Three years ago now, EFF’s client Kyle Goodwin, a sports videographer, asked the court to allow him to retrieve the files he stored in an account on the cloud storage site Megaupload. When the government seized Megaupload’s assets and servers in January 2012, Mr. Goodwin lost access to video files containing months of his professional work. Today, EFF filed a brief on behalf of Mr. Goodwin asking, once again, for the return of the files.
We originally asked the court for help back in 2012. The U.S. District Court for the Eastern District of Virginia took briefing, and even held a hearing. Unfortunately, since that time not much has happened. The U.S. government has continued pursuing a criminal case and a civil forfeiture case against Megaupload and its owners, but the data stored by millions of Megaupload customers, including material like Mr. Goodwin’s sports videos that had nothing to do with the alleged copyright infringement that Megaupload is accused of, languished in a warehouse on hundreds of servers owned by Carpathia Hosting, Megaupload’s former contractor.
Recently, however, a new company took control of Carpathia. This new company, QTS Realty Trust, took the opportunity to remind the court that it’s still paying to store and preserve the servers that it can’t dispose of. EFF and the firm of Williams Mullen, on behalf of Mr. Goodwin, took this opportunity to remind the court that Mr. Goodwin, and those like him, still need to get their files back.
Kyle Goodwin, and others like him, did nothing but legitimately use a cloud storage service to house legal files. In Kyle’s case, it was business files, but many others lost access to personal and private information as well. We believe the time has come for those folks to get their data back. We hope the court agrees.Related Issues: Fair Use and Intellectual Property: Defending the BalanceRelated Cases: Megaupload Data Seizure
Share this: || Join EFF
Right before Congress left for its annual summer vacation the Obama Administration endorsed the Senate Intelligence Committee's Cybersecurity Information Sharing Act (CISA). EFF opposes the bill because its vague definitions, broad legal immunity, and new spying powers allow for a tremendous amount of unnecessary damage to users' privacy. Just last week the Department of Homeland Security agreed and criticized CISPA for its lack of privacy protections. More importantly, CISA fails to address the causes of the recent highly publicized data breaches.
The Obama administration's endorsement is a complete reversal from its previous stance on privacy-invasive cybersecurity bills. In 2012, the White House published a detailed two-page veto threat against CISA's antecedent, the Cybersecurity Information Sharing and Protection Act (CISPA). In the letter the Administration noted CISPA:
lacks sufficient limitations on the sharing of personally identifiable information between private entities
and that it would
inappropriately shield companies from any suits where a company's actions are based on cyber threat information identified, obtained, or shared under this bill, regardless of whether that action otherwise violated Federal criminal law or results in damage or loss of life.
The same is true of CISA, which is why the Administration should've vetoed the bill. Like CISPA, CISA
- Adds a new authority for companies to monitor information systems to protect an entity's hardware or software.
- Fails to mandate companies and the government remove unrelated personal information before sharing it with government agencies like the NSA.
- Grants broad legal immunity to companies for sharing more private information with the government than they’re currently permitted to do.
Lastly, CISA, like CISPA, doesn't address problems identified by recent data breaches like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.
The administration has invested immense capital into looking strong on cybersecurity since January. And instead of publishing another veto threat, the White House Press Secretary urged the Senate to pass CISA. There was no deep analysis as in 2012. There was no explanation about CISA's own privacy problems. And there was no acknowledgement about the White House's sudden change in position.
Even though the President wants to sign the bill, the Senate must pass CISA first. Privacy advocates have defeated these "cybersecurity bills" five times in the past five years. In July, users and privacy advocates postponed a vote on CISA after sending over 6 million faxes opposing CISA to Senators during a Week of Action. Unfortunately, the vote was only postponed to mid-September when Congress gets back from vacation.
We must continue the pressure on the Senate to stop this bill. Please join us in continuing to tell our Senators to say no to CISA.
Share this: || Join EFF
On July 27, Peru’s executive branch adopted a legislative decree (DL 1182) that allows warrantless access to Peruvians' location data, in cases of flagrante delicto. The decree has been dubbed "Ley Acosadora," or in English, "the Stalker Law," because of the way it creates a new power for the government to track the movements of vulnerable mobile and Internet users. The law requires telephone operators and Internet service providers to retain, for three years, data of millions of Peruvians who communicate via fixed, mobile, and/or computers. The retained data is accessible by law enforcement agencies with a court order at anytime in the future. This decree was adopted without public consultation, one day before Peru’s independence day, and may take effect by September according to statements made by the Peruvian deputy minister of justice.
However, the Peruvian Congressional Committee on Constitution and Regulations is set to review the decree adopted by the Executive branch in the coming weeks. During the review, the committee will decide to repeal, reform or agree to the decree. Regardless of the decision, the committee opinion will pass through Congress in plenary sitting; if there are any changes, they will be voted on and adopted or rejected.
The data retention requirements of this decree alone would drastically change how state surveillance of communications are conducted in Peru. Instead of retaining data from suspected individuals, the law will reverse the presumption of innocence and oblige operators to retain communications data of an entire population, including those who are not suspected of any crime.
Together with our partners, Hiperderecho.org, we’ve launched an online campaign to tell members of the Congressional Committee in Peru to protect our privacy and security in the digital age. Government-mandated data retention impacts millions of ordinary users. It compromises online anonymity, which is crucial for whistle-blowers, investigators, journalists, and those engaging in political speech. National data retention laws are invasive, costly, and damaging to the right to privacy and free expression. (To learn more about the danger of the bill read here, here and here)
Take Action: The Stalker Law Affects Our Privacy and Creates Insecurity
If you are Peruvian, you need to make your voice heard. Using EFF's action center, you can communicate via Twitter with the members of the Constitutional Commission in Peru to suggest the prompt review of DL 1182. Choose a congressman, select a tweet, and post it through your Twitter account using our Action Center. Tell your friends and family, too!
Lawmakers read your tweets, and if more Peruvians express concern about the Stalker Law, we can make a positive change to protect privacy and start a public discussion on how to effectively solve the problems of public safety. Insecurity, one of the arguments used to adopt the bill, will not be efficiently fought by violating the fundamental human rights of millions of innocent Peruvians.
Stalker Law Post on your website or on social networks
We invite you to write about the dangers of this decree. On Twitter using the hashtag #LeyStalker, on other social media, or on your blog. Spread the news by sending links to articles, such as those written by Hiperderecho. We need every Peruvian to know what's going on.
Follow Hiperderecho and EFF for updates
As DL 1182 passes through the Constitutional Committee, take action and inform our allies about the problems with this dangerous legislation. To stay up-to-date on the status of the decree, follow Hiperderecho.org on Twitter, or Facebook. We will also be covering the latest developments on #LeyStalker here at EFF.Related Issues: InternationalMandatory Data RetentionSurveillance and Human Rights
Share this: || Join EFF
A federal judge in Los Angeles has given our clients, Human Rights Watch, the go-ahead to take discovery from the government in our ongoing lawsuit challenging the constitutionality of the DEA’s bulk surveillance program. Friday's decision is rare, and it's a decisive victory—both for HRW and for the general public. EFF is not aware of any other case where discovery has been allowed into a government mass surveillance program. And the order forces the government to answer questions, under oath, about the steps it took to ensure that all illegally collected records have been fully purged from all government systems.
The case stems from the DEA’s disclosure in January of this year that it had secretly collected Americans’ international call records in bulk for over two decades. News reports described the program as massive—sweeping in billions of records of Americans’ calls to more than 100 countries around the globe, including Canada, Mexico, India, and Italy. The DEA relied only on an obscure administrative subpoena statute to obtain the records in bulk. That means, unlike the NSA’s bulk surveillance program, there was no judicial involvement whatsoever. Making matters worse, reports confirm that multiple agencies searched the illegally collected records for all kinds of cases—from terrorism, to drug trafficking, to export violations.
In April, immediately following a lengthy report in USA Today, EFF filed suit on behalf of Human Rights Watch against the DEA, DHS, FBI, and various unnamed agencies. The lawsuit challenges the constitutionality of the program, and seeks to ensure that the program is permanently stopped rather than merely suspended as claimed by DEA. The suit further asks the court to ensure that all illegally collected records are accounted for and destroyed.
The government, instead, asked the judge to dismiss the case. DEA had previously said that it had “suspended” collecting records in bulk in September 2013. Now, it submitted an additional four-paragraph declaration from a DEA agent that said the DEA’s illegally collected records had been “quarantined” and “purged.” That, the government argued, required the court to dismiss the case. The government was trying to sweep two decades worth of unconstitutional activity under the rug with a single, four-paragraph declaration.
We pushed back. We’ve seen enough government double-speak concerning surveillance programs to know that there was more to the story. We argued that the government’s four-paragraph, summary declaration wasn’t enough to establish that all of the billions of records it collected, over a twenty-year span, had been accounted for and purged. Instead, we asked the court to allow HRW to take discovery—basically, a process by which one party to a lawsuit can compel the other side to provide information—from the government about the surveillance program.
Although the court narrowed the scope of the discovery HRW can take, the decision is still a victory. It will provide some much needed insight into the government’s surveillance program and whether or not the government continues to retain and use those illegally collected records. And we'll keep fighting for more information about the program and to ensure that the program is stopped, once and for all.
Share this: || Join EFF
As far as secret, corporate-driven trade agreements go, the Trans-Pacific Partnership (TPP) is a particularly terrible deal for users, not least because it empowers Hollywood and other big publishers at the expense of everyone else. But there seems to be a glimmer of hope that one critical part of it could be improved. Some tech companies and policymakers are lobbying hard to increase the flexibility of the TPP's language on exceptions and limitations to copyright. According to reports, lobbyists representing companies like Google and other members of the Internet Association and lawmakers like Sen. Ron Wyden have been working behind the scenes to pressure the U.S. Trade Representative (USTR) to reopen the text for amendment.
The USTR first introduced copyright exceptions and limitations language in the TPP in 2012. At that time we called out the proposal as being too weak, noting that it could actually restrict rather than encourage the broader adoption of fair use around the world. A few years and more than a dozen negotiation rounds later, we've been proved right. The provisions that U.S. trade officials first lauded as a huge step towards bringing balance to its copyright proposals will in fact do little to promote new safeguards for user rights.
First, according to the most recently leaked text, the provision is merely a suggestion that TPP nations' copyright rules should balance the needs of rightsholders and the public interest. The language says that countries only "shall endeavor" to achieve a balance in their copyright rules. In every other part of the agreement, countries are actually required to adopt certain rules, or at least provide for the passage of stricter copyright rules.
Second, the framework for nations to be able to enact new user rights in copyrighted work—such as for security research, accessibility, or remixing—is very restrictive. It uses a framework called the three-step test [.pdf]. That test is often used in international copyright agreements and has consistently limited the creation of new usage rights of copyrighted works. Through the TPP, the three-step test could undermine efforts to enact fair use in all the other 11 TPP countries.
As of last month, it seemed that all of the TPP countries had agreed to this language. In late July, however, tech companies' renewed pressure seemed to have changed the game. The USTR offered to go back in and revise these provisions ahead of the last negotiation round. According to a spokesperson for the U.S. Chamber of Commerce, in exchange for support for the controversial Fast Track legislation, the USTR promised to make the TPP's exceptions and limitations language more permissive and be a requirement, rather than being purely a suggestion, for all TPP countries.
That's when Hollywood began to throw a fit.
According to Inside U.S. Trade, rightsholder groups like the Motion Picture Association of America (MPAA) are "livid" about the USTR's move to revisit the language on exceptions and limitations. They're pushing back hard, urging members of Congress—including every House member from California—to pressure the USTR not to touch these closed provisions. Why? Probably not because revisiting the language will actually cause any real harm to creators. The more likely explanation is that the copyright maximalists are worried that their tight grip over the USTR is slipping.
The big media lobbyists' theatrics over this minor amendment are embarrassing, but they do raise one important issue: our trade negotiators are a lot less interested in the needs of ordinary users and creators than the needs of powerful companies. Why else was a last-minute intervention by Google sufficient to bring the USTR back to the negotiating table on this topic, where the sustained interventions of EFF and 10 other major public interest groups from around the world were not?
That said, we're glad that the tech companies are doing what they can to improve the text in a way that will help protect and empower users. What they're advocating for is completely reasonable language that would enable people to use and modify copyrighted works and content in ways that don't harm the commercial interests of the copyright holders. Of course tech policy should not be driven by competing powerful corporate interests—but in the absence of legitimate, transparent, public-interest policymaking, the tech industry's challenge to big copyright's control over U.S. trade policy is a welcome change. At the very least, it forces officials to question the prerogatives of entrenched legacy industries.
Hollywood groups, for their part, are behaving like spoiled children: if they don't get exactly what they want, they'll whine to policymakers until they do. Ironically enough their complaints may actually undermine their own long-term interests. After all, creative artists of all kinds depend on fair use to make new works—from blockbuster pictures to music to fiction.
The USTR and Members of Congress ought to wake up to Hollywood's antics. Innovation, creativity, and free speech depend on limitations and exceptions like fair use. Making those exceptions and limitations as strong as possible benefits everyone, including Hollywood.
Share this: || Join EFF
El pasado 27 de Julio, el Poder Ejecutivo del Perú aprobó el Decreto Legislativo 1182 que permite al Estado acceder, en casos de flagrancia, a los datos de tu ubicación sin una orden judicial. Además obliga a las empresas operadoras de telefonía e Internet a retener los datos de millones de peruanos que se comunican a través de teléfonos fijos, móviles y/o computadoras por tres años. Los datos estarían disponibles por el Estado previa orden judicial para un posible uso futuro. La norma fue aprobada sin consulta pública y entraría en vigencia a partir de septiembre según declaraciones del viceministro de Justicia.
Sin embargo, en las próximas semanas, la Comisión de Constitución y Reglamento del Congreso del Perú revisará el documento enviado por el Ejecutivo. En esta etapa, el Congreso puede elegir derogar, reformar o dar su conformidad a la norma. Cualquiera sea la conclusión, este dictamen pasará al pleno del Congreso y de existir algún cambio, estos serán votados y convertidos en un cambio legal directo.
La Comisión debería tener en cuenta la preocupación del pueblo peruano por la seguridad ciudadana y adoptar medidas que busquen solucionar eficazmente este problema social, en vez de adoptar normas que pretenden dar una ilusión de seguridad pero terminan realmente afectando severamente nuestra privacidad.
Para hacerlo sencillo: las disposiciones de conservación de datos de tus comunicaciones, realizan un cambio mayor en el sistema legal de vigilancia de las comunicaciones. En vez de retener los datos de aquellos sospechosos de delito alguno, la norma invierte la presunción de inocencia y obliga a las empresas operadoras a retener masivamente los datos de la población entera, inclusive de aquellos que no son sospechosos de delito alguno.
La “Ley Acosadora” o “Ley Stalker” en idioma inglés, describe a una persona que utiliza la tecnología para espiar los movimientos en línea de otro. Junto con la ONG Hiperderecho, proponemos una acción para que llames la atención de los miembros de la Comisión de Constitución y Reglamento del Congreso peruano para que actúen y reformen la norma:Action Center: La Ley Stalker afecta nuestra privacidad y crea inseguridad
A través de esta herramienta, puedes comunicarte vía Twitter con los miembros de la Comisión de Constitución para sugerirles la pronta revisión del DL 1182. Elige al congresista, selecciona un tuit y publícalo en tu cuenta a través del Action Center. Comparte la herramienta con tus amigos, tu familia, o con quien quieras.
Los congresistas podrán leer tus tuits, y si más ciudadanos expresan su preocupación sobre la Ley Stalker, podremos lograr un cambio positivo que proteja la privacidad mientras facilitamos una discusión pública que busquen resolver efectivamente los problemas de seguridad ciudadana.
Si eres peruano, únete a la campaña para que la Ley Stalker no pase por encima de nadie, porque la inseguridad, uno de los argumentos utilizados para crearla, no se combate eficientemente violando derechos fundamentales de millones de personas inocentes.Publica sobre la Ley Stalker en tu sitio web o en las redes sociales
Te invitamos a escribir sobre los peligros de esta ley. En Twitter con el hashtag #LeyStalker, en Facebook, un post en tu blog, todas las opciones son válidas. Puedes compartir varios enlaces como el artículo de Hiperderecho en el cual se ve el plagio de textos que fueron utilizados para crear el DL 1182, o nuestro post que describe la problemática de la Ley Acosadora.Sigue a Hiperderecho y EFF para más actualizaciones
Conforme el DL 1182 pase a través de la Comisión de Constitución, nuestros aliados del Perú informarán lo que suceda con esta peligrosa normativa. A través del sitio oficial de Hiperderecho.org, Twitter o Facebook. Desde EFF también iremos actualizando con las últimas novedades sobre la #LeyStalker.Related Issues: InternationalMandatory Data RetentionSurveillance and Human Rights
Share this: || Join EFF
We've been thrilled to work with members of EFF's amazing community to find new ways to reach out, collaborate, and celebrate digital rights. Recently, the fine folks at Cards Against Humanity in Chicago showed just how awesome the ORD geeks are by hosting a comedy fundraiser for EFF.
Thanks to the cohosts:
...and the comics:
- Rabbit Rabbit (Chicago Sketchfest)
- The Blue Angels (iO)
- Mike Gifford (Your Stories)
- Cleveland Anderson (Shit Hole)
...and all the fine folks who came out to laugh and share their love of digital civil liberties. It was a great night!Max Temkin introduces Cindy Cohn Cindy Cohn speaks with supporters
Share this: || Join EFF
Australian Court Bans “Surreal” Copyright Demands from Dallas Buyers Club, Case Shows Need For Reform of US Copyright Law
Last week, an Australian court issued an encouraging ruling pushing back against extreme copyright demands. A company called Dallas Buyers Club LLC (DBC) has been chasing thousands of alleged file sharers around the world. In the United States, these cases often lead to Internet users being shaken down for thousands of dollars each. In contrast, the Australian court is insisting that DBC’s money demands bear some sensible relationship to the harm it has suffered. If this becomes standard practice, it may protect Australian Internet users from the kind of abusive copyright trolling that has become too common in the United States.
Mass copyright litigation tends to follow a pattern. First, the copyright owner goes to court seeking the subscriber details for IP addresses that may be associated with file sharing. In some cases, copyright owners have improperly sued thousands of users at once without making any demonstration that the defendants had ties to the court or each other. Once the purported copyright holder gets its hands on IP addresses, it starts contacting subscribers (who, of course, are not necessarily the person who engaged in copyright infringement) to demand a settlement. In many cases, the copyright holder demands thousands of dollars for downloading a single work.
DBC, owned by Voltage Pictures, has been among the most aggressive practitioners of mass copyright litigation. Data from Lex Machina shows it filed over 250 cases in United States courts. Once it gets subscriber details, DBC demands as much as $5,000 per torrented file. Obviously, this amount bears little relationship to the actual harm it has suffered (the movie is available on iTunes for $14.99). But DBC is able to use the expense of litigation, and the threat of statutory damages, to extract settlements hundreds of times higher than the cost of its movie.
Last year, DBC decided to take its litigation campaign on tour. It filed suit in the Federal Court of Australia demanding that local ISPs, like iiNet and Dodo, turn over the subscriber information for nearly 5,000 Internet users. The ISPs fought back, arguing that DBC provided insufficient evidence of infringement. But the Federal Court ruled that DBC should be given subscriber information.
In a silver lining, the court said that it would require any communications with Internet users to be approved by the court before it would allow subscriber information to be handed over. This meant that, unlike in most US cases, DBC could not immediately start contacting subscribers to demand thousands of dollars. The court seemed concerned that DBC had engaged in “speculative invoicing” in the United States and wanted to ensure that it would not make unreasonable demands of Australian Internet users. The court wrote that it was not “going to open the sluice gates until it saw the proposed correspondence and until DBC satisfied the Court that it was that approved correspondence, and not something else, such as a dead cat, that DBC was going to send to account holders.”
Though DBC may not have planned to mail anyone a dead cat, its proposed correspondence was extreme, and seemed to be part of a shakedown. Although the exact text is not available (the proposed letter and telephone script were filed under seal), we know that DBC included a number of unusual and aggressive details. For example, it planned to ask Internet users to tell it how much they earn and how many other films they have torrented. In addition to damages for the copy the user actually downloaded, DBC would demand a separate license fee for every packet shared over BitTorrent. In addition, it would ask for punitive damages founded on the sharing of movies that DBC doesn’t even own. We don’t know the final amount, but the court suggested the settlement demand was “substantial.”
Last Friday, in an entertaining and strongly-worded opinion, the court rejected DBC’s proposals. The court said that DBC’s theory that individual users should pony up cash for every single BitTorrent packet was “surreal.” The court also rejected DBC’s theory that it could collect punitive damages based on alleged infringement of other people’s copyright. Such a claim would be “summarily dismissed” under Australian law.
The court ruled that DBC could only ask for damages for the actual copy uploaded, and for damages relating to costs of acquiring the subscriber’s information. The Court seemed concerned that, given its prior record, DBC might not limit itself to these more modest demands. So, before it would allow subscriber details to be handed over, the court required DBC to post a $600,000 bond. This sends a strong message to DBC: limit yourself to settlement demands permitted by the court or face a penalty for contempt.
Although it does not shut down DBC’s campaign, Justice Perram’s ruling at least prevents it from engaging in the kind of egregious trolling that has become common in the United States. Why do we see this difference? The answer is straightforward: Australia does not have statutory damages for copyright infringement. This allowed the court to tie damages to the actual harm DBC suffered. In contrast, U.S. copyright law provides statutory damages of up to $150,000 per work and does not require any showing of harm. Excessive penalties are baked into the U.S. system which encourages trolling and abuse. Ultimately, we need fundamental reform of statutory damages to bring fairness to the US copyright system.Related Issues: Fair Use and Intellectual Property: Defending the BalanceCopyright TrollsInnovation
Share this: || Join EFF
Back in 2011, This American Life toured an office building in Marshall, Texas, and found eerie hallways of empty offices that serve as the ‘headquarters’ of patent trolls. For many, that was the first introduction to the strange world of the Eastern District of Texas, its outsized role in patent litigation and especially its effective support of the patent troll business model. Trolls love the Eastern District for its plaintiff-friendly rules, so they set up paper corporations in the district as an excuse to file suit there. Meanwhile, defendants find themselves dragged to a distant, inconvenient, and expensive forum that often has little or no connection to the dispute.
The remote district’s role has only increased since 2011 and the latest data reveals that the Eastern District of Texas is headed to a record year. An astonishing 1,387 patent cases were filed there in the first half of 2015. This was 44.4% of all patent cases nationwide. And almost all of this growth is fueled by patent trolls.
Happily, lawmakers have finally moved to restore some balance. The latest version of the Innovation Act in the House includes language that would make it much harder for trolls to file in the Eastern District of Texas. The proposal goes under the decidedly mundane name of “venue reform” but it could actually be crucial to the effort fix our broken patent system.
The Luckiest Court in the Universe
The Eastern District of Texas is a federal court district running along the Texas-Louisiana border. The district covers a largely rural area without much of a technology industry. It is just one of 94 federal district courts. (Some states, like Vermont, have a single federal district, while others, like Texas and California, have as many as four.) If patent cases were distributed evenly among the federal district courts, each one would have received about 33 cases so far this year – a far cry from the 1,387 filings in the Eastern District of Texas.
Accident? We don’t think so. In fact, we ran a calculation to see how likely it is that at least 1387 of 3122 patent cases might end up there by chance. This was the result:
This probability is so vanishingly small that you’d be more likely to win the Powerball jackpot 200 times in a row. Obviously, something other than chance is attracting trolls to this remote district.
Now that folks are taking notice, some Eastern District of Texas jurists are feeling a bit defensive. Former Judge Leonard Davis, for example, recently said: “To say the Eastern District is responsible [for the patent troll problem] is to say that the Southern District of Texas is responsible for immigration problems.” This is nonsense. The Southern District of Texas gets immigration cases because it sits on the U.S.-Mexico border. There is no equivalent reason for the Eastern District of Texas to be a hotbed of patent litigation. To understand why the district sees so much patent trolling, we need to look deeper.
How We Got Here
The Eastern District of Texas was not always so popular. In 1999, only fourteen patent cases were filed there. By 2003, the number of filings had grown to fifty-five. Ten years later, in 2013, it was 1,495.
This massive rise in litigation followed the appointment of Judge T. John Ward in 1999, and his drive to create local patent rules. Judge Ward’s rules, while similar to patent rules in other federal districts, had some additional plaintiff-friendly features such as a compressed discovery schedule and a short timeline to trial. This so-called “rocket docket” attracted patent plaintiffs eager to use the compressed schedule to pressure defendants to settle. For those cases that went to trial, the district got a reputation for huge patent verdicts. As one commentator explained, the Eastern District’s “speed, large damage awards, outstanding win-rates, likelihood of getting to trial, and plaintiff-friendly local rules suddenly made [it] the venue of choice for patent plaintiffs.”
The explosion in patent litigation promptly led to a burst of new economic activity in East Texas. As the BBC wrote, Marshall is a “sleepy town kept busy with patent cases.” The patent litigation boom creates business for hotels, restaurants, trial graphics services, copying, expert witnesses, jury consultants, court-appointed technical advisers, and, of course, lawyers. In other words, patent litigation has become important to the economic health of the communities surrounding the courthouse. But the federal courts don’t exist to generate business for a particular region.
Tipping The Scales on Both Procedure and Substance
So why are these plaintiff-friendly rules so important? First, the rules impose particular burdens on defendants. If a patent case proceeds to discovery—the process whereby parties hand over information potentially relevant to the case—it will usually be more expensive in the Eastern District of Texas. This is because the local discovery order in patent cases requires parties to automatically begin producing documents before the other side even requests them. In patent troll cases, this imposes a much higher burden on defendants. Operating companies might be forced to review and disclose millions of documents while shell-company patent trolls tend to have very few documents. Trolls can exploit this imbalance to pressure defendants to settle.
Second, the rules make it harder to eliminate cases early. The Supreme Court’s decision in Alice v CLS Bank invalidated many of the low-quality software patents favored by patent trolls. But this only helps defendants if they are able to get a ruling to that effect from the judge overseeing their case. Judges Rodney Gilstrap and Robert Schroeder recently indicated that they would require patent defendants to ask permission before they can file a motion to dismiss raising Alice. This means that defendants in the Eastern District of Texas will more often be forced to go through expensive discovery.
When judges in the Eastern District do issue rulings on challenges raising Alice, their decisions are very different from jurists in other parts of the country. Recent data from Docket Navigator analyzed all challenges under 35 USC § 101 so far this year:
- Nationwide: 71% granted or partially granted; 29% denied (76 decisions)
- Northern District of California: 82% granted or partially granted; 18% denied (11 decisions)
- District of Delaware: 90% granted or partially granted; 10% denied (10 decision)
- Eastern District of Texas: 27% granted; 73% denied (11 decisions)
While each challenged patent claim is different, the overall trend suggests judges in the Eastern District of Texas are applying Alice in a way that is far more favorable to patent owners.
The Alice decision, and its companion, Octane Fitness v. Icon Health & Fitness gave judges additional tools for quickly dismissing meritless patent cases and holding unscrupulous plaintiffs to account. This means that patent trolls—particularly those that bring weak cases hoping to use the cost of defense to extort a settlement—now need a favorable forum more than ever. Small wonder we’ve seen a spike in EDTX filings.
We have also written about unfair rules that make it harder for patent defendants to file for summary judgment in the Eastern District of Texas. These rules have a real impact. A recent study found that judges in the Eastern District granted only 18% of motions for summary judgment of invalidity while the national grant rate is 31%. And that statistic, of course, does not include all the summary judgment motions that would have been filed had the defendant been given permission.
Judges in the Eastern District of Texas have also harmed defendants by delaying rulings on motions to transfer (these are motions where the defendant asks for the case to be moved to a more sensible location). Delay prejudices defendants because they are stuck litigating an expensive case in a remote forum while the judge sits on the motion. (The judges’ rules make clear that a pending motion to transfer or a motion to dismiss is not grounds to stay discovery in a case). The Federal Circuit recently issued a stern order (PDF) finding that an Eastern District magistrate judge had “arbitrarily refused to consider the merits” of a transfer motion. When that transfer motion was finally considered, it was granted (PDF), but not until after extensive litigation had already occurred, and requiring the parties to pay for a court-appointed technical advisor (PDF). More generally, studies have also found the Eastern District of Texas is reversed by the Federal Circuit at a higher rate compared to other districts.
Venue Reform Can Fix the Mess
It’s time for Congress to act. Although the Federal Circuit has overruled some of the Eastern District of Texas’ most egregious venue decisions, it has failed to bring basic fairness to where patent cases are litigated. We need new legislation to clarify that patent cases belong in forums with a real connection to the dispute.
Fortunately, Congress is looking at the problem. Representative Darrell Issa recently offered an amendment (PDF) to the Innovation Act that would tighten venue standards in patent cases. On June 11, the House Judiciary Committee approved the amendment. If this bill becomes law, shell company patent trolls will no longer be able to drag out of state operating companies all the way to Eastern Texas.
It’s long past time for Congress to bring fairness to where, and how, patent cases are litigated. Contact your representative and tell them to pass the Innovation Act and to ensure that any final bill includes meaningful venue reform.Related Issues: PatentsPatent TrollsInnovation
Share this: || Join EFF
The following comment was written by Canadian filmmaker, Andrew Hunter, sent to party leaders asking them to come out against the 20-year copyright term extension in the Trans-Pacific Partnership (TPP) and stand for fair and balanced innovation policy. He emailed this comment as part of our TPP's Copyright Trap campaign.
I am writing to express my serious concern that the Trans-Pacific Partnership agreement's intellectual property chapter may extend Canada's current length of copyright.
I'm a filmmaker, cinematographer and camera assistant by trade. Copyright is the foundation of how I earn a living. However I see the policy of copyright maximalism that is espoused by dominant players in both Hollywood and Canada as being detrimental to the health of our industry.
Copyright law should uphold a carefully crafted balance of public and private rights that encourages creation, while providing incentives for innovation and access for education, libraries, and other socially beneficial purposes. Excessive copyright term lengths undermine this objective. The foundations of culture is our ability to share, re-tell and rework stories.
Copyright maximalism is the belief that:
- All of one's work is original.
- Copyright is an innate right similar to human rights, which should be protected and expanded at any opportunity.
This is ironic as we in the film industry utilize references, be they visual, audio or written word, to communicate ideas and intent before we are "on the day" and actually have to execute the plan. Culture is the sum of the modulation of different mediums to convey human expression. Copyright maximalists do not acknowledge this contradiction, as it serves their interests.
In Canada, as in most countries of the world, the term lasts the lifetime of the creator plus 50 years after their death, or 70 years from the date of publication. The TPP however, threatens to override this and extend our terms by at least another 20 years, even for works that have already entered the public domain.
Extending copyright does not help artists, creatives and those people who rely on *creating*, rather than exploiting, copyrightable work for a living. Like fashion, much of the work that puts food on my table in fact encourages sharing and copying, as it is work meant to be disseminated as far and wide as possible.
Those who do stand to gain from an copyright extension are those who profit from the importation of foreign works for distribution in Canada or those who posses the rights to already profitable properties.
Do not for a moment believe that it will help emerging filmmakers like myself, or my colleagues, become successful. There are much greater hurdles to just creating a work for someone like myself to be concerned than whether an extra 20 years after my death my descendants will help them.
Do not trot out the Canadian old boys club of "artists" to promote what benefits the people they sold their rights to.
Our country has long resisted previous efforts by to lengthen its terms beyond what is required by existing international law, namely, the Berne Convention; most recently during the comprehensive consultations that led to the passage of the Copyright Modernization Act in 2012.
That's why I urge you to stand up for Canadians' right to fair and balanced innovation policy, and speak out against this unwarranted copyright term extension in the TPP. It is not in the interests of film technicians, producers or the general public.
Thank you for your attention.
If you are a Canadian, we urge you to email party leaders and call on them to speak out against the copyright term extension in the TPP.
You can also read our previous guest post by Michael Geist, "Is Canada Set to Cave on Copyright Term Extension in the TPP?"
Check out our TPP's Copyright Trap page where we link to more articles about how the threat of copyright term extension under the TPP impacts users around the world.Related Issues: InternationalTrans-Pacific Partnership AgreementTPP's Copyright Trap
Share this: || Join EFF
San Francisco—The Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) lawsuit against the Department of Justice (DOJ) and the FBI to gain access to documents revealing the government’s plans to use Rapid DNA. The FBI said it found no records responsive to EFF’s FOIA requests, even though it’s been working to roll out Rapid DNA and lobbying Congress to approve nationwide use for more than five years.
Rapid DNA analyzers—laser printer-sized, portable machines that allow anyone to process a DNA sample in as little as 50 minutes—are the newest frontier in DNA collection and profiling in law enforcement. With Rapid DNA, the police can collect a a DNA sample from a suspect, extract a profile, and match that profile against a database in less time than it takes to book someone—and it’s all done by non-scientists in the field, well outside an accredited lab.
“EFF has long been concerned about the privacy risks associated with collecting, testing, storing and sharing of genetic data. The use of Rapid DNA stands to vastly increase the collection of DNA, because it makes it much easier for the police to get it from anyone they want, whenever they want. The public has a right to know how this will be carried out and how the FBI will protect peoples’ privacy,” said Jennifer Lynch, EFF senior staff attorney. ‘’Rapid DNA can’t accurately extract a profile from evidence containing commingled body fluids, increasing the risk that people could be mistakenly linked to crimes they didn’t commit.’’
The FBI has been working with manufacturers for years on a program to develop Rapid DNA and incorporate Rapid DNA profiles into a national DNA database used by crime labs and law enforcement agencies across the country. While some local police stations are already using Rapid DNA, the FBI can’t allow Rapid DNA profiles generated outside accredited laboratories into the database or the Combined DNA Index System (CODIS) until lab validation rules are modified and Congress amends DNA laws—something the agency and Rapid DNA technology makers have been lobbying lawmakers for.
Despite briefing Congress and discussing plans at biometric conferences, the FBI hasn’t disclosed full information about its Rapid DNA project. EFF filed FOIA requests with the FBI seeking documents from 2012 to the present about these plans.
“Incredibly, the FBI told us it found no records responsive to our requests. Even though it has been funding and working with manufacturers to develop the technology, and has a whole webpage devoted to the subject, the FBI said it couldn’t local a single document about this major effort to use Rapid DNA,” said Lynch. “The FBI shouldn’t be allowed to hide its plans to develop a technology that could have a huge impact on genetic privacy. We are asking a court to order DOJ to turn over documents we requested so we and the communities where Rapid DNA is being deployed can review the program.”
For this complaint:
For more on DNA collection:
Share this: || Join EFF
We're still sifting through the documents released as part of the recent bombshells in the press discussing AT&T's "extreme willingness to help" the NSA in its mass spying programs. One area where the new documents add detail is the division of labor between AT&T and the NSA—according to the New York Times, at times "telecoms have done the sifting and forwarded messages the government believes it may legally collect." To some, including Lawfare's Timothy Edgar, this new information somewhat contradicts claims that critics have been making for years that the NSA has direct access to all the data transiting the Internet backbone. We disagree that this is what the documents actually show: for instance there's the SSO Unilateral tap shown on page 39 of the slides that has the NSA tapping right into the backbone cables.
Regardless, we do agree with Mr. Edgar that the reason this story is important is because the government continues to try to kill litigation like EFF's Jewel v. NSA on behalf of AT&T's customers by claiming that the involvement of AT&T is a state secret. Edgar notes, "the government bears much blame, as it continues to maintain the pretense such banal facts can or should be kept secret. Perhaps there could be a new marking – “still officially classified but blindingly obvious” – to cover situations like this."
But even if AT&T is doing some of the surveillance itself and handing what if finds over to the government, it doesn't absolve the NSA of legal responsibility for the surveillance acts done by AT&T.
First some law: the Fourth Amendment applies whenever a "private party acts as an ‘instrument or agent’ of the government." This rule is clear. In the Ninth Circuit, where our Jewel v. NSA case against mass spying is pending, it has been held to apply when an employee opens someone's package being shipped in order to obtain a DEA reward (US v. Walther), when a hotel employee conducts a search while the police watch (US v. Reed), and when an airline conducts a search under a program designed by the FAA (United States v. Davis), among others.
The concept behind this rule is straightforward: the government cannot simply outsource its seizures and searches to a private party and thereby avoid protecting our constitutional rights. It seems that the NSA may have been trying to do just that. But it won't work.
Saturday's stories about AT&T's cozy relationship with the NSA confirm that, for purposes of tapping into the Internet backbone, AT&T was acting as the agent of the government. For its part, AT&T denied that it engaged in any surveillance voluntarily, noting: "We do not voluntarily provide information to any investigating authorities other than if a person's life is in danger and time is of the essence." So AT&T is certainly not claiming that it acted on its own agenda. This is consistent with the funding numbers -- $188 million in 2011 and $232 million in 2010 (page 26 of the NYT release).
As the legal cases cited above explain, this means that the Fourth Amendment violations caused by the surveillance rest with the NSA regardless of who actually did the technical work of spying. The slides disclosed by the New York Times make this very clear, showing that the NSA viewed these structures as a coherent whole. For instance, while the Fairview (aka AT&T) Dataflow Diagrams on pages 47-53 of the NYT release indicate that some of the spying was "partner controlled" (marked in orange) and some "NSA controlled" (marked in yellow), both pieces are part of the NSA's overall collection and analysis schemes:
The slides even helpfully explain why in a bullet point on page 5:
We're not sure what the "legal authorities" reference means, but to the extent the NSA thought it could escape responsibility by getting AT&T to do its dirty work, that's a dodge that has been tried before. And it won't work.Related Issues: NSA SpyingRelated Cases: Jewel v. NSA
Share this: || Join EFF
Reports today in the New York Times and ProPublica confirm what EFF’s Jewel v. NSA lawsuit has claimed since 2008—that the NSA and AT&T have collaborated to build a domestic surveillance infrastructure, resulting in unconstitutional seizure and search of of millions, if not hundreds of millions, of Americans' Internet communications.
“These documents not only further confirm our claims in Jewel, but convincingly demolish the government’s core response—that EFF cannot prove that AT&T’s facilities were used in the mass surveillance,'' said EFF Executive Director Cindy Cohn. ''It’s long past time that the NSA and AT&T came clean with the American people. It's also time that the public U.S. courts decide whether these modern general searches are consistent with the Fourth Amendment’s guarantee against unreasonable search and seizure.”
The reports provide detailed accounts of both the breadth of the NSA’s access to AT&T’s networks and the evidence that definitively establishes that AT&T is one of the “corporate partners” referenced in the NSA’s documents.
The documents note AT&T’s “extreme willingness to help” with NSA’s surveillance within the United States, some of which appears to be done in “partnership,” rather than required by law. Here’s how the Times describes the breadth of NSA’s access to AT&T’s networks:
AT&T’s cooperation has involved a broad range of classified activities, according to the documents, which date from 2003 to 2013. AT&T has given the N.S.A. access, through several methods covered under different legal rules, to billions of emails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T.
The link to AT&T isn’t directly obvious from the documents themselves, because the documents rely on NSA’s codename for the AT&T partnership—Fairview. However, ProPublica’s companion report describes in detail the evidence that ties Fairview to AT&T, including an internal NSA’s document describing damage to a transpacific cable owned by AT&T following the massive 2011 earthquake in Japan and the United Nations information.
These reports are just the latest in a long line of evidence demonstrating AT&T’s deep involvement in the NSA’s surveillance programs. Although the cat has been out of the bag for years now, the government still pretends that AT&T’s participation in its programs is a classified “state secret,” and has used that claim to repeatedly attempt to try to convince the courts to dismiss Jewel, EFF’s lead case against the Internet surveillance. Jewel is now on appeal to the Court of Appeals for the Ninth Circuit, and these reports show once again the futility of the government's efforts to delay consideration of the NSA's activities. We look forward to the court ruling soon.
The documents published today also include other revelations about the NSA's activities, and we'll have more in-depth discussion of those on Monday.Related Issues: NSA SpyingTransparencyRelated Cases: Jewel v. NSA
Share this: || Join EFF
In our campaign against the TPP's Copyright Trap, we are fighting back against a proposal to extend the term of copyright in six countries around the Pacific rim from 50 to 70 years after the death of the author. But there is one country that is currently proposing to extend the copyright term to last even a bit longer than that. To be precise, as part of a wholesale review of its Copyright Act, South Africa is proposing that copyright should last... forever. This goes one better than Jack Valenti of the MPAA asked for—he only asked Congress to extend copyright to last forever less one day.
Admittedly, under this proposal the royalties for use of public domain works will not go to the original copyright owner, but to the government. Although unusual, this isn't entirely unheard of. Elsewhere in Africa, there are similar provisions bestowing a copyright-like right in public domain works upon the government—for example Uganda, Egypt and Senegal [PDF] all require payment of a license fee to use public domain material commercially. Even in the United Kingdom, the Hospital for Sick Children, Great Ormond Street, London, has been given a perpetual right to royalties for the performance of Peter Pan.
But South Africa proposes to go even further, not only granting the government copyright over public domain works, but even over orphan works, which are works which remain in copyright but for which the creator of the work or their successor in title cannot be located:
Ownership of any copyright whose owner cannot be located, is unknown, or is deceased shall vest in the state ... the term of such copyright shall be perpetual.
This is absurd. We fully support the development of creative solutions to the orphan works problem, and transferring copyright in such works to the government may be one way to implement such a solution. But even if so, making that copyright perpetual is completely unnecessary, and more than that, abhorrent to the very nature of copyright as a limited monopoly right.Fair Use... If We Agree
As most of the copyright content that we consume has shifted into the digital realm, the piecemeal copyright limitations and exceptions found in many countries cannot keep up. Fair use doesn't have the same problem, because by its nature it can adapt to changes in technology. Thus fair use is slowly but surely making its way around the world, and South Africa is the latest country to consider adopting it into its copyright law.
Although this is good news, the proposed South African fair use right contains so many carve-outs, that it ends up full of holes. The most significant carve-out is educational use of written material published online, apparently because there is an existing (but comparatively complex and costly) procedure allowing educational users to apply for a license for such material from South Africa's Intellectual Property Tribunal. For other educational uses, such as of multimedia material, the draft law requires the user to seek the permission of the copyright owner in order to exercise the "fair use" (of course, fair use with permission is no fair use at all; it's just an ordinary copyright license).
Libraries and archives are given much the same treatment: they are allowed to shift the format of works in their collections, but only if they ask permission first. If they make a reasonable attempt to secure permission but can't obtain it, then they are allowed to go ahead anyway, and it is an offense for the rightsholder to unreasonably refuse permission; but this is a charade that ought to be unnecessary to begin with. There is no circumstance in which a rightsholder ought to be entitled to prevent a library or archive from making a preservation copy of a work in its collection, no matter whether the format is shifted or not. This undermines the benefit of fair use, since mass digitization can involve millions of works and quickly becomes impractical if it requires asking permission of every copyright owner.
Apart from educators, libraries and archives, most other cases of fair use don't appear to require the user to seek rightsholders' permission, but the Act limits most of these cases (including criticism, comment, news reporting, judicial proceedings, professional advice, and teaching) to non-commercial use. Although whether use is commercial is an important factor in weighing up a fair use claim, it should never be determinative. For example, fair use would be next to worthless for journalists and for professional advisers if they could only make use of it in non-commercial activities.Beating the DRM Drum
So far, the proposed amended South African Copyright Act stacks up rather poorly against U.S. copyright law. But there are some gems hidden away in the text that greatly improve on U.S. law. One of the simplest of these is a section that makes it unlawful for copyright owners to steal back rights that the Copyright Act grants to users, for example by small print in a license agreement. Even without such a stipulation it is far from certain that a court would enforce a license condition that prevented you from exercising your fair dealing rights, but this proposal for the South African Copyright Act puts it beyond doubt.
Another respect in which this proposal improves on U.S. law is in the treatment of DRM. The DMCA instituted a regime in which it was usually unlawful to circumvent DRM even in order to exercise your fair use rights (unless an exception had been authorized under the triennial rulemaking process), and even prevented third parties from providing the tools or services that you might need to help you to perform such circumvention.
In contrast the South African Act, as proposed to be amended, explicitly authorizes DRM circumvention for any purpose that is allowed by a copyright exception (though the fair use right isn't explicitly included, which we'd like to see fixed). The offense of supplying tools or services for DRM circumvention is new to the proposed amended Act, and although we oppose its inclusion at all, it is still narrower than the U.S. equivalent, being limited to cases where the supplier knows or has reason to believe that they will be assisting in copyright infringement.
Given these relatively favorable provisions, it is perturbing to find one proposed section that goes in the opposite direction; potentially requiring libraries to add DRM to works that they supply to patrons in digital form, in order that those works "cannot be altered or modified". We have drafted a submission [PDF] to the South African lawmakers drawing their attention to this adverse provision, and to all of the other provisions described above, amongst others.
The public consultation on the South African Copyright Act amendments, which has already attracted intense interest from local stakeholders, remains open until August 27. If you are South African, now is the time to speak up in support of the ambitious and overdue reforms that the review heralds—such as the fair use right and the new orphan works regime—but also to caution the government against the dangerously defective manner in which these reforms are currently implemented in the language of the draft bill.Files: EFF's submission to the South African copyright reviewRelated Issues: Fair Use and Intellectual Property: Defending the BalanceInternational
Share this: || Join EFF
Readers of these pages will be familiar with the debate going on between government officials and technologists around the world about law enforcement’s perceived need to access the content of any and all encrypted communications.1
In this in-depth post, we’ll discuss why—in order to be effective—any legal mandate requiring cryptographic communications systems to be designed to retain the ability to provide law enforcement “exceptional access” to encrypted content would violate the First Amendment.
Last month, the Washington Post’s editorial board doubled down on the side of exceptional access, suggesting that Silicon Valley’s “paragons of innovation” ought to more clearly “acknowledge the legitimate needs” of law enforcement—and presumably give the FBI exactly what it’s asking for. That suggestion came even after the editorial board acknowledged that both industry and academic experts uniformly tell us that giving the government exceptional access to our data would be a dangerous idea from a cryptographic perspective, putting our security at significant risk.
And just this week, in the New York Times, law enforcement officials from New York, London, Paris, and Madrid published a similarly flawed op-ed discussing device encryption, using misleading anecdotes in an attempt to frighten the public into accepting their vision of total surveillance through undermined crypto.
But a mandate that developers weaken encryption systems to suit the whim of law enforcement isn’t just a technically bad idea; any such mandate would necessarily be either ineffective or unconstitutional.
What would an “exceptional access” mandate actually mean?
Although no legislation has yet been proposed, government officials such as FBI director James Comey have repeated their position enough over the last several months to make it clear, if not logically consistent: the FBI says its supports “strong encryption,” but it wants the ability to read any and all encrypted messages if it has the proper legal authority.
If the government really is serious about creating a legislative requirement that law enforcement always be able to access the content of a communication, simply requiring companies like Apple to redesign their systems won’t be enough. Why? Because every terrorist, pedophile, mafioso, and run-of-the-mill crook will be able to simply stop using iMessage or WhatsApp and turn instead to one of the many apps that implement end-to-end cryptography without the FBI’s hypothetical golden key. Or they could simply use strong encryption protocols like OTR2 on top of other messaging services.
Back in the 1990s when Congress passed CALEA, the overwhelming majority of our communications went through centralized service providers—mostly phone companies. CALEA’s mandate that phone companies make it possible for law enforcement to wiretap their customers was in large part effective, because there wasn’t much else people could use to communicate.
But the app economy has changed all that. Today, centralized service providers aren’t the only option for communications applications; instead you often have a range of options for communicating on a given service or platform. Take for example ChatSecure, a mobile app that implements OTR. ChatSecure, like nearly every OTR implementation, doesn’t depend on any specific service provider and indeed is designed to add end-to-end encryption to other providers’ unencrypted chat services. A mandate that the provider of the chat service, e.g., Google Chat, be able to provide plaintext on demand would be rendered meaningless for anyone using ChatSecure. There is no way that such providers can do so, because they don’t have access to the keys.
As Stanford computer scientist, lawyer, and former EFF intern Jonathan Mayer put it:
In order to believe that [exceptional access] will work, we have to believe there is a set of criminals . . . not smart enough to do any of the following:
· Install an alternative storage or messaging app.
· Download an app from a website instead of an official app store.
· Use a web-based app instead of a native mobile app.
It’s difficult to believe that many criminals would fit the profile.
Meanwhile, members of the technical community have been clear that government calls for exceptional access are exceptionally dangerous from a cryptographic perspective. Any system that allows the government access to encrypted communications would entail the need for third parties to hold cryptographic materials or the plaintext of messages. As a recent paper by an all-star cast of computer scientists and security researchers explained, this is highly risky because it increases system complexity and provides juicy targets for attackers.
The technological problems with safely implementing escrowed or split-key crypto should be enough to end this so-called debate now. However, from a legal perspective, an exceptional access mandate is more objectionable for what it would do to the cutting edge of cryptographic development: stop it dead.
What does the First Amendment have to say about a crypto mandate?
In spite of all the fervent op-eds, the government seems reluctant to actually put forward a proposal for an exceptional access mandate. That may well be because this law would act as what’s known as a “prior restraint.” Prior restraints are almost never permissible under the First Amendment, so a crypto mandate would be highly vulnerable to constitutional challenge. EFF has worked to establish and strengthen First Amendment protections for encryption, and we’d welcome the opportunity to take that case. In the rest of this section, we’ll explain why we think we’d win.
What is a prior restraint?
A prior restraint is a government action that prevents people from speaking or publishing before they have a chance to do so. (That’s in contrast to a punishment imposed after someone speaks. Think of a lawsuit for defamation that results in a defendant paying a monetary judgment for something she said about the plaintiff.) Prior restraints have an important place in the history of the First Amendment. In the seventeenth century, operators of printing presses in England were required to obtain licenses from the government in order to publish. As the U.S. Supreme Court explained in 1931 in Near v. Minnesota, the drafters of the Bill of Rights, including notably James Madison, were deeply worried that the new American government might pass similar laws, which the Court called “the essence of censorship.” This is one of the main concerns that led to the First Amendment’s guarantee of freedom of the press, which in the modern era extends beyond the operators of printing presses to all speakers.
Because prior restraints are central to the motivating purpose of the First Amendment, the Supreme Court has been extremely hostile to laws that restrict speech in advance. In fact, no prior restraint considered by the Supreme Court has ever been upheld. Most famously, the Court struck down a lower court’s injunction against the publication of the so-called Pentagon Papers by the New York Times and the Washington Post in 1971 despite the government’s claim that the publication would cause grave harm to national security. Coming out of these cases, prior restraints are said to bear a “heavy presumption” against their constitutionality. Courts often employ a hard-to-meet checklist, under which prior restraints must be (1) necessary to prevent a harm to a governmental interest of the highest order; absent which (2) irreparable harm will definitely occur; (3) no alternative exists; and (4) the prior restraint will actually prevent the harm.
Why is a crypto mandate a prior restraint?
To recap, laws that prevent authors from publishing are almost always unconstitutional. So if we can show that a crypto mandate acts to prevent publication or speech, it’s probably toast. What’s left is the connection between encryption software and free speech. Fortunately, the legal principle that code is speech is near and dear to EFF’s heart. In the 1990’s, we successfully argued Bernstein v. DOJ to the Ninth Circuit Court of Appeals on behalf of cryptographer Daniel J. Bernstein, establishing that laws prohibiting the export of cryptography software without a license were prior restraints, and that software code is expression protected by the First Amendment.3
Because there’s no proposal for a crypto mandate yet on the table, we have to guess at what it might look like. It might be something like CALEA, requiring service providers to architect their systems in such a way as to make exceptional access possible. Some would argue that this might not be a prior restraint, since it only affects what services providers can offer. But this is where the issue of effectiveness becomes paramount. As we described above, it’s naive to think that a mandate aimed only at service providers would prevent criminals from using strong encryption; they’d simply use apps that offer it on top of insecure messaging services, for example.
That’s why in order to be effective, a mandate would have to also sweep in the developers of apps that offer end-to-end encryption, though the government has been reluctant to say that outright. But requiring developers to maintain the capability to provide law enforcement access to all encrypted communications would halt the state of the art of development in end-to-end encryption. For instance, because Moxie Marlinspike and Trevor Perrin’s advanced Axolotl cryptographic ratchet implements forward secrecy and future secrecy, no system implementing that protocol as intended could be permitted.
Put another way, the government would be telling developers they cannot produce software (and publish open source code) that implements features incompatible with exceptional access. To see why that’s a clear prior restraint, imagine the government restricted use of certain emoji. The cactus is cool, but the smiling pile of poop is verboten. Like emoji, code is a form of speech, and publishing code that has certain features would be outlawed.
In light of this simple equation, a law requiring exceptional access would be on very thin ice. The government would have to show that not having the mandate will “result in direct, immediate, and irreparable damage” to national security or safety, in the words of Justice Stewart in the Pentagon Papers case. Many apps offer such features today, so it’s hard to imagine a court seeing this necessity. What’s more, prior restraints must be effective—they must actually work—in order to be constitutional. But given the nature of open source development, even a crypto mandate that applied to apps offering end-to-end encryption would fail to take down every fork of every project, particularly those developed outside the United States.4
Any mandate that would require developers to permit law enforcement “exceptional access” would either be an unconstitutional prior restraint or entirely ineffective.
FBI Director Comey has been crystal clear in one respect: he wants a valid search warrant to result in the return of plaintext, every time, no matter what. He doesn’t particularly care how developers get there; all he knows is he wants the goods. But unlike the last time around when CALEA was passed, secure communications no longer depend on tools developed by service providers. If Apple is forced to backdoor iMessage, everyone interested in privacy and security—including the criminals who most worry Comey—will simply switch to something like OTR, and he will be out of luck. And because banning OTR (or forcing the developers to implement any kind of exceptional access) would amount to a prior restraint, we urge Congress to reject law enforcement’s call for sweeping legislation. But if Congress fails to listen to reason and passes an exceptional access mandate, you can expect to see us challenge it in court.
- 1. This debate often combines and indeed confuses encryption of devices and storage with encryption of communications, which may raise different issues. This post focuses on issues specific to encrypted communications
- 2. OTR, short for “off-the-record,” is a protocol that allows people to have truly end-to-end encrypted communications over otherwise unencrypted channels like Google Chat or Facebook Messenger.
- 3. Although the Ninth Circuit later withdrew its opinion in Bernstein, the lower court’s opinion remains good law, and the Sixth Circuit reached similar conclusions in 2000 in Junger v. Daley.
- 4. A similar analysis would also apply to an argument that a crypto mandate is a so-called content-based restriction on speech that fails strict scrutiny.
Share this: || Join EFF
Update: This hearing has been vacated. In an order issued late Thursday, the judge indicated he would decide the government's motion based on the parties' briefs.
Los Angeles - On Monday, August 17, at 1:30 pm, the Electronic Frontier Foundation (EFF) will urge a federal district court in Los Angeles to allow Human Rights Watch to proceed with its lawsuit against the Drug Enforcement Agency (DEA) for illegally collecting records of its telephone calls to certain foreign countries.
As a nonpartisan organization fighting human rights abuses, Human Rights Watch’s work often requires communicating by telephone with its sources around the world. Those sources, who are often victims or witnesses of human rights abuses, often put themselves at risk simply by speaking to an international human rights organization.
Earlier this year, the organization learned from government statements and news reports that the DEA had collected records of HRW’s international calls for over two decades, along with those of millions of other Americans. The DEA’s bulk collection of call records reached into the billions, covering calls to over a hundred countries—occurring without judicial oversight or approval or the public’s knowledge. News reports suggested the DEA’s bulk collection program even served as the model on which the NSA’s call records program was based.
While the DEA’s program began as an effort in the “war on drugs,” it grew to reach far beyond drug prosecutions. News reports further revealed that Americans’ calling records were searched and shared with other law enforcement agencies, including the FBI and the Department of Homeland Security. In fact, the DEA’s massive telephone records collection was revealed in an export restriction prosecution having nothing to do with drugs.
Human Rights Watch filed suit in April, seeking an injunction against any future operation of the program and the destruction of all illegally collected records. The DEA asked the court to dismiss the case in June, claiming that the program was over, so the court need not review it. In the hearing Monday, EFF Staff Attorney Mark Rumold will argue that the case must continue in order to ensure that all of the call records are fully purged from all of the government’s systems.
HRW v. DEA
Monday, August 17
Edward R. Roybal Federal Building and United States Courthouse
255 East Temple Street
Los Angeles, CA 90012-3332
For more on this case:
Share this: || Join EFF
San Diego’s Facial Recognition Program Shows Why We Need Records on Police Use of Mobile Biometric Technology
The New York Times has a story out on how San Diego police use mobile facial recognition devices in the field, including potentially on non-consenting residents who aren’t suspected of a crime. One account from a retired firefighter is especially alarming:
Stopped by the police after a dispute with a man he said was a prowler, he was ordered to sit on a curb, he said, while officers took his photo with an iPad and ran it through the same facial recognition software. The officers also used a cotton swab to collect a DNA sample from the inside of his cheek…
“I was thinking, ‘Why are you taking pictures of me, doing this to me?’ ” said Mr. Hanson, 58, who has no criminal record. “I felt like my identity was being stolen. I’m a straight-up, no lie, cheat or steal guy, and I get treated like a criminal.”
The story confirms concerns EFF raised two years ago, when we obtained a stack of records from the San Diego Association of Governments (SANDAG) about the regional facial recognition program it manages called “Tactical Identification System” or TACIDS, for short. Under a federally funded pilot program, law enforcement agencies around San Diego County were provided with smartphones that could run photos taken in the field against the sheriff’s mugshot database. Although the draft policy called for police to obtain consent before taking a photo, anecdotal testimony indicated that officers may be using it on certain people simply because their “spidy senses” [sic] were tingling. The latest version of the policy, which was finalized in February 2015 [PDF], does not even mention the issue of consent, saying that police should primarily use it when they believe someone who is lawfully detained is being deceptive or evasive about their identity.
On Twitter, San Diego Police Department immediately challenged many elements reported by the New York Times, which in turn updated the piece with some corrections. However, there is one way to get the facts: SDPD can move quickly to respond to a public records request filed last week for a long list of documents associated with this program.
San Diego’s facial recognition system is one of many programs around the country that we are targeting through a crowd-sourced information-gathering endeavor. As part of EFF’s new Street Level Surveillance project, EFF has teamed up with MuckRock to file public records requests around the country regarding law enforcement use of mobile biometric technology, including face recognition, fingerprint analysis, iris scanning, Rapid DNA, and tattoo identification.
We are in the process of submitting more than 200 requests around the country with agencies nominated by our supporters, including several in San Diego County. We have already received records from two agencies elsewhere in the country:San Jose Police Department
In 2008, the San Jose Police Department signed a $961,000 contract with 3i Infotech to develop a mobile identification technology system that would include fingerprint analysis and mugshot database searches. Two purchase orders show that SJPD paid another company, Mobizent, $195,000 for 22 mobile fingerprinting devices in 2010-2011.Denver Police Department
Denver police provided us with a report [PDF] dated February 2015 that provides an overview of a mobile fingerprinting pilot project. According to the report, the technology worked with 99% accuracy, provided verification in under 30 seconds, and police only required an hour of training to become proficient with the devices. “Officers firmly stated they did not want us to take the readers away from them,” the said report sand and listed several case studies in which police were able to identify gang members, car thieves, and a sex offender.
Denver’s policies, as of 2014, state that if a person has not been arrested or otherwise lawfully detained, police need to obtain consent before using the fingerprint reader. The policies also forbid use in “random or general investigative or intelligence gathering,” or during the issuance of a civil marijuana citation. Police are also not allowed to use the technology on people they believe to be juveniles.
We’re filing new requests every day and expect responsive documents (and request rejections) to steadily stream in over the next few weeks. You can still nominate an agency through our online form, file your own request, or follow requests already being processed through MuckRock’s page.Related Issues: PrivacyTransparencyRelated Cases: FBI's Next Generation Identification Biometrics Database
Share this: || Join EFF
This summer EFF unveiled the sixth limited edition member's t-shirt for the 23rd annual DEF CON, the premier world hacker conference in Las Vegas. This year’s design, like the shirts we produced in 2013 and 2014, includes a puzzle that involves the use of encryption.
The front of this year’s shirt features a long cipher text, displayed in a 1940s typeface:
Here's the string for those following along at home:
In keeping with DEF CON's “film noir” theme for this year, the back of the shirt features an illustration of a fatale-istic detective surrounded by clues. Unpack the clues correctly, and you can decode the cipher text to uncover a secret message!
The detective is seated in front of a device that may be familiar to history buffs. It’s not a typewriter, but rather an Enigma machine, used by the Nazis in WWII to encrypt military communications. The Allies eventually broke the Enigma code with the help of Alan Turing, father of modern computing — a story told recently in the the film The Imitation Game. (Which side is our detective working for? A hint is provided by the inclusion of the Croix de Lorraine on her lapel.)
The original Enigma machine had three rotors with changeable settings, each with three digits. Not coincidentally, a trio of three-digit clues printed in glow-in-the-dark ink becomes apparent when the garment is viewed under a blacklight or in a darkened room:
II - III - IV
The glow also reveals another cipher text, (WUTZABRN), floating in the steam emerging from a coffee cup marked with a key.
Using an online Enigma emulator, a clever detective can use the three Enigma settings to descramble the key, which reveals the following:
The “DES” on the wall was also a clue for the front cipher text, which decrypted (using the key in Electronic Codebook mode) and the “BACKDOOR" key to “Join the resistance. VHTWCMZTYOGZIJRDAUB.” Running this new cipher text back through the Enigma yielded “ENCRYPTALLTHETHINGS” — Encrypt all the things.
Congratulations to our three winners CryptoK, pseudoku, Elegin who successfully solved the puzzle with only minutes left of the conference! Notably, they found that if you swap rotor 2 and 3 in our puzzle you get ISRTPNHW which is an anagram for PWNSHIRT. This seasoned team also solved EFF's 2013 shirt, and won the DEF CON badge challenge for three consecutive years. Nothing brings people together quite like encryption and digital freedom. Join the resistance—encrypt all the things.Related Issues: Coders' Rights Project
Share this: || Join EFF
The United States Court of Appeals for the Ninth Circuit today rejected the government’s latest attempt to delay consideration of whether the NSA’s tapping into the Internet backbone is legal in Jewel v. NSA, clearing the path for the first appellate court decision on whether this formerly secret mass surveillance program violates the Fourth Amendment.
At issue is one of the most controversial NSA programs, involving both seizing of Internet traffic as it passes through key switches online and the full-text content searches of a huge amount of the communications seized. The government admits this includes many communications between Americans inside the U.S. and people abroad, as well as messages that indicate that a crime has been committed (with no limitations on how serious or what type of crime) and all encrypted messages, all of which have full Fourth Amendment protection. More on the arguments here.
The government’s foot-dragging on this case is longstanding, and this marked the third time since February that it has tried to block this appeal, arguing that the Internet backbone surveillance cannot be considered until all of the many other issues in the Jewel case have been finally decided by the district court.
The Ninth Circuit didn’t reject the government’s claim entirely, however. Instead it deferred it to the full panel consideration of the surveillance. It also ordered that the hearing be held as soon as the full briefing is finished in the case, which should be completed in early October.Related Cases: Jewel v. NSA
Share this: || Join EFF
Yesterday, Manhattan District Attorney Cyrus Vance, Jr. and law enforcement officials from Paris, London, and Madrid published an anti-encryption op-ed in the New York Times—an op-ed that amounts to nothing more than a blatant attempt to use fear mongering to further their anti-privacy, anti-security, and anti-constitutional agenda. They want a backdoor. We want security, privacy, and respect for the Fourth Amendment’s guarantee that we be “secure” in our papers. After all, the Founding Fathers were big users of encryption.
The government’s use of horror stories to convince us that we should unlock our doors and give it free reign to pry inside our lives is nothing new. FBI Director James Comey is notorious for his examples of how cell-phone encryption will lead law enforcement to a “very dark place.” Yesterday’s op-ed adopts Comey’s signature tactic, focusing on the fatal shooting of a man in Illinois in June of this year and suggesting—without any evidence—that but for encryption built into both of the victim’s two phones (both found at the crime scene), police would have been able to track down the shooter. Never mind that of the two devices mentioned in the article, one of them (the Samsung Galaxy S6) isn’t actually encrypted by default.
The op-ed goes on to cite numerous other “examples,” again divorced from any actual facts, of cases in which encryption supposedly “block[ed] justice”—including 74 occasions over a nine-month period in which the Manhattan district attorney’s office encountered locked iPhones. Vance has touted this statistic before. But a spokesperson for his office told Wired last month that the office handles approximately 100,000 cases in the course of a year, meaning that officials encountered encryption in less than 0.1% of cases. And Vance has never been able to explain how even one of these 74 encrypted iPhones stood in the way of a successful prosecution.
The op-ed faults Apple and Google for attempting to offer their customers strong, user-friendly encryption. An iPhone with iOS8 automatically encrypts text messages, photos, contacts, call history, and other sensitive data though the use of a passcode. But contrary to the suggestion of the op-ed’s authors, Google has already backed off its promise to offer its users encryption by default, and the data on a stock Samsung S6 is accessible to law enforcement via forensic analysis tools.
But what’s more important than the op-ed’s shortage of facts is how out of touch it is with not only the fundamental importance of encryption and how encryption works, but also the U.S. Constitution.
The op-ed calls for an “appropriate balance between the marginal benefits of full-disk encryption and the need for local law enforcement to solve and prosecute crimes.” This single sentence demonstrates the numerous ways in which the authors are untethered from reality.
First, the benefits of encryption are in no way “marginal”—unless you view ensuring the privacy and security of innocent individuals across the globe as trivial goals. The authors here reveal their failure to appreciate the need for encryption to protect against not only security breaches, but also criminals (the folks they are supposed to be protecting us from) and of course pervasive and unconstitutional government surveillance.
Second, when the authors say they want an “appropriate balance,” what they are really asking for is a backdoor—or golden key—to allow government officials to decrypt any encrypted messages. As The Intercept explained in an article outlining the many things wrong with the op-ed, Vance and his counterparts in Paris, London, and Madrid are “demand[ing]—in the name of the ‘safety of our communities’—a magical, mathematically impossible scenario in which communications are safeguarded from everyone except law enforcement.”
We’ve said it before and we’ll say it again: It is technologically impossible to give the government an encryption backdoor without weakening everyone’s security. Computer scientists and cybersecurity experts agree, and have been telling the government as much for nearly two decades. And earlier this year, one Congressman with a technical background called encryption backdoors “technologically stupid." Everyone who understands how encryption works agrees.
Third, law enforcement isn’t currently and won’t in the future “go dark” as a result of encryption. The government voiced the same concerns over encryption stifling criminal investigations during the Crypto Wars of the 1990s—i.e., Crypto Wars, Part I—which saw efforts by the government to prevent the development and distribution of strong consumer encryption technologies. (Protecting your ability to use strong encryption was one of EFF’s very first victories.) Such concerns have proven to be unfounded in the past. Just a few weeks ago, former NSA director Mike McConnell, former Homeland Security director Michael Chertoff, and former deputy defense secretary William Lynn—in a Washington Post op-ed in support of ubiquitous encryption—remarked that despite losing Part I of the Crypto Wars,
[T]he sky did not fall, and we did not go dark and deaf. Law enforcement and intelligence officials simply had to face a new future. As witnesses to that new future, we can attest that our security agencies were able to protect national security interests to an even greater extent in the ’90s and into the new century.
The same is true today. And as the former national security officials recognize, “the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring.”
At its core, yesterday’s op-ed demonstrates a fundamentally different vision for the future than the one we have here at EFF. Our vision is for a world where the privacy of communications are protected and where we can use the best tools possible to protect it. The vision of Vance, Comey, and others in the anti-encryption camp is for a world where no one is secure and where everyone is vulnerable. Their vision is not consistent with reality. And we hope the public is not swayed by their fear tactics.
Correction: An earlier version of this post stated that Google would have been able to unlock the specific model of Samsung phone at issue in the Illinois example. While it is not the case that Google could have unlocked the phone (regardless of whether or not it was encrypted), the data on the phone at issue, unless its settings were modified, would have been accessible via forensic analysis tools commonly sold to law enforcement.Related Issues: PrivacyLaw Enforcement AccessSecurity
Share this: || Join EFF