Scary news from California's Contra Costa County — school officials there have reportedly decided to track some preschoolers with RFID chips, thanks to a federal grant supplying the funding.
According to a story from the Associated Press, the students will wear a jersey at school that has the RFID tag attached. The tag will track the children's movements and collect other data, like if the child has eaten or not. According to a Contra Costa County official, this is a cost-savings move, as teachers used to have to manually keep track of a child's attendance and meal schedule.
But of course, an RFID chip allows for far more than that minimal record-keeping. Instead, it provides the potential for nearly constant monitoring of a child's physical location. If readings are taken often enough, you could create an extraordinarily detailed portrait of a child's school day — one that's easy to imagine being misused, particularly as the chips substitute for direct adult monitoring and judgment. If RFID records show a child moving around a lot, could she be tagged as hyper-active? If he doesn't move around a lot, could he get a reputation for laziness? How long will this data and the conclusions rightly or wrongly drawn from it be stored in these children's school records? Can parents opt-out of this invasive tracking? How many other federal grants are underwriting programs like these?
These are questions that desperately need answers. California is in the middle of a terrible budget crunch, but the solution is not federally funded surveillance of children who are too young to understand the implications.
Hari Prasad, the Indian security researcher arrested for allegedly stealing an electronic voting machine, has been released on bail.
Earlier this year, an anonymous source gave the machine to Prasad and a team of researchers, who discovered critical security flaws. Under questioning by authorities last weekend, Prasad refused to divulge the identity of the source who gave them the machine. He was then arrested and reportedly charged with theft and trespass on the theory that he stole the machine himself.
According to the Indian news agency PTI, the magistrate who released Prasad on bail noted that "no offence was disclosed with Hari Prasad's arrest and even if it was assumed that [the electronic voting machine] was stolen it appears that there was no dishonest intention on his part...he was trying to show how [electronic voting] machines can be tampered with."
The court reportedly also asked the Election Commission of India to confirm or disprove Prasad's claim that the country's electronic voting machines can be compromised. If Prasad's claims are false, action could be taken against him, the magistrate said.
Just a few weeks after his interview with EFF Legal Director Cindy Cohn, American hero Stephen Colbert has returned to the subject of digital rights. And in his show on Tuesday, he came up with a great solution to the problem of privacy and online social networks: Control-Self-Delete.
The Colbert Report Mon - Thurs 11:30pm / 10:30c The Word - Control-Self-Delete www.colbertnation.com Colbert Report Full Episodes 2010 Election Fox NewsAs Colbert suggests, the CEOs of Google and Facebook can be astonishingly tone deaf when it comes to the question of the privacy of their customers. As these experts in social media ought to know, the fact that a person chooses to share some information about themselves online is no indication that they prefer to share everything — nor does it indicate that control of personal data is not something they care deeply about. ">Study after study has shown the opposite to be true: users care about privacy, and demand control of their own data.
We like Colbert's basic point, saved for the end of this clip: if anyone should change their behavior to address the problem of online privacy, it isn't young people who have uploaded some racy pics — it's the companies that have made themselves the guardians of our personal data.
Facebook is facing down another embarrassing episode of censorship this week after refusing to show ads submitted by the Just Say Now marijuana legalization campaign. The gag is an important reminder that social networks like Facebook — while useful, interesting, and pretty — are "walled gardens" with overseers whose interests can overwrite free speech, open communication, and in this case, essential political debate. (In this they have something in common with Apple.)
Most recently, Facebook was caught censoring mentions of Power.com, an online tool designed to help users collect their information from Facebook to facilitate migration to other social networks. To this day, users are still blocked from sending messages or posting status updates containing the word "Power.com," preventing users from spreading the word about a convenient way to "make the move" to Orkut, or LinkedIn, or any other social networking service that may crop up to compete. The block even stopped law professor Eric Goldman from commenting on Facebook’s lawsuit against Power.com (Disclosure: EFF filed an amicus brief in support of Power in that case).
Facebook's censorship for anticompetitive reasons is petty and lame to be sure, but silencing Just Say Now's marijuana legalization ad campaign is even worse. Voters in various districts nationwide will have to make important political decisions about marijuana this year (California's Proposition 19 is one example). Facebook's decision, reportedly an attempt to be consistent with its ad policies restricting smoking and/or marijuana-related content, is instead primarily silencing an important, motivated voice in a politically significant debate.
Facebook should lift the ban and show Just Say Now's political ads. For better or worse, Facebook has become a important means of communication and organization for candidates and political campaigns. In this role, Facebook functions best as a neutral platform, hosting the debate without entering it. Whether or not Facebook wants to restrict depictions of smoking in commercial ads, it should not prohibit the open and robust political debate central to the value and promise of the Internet.
Music lovers take note: the classical music archive Musopen needs your help to liberate some classic symphonies from copyright entanglement. Museopen is looking to solve a difficult problem: while symphonies written by Beethoven, Brahms, Sibelius, and Tchaikovsky are in the public domain, many modern arrangements and sound recordings of those works are copyrighted. That means that even after purchasing a CD or collection of MP3s of this music, you may not be able to freely exercise all the rights you'd associate with works in the public domain, like sharing the music using a peer-to-peer network or using the music in a film project.
To fix this, Musopen is asking backers to join an effort to hire a world-class orchestra to record sublime digital performances of the symphonies by the composers mentioned above. Musopen will then relinquish all rights to the recordings, giving the public the freedom to experience these works in full: to download, share, derive, and remix without limit. The fundraising campaign is taking place on Kickstarter, a site where users can pledge money to various creative projects. (Users pledge an amount towards a project, but the money doesn't actually go to the project unless the specified funding goal is reached. Kickstarter has a great explanation for their "all-or-nothing funding" design on their FAQ.)
It’s too bad such seminal, cultural works have been effectively buried by copyright interests — despite their age, ubiquity, and importance. (Note problems like this are exacerbated by discrepancies in international laws that create different "public domains" that copyright owners can exploit to stop online archives.) The Musopen campaign presents a creative solution that could help ensure that such essential music is preserved and shared for generations to come. Music lovers and copyfighters — vote with your wallet and support Museopen's work!
We're pleased to announce that EFF's Legal Director, Cindy Cohn, has won a 2010 Intellectual Property Institute Vanguard Award from the State Bar of California.
Cindy was one of four legal professionals honored for spearheading new developments in the world of intellectual property. We're proud to see the work that we do to preserve balance in copyright, trademark, and patent law recognized, and we'll continue to fight for the fans, the tinkerers, independent journalists and bloggers, and consumers.
The 2nd Annual IP Vanguard Award will be presented to Cindy during an awards Luncheon on Friday, October 29, at the 2010 Annual IP Institute meeting in Napa, California.
The Electronic Frontier Foundation is seeking to assist defendants in the Righthaven copyright troll lawsuits. Righthaven, founded in March of 2010, files hundreds of copyright infringement lawsuits on behalf of newspaper publishers against bloggers who make use of news content without permission. To that end, Righthaven searches the internet for stories and parts of stories from the newspapers that they represent. Once they find content that has been re-published, Righthaven purchases the copyright to the article and sues the owner of the blog.
Just like the US Copyright Group shakedowns, and the RIAA shakedowns of the recent past, Righthaven relies on the threat of enormous statutory damages associated with the Copyright Act to scare defendants, often individual bloggers operating non-commercial websites, into a quick settlement, reportedly ranging from two to five thousand dollars. The Righthaven lawsuits are of particular concern because they sometimes target the operators of political websites who re-publish newspaper stories, chilling political speech. Righthaven has also targeted the newspaper's source for the very articles allegedly infringed.
If you are the target for a Righthaven lawsuit in need of representation, please contact Eva Galperin at eva@eff.org. Please understand that we have a relatively small number of very hard-working attorneys, so we do not have the resources to defend everyone who asks, no matter how deserving. However, if we cannot represent you directly, we will make every effort to put you in touch with attorneys who can.
Good news in the fight against bad software patents: a jury in the Eastern District of Texas recently found the Firepond/Polaris patent (U.S. Patent No. 6,411,947) invalid. This patent was on EFF's "Most Wanted" list, targeted because it claimed nothing more than a system using natural language processing to respond to customers' online inquires by email.
EFF was not involved in this case, in which Bright Response, LLC — the technical owner of the patent — sued Google, Inc., Yahoo!, Inc. and eight other companies, alleging that Google's AdWords and Yahoo!'s Sponsored Search infringes the Firepond/Polaris patent. The jury found three of the patent's claims invalid based on the public use bar, obviousness, and for lacking written description. The jury also found that neither Google nor Yahoo! infringed those claims. Finally, the jury found the entire patent invalid due to improper inventorship.
In addition to the jury's findings, the Patent and Trademark Office is nearing completion of a reexamination of the patent, instituted by Google, that narrows the scope of that patent's claims.
"This is a great outcome and good news for people and developers who create new products related to customer service or email," said Patrick King, one of the attorneys assisting EFF on this matter.
Because the court has not yet entered a final judgment, Bright Response could still, in theory, attempt to prohibit others from using the basic natural language processing technology in its patent. EFF is on the lookout for this threatening behavior, so please make sure to let us know if you hear of any. EFF will continue to monitor this case — and the corresponding reexam — and will take action as necessary to fight any additional efforts to use the Firepond/Polaris patent to quash competition and hurt innovation.
"We are still waiting for the court case to finish up and to see if Bright Responses will appeal the decision. If any of the patent is still alive after that, we will do whatever we can to invalidate it, and allow competitors to use this simple technology, which was well known prior to the patent filing," said Gina M. Steele, another attorney assisting EFF with this matter.
The Firepond/Polaris patent was one of the ten original Top Ten Patents targeted by EFF’s Patent Busting Project, which combats the chilling effects of bad patents on the public and consumer interests. So far nine patents targeted by EFF have been busted, invalidated, narrowed, or had a reexamination granted by the Patent Office.
It looks like Apple, Inc., is exploring a new business opportunity: spyware and what we're calling "traitorware." While users were celebrating the new jailbreaking and unlocking exemptions, Apple was quietly preparing to apply for a patent on technology that, among other things, would allow Apple to identify and punish users who take advantage of those exemptions or otherwise tinker with their devices. This patent application does nothing short of providing a roadmap for how Apple can — and presumably will — spy on its customers and control the way its customers use Apple products. As Sony-BMG learned, spying on your customers is bad for business. And the kind of spying enabled here is especially creepy — it's not just spyware, it's "traitorware," since it is designed to allow Apple to retaliate against you if you do something Apple doesn't like.
Essentially, Apple's patent provides for a device to investigate a user's identity, ostensibly to determine if and when that user is "unauthorized," or, in other words, stolen. More specifically, the technology would allow Apple to record the voice of the device's user, take a photo of the device's user's current location or even detect and record the heartbeat of the device's user. Once an unauthorized user is identified, Apple could wipe the device and remotely store the user's "sensitive data." Apple's patent application suggests it may use the technology not just to limit "unauthorized" uses of its phones but also shut down the phone if and when it has been stolen.
However, Apple's new technology would do much more. This patented device enables Apple to secretly collect, store and potentially use sensitive biometric information about you. This is dangerous in two ways: First, it is far more than what is needed just to protect you against a lost or stolen phone. It's extremely privacy-invasive and it puts you at great risk if Apple's data on you are compromised. But it's not only the biometric data that are a concern. Second, Apple's technology includes various types of usage monitoring — also very privacy-invasive. This patented process could be used to retaliate against you if you jailbreak or tinker with your device in ways that Apple views as "unauthorized" even if it is perfectly legal under copyright law.
Here's a sample of the kinds of information Apple plans to collect:
In other words, Apple will know who you are, where you are, and what you are doing and saying and even how fast your heart is beating. In some embodiments of Apple's "invention," this information "can be gathered every time the electronic device is turned on, unlocked, or used." When an "unauthorized use" is detected, Apple can contact a "responsible party." A "responsible party" may be the device's owner, it may also be "proper authorities or the police."
Apple does not explain what it will do with all of this collected information on its users, how long it will maintain this information, how it will use this information, or if it will share this information with other third parties. We know based on long experience that if Apple collects this information, law enforcement will come for it, and may even order Apple to turn it on for reasons other than simply returning a lost phone to its owner.
This patent is downright creepy and invasive — certainly far more than would be needed to respond to the possible loss of a phone. Spyware, and its new cousin traitorware, will hurt customers and companies alike — Apple should shelve this idea before it backfires on both it and its customers.
An Indian computer scientist was arrested this weekend when he refused to disclose an anonymous source who provided an electronic voting machine to a team of security researchers.
Hari Prasad is the managing director of Netindia Ltd., an Indian research and development firm. He and other researchers have long questioned the security of India's paperless electronic voting machines. Despite repeated reports of election irregularities and concerns about fraud, the Election Commission of India insists that the machines are tamper-proof.
In 2009, the commission publicly challenged Prasad to show that India's voting machines could be compromised, but refused to give him access to the machines to perform a review. Earlier this year, an anonymous source provided an Indian voting machine to a research team led by Prasad, Alex Halderman, and Rop Gonggrijp. The team exposed security flaws that could allow an attacker to change election results and compromise ballot secrecy. They published a paper detailing their findings, which you can read here.
According to Halderman, Prasad was questioned Saturday morning at his home in Hyderabad by authorities who wanted to know the identity of the source who gave the voting machine to the research team. Prasad was ultimately arrested and taken to Mumbai, though reportedly hadn't been charged with a crime.
This turn of events is deeply troubling. Prasad is a respected researcher who helped to discover a critical flaw in India's voting system. He and his fellow researchers would never have been able to document the weaknesses in India's voting machines without the help of their anonymous source. This is precisely why anonymity is important: it allows people to make important contributions to the public dialogue without fear of retribution.
The Election Commission of India should have given researchers access to the voting machines in the first place. Rather than attempting to persecute Prasad and the anonymous source, the government should be focusing its attention and resources on the real problem: electronic voting machines with no mechanism for accountability.
UPDATE: According to the Times of India and Reuters, Prasad has been charged in connection with the alleged theft of the voting machine studied by the research team. He has been remanded to police custody until Thursday, August 26.
A bill that could undermine a new and important form of online activism has quietly worked its way through the California legislature. If signed by the governor, the new law would make it a crime to impersonate someone online in order to “harm” that person. In other words, it could be illegal to create a Facebook or Twitter account with someone else’s name, and then use that account to embarrass that person (including a corporate person like British Petroleum or the U.S. Chamber of Commerce, or a public official).
Here’s the problem: temporarily "impersonating" corporations and public officials has become an important and powerful form of political activism, especially online. For example, the Yes Men, a group of artists and activists, pioneered “identity correction,” posing as business and government representatives and making statements on their behalf to raise popular awareness of the real effects of those entities’ activities, like the failure to Dow to adequately compensate victims of the Bhopal disaster and the U.S. government’s destruction of public housing units in New Orleans. These sorts of actions regularly receive widespread media coverage, sparking further public debate. Last year, the activists staged a thinly veiled hoax, presenting themselves at a press conference and on a website as the Chamber of Commerce and, in direct opposition to the Chamber’s actual position, promising to stop lobbying against strong climate change legislation. (Not amused, the Chamber promptly sued the Yes Men based on a trumped-up trademark complaint; EFF is defending the activists.)
Others have taken a similar approach, using spoof sites and identity correction to raise awareness about community issues, environmental threats, and, most recently, the historical roots of Haiti’s economic problems. Unfortunately, the targets of the criticism, like the Chamber, have responded with improper legal threats and lawsuits. It would be a shame if Senator Simitian’s bill added another tool to their anti-speech arsenal.
Proponents of the bill insist that there is no free speech problem because the new law would only apply to “credible” impersonations. That argument misses the point – identity correction depends on initial credibility, just as it also depends on prompt exposure.
What is worse, the bill is not needed. Sponsors of the bill say that victims of online harassment and defamation have little legal recourse. That’s simply not true. Laws against fraud and defamation are already on the books, and they apply online as well as offline. Moreover, judges and juries applying those laws have the benefit of an extensive body of jurisprudence aimed at limiting their impact on legitimate free speech.
We urge Governor Schwarzenegger not to sign this dangerous bill.
Yesterday, Facebook introduced Places, a new location feature that competes with popular services like Foursquare, Google Latitude, Loopt, and Gowalla. Places allows Facebook users to 'check in' to real world locations and to tag their friends as present (similar to how Facebook allows tagging in photos). Everyone who is checked in to the location can see who else is listed as "Here Now" for a few hours after they check in. Once you are checked in to a location, Places also creates a story in your friends' News Feeds and places a notice in the location's page's Recent Activity section. The product will roll out over the next few days.
Like all location products, the new application publishes potentially sensitive information, since a stream of information on location can provide a detailed picture of your life. Some locations might appear cool at one moment, and yet become something you'd rather forget the next. Your Facebook friends may include prolific bloggers, business competitors, and former lovers. For business and personal reasons, you might need to keep your location private from them. And, as pleaserobme.com effectively illustrated, revealing your location can also reveal sensitive information about where you are not.
To its credit, by default, only your Facebook friends can see when you are tagged in a location, unless you opted for the "Everyone" master setting on the privacy controls. (EFF recommends against using the "Everyone" master setting; see how to maximize your privacy on Facebook). To further protect your privacy, you can use friend lists to exercise a more fine-tuned control over who can see your check-ins. If you don't want a location to go down on your permanent record, you need to manually delete the check in.
If your friend attempts to check you in and you have not opted into Places, you will receive a notification that gives you two options: (1) “allow check-ins," which opts you in to the program or (2) "not now" which only disallows that particular check in. Once you are opted in, you will not receive further notices before being checked in by friends. If you want to have complete control over whether you are listed at a location, you have to permanently disallow check-ins by your friends by disabling "Friends can check me in to Places" on the customize privacy settings page. This is the most privacy protective option, since you will only be listed at a location if you affirmatively choose to check in.
"Here Now" broadcasts a list of those checked in to everyone else who is checked in, regardless of whether they are "friends." Sometimes you may not want every Places user in the same location to be able to see you, since the location might be large like a ballpark or an outdoor music festival. You can opt out of the Here Now feature by unchecking the "Include me in 'People Here Now' after I check in" privacy control. However, Facebook does not offer the ability to limit Here Now visibility to subsets of your friends.
Places is designed to limit your location options to places that are actually near you, as reported by the geolocation features of your mobile device. Sometimes, however, you may have personal or professional reasons to report a different location. For example, you might want to report your location as being at a cafe, when you are really at an HIV clinic or a domestic violence shelter. While you can have a friend check you in anywhere they are, or spoof your geolocation if you have sufficient technical chops, Facebook should allow arbitrary locations.
Note that location data can be a tempting target for law enforcement. We urge Facebook to follow the lead of other location service providers like Google and Loopt, and provide the strongest protection for its users by requiring a wiretap order before tracking a Places user's location for law enforcement. Update: In response to this post, Facebook tells us that "We consider our Places product to generate content of communications, and would require a search warrant for prior generated content or a wiretap to capture forward generated content."
If you start to use Places, Facebook apps can also use your location data, and your friends can authorize the disclosure of your location data. The ACLU's DotRights has provided a helpful guide to managing your location privacy settings, including how to prevent your friends' apps from seeing your location information. (Facebook responded to ACLU's criticisms in Techcrunch).
Places is Facebook's most significant product launch since the controversial introduction of Connections and Instant Personalization. We had a number of constructive conversations with Facebook leading up to this launch, and appreciated the opportunity to provide feedback. Not everything resulted in changes, but overall it was a positive process. While the product is not perfect and could use some important changes, as noted above, the privacy settings and defaults represent a substantial improvement over those earlier launches. However, the settings are only good if users understand them intuitively and use them effectively. As the product rolls out to millions of Facebook users, we will be looking closely at its implementation and effects on locational privacy.
This is part two of a two part series. Read part one.
In the midst of recent controversies over Facebook’s privacy settings, it’s easy to forget how much personal information is available from other sources on the Internet. But the government remembers. EFF recently received a number of documents from the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) highlighting the government’s ability to scour not only social networks, but record each and every corner of the Internet. These documents were released in the second of a series of government disclosures resulting from EFF’s Freedom of Information Act (FOIA) lawsuit in which EFF, with the help of UC Berkeley’s Samuelson Clinic, sought information on the procedures and guidelines employed by government agencies when conducting social network monitoring or investigations.
As an example of the government’s substantial information collection capability, several documents [PDF] in the CIA’s disclosure discuss the CIA’s so-called Open Source Center, established in 2005, which has been collecting information from publicly accessible Internet sources such as blogs, chat rooms and social networking sites, in addition to monitoring radio and television programs. The Open Source Center’s website, opensource.gov, bills itself as the “US Government's premier provider of foreign open source intelligence.” It is accessible to almost 15,000 local, state, and federal government employees and offers products ranging from reports and analysis on publicly available information dating back to the mid-90s, video reports and internet clips, translations, and media mapping and hot spot analysis.
In the other document [PDF] included in this release, FBI emails reveal the FBI’s interest in the University of Arizona’s Dark Web Project, an attempt by computer scientists to “systematically collect and analyze all terrorist-generated content on the Web.” Information in the document describes the Dark Web Project as especially effective in employing spiders to search Internet forums and find hidden web sites in the “corners of the Internet.” In addition to being able to search the Internet for content, the Dark Web Project is developing a tool called Writeprint that claims to help identify the creators of anonymous online content. The FBI emails reveal an interest in applying the Dark Web Project’s tools to the FBI’s own “operational analysis and exploitation of data, including web forums.”
As EFF and the Samuelson Clinic continue to seek information about law enforcement investigation techniques used on the Internet, we hope to learn more about how the government uses this information and especially how long it plans to keep it. In the meantime, however, it is clear that government investigators are collecting a wealth of information though the Internet in general and outside of the law enforcement context. It is also a good reminder that while social networks and other websites have privacy settings, the Internet does not. Stay tuned here for the next release.
This is part two of a two part series. Read part one.
EFF today asked the Ninth Circuit Court of Appeals to reinstate its landmark case against the federal government for warrantlessly wiretapping millions of ordinary Americans. The case, called Jewel v. NSA is part of EFF's ongoing efforts to Stop the Spying.
In January, the District Court dismissed the case on the incorrect argument that, because so many Americans have had their communications and communications records illegally obtained by the government, no single person has legal "standing" to challenge the ongoing program of government surveillance. This is incorrect because the number of people harmed — here the number of people whose personal communications and communications records were improperly obtained by the government — simply has nothing to do with whether the case can or should be adjudicated.
EFF's brief says:
Unless corrected, the District Court’s ruling risks creating a perverse incentive for the government to violate the privacy rights of as many citizens as possible in order to avoid judicial review of its actions. Neither the Constitution nor the settled statutory structure protecting the privacy of Americans’ communications allows such a result. The District Court’s dismissal of Plaintiffs’ claims must be reversed.
EFF points out that three longstanding statutes protect the privacy of Americans' communications from wholesale, unwarranted government surveillance: Title III (Wiretap Act), Foreign Intelligence Surveillance Act and the Stored Communications Act. It also notes that the Constitution forbids such surveillance. Like EFF's earlier case, Hepting v. AT&T, the Jewel case relies in part on the whistleblower evidence uncovered by former AT&T technician, Mark Klein, detailing a secret facility at the Folsom Street office of AT&T in San Francisco where copies of private customer communications are routinely given to the NSA.
The brief points out that the District Court's dismissal of the case is inconsistent with long-settled law:
The Supreme Court has made clear that the fact that a harm is widely shared does not undercut a plaintiff’s claim to standing: “Once it is determined that a particular plaintiff is harmed by the defendant, and that the harm will likely be redressed by a favorable decision, that plaintiff has standing—regardless of whether there are others who would also have standing to sue.” Clinton v. City of New York, 524 U.S. 417, 435-36 (1998). To hold otherwise “would mean that the most injurious and widespread Government actions could be questioned by nobody.” Massachusetts v. EPA, 549 U.S. 497, 526 n.24 (2007) (quoting United States v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S. 669, 687-88 (1973)) (italics omitted).
EFF's other case arising from the warrantless surveillance, Hepting v. AT&T, brought against telecom giant AT&T, is also up on appeal.
The law firm of Keker and Van Nest, the Law Offices of Richard Wiebe and the Moore Law Group all work with EFF on the Jewel v. NSA case.
EFF will soon be launching the SSL Observatory project, an effort to monitor and secure the cryptographic infrastructure of the World Wide Web. There is much work to be done, and we will need the help of many parties to make the HTTPS-encrypted web genuinely trustworthy. To see why, you can read the following letter, which we are sending to Verizon today:
(there is also a story in the New York Times)
Dear Verizon,
We are writing to request that Verizon investigate the security and privacy implications of the SSL CA certificate (serial number 0x40003f1) that Cybertrust (now a division of Verizon) issued to Etisalat on the 19th of December, 2005, and evaluate whether this certificate should be revoked.
As you are aware, Etisalat is a telecommunications company headquartered in the United Arab Emirates. In July 2009, Etisalat issued a mislabeled firmware update to approximately 100,000 of its BlackBerry subscribers that contained malicious surveillance software [1]. Research In Motion subsequently issued patches to remove this malicious code [2].
More recently, the United Arab Emirates Telecommunications Regulatory Authority and Etisalat threatened to discontinue service to BlackBerry users, claiming that these devices "allow users to act without any legal accountability, causing judicial, social and national security concerns for the UAE", apparently on account of Research In Motion's refusal to offer surveillance back doors in its encryption services [3].
These events clearly demonstrate that Etisalat and the UAE regulatory environment within which it operates are institutionally hostile to the existence and use of secure cryptosystems. It is therefore of great concern to us that Etisalat is in possession of a trusted SSL CA certificate and the
accompanying private key, which effectively functions as a master key for the encrypted portion of the World Wide Web. Etisalat could use this key to issue itself valid HTTPS certificates for verizon.com, eff.org, google.com, microsoft.com, or indeed any other website. Etisalat could use those certificates to conduct virtually undetectable surveillance and attacks against those sites. Etisalat's keys could also possibly be used to obtain access to some corporate VPNs.
We believe this situation constitutes an unacceptable security risk to the Internet in general and especially to foreigners who use Etisalat's data services when they travel.
We do not know whether Etisalat is willing to use its SSL CA keys for surveillance; however, the malicious code that Etisalat distributed last year had been signed by cryptographic keys that gave it access to various security-sensitive parts of the BlackBerry's API [4][5], indicating a willingness on Etisalat's part to use other keys for the wholesale subversion of security measures intended to protect users' privacy.
Because Microsoft, Mozilla, and other browser vendors have chosen to delegate certificate issuing authority to Verizon/Cybertrust, and because Cybertrust in turn chose to delegate this authority to Etisalat, Verizon is now the only party in a position to mitigate this risk to Internet security in a manner that is prompt and minimizes side-effects. We therefore request that Verizon reevalute whether Etisalat is a trustworthy Certificate Authority, and determine whether may be appropriate to issue a new CRL revoking Etisalat's CA certificate.
EFF is pleased to announce the hiring of our newest staff member: staff attorney Julie Samuels. Julie will be working on intellectual property issues, with a focus on stopping abuse of software patents.
Before joining EFF, Julie litigated patent and copyright cases in Chicago at Loeb & Loeb and Sonnenschein Nath & Rosenthal. Prior to becoming a lawyer, Julie worked with the Media Coalition in New York and as an assistant editor at the National Journal Group in D.C. She was also an intern at the National Center for Supercomputing Applications. Welcome Julie!
EFF is also looking to round out its intellectual property legal team by hiring a senior-level copyright attorney. The right candidate will have at least five years of experience working in copyright law, including an in-depth knowledge of the Digital Millennium Copyright Act (DMCA). Litigation experience is desired, including significant experience managing both overall case strategy and day-to-day projects and deadlines. But responsibilities will also include public speaking, blogging, media outreach, and legislative and regulatory matters related to a variety of high technology legal issues. This lawyer will be on the front lines of the fight for digital civil liberties -- in the courts, in policy forums, at conferences and in the media, and around the world. If you have the background and the passion, we would love to hear from you.
As the initial furor over the 2009 (in fact delayed until 2010) DMCA rulemaking subsides, a number of questions have been raised about the nature and scope of the exemptions. We’ve gotten a lot of inquiries about two cell-phone related exemptions that EFF championed: one to clarify the legality of cell phone "jailbreaking" — software modifications that liberate iPhones and other handsets to run applications from sources other than those approved by the phone maker – and another to renew a 2006 rule exempting cell phone unlocking so handsets can be used with other telecommunications carriers. Both exemptions were granted.
Of these, the jailbreaking exemption has received the most attention. More than a million iPhone owners are said to have "jailbroken" their handsets in order to change wireless providers or use applications obtained from sources other than Apple's own iTunes "App Store," and many more have expressed a desire to do so. But the threat of DMCA liability had previously endangered these customers and alternate applications stores.
What was the basis for the jailbreaking exemption?
The Copyright Office squarely rejected Apple's claim that copyright law (other than the anti-circumvention provisions) forbids people from installing unapproved programs on iPhones. Why? Fair use:
When one jailbreaks a smartphone in order to make the operating system on that phone interoperable with an independently created application that has not been approved by the maker of the smartphone or the maker of its operating system, the modifications that are made purely for the purpose of such interoperability are fair uses.
Just so. Given how often copyright claims are misused to stifle speech and everyday user activities, it’s worth noting that the Register stressed that Apple’s objections to jailbreaking were not based on any copyright harm, i.e., any harm stemming from people making unauthorized copies. That's because a jailbreaker is, by definition, a person who has already bought an authorized copy of the Apple firmware. Apple complained that jailbreaking would lead to use of unauthorized apps, which could lead to a “degraded experience” for jailbreakers. In a victory for end-user choice, the Register decided that the DMCA shouldn’t stop phone buyers from taking that risk. If Apple is concerned about harm to its reputation, not its copyrights, that’s not a harm the DMCA was designed to address.
Does the exemption apply to toolmakers, the people who make and distribute the software that will allow you to jailbreak your phone?
No. There is no process for granting exemptions to those who make and distribute tools that allow users to circumvent copy or access controls. Yes, you read that right: the Copyright Office thinks jailbreaking your iPhone is fair use, but the DMCA may nevertheless prevent you from helping others do the same. Courts that have faced this paradox have increasingly rejected DMCA liability under these circumstances. Thus, there’s a growing body of case law holding that the circumvention has to be connected to infringing activity before it can violate the DMCA anticircumvention provisions.
Does that mean Apple has no way to stop me from jailbreaking?
No. Apple can still seek to hinder your freedom of choice through technical and contractual restrictions. But losing the DMCA threat means Apple has lost the biggest weapon in its “anti-consumer-choice” arsenal.
What about cell phone unlocking?
On EFF's request, the Librarian of Congress also granted an exemption for cell phone unlocking. Digital locks on cell phones make it harder to resell, reuse, or recycle the handset, prompting EFF to ask for renewal of this rule on behalf of our clients, The Wireless Alliance, ReCellular and Flipswap. In the report supporting the exemption, the Register noted that, as with jailbreaking, cell phone unlocking was simply not a copyright problem, and therefore copyright law had no business hampering it:
It seems clear that the primary purpose of the locks is to keep consumers bound to their existing networks, rather than to protect the rights of copyright owners in their capacity as copyright owners.
So I can unlock my phone tomorrow?
Yes and no. You can unlock your used phone without fear of being hit with a DMCA claim, though the rulemaking pretty clearly did not want to exempt people who bulk purchase and unlock new phones. You may still be under a service agreement with your provider, however, and the exemption doesn’t excuse you from these contractual obligations. For companies in the business of recycling used phones, this means they are able to keep more handsets out of landfill, which is good news for everyone.
The panel picking process has begun for SXSW 2011, which runs March 11-20 in Austin, Texas. This is your chance to vote for the panels you want to see at SXSW Music, Film, and Interactive. EFF has proposed several panels this year, including The Epic Fail of BitTorrent Indie Film Lawsuits, Legal Bootcamp: Electronic Privacy Law for Internet Startups, Identity Correction: Fair Use or Fraud?, I Can Has Appz and Privacy Too? and Big Brother on a Big Screen.
SXSW represents one of EFF's greatest opportunities to reach out directly to the filmmakers, writers, musicians, and software engineers who create online content, as well as the fans who want to post, critique, and remix that content. Every vote takes us one step closer to bringing EFF issues to SXSW. Vote now, because voting closes on Friday, August 27th.
Last month, we wrote about a New Jersey case in which the former publisher of a magazine and dating website for gay youth had declared bankruptcy. He and his former business partners were fighting over ownership of various business assets of XY Magazine and XY.com, including extensive personal information about more than a million customers. XY's privacy policies, however, had promised customers that their personal information would never be given to anybody.
The Federal Trade Commission warned (pdf) that any transfer or further use of the data would not only violate the privacy promises that XY had made to consumers, but would also likely be unlawful under the Federal Trade Commission Act, which prohibits unfair and deceptive acts and practices. The Commission suggested that the data be destroyed, which we agreed would be the best course of action.
We're happy to report that this potential privacy fiasco has ended well for XY's customers. The parties reached an agreement (pdf) under which the publisher is required to destroy all personally identifiable information about XY's customers. He may keep a limited amount of data for a short time to authenticate the identities of customers who have ordered back issues of the magazine, but he may not use that information to contact or locate any customers.
While this is a good outcome, the case highlights a problem that we're likely to see again and again. Companies provide services that rely on personal information supplied by consumers. Some of those companies will be sold or go out of business. The information that they've collected from their customers is a valuable asset, and its possible sale to the highest bidder will implicate the privacy of millions of people.
XY's customers were fortunate that the parties reached an agreement to destroy their personal data, but the Bankruptcy Code itself doesn't handle this scenario very well. Companies that possess customers' personal information are likely -- through their own privacy policies -- to give themselves permission to sell that information if they go out of business or have a change in ownership. And in the rare case where a company promises its customers that their personal information will never be disclosed to anyone, a bankruptcy court can still allow the data to be leased or sold if that transfer wouldn't otherwise violate the law.
Ultimately, Congress should update the Bankruptcy Code to better protect consumers whose personal information is treated as an asset in a bankruptcy proceeding. Bankruptcy courts should enforce privacy commitments that companies have made to their customers. And where a privacy policy permits transfer of customer information, those who buy the data should be required to obtain consumer consent to the transfer, and should not be allowed to use it for purposes different from those for which it was originally collected.
Efforts to protect net neutrality that involve government regulation have always faced one fundamental obstacle: the substantial danger that the regulators will cause more harm than good for the Internet. The worst case scenario would be that, in allowing the FCC to regulate the Internet, we open the door for big business, Hollywood and the indecency police to exert even more influence on the Net than they do now.
On Monday, Google and Verizon proposed a new legislative framework for net neutrality. Reaction to the proposal has been swift and, for the most part, highly critical. While we agree with many aspects of that criticism, we are interested in the framework's attempt to grapple with the Trojan Horse problem. The proposed solution: a narrow grant of power to the FCC to enforce neutrality within carefully specified parameters. While this solution is not without its own substantial dangers, we think it deserves to be considered further if Congress decides to legislate.
Unfortunately, the same document that proposed this intriguing idea also included some really terrible ideas. It carves out exemptions from neutrality requirements for so-called "unlawful" content, for wireless services, and for very vaguely-defined "additional online services." The definition of "reasonable network management" is also problematically vague. As many, many, many have already pointed out, these exemptions threaten to completely undermine the stated goal of neutrality.
Here's a more detailed breakdown of our initial thoughts:
Limited FCC Jurisdiction — Good:
Those who have followed EFF’s position on net neutrality will know that, while we strongly support neutrality in practice, we are opposed to open-ended grants of regulatory authority to the FCC. On that score, the Google/Verizon proposal takes a promising new approach. It would limit the FCC to case-by-case enforcement of consumer protection and nondiscrimination requirements and prohibit broad rulemaking. In essence, it tries to limit the FCC to the type of authority that the FTC has — the authority to investigate claims as they are made.
This limitation, if enforced, could help avoid many of the problems we’ve been concerned about, such as the possibility that a future FCC might decide to take on the role of “Internet indecency” police or, as a result of regulatory capture, might become an innovation gatekeeper, blocking new ideas by small innovators in order to protect the interests of big dinosaurs.
The proposal also rightly exempts software applications, content and services from FCC jurisdiction. Suggestions that the content layer should be directly regulated by the FCC were among the most wrong-headed in past debates about this issue.
The provision does suggests the use of “private non-governmental dispute resolution processes,” which is somewhat troubling — we’ve seen how such processes can be gamed by repeat players.
Standard-Setting Bodies — Interesting:
The proposal also has an interesting suggestion for handling concerns about politicization of the FCC processes and the need for a deep technological understanding to make good decisions in this area: standard-setting bodies. It suggests that “reasonable network management” should be “consistent with the technical requirements, standards or best practices adopted by an independent, widely recognized Internet community governance initiative or standard-setting organization.”
This idea is intriguing, but there are some reasons to be wary. Standard-setting bodies can sometimes do a better job of recognizing and resisting bad technological arguments than political or agency bodies. And technical bodies successfully developed many of the standards that make the Internet great. But as we well know at EFF, standards bodies are not immune to bad ideas. We spent years fighting anti-consumer efforts in various standard-setting fora around DRM and trying to correct some bad standards that had been set in the area of evoting. In those instances, we found that allegedly "independent" standards bodies were often closed to the voices of consumers and small innovators, wrapped in secrecy, and lacking basic mechanisms needed to ensure accountability. If standards bodies are to be introduced as part of a network neutrality oversight scheme, that language needs to guarantee that the processes are completely transparent and representative of the interests of user and independent developer communities.
Reasonable Network management, Additional Online Services — Troubling:
The definition of “reasonable network management” needs to be clarified and refined. While we think the way that standard-setting organizations are included in the definition is interesting and potentially constructive, the language on what makes some network management ”reasonable” is extremely unclear. For EFF, the first test for a network neutrality proposal is this: would it have clearly prevented Comcast from interfering with BitTorrent? In the Google/Verizon proposal, because of ambiguous exceptions like the one that allows an ISP “otherwise to manage the daily operation of its network“, we can't be sure that that's true.
The cutout for “additional online services” is also very disturbing. Many have pointed out that it could be the exception that swallows the nondiscrimination rule. After all, much of the innovation we expect to occur in the future will involve services “distinguishable in scope and purpose from broadband Internet access service, but could make use of or access Internet content, applications or services." If discrimination is allowed for all such things, then there could easily be little left on the “neutral” part of the Internet in a few years. There may be some services that need traffic prioritization, such as urgent medical services, but the approach in the proposal creates no real limits on what could be allowed as an “additional online service.” It would be much better if space for these services was addressed through waivers or other processes that put the burden on the company suggesting such services to prove that they are needed. And such processes must be fully transparent — not just consumers but the FCC must be in a position to know how these services work and what impact they are having. They must also be open to real debate and opposition.
“Lawful” Content and Wireless Exclusions — Fail:
The proposal essentially ignores some of the key problems that EFF and others have had with previous network neutrality proposals. These loopholes could undermine the goals of neutrality, or lead to unanticipated and regrettable outcomes.
We share these initial thoughts in order to surface some details that may be lost in the controversy sparked by this proposal. Others are weighing in with valuable comments as well, and we are paying close attention to their views. We urge policymakers to do the same.
