Deep Links

EFF's Deeplinks Blog: Noteworthy news from around the internet

Senate Puts ISP Profits Over Your Privacy

Thu, 03/23/2017 - 11:30

The Senate just voted to roll back your online privacy protections. Speak up now to keep the House from doing the same thing.

ISPs have been lobbying for weeks to get lawmakers to repeal the FCC’s rules that stand between them and using even creepier ways to track and profit off of your every move online. Republicans in the Senate just voted 50-48 (with two absent votes) to approve a Congressional Review Action resolution from Sen. Jeff Flake which—if it makes it through the House—would not only roll back the FCC’s rules but also prevent the FCC from writing similar rules in the future.

That would be a crushing loss for online privacy. ISPs act as gatekeepers to the Internet, giving them incredible access to records of what you do online. They shouldn’t be able to profit off of the information about what you search for, read about, purchase, and more without your consent.

We can still kill this in the House: call your lawmakers today and tell them to protect your privacy from your ISP.


Categories: Political Action

The Bill of Rights at The Border: The First Amendment and the Right to Anonymous Speech

Wed, 03/22/2017 - 19:48

The U.S. border has been thrown into the spotlight these last few months, with border agents detaining travelers for hours, demanding travelers unlock devices, and even demanding passwords and social media handles as a prerequisite for certain travelers entering the country. As the U.S. government issues a dizzying array of new rules and regulations, people in the U.S. and abroad are asking: are there meaningful constitutional limits on the ability of border agents to seize and search the data on your electronic devices and in the cloud?

The answer is: Yes. As we’ll explain in a series of posts on the Bill of Rights at the border and discuss in detail in our border search guide, border agents and their activities are not exempt from constitutional scrutiny.

In this first post, we’ll focus on the First Amendment.

The First Amendment is meant to safeguard five fundamental rights: speech, assembly, religion, press, and petition to the government for redress of grievances. The First Amendment also protects the right to exercise these basic rights anonymously because, as Supreme Court Justice John Paul Stevens wrote:

Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.

But when border agents scrutinize the massive volume of sensitive information in our digital devices or in the cloud, they infringe on First Amendment rights in at least four distinct ways.

  • First, device searches may reveal your social media profile handles, including pseudonymous accounts. This allows border agents to match those handles to your passport identity, which effectively unmasks you and prevents you from being able to speak anonymously online. The same is true if you comply with an agent’s demand that you tell them your social media handles.
  • Second, device searches may also chill your ability to associate with an expressive institution anonymously, like a political group. Border agents can use a device search or knowledge of your social media handles to unearth a variety of private associational ties that can be mapped and harvested for more personal information and connections. What is worse, the investigation may intrude upon your contacts’ privacy as well as your own.
  • Third, requiring you to let CBP review your web-browsing history violates your right to access and receive information anonymously. This intrusion also occurs when CBP scrutinizes your shopping histories to reveal your private decisions to acquire expressive materials, such as books and movies.
  • Finally, requiring journalists to unlock devices that contain confidential journalistic sources and work product inhibits their ability to shield the identity of their sources and undermines the integrity and independence of the newsgathering process.

Border searches of our digital devices and cloud data thus implicate core free speech rights. Therefore, border agents should at least be required to obtain a warrant supported by probable cause before any such search of our private digital information.

Indeed, the First Amendment requires even more. For example, when police officers demand purchasing records from booksellers (implicating the right to access information anonymously), the First Amendment requires not only probable cause, but a compelling need, the exhaustion of less restrictive investigative methods, and a substantial nexus between the information sought and the investigation. Given that a digital device search is far more invasive upon First Amendment rights than disclosure of what books a person buys at a single bookseller, border agents should be required to do the same.

And the government should take special care with respect to journalists. The Privacy Protection Act prohibits the government from searching or seizing a journalist’s materials without probable cause that the journalist has committed a crime. While the statute exempts border searches for the purpose of enforcing the customs laws, it does not exempt border searches for other purposes, such as a criminal investigation.

Unfortunately, so far, courts have refused to recognize the free speech implications of digital border searches. But we hope and expect that will change as courts are forced to weigh the increasing amount of sensitive information easily accessible on our devices and in the cloud, and the increasing frequency and scope of border searches of this information.

Without First Amendment protections at the border, the threat of self-censorship looms large. Travelers faced with the risk of border agent intrusion into such sensitive data are more prone to self-censorship when expressing themselves, when considering private membership in political groups, or when deciding whether to access certain reading or media material. This is especially true for people who belong to unpopular groups, who espouse unpopular opinions, or who read unpopular books or view unpopular movies.

Likewise, confidential sources that provide invaluable information to the public about government or corporate malfeasance may refrain from whistleblowing if they fear journalists cannot protect their identities during border crossings. This is why EFF is calling for stronger Constitutional protection of your digital information and urging people to contact Congress on this issue today.

We’re also collecting stories of border search abuses at: borders@eff.org

The good news is there’s a lot you can do at the border to protect your digital privacy. Take the time to review our pocket guides on Knowing Your Rights and Protecting your Digital Data at the border. And for a deeper dive into these issues, take a look at our Border Search Guide on protecting the data on your devices and in the cloud.



Call Your Senators Thursday Morning to Save Your Privacy

Wed, 03/22/2017 - 18:35

Congress is getting serious about taking away your online privacy. We have to get serious about stopping them.

The Senate is going to vote on Thursday on a measure from Sen. Jeff Flake that would repeal the broadband privacy rules passed by the FCC last year. According to at least one of the measure’s co-sponsors, it will likely have the votes it needs to pass in the Senate unless we take action right now.

Those rules were a huge win for consumers, and—if Congress doesn’t get in the way—they’ll protect Internet users from creepy tracking by their ISPs when they go into effect later this year.

As we’ve argued, repealing the FCC’s privacy rules is a bad move for consumers. If Congress repeals the rules, your ISP will be able to sell records about what you look at, what you purchase, and who you talk to online. The FCC may not be able to write new privacy rules, and, because of the current legal landscape, it’s not clear that any federal agency would be able to step in and protect consumers when ISPs violate their privacy.

Now is the time to act. Call your lawmakers and tell them to oppose the resolution to repeal the FCC’s privacy rules.



Know About Digital Device Searches in California Schools? Send a Report to EFF.

Wed, 03/22/2017 - 18:32

Here in California, we’re in a tough battle over how and when the government can search through the digital devices of teachers and students. A terrible proposal—A.B. 165—seeks to strip over 6 million Californians of privacy safeguards baked into our state laws, giving the government a loophole to rifle through personal digital devices in schools without a warrant issued by a judge.

We’re looking for individuals in California’s public schools who can report on experiences with digital device searches. Are you a student who had a school administrator search your device without your consent? Are you a parent whose son or daughter was punished because of data found on their device? Are you a teacher who has seen or been part of questionable searches in the school context? We want to hear about it.

Types of stories that would be especially useful for us:

  • Examples in which digital device searches may have violated existing California law and resulted in negative consequences (embarrassment, administrative action, criminal investigation) for students or teachers;
  • Examples in which digital device searches in schools exposed sensitive details about students, teachers, or their families, including medical concerns, immigration status, economic status, sexual orientation, or political speech;
  • Other examples of digital device searches in California schools that you found concerning.

Please report stories using our survey and share this request with your friends.

A.B. 165 is currently scheduled for a hearing before the Assembly Committee on Privacy and Consumer Protection on April 18. That means that right now is a very important time to make sure all our California legislators hear us. Please speak out now against A.B. 165.


Not in California? You can still make a difference. Please reach out to your friends in California and ask them to speak out, and please share this blog post on social media.

Read more about how A.B. 165 will impact privacy in California and could be the first step toward rolling back privacy protections for other communities.



Consumers Press the USTR Nominee on Trade Transparency

Wed, 03/22/2017 - 16:37

Even before U.S. Trade Representative (USTR) nominee Robert Lighthizer takes office, he’s already feeling the heat from Congress and from public interest representatives about improving transparency and public access to trade negotiations.

In written answers given as part of Lighthizer’s confirmation hearing last week, Senator Ron Wyden asked him, “What specific steps will you take to improve transparency and consultations with the public?” Lighthizer’s reply (which he repeated in similar form in response to similar questions from other Senators) was as follows:

If confirmed, I will ensure that USTR follows the TPA [Trade Promotion Authority, aka. Fast Track] requirements related to transparency in any potential trade agreement negotiation. I will also look forward to discussing with you ways to ensure that USTR fully understands and takes into account the views of a broad cross-section of stakeholders, including labor, environmental organizations, and public health groups, during the course of any trade negotiation. My view is that we can do more in this area to ensure that as we formulate and execute our trade policy, we receive fulsome input and have a broad and vigorous dialogue with the full range of stakeholders in our country.

Senator Maria Cantwell sought to drill down into more specifics, by having Lighthizer address the skewed Trade Advisory Committees that currently advise the USTR. In response to her question:

Do you agree that it is problematic for a select group of primarily corporate elites to have special access to shape US trade proposals that are not generally available to American workers and those impacted by our flawed trade deals?

Lighthizer replied:

It is important that USTR’s Trade Advisory Committees represent all types of stakeholders to ensure that USTR benefits fully from a diverse set of viewpoints in considering the positions it takes in negotiations. If confirmed, I will work to ensure that USTR’s Trade Advisory Committees are appropriately constituted in order to achieve this goal.

Cantwell also invited Lighthizer to commit to replacing the advisory system with a new process that invites the American public to help shape U.S. proposals for trade agreements and give input on negotiated texts, as well as to having all proposals and negotiated texts published online in a timely fashion so the workers and the broader public that will be impacted by these agreements have a full understanding of what is being negotiated.

He declined to do so, going only so far as to say that he would look forward to discussing “additional means for ensuring public input into U.S. trade negotiations”, as well as “ways to ensure that USTR fully understands and takes into account the views of all stakeholders during the course of a trade negotiation”.

This rather vague commitment certainly doesn’t close the door on the administration adopting the kind of reforms that EFF has demanded, but it also suggests that we will have to continue fighting hard for them to avoid yet another cop-out by the agency.

Trans-Atlantic Consumer Groups Speak Out

Thankfully, we’re not alone in that fight. EFF has just returned from the annual public forum of the Trans-Atlantic Consumer Dialogue (TACD), a forum of U.S. and European consumer groups, of which we are a member. This diverse group released a Positive Consumer Agenda for trade which includes the following demands:

Any regulatory cooperation dialogue and trade negotiation must be transparent. Agendas of the meetings and rounds must be made publicly available well in advance as well as negotiating documents and minutes of meetings and rounds. For trade negotiations, negotiations should not begin until all parties agree to publish their textual proposals as well as consolidated negotiating texts after each round on publicly available websites. …

US positions on trade deals can be formulated the way other US federal regulations are: through an on-the-record public process established under the Administrative Procedure Act to formulate positions, obtain comments on draft texts throughout negotiations, and seek comments on proposed final texts. In the European Union, the Commission should open a public consultation when drafting negotiating mandates to mirror the legislative process.

Trade Isn’t the Right Tool For Every Internet Problem

A third front in our battle to reform the USTR’s closed and opaque trade negotiation practices is in a submission to the U.S. International Trade Commission (ITC) that we submitted this week. The ITC was seeking public submissions in an enquiry on digital trade, to gather input into a report that it is writing to advise the USTR on the topic.

The submission reiterates our demands that the USTR publish its proposals, publish draft texts, have an independent transparency officer, open up proposals to notice and comments and a public hearing process, and open up Trade Advisory Committees to be more inclusive. But it also points out that the USTR shouldn’t consider trade negotiations as the right tool to regulate every aspect of the Internet that touches on trade:

Whereas the Commission aims to describe regulatory and policy measures currently in force in important markets abroad that may significantly impede digital trade, our bottom line is that not all such measures that impede digital trade are necessarily protectionist. … [They may] also have important non-trade justifications that serve broader social and economic needs such as freedom of expression and access to information, consumer safety and privacy, and preservation of the stability and security of Internet networks.

When the only tool you have is a hammer, every problem looks like a nail—and the USTR has been hammering away like mad at topics as diverse as net neutrality, domain names, encryption standards, and intermediary liability. But because there are many other dimensions of these issues besides the trade dimension, trade negotiations aren’t necessarily the best venue to address them; and certainly not while those negotiations remain as closed and opaque as they are at present.

As the renegotiation of NAFTA is around the corner, the need for USTR to reform its outdated practices is becoming increasingly urgent. With Congress, consumer groups, and international trade experts all demanding similar reforms from the next Trade Representative, we certainly hope that Robert Lighthizer is feeling the heat, and that he will rise to the challenge once he takes office.



The New Laptop Ban Adds to Travelers' Lack of Privacy and Security

Wed, 03/22/2017 - 13:26

It can be difficult to understand the intent behind anti-terrorist security rules on travel and at the border. As our board member Bruce Schneier has vividly described, much of it can appear to be merely "security theater"—steps intended to increase the feeling of security, while doing much less to actually achieve it.

This week the U.S. government, without warning or public explanation, introduced a sweeping new device restriction on travelers flying non-stop to the United States from ten airports in eight Muslim-majority countries, and nine airlines from those countries. Passengers on these flights must now pack large electronics (including tablets, cameras, and laptops) into their checked luggage.

Information is still emerging regarding the rationale behind the ban, which went into effect at 3:00 Eastern Time Tuesday morning. The United Kingdom on Monday joined the United States with a similar regulation aimed at a differing set of flights.

These new restrictions on the transport of digital devices have provoked a growing sense of insecurity among personal and business travelers flying between America, the Middle East and Turkey, and rightly so. Travelers to and within the United States were already concerned over reports of increasing levels of warrantless inspection of their devices at the border of the United States. Earlier this month, U.S. Customs and Border Protection revealed that there were more device searches in February alone than were conducted in the whole of the 2015 fiscal year.

One of the few consolations is that these invasive searches take place with your knowledge, during security searches of your body and personal items. As we recently described in our guide to digital searches at the border, and in our brief to the Fourth Circuit Federal Court of Appeals, the U.S. border is not a rights-free zone: searches should be noted, and if known about, can be challenged as unlawful. There is also the small compensation that, if officials do not demand access to your laptop, tablet or phone, you can at least be confident that your digital possessions have not been invasively searched.

Requiring digital devices to be checked as luggage removes those reassurances, and adds new concerns. If someone else has physical access to your device, almost all information security guarantees are off the table. Data can be cloned for later examination. If you encrypt your stored data, you might limit how much direct data can be extracted—but even so, you cannot stop the examiner from installing new spyware or hardware. New software can be installed for later logging or remote control; protections can be disabled or manipulated.

Under these conditions, it's very hard to make any assurances about how safe your personal data can be in transit. Some security researchers have devised exotic ways to reveal physical tampering; others spend their time defeating those systems. But if your device is out of your possession, all bets are off.

This is not to assert that the new regulations are intended to enable these widespread, unaccountable searches. But given the content of the new regulation and the manner in which it was introduced, it's not surprising that rather than improving the confidence of travelers that their life and possessions remain safe and secure, it's led to even more doubt and uncertainty.

Because the United States authorities have provided little transparency into or notice of their decision, we have no idea what protection this regulation is attempting to provide. It is particularly unclear what security benefit limiting the ban to a few airlines and airports achieves. (Even if you believe, as officials within the Trump administration have stated, that some nationalities pose a particular threat, potential terrorists are surely smart enough to fly to an intervening nation which has not imposed the same controls, and take one of the multi-stop flights on which the United States still permits laptops as a carry-on.) At best, it seems like the real threat is so limited that the United States feels it is not worth the cost to inconvenience other travelers. At worst, it adds to the sense that some crossing the border—for instance, citizens of these nations and American visitors to them—should have fewer protections and practical opportunities for legal defense against invasive searches at the border than others.

Security theater or not, improving security at the border includes, as a goal, ensuring the sense of security and confidence that travelers have that their personal data and devices are safe from unlawful interference. To do that, the United States authorities need to be more transparent in their reasoning, more protective of the highly personal information held on digital devices, and far less arbitrary in their search and treatment of different groups of travelers. A strong set of legal safeguards consistently governing digital device searches of every traveller—whether they are U.S. citizens, residents, or visitors—would be more secure, and safer for all.

For practical advice for protecting your data at the border, see our detailed new guide and printable border search pocket guide.



Patents Are A Big Part Of Why We Can’t Own Nice Things: the Supreme Court Should Fix That

Tue, 03/21/2017 - 19:40

Today, the Supreme Court heard arguments in a case that could allow companies to keep a dead hand of control over their products, even after you buy them. The case, Impression Products v. Lexmark International, is on appeal from the Court of Appeals for the Federal Circuit, which last year affirmed its own precedent allowing patent holders to restrict how consumers can use the products they buy. That decision, and the precedent it relied on, departs from long-established legal rules that safeguard consumers and enable innovation.

When you buy something physical—a toaster, a book, or a printer, for example—you expect to be free to use it as you see fit: to adapt it to suit your needs, fix it when it breaks, re-use it, lend it, sell it, or give it away when you’re done with it. Your freedom to do those things is a necessary aspect of your ownership of those objects. If you can’t do them, because the seller or manufacturer has imposed restrictions or limitations on your use of the product, then you don’t really own them. Traditionally, the law safeguards these freedoms by discouraging sellers from imposing certain conditions or restrictions on the sale of goods and property, and limiting the circumstances in which those restrictions may be imposed by contract.

But some companies are relentless in their quest to circumvent and undermine these protections. They want to control what end users of their products can do with the stuff they ostensibly own, by attaching restrictions and conditions on purchasers, locking down their products, and locking you (along with competitors and researchers) out. If they can do that through patent law, rather than ordinary contract, it would mean they could evade legal limits on contracts, and that anyone using a product in violation of those restrictions (whether a consumer or competitor) could face harsh penalties for patent infringement.

Impression Products v. Lexmark International is Lexmark’s latest attempt to prevent purchasers from reusing and refilling its ink cartridges with cheaper ink. If Lexmark can use patent law to accomplish this, it won’t just affect the person or company that buys the cartridge, but also anyone who later acquires or refills it, even if they never agreed to what Lexmark wanted.

The case will turn on how the Supreme Court applies patent law’s “exhaustion doctrine.” As the Court explained in its unanimous Quanta v. LG Electronics decision, the exhaustion doctrine provides that “the initial authorized sale of a patented item terminates all patent rights.” Meaning, a patent holder can’t use patent rights to control what you can do with the product you’ve purchased, because they no longer have patent rights in that particular object. As we explained in a brief submitted along with Public Knowledge, Mozilla, the AARP, and R Street Institute to the Supreme Court, the doctrine protects both purchasers and downstream users of patented products. Without the exhaustion doctrine, patent holders would be free to impose all kinds of limits on what you can do with their products, and could use patent infringement’s severe penalties as the enforcement mechanism. The doctrine also serves patent law’s constitutional purpose—to promote progress and innovation—by ensuring that future innovators have access to, and can research and build on, existing inventions, without seeking permission from the patent holder.

This isn’t Lexmark’s first bite at the apple. The company first tried to argue that copyright law, and section 1201 of the DMCA (which prohibits circumvention of DRM), gave it the right to prevent re-use of its toner cartridges. In 2004, the Sixth Circuit roundly rejected Lexmark’s copyright claims. The court explained that even if Lexmark could claim copyright in the code at issue, and while it might want to protect its market share in cartridges, “that is not the sort of market value that copyright protects.” The Sixth Circuit also shot down Lexmark’s section 1201 claims, stating:

[n]owhere in its deliberations over the DMCA did Congress express an interest in creating liability for the circumvention of technological measures designed to prevent consumers from using consumer goods while leaving copyrightable content of a work unprotected. In fact, Congress added the interoperability provision in part to ensure that the DMCA would not diminish the benefit to consumers of interoperable devices "in the consumer electronics environment."

Having lost on its copyright claims, Lexmark found a warmer welcome at the Federal Circuit, which last year held that so long as the company “restricted” the sale of its product (in this case through a notice placed on the side of the cartridge) Lexmark could get around patent exhaustion, and retain the right to control downstream users’ behavior under patent law.

The Federal Circuit’s ruling in Lexmark seriously undermines the exhaustion doctrine, allowing patent holders to control users’ behavior long after the point of purchase merely by including some form of notice of the restriction at the point of sale. As we’ve said before, this is especially troubling because downstream users and purchasers may be entirely unaware of the patent owner’s restrictions.

The Federal Circuit’s ruling is also significantly out of step with how the majority of the law treats these kinds of restrictions. While sellers can use contract law to bind an original purchaser to mutually agreed-upon terms (with some limits), for hundreds of years courts have disfavored sellers’ attempts to use other laws to control goods after a transfer of ownership. Courts and legal scholars have long acknowledged that such restrictions impair the purchasers’ personal autonomy, interfere with efficient use of property, create confusion in markets, and increase information costs. The Federal Circuit’s ruling is even out of step with copyright law, whose exhaustion principle is codified in the first sale doctrine.

We’re hopeful that the Supreme Court will reverse the Federal Circuit and bring patent law’s exhaustion doctrine back in line.



Supreme Court: A Patent Owner Can Lie In Wait

Tue, 03/21/2017 - 18:18

In a ruling today that will cheer up patent trolls, the Supreme Court said patent owners can lie in wait for years before suing. This will allow trolls to sit around while others independently develop and build technology. The troll can then jump out from under the bridge and demand payment for work it had nothing to do with.

Today’s 7-1 decision arrives in a case called SCA Hygiene v. First Quality Baby Products. This case involves a patent on adult diapers but has a much broader reach. The court considered whether the legal doctrine of “laches” applies in patent cases. Laches is a principle that penalizes a rightsholder who “sleeps on their rights” by waiting a long time to file a lawsuit after learning of a possible infringement. It protects those that would be harmed by the assertion of rights after a lengthy delay. For example, laches would work against a patent owner that saw an infringing product emerge yet waited a decade to sue, after significant investment of time and resources had been put into the product.

The ruling in SCA follows a similar decision in Petrella v. MGM holding that laches is not available as a defense in copyright cases. The Supreme Court has generally rejected “patent exceptionalism” and has often reversed the Federal Circuit for creating special rules for patent law. So today’s decision was not especially surprising. In our view, however, there were compelling historical and policy arguments for retaining a laches defense in patent law.

Together with Public Knowledge, EFF filed an amicus brief at the Supreme Court explaining the many ways that companies accused of patent infringement can be harmed if the patent owner sleeps on its rights. For example, evidence relevant to invalidity can disappear. This is especially true for software and Internet-related patents. In his dissent, Justice Breyer cited our brief and explained:

[T]he passage of time may well harm patent defendants who wish to show a patent invalid by raising defenses of anticipation, obviousness, or insufficiency. These kinds of defenses can depend upon contemporaneous evidence that may be lost over time, and they arise far more frequently in patent cases than any of their counterparts do in copyright cases.

The seven justices in the majority suggested that patent defendants might be able to assert “equitable estoppel” instead of laches. But that would likely require showing that the patent owner somehow encouraged the defendant to infringe. In most cases, especially patent troll cases, the defendant has never even heard of the patent or the patent owner before receiving a demand. This means estoppel is unlikely to be much help. Ultimately, today’s ruling is a victory for trolls who would wait in the shadows for years before using an obscure patent to tax those who do the hard work of bringing products and services to market.

Related Cases: SCA Hygiene v. First Quality Baby Products

Hearing Wednesday: EFF Testifying Before House Committee That Use of Facial Recognition by Law Enforcement Poses Critical Threat to Privacy

Tue, 03/21/2017 - 13:46
One Out of Two Americans Already in a Face Recognition Database Accessible to Law Enforcement

Washington, D.C.—On Wednesday, March 22, Electronic Frontier Foundation (EFF) Senior Staff Attorney Jennifer Lynch will testify at a hearing before the House Committee on Oversight and Government Reform about the FBI's efforts to build up and link together massive facial recognition databases that may be used to track innocent people as they go about their daily lives.

The FBI has amassed a facial recognition database of more than 30 million photographs and has access to hundreds of millions more. The databases include photos of people who aren’t suspected of any criminal activity, drawn from driver’s license, passport, and visa photos, even as the underlying identification technology becomes ever more powerful. The government has done little to address the privacy implications of this massive collection of biometric information.

Lynch will testify that the use of facial recognition technology will allow the government to track Americans on an unprecedented level. The technology, like other biometric programs, such as fingerprint and DNA collection, poses critical threats to privacy and civil liberties. Lynch will tell the House committee that Congress has an opportunity to develop legislation that would protect Americans from inappropriate and excessive biometrics collection and use.

What: Full House Committee on Oversight and Government Reform Hearing: Law Enforcement’s Use of Facial Recognition Technology

Who: EFF Senior Staff Attorney Jennifer Lynch

When: Wednesday, March 22, 9:30 a.m.

Where: 2154 Rayburn House Office Building
           Washington, D.C.

For more information on facial recognition:
https://www.eff.org/foia/fbi-facial-recognition-documents

For more on biometric data collection:
https://www.eff.org/issues/biometrics

 

Contact: Jennifer Lynch, Senior Staff Attorney, jlynch@eff.org

Border Agents Need A Warrant to Search Travelers’ Phones, EFF Tells Court

Mon, 03/20/2017 - 14:56
The Border Isn’t a Constitution-Free Zone

Richmond, Virginia—Border agents must obtain a warrant to search travelers’ phones, tablets, and laptops, which contain a vast trove of sensitive, highly personal information that is protected by the Fourth Amendment, the Electronic Frontier Foundation (EFF) told a federal appeals court today.

Searches of devices at the border have more than doubled since the inauguration of President Trump—from nearly 25,000 in all of 2016, to 5,000 in February alone. This increase, along with the increasing number of people who carry these devices when they travel, has heightened awareness of the need for stronger privacy rights while crossing the U.S. border. 

While the Fourth Amendment ordinarily requires law enforcement officials to get a warrant supported by probable cause before searching our property, in cases that predate the rise of digital devices, courts granted border agents the power to search our luggage without a warrant or any suspicion of wrongdoing.

But portable digital devices differ wildly from luggage or other physical items we carry with us to the airport because they provide access to the entirety of our private lives, EFF said in an amicus brief filed at the U.S. Court of Appeals for the Fourth Circuit in the border search case U.S. v. Kolsuz. In 2014 the Supreme Court noted that cellphones now hold “the privacies of life” for people, including highly personal, private information such as photos, texts, contact lists, email messages, and videos. Many digital devices can access personal records stored in the “cloud,” such as financial or medical information. Before smartphones were invented, that kind of information would be kept in our home offices, desk drawers, or basement storage. If law enforcement officers wanted to enter your home or lock box as part of a search, they’d need to go before a judge, prove probable cause that you’re involved in a crime, and get a warrant. 

“The border isn’t a constitution-free zone,” said Adam Schwartz, EFF senior staff attorney. “The U.S. Supreme Court ruled in 2014 that mobile phones are a window into our private lives and police need to show there’s probable cause that the people they arrest have committed crimes and obtain a warrant to search their phones. There should be no less protection for individuals who have not been arrested or shown to have committed any crime, but who instead simply want to enter the United States.”

It’s never been more important for courts to follow the standard set by the Supreme Court about cell phone searches and apply it to border searches. Reports have surfaced of border agents searching the devices of innocent U.S. citizens, green card holders, and foreign visitors. While all kinds of travelers have suffered this intrusion, many reports involve journalists, Muslim-Americans, and Americans with Middle Eastern-sounding names. Asian Americans Advancing Justice-Asian Law Caucus, Brennan Center for Justice, Council on American-Islamic Relations and six of its chapters, and The National Association of Criminal Defense Lawyers joined EFF in filing the brief.

“Law enforcement officials should be required to meet the same standards for searching our cell phones wherever we are—in our cities, on the highway, at vehicle checkpoints, and at the border. Regardless of the location, when officials want to crack open the private information in someone’s phone, they must first obtain a warrant,” said Schwartz.

For the brief:
https://www.eff.org/document/us-v-kolsuz-eff-amicus-brief

For EFF’s new border guide:
https://www.eff.org/wp/digital-privacy-us-border-2017

For EFF’s new border pocket guide:
https://www.eff.org/document/eff-border-search-pocket-guide

Contact: Adam Schwartz, Senior Staff Attorney, adam@eff.org

Hearing Wednesday: National Security Letters Violate the First Amendment

Mon, 03/20/2017 - 12:52
EFF to Argue NSL Gag Orders Are Unconstitutional in San Francisco Appeals Court

San Francisco – The Electronic Frontier Foundation (EFF) will urge an appeals court Wednesday to find that the FBI violates the First Amendment when it unilaterally gags recipients of national security letters (NSLs), and the law should therefore be found unconstitutional. The hearing is set for Wednesday, March 22, at 1:30pm in San Francisco.

EFF represents two communications service providers—CREDO Mobile and Cloudflare—that were restrained for years from speaking about the NSLs they received, including even acknowledging that they had received any NSLs. Early Monday, just days before the hearing, the FBI finally conceded that EFF could reveal that these two companies were fighting a total of five NSLs.

CREDO and Cloudflare have fought for years to publicly disclose their roles in battling NSL gag orders. Both companies won the ability to talk about some of the NSLs they had received several months ago, but Monday’s decision by the FBI allows them to acknowledge all the NSLs at issue in this case.

On Wednesday, EFF Staff Attorney Andrew Crocker will tell the United States Court of Appeals for the Ninth Circuit that these gags are unconstitutional restrictions on CREDO and Cloudflare’s free speech and that the FBI’s belated decision to lift some of the gags only underscores why judicial oversight is needed in every case. The gag orders barred these companies from participating in discussion and debate about government use of NSLs—even as Congress was debating changes to the NSL statute in 2015.

What:
In re National Security Letters

Who:
EFF Staff Attorney Andrew Crocker

Date:
March 22
1:30 pm

Where:
Courtroom 3, 3rd Floor Room 307
U.S. Court of Appeals for the Ninth Circuit
James R. Browning U.S. Courthouse
95 Seventh Street
San Francisco, CA 94103

For the FBI notice allowing the companies to identify themselves:
https://www.eff.org/document/notice-regarding-public-identification-nsl-recipients

For more on this case:
https://www.eff.org/issues/national-security-letters

Contact: Andrew Crocker, Staff Attorney, andrew@eff.org

Five Creepy Things Your ISP Could Do if Congress Repeals the FCC’s Privacy Protections

Mon, 03/20/2017 - 02:05

Why are we so worried about Congress repealing the FCC’s privacy rules for ISPs? Because we’ve seen ISPs do some disturbing things in the past to invade their users’ privacy. Here are five examples of creepy practices that could make a resurgence if we don’t stop Congress now.

Call Congress and help keep creepy ISP practices a thing of the past!

5. Selling your data to marketers

Which ISPs did it before? We don’t know—but they’re doing it as you read this!

It’s no secret that many ISPs think they’re sitting on a gold mine of user data that they want to sell to marketers. What some people don’t realize is that some are already doing it. (Unfortunately they’re getting away with this for now because the FCC’s rules haven’t gone into effect yet.)

According to Ad Age, SAP sells a service called Consumer Insights 365, which “ingests regularly updated data representing as many as 300 cellphone events per day for each of the 20 million to 25 million mobile subscribers.” What type of data does Consumer Insights 365 “ingest?” Again, according to Ad Age, “The service also combines data from telcos with other information, telling businesses whether shoppers are checking out competitor prices… It can tell them the age ranges and genders of people who visited a store location between 10 a.m. and noon, and link location and demographic data with shoppers' web browsing history.” And who is selling SAP their customers’ data? Ad Age says “SAP won't disclose the carriers providing this data.”

In other words, mobile broadband providers are too afraid to tell you, their customers, that they’re selling data about your location, demographics, and browsing history. Maybe that’s because it’s an incredibly creepy thing to do, and these ISPs don’t want to get caught red-handed.

And speaking of getting caught red-handed, that brings us to…

4. Hijacking your searches

Which ISPs did it before? Charter, Cogent, DirecPC, Frontier, Wide Open West (to name a few)

Back in 2011, several ISPs were caught red-handed working with a company called Paxfire to hijack their customers’ search queries to Bing, Yahoo!, and Google. Here’s how it worked.

When you entered a search term in your browser’s search box or URL bar, your ISP directed that query to Paxfire instead of to an actual search engine. Paxfire then checked what you were searching for to see if it matched a list of companies that had paid them for more traffic. If your query matched one of these brands (e.g. you had typed in “apple”, “dell”, or “wsj”, to name a few) then Paxfire would send you directly to that company’s website instead of sending you to a search engine and showing you all the search results (which is what you’d normally expect). The company would then presumably give Paxfire some money, and Paxfire would presumably give your ISP some money.

In other words, ISPs were hijacking their customers’ search queries and redirecting them to a place customers hadn’t asked for, all while pocketing a little cash on the side. Oh, and the ISPs in question hadn’t bothered to tell their customers they’d be sending their search traffic to a third party that might record some of it.

It’s hard to believe we’re still on the subtle end of the creepy spectrum. But things are about to get a whole lot more in-your-face creepy, with…

3. Snooping through your traffic and inserting ads

Which ISPs did it before? AT&T, Charter, CMA

This is the biggest one people are worried about, and with good reason—ISPs have every incentive to snoop through your traffic, record what you’re browsing, and then inject ads into your traffic based on your browsing history.

Plenty of ISPs have done it before—AT&T did it on some of their paid wifi hotspots; Charter did it with its broadband customers; and a smaller ISP called CMA did the same.

We don’t think this one requires much explaining for folks to understand just how privacy invasive this is. But if you need a reminder, we’re talking about the company that carries all your Internet traffic examining each packet in detail[1] to build up a profile on you, which they can then use to inject even more ads into your browsing experience. (Or, even worse—they could hire a third-party company like NebuAd or Phorm to do all this for them.) That’s your ISP straight up spying on you to sell ads—and turning the creepiness factor up to eleven.[2]

And speaking of spying, we’d be remiss if we didn’t mention…

2. Pre-installing software on your phone and recording every URL you visit

Which ISPs did it before? AT&T, Sprint, T-Mobile

When you buy a new Android phone, you probably expect it to come with some bloatware—apps installed by the manufacturer or carrier that you’re never going to use. You don’t expect it to come preinstalled with software that logs which apps you use and what websites you visit and sends data back to your ISP. But that’s exactly what was uncovered when security researcher and EFF client Trevor Eckhart did some digging into Carrier IQ, an application that came preinstalled on phones sold by AT&T, Sprint, and T-Mobile.

This is even creepier than number three on our list (watching your traffic and injecting ads), because at least with number three, your ISP can only see your unencrypted traffic. With Carrier IQ, your ISP could also see what encrypted (HTTPS) URLs you visit and record what apps you use.

Simply put, preinstalled software like Carrier IQ gives your ISP a window into everything you do on your phone. While mobile ISPs may have backed down on using Carrier IQ in the past (and the situation led to a class action lawsuit), you can bet that if the FCC’s privacy rules are rolled back there’ll be ISPs eager to start something similar.

But none of these creepy practices holds a candle to the ultimate, creepiest thing ISPs want to do with your traffic, which is…

1. Injecting undetectable, undeletable tracking cookies in all of your HTTP traffic

Which ISPs did it before? AT&T, Verizon

The number one creepiest thing on our list of privacy-invasive practices comes courtesy of Verizon (and AT&T, which quickly killed a similar program after Verizon started getting blowback).

Back in 2014 Verizon Wireless decided that it was a good idea to insert supercookies into all of its mobile customers’ traffic. Yes, you read that right—it’s as if some Verizon exec thought “inserting tracking headers into all our customers’ traffic can’t have a down side, can it?” Oh, and, for far too long, they didn’t bother to explicitly tell their customers ahead of time.

But it gets worse. Initially, there was no way for customers to turn this “feature” off. It didn’t matter if you were browsing in Incognito or Private Browsing mode, using a tracker-blocker, or had enabled Do-Not-Track: Verizon ignored all this and inserted a unique identifier into all your unencrypted outbound traffic anyway. According to the FCC, it wasn’t until “two years after Verizon Wireless first began inserting UIDH, that the company updated its privacy policy to disclose its use of UIDH and began to offer consumers the opportunity to opt-out of the insertion of unique identifier headers into their Internet traffic.”

As a result, anyone—not just advertisers—could track you as you browsed the web. Even if you cleared your cookies, advertisers could use Verizon’s tracking header to resurrect them, which led to something called “zombie cookies.” If that doesn’t sound creepy, we don’t know what does.
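Header injection of this kind can be observed by comparing a request as the client sent it with the same request as a server received it. The following is an added example, not code from EFF or any carrier: it assumes a cooperating echo server that returns the raw request it saw, and it runs on constructed sample requests with made-up identifier values (`X-UIDH` is the header name reported for Verizon's program; every other name here is hypothetical).

```python
"""Find headers added to HTTP requests in transit and flag per-subscriber IDs.

All requests below are constructed sample data, not captured traffic.
"""


def parse_request(raw):
    """Return {lowercased header name: [values]} for a raw HTTP/1.1 request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip():               # ignore malformed lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def injected_headers(sent_raw, received_raw):
    """Headers (or extra values) the server saw that the client never sent."""
    sent, received = parse_request(sent_raw), parse_request(received_raw)
    added = {}
    for name, values in received.items():
        extra = [v for v in values if v not in sent.get(name, [])]
        if extra:
            added[name] = extra
    return added


def stable_injected(sessions):
    """Injected name -> value identical in every session of one subscriber.

    Each session is (sent_raw, received_raw) from a fresh browser profile,
    so anything that survives here survives clearing cookies.
    """
    common = None
    for sent_raw, received_raw in sessions:
        pairs = {(n, v)
                 for n, vs in injected_headers(sent_raw, received_raw).items()
                 for v in vs}
        common = pairs if common is None else common & pairs
    return dict(common or ())


def tracking_headers(by_subscriber):
    """Injected headers stable per subscriber but different between subscribers."""
    per_sub = [stable_injected(s) for s in by_subscriber.values()]
    if len(per_sub) < 2:
        return []                              # need two lines to compare
    names = set(per_sub[0]).intersection(*map(set, per_sub[1:]))
    return sorted(n for n in names
                  if len({d[n] for d in per_sub}) == len(per_sub))


def request(cookie=None, added=()):
    """Build a constructed request; the client asks not to be tracked (DNT)."""
    lines = ["GET /news HTTP/1.1", "Host: example.com", "DNT: 1"]
    if cookie:
        lines.append("Cookie: sid=" + cookie)
    return "\r\n".join(lines + list(added)) + "\r\n\r\n"


def session(cookie, uid):
    """One (sent, received) pair; `uid` stands in for the carrier's identifier."""
    added = ["Via: 1.1 constructed-proxy", "X-UIDH: " + uid]
    return request(cookie), request(cookie, added)


# Two subscribers, each seen once with a cookie and once after clearing cookies.
SAMPLE = {
    "subscriber_a": [session("a1", "CONSTRUCTED-AAAA"),
                     session(None, "CONSTRUCTED-AAAA")],
    "subscriber_b": [session("b1", "CONSTRUCTED-BBBB"),
                     session(None, "CONSTRUCTED-BBBB")],
}

if __name__ == "__main__":
    print(injected_headers(*SAMPLE["subscriber_a"][0]))
    print(tracking_headers(SAMPLE))
```

A constant header such as `Via` is reported as injected but not flagged, because it does not distinguish one subscriber from another; the identifier header is flagged because it stays the same after cookies are cleared and differs between subscribers.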

As you can see, there’s a lot at stake in this fight. The FCC privacy rules Congress is trying to kill would limit all of these creepy practices (and even ban some of them outright). So don’t forget to call your senators and representative right now—because if we don’t stop Congress from killing the FCC’s ISP privacy rules now, we may end up with a lot more than five creepy ISP practices in the future.

Call Congress and help keep creepy ISP practices a thing of the past!

  1. To be absolutely precise, your ISP could track and record all your HTTP traffic, and the domain name you visit for HTTPS websites.
  2. We’ve heard some arguments that this is just what Google or Facebook do, but there’s a big difference. You can choose not to use Google or Facebook, and it’s easy to install free tools that block their tracking on other parts of the web. EFF even makes such a tool, called Privacy Badger! But changing ISPs or paying for a VPN is hard (and some people don’t have more than one choice of ISP). For more, see our post on busting three ISP privacy rollback myths.


Brazil Proposes New Digital Copyright Rules for the WTO

Fri, 03/17/2017 - 20:29

Copyright rules don't belong in trade agreements—so where do they belong? For the most part, the World Intellectual Property Organization (WIPO) is probably the right place; it's a fully multilateral body that devotes its entire attention to copyright, patent, and other so-called intellectual property (IP) rules, rather than including them as an afterthought in agreements that also deal with things like dairy products and rules of origin for yarn. Although we don't always like the rules that come out of WIPO, at least we can be heard there—and sometimes our participation makes a tangible difference. The landmark Marrakesh Treaty for blind, visually impaired and print disabled users provides a good example.

But there's another multilateral international body that can also lay claim to authority over international intellectual property rules—the World Trade Organization (WTO). When the WTO first covered copyright and patent rules in a dedicated agreement called TRIPS, it was decried by activists as being far too strict. Today, ironically, those same activists (even EFF) often tout TRIPS as a more appropriate baseline standard for global IP rules, in contrast to the stricter (or "TRIPS-plus") rules demanded for inclusion in preferential trade agreements such as the Anti-Counterfeiting Trade Agreement (ACTA) and the Trans-Pacific Partnership (TPP).

For those who believe in linking copyright and trade, the WTO is an obvious candidate to fill the vacuum left by the TPP's recent demise. At the most recent session of the WTO's TRIPS Council on March 1 and 2, Brazil circulated a paper [PDF] titled "Electronic Commerce and Copyright" to address issues around trade in copyright works in the digital age. This document didn't come out of the blue; it draws strongly upon an earlier discussion paper, also addressing the challenges of copyright in the digital environment, that Brazil and others in its GRULAC (Group of Latin American and Caribbean Countries) group introduced at WIPO in 2015.

Brazil's latest paper highlights three issues around electronic commerce and copyright that it believes belong on the WTO's agenda; not as the basis for a binding treaty, but for discussion and informal coordinated action by member states. These are:

  1. Transparency: While copyright holder groups complain that Internet platforms don't pay enough for streaming copyright content (a so-called "value gap"), a big part of the perceived problem is that it's difficult for the creators of that content to know where the money is going. The music industry, in particular, is notorious for the opacity of the payment arrangements between intermediaries and creators such as songwriters and performers. Brazil identifies the need to improve the transparency of these payments, although it doesn't go into detail about how this should be accomplished. When EFF brought musician and entrepreneur Imogen Heap to WIPO, she explained the potential for blockchain technology to provide this much-needed transparency. But rather than invest in exploring this or other transparency initiatives, big media has continued to devote most of its attention to a failing war on piracy.
  2. Balance of rights and obligations: The paper correctly identifies the need to maintain balance between the interests of copyright holders and those of users of copyright works, as technologies change and new ways of using such works emerge. But the paper goes off the rails when it suggests that it may be unlawful under the WTO's three-step test for countries to allow users to bypass DRM on copyright works, on the grounds that DRM is "essential for the normal exploitation of works in e-trade." Although we support the paper's bottom-line conclusion that "WTO Members should unequivocally assert the principle that exceptions and limitations available in physical formats should also be made available in the digital environment," we don't think this precludes rolling back penalties for the circumvention of DRM. On the contrary, circumvention is often the only way for users to gain access to content on the devices of their choice, and is imperative for preservation, archival, and reuse of such content.
  3. Territoriality of copyright: The final issue addressed in Brazil's paper is the most fundamental one: the disconnect between the global nature of the Internet, and the territorial status of national copyright systems. The problem that Brazil identifies is that by using international credit cards, users can gain access to content through overseas content platforms, and thereby circumvent services based in their own home countries, which are subject to that country's copyright rules. It proposes that "Member states should make their best efforts to make their national copyright legislation applicable to trade relations where content is accessed from within their national borders." But if this means blocking or banning users from accessing overseas content services, we have serious concerns. Such measures are entirely unnecessary anyway, as the world already has a common set of copyright rules as standards for global trade—that's exactly what the WTO TRIPS agreement provides. Brazil hasn't made out a case for more.

So far, other WTO members have shown little appetite for the WTO to undertake new work on copyright rules, with the knowledge that such negotiations would be highly contentious. (This is also why Brazil has chosen to describe it as an "electronic commerce" proposal rather than as an "intellectual property" proposal.) However, the promulgation of "soft law" standards on copyright protection under the aegis of the WTO is a more tenable proposition, and Brazil's aim with this paper is to seed that process. That's why it's important to keep a watchful eye even on non-normative documents such as these, to ensure that if the WTO does take any new measures on global copyright rules, users' rights are preserved.



If the Government Can't Get Domain Seizures Right, Why Would Big Pharma Do Better?

Fri, 03/17/2017 - 19:09

So far we've seen no response from the Domain Name Association (DNA) to our criticisms from earlier this month about its self-styled Registry/Registrar Healthy Practices [PDF]. Part of its plan is that domain registries ought to yank online pharmacy domains from the Internet without due process on Big Pharma's say-so.

But an interesting new data point about the wisdom of such a policy emerged this week. It has been reported that Immigration and Customs Enforcement (ICE), part of the United States Department of Homeland Security, had seized the domain vicodin.com, named after a common prescription pain medication. The problem? That domain actually belongs to the manufacturer and registered trademark holder for Vicodin. In other words, it seems that the domain should never have been seized.

We've never been fans of the ICE's domain name seizures. They have been used to violate free speech rights, without any meaningful opportunity for the owner or users of the domain to be heard before the domain is seized. But at least such seizures are issued under a warrant issued by a United States District Court judge, and there is a mechanism of redress (however slow and inconvenient) when a domain is seized wrongfully. That's what happened to the music blog Dajaz1, whose domain was seized by ICE and kept offline for over a year while the recording industry tried and failed to come up with evidence of copyright infringement. And it's what apparently happened today to vicodin.com.

If responsibility for the seizure of domain names passes to domain name registries or registrars, at the direction of Big Pharma—as the DNA proposes—all bets are off. We can well imagine that if the DNA's proposal is accepted as an industry-wide practice the number of mistaken domain name seizures will skyrocket, and that its victims will have even less recourse than they have against an ICE seizure.

It's not just pharmacy domains that are at risk. Under a private policy of the registry operator Donuts, an architect of the Healthy Domains Initiative, the Motion Picture Association of America (MPAA) has similar powers as Big Pharma to call for the deletion or transfer of domain names that are alleged to host copyright-infringing material. Although EFF was able to defeat a proposal to make a similar policy into an industry-wide practice, we doubt we'll have heard the last of it. 

Domain Name Regulator ICANN met with its community this week in Copenhagen. Big Pharma and Big Content lobbyists were among those who descended on the gathering, to promote their vision of private Internet content enforcement through the domain name system; a privatized SOPA, if you will. So far, ICANN has resisted accepting any such enforcement role, and rightly so. Today's reminder that even the U.S. government can't get this method of enforcement right should send a further note of caution about this misguided approach.



EFF, ACLU, and 45 Civil Rights, Immigration, and Health Advocacy Organizations Oppose AB 165, a California Bill Stripping Students and Teachers of Basic Privacy Protections

Fri, 03/17/2017 - 16:42
“Californians cannot afford to go back to the digital dark ages,” groups warn.

EFF and a diverse coalition of advocacy groups sent a letter to the California legislature urging elected officials to oppose A.B. 165. This bill would roll back privacy protections for students and teachers by exempting California public schools from the prohibition on warrantless digital searches lawmakers enacted two years ago.

The letter calls for the legislature to protect the legal rights of the 6 million Californians who study and work in public schools. Signers included Transgender Law Center, Courage Campaign, Council on American-Islamic Relations, Health Connected, California Latinas for Reproductive Justice, the American Library Association, and many others.

This attempt to strip away privacy protections comes during a tumultuous political moment in American history, where many political activists, immigrant families, and LGBTQ Americans are rightly fearful of federal policies that endanger their safety, privacy, and other civil liberties. The coalition letter called out these concerns specifically: 

"Students or staff from Muslim or immigrant communities are rightly concerned that they or their family members and friends would be at risk if their digital information were wrongfully obtained and misused. Half of California students have at least one immigrant parent – and more than half of these parents are not citizens. Members of the school community may fear reprisal for participating in online or real-world social or political activism that their school’s administration may not support. LGBTQ students or staff may have concerns about their personal and professional relationships and even their safety. And youth who live in poverty, for whom their cell phone may be their primary or only means of accessing the Internet and thus seeking information about health, sexuality, or other sensitive topics, are vulnerable to even greater exposure of their personal lives than other students with greater access to technology in the home."

Read the full letter. 

EFF urges concerned Californians to speak out against A.B. 165. If you live in California, please contact your elected officials today. 

And if you are a student or teacher who has witnessed a device search by a school official in California, please tell us about it.

Not in California? You can still help by sharing this post on social media.

Speak out.



One Step Closer to Reclaiming University Innovation From Trolls

Fri, 03/17/2017 - 13:16

Last year, EFF, along with our partner organizations, launched Reclaim Invention, a campaign to encourage universities across the country to commit to adopting patent policies that advance the public good. Reclaim Invention asks universities to focus on bringing their inventions to the public, rather than selling or licensing them to patent assertion entities whose sole business model is threatening other innovators with patent lawsuits.

Now, thanks to Maryland State Delegate Jeff Waldstreicher, the project is taking a step forward. In February, Delegate Waldstreicher introduced H.B. 1357, a bill modeled on Reclaim Invention’s draft legislation, the Reclaim Invention Act.

Like the Reclaim Invention Act, H.B. 1357 would require Maryland state universities to adopt policies for technology transfer that commit them to managing their patent portfolio in the public interest, and outlines what that policy should include. The bill would also void any agreement by the university to license or transfer a patent to a patent assertion entity (or patent troll).

At a hearing earlier this month, the Maryland Assembly’s House Appropriations Committee heard testimony in support of the bill from Delegate Waldstreicher, Knowledge Ecology International (KEI)’s James Love, and data scientist Adam Kreisberg. As KEI’s James Love explained, the bill would allow universities to continue to license or assign patent rights to companies, but would prohibit them from assigning patents “to organizations who are just suing people for infringement.” According to Love, when it comes to public universities, "you don’t want public sector patents to be used in a way that's a weapon against the public.”

EFF, with Public Knowledge, Creative Commons, and KEI [.pdf], and Yarden Katz, Fellow in Systems Biology at Harvard Medical School [.pdf] also submitted written testimony supporting the bill. Katz, who studies "the impact of commercialization on scientific research,” explains: 

[r]esearch has shown that university patents, including those produced by public universities, can end up in the hands of NPRs. For instance, as of 2016, the notorious NPA ‘Intellectual Ventures’ had nearly 500 patents that originated from American universities in its portfolio…including some from the University of Maryland.

If the Maryland legislature passes the bill, Katz states it would “set an example for other states by adopting a framework for academic research that puts public interests front and center.”

If you’re in Maryland you can urge your lawmakers to defend innovation and pass H.B. 1357.

Tell your state lawmakers: keep university patents away from trolls.

If you’re not in Maryland, you can take action to encourage your university to sign the Public Interest Patent Pledge and urge your state lawmakers to keep university patents out of the hands of trolls.


Categories: Political Action

Three Myths the Telecom Industry is Using to Convince Congress to Repeal the FCC’s Privacy Rules, Busted

Fri, 03/17/2017 - 12:52

Back in October of 2016, the FCC passed some pretty awesome rules that would bar your internet service provider (ISP) from invading your privacy. The rules would keep ISPs like Comcast and Time Warner Cable from doing things like selling your personal information to marketers, inserting undetectable tracking headers into your traffic, or recording your browsing history to build up a behavioral advertising profile on you—unless they can get your consent. They were a huge victory for everyday Internet users in the U.S. who value their privacy.

But since the restrictions also limit the ability of ISPs and advertisers alike to profit from the treasure trove of data ISPs have about their subscribers, powerful interests have come out in force to strip those protections away. Lobbyists in DC are pulling out all the stops trying to convince Congress that these straightforward, no-nonsense privacy rules are unnecessary, unfair, overly burdensome, or all of the above. EFF wrote a memo for congressional staffers that busts these myths.

And we’re sharing the content of that memo with you, Team Internet, so you can see the type of FUD ISPs and their allies are pushing in order to take away your privacy.

(Fair warning: some of these are fairly wonky, so if you’re not the type that gets excited by telecom law, you can always skip to the part where you call your senators and representative and tell them not to repeal the FCC’s ISP privacy rules—because if we raise our voices together, we can stop Congress before it’s too late.)

Call Congress now and tell them not to repeal the FCC's privacy rules!

Myth 1: If the FCC’s privacy rules are repealed, state officials and the Federal Trade Commission will fill the gap—so customers’ privacy will still be protected.

Fact: Unfortunately, recent court decisions have limited the FTC’s ability to enforce privacy rules on ISPs. Plus, relying on each state to enforce its own laws to protect privacy would create a terrible patchwork of mismatched regulations. You’d think with all the uncertainty and bureaucracy that would create, the ISPs would actually prefer clear, bright-line rules at the national level. But you’d be wrong: at this point, they’ll say anything to block the FCC’s privacy-protective rules.

Extended Version:
The 2016 FTC v. AT&T Mobility decision at the 9th Circuit eliminated the Federal Trade Commission’s authority to enforce privacy rules on ISPs in Arizona, Alaska, Hawaii, California, Idaho, Montana, Nevada, Oregon, and Washington. Other courts may do the same. And while some states’ Attorneys General have brought actions against ISPs that mislead or deceive consumers about how the companies collect, share, and sell customer data, many other states have scaled back their enforcement on the premise that federal enforcement was sufficient and preferable.

What’s more, a state-by-state patchwork of consumer protection enforcement is bad for customers and telecoms. It leaves customers in states with weaker consumer protection statutes or less assertive Attorneys General without crucial safeguards from their ISPs. And it leaves ISPs subject to a bewildering array of regulations depending on where they operate.  That regulatory thicket will impede competition and innovation by discouraging service providers from entering new markets.

Myth 2: Even if Congress repeals the FCC’s recent privacy rules, the FCC still has authority to enforce consumer privacy protections more generally under Section 222 of the Communications Act.

Fact: Due to the way Congress plans to repeal the FCC’s privacy rules, there’s going to be a lot of legal uncertainty about whether or not the FCC will be allowed to do anything related to ISPs and privacy in the future. In other words, it’s not clear if you’ll be at the mercy of your ISP or not, and by the time the courts figure it out, your ISP will have already had the chance to do some pretty creepy things.

Extended Version:
Section 222 of the Communications Act is the underlying authorization for the rules the FCC has already adopted, but if Congress passes a Congressional Review Act (CRA) resolution to repeal the rules, whether or not the FCC can pass new rules using that authority will be an open question.

That’s because a CRA resolution would prohibit the FCC from issuing rules that are “substantially the same” in the future. If the FCC brings an action against an ISP under Section 222 for mishandling customer data, the ISP would likely try to challenge the action in court on the grounds that Congress preempted the agency with the CRA, creating uncertainty around ISP obligations and consumer privacy protections. 

Myth 3: The FCC’s privacy rules put Internet service providers at an unfair disadvantage when compared to Internet companies like Google who can profit off of consumers’ data.

Fact: Google doesn’t see everything you do on the Internet (neither does Facebook, for that matter, or any other online platform)—they only see the traffic you send to them. And you can always choose to use a different website if you want to avoid Google’s tracking. None of that is true about your ISP. You probably only have one, maybe two options when it comes to ISPs offering high-speed Internet, and your ISP sees everything—they have to, in order to send your traffic to the right place. That’s why we need the FCC’s privacy rules: ISPs are in a position of power, and they’ve shown they’re willing to abuse that power.

Plus, if you’re worried about creepy third-party tracking online, you can use free tools to protect yourself; the only way to protect your privacy from your ISP is to pay for a VPN.

Extended Version:
To begin with, it’s worth remembering that ISPs and companies like Google or Facebook see entirely different parts of your Internet activity; namely that Google or Facebook only see the traffic you send to their servers, while ISPs see all your traffic. Even when you take into account the fact that Google and Facebook have creepy third-party trackers spread across the web, they still only see a fraction of what your ISP sees. Being able to see all of your traffic gives your ISP an unprecedented view into your life (everything from what you’re shopping for, to who you talk to, to what your politics are, to what you read), which not even Google or Facebook can achieve.

There’s also another big difference between Comcast and Google: choice. While Internet users can choose between numerous online services for search, email, and more—including services that feature built-in privacy protections as a selling point—most consumers have few if any options when it comes to choosing an ISP. According to the FCC’s 2016 Broadband Progress Report, 51 percent of households have access to only one high-speed broadband provider. If that provider decides to sell their data, they can’t vote with their wallets and choose another ISP.

There’s one last difference: Internet users can prevent companies like Google from spying on them as they surf the web. If you want to do something online without being tracked, you can use a variety of free tools that even powerful companies like Google cannot overcome. But nothing short of paying to use a virtual private network—essentially having to pay a fee to protect your online privacy—will protect you from your ISP.

Now that you’ve heard the FUD ISPs and the advertising industry are spreading, take a moment and help us protect your privacy from data-hungry ISPs: call Congress today and tell your senators and representative not to repeal the FCC’s ISP privacy rules!

Call Congress now and tell them not to repeal the FCC's privacy rules!


Categories: Political Action

California Youth in Detention and Foster Care Deserve Internet Access

Thu, 03/16/2017 - 11:46

It’s 2017, and climbers can tweet from Mount Everest, astronauts can post YouTube videos from the International Space Station, and ocean explorers can live stream from the Mariana Trench.  Considering the ability for technology to overcome those harsh environments, we see no reason that California can’t develop a way to ensure that youth in our state have secure and supervised access to the internet in juvenile detention and foster care programs.

EFF is throwing its support behind A.B. 811, a California bill sponsored by Assemblymember Mike Gipson, that would establish that youth in custody have a right to “reasonable access to computer technology and the internet for the purposes of education and maintaining contact with family and supportive adults.” The bill would also establish the right of youth in foster care to have access to computers and the internet.

As EFF writes in its letter:

When youth are incarcerated, it is the government’s duty to ensure that they receive the necessary services for rehabilitation and successful integration back into the free world. Computer literacy and computer skills are crucial to development in the modern era, particularly when it comes to finding jobs. In addition, since many facilities are located in remote areas, placing youth far from their homes, accommodations should be made using modern technology to allow detainees to maintain meaningful relationships with their families to enhance the support structure for successful rehabilitation.

Similarly, youth in foster care must also have access to the same resources that most children receive through their schools, libraries, and homes.

Nearly 56,000 youth were in foster care in 2015, according to the Annie E. Casey Foundation. In addition, California Department of Justice data [.pdf] show that more than 23,000 youth were detained in secure facilities in 2014, with Hispanic youth representing more than half and Black youth representing roughly a quarter of youth in secure custody. We applaud Assemblymember Gipson for his efforts to ensure this significant at-risk population is provided with the tools they need to succeed.


Categories: Political Action

Payment Processors are Still Policing Your Sex Life, and the Latest Victim is FetLife

Wed, 03/15/2017 - 12:06

Eighteenth century writer and philosopher the Marquis de Sade spent the last 13 years of his life in prison for his crimes of writing pornographic novels such as Justine and Juliette.

Today those who explore and write about similar sexual fantasies online—now known as BDSM and grounded in the consent of all participants—are suffering similar acts of censorship as the eponymous literary sadist who preceded them by two centuries. The biggest difference is that the church and state have been supplanted as chief censors by private companies such as payment service providers Visa, Mastercard, and PayPal.

Five years ago EFF defended the right of publishers such as Smashwords to publish written descriptions of transgressive sexual conduct, against PayPal's threat to cancel payment services unless they withdrew such works from sale. (Following our campaign, in which we were joined by more than two dozen other free speech groups, PayPal relented.) In the same year the Nifty Archives Alliance, which publishes erotic stories, had its donation page temporarily suspended by its payment processor for fear of violating Visa and Mastercard rules. Two years ago, Backpage.com had its payment services suspended by Visa and Mastercard for providing a platform to advertise sexual services.

This year it's the turn of adult social network FetLife, which just lost its ability to process credit card payments because it offers a platform for members to discuss and to post depictions of consensual BDSM practices. In this instance the ban appears to have come down from one of the credit card networks, which shut down both of the merchant accounts that FetLife used to process payments, justifying this to one merchant with complaints about "blood, needles, and vampirism" on the website, and to the other with the vague explanation of "illegal or immoral reasons".

If any illegal content were on the website that would indeed be cause for concern, but there is no evidence of this. The last time FetLife lost payment processing services in 2013, it was on the basis of complaints of illegal child pornography on the site. Yet on closer investigation, this turned out to amount to sexualized cartoon drawings of the Simpsons, which even if they may have been in poor taste, were constitutionally protected speech under U.S. law. Even so, the site clamped down on fantasy depictions or descriptions of underage sex and incest going forward, and its payment processing services were restored.

There is no further evidence of illegal content on FetLife today than there was back then. Nor does it seem obvious the card networks' content rules have been infringed; both networks prohibit imagery of "non-consensual sexual behavior" and "non-consensual mutilation of a person or body part", but consensual BDSM is neither of these. Nonetheless, the credit card ban has had its desired effect of further constricting the range of permissible speech on FetLife, with the site introducing new restrictions on a broad range of edgy sexual practices, including consensual non-consent, race play, drug and alcohol use, and scarification.

Despite all this, their payment services still haven't been reinstated, and it's unclear how they can be. In the meantime FetLife does still accept payments via Bitcoin, which due to its open and decentralized infrastructure, is much more resistant to censorship pressures. While there may one day be a future in which digital currencies like Bitcoin are so widely adopted that it's easy for many websites to thrive on them alone, today we live in a world where credit card oligopolies can effectively shut down digital speech they find annoying or offensive.

In the course of a round of buck-passing between PayPal and the credit card networks during the Smashwords dispute, Visa had written "Visa would take no action regarding lawful material that seeks to explore erotica in a fictional or educational manner. As you note in your letter, Visa is not in the business of censoring cultural product." While we don't know which of the card networks was responsible for the latest FetLife ban, such fine sentiments seem hard to square with it.

It's also difficult to discern what's behind this latest crackdown, but the least likely scenario is that it was a case of proactive self-policing by the credit card network. More likely, this is a case of Shadow Regulation in which the hand of government, or some third party acting as self-appointed morals campaigner, has reached a secret agreement with the payment network behind the scenes. In this context, it may be worth noting that Attorney-General Jeff Sessions recently indicated that he would consider reviving the Justice Department's Obscenity Prosecution Task Force.

Whatever the source of the pressure to which the payment network acceded, EFF remains deeply concerned that payment companies aren't doing enough to consistently push back against demands to privately censor lawful sexual content online. In an age where the 50 Shades movies are playing in mainstream cinemas across the country, society ought to have moved on from the days when pornographers such as de Sade were jailed and his books burned. The best way for payment companies to discern when online content has crossed the line into obscenity is to rely on courts to make that judgment.


Categories: Political Action

D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia is Free to Spy on Americans in Their Own Homes

Tue, 03/14/2017 - 19:51

The United States Court of Appeals for the District of Columbia Circuit today held that foreign governments are free to spy on, injure, or even kill Americans in their own homes--so long as they do so by remote control. The decision comes in a case called Kidane v. Ethiopia, which we filed in February 2014.

Our client, who goes by the pseudonym Mr. Kidane, is a U.S. citizen who was born in Ethiopia and has lived here for over 30 years. In 2012 through 2013, his family home computer was attacked by malware that captured and then sent his every keystroke and Skype call to a server controlled by the Ethiopian government, likely in response to his political activity in favor of democratic reforms in Ethiopia. In a stunningly dangerous decision today, the D.C. Circuit ruled that Mr. Kidane had no legal remedy against Ethiopia for this attack, despite the fact that he was wiretapped at home in Maryland. The court held that, because the Ethiopian government hatched its plan in Ethiopia and its agents launched the attack that occurred in Maryland from outside the U.S., a law called the Foreign Sovereign Immunities Act (FSIA) prevented U.S. courts from even hearing the case.

The decision is extremely dangerous for cybersecurity. Under it, you have no recourse under law if a foreign government hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil. It flies in the face of the idea that Americans should always be safe in their homes, and that safety should continue even if they speak out against foreign government activity abroad.

Factual background

Mr. Kidane discovered traces of state-sponsored malware called FinSpy, a sophisticated spyware product which its maker claims is sold exclusively to governments and law enforcement, on his laptop at his home in suburban Maryland. A forensic examination of his computer showed that the Ethiopian government had been recording Mr. Kidane’s Skype calls, as well as monitoring his (and his family’s) web and email usage. The spyware was launched when Kidane opened an attachment in an email. The spying began at his home in Maryland.

The spyware then reported everything it captured back to a command and control server in Ethiopia, owned and controlled by the Ethiopian government. The infection was active from October 2012 through March 2013, and was stopped just days after researchers at the University of Toronto’s Citizen Lab released a report exposing Ethiopia's use of FinSpy. The report specifically referenced the very IP address of the Ethiopian government server responsible for the command and control of the spyware on Mr. Kidane’s laptop.

We strenuously disagree with the D.C. Circuit’s opinion in this case. Foreign governments should not be immune from suit for injuring Americans in their own homes, and Americans should be as safe from remote-controlled, malware, or robot attacks as they are from human agents. The FSIA does not require the courts to close their doors to Americans who are attacked, and the court’s strained reading of the law is just wrong. Worse still, according to the court, so long as the foreign government formed even the smallest bit of its tortious intent abroad, it’s immune from suit. We are evaluating our options for challenging this ruling.

Related Cases: Kidane v. Ethiopia
Categories: Political Action
