the Electronic Frontier Foundation

Subskrybuj zawartość
The Electronic Frontier Foundation: Defending your rights in the digital world.
Zaktualizowano: 8 lat 25 tygodni temu

EFF Mourns the Loss of Steve Jobs

Czw, 2011-10-06 21:44

EFF joins millions around the world in mourning the passing of Steve Jobs. Steve was an extraordinary innovator who changed how we think about, develop, use, and experience new technologies, music, and ideas. While we've sometimes found ourselves frustrated with some of Apple's business strategies, we here at EFF have always had tremendous respect for Steve's creative genius and commitment to making products that were powerful, accessible, and elegant. His imagination and vision changed the world. He will be missed.

EU Parliament Takes the First Step to Prevent Sales of Surveillance Equipment Used to Violate Human Rights

Czw, 2011-10-06 18:12

The European Parliament today formally recognized what has become increasingly clear: some European tech companies have been selling to repressive governments the tools used to surveil democracy activists. In response, it passed a resolution to bar overseas sales of systems that monitor phone calls and text messages, or provide targeted Internet surveillance, if they are used to violate democratic principles, human rights or freedom of speech.

According to Bloomberg, the decision came after a Bloomberg report in August that "a monitoring system sold and maintained by European companies had generated text-message transcripts used in the interrogation of a human-rights activist tortured in Bahrain." The legislation reportedly leaves enforcement to the EU’s 27 member nations.

But European companies aren't the only ones. Recently Narus, a Boeing subsidiary based in Silicon Valley, was revealed to have sold to Egypt sophisticated equipment used for surveillance. (Note: EFF watchers will recognize Narus as one of the companies whose equipment is in AT&T “secret room” used to help the NSA conduct warrantless surveillance in the U.S. at the heart of our Jewel and Hepting cases).

And it's not just a problem in the Middle East. Cisco Systems is facing litigation in both Maryland and California based on their sales of surveillance equipment used by China to allegedly track, monitor and otherwise facilitate the arrest, detention or disappearance of human rights activists and religious minorities who have been subjected to gross human rights violations.

Despite the “head in the sand” approach of some tech companies, this concern is real and is not going away. Members of the U.S. Congress, such as Republican Representatives Chris Smith and Mary Bono and Democratic Senator Richard Durbin, are also watching closely.

It’s time for tech companies to step up and ensure that they aren’t wittingly or unwittingly assisting in the commission of gross human rights violations. While there may be many ways to accomplish this, a simple step would be for companies to voluntarily adopt a robust "know your customer" approach. First, companies selling these specialized surveillance technologies to repressive foreign governments need to take affirmative steps to know who they are selling to and what the technology will be used for, especially when they are providing ongoing service or customization of the systems. The U.S. State Department already publishes annual human rights reports about countries around the world and other objective resources are readily available, including EFF. This wouldn't be much more of a burden than what these sophisticated companies already must do to comply with laws like the Foreign Corrupt Practices Act and the the U.S. export restrictions. Second, companies need to refrain from participating in transactions where there is either objective evidence or credible concerns that the technologies or services are being used, or will be used, to facilitate human rights violations.

We'll be writing more about this. But the message from the EU Parliament is clear: Tech companies need to stop participating in human rights abuses around the world by selling tools that repressive governments need to commit them. Tech companies need to stop serving as "repression's little helpers."

Safeconnect, Universities, P2P, Network Security and Risk: The Tangled World of "Policy Enforcement" on Other People's Computers

Czw, 2011-10-06 15:47

By Cindy Cohn and Seth Schoen

After months of work, and spurred by an initial report1 by Professor Ted Byfield of New School University's Parsons New School for Design, we’re happy to report a security vulnerability fix in a product called Safe•Connect.

While the immediate story is good, the underlying context should raise real concerns about the dangers inherent in the ongoing obsession of Congress and the content industry with pressuring intermediaries, especially universities, to use their status as network operators to require individuals to install monitoring software like Safe•Connect on their computers in order to appease the content industry. As Stewart Baker, then the Department of Homeland Security’s policy czar warned during a similar incident involving the Sony Rootkit: "It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days."

Background

Network administrators have been interested for years in software meant to enforce rules on other people's computers connected to a network – a technology called Network Access Control (NAC). NAC software runs as an agent on behalf of the network administrator, reporting back information about how the computer is configured, examining its security policies, and, in some cases, making changes. We might describe such software as spyware that network operators ask users to install on their computers, although the Safe•Connect system does not appear to be configured to report back on the content a user stores on his or her computer. Why do network operators want this power? There are many possible reasons, but, most often, it's aimed at making sure the network users have taken security precautions and applied software updates that the network operator considers necessary. Such enforcement software sometimes requires administrative privileges on the users' computer, and in any case its use raises serious questions about computer users' autonomy and right to control and make decisions about their own computers.

In an academic environment, the use of this software on non-university-owned computers — like the personal machines owned by students, teachers and campus visitors — is sometimes controversial. Although it might be used largely in users' own interest, especially when it helps remind less-sophisticated users to apply software upgrades they might otherwise neglect, it can also introduce security and privacy threats of its own. At a minimum, schools should examine this type of software skeptically and should give sophisticated users a way to opt out of installing it. Unfortunately, one source of pressure overshadowing universities' decision-making in this area lately has been Congressional attention to copyright enforcement.

While the RIAA has abandoned its ineffective litigation campaigns, it and the MPAA have increased their efforts to lobbying Congress, pressure intermediaries, and lobby Congress to pressure intermediaries to take every more draconian steps to try to stop copyright infringement. In particular, colleges and universities have always been popular targets for both Big Content and Congress. In addition to threatening letters, ill-advised lawsuits, and propaganda campaigns, anti-P2P zealots have embraced technological “solutions” such as Audible Magic’s CopySense. EFF’s technologists believe these technologies are fundamentally flawed: they are expensive, easily circumvented, and ultimately ineffective. However, the drumbeat coming from Congress may be deterring some universities from looking critically at these technologies, instead encouraging them to adopt quick fixes.

Safe•Connect Security Vulnerability

Enter Safe•Connect, a product developed by Impulse Point, LLC. Safe•Connect is one of a breed of NAC products, designed to keep private networks—particularly college and university networks— “clean.” Impulse Point markets Safe•Connect as capable of enforcing compliance with security policies set by the school’s network administrators. In addition to keeping student’s, teachers’ and campus visitors’ anti-virus software updated and their operating systems patched (security measures that users might be neglecting), the technology is marketed, and in some cases used by schools, to prevent those on campus from running certain peer-to-peer software over the school’s network resources. In other cases, the technology “warns” those on campus that are running P2P software, making sure they know that Big Brother is watching.

It was New School University’s requirement that students and faculty install Safe•Connect on their own computers that led Professor Byfield, a professor of Art, Media and Technology, to raise his initial concerns. Starting with Professor Byfield’s work, and especially curious about Impulse Point’s claimed ability to notify users about and block peer-to-peer systems, EFF and researchers at the University of Michigan started investigating. We obtained a copy of the Policy Key, the application from Safe•Connect that universities require each student, faculty or visitor to install on her personal computer before she is allowed access to the Internet over the university network. After a bit of reverse engineering, the researchers found that an older but widely-distributed version of the Policy Key would accept purported “updates” from a local server with no authentication. So a knowledgeable attacker, even on a non-university network, could pretend to be this server and substitute malicious software of their choice, disguised as Policy Key updates. That means users who ran this version of the Policy Key on their systems could be vulnerable to attacks from strangers even after leaving the universities that originally asked them to install it. This goes to show that asking people to install software just to be allowed onto a network can come with its own set of security risks, since bugs in that software constitute new ways onto users' machines. (The MacOS X Policy Key version also ran as root with improperly-set file permissions, which would let any other software on a MacOS system with the Policy Key installed gain administrative privileges and take over the system.)

Concerned about the thousands of students, faculty and campus visitors who—whether in the name of network security or intellectual property protection—were required to install and run vulnerable software, EFF and the researchers contacted Impulse Point. To their credit, the Safe•Connect developers responded promptly. They pointed out that the vulnerabilities had already been fixed in newer versions for returning students and staff, and they then delivered the security patch to their university network and other customers for those with past versions of the software that were still on their university networks. Impulse Point is also committed to implementing a plan to address those (such as graduating seniors, staff who have left and campus visitors) who were not otherwise likely to get automatic updates.

Bullet Dodged, But Underlying Problems Remain

Overall, we were pleased with Impulse Point’s openness, willingness to respond and speed with which they responded to us. It was a refreshing change from the hostility with which some technology companies respond to security vulnerabilities. We also have no reason to believe any of the identified vulnerabilities were ever exploited in the wild.

But the underlying problem remains: Big Content’s relentless crusade against P2P technology has unintended consequences. Just as the RIAA’s lawsuits embroiled a number of innocent people in expensive litigation and Congress’ DMCA takedown procedures often chill speech protected by fair use, these technological “solutions” can cause collateral damage. The pressure to require students, professors and campus visitors to install and run software on their computers as a way to “protect” the content industry is wrong, and can be dangerous. Even in the context of protecting network security, requiring everyone on campus to run programs that either run as root or can be adapted or manipulated from afar is troubling, but as a quixotic attempt to deter copyright infringement, it definitely goes too far.

  1. 1. Professor Byfield's report can be found here; Impulse Point contends that it contains inaccuracies. We provide this link for historical purposes and have not confirmed all of the assertions in the report.

Courts Call Out Copyright Trolls' Coercive Business Model, Threaten Sanctions

Czw, 2011-10-06 06:14

A Virginia district court is the latest to call out a copyright troll for using a business model designed to be little more than a shakedown operation to extract quick and easy settlements from hundreds of thousands of John Doe defendants. Judge Gibney says it far better than we could:

The Court currently has three similar cases before it, all brought by the same attorney. The suits are virtually identical in their terms, but filed on behalf of different film production companies. In all three, the plaintiffs sought, and the Court granted, expedited discovery allowing the plaintiffs to subpoena information from ISPs to identify the Doe defendants. According to some of the defendants, the plaintiffs then contacted the John Does, alerting them to this lawsuit and their potential liability. Some defendants have indicated that the plaintiff has contacted them directly with harassing telephone calls, demanding $2,900 in compensation to end the litigation. When any of the defendants have filed a motion to dismiss or sever themselves from the litigation, however, the plaintiffs have immediately voluntarily dismissed them as parties to prevent the defendants from bringing their motions before the Court for resolution.

This course of conduct indicates that the plaintiffs have used the offices of the Court as an inexpensive means to gain the Doe defendants' personal information and coerce payment from them. The plaintiffs seemingly have no interest in actually litigating the cases, but rather simply have used the Court and its subpoena powers to obtain sufficient information to shake down the John Does. Whenever the suggestion of a ruling on the merits of the claims appears on the horizon, the plaintiffs drop the John Doe threatening to litigate the matter in order to avoid the actual cost of litigation and an actual decision on the merits.

The plaintiffs' conduct in these cases indicates an improper purpose for the suits. In addition, the joinder of unrelated defendants does not seem to be warranted by existing law or a non-frivolous extension of existing law.

The Virginia court ordered the plaintiff to show why it should not be sanctioned for this behavior, and also ordered it to “immediately” notify the subpoena recipients (the ISPs) that the subpoenas have been quashed and all defendants but one severed from the case. Also of note, the court ordered the plaintiff to file (under seal), copies of all notices sent to all defendants. It’s unclear what, if anything, the court will do with that information, but we’re hopeful it will help notify the Doe Defendants that they’ve been severed from the suit.

The Eastern District of Virginia orders join a couple of other positive recent rulings. In Texas, repeat plaintiff’s lawyer Evan Stone was scolded by Judge McBryde for not “display[ing] the slightest degree of candor” by failing to disclose that he has:

filed at least sixteen lawsuits similar to the instant action in [another] division of this court, that each of those lawsuits was summarily dismissed, principally for improper joinder of the defendants, and that discovery of the kind, and under the conditions, sought by, and granted to, plaintiff in this action was inappropriate.

And in the Northern District of California, Magistrate Judge Grewal severed all but one of 5,041 Doe Defendants, stating that,

As the court has come to learn in yet another of the recent “mass copyright” cases, subscriber information appears to be only the first step in the much longer, much more intrusive investigation required to uncover the identity of each Doe Defendant. The reason is simple: an IP address exposed by a wireless router might be used by the subscriber paying for the address, but it might not. Roommates, housemates, neighbors, visitors, employees or others less welcome might also use the same address.

We applaud these judges for calling these cases what they really are – little more than a shakedown scheme – and for stopping plaintiffs from running roughshod over due process in order to extort settlements.

Party Like It's 1986 - Demand Privacy Like It's 2011

Czw, 2011-10-06 02:13

In 1986, Falco’s Rock Me Amadeus topped the charts, Madonna dedicated her hit single Papa Don’t Preach to Pope John Paul II, and a ruffle-clad David Bowie crooned along with funky Muppet goblins in Labyrinth. Meanwhile, although the World Wide Web didn’t even exist yet and cell phones were an expensive rarity, Congress was working on a new law to better protect our digital privacy by regulating when the government could access our private communications. That law, the Electronic Communications Privacy Act (ECPA), was signed on October 21, 1986.

Streaming music + ECPA reform party = epic win

Here’s a mix of hot tunes from 1986 to help you get in the mood for updating weak 80s-era privacy law:
1986 New Wave/Alternative Mix

After 25 years, ECPA is in dire need of an upgrade to reflect changing technology and ensure that the government can’t read our emails, track our cell phones, or watch where we go on the Web without first going to court and getting a search warrant. To help support the effort to reform ECPA, and in commemoration of the 25th anniversary of ECPA’s signing, EFF is joining Google, CDT, ACLU, CEI, TechFreedom, CCIA, and Americans for Tax Reform to throw the capital's most awesome party - Party Like It's 1986.

If you’re in Washington D.C., join us the evening of October 20th on Capitol Hill for an 80s-themed celebration of digital privacy: RSVP now!

EFF is also traveling to DC with a “Retro Tech Fair” which will be on display during the Party Like It’s 1986 events. We’ll be setting up an exhibit for partygoers to take a trip down memory lane and see examples of computers, walkmen, cell phones, and video games from the mid to late 1980s. We’re particularly thankful for contributions of advice and technology by Marc Weber of the Computer History Museum, the DigiBarn Computer Museum, Erik S. Klein of Vintage-Computer.com, John Gilmore, Eugene Miya, the Mid-Atlantic Retro Computing Hobbyists (MARCH), CDT, Intel, Google, ATSI, and many others.

We hope to see you in DC, but even if you can’t be there in person you can urge Congress to update privacy law by signing our petition.

Human Rights and Digital Freedom Groups Call for Release of Blogger

Wto, 2011-10-04 19:09

Today, EFF joined nine human rights and digital freedom organizations from around the world in sending a letter to the government of Vietnam calling for the release of blogger and human rights defender Pham Minh Hoang.

Readers may remember Pham Minh Hoang from a https://www.eff.org/deeplinks/2011/08/eff-calls-release-vietnamese-blogger-hoang">blog post we wrote in August. Mr. Hoang is a university professor with dual French and Vietnamese citizenship who has been sentenced to three years in prison and an additional three years under house arrest, for trying to "overthrow the government." His crime was exercising a right held dear by much of the world: using the Internet to speak out. EFF, the Committee to Protect Journalists, ARTICLE 19, Reporters without Borders, and the other rights organizations are calling for the Vietnamese government to recognize Mr. Hoang's rights to free expression and release him.

Concerned individuals should send their own letters to Prime Minister Nguyen Tan Dung and the French Foreign Ministry, addresses below, to showcase the global outcry against this attack on online free speech.

Letter text:

October 4, 2011

Nguyen Tan Dung
Socialist Republic of Vietnam
Office of the State
1 Bach Thao
Hanoi, Vietnam

CC:
French Foreign Ministry
Alain Juppé
Ministere des Affaires etrangeres
37, Quai d’Orsay
75351 Paris
France

Dear Prime Minister Nguyen Tan Dung,

We, international digital freedom and human rights organizations, call on the Government of Vietnam to release blogger, human rights defender, and lecturer Pham Minh Hoang.

Mr. Hoang, a dual French-Vietnamese citizen sentenced on August 10 to three years in prison and an additional three years house arrest, is a well-known blogger whose articles on education, the environment, and Vietnamese sovereignty in respect to China have been widely read. He is also a lecturer in applied mathematics at the Ho Chi Minh City Polytechnic Institute, an activist campaigning against bauxite mining by Chinese firms, and has participated in conferences on Vietnam’s sovereignty over the Paracel and Spratly Islands. Mr. Hoang has worked tirelessly to promote human rights and to empower and encourage civic participation among his pupils and peers.

At Mr. Hoang’s trial, Judge Vu Phi Long ruled that his writings had “blackened the image of the country” and were “aimed at overthrowing the people’s government.” Mr. Hoang, on the contrary, has claimed that he was exercising his free speech and was unaware that he had committed any crimes.

We would like to remind the Government of Vietnam that Mr. Hoang’s blogging activities, as well as his activism, are guaranteed by the Universal Declaration of Human Rights, the UN Declaration on Human Rights Defenders, and the International Covenant on Civil and Political Rights, to which Vietnam is a party to, as well as by Articles 35, 50, 53, and 69 of the Vietnamese Constitution.

We call on Vietnamese authorities to recognize Mr. Hoang’s right to expression, and to lift any charges or convictions related to his protected expressive activities, and—with these charges lifted—to ensure his release.

Signed,

ACAT-France (Action des chrétiens pour l'abolition de la torture - France)
ARTICLE 19
Committee of Concerned Scientists
Committee to Protect Journalists
Electronic Frontier Foundation
Front Line Defenders
Index on Censorship
PEN International
Reporters Without Borders
Scholars at Risk

Publication of the FCC’s Net Neutrality Rules Spawns a Flurry of Legal Challenges

Wto, 2011-10-04 01:40

Now that the FCC’s “Open Internet” net neutrality rules have been published in the Federal Register, opening the door to legal challenges, the lawsuits are piling on.

On Friday, Verizon appealed the order in the Washington, D.C., Court of Appeals, arguing that the FCC overstepped its authority in issuing its net neutrality order. Verizon had filed a related claim back in January shortly after the rules were first released, but the court held that suit prior to Federal Register publication was premature. MetroPCS at the time lost a similar challenge on this basis; it has yet to refile post-publication.

Earlier in the week, Free Press filed a petition in the First Circuit for review of the rules. However, Free Press argued that the order doesn’t go far enough, objecting foremost to the relaxed requirements for wireless as opposed to wireline providers. (We agree this distinction is unwarranted.) At least three other groups have also contended that the rules need to be strengthened, with challenges in the Third, Fourth and Ninth Circuits.

These are the same rules that EFF weighed in on when they were first issued by the FCC in December. While we wholeheartedly support net neutrality in principle, we were concerned on two fronts about the Commission’s efforts. We objected to the FCC’s alleged bases for jurisdiction, which would seem to give it more or less unbridled authority to regulate the Internet. We also objected to the substance of the rules, which are riddled with loopholes that would blunt their effect. These include exemptions to the no-blocking requirements for efforts “to address copyright infringement”—enabling traffic discrimination in the guise of protecting against unlawful content—and concessions for managed or special services, as well as the carve-outs for wireless operators. On the other hand, many noncommercial broadband Internet providers could be bound by the rules, discouraging public-minded Internet initiatives and innovation by imposing the burdens of FCC compliance.

The rules are due to go into effect November 20. But given past federal court rejection of similar FCC authority arguments and the legal challenges to date, we're not anticipating any quick resolutions.

GPS Inventor Joins EFF in Fight Against Warrantless GPS Tracking

Wto, 2011-10-04 01:00

Washington, D.C. - The principal inventor of the Global Positioning System (GPS) and other leading technologists have joined the Electronic Frontier Foundation (EFF) in urging the U.S Supreme Court to block the government from using GPS tracking without first getting a warrant, arguing that the massive collection of sensitive location data should require court oversight.

Roger L. Easton is considered the father of GPS as the principal inventor and developer of the Timation Satellite Navigation System at the Naval Research Laboratory. The current GPS is based on Timation, and its principles of operation are fundamentally identical. In an amicus brief filed with the Supreme Court Monday in United States v. Jones, EFF, Mr. Easton, along with other technology experts, pointed out the many ways in which GPS tracking is fundamentally different from and more invasive than other surveillance technologies the court has allowed before, and how law enforcement use of GPS without a warrant violates Americans' reasonable expectations of privacy.

"This is the first case where the Supreme Court will consider automatic, persistent, passive location tracking by law enforcement," said EFF Senior Staff Attorney Marcia Hofmann. "The government can use location information over time to learn where you go to church, what sort of doctors you go to, what meetings and activities you participate in, and much more. Police should not have blanket permission to install GPS devices and collect detailed information about people's movements over time without court review."

In Jones, FBI agents planted a GPS device on a car while it was on private property. Agents then used the GPS to track the position of the vehicle every ten seconds for a full month without obtaining a search warrant. An appeals court ruled that the surveillance was unconstitutional without a warrant, but the government appealed the decision.

"If police are allowed to plant GPS devices wherever they please, that's essentially blanket permission for widespread, ongoing police surveillance without any court supervision," said EFF Legal Director Cindy Cohn. "It's not hard to see how that kind of leeway would be abused. We hope the Supreme Court takes a close look at how this technology works and act to protect the Fourth Amendment rights of Americans."

The brief was authored by Andrew Pincus of Mayer Brown LLP and The Yale Law School Supreme Court Clinic. It was also signed by the Center for Democracy and Technology, Professor Matt Blaze of the University of Pennsylvania, Professor Andrew J. Blumberg of the University of Texas at Austin, and Professor Norman M. Sadeh of Carnegie Mellon University.

For the full amicus brief in U.S. v. Jones:
https://www.eff.org/files/filenode/US_v_Jones/10-1259bsac_eff_cdt_amicus...

For more on this case:
https://www.eff.org/cases/us-v-maynard

Contacts:

Marcia Hofmann
Senior Staff Attorney
Electronic Frontier Foundation
marcia@eff.org

Cindy Cohn
Legal Director
Electronic Frontier Foundation
cindy@eff.org

Freedom of Expression Under Attack in Mexico: Social Network Users and Bloggers Face Violence, Political Backlash

Wto, 2011-10-04 00:21

Chilling Speech Through Violence

Bloggers in the Mexican border town of Nuevo Laredo are being terrorized by the Los Zetas drug cartel, which is trying to silence citizens who speak out against drug-related violence. On the morning of September 24th, police found the headless and mutilated body of a woman with a note referencing an alleged pseudonym, “La Nena de Laredo” (“Laredo Girl”), which she had used to post on Nuevo Laredo en Vivo ("Nuevo Laredo Live"). The woman, who has been identified in some reports as Maria Macias and in others as Marisol Marcias Castaneda, was reportedly an administrative manager at the Prima Hoy newspaper, and also moderated a chat room on Nuevo Laredo en Vivo.

The murder of "La Nena de Laredo" is the second such incident in the border town in as many weeks. On September 14th, police found two bodies hanging from a pedestrian bridge. Signs hanging near the bodies indicated that the still-unidentified man and woman had been killed in retaliation for denouncing the cartel’s activities on a social network. Because the bodies remain unidentified, it is impossible to confirm that the victims really did post to the social networking site, but the message to would-be bloggers, citizen journalists, and whistleblowers is loud and clear.

Throughout Mexico, traditional media outlets are no strangers to threats, kidnappings, and violence against journalists; such threats have often had the effect of forcing journalists to refrain from coverage of violence stemming from the drug trade. In some parts of Mexico, websites such as Blog del Narco and Frontera al Rojo Vivo and social media sites such as Facebook and Twitter are able to provide news about drug-related violence that is not being covered in local newspapers or on television. Posters sometimes use nicknames or pseudonyms to protect their identities, but the murder of "La Nena de Laredo" suggests that such measures are insufficient.

Pseudonyms, Tor, and HTTPS

EFF recommends that bloggers who are concerned about their security and safety should post under a pseudonym, use Tor to prevent eavesdroppers from seeing the sites they visit and prevent websites from collecting data that might reveal their physical location, and use HTTPS to encrypt their private communications when possible.

Some social media sites, such as Facebook and Google Plus, have policies that forbid the use of pseudonyms. These policies do not prevent users from making pseudonymous accounts, but they leave users vulnerable to account suspension. Both Facebook and Google Plus will suspend accounts if other users report them as pseudonymous or fake; it only takes a trivial effort by malicious parties to silence the opposition or quash dissent. Google Plus has instituted a grace period before suspension takes effect, which gives users the opportunity to export their data, but Google may not always apply its grace period consistently. Pseudonymous Facebook users may find themselves suspended without warning and without the opportunity to export their content or social graphs. Twitter, on the other hand, allows pseudonyms.

The good news is that Facebook, Twitter, and Google Plus all support HTTPS. To be sure that your connection to these services is encrypted at all times, EFF suggests using the HTTPS Everywhere extension for the Firefox browser. Note that some third-party applications on Facebook can cause an encrypted connection to "break."

Many of the local forums and social networking sites that ordinary Mexicans use to exchange news about drug cartel violence offer limited support for HTTPS or do not support it at all. Users should be circumspect about posting to these sites, keeping in mind that their chat room conversations and login credentials may be intercepted and read. Administrators of such websites can help to protect their users by taking the following steps:

  • Support the use of pseudonyms in forums and chat rooms.
  • Encourage users to download the Tor browser bundle and use Tor when viewing or posting to your site.
  • Minimize logging. Do not log the IP addresses of visitors to your site.
  • Support HTTPS throughout your site.
  • Configure your site to use HTTPS by default.

It is unclear what level of technological sophistication the drug cartels have brought to bear against social media users at this time, but it is clear that the cartels have access to considerable resources.

Twitter Rumors Prompt Legislation

In the meantime, Mexican politicians are facing criticism for going after rumors of violence instead of pursuing the real thing. In August, Gilberto Martinez Vera and Maria de Jesus Bravo Pagola were arrested in the state of Veracruz after they used Twitter to spread rumors of kidnappings and shootings at a local school. The charges against them included terrorism and sabotage, crimes that carry penalties of up to 30 years in jail. The arrest prompted widespread protests from civil liberties and human rights groups, who pointed out that the charges were vastly disproportionate to the alleged crime. The two were eventually released and the charges dropped, but not before Veracruz passed legislation creating a new offense of “Public Disturbance,” carrying a prison sentence of 1 to 4 years and a fine. Because the new additional the penal code was made after the incident had already taken place, Vera and Pagola cannot be charged with the new crime. The state of Tabasco has passed a similar law, mandating up to two years in jail for provoking “chaos or social insecurity” through telephone calls or online postings.

For now, individuals in Mexico using online platforms to criticize, satirize, or shed light on drug cartel violence are facing grave threats. EFF will continue to watch these developing threats to online freedom of expression in Mexico, encourage sites to take steps to protect the privacy and security of their users, and help users take steps to protect themselves.

California's Reader Privacy Act Signed into Law

Pon, 2011-10-03 18:45

Sacramento, CA - California Governor Jerry Brown has signed the Reader Privacy Act, updating reader privacy law to cover new technologies like electronic books and online book services as well as local bookstores.

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) were sponsors of the bill, authored by California State Senator Leland Yee. It had support from Google, TechNet and the Consumer Federation of California, along with the Internet Archive, City Lights Bookstore, and award-winning authors Michael Chabon and Ayelet Waldman. The Reader Privacy Act will become law on January 1, and will establish privacy protections for book purchases similar to long-established privacy laws for library records.

"This is great news for Californians, updating their privacy for the 21st Century," said EFF Legal Director Cindy Cohn. "The Reader Privacy Act will help Californians protect their personal information whether they use new digital book services or their corner bookstore."

Reading choices reveal intimate facts about our lives, from our political and religious beliefs to our health concerns. Digital books and book services can paint an even more detailed picture -- including books browsed but not read, particular pages viewed, how long spent on each page, and any electronic notes made by the reader. Without strong privacy protections like the ones in the Reader Privacy Act, reading records can be too easily targeted by government scrutiny as well as exposed in legal proceedings like divorce cases and custody battles.

"California should be a leader in ensuring that upgraded technology does not mean downgraded privacy," said Valerie Small Navarro, Legislative Advocate with the ACLU's California affiliates. "We should be able to read about anything from politics, to religion, to health without worrying that the government might be looking over our shoulder."

"California law was completely inadequate when it came to protecting one's privacy for book purchases, especially for online shopping and electronic books," said Yee. "Individuals should be free to buy books without fear of government intrusion and witch hunts. If law enforcement has reason to suspect wrongdoing, they should obtain a court order for such information."

Contacts:

Cindy Cohn
Legal Director
Electronic Frontier Foundation
cindy@eff.org

Rebecca Jeschke
Media Relations Director
Electronic Frontier Foundation
press@eff.org

On Newspapers, Public Discourse, and the Right to Remain Anonymous

Pią, 2011-09-30 22:12

by Jillian York and Trevor Timm

Update: A significant edit was made to the original piece on which this commentary is based. See * for additional information.

In a recent Washington Times editorial titled “Internet trolls, Anonymity and the First Amendment,” Gayle Falkenthal declared that “the time has come to limit the ability of people to remain anonymous” online.* She argued that any benefit to online pseudonyms has long since dissipated and anonymous commenters have polluted the Internet “with false accusations and name-calling attacks.” Newspapers, she wrote, should ban them entirely.

This argument is not only inaccurate, it's also dangerous: online anonymity, while allowing trolls to act with impunity, also protects a range of people, from Syrian dissidents to small-town LGBT activists and plenty of others in between.

Unfortunately, many newspapers have already banned anonymous comments, and while not all have offered an explicit reasoning for their policies, "civility" is often cited as justification in discussions on online anonymity.

Of course, online civil discourse is something to strive for. Anyone who’s spent time reading YouTube comment threads is aware of the vitriolic bile spewing from the keyboards of largely anonymous masses. And it is a truism that when people speak using their true identity, they are more likely to think about the consequences of their speech.

But while identification brings about a greater sense of safety for some, for others, it presents a great risk. Think, for example, of victims of domestic abuse, whose online safety is predicated on not revealing their identity or location. Or the small-town schoolteacher who fears revealing her political views to her local community but seeks solidarity online. Or the gay teenager who wants to explore communities online but isn’t quite ready to come out. Or the myriad other examples compiled by the Geek Feminism blog.

Contrary to Ms. Falkenthal’s assertion that “The First Amendment guarantees freedom of speech, but not anonymity,” the Supreme Court has made these same arguments about safety and anonymity for decades. In 1960, the Court explicitly upheld a speaker’s right to remain anonymous,

In Talley v. California, Justice Black wrote “Anonymous pamphlets, leaflets, brochures, and even books have played an important role in the progress of mankind. Persecuted groups and sects from time to time throughout history have been able to criticize oppressive practices and laws either anonymously or not at all.”

And in 1995, the Court upheld online speakers’ First Amendment right to remain anonymous, emphasizing, “protections for anonymous speech are vital to democratic discourse.” The court went on to say anonymous speech “exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation…at the hand of an intolerant society.”

These principles are, of course, nothing new and date back to our country’s birth. Yet Ms. Falkenthal says, “When our nation was being formed, Thomas Paine and Benjamin Franklin stood behind their incendiary, treasonous views in public even at the risk of being hanged for what they said,” implying that the Founding Fathers would be against online anonymity if they were alive today.

However, Ms. Falkenthal herself later admits that Paine actually wrote his most influential work Common Sense anonymously, just as Franklin got his start writing under a name that was not his own, the pseudonym “Mrs. Silence Dogood.”

But no example illustrates the importance of anonymity more than The Federalist Papers. The series of essays, published in the nation’s most popular newspapers in 1778 under the pseudonym “Publius,” were instrumental in the ratification of the Constitution. Yet it was not until after Alexander Hamilton’s death in 1804 that the public discovered the essays had been written by Hamilton, along with James Madison and John Jay.

Lest readers believe that the age of the pseudonym is dead, more recently, the right to anonymity was vital for protesters in the Arab Spring: Wael Ghonim, the Google executive who was detained for more than a week in the height of Egypt’s uprising, had anonymously created the Facebook page “We are all Khaled Saeed,” widely credited as the driving force behind the successful revolution.

Bloggers in Syria are now faced with the same risks as Ghonim amidst a brutal crackdown on anti-government protests.

The complex questions currently faced by newspapers have been addressed before. One event in the earlier, pre-social media days of blogging brought to the forefront a discussion around online civil discourse. Back in 1997, following anonymous death threats made to prominent blogger and game developer Kathy Sierra, publishing magnate Tim O’Reilly proposed a Blogger’s Code of Conduct to improve discourse in the blogosphere. Though the code would have prohibited anonymity, requiring users to sign up with an e-mail address, it allowed one to display publicly a handle or username in lieu of a "real" name.

Sierra recently weighed in on the debate, stating “I am for preserving pseudonymity, and believe that eliminating it will never stop the worst of the trolls, griefers, haters, and stalkers. There are far better ways to help reduce the worst of anonymity-fueled behavior online including plain old moderation.”

Indeed, comment moderation is a simple and low-resource method by which newspapers can ensure comments remain civil. Most newspapers with large online readership, from the New York Times, to the UK’s Guardian, implement comment moderation in some form.

There will always be those for whom a name is not a barrier toward acting abusively; for those with little to lose, there’s no reason to hide. Inversely, those who stand to lose a lot by identifying online are those who need pseudonyms the most, to speak their mind freely, without fear of retribution.

*Authors' Note: Since the Washington Times first published Ms. Falkenthal's article on September 26, she has since edited the meaning of this key sentence without noting the change in the body of the piece. In the comments section, she admits she added the words "on someone else's website" to the end of this sentence, claiming it was not her "intent in saying the First Amendment doesn't guarantee anonymity was NOT meant to be global." This change was prompted by commenters who noticed the error - many of whom, it should be pointed out, were completely anonymous.

Join EFF in Demanding a Digital Upgrade to 25-Year-Old Electronic Privacy Law

Pią, 2011-09-30 17:32

The year was 1986. Top Gun was the top movie, Super Mario Bros. 2 was the hot videogame, practically no one had ever heard of email, and mobile phones were clunky and expensive novelties the size of a brick.

On October 21st of that year, the President signed into law the Electronic Communications Privacy Act or "ECPA", to better protect our electronic privacy against unwarranted government snooping.

ECPA was forward-looking when Congress passed it, considering that the World Wide Web hadn't even been invented yet and that if you were savvy enough to have email you probably dialed up to a BBS to get it. But now, eons later in Internet time, technology has passed the law by.

ECPA has become outdated and the privacy standards that it applies to new technologies are unclear and often too weak. For example, the law doesn’t specifically address cell phone location tracking at all, and it allows the government to seize most emails without ever having to go to a judge. Meanwhile, no one is perfectly sure how it applies to newer online services like social networks and search engines. This gap between the law and the technology ultimately leaves everyone's privacy at risk.

Now, in the 21st century, when we store years-worth of our private emails in the Internet “cloud” and are all carrying tracking devices in our pockets in the form of our cell phones, we need an electronic privacy law upgrade that sends a clear message to law enforcement:

COME BACK WITH A WARRANT.

We at EFF have come together with a broad coalition of major Internet companies like Google and Microsoft and privacy organizations like the Center for Democracy & Technology and ACLU as part of the Digital Due Process coalition. The DDP coalition’s overriding goal is to transmit one simple message to Congress: If the government wants to track our cell phones, or see what web sites we’ve visited, or rummage through our Hotmail, or read our private messages on Facebook, or otherwise invade our electronic privacy, it should have to go to a judge and get a search warrant based on probable cause.

You can help us get that critical message to Congress just in time for ECPA’s 25th anniversary on October 21st. Join EFF, ACLU, CDT, the Bill of Rights Defense Committee, Americans for Tax Reform, the Competitive Enterprise Institute and TechFreedom in the fight to upgrade ECPA for the 21st century and sign our joint petition today.

And if you've already signed the petition, please remember to share it with your friends and social networking sites.

Announcing the Humble Frozen Synapse Bundle!

Śro, 2011-09-28 18:06

Just last year, the Humble Indie Bundle blazed onto the gaming scene with what seemed like an impossible business model: allow customers to pay what they want for DRM-free games, and let them choose how to distribute their contribution between the developers, the organizers, and two worthy tech charities. People supported EFF for online rights protection and Child's Play, which supplies games, toys, books, and cash to children’s hospitals. The result has been nothing short of miraculous, and we are happy to announce that the digital goodness is back with The Humble Frozen Synapse Bundle!

This iteration features the innovative tactical strategy game Frozen Synapse plus the game soundtrack. To sweeten the pot, customers who choose to give more than the average amount will also receive the entire Humble Frozenbyte Bundle suite, including Trine, Shadowgrounds: Survivor, Shadowgrounds, Splot, and Jack Claw!

We at EFF would like to extend our sincere gratitude to the generous gamers and forward-thinking indie game developers who have proven that a business can have a conscience, satisfy its customers, and thrive.

Righthaven's Losing Streak Continues in Colorado

Śro, 2011-09-28 15:05

In what is becoming a well-settled pattern, Righthaven again finds itself on the losing end of a motion, with its case thrown out and owing the defendant – here, Leland Wolf, proprietor of the It Makes Sense Blog – costs and attorneys' fees for bringing a baseless copyright case. The lawsuit, Righthaven v. Wolf, is also notable for being the leading case among more than 50 that were filed in Colorado. Pending a motion to dismiss, the Colorado court stayed the remaining cases. With this ruling, the court has hopefully rung the death knell for the other remaining live cases in that district (joining the Nevada cases that have also been dismissed.)

Some background: In March, Righthaven sued Mr. Wolf for alleging infringing a Denver Post photograph titled “TSA Agent performs enhanced pat-downs," by virtue of a parody of the photo posted on his blog. Mr. Wolf moved to dismiss the case for lack of subject matter jurisdiction; EFF filed an amicus brief supporting that motion, explaining that Righthaven lacks ownership of any exclusive right granted under Section 106 of the Copyright Act.

Judge John L. Kane agreed, holding that Righthaven assigned to the Denver Post’s parent “the bare right to sue for infringement – no more, no less.” As such, Righthaven was neither a “legal owner” nor a “beneficial owner” of the copyright, and consequently could not bring a suit under the Copyright Act.

To its credit, the court also recognized the enormous pressure the prospect of statutory damages (on top of the expense of litigation) can place on defendants, even those with meritorious defenses, and called out Righthaven’s business model for the settlement mill that it tried to be:

[A] party with a bare right to sue may file numerous infringement actions of questionable merit with the intention of extorting settlement agreements from innocent users. This possibility becomes even more likely when the financial viability of the entity filing suit depends upon the proceeds from settlement agreements and infringement suits. Even though copyright law expressly provides for an award of costs and reasonable attorney fees to a party prevailing in its defense of a meritless infringement action, the economic realities of securing counsel and paying in advance the costs of litigation turns this remedy into a Potemkin Village. Both fundamentally and practically, the reality is at odds with the constitutional prioritization of public access to copyrighted works.

The court’s opinion also highlighted the important balance that the copyright laws are intended to protect. Specifically,

[C]opyright law necessarily balances the derivative goals of rewarding the creative labor of authors of original works with the primary goal of promoting further creativity by allowing public access to copyrighted works.

We are pleased that the Court refused to allow Righthaven to proceed with a lawsuit based on a copyright that it never owned and never had any plans to exploit. Finding otherwise would frustrate the important balance the court highlighted, and “the public interest in access to copyrighted materials.” Well done, Judge Kane.

Who's Looking Over Your Digital Shoulder? A Reader Privacy Quiz for Californians

Śro, 2011-09-28 00:53

Books are books whether we read them in a library or on a Kindle or iPad, but California laws are lagging when it comes to protecting reader privacy in the digital age. That's why EFF is a supporter of the Reader Privacy Act, a bill that has passed the California legislature and is awaiting Governor Brown's signature to become law.

Who's looking over Californians' digital shoulder and why does it matter? You can take our quiz to find out what's at risk -- and how Californians can protect their private reading records. Then tell Governor Brown to sign the Reader Privacy Act to ensure Californians don’t have to compromise their privacy when downloading electronic books, using online book services or even buying books from their local bookstore.

Who's on the Intelligence Oversight Board? Government Won't Say

Wto, 2011-09-27 22:10

San Francisco - The Electronic Frontier Foundation (EFF) filed suit today against the Office of the Director of National Intelligence (ODNI) demanding records of who is on the Intelligence Oversight Board (IOB) -- the presidentially appointed, civilian panel in charge of reviewing all misconduct reports for American intelligence agencies.

The IOB is supposed to alert the president and attorney general when it spots behavior that is unlawful or contrary to executive order. However, in his nearly three years in office, President Obama has not yet announced any appointments to the IOB. EFF's suit comes after the ODNI refused to respond to a Freedom of Information Act (FOIA) request for membership, vacancies, and other information about the IOB made earlier this year.

"The IOB has a critically important mission – civilian oversight of America's intelligence activities. The board exists to make sure government agencies are not overstepping their authority and abusing citizens' rights," said EFF Open Government Legal Fellow Mark Rumold. "History has shown that intelligence agencies overseeing their own behavior is like the fox guarding the henhouse. If the IOB is ineffective, impaired, or short-staffed, that's information Americans need to know."

EFF's ongoing FOIA litigation work has already uncovered widespread violations in intelligence investigations. Most recently, EFF revealed that the U.S. Army issued three National Security Letters (NSLs) for phone records, even though the law authorizes only the FBI to make these extraordinary requests for information. EFF also obtained documents detailing how the Army improperly attempted to investigate participants at a law school conference on Islamic law.

"We're trying to create a picture of the federal government's intelligence violations as Congress considers updates and changes to current surveillance law and oversight," said EFF Staff Attorney Jennifer Lynch. "Part of that picture is who is on the IOB. We're asking the government to follow the law and release the records on IOB membership."

For the full complaint in EFF v. ODNI:
https://www.eff.org/files/filenode/FOIA_IOB/ODNIIOBComplaint_92711.pdf

For more on the Defense Department intelligence violations:
https://www.eff.org/foia/intelligence-agencies-misconduct

Contacts:

Mark Rumold
Open Government Legal Fellow
Electronic Frontier Foundation
mark@eff.org

Jennifer Lynch
Staff Attorney
Electronic Frontier Foundation
jlynch@eff.org

Stop the Piecemeal: Obama Administration Should Fully Free Communications Tech Exports to Syria (& Companies Should Help)

Pon, 2011-09-26 18:00
Co-authored by Cindy Cohn

EFF has long complained about export restrictions by the U.S. Departments of Treasury and Commerce that deny citizens access to vital communications tools. In the past, this has affected, among others, Zimbabwean activists trying to obtain hosting providers, Syrian businesspeople networking on LinkedIn, and ordinary Iranians trying to download web browsers.

The government has been responding, albeit in piecemeal fashion: in 2010, technology companies were granted a general license from the Department of Treasury’s Office of Foreign Assets Control (OFAC) to export communications tools that could “boost Internet-based communication” and the “free flow of information” Iranian, Sudanese, and Cuban citizens – but since then we’ve seen a wave of democracy activism reach Syria too, something EFF commented upon in July.

Syria Two-Step

Now we've seen some movement on Syria, but not enough. On August 18, amidst increasing regime violence toward opposition forces, the White House issued an Executive Order blocking a new range of transactions, including (Section 2(b)) “the exportation, re-exportation, sale, or supply, directly or indirectly, from the United States, or by a United States person, wherever located, of any services to Syria,” in light of the Syrian government’s escalating violence against civilians. This seemed like very bad news for Syrians who want to use communications tools to help with the protests.

Fortunately, recognizing the importance of communications tools and social networks to Syrian activists, the State Department’s Office of Foreign Assets Control (OFAC) quickly issued a general license allowing the export of “certain services incident to Internet-based communications.” The license specifically notes that transactions that are not otherwise exempt from certain earlier prohibitions, and that are related to the exchange of personal communications over the Internet, are permitted. Examples specifically laid out in the license include instant messaging, chat and email, social networking, photo- and video-sharing, web browsing, and blogging. The license also lays out what is not authorized for exportation, and while the language is a little unclear, it appears to allow export of technologies and services for all purposes other than those for commercial endeavors – so democracy activists should be in the clear.

But the story doesn’t end there. Restrictions from the Department of Commerce’s Bureau of Industry and Security (BIS) still appear to prevent communications tools and services from being exported to Syrians without a license. We think that because of these restrictions, Syrians still cannot access Google products Chrome and Earth, cannot download Java, among various other tools, and cannot use hosting services like Rackspace, SuperGreenHosting and others.

So the Treasury Department’s OFAC is out of the way, but the Commerce Department’s BIS restrictions remain, meaning that companies are still blocking certain communications tools from getting to Syrians. And until the government makes the bigger step of stopping the piecemeal nature of their relaxation of restrictions, we’ll have the same problems we’ve long complained about. These sorts of export restrictions are overbroad and contain elements which have no effect on the Syrian regime, while preventing Syrian citizens from accessing a wealth of tools that are available to their activist counterparts in neighboring countries and around the world. Furthermore, the penalties that result in violations of the regulations can be severe, so amidst confusing regulations, companies appear to be implementing broad restrictions on their services rather than run any risk. This happened recently when the open-source platform SourceForge blocked the IP addresses of users in five sanctioned countries.

What Needs to Happen

Two things ought to be done here, as soon as possible. First, and most importantly, the government -- the whole government -- should remove the license requirements and restrictions for communications technologies used by democracy activists. In the short term this should happen for Syria, in light of the ongoing struggle there. In the longer term, it’s time for the U.S. to stop this piecemeal approach and affirmatively allow unlicensed distribution of communications tools and services to people in all countries of the world.

Second, companies hesitant about allowing Syrians to use communications tools and services should take the simple steps necessary to seek a BIS license. While we don't think that such licenses should be required, the process is in fact quite simple, and frankly, the Syrians cannot wait. A company that wishes to export to Syria can file an online application with the Commerce Department’s Bureau of Industry and Security (BIS) for a license, which then should be resolved within 90 days. While registration is required before applying, any company that has ever gotten an export license before is likely already registered. Alternatively, companies may also request “interpretative guidance” as to whether or not they require a license from BIS, which takes only 30 days.

EFF Wants to Help

Given the situation on the ground in Syria, we need to focus there first. We reiterate our call for the Obama administration to affirmatively make clear throughout its various agencies that providing digital communications and information tools to citizens around the world, especially those under repressive governments, is not only legal, but encouraged. And in the meantime, we challenge those companies who are concerned about the BIS restrictions to take the simple steps necessary to apply for a license. In fact, we think this is so important that EFF would be willing to help a company that wants to take these steps but doesn’t have the resources to do it. Companies should contact EFF's Legal Director, Cindy@eff.org, if you'd like our help.

Don't Let Privacy Law Get Stuck in 1986: Demand a Digital Upgrade to the Electronic Communications Privacy Act

Pon, 2011-09-26 06:57

Sign now and we will add your name to this petition and also send a letter to your Representatives and Senators in time for the 25th anniversary of ECPA being signed into law:

Petiton language:
The government should be required to go to a judge and get a warrant before it can read our email, access private photographs and documents we store online, or track our location using our mobile phones. Please support legislation that would update the Electronic Communications Privacy Act of 1986 (ECPA) to require warrants for this sensitive information and to require the government to report publicly on the use of its surveillance powers.

ECPA was forward-looking when it was signed into law in October of 1986, considering that the World Wide Web hadn't even been invented yet. But now, ECPA has become outdated. The privacy standards that it applies to new technologies are unclear and weak. For example, the law doesn't specifically address cell phone location tracking at all, and it allows the government to seize most emails without ever having to go to a judge. Meanwhile, no one is perfectly sure how it applies to newer online services like social networks and search engines.

This gap between the law and the technology ultimately leaves us all at risk. Add your name now to sign the petition supporting ECPA reform, and feel free to add a personalized intro to the text below that will be sent to your legislators before the 25th anniversary of ECPA.