Last week, the Conseil Constitutionnel, the highest authority on the French Constitution, declared the provisions of a law permitting judicial and police use of a centralized national ID database to be unconstitutional. 200 members of the French Parliament referred the law to the Conseil following the law's adoption on March 6th. The Conseil determined that the use of the centralized database was incompatible with France's fundamental rights, including the right to privacy and the presumption of innocence.
The proposed legislation mandated compulsory civilian ID cards containing a chip designed to store personal and biometric information, including home address, marital status, eye colour, and fingerprints. Proponents argued that the biometric ID card would be used to stop “honest folk” from becoming the victims of identity fraud. In fact, the law would have enabled the "honest folk" database to be used for criminal and judicial purposes. The Conseil correctly determined that such uses constituted a serious incursion into the right to private life, disproportionate to the law’s stated objective.
Another provision in the law would have allowed for a second, optional chip to be used for online authentication in e-commerce transactions. The Conseil determined that such use would require too broad a range of personal data to be collected without any guarantees of security and confidentiality. Furthermore, it condemned the law’s vague conditions for authenticating individuals, especially minors. EFF welcomes the Conseil's decision to strike out substantial parts of the legislation to protect privacy. Nevertheless, the Conseil should explain its reasoning, which it left unstated, for leaving significant anti-privacy portions of the law intact, namely the collection of biometric data for the purpose of preventing ID fraud.
The argument for biometrics is predicated on the flawed assumption that a national biometric ID scheme will prevent identity fraud. Massive databases already invite security breaches and a biometrics database of this scale is a honeypot of sensitive data vulnerable to exploitation. Such a data breach is not just costly—it is irreversible, you cannot change your fingerprints or your irises.
In its decision, the Conseil emphasized that it is not ruling either for or against biometrics [PDF, in French] (p.21):
This decision of the Council's should not be interpreted as being either in favour of biometrics or against it. Nor is the Council expressing any opinion either in favour of a register of biometric data or against it. What the Council is saying is that the safeguards involved in the creation and deployment of this register are inadequate. In the circumstances, the Council is not in a position to over-ride the wishes of the legislature.
The Conseil’s ambivalent statement is politically understandable. Regulators tend to romanticize the security and accuracy of biometric systems. In fact, there is a lack of evidence to demonstrate the reliability and proportionality of this new technology. Jean Marc Manach, a blogger and journalist from Owni.fr, argues that biometrics has proven inaccurate and therefore ineffective in fighting identity fraud or anything else. As long ago as August 2009, The Register magazine suggested that our trust in biometric technology is a delusion.
Last year, a French report revealed that 10% of biometric passports were fraudulently obtained [French]. The introduction of biometrics is exacerbating the problem of identity fraud instead of solving it. The French government already has several powerful surveillance technologies available to track people's movements, including mobile phone logs, web usage logs and credit card usage logs. They must provide evidence first that they can use this technology to enhance security before spending taxpayer money on another National ID biometric scheme.
French smart card and biometrics companies have lobbied heavily for the “honest folks” law. Their trade association, GIXEL (Professional Association of Industry and Electronic Components) gained notoriety in 2004 when they won the infamous French “Big Brother” award, for their systematic attacks on the right to privacy. Ironically, GIXEL got the award for their proposal to "educate" children under 6 years old and their parents about the need for biometric “security.”
The proposed collection of this vast amount of biometric information gives governments too much unchecked power and opens the door for government abuse. In their referral to the Conseil, French parliamentarians quoted Martin Niemöller's chilling poem "First they came." They argued that had this kind of database existed during WWII, the Nazis and collaborators in Vichy France could have more easily arrested French Résistance fighters based on their fingerprints or facial scans.
In 2011, EFF, as one of 80 civil liberties organizations, asked the Council of Europe to investigate whether national biometric ID laws in Europe comply with the Council of Europe Privacy Treaty and the European Convention on Human Rights.
In light of the long list of privacy concerns surrounding biometrics, and the guarantee of future security breaches, biometric national ID laws cannot be justified. As more nations continue to adopt and implement biometric ID laws, now is the time for the Council of Europe to comply with its duty to seriously confront all of these issues. Under our watch, we refuse to let states collect massive amounts of biometric data without regard to our privacy rights.
H.O.P.E. stands for Hackers On Planet Earth, one of the most creative and diverse hacker events in the world. HOPE Number Nine will be taking place on July 13, 14, and 15, 2012 at the Hotel Pennsylvania in New York City. If you haven't been before, this is the year to attend. For every ticket purchased in the month of April, conference organizers 2600: The Hacker Quarterly are donating 10% of the proceeds to EFF--so buy your tickets today!
For three full days and nights you can explore hackerspace villages, film festivals, art installations, vintage computers, electronic workshops, savor the country's biggest supply of Club-Mate, and attend the host of provocative talks that HOPE has become well-known for offering. Join thousands of hackers to hear this year's keynote on hacking corporations by famous troublemakers and EFF clients The Yes Men, as well as these exciting talks from EFF staffers:
- Staff Attorney Hanni Fakhoury will talk about the law on location data, and what the Supreme Court's recent U.S. v. Jones ruling means for the future of warrantless surveillance.
- Senior Staff Attorney Marcia Hofmann will talk about protecting your data from the cops.
- Activist Eva Galperin will talk about the Google+ Nymwars and the struggle to maintain a space for anonymity and pseudonymity on the Internet.
- Web Developer Micah Lee will give some privacy tips for web developers building activist websites.
Don't miss out, HOPE conferences happen only once every two years. Support EFF, indulge your curiosity, and we *hope* to see you there! Register at http://store.2600.com/hopenumbernine.html.
San Francisco - A small business owner who used Megaupload's cloud-based storage system as part of his daily operations has asked a federal court to establish a process that would allow him and other lawful Megaupload users to get their files back. The procedure would help rectify the collateral damage caused by the government's seizure of Megaupload.com as part of a copyright infringement investigation.
The Electronic Frontier Foundation (EFF) represents Kyle Goodwin, who runs a business reporting on high school sporting events in Ohio. Goodwin stored his video footage on Megaupload's servers as a backup to his hard drive. In January, the FBI shut down Megaupload.com and executed search warrants on the company's servers, locking out all Megaupload customers in the process. When Goodwin's hard drive crashed, he could not get access to any of his own video files, which he needed to conduct his business.
"The court can help make Mr. Goodwin – an innocent party here – whole again," said EFF Staff Attorney Julie Samuels. "With government seizures growing, we're likely to see more and more cases like this, where lawful customers of a cloud service lose property in a federal copyright case. We're hoping the court will set an important precedent to protect users from overzealous government agents."
Megaupload was leasing some of its servers from hosting company Carpathia, and after the government finished its examination of the servers, it told Carpathia it was free to delete the contents. This week, Carpathia moved for a protective order that would allow for an approved procedure for customers to retrieve their files before deletion. The brief EFF filed today was in support of that motion, urging the judge to expedite the return of rightful property to Goodwin and other lawful Megaupload users.
"Mr. Goodwin has suffered a significant loss to his business, through no fault of his own," said EFF Intellectual Property Director Corynne McSherry. "Megaupload's innocent users deserve an opportunity to get their important data back before it's destroyed forever."
EFF was assisted by co-counsel Abraham Sofaer of the Hoover Institution and John Davis of Williams Mullen.
For the full brief:
On Monday, a joint Commons and Lords committee published a report urging Google and other sites to take proactive steps to monitor their search results in order to protect the privacy of certain individuals. As a result, a committee of Parliamentary members has begun pushing for legislation to force search engines and social networks to censor themselves. The committee, set up by the prime minister, arose out of increasing controversies and injunctions to protect people’s online image.
Committee chair John Whittingdale stated, "It is clear that media self-regulation under the [Press Complaints Commission] did not work. We therefore wish to see a stronger self-regulatory system that is seen to be effective and commands the confidence of the public." Citing the high cost of legal action, the committee claims that self-regulation by companies would be the optimal way of dealing with claims of privacy violation.
There have been an increasing number of censorship cases in the UK. In February, members of the UK Parliament concluded in a report that the Internet plays a major role in the radicalization of terrorists and called on the government to pressure Internet Service Providers in Britain and abroad to censor online speech. On a more local level, a small district court in Swansea sentenced a university student to jail for 56 days after admitting to have posted racially offensive comments on Twitter about soccer player Fabrice Muamba who had collapsed from cardiac arrest during a game in March. The district judge, after calling the comments “vile and abhorrent,” told the student, "I have no choice but to impose an immediate custodial sentence to reflect the public outrage at what you have done.”
Censorship is most alarming when states use state security or supposed social appropriateness to justify their action. The fact of the matter is that speech is speech. When governments and their courts are left to decide what kind of speech is “good” or “bad” for society, there's an increased threat that those authorities will abuse their power to silence anyone in the name of the public good.
United Arab Emirates
United Arab Emirates authorities briefly detained Islamic scholar and political activist, Mohammed Abdel-Razzaq al-Siddiq, on Sunday for comments he made on Twitter. Mohammed was arrested for criticizing a sheik of one of the emirates (city-states). He was arrested Sunday at dawn and was released by the end of the day.
Earlier this month, blogger and activist Saleh AlDhufair was arrested for criticizing repressive actions by state authorities on his Twitter account and blog. He remains imprisoned and could face up to 5 years in prison under new far-reaching cyber crime laws. Last summer, Emirati authorities imprisoned five activists, who were subsequently pardoned by the president in November.
Pakistani authorities shut down mobile phone networks for a day in Balochistan, one of the state’s four provinces. The day was March 23, a national day known as Pakistan Day celebrating the first adoption of the constitution and its status as the first Islamic republic. The southern province was struck with chaos as people began to report blocked communications throughout the region, justified in the name of “national security.” As one of the poorest regions in the country, Balochistan has had a long history of conflict with the Pakistani government due to an ongoing separatist movement that began with its refusal to accede to the state.
EFF has continued to cover censorship policies in Pakistan, from its efforts to censor words in SMS text messages to its recent initiative to enact a national web filtering and blocking program. This recent cell phone ban demonstrates how Pakistani telecommunications companies are submitting to the demands of the state to censor their customers. Bytes for All, Pakistan condemned the companies and the state for allowing a blanket cell phone ban to occur:
Such bans are gross violation of citizens’ consumer rights and Telcos should have put some pressure on the authorities to push back on such hegemonic decisions…We demand from the Government to uphold the fundamental rights of its citizens and stop playing the false alarms of “national security” to curb fundamental rights, especially freedom of expression, speech and opinion.
While the state undoubtedly has a responsibility to uphold its citizens’ free speech rights, companies providing the services also have a duty to respect their customers’ rights. Since the Pakistani Ministry of Information Technology backed out of its plans to subsidize a national filtering and blocking system, there is strong concern about the next steps the government will take to implement other forms of censorship of Internet and mobile communications.
A Bangladeshi court order from last week marks another recent incident of increased censorship efforts in the South Asian country. The court ordered the shutdown of five Facebook pages and a website for content deemed blasphemous against Islam, while demanding that content hosts and creators be brought to justice for “uploading indecent materials.” The most chilling aspect of the order is that the court expresses a desire to find ways of facilitating future blocking of websites and pages.
Two university teachers initiated the takedowns when they filed a suit complaining about the pages and their supposed negative effects on “religious sentiments.” This latest move comes following Bengali authorities’ increased monitoring of Facebook for political expression. EFF will be monitoring future efforts in Bangladesh to block content online.
Facebook has been a popular place for Syrian Internet activists to share their opposition to the Assad regime ever since the site was unblocked by the Syrian government in early 2011. While some interpreted the Assad regime's decision to allow access to Facebook as a positive sign, others feared that the government had made Facebook available for the purpose of entrapping Syrian activists.
In the past month, EFF has reported on several instances of pro-Syrian-government hackers targeting Syrian Internet activists using malware spread through chats and emails, as well as updates downloaded from a fake YouTube site. Most recently, we've seen reports from Syrian opposition networking specialists of a phishing attack aimed at Syrian activists, spread primarily on pro-revolution forums on Facebook.
The screenshot below shows the phishing link accompanied by the following text in Arabic: Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs.. please spread this.
The screenshot below displays the link in a comment under a pro-revolution video. The phishing link is accompanied by the following text in Arabic: Urgent. The thug Sharif Shihada was arrested by the Free Army. Captured by Ahrar Al Qlamoun battalion... please spread the video of him denouncing the Syrian Regime... Allahu Akbar, victory to our revolution and Free Army.
The screenshot below shows the fake Facebook login page. Note the non-Facebook URL in the URL bar of the browser.
Facebook users should be especially cautious about clicking on links in the comment sections of pro-Syrian-revolution forums, especially if they are accompanied by this text. Facebook users should beware of fake pages that resemble the Facebook login page. Always check the URL bar at the top of your browser to make sure it reads https://www.facebook.com. When in doubt, type https://www.facebook.com manually to get to Facebook.
This attack steals usernames and passwords and could potentially give an attacker access to all of the private information in your Facebook account. Syrian Facebook users should also be cautious about clicking on links sent over Facebook by their friends, whose accounts may have been compromised.
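The URL-bar check the post recommends can also be applied mechanically, for instance by a moderator scanning forum comments for look-alike login links. This is an added example, not code from the original post; the host names in the sample comment are constructed placeholders, and the genuine origin is the one the post names.

```python
import re
from urllib.parse import urlparse

# The only origin the post tells readers to accept for the Facebook login page.
GENUINE_HOST = "www.facebook.com"

# Matches http(s) links inside free text such as a forum comment.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def looks_like_genuine_login_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason): ok is True only for the exact https://www.facebook.com origin."""
    try:
        parts = urlparse(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    # 'https://www.facebook.com@other.example/' puts the real host after the '@';
    # everything before it is a username, which a genuine login link never has.
    if parts.username is not None or parts.password is not None:
        return False, "URL carries userinfo before the host"
    host = parts.hostname  # urlparse already lower-cases this
    if host is None:
        return False, "no host"
    if host != GENUINE_HOST:
        # Exact comparison rejects 'www.facebook.com.other.example',
        # 'facebook-login.example' and punycode look-alikes ('www.xn--...').
        return False, f"host is {host!r}, not {GENUINE_HOST!r}"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, f"non-standard port {port}"
    return True, "ok"


def lookalike_links(text: str) -> list[tuple[str, str]]:
    """Links in a comment that mention 'facebook' but are not the genuine origin."""
    flagged = []
    for url in URL_RE.findall(text):
        if "facebook" not in url.lower():
            continue  # links to other sites are out of scope for this check
        ok, reason = looks_like_genuine_login_url(url)
        if not ok:
            flagged.append((url, reason))
    return flagged


# Constructed sample comment in the style the post describes (placeholder hosts).
SAMPLE_COMMENT = (
    "Urgent.. please spread this: http://www.facebook.com.video-leak.test/login "
    "and see the real group at https://www.facebook.com/groups/123"
)

if __name__ == "__main__":
    for url, reason in lookalike_links(SAMPLE_COMMENT):
        print(f"suspicious: {url} ({reason})")
```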
EFF is deeply concerned to see targeted attacks on Syrian Internet activists increasing in number and using increasingly diverse methods. We will continue to keep a close eye on developments.
Last week, Forbes’ Andy Greenberg investigated a dangerous but largely underreported problem in Internet security: the sale of zero-day exploits to customers not intending to fix the flaws. Zero-day exploits are hacking techniques that take advantage of software vulnerabilities that haven’t been disclosed to the developer or the public. Some companies have built successful businesses by discovering security flaws in software such as operating systems and popular browsers like Google Chrome and Microsoft Internet Explorer, and then selling zero-day exploits to high-paying customers—which are often governments.
France-based VUPEN is one of the highest-profile firms trafficking in zero-day exploits. Earlier this month at the CanSecWest information security conference, VUPEN declined to participate in the Google-sponsored Pwnium hacking competition, where security researchers were awarded up to $60,000 if they could defeat the Chrome browser’s security and then explain to Google how they did it. Instead, VUPEN—sitting feet away from Google engineers running the competition—successfully compromised Chrome, but then refused to disclose their method to Google to help fix the flaw and make the browser safer for users.
“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.
While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million.
But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful. Another hacker who goes by the handle “the Grugq” says he acts as a middleman for freelance security researchers and sells their exploits to many agencies in the U.S. government. He implies the only reason he doesn’t sell to Middle Eastern countries is they don’t pay enough.
Regardless of who the buyers are, any security researcher selling zero-day exploits to those who take advantage of vulnerabilities rather than fixing the software is responsible for making the Internet less secure for users. The existence of a marketplace for such transactions does not legitimize the practice, and security researchers should never turn a blind eye to their ethical responsibility to help improve technology. We should help ensure the Internet promotes freedom and safety, and is not a system to control and oppress.
The governments who buy zero-day exploits also bear responsibility here. The administration has repeatedly warned of a crippling cyber-attack to our infrastructure and Congress is in the midst of debating an expansive new "cybersecurity" bill that, as EFF previously explained, will likely invade users’ privacy in the name of promoting Internet security. Yet the sale and use of exploits that leave ordinary users of popular software vulnerable—a real cybersecurity threat—remains unmentioned in this cybersecurity debate.
The U.S. government has the ability to make us more secure right now with no new legislation. Anyone—including the U.S. government—who has knowledge of security vulnerabilities should notify the affected companies and help fix the problems. Keeping flaws under wraps makes millions of Internet users less safe. If exploits are used to conduct attacks on network infrastructure, either in other countries or the U.S., those who sell exploits could be complicit in such acts.
A good cybersecurity discussion would address this issue head-on. If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal. Unfortunately, if these exploits are being bought by governments for offensive purposes, then there is pressure to selectively harden sensitive targets while keeping the attack secret from everyone else, leaving technology—and its users—vulnerable to attack.
As EFF has stated previously, this is "security for the 1%," and it makes the rest of us less safe.
Issa Report Gives Federal Government C-minus on FOIA Processing
The US House Committee on Oversight and Government Reform, chaired by Darrell Issa (R-CA), released a report (pdf) that graded the federal government and its agencies on their ability to manage FOIA requests. We've documented extensively the lack of transparency in the current administration, and, for advocates following the issue, there was no surprise that the Committee's report gave the federal government a C-minus. In addition to the government's C-minus grade overall, the Department of Justice (DOJ), the Department of Defense (DOD), and the Department of Homeland Security (DHS) each individually received D’s.
To conduct the report, Rep. Issa sought information about the FOIA tracking systems of 100 federal agencies. In particular, Rep. Issa requested an electronic, sortable copy of the agency’s FOIA processing “logs,” containing various information on requests and the agency’s processing of those requests. Many agencies produced incomplete logs, produced logs that tracked FOIA requests inconsistently, or couldn’t produce logs in a sortable electronic format at all. The report concluded with an ominous warning: "When agencies cannot even produce FOIA logs with basic information to Congress, it raises serious concerns about their ability to meet their legal obligations to FOIA requesters."
Administration Officials Defend Against FOIA Faults
After the release of the above-mentioned report, on March 21 a subcommittee of the US House Committee on Oversight and Government Reform held a hearing titled, "FOIA in the 21st Century: Using Technology to Improve Transparency in Government." The hearing focused on the creation of a central FOIA website for citizens to access unified FOIA instructions, but also saw witnesses defending their FOIA stats. Witnesses included administration officials from the Department of Justice, the National Archives, and the Environmental Protection Agency. Melanie Pustay, the Director of DOJ’s FOIA office, defended the government's transparency record stating that the government released records in part or in full in response to 93.1% of requests where records were located and processed for disclosure. However, releasing records, and releasing meaningful records, are often two distinct things. EFF frequently receives records that disclose virtually nothing about the topic or that have such substantial (and often arbitrary) redactions that the records are meaningless.
While the centralized FOIA website is a step in a more transparent direction, DOJ should start by concentrating on making meaningful responses to FOIA requests.
Push for Transparency in Bradley Manning Court-Martial
On Thursday, Michael Ratner, president of the Center for Constitutional Rights and the lawyer who represents Wikileaks and Julian Assange, called (pdf) on the military court in Bradley Manning's case to release documents relating to Manning's military trial. Ratner pointed to the presumption in military law of public court martials and the public’s compelling interest in access to the trial and court documents.
Ratner's letter follows a March 12 letter, (pdf) spearheaded by the Reporters Committee For Freedom of the Press and signed by more than 40 news organizations, to the General Counsel of the Department of Defense requesting DOD implement measures that will allow media organizations to review documents relating to the Manning case. The organizations asked DOD to immediately post all filings, decisions, and transcripts that don't require full classification online; to post those that do need classification review within 15 days; and to adopt other measures that will enhance the public’s access to Manning’s court-martial.
The U.S. legislature has cybersecurity on the brain. In the coming months, the House and the Senate will consider a confusing variety of cybersecurity bills--including H.R. 3523 (Rogers), H.R. 3674 (Lungren), S. 2105 (Lieberman), and S. 2151 (McCain)--all of which purport to keep U.S. companies and infrastructure safe from “cyberattacks." But as Congress continues to weigh this legislation and negotiate potential amendments, users should ask some serious questions about how these proposals will affect civil liberties, and tell Congress that we won't stand for cybersecurity bills that undermine our civil liberties. Here are four hard questions that Congressmembers should be asking about these bills--the answers to which the bills disagree on or dodge entirely.
Who will be in charge of cybersecurity?
The Rogers bill (H.R. 3523) proposes to put the military-intelligence community in charge of cybersecurity while the Lungren bill (H.R. 3674) keeps it under civilian control by putting it in the hands of the Department of Homeland Security. Given the National Security Agency’s history of secrecy and over-classification, military control of cybersecurity is a potentially disastrous outcome for those who are concerned with counter-balancing hysteria over “cyberwarfare” and “cybercrime” with respect for privacy and civil liberties. Civilian control over cybersecurity is essential if there is to be any degree of openness and transparency in U.S. cybersecurity policy.
Governmental cybersecurity programs must aim to achieve security through openness and the use of transparent, accountable processes. Governments have a special duty to their citizens to guard their privacy and civil liberties, as well as a duty to be accountable for their use of taxpayer dollars. Government programs are, by their very nature, not competing in a marketplace, where there are sometimes strong financial incentives for the clever use of secretive practices. Additionally, the sprawling nature of U.S. infrastructure decreases the likelihood of keeping secrets against adversaries and increases the potential benefits of constructive scrutiny from all corners. Simply put: open is better, and there is no way cybersecurity policy will be open under military control.
What exactly is a “cybersecurity threat?”
At this time, most of the proposed cybersecurity bills grant the government broad powers in the event of a “cybersecurity threat.” Unfortunately, we don’t know what that means. EFF has raised detailed concerns about the potential harm this vague language could do if the existing legislative proposals are passed into law. In brief, broad definitions potentially implicate tools and behaviors that security experts would NOT reasonably consider to be cybersecurity threat indicators. Just using a proxy or anonymizing service such as Tor, encryption to protect your data, or measuring your ISP’s network performance could all be construed as “cybersecurity threats” in some of these legislative proposals. People who take measures to protect their own privacy and security online in ways that EFF regularly recommends and supports could potentially be treated like criminals. And even under a more generous reading of the language, legitimate security research would be targeted and security researchers could find themselves under perpetual scrutiny as potential “cybercriminals.”
What does "information sharing" mean?
All of the proposed cybersecurity bills mandate some kind of “information sharing” or “government assistance” between the U.S. government and the private companies that have access to so much of our personal data, including email, web searches, GPS data, and our social graphs. Companies are encouraged to share information about “cyber threats” or incidents with the government, and to that end the bills provide them with immunity when sharing information about threats.
Some of the proposals balance this information-sharing with privacy oversight, to make sure that shared information does not impinge on individual privacy or civil liberties, but proposals such as the Rogers bill contain no such protective language. The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for “cybersecurity purposes.” Just invoking “cybersecurity threats” is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law. Additionally, the Rogers bill places almost no restrictions on what kinds of information can be collected and how it can be used, so long as the companies can claim it was motivated by “cybersecurity purposes.” S. 2105 (Lieberman) and S. 2151 (McCain) contain similarly dangerous provisions.
As if that wasn't bad enough, "information sharing" is often just a euphemism for surveillance and countermeasures, including monitoring email, filtering content, or blocking access to websites.
Will the cybersecurity bills improve our security or not?
Ideally, cybersecurity legislation would benefit U.S. citizens by protecting government systems and infrastructure in a manner that is open, accountable, transparent, and respectful of citizens’ privacy and civil liberties. Unfortunately, there are aspects of the proposed cybersecurity bills that lead us to believe the American people will not be coming out on top.
There is little doubt that the Internet could stand to be a safer place. Major operating systems have security vulnerabilities, as does plenty of other commercial off-the-shelf software. The Internet could use more encryption, more secure protocols, and better authentication schemes. But the cybersecurity bills don't do any of these things. Instead of creating incentives for better defensive Internet security, the proposed bills take an offensive posture: more monitoring, more surveillance, and more disclosure of your private information. Not only will the cybersecurity bills fail to make us safer, they will put users' privacy and security at risk.
Help EFF stop the worst of the cybersecurity proposals by sending an email to Congress today.
Earlier today, the Federal Trade Commission (FTC) released its final report on digital consumer privacy issues after more than 450 companies, advocacy groups and individuals commented on the December 2010 draft report. The final report creates strong guidelines for protecting consumer privacy choices in the online world. The guidelines include supporting the Do Not Track browser header, advocating federal privacy legislation, and tackling the issue of online data brokers. We’re pleased by the flexible and user-centric nature of the privacy report, but we will continue to monitor how such principles are actually enacted.
Do Not Track & W3C
Echoing the support from the Obama Administration in its recent privacy white paper, the FTC praised the Do Not Track flag, which would provide an in-browser setting that users could use to tell companies that they do not want to be tracked around the web. While acknowledging the important steps media and advertising consortiums like the Digital Advertising Alliance have made toward better informing users about how behavioral advertising works, the FTC emphasized the World Wide Web Consortium’s (W3C) ongoing effort to craft meaningful standards to govern tracking in its multistakeholder process, which includes representatives from EFF. These meaningful standards will ensure that Do Not Track does not become a weakened "Do Not Target" standard. The Commission report stated: “The W3C group has made substantial progress toward a standard that is workable in the desktop and mobile settings, and has published two working drafts of its standard documents. The group’s goal is to complete a consensus standard in the coming months.”
The issue of Do Not Track versus Do Not Target is fundamental to online behavioral tracking. In a dissenting opinion, Commissioner J. Thomas Rosch raised questions about industry figures such as the Digital Advertising Alliance’s influence on the W3C process: “It may be that the firms professing an interest in self-regulation are really talking about a ‘Do Not Target’ mechanism, which would only prevent a firm from serving targeted ads, rather than a ‘Do Not Track’ mechanism, which would prevent the collection of consumer data altogether.”
We share Commissioner Rosch’s concerns. EFF is working through the W3C process with the good faith belief that the consensus end-result will provide users with a meaningful form of protection from tracking, not just the display of targeted advertisements. By continuing to engage in this forum with both industry figures and other consumer advocates, EFF is committed to ensuring that a real Do Not Track mechanism is created and we’re sending representatives to Washington D.C. next month to fight for users and innovators in the next W3C meeting.
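The distinction Commissioner Rosch draws is a concrete one at the HTTP layer: a browser with the setting enabled sends the request header `DNT: 1`, and what the receiving server does with it is entirely up to the server. The following is an added example, not code from EFF, the FTC or the W3C, that puts a "Do Not Track" handler beside a "Do Not Target" handler so the difference is visible in what each one collects. The request and response shapes, the `uid` cookie name and the tracking log are constructed for the illustration.

```python
"""Honouring the Do Not Track (DNT) request header.

Added illustration, not code from EFF, the FTC or the W3C. It contrasts a
genuine "Do Not Track" implementation (no identifier is set, read or logged
when DNT: 1 is present) with a weaker "Do Not Target" one (targeted ads are
suppressed but collection continues). Request shape, cookie name and log
format are constructed for the example.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    headers: dict
    cookies: dict


@dataclass
class Response:
    body: str
    set_cookies: dict = field(default_factory=dict)


def dnt_requested(request):
    """True only when the request carries the opt-out value DNT: 1."""
    # Header names are case-insensitive, so normalise before comparing.
    # "1" is the only value that expresses a tracking opt-out; "0" or an
    # absent header means no preference has been expressed.
    for name, value in request.headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def handle_do_not_track(request, tracking_log):
    """Do Not Track: with DNT: 1, no identifier is assigned, read or logged."""
    if dnt_requested(request):
        # Serve untargeted content and leave no record of the visitor.
        return Response(body="generic ad")
    uid = request.cookies.get("uid") or secrets.token_hex(8)
    tracking_log.append(uid)
    return Response(body=f"targeted ad for {uid}", set_cookies={"uid": uid})


def handle_do_not_target(request, tracking_log):
    """Do Not Target: the ad changes, but the identifier is still set and logged."""
    uid = request.cookies.get("uid") or secrets.token_hex(8)
    tracking_log.append(uid)  # collection happens regardless of the DNT header
    body = "generic ad" if dnt_requested(request) else f"targeted ad for {uid}"
    return Response(body=body, set_cookies={"uid": uid})


def compare(request):
    """Run both handlers on one request and report what each one collected."""
    track_log, target_log = [], []
    r1 = handle_do_not_track(request, track_log)
    r2 = handle_do_not_target(request, target_log)
    return {
        "dnt": dnt_requested(request),
        "do_not_track": {
            "body": r1.body,
            "cookie_set": "uid" in r1.set_cookies,
            "records": len(track_log),
        },
        "do_not_target": {
            "body": r2.body,
            "cookie_set": "uid" in r2.set_cookies,
            "records": len(target_log),
        },
    }


if __name__ == "__main__":
    # Constructed sample request from a browser with the DNT setting enabled.
    req = Request(headers={"Host": "ads.example", "DNT": "1"}, cookies={})
    print(compare(req))
```

Both handlers return the same "generic ad" body for a DNT: 1 request, which is exactly why a user cannot tell them apart from the browser: only the server-side record shows that the "Do Not Target" variant still assigned a cookie and wrote a log entry.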
We were pleased that the FTC sang the praises of the HTTPS Everywhere Firefox add-on (developed by EFF and the Tor Project) as a mechanism to give users privacy and security when they browse the web. If you haven’t downloaded HTTPS Everywhere, you should do it now—it’s free in both senses of the word and we’ve even got a beta version available for Chrome.
Advocacy groups like the Privacy Rights Clearinghouse and the World Privacy Forum have done substantial work articulating the privacy concerns around data brokers. “Data brokers” is a loose term for a wide range of companies that collect data on individuals from public, semi-public, and occasionally private sources, both online and offline, and then repurpose that data for business ends, such as selling it in bulk to large advertisers or running websites that publish profiles of individuals. As the FTC correctly noted, many consumers are unaware that these companies exist. As the Privacy Rights Clearinghouse explains on its site, companies in this largely unregulated industry may not offer users a way to opt out of having data included in broker lists, may charge fees to have data removed, and may later repost data that was suppressed at a user’s request.
The FTC articulated the problems with data brokers and reaffirmed its support for legislation that would provide individuals with access to their personal data held by these companies. In addition, the FTC urged the data broker industry to create a central website that would explain the access rights and other options (e.g. opt out choices) available to consumers and links to exercising these choices. Notably, the Privacy Rights Clearinghouse has already gotten things started with its Online Data Vendors List.
We think this is a strong first step, but the FTC could easily have urged data brokers to provide a single website through which users can opt out of having their data listed by any online data broker. Right now, not all data brokers give users a way to opt out of having their personal data listed. A user who wants her information removed from these sites has little legal weight to force companies to respect her choice. One exception is California’s recently passed Personal Information: Internet Disclosure Prohibition. Introduced by Senator Ellen Corbett, the law prohibits websites from intentionally posting the home addresses of individuals enrolled in California’s Safe at Home program (such as victims of stalking and domestic violence who enroll in the state-wide address protection program). Outside of this very narrow category of users, individuals have no right to have their data suppressed from publicly displayed data broker records.
In general, we’re pleased by the new privacy framework set forth by the Commission. We hope Congress, the Commerce Department, and industry figures will turn to it as they continue crafting policy around user data in coming years.
You might remember that late last year, Congress passed the America Invents Act, a largely toothless law that fails to address many of the biggest problems facing the patent system. In implementing that new law, the Patent and Trademark Office issued proposed guidelines for certain supplemental examination procedures. The PTO also recommended a huge increase in fees for filing certain patent reexaminations. As you might guess, this is a terrible idea.
The reexam process is an essential part of the patent ecosystem. It forms the basis for our Patent Busting Project and allows us to attack dangerous and overbroad patents like those that are asserted against cash-strapped municipalities.
It's vitally important that public interest groups like EFF and small entities who may lack substantial resources be able to participate in reexams at the PTO. Raising the fees for filing reexams to $17,750 (for filing alone!) promises to discourage that important third-party participation, which the Patent Office claims to care much about. Today, we filed comments with the Patent Office saying as much, and urging the Office to reconsider the fee increase – or at least carve out an exception for public interest groups and other small entities. The Patent Office should use this opportunity to encourage the type of participation in the reexam process that benefits inventors, users, and an agenda that promotes innovation.
Files: EFF_comments_PTO-P-2011-0075.pdf
On Thursday, U.S. Attorney General Eric Holder signed expansive new guidelines for terrorism analysts, allowing the National Counter Terrorism Center (NCTC) to mirror entire federal databases containing personal information and hold onto the information for an extended period of time—even if the person is not suspected of any involvement in terrorism. (Read the guidelines here).
Despite the “terrorism” justification, the new rules affect every single American. The agency now has free rein to, as the New York Times’ Charlie Savage put it, “retrieve, store and search information about Americans gathered by government agencies for purposes other than national security threats” and expands the amount of time the government can keep private information on innocent individuals by a factor of ten.
From the New York Times:
The guidelines will lengthen to five years — from 180 days — the amount of time the center can retain private information about Americans when there is no suspicion that they are tied to terrorism, intelligence officials said. The guidelines are also expected to result in the center making more copies of entire databases and “data mining them” using complex algorithms to search for patterns that could indicate a threat. (emphasis ours)
Journalist Marcy Wheeler summed the new guidelines up nicely saying, “So…the data the government keeps to track our travel, our taxes, our benefits, our identity? It just got transformed from bureaucratic data into national security intelligence.”
The administration claims that the changes in the rules for the NCTC—as well as for the Office of the Director of National Intelligence (DNI), which oversees the nation’s intelligence agencies—are in response to the government’s failure to connect the dots in the so-called “underwear bomber” case at the end of 2009, yet there was no explanation of how holding onto innocent Americans’ private data for five years would have stopped the bombing attempt.
Disturbingly, “oversight” for these expansive new guidelines is being directed by the DNI’s "Civil Liberties Protection Officer" Alexander Joel, who is so concerned about Americans’ privacy and civil liberties that he, as Marcy Wheeler notes, found no civil liberties concerns with the National Security Agency’s illegal warrantless wiretapping program when he reviewed it during President George W. Bush’s administration.
As other civil liberties organizations have noted, the new guidelines are reminiscent of the Orwellian-sounding “Total Information Awareness” program George Bush tried but failed to get through Congress in 2003—again in the name of defending the nation from terrorists. The program, as the New York Times explained, sparked an “outcry” and Congress partially shut it down because it “proposed fusing vast archives of electronic records — like travel records, credit card transactions, phone calls and more — and searching for patterns of a hidden terrorist cell.”
The New York Times reported, the new NCTC guidelines “are silent about the use of commercial data — like credit card and travel records — that may have been acquired by other agencies,” but information first obtained by private corporations has ended up in federal databases before. In one example, Wired Magazine found FBI databases contained “200 million records transferred from private data brokers like ChoicePoint, 55,000 entries on customers of Wyndham hotels, and numerous other travel and commercial records.” The FBI would be one of the agencies sharing intelligence with the NCTC.
Despite Congress’ utter rejection of the “Total Information Awareness” program (TIA) in 2003, this is the second time this month the administration has been accused of instituting the program piecemeal. In his detailed report on the NSA’s new “data center” in Utah, Wired Magazine’s James Bamford remarked that the new data storage complex is “the realization” of the TIA program, as it’s expected to store and catalog “all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches.”
Unfortunately, the new NCTC guidelines are yet another example of the government using the word “terrorism” to infringe on the rights of innocent Americans. Aside from the NSA’s aforementioned warrantless wiretapping program, we have seen the Patriot Act overwhelmingly used in criminal investigations not involving terrorism, despite its original stated purpose. As PBS Frontline’s Azmat Khan noted in response to the new guidelines, investigative journalist Dana Priest has previously reported how “many states have yet to use their vast and growing anti-terror apparatus to capture any terrorists; instead the government has built a massive database that collects, stores and analyzes information on thousands of U.S. citizens and residents, many of whom have not been accused of any wrongdoing.”
This problem has been well documented for years, yet Congress and both the Bush and Obama administrations have continued to use terrorism as a justification for expansive laws, and Americans’ constitutional rights have become collateral damage.
Reps. Joe Baca and Frank Wolf have introduced a bill this week that would require game publishers to add a "clear and conspicuous" warning label to most new video games. HR 4204, the Violence in Video Games Labeling Act, is only the most recent in a series of legislative attempts to restrict or otherwise hinder speech in the form of interactive media.
EFF has put together an action alert that lets you tell your Congressmember that you stand against the unnecessary and burdensome regulation of speech in video games, and that she should too.
Even though it is not required by law, many video game publishers have been self-regulating games for age level and content with Entertainment Software Rating Board (ESRB) ratings since 1994. That system is widely understood in the marketplace, and allows consumers and parents to make informed decisions about their video game purchases.
But under the proposed law, a label that says "WARNING: Exposure to violent video games has been linked to aggressive behavior" would be required on all games rated E (Everyone), E10+ (Everyone 10 and older), T (Teen), M (Mature), or AO (Adults Only), regardless of the contents of the game. Only games released with an EC (Early Childhood) rating would be excluded from the labeling requirement. So games like Tiger Woods PGA Tour 13 or Carmen Sandiego Adventures in Math would require the warning, but Dora's Ballet Adventure would not.
Rep. Baca tries to cloak his anti-speech bill with an inapt comparison to tobacco warning labels in the press release announcing the bill. But while there is a wealth of proof that cigarettes are dangerous, studies simply haven't conclusively demonstrated a causal link between video games and aggressive behavior. One recent study, for example, indicated that "exposure to video game violence was not related to any negative outcomes." [pdf]
Further, in a recent Supreme Court decision to strike down a California law restricting the sale of violent video games to minors, the justices emphatically rejected studies that purport to show such a link: "California relies primarily on the research of Dr. Craig Anderson and a few other research psychologists whose studies purport to show a connection between exposure to violent video games and harmful effects on children. These studies have been rejected by every court to consider them, and with good reason."
Not only that, but the Court expressly affirmed the robust First Amendment protection due to video games: "Video games qualify for First Amendment protection. Like protected books, plays, and movies, they communicate ideas through familiar literary devices and features distinctive to the medium." (EFF joined the Progress & Freedom Foundation in filing a brief in that case.)
It's no surprise, then, that Baca's earlier similar proposals have been unsuccessful. The video game blog Kotaku has compared this new bill to the ones Baca introduced in 2009 and 2011 and found only minor differences. Most notable among them: this most recent proposal raises the stakes, covering a broader selection of games and specifying a harsher warning text.
The California law's Supreme Court defeat gives it the highest profile, but there have been other such laws that didn't make it as far as the Supreme Court. Every other state law that has been challenged on First Amendment grounds has failed lower court scrutiny. Similar laws have been struck down in Louisiana and Illinois, for example, and defeated in Massachusetts.
While these examples went further than Baca's proposal, beyond warning labels to actually restricting the sale of games, the courts have been clear: video games are legally protected speech, and can’t be singled out for special restrictions.
Rep. Baca needs to know that these repeated attempts at misguided legislation based on pseudo-science are not excusable just because they target a new medium. Video games may be a newer art form than the novel, the fairy tale, or the epic poem, but they are no less deserving of constitutional protection.
Tell your Representative today: it's time to stand against HR 4204. If we want to maintain the same level of cultural vibrancy in this new art form as we've enjoyed for all others, we must recognize and protect the freedom of expression embodied within.
San Francisco - The Electronic Frontier Foundation (EFF) urged a federal appeals court Wednesday to block administrative subpoenas from the Securities and Exchange Commission (SEC) that would reveal the identities of three pseudonymous Gmail users without meeting the legal standards for identifying anonymous speakers.
In an amicus brief filed in the U.S. Court of Appeals for the Ninth Circuit, EFF argued that the SEC failed to support its subpoenas with sufficient evidence to demonstrate a compelling need for the information that would overcome the emailers' constitutional right to speak anonymously.
"The First Amendment provides a baseline level of protection for speakers who choose to communicate their messages to the world anonymously or pseudonymously," said EFF Senior Staff Attorney Matt Zimmerman. "Lawbreakers may not hide behind the First Amendment, but investigating agencies cannot force companies like Google to disclose the identities of their customers who are speakers without demonstrating the investigation is legitimate. Here, the SEC has failed to provide anything but speculation that a law was even broken."
The SEC's subpoenas are part of an investigation into a potential "pump and dump" scheme involving Jammin' Java, Inc., which saw its stock price soar and plummet within a short period of time in late 2010 and early 2011. The SEC has argued that "online newsletters" potentially containing "materially misleading information" were distributed around the time of the stock price fluctuation. However, the SEC has not explained why it has targeted the Gmail account holders, nor has it even identified the newsletters in question, much less linked the users to any allegedly illegal activities. In Wednesday's amicus filing, EFF explained why it would be particularly dangerous to allow government agencies to investigate speakers without demonstrating a legitimate need for the information.
"Agencies like the SEC wield enormous powers to intrude into the private lives of Americans," Zimmerman said. "Especially because such agencies can ordinarily issue subpoenas without the direct oversight of the courts, courts must ensure that First Amendment rights be given full effect."