The worst patent trolls bring weak cases and use the cost of defending a lawsuit as leverage to force settlements. A company called Joao Bock Transaction Systems LLC (“JBTS”) has elevated this business model to an art form. The company is associated with patent attorney and prolific “inventor” Raymond Joao. Apparently not content with drafting patents on behalf of others, Joao began to file his own patents. His companies have since launched dozens of lawsuits against technology ranging from streaming video to financial transactions. Of course, if you talk to the people who actually pioneered real-world technology, they’ve never heard of Joao or his companies. From all indications, Joao is solely in the business of filing paper patents and forming companies to sue.
While all of Joao’s patents are contenders, we’ve chosen US Patent No. 7,096,003 (the ’003 patent), titled “Transaction Security Apparatus,” as our Stupid Patent of the Month. This patent, part of a family that includes US Patent No. 6,529,725 (the ’725 patent), relates to electronic financial transactions. The patent purports to describe a new system for secure transactions that includes a step of obtaining authorization from the account owner. The claims are drafted in vague, functional terms with language like “a processing device” that “processes information regarding a banking transaction” and “generates a signal containing information for authorizing or disallowing the transaction.” JBTS has been asserting the patent against dozens of banks and financial services companies, essentially saying that the patent covers any electronic transaction with a confirmation step.
What makes Joao’s patent extra special, however, is the staggering number of patent claims. All patents end with at least one claim (the claims are the part of the patent that is supposed to alert the public to the boundaries of the invention). The average number of claims per patent is around 20. The ’003 patent, however, has an astonishing 424 claims: a seemingly endless list of small, indeed mostly trivial, variations on the same idea. The related ’725 patent has another 340 claims, bringing the total to over 750 claims all based on the same application.
We do not believe there is any legitimate reason for Joao to include so many claims in his patent applications. In fact, it appears this is done solely to allow him to game the system. First, it allows him to raise the cost of defending a lawsuit—for example, in its complaints, JBTS doesn’t identify a single claim that’s allegedly infringed, likely to prevent a motion to dismiss. More disturbingly, JBTS has used the duplicative claims to continue asserting the patents despite multiple defeats in court. Each time the company loses, it picks out some new claims and asserts those, even though they are largely identical to claims already thrown out.
Take the story of Jack Henry & Associates. In 2010, Jack Henry went all the way to trial against Joao Bock Transaction Systems and convinced a jury to invalidate claims from the ’725 patent. It subsequently prevailed on appeal. But Joao was not done. JBTS sued Jack Henry again asserting very similar claims from the ’003 patent. (Arguably, collateral estoppel should have applied, but the judge held the claims were sufficiently different.) In December of this year, Jack Henry won again, with the judge ruling that the asserted claims of the ’003 patent are invalid as abstract under Alice v. CLS Bank.
Remarkably, Joao’s company is still asserting claims from the ’003 patent, even though the logic of the latest court decision clearly applies to all the claims. Last week, Fidelity National Bank filed a motion for sanctions outlining this history in detail. We hope the judge in that case imposes sanctions. The gamesmanship will only continue for as long as judges allow it.
We also hope that the Patent Office finally puts a stop to Joao’s patent “factory.” He still has at least one application from the same family pending (application no. 11/091,200). The Alice decision should prevent him from getting yet more claims on the same abstract idea.
Finally, it is worth noting that many of the changes proposed in the Innovation Act would make it harder for JBTS to abuse the system. Heightened pleading would require it to identify at the outset of litigation which claims it is asserting. Currently, defendants are left to wonder which of hundreds of claims will be at issue. Discovery reform will make it harder for plaintiffs like JBTS to run up costs. And fee shifting will make the business model much less viable. Tell your lawmaker: Let's stop patent trolls. Pass the Innovation Act!

Files: robinson_opinion_joao_v_henry.pdf, fidelity_national_motion_for_sanctions.pdf
EFF submitted an amicus brief to the Supreme Court yesterday in Commil v. Cisco, a patent case that asks whether having a “good-faith belief” that a patent is invalid means that someone can’t induce infringement of a patent.
The issue of what it means to “induce infringement” is a complex, esoteric area of patent law. Generally, inducement liability is where the person accused of infringement didn’t actually carry out infringing acts herself, but instead encouraged other people to do them. For example, telling someone “hey, use this product to infringe this patent” might be inducement, whereas just making a product without any knowledge of a patent on its use would not be.
That’s because the law requires that the inducer have knowledge of the patent in order to be liable. But what if you have knowledge of the patent and you think that it is invalid because it’s not clear what the invention is, or that you don’t infringe because you don’t think the patent covers what your customers do? A court may later determine that you were wrong, but agree with you that you had a reasonable belief that you were right. Should the law make you pay for encouraging something you reasonably thought you were allowed to do?
In our brief, we argue that inducement requires intent to infringe and if you think you’re not infringing (because either the patent is invalid or because you don’t think the acts you cause are covered by the patent), you shouldn’t be considered an inducer.
A contrary ruling would encourage patent holders to avoid clearly describing their inventions in a patent which would exacerbate the problem we already have with vague and overbroad software patents. Patent applicants could hide the ball from the Patent Office (making it more difficult and time consuming to do a good job reviewing the application) and the public (who may not understand the rights claimed by the patent holder), and still claim someone should have known that what they were doing was causing other people to infringe.
Patents serve a public notice function: they are supposed to reasonably inform the public of what is claimed and what is left free for others to do. But the rule the patent owner argues for in this case would make the public notice function of patents almost meaningless. For example, someone reading the patent may not think it applies to acts they cause, but because the court would only look to what the patent owner thinks (an opinion that doesn’t have to actually be stated in the patent), reading the patent may give no clue as to whether you’ll be accused of inducement. The Supreme Court should not allow patent owners to set even more traps for those who have no intention of infringing any valid patent.
The Trans-Pacific Partnership (TPP) talks are stalling while the White House assures its trading partners that this secret trade agreement won't be amended when it comes back to Congress for ratification after the President signs the deal. That's why the Executive is scrambling to get its allies in Congress to pass Fast Track. If they succeed, the U.S. Trade Representative can block the remaining opportunities for lawmakers to examine the TPP's provisions. Those lawmakers are the ones who could ensure that this secret deal does not contain expansive copyright provisions that would lock the U.S. into broken copyright rules already badly in need of reform.
The Fast Track bill is likely going to be introduced as early as next week—so it's time to speak out now. Congress needs to hear from their constituents that we expect them to hold the White House accountable for the TPP's restrictive digital policies. Unless this opaque, undemocratic process is fixed, and state officials uphold the interests of users rather than trampling our rights, we have no choice but to fight trade deals like the TPP.
You can get in touch with your elected representatives and call on them to oppose Fast Track trade authority for the TPP and other secretive, anti-user trade deals. We have also created a new tool for Twitter users to ask three key congressional leaders to come out against Fast Track. They are Sen. Ron Wyden, Rep. Nancy Pelosi, and Rep. Steny Hoyer. Here's why we are targeting these three Congress members in particular.

Target #1: Sen. Ron Wyden
Sen. Wyden is one of the leading defenders of users' rights and a staunch fighter for the free and open Internet in Congress. For the past several years, he has been one of the most outspoken lawmakers denouncing the secretive TPP negotiations, and has consistently raised concerns about the agreement's threat to users. As Ranking Member of the Senate Finance Committee, where the Senate bill will be introduced, he has a significant amount of influence over the outcome of Fast Track. We need to call on him to continue to stand with users and fight back against any version of this bill that does not address critical problems in the trade negotiation process.
Target #2: Rep. Nancy Pelosi

House Minority Leader Nancy Pelosi has proven to be an outspoken defender of the free and open Internet this year, as she was one of the most vocal proponents of net neutrality. However, she has unfortunately been wishy-washy on Fast Track and the TPP. She needs to hear from users that the TPP also puts the Internet at risk from oppressive regulations. If she were to come out against Fast Track, that would be a strong signal for other House Democrats to follow her lead.
Target #3: Rep. Steny Hoyer

Rep. Hoyer's voting record on digital rights has been pretty spotty, and so far he has been supportive of Fast Track. But as House Minority Whip, his opposition to Fast Track would also be hugely influential in getting House Democrats to come out against it as well.
Let them know that we're counting on them to defend the Internet from the White House's secret, anti-user deals. Once you're done tweeting at them (which you can of course do more than once!), remember to share these actions through your social networks. We can defeat this massive, anti-user trade deal, but we're going to need all the help we can get.
At a congressional hearing today, EFF Staff Attorney Vera Ranieri gave formal testimony about patent demand letters and the harm these letters cause to legitimate businesses. Ranieri outlined the discouraging process that allows demand letters to thrive: the Patent Office issues vague and overbroad patents; patent trolls acquire these bad patents and send unfair and deceptive demand letters; and legitimate businesses, without the resources to fight back, end up paying unjustifiable licensing fees. It’s long past time to reform this severely broken system, and we’re pleased that lawmakers seemed ready to tackle this complex problem.
EFF has been fighting abuse of the patent system for years—doing everything from getting bad patents invalidated, to working to stop bad patents from issuing in the first place, to trying to fix imbalances in the law. In just the last few weeks, EFF announced that it’s representing a photo hobbyist attacked by a patent bully that wanted a license fee for running an online “vote-for-your-favorite-picture” poll and released its “Defend Innovation” whitepaper—two-and-a-half years' worth of research on the challenges facing innovators under the current patent regime, along with concrete suggestions of measures policymakers should take in the coming year.
It seems that conventional wisdom is finally catching up to something that innovators have known for a long time: our patent system isn’t serving creators, it’s hurting them. Join and tell Congress to take action and pass desperately needed reforms today.
Today the FCC voted three to two to reclassify broadband Internet access as a common carrier service under Title II of the Communications Act, and forbear from the parts of the Act that aren’t necessary for net neutrality rules. This reclassification gives the FCC the authority to enact (and enforce) narrow, clear rules which will help keep the Internet the open platform it is today.
As expected, the FCC’s new rules forbid ISPs from charging for special treatment on their networks. They will also reach interconnection between ISPs and transit providers or edge services, allowing the FCC to ensure that ISPs don’t abuse their gatekeeper authority to favor some services over others.
That’s great for making sure websites and services can reach ISP customers, but what about making sure customers can choose for themselves how to use their Internet connections without interference from their ISPs? To accomplish this, the FCC has banned ISPs from blocking or throttling their customers’ traffic based on content, applications or services—which means users, hackers, tinkerers, artists, and knowledge seekers can continue to innovate and experiment on the Internet, using any app or service they please, without having to get their ISP’s permission first.
Even better, the rules will apply to wireless and wired broadband in the same way, so you don’t have to worry that your phone switching from Wi-Fi to a 4G network will suddenly cause apps not to work or websites to become inaccessible. Lots of people use mobile devices as their primary way of accessing the Internet, so applying net neutrality rules to both equally will help make sure there is “one Internet” for all.
So congratulations, Team Internet. We put the FCC on the right path at last. Reclassification under Title II was a necessary step in order to give the FCC the authority it needed to enact net neutrality rules. But now we face the really hard part: making sure the FCC doesn’t abuse its authority.
For example, the new rules include a “general conduct rule” that will let the FCC take action against ISP practices that don’t count as blocking, throttling, or paid prioritization. As we said last week and last year, vague rules are a problem. The FCC wants to be, in Chairman Wheeler’s words, “a referee on the field” who can stop any ISP action that it thinks “hurts consumers, competition, or innovation.” The problem with a rule this vague is that neither ISPs nor Internet users can know in advance what kinds of practices will run afoul of the rule. Only companies with significant legal staff and expertise may be able to use the rule effectively. And a vague rule gives the FCC an awful lot of discretion, potentially giving an unfair advantage to parties with insider influence. That means our work is not yet done. We must stay vigilant, and call out FCC overreach.
The actual order is over 300 pages long, and it’s not widely available yet. Details matter. Watch this space for further analysis when the FCC releases the final order.
New Report Shows European Data Protection Authorities are Taking Facebook’s Questionable Terms of Service Seriously
Grumblings about changes in Facebook’s layout and policies are standard practice for everyone familiar with the social media giant. But some European governments are taking Facebook’s practices more seriously. This week, interdisciplinary scholars and researchers in Belgium issued a draft report entitled “From social media service to advertising network: A critical analysis of Facebook’s Revised Policies and Terms.” The report is provisional, and “will be updated after further research, deliberation and commentary.”
The report was based on an “extensive analysis of Facebook’s revised policies and terms,” conducted “at the request of the Belgian Privacy Commission.” The Commission is part of a task force of European Union (EU) data protection authorities created specifically to address Facebook’s shifting policies, which also includes Germany and the Netherlands.
This thorough analysis is useful both because it provides an in-depth explanation of items of note in the newly revised 2015 terms and because it explains how the terms fit in with European law. To be fair, it’s not all bad: the report reiterates some long-standing concerns that have not been affected by the recent changes, and it also notes that Facebook has improved the degree of clarity around how it uses data, though rather large holes remain.
Facebook’s data processing capabilities have increased both horizontally and vertically. By horizontal we refer to the increase of data gathered from different sources. Vertical refers to the deeper and more detailed view Facebook has on its users.
In particular, this expansion has happened because Facebook has acquired new companies like Instagram and Whatsapp, and because more and more websites use Facebook plug-ins and other services. The report also noted that much of how Facebook uses data is simply opaque.
Although Facebook’s privacy settings haven’t changed, the report notes that:
users are able to choose from several granular settings which regulate access by other individuals, but cannot exercise meaningful control over the use of their personal information by Facebook or third parties. This gives users a false sense of control.
That false sense of control is key, since the report emphasizes the many ways in which users cannot actually limit use of their data. What’s more, Facebook’s default settings for “behavioural profiling and advertising” do not constitute legally valid consent because “consent cannot be inferred from the data subject’s inaction,” and this concept of explicit consent, taken from applicable EU law, recurs throughout the report.
To be legally valid under European Union law, consent to processing and use of user generated data must be “freely given”, “specific”, “informed” and “unambiguous.” The report stresses, “it is highly questionable whether Facebook’s current approach satisfies these requirements.”
Facebook’s practices with regards to how it combines data from a variety of sources, and shares data with other parties are also of questionable legality, according to the report. For example, the report describes a use case in which Facebook combines its own data with data from third-party data brokers. The report notes “Facebook only offers an opt-out system for its users in relation to profiling for third-party advertising purposes,” which in the authors’ view, is insufficient to meet legal requirements.
Facebook’s use of user-generated content, such as photos, is also problematic. Facebook’s terms grant “a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license” to Facebook to use such content. The report notes that this may contradict EU and Belgian law, and has been held “invalid and therefore not enforceable under German Law.” Similarly, “[i]ndividuals have the right to control use of their image,” but the lack of clarity in Facebook’s terms and settings makes this hard to do. That’s why the report recommends that users should be specifically required to opt in to the use of their images for ads.
Unfair Contract Terms
In addition to the concerns noted above with how Facebook utilizes user data, the report indicates that some portions of Facebook’s terms may violate European consumer protection law, in particular the Unfair Contract Terms Directive (UCTD).
One stands out: Facebook’s right to stop providing access to Facebook without warning. Although the terms indicate that Facebook will notify users by email or the next time a user tries to log in, under the UCTD, “terms that enable ‘the seller or supplier to terminate a contract of indeterminate duration without reasonable notice except where there are serious grounds for doing so’ may be unfair.”
As we’ve noted before, Facebook has terminated or suspended many accounts under its names policy. One of the things that users find especially frustrating is the experience of attempting to log in and not being able to access content they may have spent years amassing—all because they weren’t given a warning. Under European law, Facebook’s method of dealing with name violations may not be simply unfair. It may actually be illegal.
In addition to concerns about termination, the report identifies several other problematic terms. It points out that Facebook's terms require disputes to be settled in California, under California law, even though the company has offices in three EU member states. This is likely unlawful under European Parliament regulations. Also, under the UCTD, the terms that limit Facebook's liability to $100, disclaim any warranty for content and software, and reserve the right to unilaterally change the terms themselves are all likely unlawful. Lastly, the clause that "obliges users to indemnify Facebook for any expenses incurred, including legal fees, as a result of a violation of the terms of service" is unlawful in some EU countries.
Tracking and location data
Finally, the report notes that Facebook has increased the ways in which it collects data from users beyond cookies, and collects locational data from a wide variety of sources.
Although Facebook is more explicit in the 2015 terms about gathering locational data, it remains “vague and broad” in its description of what it will do with that data. And that’s a big gap. Users have only the choice to turn access to location data like GPS and WiFi off or on once in the mobile app; they can’t share location data for some purposes but not others. What’s more, Facebook may collect location data not only through explicit means like GPS, but also through other means like the location data in a photograph—and there are no settings that address this. The report recommends offering “granular in-app settings for sharing of location data, with all parameters turned off by default,” and minimizing collection of location data in the first place.
When it comes to tracking, Facebook tracks users through several means, including social plug-ins, fingerprinting, and mobile apps. Social plug-ins are things like Facebook’s “like” button on a news organization’s page. While outside websites can limit the degree of tracking done by plug-ins, the report concludes that Facebook’s current scheme doesn’t provide for legal consent, and that “Facebook should design its social plug-ins in a way which is privacy-friendly by default.”
Other forms of tracking are also of questionable legality. Facebook’s practice of fingerprinting (combining information such as operating system and browser settings to create a “fingerprint” of a device) requires collection and use of device information that is likely not legal under article 5(3) of the e-Privacy Directive. And because tracking through apps can only be controlled by opting out, like other areas where this is the only option, the report concludes that Facebook’s terms don’t “provide for legally valid consent” in this area, either.
Facebook isn’t going away anytime soon, but users should be clear on how the social media giant really operates. You can read the entire report here [PDF]. Hopefully Facebook is reading it too, and plans to address the serious issues raised. We've already given them a few suggestions on how to do so.
1. Specifically, the report noted the Unfair Contract Terms Directive, the work of the Article 29 Working Party, and the e-Privacy Directive.
On April 24, 2014, Brazil’s President, Dilma Rousseff, signed Marco Civil Da Internet, a civil-rights based framework for the Internet for which Brazilian activists have long fought. Dubbed the “Internet Constitution,” the law seeks to reinforce the protection of fundamental freedoms in the digital age. The law was developed through a participatory process, but not without getting caught in the traditional horse-trading of the legislative process, which resulted in several concessions. One of the most damaging concessions, fiercely opposed by digital rights activists, was a data retention mandate that compels the collection and storage of the connection logs of any innocent individual.
Brazil is now in the midst of rolling out the Marco Civil’s secondary legislation, together with a comprehensive data protection law that will heavily influence how online companies and governments can treat personal data in the country. The Ministry of Justice has announced a public online consultation over these two pieces of legislation in the style of the Marco Civil’s process, where all the stakeholders can contribute to the development of the bills. The results of these consultations will determine how Marco Civil is enforced in practice, as Dennys Antonialli, executive director of InternetLab, an independent research center working in the fields of law and technology in Sao Paulo, explains:
"Both consultations intend to gather inputs about the way these laws should be shaped. Although Marco Civil establishes a number of rights for internet users in Brazil, many of its provisions still depend on further regulation, such as zero rating plans and limits for data retention. This is the time to voice concerns to policymakers and make sure they will be addressed properly. The same goes for the draft of the Data Protection Bill, which will serve as a baseline privacy legislation in the country and complement Marco Civil in various ways.”
(InternetLab’s weekly newsletters on the Brazilian consultation are a great resource for anyone attempting to keep up with the process, incidentally.)
If the data protection law passes Congress, Brazil will join more than 100 countries with privacy laws that restrict the collection, use, and disclosure of personal data. As of now, as with the United States, Brazil has limited sectoral laws in some areas. More general data protection principles can be effective in protecting personal data, but successfully enforcing those principles, while reconciling them with other rights, including free expression, requires careful drafting, especially in a fast-moving digital environment.
Marco Civil in Practice: Net Neutrality
Another report issued by ARTICLE 19 Brazil analyzes how effective Marco Civil has been during its first six months of implementation. In its report, ARTICLE 19 draws attention to the "Whatsapp and TIM" network neutrality case. In 2014, the telecom company TIM (the Brazilian subsidiary of Telecom Italia Mobile), in partnership with Whatsapp, released a zero rating plan that allowed subscribers to use the app for "free,” meaning it would not drain subscribers’ data allowances. The zero rating proposal generated discussions about a possible violation of the net neutrality provision of Marco Civil. Marcelo Bechara, the counselor of the National Telecommunications Agency (ANATEL), believes the proposal is a matter of the free market, while others argue that the gratuity of the app generates an asymmetry in traffic (since many users will choose to use this particular app) thus limiting and inhibiting the emergence of new applications and innovations.
According to the InternetLab, the most discussed topic in the Marco Civil’s consultation is "Net neutrality". The main discussion involves "zero rating" plans and the following question: "Can the mobile operators perform this type of discrimination in favor of one application in spite of its competitors?” Join the discussion here.
Marco Civil in Practice: Anonymity
In Brazil, the Constitution prohibits anonymous speech. The intention behind the prohibition is to keep the possibility of identifying anyone who expresses any opinions, beliefs or comments, both in the online or in the offline world. Anonymity is crucial for the exercise of our fundamental freedoms, which makes it possible for individuals to express themselves freely and without fear of retaliation. By not allowing Brazilian citizens to engage in anonymous speech, the Constitution imposes significant obstacles to their ability to report abuses of power or express unpopular opinions. Nevertheless, that prohibition does not extend to the protection of privacy.
Limited by these significant Constitutional obstacles, the Marco Civil reinforces that freedom of speech is a foundational principle for Internet users in Brazil. However, this provision has to be construed under limitations imposed by the Brazilian Constitution, leaving very little room for interpretations that could allow anonymity for free expression purposes. Marco Civil also establishes that Brazilian law should be applicable to any products or services used by individuals located in Brazil. This provision has empowered public prosecutors and law enforcement officials to claim that the constitutional ban on anonymous speech should also prevent the use of Internet applications that allow anonymous expression.
A recent example of this restriction is the ban imposed on “Secret,” an Internet application that markets itself as a “safe place to say what’s on your mind anonymously.” Invoking the Brazilian constitution’s prohibition, the public prosecutor’s office brought a lawsuit against the service, which had quickly become extremely popular in Brazil. Although later overturned, an injunction was granted to ban “Secret” from online application stores (Google and Apple) in Brazil and to have it remotely removed from devices where it had already been installed.
This high-profile case points to a potential danger of broadening the scope of the constitution’s prohibition and applying it to prevent the use of privacy enhancing technologies, which would also bring undesirable repercussions to the rights of reading and browsing anonymously. (Check EFF’s policy paper on Anonymity and Encryption).
The Marco Civil remains one of the best-crafted and democratically debated expressions of rights online to acquire the force of law in the world. But it’s not the end of the story. Like every foundational document, from any Constitution to the Universal Declaration of Human Rights, the real challenges come in interpretation and enforcement. It’s up to Brazil’s engaged citizens to make sure that the law and upcoming legislation upholds the high standard its creators set.
Over the past week many more details have emerged about the HTTPS-breaking Superfish software that Lenovo pre-installed on its laptops for several months. As is often the case with breaking security incidents, most of what we know has come from security engineers volunteering their time to study the problem and sharing their findings via blogs and social media.
Unfortunately, the security implications have gone from bad to worse the more we’ve learned. For instance, researchers have determined that the software library Superfish uses to intercept traffic—developed by a company known as Komodia—is present in more than a dozen other software products, including parental control software and (supposed) privacy-enhancing/ad-blocking software. All of these products have the same vulnerability that Superfish does: anyone with a little technical know-how could intercept and modify your otherwise secure HTTPS traffic.
What’s worse is that these attacks are even easier than researchers originally thought, because of the way Komodia’s software handles invalid certificates: it alters the part of the certificate which specifies what website the certificate is for—for example changing www.eff.org to verify_fail.www.eff.org—and then signs the certificate and sends it on to your browser. Since the website listed on the certificate (verify_fail.www.eff.org) doesn’t match the website the user is actually visiting (www.eff.org), the browser shows a warning to the user.
But certificates have another field, called the Subject Alternative Name, which is used to list alternative domain names for which the certificate can be used (so that website operators can re-use the same certificate across all of their domain names). EFF, for example, uses the same certificate for eff.org, www.eff.org, and *.eff.org. Even if the “main” domain name listed in the certificate doesn’t match the domain name of the website the user is browsing, the certificate will still be accepted as long as one of the alternative names matches. And because Komodia’s software signs the certificate (and tells your browser that it should trust certificates it signs if they’re otherwise valid), the certificate will pass all the browser’s checks, and come up smelling like roses.
This means that an attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)—they just have to create an invalid certificate with the target domain as one of the alternative names, and every Komodia-based product will cause it to be accepted.
Evidence of Man-in-the-Middle Attacks in the Decentralized SSL Observatory
We searched the Decentralized SSL Observatory for examples of certificates that Komodia should have rejected, but which it ended up causing browsers to accept, and found over 1600 entries. Affected domains included sensitive websites like Google (including mail.google.com, accounts.google.com, and checkout.google.com), Yahoo (including login.yahoo.com), Bing, Windows Live Mail, Amazon, eBay (including checkout.payments.ebay.com), Twitter, Netflix, Mozilla’s Add-Ons website, www.gpg4win.org, several banking websites (including mint.com and domains from HSBC and Wells Fargo), several insurance websites, the Decentralized SSL Observatory itself, and even superfish.com.[1]
While it’s likely that some of these domains had legitimately invalid certificates (due to configuration errors or other routine issues), it seems unlikely that all of them did. Thus it’s possible that Komodia’s software enabled real MitM attacks which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys.
To make matters worse, Komodia isn’t the only software vendor that’s been tripped up by this sort of problem. Another piece of software known as PrivDog is also vulnerable. Ostensibly, PrivDog is supposed to protect your privacy by intercepting your traffic and substituting ads from “untrusted sources” with ads from a “trusted” source, namely AdTrustMedia. Like Komodia’s software, PrivDog installs a root certificate when it’s installed, which it then uses to sign the certificates it intercepts. However, a bug in certain versions of PrivDog causes it to sign all certificates, whether they’re valid or not. Simply put, this means that any certificate your browser sees while PrivDog is installed could be the result of a man-in-the-middle attack, and you’d have no way of knowing. The Decentralized SSL Observatory has collected over 17,000 different certificates from PrivDog users, any one of which could be from an attack. Unfortunately, there’s no way to know for sure.
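The certificate handling described in the Komodia and PrivDog paragraphs above, as an added example that is not part of EFF's post or any vendor's code: a minimal model of browser hostname matching (SAN list first, CN only as a fallback, RFC 6125 wildcard rules) fed the three proxy behaviours the post describes, Komodia's "verify_fail." renaming of the CN, PrivDog's sign-everything bug, and the safe behaviour of refusing to re-sign anything that failed validation. The Cert records, the product root name and the sample SAN lists are constructed for the example.

```python
"""Why a re-signed certificate with an untouched SAN list still passes.

Added illustration, not EFF's, Komodia's or PrivDog's code. Certificates are
modelled as small records (subject CN, SAN list, whether the upstream chain
validated, and which root signed the copy the browser sees); the product root
name and the sample certificates are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Set

# Constructed name for the interception product's root, which its installer
# added to the machine's trust store (as Superfish/Komodia and PrivDog do).
PRODUCT_ROOT = "Example Interception Root"
TRUSTED_ROOTS: Set[str] = {PRODUCT_ROOT}


@dataclass
class Cert:
    common_name: str
    sans: List[str] = field(default_factory=list)
    upstream_valid: bool = True   # did the original chain validate?
    signer: str = ""              # "" = upstream CA, else a locally installed root


def label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only be the entire left-most label and
    stands for exactly one label, so *.eff.org matches www.eff.org but
    neither eff.org nor a.b.eff.org."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def name_matches(cert: Cert, hostname: str) -> bool:
    """Browsers consult the SAN list first; the CN is only a fallback
    when the certificate carries no SAN at all."""
    if cert.sans:
        return any(label_matches(n, hostname) for n in cert.sans)
    return label_matches(cert.common_name, hostname)


def browser_accepts(cert: Cert, hostname: str, roots: Set[str]) -> bool:
    """Accepted when the chain ends at a trusted root AND a name matches
    the site being visited."""
    chain_ok = cert.upstream_valid if cert.signer == "" else cert.signer in roots
    return chain_ok and name_matches(cert, hostname)


def proxy_resign(cert: Cert, policy: str) -> Cert:
    """The three proxy behaviours discussed in the post, as policies:
      komodia        invalid upstream -> prefix the CN with 'verify_fail.',
                     copy the SAN list unchanged, sign with the product root
      privdog_buggy  sign everything, valid or not
      safe           refuse to re-sign anything that failed upstream validation
    """
    if policy == "komodia":
        cn = cert.common_name
        if not cert.upstream_valid:
            cn = "verify_fail." + cn
        return Cert(cn, list(cert.sans), True, PRODUCT_ROOT)
    if policy == "privdog_buggy":
        return Cert(cert.common_name, list(cert.sans), True, PRODUCT_ROOT)
    if policy == "safe":
        if not cert.upstream_valid:
            raise ValueError("upstream certificate failed validation; not re-signing")
        return Cert(cert.common_name, list(cert.sans), True, PRODUCT_ROOT)
    raise ValueError("unknown policy: " + policy)


def accepted_after_proxy(policy: str, sans: List[str], host: str = "www.eff.org") -> bool:
    """Does a certificate for `host` that did NOT validate upstream (constructed:
    e.g. one swapped in by a hostile network) end up accepted by the browser
    after passing through a proxy running `policy`?"""
    bad = Cert(host, sans, upstream_valid=False)
    if browser_accepts(bad, host, TRUSTED_ROOTS):
        raise RuntimeError("sanity check: an unproxied invalid cert must be rejected")
    try:
        seen = proxy_resign(bad, policy)
    except ValueError:
        return False            # the safe proxy dropped it; the browser never sees a cert
    return browser_accepts(seen, host, TRUSTED_ROOTS)


if __name__ == "__main__":
    eff_sans = ["eff.org", "www.eff.org", "*.eff.org"]
    for policy, sans in [("komodia", []), ("komodia", eff_sans),
                         ("privdog_buggy", []), ("safe", eff_sans)]:
        print(f"{policy:14s} SAN={sans!r:40} accepted={accepted_after_proxy(policy, sans)}")
```

Only the certificate without a SAN list triggers the warning Komodia relied on; with a SAN list the renamed CN is never consulted, which is exactly the gap the post describes.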
So what can we learn from this Lenovo/Superfish/Komodia/PrivDog debacle? For users, we’ve learned that you can’t trust the software that comes preinstalled on your computers—which means reinstalling a fresh OS will now have to be standard operating procedure whenever someone buys a new computer.
But the most important lesson is for software vendors, who should learn that attempting to intercept their customers’ encrypted HTTPS traffic will only put their customers’ security at risk. Certificate validation is a very complicated and tricky process which has taken decades of careful engineering work by browser developers.[2] Taking certificate validation outside of the browser and attempting to design any piece of cryptographic software from scratch without painstaking security audits is a recipe for disaster.
Let the events of the last week serve as a warning: attempting to insert backdoors into encryption as Komodia attempted to do (and as others have called for in other contexts) will inevitably put users’ privacy and security at risk.
- 1. Based on the “verify_fail” pattern, we also found certificates that purport to be from five pieces of software which, to our knowledge, haven’t yet been identified as using Komodia’s proxy software. The issuer fields for these certificates were: "O=Sweesh LTD, L=Tel Aviv, ST=Tel Aviv, C=IL, CN=Sweesh LT", "O=Kinner lake Gibraltar, L=My Town, ST=State or Providence, C=GI, CN=Kinner lake Gibraltar", "C=US, ST=California, L=SanDiego, O=EdgeWave.com, OU=Security, CN=EdgeWave.com/emailAddressfirstname.lastname@example.org", "O=NordNet/emailAddressemail@example.com, L=HEM, ST=HEM, C=FR, CN=Nordnet.fr", and "O=PSafe Tecnologia S.A./emailAddressfirstname.lastname@example.org, L=Rio de janeiro, ST=Rio de janeiro, C=BR, CN=PSafe Tecnologia S.A.". While we were unable to identify any organizations associated with the first two certificates, EdgeWave, NordNet, and PSafe appear to sell antivirus or web filtering products.
- 2. Just last year, for example, researchers found a number of bugs in certificate validation libraries [PDF] through fuzz testing.
The Internet is celebrating Fair Use Week, and it’s a great time to look at what Congress might do this year to help or hurt the fair use rights of artists, innovators, and citizens. After nearly two years of U.S. House Judiciary Committee hearings and vigorous conversations within government, industry, and the public, it seems like we might see some real proposals. But other than a few insiders, nobody knows for sure whether major changes to copyright law are coming this year, and what they might be.
Fair use is one of copyright’s essential safeguards for free speech, because it allows people to use copyrighted works without permission or payment in many circumstances. It’s critical to education, journalism, scholarship, and many, many uses of digital technology. Because copyright applies to trillions of files and streams, whether trivial or profound, that flow through the Internet every day, and because nearly every transmission or use of digital data involves making a copy, copyright pervades the Internet. Now more than ever, limits like fair use are critical to protect Internet users from runaway copyright liability.
If Congress does take up copyright reform this year, there are changes that would strengthen fair use, and thereby strengthen freedom of speech. One is to fix copyright’s draconian, unpredictable civil penalties. As we explained in our 2014 whitepaper, copyright holders can seek “statutory damages” of up to $150,000 per work without providing any proof of actual harm. The law gives almost no guidance to judges and juries in selecting the right amount. That means that money damages awarded to winning plaintiffs in copyright lawsuits vary wildly, and can be shockingly large. Free Republic, a nonprofit conservative commentary website, was penalized $1 million for posting copies of several Washington Post and Los Angeles Times articles in an effort to illustrate media bias. And a firm sued for making copies of 240 financial news articles for internal use was ordered to pay $19.7 million, or $82,000 per article. It’s hard to see any connection between these massive penalties and any actual harm suffered by the copyright holders. They are far above even the sort of reasonable “punitive damages” multiplier that sometimes gets applied in personal injury cases.
High and unpredictable penalties can make relying on fair use a game of financial Russian roulette for artists and innovators. Although many fair uses are clear and obvious, brave artists and innovators often use copyrighted works in ways that no court has ever considered – and that means a risk of lawsuits. When a loss could mean bankruptcy, many won’t take the risk, even if a court might ultimately confirm their fair use. Copyright’s penalty regime is a major reason why filmmakers must spend months, and thousands of dollars, obtaining licenses for trivial or incidental video and music clips that appear in their films – even when those appearances are likely to be fair use.
Congress could help fix these problems by clarifying that statutory damages should never apply to a copyright user who relies on a fair use defense in good faith, even if the defense is unsuccessful. That would make relying on fair use a predictable, manageable risk that more artists and innovators will be able to take.
Another way that Congress could strengthen fair use is to fix Section 1201, the anti-circumvention provision of the Digital Millennium Copyright Act. Section 1201 prohibits breaking or bypassing DRM and other digital locks that control access to creative works, including the software in many personal devices. This law is a major roadblock for fair use because it can make breaking or bypassing DRM illegal even when we need to break DRM to make fair use of the locked-up material. Essentially, DRM and Section 1201 can take away fair use for artists, innovators, and consumers.
The Copyright Office can grant three-year exemptions to Section 1201. EFF is asking for new exemptions for amateur video, mobile device and car owners, and video game enthusiasts. But exemptions don’t completely fix the harms to fair use. They are difficult to get, are often written narrowly, and they don’t protect people who make tools that enable fair use by others. Any fix for copyright law should include making it legal to bypass digital locks to make fair uses of creative work.
There are also aspects of today’s copyright law that Congress shouldn’t change. One of the most important features of fair use is its adaptability to new technologies and uses that no legislature or expert could foresee. Because this adaptability is so important, Congress should reject calls to replace fair use with specific categories of exceptions to copyright for education, commentary, and the like (a “fair dealing” approach like that used in some other countries). Without a flexible fair use doctrine that lets courts apply copyright’s principles to new situations, artists and innovators would need to ask Congress for permission before they create.
Congress should also reject the disastrous notion of requiring Internet intermediaries like ISPs and websites to filter user-posted content for allegedly infringing material. As we’ve seen over and over again with voluntary filters, filtering software is terrible at recognizing fair uses—and it always will be. Proposals to replace the DMCA’s safe harbors for Internet intermediaries with a regime that requires proactive blocking or filtering based on infringement accusations will inevitably catch many more fair use “dolphins” in the infringement “tuna driftnet.”
Will there be comprehensive copyright reform this year? The answer’s not clear. Major changes take time, and that’s often a good thing. What’s for sure is that any changes must help, and not hurt, fair use.
Washington, D.C. - Electronic Frontier Foundation (EFF) Staff Attorney Vera Ranieri will testify Thursday at a congressional hearing on patent demand letters. Lawmakers will consider what they should do to reform the flawed patent system, which currently allows unscrupulous patent assertion entities, or trolls, to use unfair and deceptive demand letters to extort undeserved settlements from legitimate businesses.
Armed with vague and overbroad patents that never should have issued, patent trolls pressure small businesses to pay unjustifiable licensing fees. Businesses receiving these demand letters often lack the resources to fight back or to coordinate with others faced with similar demands. In her testimony Thursday, Ranieri will urge Congress to enact measures to protect small businesses from abusive and deceptive demand letters, including enacting disclosure requirements that would help both lawmakers and the public to understand the damage patent trolls do to America's economy.
Thursday's testimony is part of EFF's long-running activism against bad patents and abuse of the patent system. Earlier this week, EFF released its “Defend Innovation” whitepaper, explaining two-and-a-half years' worth of research on the challenges facing innovators under the current patent regime, along with concrete suggestions of measures policymakers should take in the coming year.
The patent demand letter hearing is scheduled to be webcast at http://energycommerce.house.gov/hearings.
WHAT: Congressional hearing: "Update: Patent Demand Letter Practices and Solutions," House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing, and Trade
WHO: EFF Staff Attorney Vera Ranieri
WHEN: Thursday, February 26, 10:15 am ET
WHERE: 2322 Rayburn House Office Building
For the Defend Innovation whitepaper:
As the White House doubles down on its attempt to pass legislation to fast track secret trade agreements like the Trans-Pacific Partnership (TPP) agreement, its oft-repeated refrain about these deals' digital copyright enforcement provisions is that these policies would not alter U.S. law. In a 2013 interview, the US Trade Representative said this about the TPP's copyright provisions:
what we have in there are things that are already in U.S. law about making sure, whether it is copyright or other protections, are fully enforced around the world.
But such claims are very misleading. Leaked texts have confirmed again and again that the TPP contains Hollywood's wish list of anti-user policies—the result of years of lobbying and schmoozing with trade delegates. What they want is the most restrictive interpretation of U.S. policy to become the international "norm" by which all other TPP countries will be forced to conform their national laws. This does not mean that the TPP exactly mirrors the language of U.S. copyright rules, namely, the Digital Millennium Copyright Act (DMCA). It's that the policies are abstracted enough so that U.S. law could still be compliant with them, while the other nations could be pressured to enact harsher restrictions.
What the White House never seems to mention is how U.S. lawmakers are in the process of conducting a comprehensive review of its own innovation policies. Congress, led by Rep. Bob Goodlatte, has held hearings on various aspects of U.S. copyright rules for close to two years. This followed a speech by the Register of Copyrights, Maria Pallante, who recommended various reforms to U.S. copyright rules, including shortening the term of copyright by twenty years (unless the copyright is renewed). President Obama, meanwhile, is still proposing provisions in the TPP that would lock us into existing, broken rules.
Let's check out some of the provisions from the latest leaked version of the TPP's Intellectual Property chapter, and identify some of the language that could be expanded to become more restrictive, or simply lock us into rules that are in serious need of reform.
Excessive Copyright Terms
TPP will require all signatory nations to adopt at least the United States' current copyright term, which is the life of the author plus 70 years—the term created by the Sonny Bono Copyright Term Extension Act of 1998. As we mentioned above, U.S. officials are already calling to shorten the automatic term of protection to the length outlined in the Berne Convention, passed in 1886, which set it at a minimum of the life of the author plus 50 years. So the TPP's requirements go beyond the Berne Convention’s requirement. If adopted in the final agreement—which seems very likely—countries will be forced to mirror the United States' excessive lengths that resulted from heavy lobbying from Hollywood (particularly Disney). And Congress could be dissuaded from reducing copyright terms. It is wrong for the White House to push for these terms when we may have the chance to shorten them, especially in light of growing evidence that such long terms harm people's ability to access knowledge and culture.
Criminalizing DRM Circumvention
The TPP almost completely mirrors US law criminalizing acts of getting around DRM (aka technological protection measures, which is what it's called in international legal instruments). As we know from years of experiencing the adverse effects of DRM anti-circumvention rules, our system needs drastic reform here in the United States for a raft of reasons—including allowing users full access to content they have paid for, allowing archival of our digital heritage, and ensuring that users can repair their devices and keep them secure. It would be a huge mistake to lock us into policies that harm free speech, innovation, privacy, and access to knowledge.
Internet Service Providers (ISP) Liability
This portion of the agreement is still controversial (at least it was in May 2014 when the last leaked draft was written) so it's hard to say what the final provisions will look like. U.S. safe harbor rules, which limit the liability that intermediaries like ISPs and websites shoulder for their users, have been crucial to enabling new platforms and services to thrive in the United States. However, the safe harbor rules have not been without problems. Our Takedown Hall of Shame documents just a few examples of Internet services that have been forced to take down, block, or filter important and legal content, because they fear the consequences of not going far enough to respond to infringement accusations. This is another area where we ought to learn from the deficiencies of the U.S. system to inform us and pass better rules, and yet again, the White House is seeking to lock us into a flawed system.
Criminal Penalties for File Sharing
Like U.S. law, the TPP has a dangerously low threshold for criminal copyright infringement where even non-commercial acts can be criminally prosecuted. But the TPP's criminal penalty provisions diverge from U.S. law in several ways. The TPP calls for a vague requirement that prison sentences and monetary fines must be "sufficiently high" to deter people from infringing again. That provision could lead to pressure to increase already high penalties. Also, U.S. law has a more specific definition of property that can be subject to seizure, while the TPP would enable authorities to seize a broader category of "materials and implements" related to the alleged infringing activity.
Fair Use
The TPP does not contain rules like the United States' flexible fair use regime. Although the agreement now suggests a "three-step test" for copyright exceptions and limitations, that test might limit the scope of copyright exceptions. The language in the TPP could even be used to constrain fair use, or discourage new specific exceptions and limitations passed legislatively or through court precedents.
Criminalization of Investigative Journalism and Whistleblowing
The most recent leak of the TPP's Intellectual Property chapter revealed some of the most atrocious, human-rights-violating provisions we had seen yet. If it remains as written, these trade secret rules could be used to enact new laws to crack down on whistleblowers and journalists. In many ways this echoes provisions in the Computer Fraud and Abuse Act (CFAA), which was used to charge Aaron Swartz with heavy-handed criminal penalties for accessing and downloading articles from the research database, JSTOR. EFF is already working to reform the CFAA, and yet the TPP contains trade secret provisions that could be used to expand state efforts to crack down on journalists using the Internet to expose corporate wrongdoing.
All of these examples illustrate that when the White House claims that the TPP's rules would not change US law, they are being disingenuous at best. Even where its provisions do not explicitly require U.S. lawmakers to pass new law, TPP is a scheme to make more restrictive rules the international standard. Lobbyists for entertainment companies use the secretive trade negotiation process to enact their vision of more draconian, anti-innovation copyright law, and then use those trade agreements to move domestic law and policy in the wrong direction. This kind of shady, undemocratic international policy laundering scheme has been going on for over two decades. This is why we need to stop TPP and put an end to this copyright creep.
If you're in the US, take action to stop TPP and other anti-user trade deals from getting fast-tracked through Congress by contacting your lawmaker about trade promotion authority.
Our friends at reddit made a generous promise at the beginning of 2014: "Today we are announcing that we will donate 10% of our advertising revenue receipts in 2014 to non-profits chosen by the reddit community." They are making good on that promise by collecting votes until tomorrow, February 25, at 10am Pacific. The top 10 non-profits selected will receive more than $82,000 each! You can support digital rights in a big way by taking a few moments to vote for EFF. (Of course, you should also vote for other worthy public interest organizations!)
We're grateful to have seen EFF mentioned in several comments about the charity drive. Moreover, we're proud to have worked with the reddit community to take action against major threats to Internet freedom. The reddit community took a leading stand against Internet censorship and in opposition to the NSA's mass surveillance. Whenever we're working on an issue—whether it's DMCA reform, open access, or fighting for digital privacy—talking it over with the reddit community gives us an essential look into what people know and want to know about these crucial concerns.
For nearly 25 years, EFF has fought for digital rights like privacy, free expression, and innovation. Support from our members—and from user-driven communities like reddit—strengthens technology users' rights and funds litigation, activism, and technology development. Please vote for EFF!
- 1. The user account must have been created before February 18, 2015.
Every month, TorrentFreak reports on absolutely ridiculous takedown notices issued by copyright holders to Internet service providers related to allegedly infringing content, using the process created by the Digital Millennium Copyright Act (DMCA). This month, TorrentFreak tore apart a series of takedown notices sent to Google by the German-based Total Wipes Music Group targeting, among other things, an EFF webpage describing how to use PGP for Mac OS X—a webpage within our Surveillance Self-Defense guide.
TorrentFreak aptly dubbed Total Wipes’ latest streak of takedown requests as “the world’s most idiotic copyright complaint.”
Indeed, the notice that cites the EFF webpage as an “allegedly infringing URL” purports to protect an album called “Cigarettes” on Spanish music label Mona Records. But not one of the seven allegedly infringing URLs listed in the notice even refers to the album, let alone in an infringing way. Another notice issued by Total Wipes to Google two days earlier purports to target pirates of the album “In To The Wild – Vol.7” on music label Aborigeno Music. Again, not one of the 95 allegedly infringing URLs had anything to do with music, as TorrentFreak reported. The notice instead listed generic download pages for some of the world’s most popular online services, including Skype, Tor, Dropbox, LibreOffice, Python, and WhatsApp.
Total Wipes, which represents 800 international labels, stated in an email to Ars Technica that the recent notices were the result of a bug in their automated anti-piracy script. According to the email, “several technical servers [sic] problems” during the first week of February caused their automated system to send “hundreds” of DMCA notices “not related at all” to any of their copyrighted content.
But the bug is only part of the problem. Sending automated notices, without human review, is itself an abuse of the DMCA takedown process.
The Problem With Robots
According to the DMCA, a takedown notice must be based on a “good faith belief” that the targeted content’s use of copyrighted material is not authorized by law. The use of robots, without any human review, simply cannot satisfy this standard. Indeed, whether a use of copyrighted material constitutes a fair use protected by federal copyright law is often a question only a human can answer, after taking into account the context and purpose of the speech in question.
Total Wipes’ utterly laughable takedown notices illustrate the serious flaws in using robots to try to detect copyright violations. But even without bugs, robots cannot be relied upon to determine whether any given use of copyrighted material is lawful.
We have in the past criticized Warner Brothers Entertainment for using robots to issue thousands of infringement accusations, without any human review, based primarily on filenames and metadata rather than inspection of the files’ contents. Like Warner Brothers, Total Wipes is using robots to abuse the DMCA takedown process.
According to Google’s Transparency Report, between May 28, 2014 and February 22, 2015, Total Wipes sent Google 41,321 requests to remove webpages from Google’s search results, with a median of 1,214 requests per week. Across those requests, the music group requested that Google remove a total of 196,963 URLs. And according to the Chilling Effects database—which collects and analyzes legal complaints and requests for removal of online materials in an effort to help Internet users know their rights and understand the law—Total Wipes sent Google over 12,000 takedown requests in the last month alone.
Seeing ridiculous takedown requests from Total Wipes is nothing new. Back in August, TorrentFreak reported on a month-long DMCA notice-sending spree in which the music company targeted, among other things, sites that utilized the word “coffee.”
Due to the lack of human review, automated takedown notices often result in censorship of perfectly legal content. Although Google has the wherewithal to analyze takedown notices and reject those that are unwarranted, it doesn’t always do that. And many other sites automatically take down allegedly infringing content upon receipt of a notice, even when the notice is clearly bogus. This is because so long as a service provider complies with the DMCA’s notice and takedown procedure, it is protected from monetary liability based on the infringing activities of third parties. Of course, unwarranted takedown requests would not subject a service provider to monetary liability, but not all service providers undertake even the moderate level of effort that Google does to assess whether content complained of should actually be taken down.
The Need for Transparency
TorrentFreak was only able to discover Total Wipes’ ridiculous DMCA takedown notices thanks to Google’s Transparency Report, which publishes takedown requests—and data regarding takedown requests—made by copyright owners or their representatives to remove web pages from Google’s search results. Google’s Transparency Report enables the public to spot potential abuses of the takedown process. And here, the Transparency Report enabled the discovery of Total Wipes’ bug—a bug that otherwise would likely have resulted in thousands more unwarranted takedown requests.
Enabling the public to spot such potential abuse is crucial for preventing censorship. Indeed, some takedown notices amount to nothing more than blatant attempts to censor legal content. And as evidenced by the robo-takedowns of both Total Wipes and Warner Brothers, the law does not sufficiently deter abuse of the DMCA takedown process. As such, more Internet service providers should follow Google’s lead and provide transparency into the takedown notices they receive.
In comments yesterday during a cybersecurity conference at the New America Foundation, the Director of the NSA, Admiral Mike Rogers, faced vocal criticism from the tech community (including cryptography expert Bruce Schneier and Yahoo CISO Alex Stamos). The criticism focused on the Obama administration's insistence that it should have access to everyone's encrypted communications via a backdoor, sometimes called a "golden key." Security experts caution that such a magic key, usable only by the "good guys," is—like magic—not actually possible.
Nevertheless, the NSA continues to assert that technology companies have a responsibility to create a "framework" to allow them (and their analysts) access to our data and communications, even if we have chosen to encrypt them. Admiral Rogers would of course prefer that we not call the backdoor a "backdoor," because in his words, backdoors are, well, "kind of shady." Like others in the Obama administration, he focuses on changing the terminology, not the substance.
But no matter what you call it, technology experts have told the NSA over and over again that this approach simply will not work. Once you build a backdoor (even if you call it something else) you can't be sure who will walk through it. And there's plenty of evidence that governments, especially the Chinese government, target law enforcement backdoors in technology products in order to gain the same level of access to user data (without legal oversight) that the NSA is so keen to get for itself. The "golden key" that Admiral Rogers and FBI Director Comey are so eager to get their hands on will of course work no matter who's holding it.
Stamos challenged Admiral Rogers directly on this point, asking:
So, if we’re going to build defects/backdoors or golden master keys for the US government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give backdoors to?
Admiral Rogers punted by responding that this should be done within a (presumably-legal) "framework" and while "...I’m the first to acknowledge there are international implications. I think we can work our way through this." If the tech companies give Rogers the backdoor that he's asking for, why should we believe that other countries would follow that legal framework and not simply ignore that framework and attack the law enforcement access point?
Our Ethiopia case is an example of a country deciding not to play by the rules, unleashing the Ethiopian national security apparatus on a dissident living in the United States. Ethiopia did not choose to abide by the legal lawful intercept "framework," but instead chose to spy on an Ethiopian American named Mr. Kidane outside the law. We sued the government of Ethiopia on behalf of Mr. Kidane's after he discovered traces of a sophisticated spyware product called FinSpy on his computer which its maker claims is sold exclusively to governments and law enforcement.
A forensic examination of his computer showed that the Ethiopian government had been recording Mr. Kidane’s Skype calls, as well as monitoring his web and email usage. The monitoring, which occurred without any court order or judicial oversight, violates both the federal Wiretap Act and Maryland state law, and was accomplished entirely outside the existing legal system for cross-border intercept requests, known as the mutual legal assistance treaty (MLAT) framework. Of course, Ethiopia is an American ally in the War on Terror. According to a slide made public in the Snowden revelations, in 2012 the United States gave almost $500,000 to the Ethiopian government to fund their surveillance efforts—enough money to buy plenty of licenses for the FinFisher software used to spy on our client.
If the rule of law is as important as we all apparently agree, this is a great opportunity for the Obama Administration to tell the courts here that intercepts may only be accomplished with actual legal process. Until then, it's hard to take seriously the Administration's magical thinking: that a technological security hole—as Stamos put it, "like drilling a hole in the windshield"—can be protected by a "framework." The only thing we can trust is math, and the strong encryption that implements it.
Copyright policy is not something that should be rushed into without adequate evidence and consultation. Yet since only last December, the Australian government has sent stakeholders scrambling to develop a new code of practice on copyright that could change the lay of the land for the Internet industry for decades to come. The code is designed to force ISPs to adopt new “reasonable measures” to deter copyright infringement—measures that the Australian High Court had earlier decided they were under no obligation to adopt. The results of that process have just been released in the form of a draft industry code, which is open for public comment until March 23, 2015.
We have seen a number of so-called “graduated response” schemes like this in other countries already; in fact, Australian academic Rebecca Giblin wrote a detailed critique of them last year, finding little evidence of such schemes being either successful or effective. Even since that study was released, the problems with graduated response schemes have continued to mount. In Canada, for example, rightsholders have demanded that ISPs send notices to users that are quite simply fraudulent, falsely claiming that Canadian infringers can be made to pay American penalties in an attempt to shake them down for an inflated settlement.
In comparison, the proposed Australian system, despite being conceived in such a rush, does look a little better. It would require an impartial body (a Copyright Information Panel or CIP) to write the notices that users receive, reducing the likelihood that they will spin the kind of fairy tales that claimants have produced in Canada. The CIP will include representatives from rightsholders, ISPs, and consumer groups, and be funded by rightsholders and ISPs jointly.
Further, under the Australian system, the notices must include an acknowledgment that the alleged infringement may not necessarily have been undertaken by the named user. And if the user believes that a mistake was made, they are entitled, after receiving a third notice, to mount a challenge before an independent Adjudication Panel, for a refundable $25 fee, which will effect a stay of any further action by the rightsholder. These safeguards add up to an improvement of the Australian proposal over the Canadian system now in force.
Another improvement of the Australian proposal, when compared with the similar United States Copyright Alert System, is that penalties cannot automatically be handed down by ISPs to users, for allegations of copyright infringement that haven't been proven in court. Instead, after a third notice is sent (and unless the user challenges it), the ISP will cooperate with the rightsholder if it chooses to seek a court order for disclosure of the user's identity as a preparatory step to legal proceedings for copyright infringement. The requirement that a court approve these steps is welcome.
Even so, the foundations of the system that leads to those notices remain deeply defective—by design, they are built on privatized snooping on what Internet users do online. Generally this is done by way of rightsholder informants lurking on file sharing networks posing as users, where they sniff for data that looks like unauthorized file sharing and record the IP addresses of the users involved. Although the Australian code would establish some vetting of the operation of these covert rightsholder systems, there would still be no need to check for possible fair use (or, in Australian law, fair dealing) claims before notices of claimed infringement are sent.
The draft code would also authorize the ISP to tamper with the user's Internet connection, by injecting code into the responses from websites that the user browses to display an intrusive pop-up notice that they have to acknowledge after the third and final notice is sent. This kind of content injection, which is characteristic of a malware attack, has significant security implications that the draft code fails to address.
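To make the security implication concrete, here is an added illustration that is not part of the original post and not code from any ISP or the draft code. It models a plaintext HTTP response, the kind of in-path body rewrite the paragraph describes, and an integrity check of the sort Subresource Integrity gives a browser for scripts. The sample page body, the notice markup, and the idea that the client holds an out-of-band expected digest are all constructed assumptions; in practice it is TLS that prevents an intermediary from rewriting a page unnoticed, and the point of the example is that nothing in plain HTTP framing itself reveals the rewrite, since a middlebox simply re-frames the modified body with a consistent Content-Length.

```python
import base64
import hashlib
import hmac

# Constructed sample page body; stands in for what an origin server sends.
ORIGINAL_BODY = b"<html><body><h1>Example page</h1><p>hello</p></body></html>"

# Constructed notice markup standing in for the pop-up the draft code describes.
NOTICE_MARKUP = b'<div id="isp-notice">Copyright notice: please acknowledge</div>'


def build_http_response(body: bytes) -> bytes:
    """Frame a body as a minimal plaintext HTTP/1.1 response."""
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return headers + body


def simulate_inpath_rewrite(raw: bytes, markup: bytes) -> bytes:
    """Model an in-path rewrite of a plaintext response (hypothetical):
    splice markup before </body> and re-frame so Content-Length still
    matches. Nothing in plain HTTP binds the body to the origin, so the
    framing stays self-consistent after the change."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return build_http_response(body.replace(b"</body>", markup + b"</body>", 1))


def sri_digest(body: bytes) -> str:
    """SRI-style digest ('sha256-<base64>') the origin could publish out of band."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def verify_response(raw: bytes, expected_digest: str) -> dict:
    """Parse a response, recover the body, and report integrity findings."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    declared = int(headers.get("content-length", "-1"))
    return {
        # Length framing is still consistent after a rewrite, so it proves nothing.
        "framing_ok": declared == len(body),
        # Only a digest the client obtained out of band exposes the modification.
        "digest_ok": hmac.compare_digest(sri_digest(body), expected_digest),
        "notice_present": b"isp-notice" in body,
    }


if __name__ == "__main__":
    expected = sri_digest(ORIGINAL_BODY)
    clean = build_http_response(ORIGINAL_BODY)
    tampered = simulate_inpath_rewrite(clean, NOTICE_MARKUP)
    print(verify_response(clean, expected))
    print(verify_response(tampered, expected))
```

Running it shows the rewritten response passing the framing check while failing the digest check, which is the gap the paragraph points at: a user of an unencrypted connection has no way to tell an ISP-inserted notice from one inserted by anyone else in the path.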
Why the rush to institute these measures against Australian Internet users, when revenues of the Australian copyright industry are booming? As we have previously reported, it has something to do with the fact that free trade agreements that Australia has recently concluded, and others that remain underway, such as the Trans-Pacific Partnership (TPP), arguably require that ISPs be incentivized to act against copyright infringers. But why should Australia—or any country—be pushed into making such significant changes to its copyright laws by treaties that trade negotiators hash out behind closed doors?
By a happy coincidence, the public comment period for the graduated response industry code coincides with the tail end of the comment period for a government inquiry into Australia's treaty-making process. That inquiry, which ends this Friday, has already attracted a pile of comments critical of the lack of transparency and accountability in trade negotiation processes, which allows rightsholders to muscle through special interest laws that would never pass muster if debated in an open, democratic forum.
Meanwhile, as Australia fusses around with policing copyright against Internet users in a likely vain attempt to curtail piracy, it is missing the opportunity to make a much longer-term investment in the country's technological future. Back when Australia's Attorney General first began talking about instituting a graduated response regime, he also passed up the chance to embrace the Australian Law Reform Commission's recommendation that fair use be added to copyright law. In Fair Use Week, it bears asking—is the adoption of a copycat graduated response scheme that has failed elsewhere in the world really going to do more for homegrown creativity and innovation than embracing fair use?
For many months, EFF has been working with a broad coalition of advocates to persuade the Federal Communications Commission to adopt new Open Internet rules that would survive legal scrutiny and actually help protect the Open Internet. Our message has been clear from the beginning: the FCC has a role to play, but its role must be firmly bounded.
Two weeks ago, we learned that we had likely managed the first goal—the FCC is going to do the right thing and reclassify broadband as a telecommunications service, giving it the ability to make new, meaningful Open Internet rules. But we are deeply concerned that the FCC’s new rules will include a provision that sounds like a recipe for overreach and confusion: the so-called “general conduct rule.”
According to the FCC's own "Fact Sheet," the proposed rule will allow the FCC to review (and presumably punish) non-neutral practices that may “harm” consumers or edge providers. Late last week, as the window for public comment was closing, EFF filed a letter with the FCC urging it to clarify and sharply limit the scope of any “general conduct” provision:
[T]he Commission should use its Title II authority to engage in light-touch regulation, taking great care to adhere to clear, targeted, and transparent rules. A “general conduct rule,” applied on a case-by-case basis with the only touchstone being whether a given practice “harms” consumers or edge providers, may lead to years of expensive litigation to determine the meaning of “harm” (for those who can afford to engage in it). What is worse, it could be abused by a future Commission to target legitimate practices that offer significant benefits to the public . . .
Accordingly, if the Commission intends to adopt a “general conduct rule” it should spell out, in advance, the contours and limits of that rule, and clarify that the rule shall be applied only in specific circumstances.
Unfortunately, if a recent report from Reuters is correct, the general conduct rule will be anything but clear. The FCC will evaluate “harm” based on consideration of seven factors: impact on competition; impact on innovation; impact on free expression; impact on broadband deployment and investments; whether the actions in question are specific to some applications and not others; whether they comply with industry best standards and practices; and whether they take place without the awareness of the end-user, the Internet subscriber.
There are several problems with this approach. First, it suggests that the FCC believes it has broad authority to pursue any number of practices—hardly the narrow, light-touch approach we need to protect the open Internet. Second, we worry that this rule will be extremely expensive in practice, because anyone wanting to bring a complaint will be hard-pressed to predict whether they will succeed. For example, how will the Commission determine “industry best standards and practices”? As a practical matter, it is likely that only companies that can afford years of litigation to answer these questions will be able to rely on the rule at all. Third, a multi-factor test gives the FCC an awful lot of discretion, potentially giving an unfair advantage to parties with insider influence.
We are days away from a final vote, and it appears that many of the proposed rules will make sense for the Internet. Based on what we know so far, however, the general conduct proposal may not. The FCC should rethink this one.
We didn't know how much copyright maximalists longed for the Trans-Pacific Partnership (TPP) agreement—until we saw this creepy "open love letter" to the TPP from one of the biggest, most powerful copyright lobby groups, the Global Intellectual Property Center. We couldn't have made this up if we tried. Here's one part of it:
You know, dear TPP, that I will drop to one knee and say “I do” for gold—no, diamond—standards for intellectual property. My creative and innovative talents need your protection. Without trade agreements like you, it would be a long, hard journey to jumpstart our economies.
If you didn't know about the harms the TPP would do to our digital rights, this would look like the copyright industry writing an amusing blog post that just turned out strange. But if you think about how this massive secret deal is a long-term scheme to undermine democratic rules and rights we have as users, it comes across as just plain vulgar. This is Hollywood lobbyists playfully celebrating their cozy relationship with secret trade negotiations and the hold they have on our state officials. Think about that.
Ever since we got the first leak of the secret TPP text in 2011, we've known that this massive 12-nation trade deal was being built as a trojan horse for Hollywood's wish list of anti-user policies. Every leaked draft of the TPP's Intellectual Property chapter has only confirmed these fears. The deal has continued to include strict copyright provisions, including those that ban the circumvention of DRM, incentivize Internet services to block and filter content, extend copyright term lengths, and further criminalize file sharing around the world.
The TPP really is Hollywood's ideal partner in its scheme to enact increasing restrictions on the Internet, and copyright industry lobbyists are completely shameless about it. We need to stop this cycle of secretive policy laundering, and prevent our policymakers from passing ever more draconian copyright rules that restrict our freedom.
If you're in the US, take action to stop TPP and other anti-user trade deals from getting fast tracked through Congress by contacting your lawmaker about trade promotion authority.
Laura Poitras won an Academy Award for her documentary CITIZENFOUR. At the ceremony, she gave a brief speech thanking everyone who helped make the film as well as acknowledging the bravery of Edward Snowden and other whistleblowers.
Here is Poitras' acceptance speech:[1]
Thank you so much to the Academy. I'd like to first thank the documentary community. It's an incredible joy to work among people who support each other so deeply, risk so much, and do such incredible work. We don't stand here alone. The work we do to (unveil?) what needs to be seen by the public is possible through the brave organizations that support us. We'd like to thank Radius, Participant, HBO, BritDoc, and the many, many, many organizations who had our back making this film. The disclosures that Edward Snowden reveals don't only expose a threat to our privacy but to our democracy itself. When the most important decisions being made affecting all of us are made in secret, we lose our ability to check the powers that control. Thank you to Edward Snowden for his courage, and for the many other whistleblowers. And I share this with Glenn Greenwald and other journalists who are exposing truth.
More on CITIZENFOUR:
- Laura Poitras' CITIZENFOUR Awarded Oscar for Best Documentary in 2014
- Snowden's Motivation: What the Internet Was Like Before It Was Being Watched, and How We Get There Again
- The 7 Privacy Tools Essential to Making Snowden Documentary CITIZENFOUR
Disclosures: I serve on the board of directors of Freedom of the Press Foundation, a nonprofit working to champion press freedom, along with filmmaker Laura Poitras, her colleague Glenn Greenwald, and whistleblower Edward Snowden.
[1] I transcribed this as best I could, but if I made errors then they are wholly mine.
San Francisco - The U.S. patent system is in crisis, but there are clear steps Congress and the White House can take to mitigate the impact of vague patents, patent trolls, and a weak legal process to protect competition and creativity, the Electronic Frontier Foundation (EFF) explains in a new report released today.
The "Defend Innovation" whitepaper is the culmination of two-and-a-half years worth of research, drawing from the stories, expertise, and ideas of more than 16,500 people who agree that the current patent system is broken. Split into two parts, the report covers both the challenges facing innovators under the current patent regime, as well as concrete measures that policymakers must take in the coming year.
"Fixing the current patent mess will require concerted action, but it can be done," EFF Staff Attorney and the Mark Cuban Chair to Eliminate Stupid Patents Daniel Nazer said. "Now more than ever, there is both the need and the will for real and lasting reform."
In the first part of the report, EFF provides in-depth analysis of how overbroad and vague software patents, combined with an insufficient review process by the U.S. Patent and Trademark Office, have hindered rather than supported innovation. This broken regime has created an environment ripe for abuse by patent trolls, also known as "patent assertion entities," that sue or threaten to sue businesses for patent infringement, even though these entities don't make or sell a product themselves. The explosion in software patents has also led to a patent arms race, in which companies acquire broad patents for defensive purposes.
"The U.S. Patent and Trademark Office is issuing far too many weak and overbroad patents, particularly on software," EFF Staff Attorney Vera Ranieri said. "Instead of promoting innovation, these patents become hidden landmines for companies that bring new products to market."
In the second part of the report, EFF prescribes six legislative reforms that would begin to fix the patent system. These include:
- Ensuring there are inexpensive and efficient tools for challenging the validity of issued patents
- Passing a comprehensive patent reform bill, such as the Innovation Act
- Ending the Federal Circuit's exclusive jurisdiction over patent cases
- Passing legislation to discourage bad actors from sending frivolous demand letters
In addition, EFF is calling on private companies to adopt alternative patent licensing schemes that can help prevent patent abuse.
"All three branches of government, as well as individuals and companies, have a part to play when it comes to patent reform," EFF Activist Adi Kamdar said. "Right now, we need legislation that clamps down on litigation abuse by patent trolls and bad actors, and empowers those on the defensive end of frivolous lawsuits to fight back swiftly and cheaply."
The "Defend Innovation" report is one part in EFF's multifaceted campaign to reform the patent system, which also includes the website TrollingEffects.org, the "Stupid Patent of the Month" blog series, and legal effort to invalidate the so-called "podcasting patent."
For the full report visit: https://www.eff.org/document/defend-innovation-how-fix-our-broken-patent-system
For more information on EFF's Defend Innovation project: https://defendinnovation.org
Contact:
Daniel Nazer, Staff Attorney and the Mark Cuban Chair to Eliminate Stupid Patents, Electronic Frontier Foundation
CITIZENFOUR, Laura Poitras' riveting documentary about Edward Snowden's efforts to shed light on gross surveillance abuses by the United States government and its partners, just won the 2014 Academy Award for Best Documentary Feature. Tonight's Oscar win recognizes not only the incredible cinematography of Poitras, but also her daring work with a high-stakes whistleblower and the journalism that kick-started a worldwide debate about surveillance and government transparency. We suspect this award was also, as the New York Times pointed out, "a way for Academy members to make something of a political statement, without having to put their own reputations on the line."
We're thrilled to see Poitras take home this prestigious award. CITIZENFOUR distilled a multi-year battle against untargeted surveillance and delivered it to the world with a compelling human interest story. The work of Poitras, Snowden, and journalist Glenn Greenwald helped shape the political course of nations across the globe. That's worth at least an Oscar.
This award means that more people will no doubt be watching CITIZENFOUR, and thus learning about both Snowden's sacrifice and the surveillance abuses by the United States government. For those watching the movie for the first time, there's often a sense of urgency to get involved and fight back against mass untargeted surveillance. Here are some suggestions for getting started:
- Tell President Obama to amend Executive Order 12333, which is the primary legal authority the NSA uses to engage in surveillance of people worldwide.
- Start using encryption when communicating digitally.
- Speak out against reauthorization of a much-abused section of the Patriot Act which is set to expire this summer.
And as always, help promote freedom online by becoming a member of EFF.
We extend our congratulations to Laura Poitras and everyone who helped create CITIZENFOUR.
More on CITIZENFOUR:
- Snowden's Motivation: What the Internet Was Like Before It Was Being Watched, and How We Get There Again
- The 7 Privacy Tools Essential to Making Snowden Documentary CITIZENFOUR
Disclosures: I serve on the board of directors of Freedom of the Press Foundation, a nonprofit working to champion press freedom, along with filmmaker Laura Poitras, her colleague Glenn Greenwald, and whistleblower Edward Snowden.