Aggregated News

CREDO Confirms It’s at Center of Long-Running Legal Fight Over NSLs

eff.org - Thu, 01/12/2016 - 07:12
Mobile Provider Battled Gag Order That Forced It to Keep Customers in the Dark

San Francisco - CREDO Mobile representatives confirmed today that their company was at the center of the long-running legal battle over the constitutionality of national security letters (NSLs), and published the letters the government sent three years ago.

The Electronic Frontier Foundation (EFF) has represented CREDO in this matter since 2013—and the case, bundled with two other NSL challenges, has reached the United States Court of Appeals for the Ninth Circuit. Until now, CREDO was under a gag order, preventing CREDO officials from identifying the company or discussing their role in the case. In March, a district court found that the FBI had failed to demonstrate the need for this gag, and struck it down pending an appeal by the government. But earlier this month, the government decided to drop its appeal of that order, leaving CREDO free to talk about why the legal challenge is important to the company and its customers.

“A founding principle of CREDO is to fight for progressive causes we believe in, and we believe that NSLs are unconstitutional. These letters, and the gag orders that came with them, infringed our free speech rights, blocking us from talking to our members about them or discussing our experience while lawmakers debated NSL reform,” said Ray Morris, CREDO CEO. “We were proud to fight these NSLs all these years, and now we are proud to publish the letters and take full part in the ensuing debate.”

The NSL statutes have been highly controversial since their use was expanded dramatically by the PATRIOT Act in 2001. Soon after that, internal reviews by the Department of Justice found that they had been widely misused. With an NSL, the FBI—on its own, and without court approval—can issue a secret letter to a communications provider, demanding information about its customers, nearly always accompanied by a gag order. That prevents recipients from notifying users about the NSL or even discussing the letter at all.

While the government has stopped pursuing the NSL gag orders on CREDO in this case, EFF’s two other NSL challenges are still being litigated in the appeals court. EFF’s clients—who still must remain secret—argue that they are being unconstitutionally barred from discussion and debate about government use of NSLs and surveillance reform.

“The FBI issues NSL demands for customer information without a warrant or any court supervision, and slaps on a gag order to make it hard for anyone to complain,” said EFF Staff Attorney Andrew Crocker. “The years-long fight in this case demonstrates the difficulty of challenging these orders, and we’re grateful to CREDO for stepping up for its customers and the public to fight these NSLs.”

CREDO Mobile has been in business for 31 years, originally as Working Assets. CREDO believes in bringing social change through everyday acts of commerce. Since its founding, it’s donated $81 million to progressive causes.

For the NSLs to CREDO:
https://www.eff.org/document/redacted-national-security-letter-1
https://www.eff.org/document/redacted-national-security-letter-2

For more on this case:
https://www.eff.org/cases/re-national-security-letter-2013-13-80089

Contact: Andrew Crocker, Staff Attorney, andrew@eff.org; CREDO Mobile, press@credoaction.com
Categories: Aggregated News

Stupid Patent of the Month: Movies From the Cloud

eff.org - Thu, 01/12/2016 - 06:24

The Onion once ran a piece titled “I invented YouTube back in 2010.” The joke, of course, is that YouTube launched in 2005. This month’s Stupid Patent of the Month is just as ridiculous. US Patent No. 8,856,221, titled “System and method for storing broadcast content in a cloud-based computing environment,” claims a mundane process for delivering media content from remote servers. This might have been a somewhat fresh idea in, say, the mid-1990s, but the application for this patent was filed in 2011.

The patent suggests using “at least one server” that should have “a memory that stores media content and a processor.” The server then communicates with “a consumer device” that can send messages and receive content. Aside from these prosaic details, the patent makes only a half-hearted effort to distinguish its supposed invention from the massive array of cloud-based media services that already existed when it was filed. For example, the description suggests that existing services were inadequate because customers might pay a flat monthly fee yet make few downloads. The patent recommends tailoring customer cost to the content actually downloaded. But even if that was a new idea in 2011 (and it wasn’t), routine pricing practices should not be patentable.

Overall, the ’221 patent contains little more than rote recitations of long-existing technologies (“[a] list of media content may be provided to the consumer and displayed on consumer device display, e. g., via a website displayed in a web browser”) and pricing models (“[t]he cost amount may be based on factors such as playback time”). The patent’s claims, which describe the formal boundaries of the invention, merely list steps for using this conventional technology.

In addition to being obvious, the claims of the ’221 patent are invalid as abstract under the Supreme Court’s decision in Alice v. CLS Bank. Under that case, an idea does not become eligible for a patent simply by being implemented on a conventional computer. In fact, the ’221 patent goes out of its way to emphasize that “any kind of computing system” is suited to perform the claimed functions. In our view, it would not survive a challenge under Alice.

The ’221 patent is owned by Rothschild Broadcast Distribution Systems, LLC (“RBDS”). We were unable to find any sign that RBDS engaged in any business other than patent litigation. It is based in, you guessed it, the Eastern District of Texas. Court records show that RBDS has sued about 25 companies, ranging from startups to The Walt Disney Company.

The inventor of the ’221 patent also won the August 2015 Stupid Patent of the Month for a patent on a drink mixer connected to the Internet. That patent, which had claims so broad it arguably covered the entire Internet of Things, is owned by a company called Rothschild Connected Devices Innovations, LLC (“RCDI”). After one of the defendants went to the expense of challenging the validity of the drink mixer patent, RCDI dismissed the case without collecting a cent. This is classic troll behavior, forcing defendants to choose between paying the high cost of defense or a license fee that the patent owner does not deserve. We believe that RBDS’s litigation similarly has only nuisance value.

We need broad patent reform (including venue reform) to stop this wasteful patent trolling. We also need reform at the Patent Office so that it doesn’t issue terrible patents like this in the first place. Contact your Senators and tell them to pass patent reform.

Tell the Senate to end venue abuse in patent lawsuits.



We Won’t Let You Forget It: Why We Oppose French Attempts to Export the Right To Be Forgotten Worldwide

eff.org - Wed, 30/11/2016 - 09:05

One country’s government shouldn’t determine what Internet users across the globe can see online. But a French regulator is saying that, under Europe’s “Right to be Forgotten,” Google should have to delist search results globally, keeping them from users across the world. That’s a step too far, and would conflict with the rights of users in other nations, including those protected by the laws and Constitution of the United States.

EFF joined Article 19 and other global free speech groups in a brief to the Conseil d'Etat asking it to overturn that ruling by France’s data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL). The brief, filed Nov. 23, 2016, argues that extending European delisting requirements to the global Internet inherently clashes with other countries’ laws and fundamental rights, including the First Amendment in the U.S.

The European Union’s Court of Justice ruled in 2013 that Europeans have the right to demand that certain links be taken out of search engine results. But the French CNIL vastly expanded the effect of these requests when it said in 2015 that Google must remove links from not just search results returned within the EU, but from search results for everyone, anywhere in the world. This interpretation of the Right to be Forgotten runs contrary to policy and practice outside Europe, will harm the global Internet, and inherently undermines global rights, including those protected by the Constitution in the United States. For an in-depth analysis, read our legal background document.

As we wrote in the brief, “delisting (particularly when it is conceived in as extensive a manner as CNIL’s approach) appears incompatible with the [U.S.] First Amendment” which protects “the right to publish information on matters of public interest that [publishers and speakers] acquire legally, even in the face of significant interests relating to the privacy of the interested parties.”

This ruling would trample not only on the free speech rights of Google and others who post search results, but also on Internet users’ right to receive information. U.S. courts have consistently upheld that the First Amendment’s protections for expression, petition, and assembly necessarily also protect the rights of individuals to gather information to fuel those expressions, petitions, and assemblies. As Ninth Circuit Chief Judge Mary Schroeder wrote in a 2002 ruling protecting the right of patients to learn about medical marijuana, “The right to hear and the right to speak are flip sides of the same coin.”

The ruling also contradicts another tenet of laws governing online speech: in the United States, intermediaries like Google are generally not held legally responsible for publishing or hosting information created by others. Section 230 of the Communications Decency Act gives Internet platforms broad protections from liability resulting from publication as long as the platform didn't play a role in creating the content. Lawmakers put that protection in place because, without it, Internet platforms from Yelp to individual bloggers would have to police every search snippet, comment, or other pieces of user-generated content to avoid facing the kind of fines that could put an Internet platform out of business. Intermediary liability protections are a feature of the Internet across the world, and a vital part of protecting the rights of intermediaries and their users online.

Europe’s “Right to be Forgotten” is also at odds with a broader right in other countries to publish information about official government activities, including information about things like arrest records, which have been at the center of high-profile Right to be Forgotten cases in Europe. Most U.S. states have recognized a Fair Report Privilege, which protects those who report accurately about government activity from legal claims, including invasion of privacy. That right is trampled on if companies like Google are forced to universally delist search results about government activities.

These free speech rights apply when people in the U.S. use the Internet; neither the U.S. nor the French government should interfere with them. As our colleagues in our submission explain, France’s unilateral declaration of universal jurisdiction would impact rights in the rest of the world. If the CNIL decision stands when the Conseil d'Etat considers our appeal next spring, it would not just permit France’s rules to trump those of any other nation, it would also open the floodgates for every country to enforce its own limits on free expression and freedom to receive information globally. In that race to the bottom, everyone will lose.



Support the SMDH Act and Give Congress Time to Debate New Government Hacking Powers

eff.org - Wed, 30/11/2016 - 08:15

The clock is ticking. If Congress doesn’t act now, the government will soon be able to use a search warrant to hack an untold number of computers located around the world.

Lawmakers are rightfully pushing to postpone the new hacking powers, arguing that Congress has not had sufficient time to debate these new powers and their privacy and security implications. We’ve supported previous delay efforts, and more than 35,000 of you spoke out against global warrants. Now we’re asking Congress to pass the Stalling Mass Damaging Hacking Act (the SMDH Act), which gives Congress until April 1 to consider these new hacking powers.

Earlier this year, the Justice Department proposed a change to the rules governing search warrants—Rule 41 of the Federal Rules of Criminal Procedure—that would let law enforcement obtain warrants to search computers regardless of where they’re located in cases where the computers are part of a bot-net or investigators can’t pinpoint the location of the computer.

That rule change is set to go into effect on December 1 despite the fact that Congress has not yet weighed in or even held a single hearing. The fight will continue after December 1, since Congress has the ability to roll back the rule change once it goes into effect. It's crucial that Congress pass the SMDH Act as soon as possible, delay the rule change, and take the time to hold hearings about a change that would significantly open up the government's hacking authority.

Despite lawmakers’ questions—and some less than helpful answers from the Justice Department—we still don’t know enough about how the government plans to use these new hacking powers, whether there are any privacy or security protections in place, and how government hacking can open up Internet users’ devices and networks to attacks from non-government hackers.

These are crucial questions about the basic privacy and security concerns of Americans and the members of Congress who represent them. Congress needs more time to consider these questions and get more information in hearings before the new hacking powers go into effect. Call your senator today and tell them to support the Stalling Mass Damaging Hacking Act to give Congress that time.



Law Enforcement’s Secret “Super Search Engine” Amasses Trillions of Phone Records for Decades

eff.org - Wed, 30/11/2016 - 05:12
EFF Fights For More Disclosure About Hemisphere Program

Although the government still hides too much information about a secret telephone records surveillance program known as Hemisphere, we have learned through EFF’s Freedom of Information Act (FOIA) lawsuits that police tout the massive database of private calls as “Google on Steroids” [pdf].

Hemisphere, which AT&T operates on behalf of federal, state, and local law enforcement, contains trillions of domestic and international phone call records dating back to 1987. AT&T adds roughly four billion phone records to Hemisphere each day [.pptx], including calls from non-AT&T customers that pass through the company’s switches.

The Drug Enforcement Agency (DEA) and other federal, state and local police use Hemisphere to not only track when and who someone is calling, but to perform complicated traffic analysis that can dynamically map people’s social networks and physical locations. This even includes knowing when someone changes their phone number.

And federal officials often do it without first getting permission from a judge.

Indeed, Hemisphere was designed to be extremely secret, with police instructed to do everything possible to make sure the program never appeared in the public record. After using Hemisphere to obtain private information about someone, police usually cover up their use of Hemisphere by later obtaining targeted data about suspects from phone providers through traditional subpoenas, a process the police call “parallel construction” and that EFF calls “evidence laundering.”

Government Treats Same Information Differently in FOIA Cases

Government secrecy about Hemisphere has extended to refusing to disclose basic records about the program, and EFF has had to sue federal and California law enforcement to win access to this critical information. EFF filed another round of briefing in federal court in November calling on the government to provide records as soon as possible, given that we made our FOIA request almost two years ago. The delayed resolution in federal court has stalled a related lawsuit EFF brought against California law enforcement agencies for access to their records about Hemisphere.

We aren’t the only ones suing: the Electronic Privacy Information Center filed similar litigation, which has allowed us to learn even more about Hemisphere, including how the federal government has used inconsistent arguments to avoid public scrutiny of the program.

In EFF’s case earlier this month, the government filed a list of Hemisphere records that the government is withholding from both EFF and EPIC. This list shows the government treated the two requesters differently.  Specifically, the chart shows that out of the 161 pages common to both lawsuits, the government claimed more than twice as many legal reasons to withhold the majority of pages from EFF. The government withheld 151 pages from EFF (but not EPIC) on the grounds that disclosure could interfere with an ongoing law enforcement investigation. And it withheld 107 pages from EFF (but not EPIC) because disclosure would supposedly out confidential informants.

The government has yet to explain why it treated the exact same information so differently in EFF’s and EPIC’s respective FOIA requests. Absent any explanation, the disparate treatment appears highly arbitrary. Moreover, it highlights the large power imbalance between the government and FOIA requesters seeking records.

Agencies know exactly what the documents contain and are in the best position to use or abuse FOIA’s exemptions to withhold them. This asymmetry is often to the government’s advantage. The government’s inconsistent treatment of EFF’s and EPIC’s FOIA requests shows why FOIA should better limit officials’ discretion to treat requesters so differently, and better ensure judicial oversight over the entire FOIA process.

Disclosed Docs Show Police View Hemisphere as a “Super Search Engine”

Before the Hemisphere Program came to light in 2013, when a presentation was inadvertently released to a privacy activist, the public knew nothing about the massive phone records dragnet.

Through the program, AT&T assists federal and local law enforcement—often by stationing company staff in police “Fusion Centers”—in accessing and analyzing AT&T’s massive database of call detail records (CDRs). This information includes phone numbers dialed and calls received, as well as the time, date, and length of the call, and sometimes location information.  This information isn’t limited to AT&T customers either.

From the records that have been disclosed in EFF’s lawsuits, we’ve learned that police view the astonishing size and scope of the database as an asset, referring to it as the “Super Search Engine” and “Google on Steroids.” Such descriptions confirm EFF’s worst fears that Hemisphere is a mass surveillance program that threatens core civil liberties.

The program poses severe Fourth Amendment concerns because police are obtaining detailed private information from the call records and learning even more about people’s social connections and physical movements based on pattern analysis. Federal officials do all of this without a warrant or any judicial oversight.

But beyond the Fourth Amendment problems, Hemisphere also poses acute risks to the First Amendment rights of callers caught in the program’s dragnet. Specifically, Hemisphere allows police to see a person’s associations, shedding light on their personal connections and political and social networks. It’s not hard to see such a tool being trained on activists and others critical of law enforcement, or being used by the government to identify entire organizations. We know that law enforcement officials have subjected Black Lives Matter activists to automated social media monitoring, and subjected attendees at gun shows to surveillance by automated license plate readers. Government officials can easily use Hemisphere in similar ways.

The Hemisphere program could not operate without AT&T’s full cooperation. It’s time for AT&T to reconsider its responsibility not only to its customers, but to all Americans who pick up the phone.

Related Cases: Hemisphere: Law Enforcement's Secret Call Records Deal With AT&T

A Chance to Invest Millions in the News and Information People Need

freepress.net - Tue, 29/11/2016 - 03:40
Mike Rispoli, Craig Aaron - November 28, 2016

There’s a once-in-a-lifetime opportunity right now to reinvent how our communities and newsrooms interact with each other.

E-Voting Machines Need Paper Audits to be Trustworthy

eff.org - Thu, 24/11/2016 - 08:26

Election security experts concerned about voting machines are calling for an audit of ballots in the three states where the presidential election was very close: Michigan, Wisconsin and Pennsylvania. We agree. This is an important election safety measure and should happen in all elections, not just those that have a razor-thin margin.

Voting machines, especially those that have digital components, are intrinsically susceptible to being hacked. The main protection against hacking is for voting machines to provide an auditable paper trail.

However, if that paper trail is never audited, it's useless.

EFF worked hard, alongside many others, to ensure that paper trails were available in many places across the nation. While there are still places without them, we have made great strides. Yet this election was a forceful reminder of how vulnerable all computer systems are. 

We not only need elections to be auditable, we need them to be audited.

We should use this opportunity to set a precedent of auditing electronic voting results to strengthen confidence—not only in this election, but in future ones.

There is precedent for hackers attempting to influence elections by tampering with voting infrastructure: Ukraine's 2014 election came under attack from pro-Russian hackers, and this spring Bloomberg reported on how a team of hackers targeted elections throughout Latin America. There was also plenty of hacking related to the 2016 US election, with two separate major dumps of political emails and several reports of attempted attacks on election systems. These attacks tell us that hacking groups, some of whom may be nation states, were particularly interested in affecting this election's outcome.

Of course, there is good reason to believe US voting machines are vulnerable; for years, EFF along with hundreds of security experts nationwide and even worldwide sounded the alarm about the risk posed by insecure voting machines. EFF handled many cases arising from problems with the machines.  In 2004, California decertified many voting machines due to serious security flaws.

Most e-voting machines are not connected to the Internet, but disconnection isn't a sufficient defense against hacking. Malware can be engineered to cross a so-called air gap by riding on removable storage media like thumb drives and SD cards. The Stuxnet worm is a remarkable example of this in action. It was designed to infect internet-connected workstations and then copy itself over whenever a thumb drive was plugged into those workstations. Once an infected thumb drive was plugged into an air-gapped system, the worm would install itself and begin its work. The voting machines used in America are updated using removable storage that is at some point plugged into a regular computer in a government office. Hackers need only compromise that computer, and they can use that toehold to copy a Stuxnet-like worm onto all removable storage that comes into contact with it and matches a certain profile. Once plugged into a voting machine, that worm could alter the machine's software to subtly change the vote. A particularly well-written worm would automatically reverse those changes after the election to cover its tracks.

There's a defense against the possibility of hacked voting machines: good, old-fashioned paper. Thanks to tireless advocacy by EFF and other voting security experts, many e-voting machines record a paper copy of all votes. But, like a seat belt, these paper records only work if you use them. Currently, U.S. states need far more buckling up.

That could change. Candidates can petition for a recount. The deadlines for such a petition are coming up fast: Friday in Wisconsin, Monday in Pennsylvania, and Wednesday in Michigan. It's especially worth auditing the vote in these states, because they had some of the closest margins in the presidential election and therefore are the most interesting targets for hackers looking to swing the election.

Counting the paper ballots isn't just good for increasing voter confidence in this year's election, it's good electoral hygiene and a basic safety measure. We hope that audits this year can serve as a guiding example for states to improve their election systems for future years: by replacing paperless voting machines with optical scan systems and adopting inexpensive risk-limiting audits as a routine matter.

With concerns about election hacking higher than ever, this is a turning point in securing our election systems. We ask the Clinton campaign: call for recounts in Wisconsin, Pennsylvania, and Michigan. Even if you think an election-changing result is unlikely, it is a vital step on the road to securing our democracy.

Related Cases: White v. Blackwell: Creating True Verifiability in a Battleground State; Sarasota County Re-vote Filing; National Federation of the Blind v. Volusia County; Diebold v. North Carolina Board of Elections

Who Has Your Back in Colombia? A New Report Shows Telecom Privacy Slowly Improving

eff.org - Wed, 23/11/2016 - 23:41

Fundación Karisma—the leading Colombian digital rights organization—has published the 2016 ¿Dónde están mis datos? report, which evaluates how well Colombian telecommunications companies protect their customers’ privacy.

Karisma’s second annual report examines publicly-available policies on government surveillance transparency, data protection, privacy, and free expression from five of the biggest telecommunications companies: Claro, Tigo-UNE, Telefónica-Movistar, ETB (Empresa de Telecomunicaciones de Bogotá), and DirecTV.

The report shows that Colombian telecommunication companies have not yet stepped up to meet tech industry best practices related to privacy and transparency reporting. Nonetheless, two key members of Colombia’s telecommunications industry—ETB and Telefónica-Movistar—have improved their practices, with ETB leading the way.

ETB not only attained the best result of the companies evaluated, but also made the biggest improvements in practices compared to 2015. We applaud ETB’s commitments and urge the company to adopt all the recommended standards next year. However, all the companies still have a long way to go, and the other companies risk being left behind.

Telefónica-Movistar has also made positive changes, and Telefónica-Movistar and DirecTV are now tied for second place in this year’s report. Two major telecom companies—Claro and UNE—received especially poor results, lagging behind the industry in protection of their customers.

The Context

Nations emerging from long-term conflicts have an important opportunity to examine their commitments to human rights. As Colombia grapples with its path toward ending a decades-long civil war and insurgency, it faces questions on many levels about its future and the institutional and social tolls the conflicts have taken. At the same time, Edward Snowden’s disclosures have illustrated the ways that technology companies can be on the front lines when it comes to defending users’ data and privacy: sometimes protecting these rights, sometimes utterly failing to do so.

While Colombia’s digital world continues to advance with 21st century technologies, the country’s privacy law has not kept pace. Colombia’s intelligence and criminal laws do not compel the state to report on the number of surveillance requests it makes each year. Companies are not legally obligated to notify their users of decisions authorizing communications surveillance. Colombia does have data protection laws that compel companies to publish their privacy policies, but these privacy policies are often vague and opaque.

That’s why, in response to Colombia’s loose electronic privacy laws and lack of accountability measures, Fundación Karisma and EFF have turned to Colombian telecommunication companies to encourage them to voluntarily enact the strongest possible policies to protect their users’ rights.

Karisma’s report ranked the companies’ policies and practices against a set of criteria, and awarded batteries to companies for each category they successfully fulfilled. A full battery indicates that the telecommunications company met the criterion, while a half battery indicates that only a portion of the criterion was met. In some cases, a quarter battery was awarded to companies that are working towards better policies, but aren’t quite there yet. Empty batteries indicate that there was no information available to determine whether the company had fulfilled the criterion, or the information that was available was not sufficient.

1. On Transparency

Karisma asked the companies to provide regular transparency reports that include at least aggregate information on the specific number of requests approved and rejected, a summary of the requests by service provider and by investigation authority, type, and purpose, and the specific number of individuals affected by each.

None of the companies fully met this standard. Most of the industry, Karisma noted, associates transparency primarily with economic and financial reporting for anti-corruption purposes. “It is only in this context that companies published transparency reports,” Karisma said.

As a result, the general public has little insight into how often the government is pressuring telecommunication companies for access to user data. This is a serious concern: one way to allow surveillance without due process to grow worse is to allow it to happen entirely in secret. Publicizing reports of law enforcement access requests can help illuminate patterns of overzealous policing, shine a light on efforts by companies to resist overbroad requests, and perhaps give pause to law enforcement officials who might otherwise seek to grab more user data than they need for an investigation. We hope that next year’s ¿Dónde están mis datos? will show a trend in the Colombian telecom industry toward publishing surveillance transparency reports.

Despite that, ETB obtained a quarter of a credit for publishing centralized information about the process for wiretapping, for blocking of content, and its law enforcement guidelines for data requests. This is a positive first step. We hope that next year ETB will also reveal how many requests it received from authorities.

DirecTV, a subsidiary of the US company AT&T, should follow the example of its parent company, which published both law enforcement guidelines and transparency reports at home in the United States.

2. On Data Protection

Karisma awarded a battery to companies for publishing their privacy policy in a clear and accessible way.

As in 2015, DirecTV was the only company given a full battery for its privacy policy. Unfortunately, ¿Dónde están mis datos? showed that DirecTV’s practice is the exception to the rule—most ISPs’ privacy policies are difficult for users to find and vague on specifics. In particular, Karisma’s report showed that Claro’s privacy policy is not only hard to find but difficult to search; it lacks accessibility features to let customers find or search for specific information quickly.

3. On User Notification

Karisma asked companies to adopt the technology industry best practice of notifying their customers about any government request for information (when allowed by law). However, Karisma found that the Colombian telecommunication companies haven’t caught up with the rest of the industry. All ISPs should recognize the central role they play in defending the privacy of those who contract for their services, and prioritize protecting users.

While DirecTV does not specifically discuss its legal obligation to provide personal data in response to a government data request, nor give details of the procedure used when this happens, its privacy policy made clear that it will notify those who contract its services if DirecTV hands over its customers’ data. At the other end of the spectrum, UNE’s policy is totally silent about this standard.

4. Privacy - On government data retention practices

Karisma evaluated two important disclosures to users: whether the company disclosed that the company is compelled by law to retain its customers’ data, and that it is obliged to comply with a prosecutor’s legitimate requests to access content, subscriber and metadata in the context of a criminal investigation.

Telefónica-Movistar is the only company which discloses data retention policies to its customers. However, its privacy policy itself is not especially privacy-protective. Fundación Karisma noted that Telefónica-Movistar Colombia databases have an “indefinite validity,” an admission of poor data collection practices. Karisma then contrasted those policies with those of Telefónica’s parent company, finding that Telefónica headquarters has better privacy policies than its Colombian subsidiary. The parent firm specified that it retained the data only for the required time established by law or to achieve a legitimate business aim, and that it is willing to respond to data protection requests that oppose the processing of personal data that is not necessary for the purpose of the service.

ETB is the only company that discloses its obligation to comply with a prosecutor’s legitimate requests. ETB disclosed this on its new central Transparency and Access to Information page, which discusses the procedures for legal interception and government data requests in Colombia. By contrast, Telefónica-Movistar and Tigo-UNE do not mention at all who can request information and what information can be requested according to law. For their part, Claro and DirecTV indicate quite broadly that they can share information with public or administrative authorities in the exercise of their legal functions or by court order. This is concerning, since the legal norms in Colombia are much more specific about who can ask for information and what information can be requested.

5. Freedom of Expression - On transparency regarding ISPs’ blocking or removing content

In this category, Karisma evaluated the industry’s transparency regarding their processes for filtering, taking down, or blocking content, and canceling and suspending internet service.

Karisma saw improvement from Telefónica-Movistar and ETB compared to their practices in 2015. Those companies now have codes of conduct that provide certain guidelines regarding the behaviors that are allowed by the ISPs, so that users can understand how to avoid sanctions. Karisma’s evaluation only assesses whether these practices are adequately codified and publicly disclosed; here, it does not examine if those practices are good or bad.

We recognize that shifts in industry can take time. It took several years before EFF saw widespread changes in tech giants’ policies in response to EFF’s annual Who Has Your Back report. We hope that next year’s edition of Karisma’s ¿Dónde están mis datos? report will find more of these companies adopting these best practices and standing by their users.



Who Has Your Back? New Report Shows Slow Improvement in Telecom Privacy

eff.org - Wed, 23/11/2016 - 20:08

Fundación Karisma, the leading Colombian digital rights organization, published in 2016 the report ¿Dónde están mis datos?, which evaluates how well Colombian telecommunications companies protect their customers’ privacy.

This second annual Karisma report examines the public policies on transparency, data protection, privacy, and free expression of five of Colombia’s main telecommunications companies: Claro, Tigo-UNE, Telefónica-Movistar, ETB (Empresa de Telecomunicaciones de Bogotá), and DirecTV.

The report shows that Colombian telecommunications companies still fall short of the technology industry’s best practices for privacy disclosure and transparency. Nevertheless, two key members of Colombia’s telecommunications industry, ETB and Telefónica-Movistar, have improved their practices, with ETB in the lead.

ETB not only obtained the best result among the companies evaluated, it also made the most significant improvements to its practices compared with 2015. We applaud ETB’s commitments and urge the company to adopt all of the recommended standards next year. However, all of the companies still have a long way to go, and the other companies risk falling behind.

Telefónica-Movistar has also made positive changes, and is now tied with DirecTV for second place in this year’s report. Two other large telecommunications companies, Claro and UNE, had especially poor results, lagging behind their competitors in protecting their consumers.

The Context

Nations that have been through long conflicts have an important opportunity to examine their commitments to human rights. As Colombia makes its way toward the end of a decades-long process of civil war and insurgency, it faces many questions about its future and the institutional and social tolls the conflicts have taken. At the same time, Edward Snowden’s revelations have illustrated the ways in which technology companies can be on the front line when it comes to defending users’ data and privacy: sometimes they protect these rights, sometimes they do not.

That is why, in response to Colombia’s vague electronic privacy legislation and the absence of accountability measures, Fundación Karisma and EFF have turned to Colombian telecommunications companies to encourage them to voluntarily adopt the strongest possible policies to protect their users’ rights.

Karisma’s report rated the companies’ policies and practices against a set of criteria and awarded batteries to companies for each category they successfully met. A full battery is a sign that the telecommunications company met the criterion, while a half battery indicates that it met it partially. In some cases, a quarter battery was given to companies that are working to improve their policies but have not yet succeeded. Empty batteries indicate that no information was available to determine whether the company had met the criterion, or that the available information was not sufficient.

1. On Transparency

Karisma asked the companies to issue regular transparency reports that include at least detailed information on the specific number of requests approved and rejected, a summary of the requests by service provider, by investigating authority, and by type and purpose of the investigation, and the specific number of people affected by each of these requests.

None of the companies fully met this standard. Most of the industry, Karisma noted, associates transparency primarily with economic and financial information for anti-corruption purposes. “Only in this context did companies publish transparency reports,” Karisma said.

As a result, the general public has little idea of how often the government pressures telecommunications companies for access to user data. This is a serious concern: one way to allow surveillance without due process to grow worse is to allow it to happen in complete secrecy. Publicizing reports of access requests from the authorities can help illuminate patterns of overzealous policing, highlight companies’ efforts to resist excessive requests, and perhaps give pause to law enforcement officials who might otherwise seek more user information than they need for an investigation. We hope that next year ¿Dónde están mis datos? will show a trend in the Colombian telecommunications industry toward publishing surveillance transparency reports.

Despite that, ETB obtained a quarter battery for publishing centralized information about the wiretapping process, the blocking of content, and its law enforcement guidelines for data requests. This is a positive first step. We hope that next year ETB will also reveal how many requests it received from the authorities.

DirecTV, a subsidiary of the US company AT&T, should follow the example of its parent company, which published both law enforcement guidelines and transparency reports in its home country.

2. On Data Protection

Karisma awarded a battery to companies for publishing their privacy policies in a clear and accessible way.

As in 2015, DirecTV was the only company that received a full battery for its privacy policy. Unfortunately, ¿Dónde están mis datos? showed that DirecTV’s practice is the exception to the rule: most ISPs’ privacy policies are hard to find and vague on specifics. In particular, Karisma’s report showed that Claro’s privacy policy is not only hard to find but difficult to search; it lacks the accessibility features that would let its customers find or search for specific information quickly.

3. On User Notification

Karisma asked companies to adopt the technology industry best practice of notifying their customers about any government request for information (when the law allows). However, Karisma found that Colombian telecommunications companies have not caught up with the rest of the industry. All ISPs should recognize the central role they play in defending the privacy of those who contract for their services, and prioritize protecting users.

While DirecTV does not specifically discuss its legal obligation to provide personal data in response to a government data request, nor detail the procedure used when this happens, its privacy policy makes clear that it will notify those who contract its services if DirecTV hands over its customers’ data. At the other end of the spectrum, UNE’s policy is totally silent on this standard.

4. Privacy - On government data retention practices

Karisma evaluated two important disclosures to users: whether the company disclosed that it is required by law to retain its customers’ data, and that it is obliged to comply with a prosecutor’s legitimate requests to access content, subscriber data, and metadata in the context of a criminal investigation.

Telefónica-Movistar is the only company that discloses its data retention policies to its customers. However, its privacy policy itself is not especially privacy-protective. Fundación Karisma noted that Telefónica-Movistar Colombia’s databases have an “indefinite validity,” an admission of poor data collection practices. Karisma then contrasted those policies with those of Telefónica’s parent company, finding that Telefónica headquarters has better privacy policies than its Colombian subsidiary. The parent company specified that it retained data only for the time required by law or to achieve a legitimate business aim, and that it is willing to respond to data protection requests that oppose the processing of personal data that is not necessary for the purpose of the service.

ETB is the only company that states its obligation to comply with a prosecutor’s legitimate requests. ETB disclosed this on its new central Transparency and Access to Information page, which discusses the procedures for legal interception and government data requests in Colombia. By contrast, Telefónica-Movistar and Tigo-UNE do not mention at all who can request information and what information can be requested according to law. For their part, Claro and DirecTV indicate vaguely that they can share information with public or administrative authorities in the exercise of their legal functions or by court order. This is concerning, since the legal norms in Colombia are much more specific about who can ask for information and what information can be requested.

5. Freedom of Expression - On transparency regarding ISPs’ blocking or removing content

In this category, Karisma evaluated the industry’s transparency regarding its processes for filtering, removing, or blocking content, and for canceling and suspending internet service.

Karisma saw improvements from Telefónica-Movistar and ETB compared with their practices in 2015. These companies now have codes of conduct that provide certain guidelines on the behaviors the ISPs allow, so that users can understand how to avoid sanctions. Karisma’s evaluation only assesses whether these practices are adequately and publicly codified; here, it does not examine whether those practices are good or bad.

We recognize that shifts in industry can take time. It took several years before EFF saw widespread changes in tech giants’ policies in response to EFF’s annual Who Has Your Back report. We hope that next year’s edition of Karisma’s ¿Dónde están mis datos? report will find more of these companies adopting these best practices and standing by their users.



Obama Can Still Boost Transparency, Accountability Before Trump Takes Office

eff.org - Wed, 23/11/2016 - 06:11

There are fewer than 60 days until President-elect Donald Trump is sworn in, but President Barack Obama can still take steps to improve transparency—and therefore government accountability.

In a letter to the Obama administration this week, EFF and other civil liberties groups—including Demand Progress and OpenTheGovernment.org—are asking that he shed some much-needed light on government actions that impact civil liberties ahead of his departure.

“As your administration winds down and our democracy faces strong headwinds, we urge you to take the following important steps to empower citizens, Congress, and the courts to protect our system of separated powers and make sure that our government continues working as the founders intended,” the letter says.

Specifically, the groups are asking Obama to declassify and release significant Foreign Intelligence Surveillance Court opinions, regardless of whether they were issued before the passage of the USA FREEDOM Act in 2015 (something EFF is suing the government to do right now); to release information about opinions from the Justice Department’s Office of Legal Counsel, especially those related to national security and civil liberties; and to preserve and release at least limited information about the 2012 Senate report on CIA interrogation.

Obama should also release information about national security- and civil liberties-related Inspector General reports, information about the scope of surveillance of U.S. persons under Section 702 of the Foreign Intelligence Surveillance Act, and guidance on how the government considers constitutional concerns surrounding parallel construction, the law enforcement practice of finding alternative evidence to bring a case that was built on inadmissible information gathered through intelligence operations.

The letter also calls on Obama to brief Congress and the Privacy and Civil Liberties Oversight Board to help inform their oversight, direct a government-wide review of whether and how agencies are disposing of information about U.S. persons collected through surveillance, publicly acknowledge the lack of whistleblower protections for government contractors, and declare a federal Fred Korematsu Day, in remembrance of victims of the U.S. internment of Japanese-Americans during World War II.

Obama may be on his way out of the White House, but these are specific, concrete things he can do to ensure that the public, our representatives, and the courts are equipped with as much information as possible to provide a check on future administrations.

As the letter says, “No less than our shared legacy of a vibrant democratic government is at stake.”



Malware and Mysteries: Secret Surveillance in Argentina

eff.org - Wed, 23/11/2016 - 05:25

This post is part of the series “Unblinking Eyes: The State of Communications Surveillance in Latin America,” a collaborative project conducted with digital rights partners in Latin America, which documents and analyzes surveillance laws and practices in twelve countries: Argentina, Brazil, Chile, Colombia, El Salvador, Guatemala, Honduras, Peru, Mexico, Nicaragua, Paraguay, and Uruguay. In addition to the individual country reports, EFF produced a comparative legal analysis of the surveillance laws in those twelve countries, as well as a regional legal analysis of the 13 Necessary and Proportionate Principles written with Derechos Digitales, and an interactive map that summarizes our findings.

In 2004, when Argentinean lawyer Alberto Nisman was appointed by then President Nestor Kirchner to investigate the deadliest bombing in Argentina's history, few suspected that Nisman himself would become a fatality. The story of Alberto Nisman reflects the shadier parts of modern Argentina, including a still-mysterious use of digital surveillance against the rule of law.

Nisman was in charge of investigating the 1994 terrorist attack in Buenos Aires that targeted a Jewish Center, the Asociación Mutual Israelita Argentina (AMIA), killing 85 people. Two years after being appointed lead prosecutor, Nisman publicly accused Iran of directing the attack. Nisman eventually indicted seven Iranian government officials. With five international arrest warrants secured, the Argentinean government publicly urged Iran to extradite the suspects. The government of Iran refused.

Over the years, the case left the two countries at an impasse. Nisman forged ahead. His investigation was largely supported by Cristina Fernández de Kirchner, who became Argentina's president after her husband stepped down in 2007. That is, until rumors of closed-door negotiations between her and the Iranian government led Nisman to accuse President Fernández of making a secret deal between Argentina and Iran that would cover up any involvement in the bombing.

On January 18, 2015, the evening before Nisman was scheduled to testify in Congress against the president and her foreign minister, he was found dead in his home.

An investigation subsequently conducted by security expert Morgan Marquis-Boire for The Intercept indicated that Nisman had downloaded malware on his cellphone shortly before his death. Marquis-Boire explains that the software was hidden in a PDF marked “confidential,” and was intended to infect Nisman's Windows computer. Because Nisman opened the file on his Android phone, the spyware was not properly deployed. No one knows whether Nisman ultimately opened the file on his primary computer and infected it with spyware, but Marquis-Boire is confident that this malware attack was not an isolated event. Whoever was behind Nisman's final spyware appeared to use similar surveillance tools on other subjects, including the Argentine journalist Jorge Lanata. Attribution of spyware is difficult, but Marquis-Boire believes there are strong indications that a government actor was behind these attacks.

Argentina has a long history of government secrecy and surveillance. One of the country's biggest surveillance scandals, unveiled during Cristina Fernández de Kirchner’s presidency, was the uncovering of Project X—a national police database that contained intelligence information on union leaders and members of the opposition, collected without a warrant. Project X clearly violated the country's national intelligence law and the law on personal data protection. Illegal wiretapping is not unknown in the country—the current president Mauricio Macri was under investigation for five years for his alleged participation in one such case. Although acquitted in December 2015, Macri has blurred the separation of powers by nominating a close friend as chief of the federal intelligence agency (AFI), and a party official with close ties to the intelligence community as deputy director. Argentine civil society has harshly criticized the nominees for their lack of suitability; however, the Senate confirmed their appointments in August 2016—a signal which may suggest the intelligence agencies are becoming less autonomous and reverting to old practices.

These known reports of unchecked surveillance prompted EFF, along with our partners in Argentina at the Center for Studies on Freedom of Expression and Access to Information (CELE), Verónica Ferrari and Daniela Schnidrig, to write “State Communications Surveillance and the Protection of Fundamental Rights in Argentina,” a report that analyzes surveillance law in Argentina and provides recommendations. This report is part of the larger project “Unblinking Eyes: The State of Communications Surveillance in Latin America.” Here are some of its main findings:

Surveillance in Argentina Today

Argentina has ratified several human rights treaties that protect the right to privacy, such as the American Convention on Human Rights (ACHR). All the treaties that Argentina has ratified are binding and applicable in domestic law.

However, there is a lack of clarity in the privacy safeguards that Argentina's laws provide. The country's legal framework uses broad definitions in its legal provisions, and its intelligence framework allows for significant exceptions to constitutional privacy protections in “states of emergency” (a phrase that is not adequately defined).

On Transparency

There are no legal obligations to submit transparency reports on communications interceptions for criminal matters in Argentina. However, intelligence agencies must submit annual reports on their activities to the Bicameral Commission on the Supervision of Intelligence Bodies and their Activities. These reports are confidential.

In September 2016, the Argentinian House of Representatives adopted the Access to Public Information Act. The new law allows Argentinians to request information from the General Prosecutor and any judge of the Judicial branch. The law contains national security exceptions; information will not be provided in circumstances where a criminal investigation could be jeopardized.

On User Notification

There is no legal obligation compelling companies or the state to notify a person when they have been the subject of surveillance. There’s a chance a person may learn they have been surveilled if the information gathered on them is used as evidence in a criminal procedure. But there is no obligation requiring public officials to disclose where they obtained such evidence. However, citizens do have the right to request access to the information that has been gathered on them by intelligence agencies.[1]

On Public Oversight

The Bicameral Commission on the Oversight of Intelligence Bodies and Activities is the country's legislative control mechanism. By law, it oversees and controls the activities of the National Intelligence System, Argentina's intelligence service, to ensure it complies with legal and constitutional regulations. The Commission should also weigh in on any legislation that concerns intelligence activities. However, the overall effectiveness of the Commission is greatly undermined by several factors.

  1. The Executive branch decides what information the Commission may access. Because the law imposes a general restriction on information concerning intelligence and counterintelligence activities, the Commission must receive authorization from the President or an appointed official in order to access any of this type of information.
  2. The Commission largely operates in secret. Civil society groups have tried requesting information about the operational activities of the Bicameral Commission, but have received no response.[2]
  3. The Commission must submit an annual report on the operational effectiveness of the National Intelligence System to the National Executive and the National Congress. The report, however, is confidential, which makes it impossible for the general public to verify its accuracy.

The Asociación por los Derechos Civiles (ADC), a civil liberties NGO in Argentina, concluded that the Bicameral Commission is shrouded in such secrecy that it is impossible to assess its operation. In fact, testimony gathered during the investigation surrounding the death of Alberto Nisman suggests that the Commission is not operating at all. Veronica Ferrari, former Internet policy and human rights researcher and coordinator at the Center for Studies on Freedom of Expression and Access to Information (CELE) states,

“The [t]radition of secrecy around intelligence in Argentina should be reversed. It's the government's prerogative to conduct intelligence, but the effective implementation of public oversight mechanisms, such as the Bicameral Commission, is essential to ensuring that human rights are not affected.”

Daniela Schnidrig, former researcher at the Center for Studies on Freedom of Expression and Access to Information (CELE), and a current staffer at Global Partners Digital, adds,

“In the upcoming months and years ahead, President Macri should focus his attention on developing robust transparency and accountability mechanisms to ensure that any surveillance of communications is conducted in a manner that respects human rights standards.”

We’ve seen the consequences of unchecked governments that operate in secret. Politicians and judges in Argentina must incorporate better transparency measures and oversight mechanisms into their legislation in order to avoid any future abuses of power, internal corruption, and human rights violations against their people.

  1. Supreme Court of Argentina. Ganora s/ hábeas corpus. Decision of September 16, 1999.
  2. Ramiro Álvarez Ugarte and Emiliano Villa. Who is Watching the Watchers? Privacy International, Asociación por los Derechos Civiles – ADC. https://www.privacyinternational.org/sites/default/files/Who's%20Watching%20the%20Watchers_0.pdf


Tech Companies, Fix These Technical Issues Before It’s Too Late

eff.org - Fri, 18/11/2016 - 11:38

The results of the U.S. presidential election have put the tech industry in a risky position. President-Elect Trump has promised to deport millions of our friends and neighbors, track people based on their religious beliefs, and undermine users’ digital security and privacy. He’ll need Silicon Valley’s cooperation to do it—and Silicon Valley can fight back.

If Mr. Trump carries out these plans, they will likely be accompanied by unprecedented demands on tech companies to hand over private data on people who use their services. This includes the conversations, thoughts, experiences, locations, photos, and more that people have entrusted platforms and service providers with. Any of these might be turned against users under a hostile administration.

We present here a series of recommendations that go above and beyond the classic necessities of security (such as enabling two-factor authentication and encrypting data on disk). If a tech product might be co-opted to target a vulnerable population, now is the time to minimize the harm that can be done. To this end, we recommend technical service providers take the following steps to protect their users, as soon as possible:

1. Allow pseudonymous access.

Give your users the freedom to access your service pseudonymously. As we've previously written, real-name policies and their ilk are especially harmful to vulnerable populations, including pro-democracy activists and the LGBT community. For bonus points, don't restrict access to logged-in users.

2. Stop behavioral analysis.

Do not attempt to use your data to make decisions about user preferences and characteristics—like political preference or sexual orientation—that users did not explicitly specify themselves. If you do any sort of behavioral tracking, whether using your service or across others, let users opt out. This means letting users modify data that's been collected about them so far, and giving them the option to not have your service collect this information about them at all.

When you expose inferences to users, allow them both to remove or edit individual inferences and to opt out entirely. If your algorithms make a mistake or mislabel a person, the user should be able to correct you. Furthermore, ensure that the internal systems mirror and respect these preferences. When users opt out, delete their data and stop collecting it moving forward. Offering an opt out of targeting but not out of tracking is unacceptable.

3. Free up disk space and delete those logs.

Now is the time to clean up the logs. If you need them to check for abuse or for debugging, think carefully about which precise pieces of data you really need. And then delete them regularly—say, every week for the most sensitive data. IP addresses are especially risky to keep. Avoid logging them, or if you must log them for anti-abuse or statistics, do so in separate files that you can aggregate and delete frequently. Reject user-hostile measures like browser fingerprinting.

4. Encrypt data in transit.

Seriously, encrypt data in transit. Why are you not already encrypting data in transit? Do the ISP and the entire internet need to know about the information your users are reading, the things they're buying, the places they're going? It's 2016. Turn on HTTPS by default.

5. Enable end-to-end encryption by default.

If your service includes messages, enable end-to-end encryption by default. Are you offering a high-value service—like AI-powered recommendations or search—that doesn’t work on encrypted data? Well, the benefits of encrypted data have just spiked, as has popular demand for it. Now is the time to re-evaluate that tradeoff. If it must be off by default, offering an end-to-end encrypted mode is not enough. You must give users the option to turn on end-to-end encryption universally within the application, thus avoiding the dangerous risk of accidentally sending messages unencrypted.
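Recommendation 3 above, sketched as an added example that is not part of the original post: client IP addresses are stripped from access-log lines, kept in separate per-day files, and after a week each file is reduced to counts and deleted. The file names, the seven-day window, and the sample log lines are assumptions constructed for illustration.

```python
import re
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

# Common Log Format: client IP first, timestamp in square brackets.
LINE = re.compile(r'^(?P<ip>\S+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$')

# Constructed sample input (documentation-range addresses only).
SAMPLE = [
    '192.0.2.10 - - [10/Nov/2016:09:15:02 +0000] "GET /inbox HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Nov/2016:09:15:09 +0000] "GET /settings HTTP/1.1" 200 734',
    '2001:db8::7 - - [10/Nov/2016:11:40:31 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.4 - - [18/Nov/2016:08:01:55 +0000] "GET / HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]


def split_logs(lines, outdir):
    """Write IP-free lines to app.log and the IPs to ip-YYYY-MM-DD.log files.

    Returns the number of lines dropped because they did not parse.
    """
    outdir = Path(outdir)
    skipped = 0
    with open(outdir / "app.log", "a") as app:
        for line in lines:
            m = LINE.match(line)
            if not m:
                # Fail closed: an unparsed line may still contain an address,
                # so it is dropped rather than copied into the long-lived log.
                skipped += 1
                continue
            day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
            # Keep the field layout, with "-" in place of the client address.
            app.write("- " + m["rest"] + "\n")
            with open(outdir / f"ip-{day.isoformat()}.log", "a") as ipf:
                ipf.write(m["ip"] + "\n")
    return skipped


def rollup_and_purge(outdir, today, keep_days=7):
    """Reduce each expired per-day IP file to counts, then delete the file.

    stats.csv keeps only: day, request count, distinct-client count.
    Returns the list of days whose raw IP files were deleted.
    """
    outdir = Path(outdir)
    cutoff = today - timedelta(days=keep_days)
    purged = []
    for path in sorted(outdir.glob("ip-*.log")):
        day = date.fromisoformat(path.stem[3:])   # strip the "ip-" prefix
        if day > cutoff:
            continue                              # still inside the window
        ips = path.read_text().split()
        with open(outdir / "stats.csv", "a") as stats:
            stats.write(f"{day},{len(ips)},{len(set(ips))}\n")
        path.unlink()                             # raw addresses are gone
        purged.append(day.isoformat())
    return purged


def demo():
    """Run both steps on the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        skipped = split_logs(SAMPLE, root)
        purged = rollup_and_purge(root, today=date(2016, 11, 18))
        return {
            "skipped": skipped,
            "purged": purged,
            "app_log": (root / "app.log").read_text(),
            "stats": (root / "stats.csv").read_text(),
            "ip_files_left": sorted(p.name for p in root.glob("ip-*.log")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The parser only removes the leading client-address field; addresses that an application writes elsewhere in a line (for example a forwarded-for header it logs itself) need their own handling.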


Categories: Aggregated News

Give Congress Time to Debate New Government Hacking Rule

eff.org - Fri, 18/11/2016 - 09:21

If Congress doesn’t act soon, federal investigators will have access to new, sweeping hacking powers due to a rule change set to go into effect on Dec. 1.

That’s why Sens. Chris Coons, Ron Wyden, Mike Lee, and others introduced a bipartisan bill today, the Review the Rule Act, which would push that rule change back to July 1. That would give our elected officials more time to debate whether law enforcement should be able to, with one warrant from one judge, hack into an untold number of computers and devices wherever they’re located.

We’ve long expressed concerns that the proposed changes to Rule 41 of the Federal Rules of Criminal Procedure threaten privacy and security, and we hope Congress acts on this new bill to give this issue the time and consideration it deserves.

Speaking on the Senate floor this morning, Coons—who sits on the Senate Judiciary Committee, a committee of jurisdiction on the issue—and Wyden called for more time to let Congress weigh in. "Neither the Senate nor the House held a hearing or a markup on the relevant committees to evaluate these changes," Coons said. "The body of government closest to the people has failed to weigh in at all on an issue that immediately and directly impacts our constituents’ rights."

Wyden countered the defense of the rule change we often hear from law enforcement officials, that letting investigators hack into computers around the world is only a small, procedural tweak. Instead, Wyden called it "an enormous policy shift."

The pair of lawmakers also stressed the fact that the bipartisan push for further consideration of the rule change started before Donald Trump won the presidential election this month. Wyden, Coons, and 21 other members of Congress sent a letter in late October asking U.S. Attorney General Loretta Lynch for more information about how the government plans to operate once the rule change goes into effect.

"This was alarming before Nov. 8," Wyden said. "Now we need to consider the prospects of an administration led by someone who openly said he wants the power to hack his political opponents."

We’re encouraged that the bill has bipartisan support in both the Senate and the House, where Reps. John Conyers and Ted Poe introduced a companion bill, and we hope Congress gives itself more time to hold hearings and fully debate whether to give law enforcement these sweeping computer hacking powers.

Related Cases: The Playpen Cases: Mass Hacking by U.S. Law Enforcement

TPP: A Post-Mortem

eff.org - Fri, 18/11/2016 - 05:22

The death of the Trans-Pacific Partnership (TPP) that EFF referred to last week has since been confirmed by White House officials. This marks the end of a long campaign against the secret agreement that EFF began in 2012.

Make no mistake; although the immediate cause of the TPP's demise was the result of the U.S. presidential election, the TPP faced long odds in Congress even if the election results had been different. This in turn was due to broad opposition to the agreement from many sectors of society across the board, including members of the digital rights community. So as we examine the consequences of the TPP's demise, EFF and its allies are entitled to feel proud of the part we played.

Implementation of the TPP in Other Countries

But as we reported on the death of the TPP, that does not mean the other TPP countries are out of danger. In fact, today New Zealand's Parliament passed the implementing legislation needed to ratify the TPP, including legislation that would extend the copyright term in New Zealand from 50 to 70 years after the death of the author.

The most disheartening thing about this is that New Zealand's lawmakers were not unaware that they were doing this unilaterally and to no purpose. They knew it, and they did it anyway. This passage from the official transcript of the third reading speech by Labour Party member Rino Tirikatene reflects our own frustration with the process:

We are wasting the House's time. I do not know where the National Government has been for the past 24 hours, but there has been an election in the United States, and there is a new President-elect, Trump, and he has outlined that in his first 100 days he will withdraw the United States from the Trans-Pacific Partnership (TPP), a complete withdrawal. I do not know why we are here in a kind of self-delusion, feeling that by passing this legislation the TPP will miraculously come into force, because it will not. It is dead.

The upside is that the amendments introduced by the implementation bill will take effect only from the date the TPP enters into force for New Zealand. If that never happens, the legislation will never take effect.

Japan, too, has moved closer to ratifying the TPP since we last wrote on the subject. Its ratification bill has already passed the lower house, and will automatically take effect on December 9 if the upper house does not act on the bill first. Unlike in New Zealand, many of the changes made to Japanese law, including the copyright term extension, are not conditional on the TPP entering into force.

This puts Japan at even greater risk than New Zealand of suffering self-inflicted damage from the TPP that will never be offset by greater access to U.S. markets. Japan's Aozora Bunko (literally Blue Sky Library, a repository of public domain works) is a national institution that will be particularly affected.

Prime Minister Shinzo Abe declared that his government's commitment to implementing the TPP would "show the world our ability to produce an outcome," and is even pushing other countries to speed up their own implementation efforts. It should be noted that Japan is also the only country that has ratified the failed Anti-Counterfeiting Trade Agreement (ACTA).

The other country closest to ratifying and implementing the TPP, Malaysia, today published a press release [PDF] acknowledging that the TPP has failed, but it does not categorically rule out continuing its own progress toward implementing the TPP's mandates through national legislation. Vietnam and Australia are in a similar position.

These countries, along with Brunei, Mexico, Singapore, Peru and Chile, should accept reality and give their citizens some certainty by formally cancelling their implementation plans. If they see some symbolic value in continuing with implementation, then they should at least do what New Zealand has done and make their implementation conditional on the existing agreement entering into force.

Implications for Other Trade Agreements

Instead of doing this, the remaining TPP countries, now led by Mexico and Japan, will use this week's APEC meeting in Lima to discuss the idea of concluding an agreement without the United States. Since that country's participation provided much of the agreement's value and the basis for many of the tradeoffs made by the other parties, it is difficult to make sense of this proposal without a significant renegotiation of the text.

In parallel, China is promoting the idea of expanding the Regional Comprehensive Economic Partnership (RCEP) into a broader Free Trade Area of the Asia Pacific (FTAAP), covering the 21 members of the Asia-Pacific Economic Cooperation (APEC) group.

It is difficult to assess what this would mean for digital rights, but we do not see it being good. The RCEP in its current form contains some provisions on copyright, which for the most part are not as bad as those in the TPP, but this may change before the agreement is concluded. Since the RCEP negotiation process is as closed and opaque as that of the TPP, we may not find out how users' rights are being negotiated until it is too late.

As for future trade agreements that include the United States, the next U.S. president, Donald Trump, has stated his intention to place more emphasis on bilateral agreements than on multilateral ones, as well as on the enforcement of existing agreements. We are not sure of the implications of this for the Trade in Services Agreement (TISA), but they do not look good for its backers.

The problem with a renewed focus on bilateral negotiations is that a single country negotiating with the United States is far more likely to accept unbalanced copyright demands than it would be if it had the support of ten other countries, as the countries did under the TPP. For example, previous U.S. bilateral free trade agreements have required trading partners to extend copyright protection to temporary copies in computer memory; a poison pill for innovators that the countries negotiating the TPP rightly rejected.

Thus there is much uncertainty ahead around digital trade agreements, and EFF does not yet claim to have all the answers. But we can be sure of at least two things: that the TPP will not enter into force in its current form and that, consequently, there is no rational reason for any of the countries that negotiated it to change their laws to conform to the agreement.

If you are from Japan, it is especially important that you get involved with local activists, who are best placed to make the government back away from its misguided mission to implement this bad agreement. If you are from Australia, Canada, Mexico, Peru, Chile, Singapore, Malaysia, Brunei or Vietnam, you can also make a difference by writing to your local newspaper about why implementing the TPP is a bad idea. Here are some links to get you started:



Digital Security Tips for Protesters

eff.org - Thu, 17/11/2016 - 13:30

After the election, individuals took to the streets across the country to express their outrage and disappointment at the result of the U.S. presidential election. Many protesters may not be aware of the unfortunate fact that exercising their First Amendment rights may open them up to certain risks. Those engaging in peaceful protest may be subject to search or arrest, have their movements and associations mapped, or otherwise become targets of surveillance and repression. It is important that in a democracy citizens exercise their right to peaceably assemble, and demonstrators should be aware of a few precautions they can take to keep themselves and their data safe. Here we present 10 security tips for protesting in the digital age.

  1. Enable full-disk encryption on your device

Full-disk encryption ensures that the files across your entire device are encrypted. This is a form of encryption that protects data at rest, as compared to in-transit encryption, which protects data that is transferred over the Internet. Full-disk encryption protects everything from your local database of text messages to the passwords you have stored in your browser. This is useful in case your device is confiscated by police, but also protects you in situations where the device is lost or stolen. Protest situations are often unpredictable, so losing your phone is a distinct possibility.

Recent versions of Android and iOS require full-disk encryption capabilities to be built into devices. These should be protected by a strong password: 8-12 random characters that are nonetheless easy to remember and type in when you unlock your device. If devices are not protected by a strong password, the encryption may be easier to break using a brute force attack. Recent editions of the iPhone have employed specialized hardware to protect against this type of attack, but a complex password is still advisable.

  2. Remove fingerprint unlock

In the past, iOS and Android used the same password to both boot your phone and to unlock it. Recently, both iOS and Android introduced a mechanism to allow you to unlock your device with your fingerprint. This is a convenient way to ensure that you enjoy the benefits of full-disk encryption without sacrificing convenience. However, in protest situations we suggest you turn this functionality off. A police officer can physically force you to unlock your device with your fingerprint. And as a legal matter, while the state of the law is in flux, there is currently less protection against compelled fingerprint unlocking than compelled password disclosure. You can always add your fingerprint back to the device after you’ve left the protest.

In iOS, you can disable this by going into Settings -> Touch ID & Passcode and removing each of the fingerprints in this menu.

In Android, disabling this feature may depend on your device manufacturer. For Nexus devices, go into Settings -> Security -> Nexus Imprint and delete the fingerprints from this menu.

  3. Take photos and videos without unlocking your device

Catching that perfect shot is something you want to be ready for, and powerful images can help bolster the cause. If you've chosen a strong password, entering it into the device takes precious time, and you risk the moment passing before you're able to take the shot. Luckily, newer versions of iOS and Android allow you to take photos and videos without unlocking your device, giving you the time to capture the moment.

With Android Nexus devices, double-press the power button.

At the iOS lock screen, you can swipe to the left.

  4. Install Signal

Signal is an app available on both iOS and Android that offers strong encryption to protect both text messages and voice calls. This type of protection is called end-to-end encryption, which secures your communications in transit (as discussed in tip #1). Other apps, such as WhatsApp, have implemented underlying cryptography. But we believe Signal is the better option because it implements best practices for secure messaging.

In addition to encrypting one-to-one communication, Signal enables encrypted group chats. The app also recently added the functionality of having messages disappear anywhere from 10 seconds to a week after they are first read. In contrast to some other services like Snapchat, these ephemeral messages will never be stored on any server, and are removed from your device after disappearing.

Recently, a grand jury in the Eastern District of Virginia issued a subpoena to Open Whisper Systems, the maintainers of Signal. Because of the architecture of Signal, which limits the user metadata stored on the company’s servers, the only data they were able to provide was "the date and time a user registered with Signal and the last date of a user's connectivity to the Signal service."

  5. Read our Surveillance Self Defense (SSD) guide for street-level protests

Know your rights when attending protests with our SSD module on the topic: https://ssd.eff.org/en/module/attending-protests-united-states

  6. Use a prepaid, disposable phone

If you're really concerned about the data stored on your device, don't bring it at all and pick up a prepaid mobile phone. These lower-end devices can be purchased along with a SIM card at most large retail stores, and current federal regulation does not require you to show your ID (but your state may). Let your friends know your temporary number, and use this to coordinate activities. Remember that the location of mobile devices can be determined by the cell towers they connect to, so if you don't want your identity known, turn off your prepaid device before going home or anywhere that might lead to your identity. Using GPS should be safe, since GPS is a receiver and does not transmit any information, but your device may store your coordinates. For this reason, we suggest you turn off location services. When you're done with the phone, it can be safely recycled or discarded from a location that is not linked to you. Keep in mind that if you carry both your regular device and a prepaid one with you, the location of these devices can be correlated as a way to compromise your anonymity.

  7. Back up your data

Take precautions to limit the possible costs that can be incurred by the loss of a device. Backing up your data regularly and storing that backup in a safe place can save you a headache later on.

  8. Consider biking or walking to the protest

Automated License Plate Reader Systems (ALPRs) automatically record the license plates of cars driving through an area, along with the exact time, date, and location they were encountered. This technology is often used by law enforcement, or employed by private companies such as Vigilant and MVTrac who then share license plate data with law enforcement and other entities. Amassed in huge databases, this data is retained for an unknown period of time. These companies have lobbied and litigated vigorously against statutes that would ban the private collection of license plate data or otherwise regulate ALPRs. Effectively, your location can be tracked over time by your driving habits, with very few legal limits in place as to how this data can be collected and accessed.

Consider using alternative means of transportation if you would prefer that your movements and associations remain private.

Read more in our Street Level Surveillance guide on ALPRs.

  9. Enable airplane mode

Airplane mode ensures that your device will not be transmitting for the duration of your time at the protest, and prevents your location from being tracked. Unfortunately, this also means that you won't be able to message or call your friends, so plan accordingly. You may want to select a nearby meet-up spot where you and your friends can rendezvous if you get separated. You may also want to turn off location services (as discussed in tip #6).

  10. Organizers: Consider alternatives to Facebook and Twitter

Facebook and Twitter provide a large user base for you to promote your cause, but these popular social media platforms also carry risks. Viewing an event page, commenting on the event, and stating your intention to attend are all actions viewable by law enforcement if the pages and posts are public, and sometimes even if the pages aren't (subject to a court order). For actions that require a more cautious approach, consider forming a group chat via Signal as described above.

Update 11/17: In tip #3, changed "swipe to the right" to "swipe to the left" for iOS.



Censorship in Social Media Leaves Users in Frustration

eff.org - Thu, 17/11/2016 - 01:44
EFF and Visualizing Impact Analyze Reports of Content Moderation Gone Awry

San Francisco - User reports of censorship of social media posts show a deep frustration with companies’ content moderation policies, according to an analysis by Onlinecensorship.org, a project of the Electronic Frontier Foundation (EFF) and Visualizing Impact.

In “Censorship in Context: Insights from Crowdsourced Data on Social Media Censorship,” researchers analyzed reports of content takedowns received from users of Facebook, Google+, Instagram, Twitter, and YouTube from April to November of 2016. At a time when many are asking for more content moderation—like calls for Facebook to crack down on “fake news”—election-related censorship complaints focused on the desire of users to speak their minds and share information about a tight election without worrying that their posts will disappear.

“Social media is where we receive news, debate, and organize. These companies have enormous impact on the public sphere, yet they are still private entities with the ability to curate the information we see and the information we don’t see at their sole discretion,” said Jillian C. York, EFF Director for International Freedom of Expression and co-founder of Onlinecensorship.org. “The user base is what powers these social media tools, yet users are feeling like they don’t have any control or understanding of the system.”

“Censorship in Context” recommends best practices for social media content moderation, including transparency in how company policies are enforced and any available remedies. The researchers also urge strengthening systems of redress when content is removed in error, and doing a better job of educating users about what is acceptable on a given platform and what isn’t.

“Many people depend on Facebook to talk to friends, family, clients, and fans, and to debate the issues of the day,” said Project Strategist Sarah Myers West. “While these companies have the right to set their own rules, the least they can do is to tell everyone how they’re enforced.”

Onlinecensorship.org was launched in November of 2015 to spot trends in content removals and learn how these takedowns impact different communities. The site also includes a guide to appealing a content takedown and hosts a collection of news reports on content moderation practices.

For the full whitepaper:
https://onlinecensorship.org/news-and-analysis/onlinecensorship-org-launches-second-report-censorship-in-context-pdf

Contact: Jillian C. York, Director for International Freedom of Expression, jillian@eff.org

TPP: A Post-Mortem

eff.org - Wed, 16/11/2016 - 10:25

The death of the Trans-Pacific Partnership that EFF called last week has since been confirmed by White House officials. This marks the end of a long-running campaign against the secretive agreement that EFF began back in 2012.

Make no mistake; although the proximate cause of the TPP's demise was the U.S. Presidential election result, the TPP faced long odds in Congress even if the election had gone the other way. This in turn was due to broad opposition to the agreement from many sectors of society across the political divide, including from members of the digital rights community. So as we survey the fallout from the TPP's demise, EFF and its supporters are entitled to feel proud of the part we played.

Implementation In Other TPP Countries

But as we mentioned when breaking news of the death of the TPP, this doesn't mean that the other TPP countries are out of danger yet. In fact only today New Zealand's Parliament passed the implementing legislation required to ratify the TPP, including legislation that would extend the copyright term in New Zealand from 50 to 70 years after the death of the author.

The most dispiriting thing about this is that New Zealand's lawmakers were not ignorant of the fact that they were doing this unilaterally and with no purpose. They knew it, and they did it anyway. This passage from the official transcript of the third reading speech from Labour party member Rino Tirikatene reflects our own frustration with the process:

We are wasting the House's time. I do not know where the National Government has been for the past 24 hours, but there has been an election in the United States, and there is a new President-Elect, Trump, and he has outlined that in his first 100 days, he is withdrawing the US from the Trans-Pacific Partnership (TPP) agreement—a complete withdrawal. I do not know why we are here in some sort of deluded sense that by passing this legislation, the TPP is miraculously going to come into force, because it will not. It is dead—over.

The silver lining in this is that the amendments introduced by the implementation Bill will take effect only from the date that TPP enters into force for New Zealand. If that never happens, then the legislation will never take effect.

Japan, too, has moved closer to ratifying the TPP since we last wrote on the subject. Its ratification bill passed the lower house already, and will automatically take effect on December 9 if the upper house does not act on the bill sooner. Unlike in New Zealand, many of the changes made to Japanese law, including the copyright term extension, are not conditional on the TPP taking effect.

This places Japan at an even higher risk than New Zealand of suffering self-inflicted damage from the TPP that it will never offset through increased U.S. market access. Japan's Aozora Bunko (literally Blue Sky Library, a repository of public domain works) is one national institution that will be particularly hard hit.

Prime Minister Shinzo Abe declared that his government's quixotic commitment to the implementation of the TPP would “show to the world our ability to produce an outcome”, and is even pushing other countries to hasten their own implementation efforts. It may be worth noting that Japan is also the only country that ever ratified the failed Anti-Counterfeiting Trade Agreement (ACTA).

The other country that is closest to ratifying and implementing the TPP, Malaysia, has today released a press statement [PDF] that acknowledges that the TPP has failed, yet does not categorically rule out the continuation of its own progress towards implementing the TPP's mandates through domestic legislation. Vietnam and Australia are in a similar position.

These countries, along with Brunei, Mexico, Singapore, Peru and Chile, ought to accept reality and provide their citizens with some certainty by formally shelving their implementation plans. If they see some symbolic value in continuing with their implementation, then at the very least they should do as New Zealand has done and make this conditional upon the existing TPP agreement coming into effect.

Implications for Other Trade Agreements

Instead of doing this, the remaining TPP countries now led by Mexico and Japan will be using this week's APEC meeting in Lima, Peru to discuss the idea of concluding a TPP agreement without the United States. Since U.S. involvement provided much of the value of the agreement, and the basis for many of the tradeoffs made by the other parties, it is difficult to make sense of this proposal without a significant renegotiation of the text.

In parallel, China is promoting the idea of expanding the Regional Comprehensive Economic Partnership (RCEP) into a broader Free Trade Area of the Asia Pacific (FTAAP), covering all 21 members of the Asia-Pacific Economic Cooperation (APEC) group.

It is difficult to assess what this would mean for digital rights, but we can't see it being good. The RCEP in its present form does contain some provisions on copyright, which are for the most part not as bad as those in the TPP, but this may change before the agreement is done. Since the process of negotiation of RCEP is every bit as closed and opaque as the TPP, we may not find out about how users' rights are being traded away until it is too late.

As for future trade agreements that do include the United States, the next U.S. President Donald Trump has indicated his intention to place more emphasis on concluding bilateral rather than multilateral agreements, as well as on the enforcement of existing agreements. We are unsure of the implications of this for the Trade in Services Agreement (TISA), but they don't look good for its backers.

The problem with a renewed focus on bilateral negotiations is that a single country in negotiation with the United States is far more likely to accept unbalanced copyright demands than it would be if it had the support of ten other countries, as countries did under the TPP. For example, previous bilateral U.S. free trade agreements have required trading partners to extend copyright protection to temporary copies in computer memory; a poison pill for innovators that the TPP countries rightly rejected.

Thus there is much uncertainty in the future around digital trade agreements, and EFF doesn't yet claim to have all the answers. But we can be certain about at least two things: that the TPP will not come into force in its present form, and that in consequence there is no rational reason for any of the countries that negotiated it to change their laws to conform with the agreement.

If you come from Japan, it is especially important for you to get involved with local activists who have the best chance of turning the government back from its misguided mission to implement this doomed agreement. If you come from Australia, Canada, Mexico, Peru, Chile, Singapore, Malaysia, Brunei, or Vietnam, then you can also make a difference by writing to your local newspaper about why TPP implementation is such a bad idea. Here are some links to get you started:



Grassroots Digital Rights Alliance Expands Across U.S.

eff.org - Wed, 16/11/2016 - 09:43

Observers around the world are scrutinizing the President-elect’s transition team and prospects for digital rights under the incoming administration. Trump’s campaign statements offered few reasons to be optimistic about the next administration’s commitments, making the unrestrained domestic secret surveillance regime that President Trump will inherit an even greater threat not only to privacy, but also dissent, individual autonomy and freedom of conscience, and—ultimately—our democracy.

At EFF, we have committed ourselves to redoubling our efforts to defend digital rights. We know, however, that it will take the concerted actions of our supporters to help our goals find their reflection in law, policy, technology, and culture.

That’s why we launched the Electronic Frontier Alliance (EFA), a network of grassroots groups taking action in their local communities to promote digital rights.

Training neighbors

In places like Brooklyn, Baltimore, Chicago, Denver, and Los Angeles, local organizers have hosted workshops to train social movement activists how to incorporate encryption into their communication practices.

Their work not only helps encrypt the web—ensuring that privacy and dissent can survive, however the legal regime may empower intelligence agencies. It also enables and cultivates alliances with local communities and neighbors responding to underlying social issues from state violence and climate change to domestic violence and the rights of refugees.

Restraining police

In other places, such as San Jose, Oakland, St. Louis, and New York, grassroots groups in the EFA have advocated in coalition with local allies for legal protections at the municipal level to ensure that police departments can no longer buy or use military surveillance equipment in secret.

Those campaigns help their neighbors stay safe from the secret and unaccountable use of surveillance devices that state & local authorities have used around the country—in some cities, thousands of times—for reasons including suppressing dissenting voices. They also help create opportunities for future policymakers, journalists, and activists by forcing a democratic decision-making process on what has otherwise been a secret metastasis of domestic surveillance, as thousands of agencies across the U.S. have been transformed under our feet from police departments into local spy centers.

Defending innovation

Meanwhile, groups from Atlanta to Austin are pressing university administrations to consider the public interest when licensing patents to monetize scientific research.

Their work helps protect access to science, and ensure that discovery enables innovation, rather than financial opportunism by parasitic patent trolls using the courts as a tool at the public’s expense. It also builds a voice on campuses to challenge the orthodoxy of corporate rightsholders that have increasingly restricted access to culture and the right to tinker by, for example, forcing on device owners digital locks backed up by vicious and unreasonable legal penalties that treat innovators like criminals.

If you're concerned about the future of digital rights and working with a local group like a hacker space, a student organization, or community coalition, we want to hear from you. If you're not yet organizing locally, join our next EFA teleconference to connect with the dozens of allied groups around the country who already are and learn how to follow their lead.

Dissent and resistance grow only more meaningful in times of crisis. And if the days to come prove as dark as some fear, we—not only EFF, but also you, the Internet, your rights, and our democracy—will need all the allies we can find.


Categories: Aggregated News

Resist. Rethink. Rebuild.

freepress.net - Wed, 16/11/2016 - 05:24
Craig Aaron, November 15, 2016

At Free Press, we refuse to enable, legitimize or normalize Trump’s neo-fascist, racist, misogynist, xenophobic and dangerous actions.
Categories: Aggregated News

Users Around the World Reject Europe's Upload Filtering Proposal

eff.org - Fri, 11/11/2016 - 03:08

Users around the world have been outraged by the European Commission's proposal to require websites to enter into Shadow Regulation agreements with copyright holders concerning the automatic filtering of user-generated content. This proposal, which some are calling RoboCopyright and others Europe's #CensorshipMachine, would require many Internet platforms to integrate content scanning software into their websites to alert copyright holders every time it detected their content being uploaded by a user, without any consideration of the context.

People are right to be mad. This is going to result in the wrongful blocking of non-infringing content, such as the fair use dancing baby video. But that's only the start of it. The European proposal may also require images and text—not just video—to be automatically blocked on copyright grounds. Because automated scanning technologies are unable to evaluate the applicability of copyright exceptions, such as fair use or quotation, this could mean no more image macros, and no more reposting of song lyrics or excerpts from news articles to social media.

Once these scanning technologies are in place, it will also become far easier for repressive regimes around the world to demand that Internet platforms scan and filter content for purposes completely unrelated to copyright enforcement—such as suppressing political dissent or enforcing anti-LGBT laws. Even when used as originally intended, these automated tools are also notoriously ineffective, often catching things they shouldn't, and failing to catch things they intend to. These are among the reasons why this new automatic censorship mechanism would be vulnerable to legal challenge under Europe's Charter of Fundamental Rights, as we explained in our last post on this topic.

A Filtering Mandate Infringes the Manila Principles on Intermediary Liability

Two years ago, well before the current European proposal was placed on the table, EFF and our partners launched the Manila Principles on Intermediary Liability. Despite not being a legal instrument, the Manila Principles have been tremendously influential. They have been endorsed by over 100 other organizations and referenced in international documents, such as reports by United Nations rapporteurs and the Organization for Security and Co-operation in Europe (OSCE), along with the Global Commission on Internet Governance's One Internet report.

According to the Manila Principles (emphasis added):

Intermediaries should be shielded from liability for third-party content

  1. Any rules governing intermediary liability must be provided by laws, which must be precise, clear, and accessible.
  2. Intermediaries should be immune from liability for third-party content in circumstances where they have not been involved in modifying that content.
  3. Intermediaries must not be held liable for failing to restrict lawful content.
  4. Intermediaries must never be made strictly liable for hosting unlawful third-party content, nor should they ever be required to monitor content proactively as part of an intermediary liability regime.

Forcing Internet platforms (i.e., intermediaries) into private deals with copyright holders to automatically scan and filter user content is, effectively, a requirement to proactively monitor user content. Since sanctions would apply to intermediaries who refuse to enter into such deals, this amounts to an abridgment of the safe harbor protections that intermediaries otherwise enjoy under European law. This not only directly contravenes the Manila Principles, but also Europe's own E-Commerce Directive.

The Manila Principles don't ban proactive monitoring obligations for the sake of the Internet intermediaries; the ban is to protect users. When an Internet platform is required to vet user-generated content, it has incentive to do so in the cheapest manner possible, to ensure that its service remains viable. This means relying on error-prone automatic systems that place copyright holders in the position of Chief Censors of the Internet. The proposal also provides no recourse for users in the inevitable cases where automated scanning goes wrong.

That doesn't mean there should be no way to flag copyright-infringing content online. Most popular platforms already have systems in place that allow their users to flag content—for copyright infringement or terms of service or community standards violations. In Europe, the United States, and many other countries, the law also requires platform operators to address infringement notices from copyright owners; even this is the subject of considerable abuse by automated systems. We can expect to see far more abuse when automated copyright bots are also put in charge of vetting the content that users upload.

Europe's mandatory filtering plans would give far too much power to copyright holders and create onerous new barriers for Internet platforms that seek to operate in Europe. The automated upload filters would become magnets for abuse—not only by copyright holders, but also governments and others seeking to inhibit what users create and share online.

If you're in Europe, you can rise up and take action using the write-in tool below, put together by the activists over at OpenMedia. This tool will allow you to send Members of the European Parliament your views on this repressive proposal, in order to help ensure that it never becomes law. 


Categories: Aggregated News

All content and comments posted are owned and © by the Author and/or Poster.
Web site Copyright © 1995 - 2007 Clemens Vermeulen, Cairns - All Rights Reserved
Drupal design and maintenance by Clemens Vermeulen Drupal theme by Kiwi Themes.