fairly clear.

The Senate Commerce Committee, for example, expressed a clear intent of specific legal obligations for the communications provider by stating the following:

“In general, a Bell company may not share with anyone customer-specific proprietary information without the consent of the person to whom it relates. Exceptions to this general rule permit disclosure in response to a court order or to initiate, render, bill and collect for telecommunications services.”

The House Commerce Committee in their own report indicated a similar line of thinking:

“This section defines three fundamental principles to protect all consumers. These principles are: (1) the right of consumers to know the specific information that is being collected about them; (2) the right of consumers to have proper notice that such information is being used for other purposes; and (3) the right of consumers to stop the reuse or sale of that information.”

In essence, the FCC has done the job Congress told it to do many years ago. However, the cable and telephone industry have sensed an opportunity to exploit the flurry of repeals Congress has taken up and laid out a series of misleading arguments to convince Congress to proactively do harm to your privacy. They were successful at convincing 50 U.S. Senators to go along with their plan. Now the fight has moved to the House of Representatives.

There is only one way to stop them from winning.

We must speak up and call our elected officials to reject H.J. Res 86 and S.J. Res 34 and preserve our legal rights to consumer online privacy.



Senate Puts ISP Profits Over Your Privacy

eff.org - Fri, 24/03/2017 - 01:30

The Senate just voted to roll back your online privacy protections. Speak up now to keep the House from doing the same thing.

ISPs have been lobbying for weeks to get lawmakers to repeal the FCC’s rules that stand between them and using even creepier ways to track and profit off of your every move online. Republicans in the Senate just voted 50-48 (with two absent votes) to approve a Congressional Review Act resolution from Sen. Jeff Flake which—if it makes it through the House—would not only roll back the FCC’s rules but also prevent the FCC from writing similar rules in the future.

That would be a crushing loss for online privacy. ISPs act as gatekeepers to the Internet, giving them incredible access to records of what you do online. They shouldn’t be able to profit off of the information about what you search for, read about, purchase, and more without your consent.

We can still kill this in the House: call your lawmakers today and tell them to protect your privacy from your ISP.



The Bill of Rights at The Border: The First Amendment and the Right to Anonymous Speech

eff.org - Thu, 23/03/2017 - 09:48

The U.S. border has been thrown into the spotlight these last few months, with border agents detaining travelers for hours, demanding travelers unlock devices, and even demanding passwords and social media handles as a prerequisite for certain travelers entering the country. As the U.S. government issues a dizzying array of new rules and regulations, people in the U.S. and abroad are asking: are there meaningful constitutional limits on the ability of border agents to seize and search the data on your electronic devices and in the cloud?

The answer is: Yes. As we’ll explain in a series of posts on the Bill of Rights at the border and discuss in detail in our border search guide, border agents and their activities are not exempt from constitutional scrutiny.

In this first post, we’ll focus on the First Amendment.

The First Amendment is meant to safeguard five fundamental rights: speech, assembly, religion, press, and petition to the government for redress of grievances. The First Amendment also protects the right to exercise these basic rights anonymously because, as Supreme Court Justice John Paul Stevens wrote:

“Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.”

But when border agents scrutinize the massive volume of sensitive information in our digital devices or in the cloud, they infringe on First Amendment rights in at least four distinct ways.

  • First, device searches may reveal your social media profile handles, including those of pseudonymous accounts. This allows border agents to match those handles to your passport identity, which effectively unmasks you and prevents you from being able to speak anonymously online. The same is true if you comply with an agent’s demand that you tell them your social media handles.
  • Second, device searches may also chill your ability to associate with an expressive institution anonymously, like a political group. Border agents can use a device search or knowledge of your social media handles to unearth a variety of private associational ties that can be mapped and harvested for more personal information and connections. What is worse, the investigation may intrude upon your contacts’ privacy as well as your own.
  • Third, requiring you to let CBP review your web-browsing history violates your right to access and receive information anonymously. This intrusion also occurs when CBP scrutinizes your shopping histories to reveal your private decisions to acquire expressive materials, such as books and movies.
  • Finally, requiring journalists to unlock devices that contain confidential journalistic sources and work product inhibits their ability to shield the identity of their sources and undermines the integrity and independence of the newsgathering process.

Border searches of our digital devices and cloud data thus implicate core free speech rights. Therefore, border agents should at least be required to obtain a warrant supported by probable cause before any such search of our private digital information.

Indeed, the First Amendment requires even more. For example, when police officers demand purchasing records from booksellers (implicating the right to access information anonymously), the First Amendment requires not only probable cause, but a compelling need, the exhaustion of less restrictive investigative methods, and a substantial nexus between the information sought and the investigation. Given that a digital device search is far more invasive upon First Amendment rights than disclosure of what books a person buys at a single bookseller, border agents should be required to do the same.

And the government should take special care with respect to journalists. The Privacy Protection Act prohibits the government from searching or seizing a journalist’s materials without probable cause that the journalist has committed a crime. While the statute exempts border searches for the purpose of enforcing the customs laws, it does not exempt border searches for other purposes, such as a criminal investigation.

Unfortunately, so far, courts have refused to recognize the free speech implications of digital border searches. But we hope and expect that will change as courts are forced to weigh the increasing amount of sensitive information easily accessible on our devices and in the cloud, and the increasing frequency and scope of border searches of this information.

Without First Amendment protections at the border, the threat of self-censorship looms large. Travelers faced with the risk of border agent intrusion into such sensitive data are more prone to self-censorship when expressing themselves, when considering private membership in political groups, or when deciding whether to access certain reading or media material. This is especially true for people who belong to unpopular groups, who espouse unpopular opinions, or who read unpopular books or view unpopular movies.

Likewise, confidential sources that provide invaluable information to the public about government or corporate malfeasance may refrain from whistleblowing if they fear journalists cannot protect their identities during border crossings. This is why EFF is calling for stronger Constitutional protection of your digital information and urging people to contact Congress on this issue today.

We’re also collecting stories of border search abuses at: borders@eff.org

The good news is there’s a lot you can do at the border to protect your digital privacy. Take the time to review our pocket guides on Knowing Your Rights and Protecting your Digital Data at the border. And for a deeper dive into these issues, take a look at our Border Search Guide on protecting the data on your devices and in the cloud.



Call Your Senators Thursday Morning to Save Your Privacy

eff.org - Thu, 23/03/2017 - 08:35

Congress is getting serious about taking away your online privacy. We have to get serious about stopping them.

The Senate is going to vote on Thursday on a measure from Sen. Jeff Flake that would repeal the broadband privacy rules passed by the FCC last year. According to at least one of the measure’s co-sponsors, it will likely have the votes it needs to pass in the Senate unless we take action right now.

Those rules were a huge win for consumers, and—if Congress doesn’t get in the way—they’ll protect Internet users from creepy tracking by their ISPs when they go into effect later this year.

As we’ve argued, repealing the FCC’s privacy rules is a bad move for consumers. If Congress repeals the rules, your ISP will be able to sell records about what you look at, what you purchase, and who you talk to online. The FCC may not be able to write new privacy rules, and, because of the current legal landscape, it’s not clear that any federal agency would be able to step in and protect consumers when ISPs violate their privacy.

Now is the time to act. Call your lawmakers and tell them to oppose the resolution to repeal the FCC’s privacy rules.



Know About Digital Device Searches in California Schools? Send a Report to EFF.

eff.org - Thu, 23/03/2017 - 08:32

Here in California, we’re in a tough battle over how and when the government can search through the digital devices of teachers and students. A terrible proposal—A.B. 165—seeks to strip over 6 million Californians of privacy safeguards baked into our state laws, giving the government a loophole to rifle through personal digital devices in schools without a warrant issued by a judge.

We’re looking for individuals in California’s public schools who can report on experiences with digital device searches. Are you a student who had a school administrator search your device without your consent? Are you a parent whose son or daughter was punished because of data found on their device? Are you a teacher who has seen or been part of questionable searches in the school context? We want to hear about it.

Types of stories that would be especially useful for us:

  • Examples in which digital device searches may have violated existing California law and resulted in negative consequences (embarrassment, administrative action, criminal investigation) for students or teachers;
  • Examples in which digital device searches in schools exposed sensitive details about students, teachers, or their families, including medical concerns, immigration status, economic status, sexual orientation, or political speech;
  • Other examples of digital device searches in California schools that you found concerning.

Please report stories using our survey and share this request with your friends.

A.B. 165 is currently scheduled for a hearing before the Assembly Committee on Privacy and Consumer Protection on April 18. That means that right now is a very important time to make sure all our California legislators hear us. Please speak out now against A.B. 165.

Not in California? You can still make a difference. Please reach out to your friends in California and ask them to speak out, and please share this blog post on social media.

Read more about how A.B. 165 will impact privacy in California and could be the first step toward rolling back privacy protections for other communities.



Consumers Press the USTR Nominee on Trade Transparency

eff.org - Thu, 23/03/2017 - 06:37

Even before U.S. Trade Representative (USTR) nominee Robert Lighthizer takes office, he’s already feeling the heat from Congress and from public interest representatives about improving transparency and public access to trade negotiations.

In written answers given as part of Lighthizer’s confirmation hearing last week, Senator Ron Wyden asked him, “What specific steps will you take to improve transparency and consultations with the public?” Lighthizer’s reply (which he repeated in similar form in response to similar questions from other Senators) was as follows:

“If confirmed, I will ensure that USTR follows the TPA [Trade Promotion Authority, aka Fast Track] requirements related to transparency in any potential trade agreement negotiation. I will also look forward to discussing with you ways to ensure that USTR fully understands and takes into account the views of a broad cross-section of stakeholders, including labor, environmental organizations, and public health groups, during the course of any trade negotiation. My view is that we can do more in this area to ensure that as we formulate and execute our trade policy, we receive fulsome input and have a broad and vigorous dialogue with the full range of stakeholders in our country.”

Senator Maria Cantwell sought to drill down into more specifics, by having Lighthizer address the skewed Trade Advisory Committees that currently advise the USTR. In response to her question:

“Do you agree that it is problematic for a select group of primarily corporate elites to have special access to shape US trade proposals that are not generally available to American workers and those impacted by our flawed trade deals?”

Lighthizer replied:

“It is important that USTR’s Trade Advisory Committees represent all types of stakeholders to ensure that USTR benefits fully from a diverse set of viewpoints in considering the positions it takes in negotiations. If confirmed, I will work to ensure that USTR’s Trade Advisory Committees are appropriately constituted in order to achieve this goal.”

Cantwell also invited Lighthizer to commit to replacing the advisory system with a new process that invites the American public to help shape U.S. proposals for trade agreements and give input on negotiated texts, as well as to having all proposals and negotiated texts published online in a timely fashion so the workers and the broader public that will be impacted by these agreements have a full understanding of what is being negotiated.

He declined to do so, going only so far as to say that he would look forward to discussing “additional means for ensuring public input into U.S. trade negotiations”, as well as “ways to ensure that USTR fully understands and takes into account the views of all stakeholders during the course of a trade negotiation”.

This rather vague commitment certainly doesn’t close the door on the administration adopting the kind of reforms that EFF has demanded, but it also suggests that we will have to continue fighting hard for them to avoid yet another cop-out by the agency.

Trans-Atlantic Consumer Groups Speak Out

Thankfully, we’re not alone in that fight. EFF has just returned from the annual public forum of the Trans-Atlantic Consumer Dialogue (TACD), a forum of U.S. and European consumer groups, of which we are a member. This diverse group released a Positive Consumer Agenda for trade which includes the following demands:

“Any regulatory cooperation dialogue and trade negotiation must be transparent. Agendas of the meetings and rounds must be made publicly available well in advance as well as negotiating documents and minutes of meetings and rounds. For trade negotiations, negotiations should not begin until all parties agree to publish their textual proposals as well as consolidated negotiating texts after each round on publicly available websites. …

“US positions on trade deals can be formulated the way other US federal regulations are: through an on-the-record public process established under the Administrative Procedure Act to formulate positions, obtain comments on draft texts throughout negotiations, and seek comments on proposed final texts. In the European Union, the Commission should open a public consultation when drafting negotiating mandates to mirror the legislative process.”

Trade Isn’t the Right Tool For Every Internet Problem

A third front in our battle to reform the USTR’s closed and opaque trade negotiation practices is a submission that we filed this week with the U.S. International Trade Commission (ITC). The ITC was seeking public submissions in an enquiry on digital trade, to gather input into a report that it is writing to advise the USTR on the topic.

The submission reiterates our demands that the USTR publish its proposals, publish draft texts, have an independent transparency officer, open up proposals to notice and comments and a public hearing process, and open up Trade Advisory Committees to be more inclusive. But it also points out that the USTR shouldn’t consider trade negotiations as the right tool to regulate every aspect of the Internet that touches on trade:

Whereas the Commission aims to describe regulatory and policy measures currently in force in important markets abroad that may significantly impede digital trade, our bottom line is that not all such measures that impede digital trade are necessarily protectionist. … [They may] also have important non-trade justifications that serve broader social and economic needs such as freedom of expression and access to information, consumer safety and privacy, and preservation of the stability and security of Internet networks.

When the only tool you have is a hammer, every problem looks like a nail—and the USTR has been hammering away like mad at topics as diverse as net neutrality, domain names, encryption standards, and intermediary liability. But because there are many other dimensions of these issues besides the trade dimension, trade negotiations aren’t necessarily the best venue to address them; and certainly not while those negotiations remain as closed and opaque as they are at present.

As the renegotiation of NAFTA is around the corner, the need for USTR to reform its outdated practices is becoming increasingly urgent. With Congress, consumer groups, and international trade experts all demanding similar reforms from the next Trade Representative, we certainly hope that Robert Lighthizer is feeling the heat, and that he will rise to the challenge once he takes office.



The New Laptop Ban Adds to Travelers' Lack of Privacy and Security

eff.org - Thu, 23/03/2017 - 03:26

It can be difficult to understand the intent behind anti-terrorist security rules on travel and at the border. As our board member Bruce Schneier has vividly described, much of it can appear to be merely "security theater"—steps intended to increase the feeling of security, while doing much less to actually achieve it.

This week the U.S. government, without warning or public explanation, introduced a sweeping new device restriction on travelers flying non-stop to the United States from ten airports in eight Muslim-majority countries, and nine airlines from those countries. Passengers on these flights must now pack large electronics (including tablets, cameras, and laptops) into their checked luggage.

Information is still emerging regarding the rationale behind the ban, which went into effect at 3:00 Eastern Time Tuesday morning. The United Kingdom on Monday joined the United States with a similar regulation aimed at a differing set of flights.

These new restrictions on the transport of digital devices have provoked a growing sense of insecurity among personal and business travelers flying between America, the Middle East and Turkey, and rightly so. Travelers to and within the United States were already concerned over reports of increasing levels of warrantless inspection of their devices at the border of the United States. Earlier this month, U.S. Customs and Border Protection revealed that there were more device searches in February alone than were conducted in the whole of the 2015 fiscal year.

One of the few consolations is that these invasive searches take place with your knowledge, during security searches of your body and personal items. As we recently described in our guide to digital searches at the border, and in our brief to the Fourth Circuit Federal Court of Appeals, the U.S. border is not a rights-free zone: searches should be noted, and if known about, can be challenged as unlawful. There is also the small compensation that, if officials do not demand access to your laptop, tablet or phone, you can at least be confident that your digital possessions have not been invasively searched.

Requiring digital devices to be checked as luggage removes those reassurances, and adds new concerns. If someone else has physical access to your device, almost all information security guarantees are off the table. Data can be cloned for later examination. If you encrypt your stored data, you might limit how much data can be extracted directly, but even so, you cannot stop the examiner from installing new spyware or hardware. New software can be installed for later logging or remote control; protections can be disabled or manipulated.

Under these conditions, it's very hard to make any assurances about how safe your personal data can be in transit. Some security researchers have devised exotic ways to reveal physical tampering; others spend their time defeating those systems. But if your device is out of your possession, all bets are off.

This is not to assert that the new regulations are intended to enable these widespread, unaccountable searches. But given the content of the new regulation and the manner in which it was introduced, it's not surprising that rather than improving the confidence of travelers that their life and possessions remain safe and secure, it's led to even more doubt and uncertainty.

Because the United States authorities have provided little transparency into or notice of their decision, we have no idea what protection this regulation is attempting to provide. It is particularly unclear what security benefit is achieved by limiting the ban to a few airlines and airports. (Even if you believe, as officials within the Trump administration have stated, that some nationalities pose a particular threat, potential terrorists are surely smart enough to fly to an intervening nation which has not imposed the same controls, and take one of the multi-stop flights on which the United States still permits laptops as a carry-on.) At best, it seems like the real threat is so limited that the United States feels it not worth the cost to inconvenience other travelers. At worst, it adds to the sense that some crossing the border—for instance, citizens of these nations and American visitors to them—should have fewer protections and practical opportunities for legal defense against invasive searches at the border than others.

Security theater or not, improving security at the border includes as a goal ensuring that travelers have a sense of security and confidence that their personal data and devices are safe from unlawful interference. To do that, the United States authorities need to be more transparent in their reasoning, more protective of the highly personal information held on digital devices, and far less arbitrary in their search and treatment of different groups of travelers. A strong set of legal safeguards consistently governing digital device searches of every traveller—whether they are U.S. citizens, residents, or visitors—would be more secure, and safer for all.

For practical advice for protecting your data at the border, see our detailed new guide and printable border search pocket guide.



Patents Are A Big Part Of Why We Can’t Own Nice Things: the Supreme Court Should Fix That

eff.org - Wed, 22/03/2017 - 09:40

Today, the Supreme Court heard arguments in a case that could allow companies to keep a dead hand of control over their products, even after you buy them. The case, Impression Products v. Lexmark International, is on appeal from the Court of Appeals for the Federal Circuit, which last year affirmed its own precedent allowing patent holders to restrict how consumers can use the products they buy. That decision, and the precedent it relied on, departs from long-established legal rules that safeguard consumers and enable innovation.

When you buy something physical—a toaster, a book, or a printer, for example—you expect to be free to use it as you see fit: to adapt it to suit your needs, fix it when it breaks, re-use it, lend it, sell it, or give it away when you’re done with it. Your freedom to do those things is a necessary aspect of your ownership of those objects. If you can’t do them, because the seller or manufacturer has imposed restrictions or limitations on your use of the product, then you don’t really own them. Traditionally, the law safeguards these freedoms by discouraging sellers from imposing certain conditions or restrictions on the sale of goods and property, and limiting the circumstances in which those restrictions may be imposed by contract.

But some companies are relentless in their quest to circumvent and undermine these protections. They want to control what end users of their products can do with the stuff they ostensibly own, by attaching restrictions and conditions on purchasers, locking down their products, and locking you (along with competitors and researchers) out. If they can do that through patent law, rather than ordinary contract, it would mean they could evade legal limits on contracts, and that anyone using a product in violation of those restrictions (whether a consumer or competitor) could face harsh penalties for patent infringement.

Impression Products v. Lexmark International is Lexmark’s latest attempt to prevent purchasers from reusing and refilling its ink cartridges with cheaper ink. If Lexmark can use patent law to accomplish this, it won’t just affect the person or company that buys the cartridge, but also anyone who later acquires or refills it, even if they never agreed to what Lexmark wanted.

The case will turn on how the Supreme Court applies patent law’s “exhaustion doctrine.” As the Court explained in its unanimous Quanta v. LG Electronics decision, the exhaustion doctrine provides that “the initial authorized sale of a patented item terminates all patent rights.” That means a patent holder can’t use patent rights to control what you can do with the product you’ve purchased, because they no longer have patent rights in that particular object. As we explained in a brief submitted along with Public Knowledge, Mozilla, the AARP, and R Street Institute to the Supreme Court, the doctrine protects both purchasers and downstream users of patented products. Without the exhaustion doctrine, patent holders would be free to impose all kinds of limits on what you can do with their products, and could use patent infringement’s severe penalties as the enforcement mechanism. The doctrine also serves patent law’s constitutional purpose—to promote progress and innovation—by ensuring that future innovators have access to, and can research and build on, existing inventions, without seeking permission from the patent holder.

This isn’t Lexmark’s first bite at the apple. The company first tried to argue that copyright law, and section 1201 of the DMCA (which prohibits circumvention of DRM), gave it the right to prevent re-use of its toner cartridges. In 2004, the Sixth Circuit roundly rejected Lexmark’s copyright claims. The court explained that even if Lexmark could claim copyright in the code at issue, and while it might want to protect its market share in cartridges, “that is not the sort of market value that copyright protects.” The Sixth Circuit also shot down Lexmark’s section 1201 claims, stating

[n]owhere in its deliberations over the DMCA did Congress express an interest in creating liability for the circumvention of technological measures designed to prevent consumers from using consumer goods while leaving copyrightable content of a work unprotected. In fact, Congress added the interoperability provision in part to ensure that the DMCA would not diminish the benefit to consumers of interoperable devices "in the consumer electronics environment."

Having lost on its copyright claims, Lexmark found a warmer welcome at the Federal Circuit, which last year held that so long as the company “restricted” the sale of its product (in this case through a notice placed on the side of the cartridge) Lexmark could get around patent exhaustion, and retain the right to control downstream users’ behavior under patent law.

The Federal Circuit’s ruling in Lexmark seriously undermines the exhaustion doctrine, allowing patent holders to control users’ behavior long after the point of purchase merely by including some form of notice of the restriction at the point of sale. As we’ve said before, this is especially troubling because downstream users and purchasers may be entirely unaware of the patent owner’s restrictions.

The Federal Circuit’s ruling is also significantly out of step with how the majority of the law treats these kinds of restrictions. While sellers can use contract law to bind an original purchaser to mutually agreed-upon terms (with some limits), for hundreds of years courts have disfavored sellers’ attempts to use other laws to control goods after a transfer of ownership. Courts and legal scholars have long acknowledged that such restrictions impair the purchasers’ personal autonomy, interfere with efficient use of property, create confusion in markets, and increase information costs. The Federal Circuit’s ruling is even out of step with copyright law, whose exhaustion principle is codified in the first sale doctrine.

We’re hopeful that the Supreme Court will reverse the Federal Circuit and bring patent law’s exhaustion doctrine back in line.



Supreme Court: A Patent Owner Can Lie In Wait

eff.org - Wed, 22/03/2017 - 08:18

In a ruling today that will cheer up patent trolls, the Supreme Court said patent owners can lie in wait for years before suing. This will allow trolls to sit around while others independently develop and build technology. The troll can then jump out from under the bridge and demand payment for work it had nothing to do with.

Today’s 7-1 decision arrives in a case called SCA Hygiene v. First Quality Baby Products. This case involves a patent on adult diapers but has a much broader reach. The court considered whether the legal doctrine of “laches” applies in patent cases. Laches is a principle that penalizes a rightsholder who “sleeps on their rights” by waiting a long time to file a lawsuit after learning of a possible infringement. It protects those that would be harmed by the assertion of rights after a lengthy delay. For example, laches would work against a patent owner that saw an infringing product emerge yet waited a decade to sue, after significant investment of time and resources had been put into the product.

The ruling in SCA follows a similar decision in Petrella v. MGM holding that laches is not available as a defense in copyright cases. The Supreme Court has generally rejected “patent exceptionalism” and has often reversed the Federal Circuit for creating special rules for patent law. So today’s decision was not especially surprising. In our view, however, there were compelling historical and policy arguments for retaining a laches defense in patent law.

Together with Public Knowledge, EFF filed an amicus brief at the Supreme Court explaining the many ways that companies accused of patent infringement can be harmed if the patent owner sleeps on its rights. For example, evidence relevant to invalidity can disappear. This is especially true for software and Internet-related patents. In his dissent, Justice Breyer cited our brief and explained:

[T]he passage of time may well harm patent defendants who wish to show a patent invalid by raising defenses of anticipation, obviousness, or insufficiency. These kinds of defenses can depend upon contemporaneous evidence that may be lost over time, and they arise far more frequently in patent cases than any of their counterparts do in copyright cases.

The seven justices in the majority suggested that patent defendants might be able to assert “equitable estoppel” instead of laches. But that would likely require showing that the patent owner somehow encouraged the defendant to infringe. In most cases, especially patent troll cases, the defendant has never even heard of the patent or the patent owner before receiving a demand. This means estoppel is unlikely to be much help. Ultimately, today’s ruling is a victory for trolls who would wait in the shadows for years before using an obscure patent to tax those who do the hard work of bringing products and services to market.

Related Cases: SCA Hygiene v. First Quality Baby Products

Hearing Wednesday: EFF Testifying Before House Committee That Use of Facial Recognition by Law Enforcement Poses Critical Threat to Privacy

eff.org - Wed, 22/03/2017 - 03:46
One Out of Two Americans Already in a Face Recognition Database Accessible to Law Enforcement

Washington, D.C.—On Wednesday, March 22, Electronic Frontier Foundation (EFF) Senior Staff Attorney Jennifer Lynch will testify at a hearing before the House Committee on Oversight and Government Reform about the FBI's efforts to build up and link together massive facial recognition databases that may be used to track innocent people as they go about their daily lives.

The FBI has amassed a facial recognition database of more than 30 million photographs and has access to hundreds of millions more. The databases include photos of people who aren’t suspected of any criminal activity, drawn from driver’s license, passport, and visa photos, even as the underlying identification technology becomes ever more powerful. The government has done little to address the privacy implications of this massive collection of biometric information.

Lynch will testify that the use of facial recognition technology will allow the government to track Americans on an unprecedented level. The technology, like other biometric programs, such as fingerprint and DNA collection, poses critical threats to privacy and civil liberties. Lynch will tell the House committee that Congress has an opportunity to develop legislation that would protect Americans from inappropriate and excessive biometrics collection and use.

What: Full House Committee on Oversight and Government Reform Hearing: Law Enforcement’s Use of Facial Recognition Technology

Who: EFF Senior Staff Attorney Jennifer Lynch

When: Wednesday, March 22, 9:30 a.m.

Where: 2154 Rayburn House Office Building
           Washington, D.C.

For more information on facial recognition:
https://www.eff.org/foia/fbi-facial-recognition-documents

For more on biometric data collection:
https://www.eff.org/issues/biometrics

 

Contact: Jennifer Lynch, Senior Staff Attorney, jlynch@eff.org

All content and comments posted are owned and © by the Author and/or Poster.
Web site Copyright © 1995 - 2007 Clemens Vermeulen, Cairns - All Rights Reserved