Electronic Frontier Foundation
Let's start with the obvious: The patent system is broken. Inventors are shutting down their businesses, small developers are removing their products from the U.S. market to avoid bogus legal threats, and industry groups are warning members that obvious technological improvements might draw lawsuits.
Last year, Congress passed patent reform legislation; it didn’t help. The courts, too, have failed to pick up the slack. The result? A chill on innovation. American inventors—especially those who don’t often engage with the patent system until they’re facing a lawsuit—want to dedicate their resources to building the next great product or service, not fighting patent wars.
Now, here's the less obvious: We keep learning of more and more ways innovators can navigate the system and hack it to serve its original purpose. We’re particularly excited about the newest, the Defensive Patent License. Below we explain that and some other self-help options we’ve seen lately. Of course, some are better than others, but it’s fair to say that there’s an option for everyone.
The Defensive Patent License: Defensive patenting—acquiring patents to deter future litigation—is not a new idea. In fact, companies have been doing that for some time. Unfortunately, the practice has encouraged companies to seek patents for anything and everything, which—thanks to an overburdened Patent Office—has resulted in a generation of overbroad patents that, if the company folds, often end up in the hands of a patent troll.
The not-yet-operational Defensive Patent License (“DPL”) takes the good from defensive patenting (attempts to stem litigation) and removes the bad (the risk that patents obtained defensively will be used downstream by a troll). The license would work like this:
- DPL patent holders must offer a nonexclusive, royalty-free license for any patent they own to anyone who requests one, as long as the licensee agrees not to sue the licensor or any other member of the DPL community for patent infringement.
- The licensee must offer its patents under the DPL with the same conditions to anyone who requests one.
- The licenses remain in effect throughout the patent's life, even if it is later sold.
- The licenses can only be revoked if an offensive patent suit is filed.
The DPL borrows heavily from the ethos surrounding the free and open source software community, honoring the important freedoms to operate and innovate openly. As such, it is those communities who will most likely use, and benefit from, the DPL.
The DPL represents an important answer to the fundamental problems with the patent system, but it’s not for everyone. For example, the DPL contemplates that a company will dedicate its entire patent portfolio to the license to avoid the problem of members only contributing their “junk” patents and holding on to their “crown jewels.” For various reasons, some companies may not be in a position to do that.
Luckily, the DPL is not the only self-help tool out there.
Twitter’s Innovator’s Patent Agreement: Earlier this year, Twitter announced its Innovator’s Patent Agreement (“IPA”), an important tool for companies looking to do right by their engineers. The IPA, currently up on GitHub for comments, is simple: if you assign your patent to Twitter, Twitter promises it won’t use that patent to sue anyone, except for defensive purposes.
Because the IPA doesn’t give any third party a license to the patents, it does not go quite as far as the DPL. Also, a party who adopts the IPA can choose to do so on a patent-by-patent basis. Importantly, however, the terms of the IPA will run with the patent, no matter to whom it gets sold. This means that if a patent ends up in the hands of a troll, that troll will be prohibited from using it offensively.
Open Source Licenses: The GNU General Public License (“GPL”), the most widely-used free software license, covers both copyright and patent rights. Its terms allow developers to use covered software for free, so long as those developers dedicate, free-of-charge, any changes or improvements to the public, also under GPL terms. The GPL is often cited as a crucial element in the successful rise of Linux.
Another important open source license that primarily protects Linux is the one at the heart of the Open Innovation Network ("OIN"). Founded by some of the largest Linux users, OIN allows any company to join the network, so long as it agrees to not use its patents offensively against Linux. By joining OIN, members get a license to the hundreds of patents OIN owns. As such, its mechanics are similar to the DPL, but its mission (and terms) are limited to Linux.
Other open source licenses, such as BSD licenses, the Apache License, and the Mozilla Public License, for example, cover various types of open source software. These licenses, each in its own way, ensure that important developments in open source software remain open. They do this job well, but unfortunately are limited to the software they specifically cover.
Private Companies: Private, for-profit companies also provide various ways to navigate the patent system. For example, RPX allows companies to buy into its large patent portfolio, which it promises to never use offensively against its customers. Moreover, RPX constantly grows its portfolio to cover its members’ particular needs.
Article One Partners offers a different service, providing a platform for the award of cash prizes to those who provide prior art that may be used to invalidate patents. Article One’s clients request research, which third parties provide. The third party who provides the highest quality research wins a $5,000 reward, and may form a relationship to further work with the Article One client. (Peer to Patent is Article One’s important non-profit analog.) This type of service streamlines the process of invalidating bad patents, something we’ve long supported.
This list is just the tip of the iceberg; other non-profit and for-profit organizations provide tools to help navigate a patent system gone awry, and we look forward to more joining the fray. None of these solutions is perfect, but each offers inventors of different sizes different ways to focus on innovating, and not fighting wasteful patent battles. The real solution is systemic: if software patents are here to stay, then the time to create a system that works for them is long overdue. EFF is working hard to make that happen. In the meantime, we encourage innovators to adopt one of these solutions that works best for them.
Related Issues: Patents
The US Public Policy Council of the Association of Computing Machinery (ACM), representing ACM, came out against CISPA, the cybersecurity legislation recently passed by the US House. ACM is the world's largest organization for computer professionals. They are joining a diverse group of individuals and organizations opposing this bill, including a wide array of digital civil liberties organizations like EFF, computer scientists like Bruce Schneier and Tim Berners-Lee, and companies like the Mozilla Foundation.
CISPA is intended to protect America against cyberthreats, but destroys core privacy protections by providing vague definitions and unfettered access to personal communications by companies and government agencies. In one such example, ACM criticized the expansive definition for "cyberthreat information," which could "encompass everything from port scans to destruction of entire networks." We agree, and voiced identical concerns when CISPA was first released.
Vague definitions are accompanied by a vague standard for companies to make "reasonable efforts to limit the impact on privacy." Though the standard is well intended, ACM correctly identifies that the vague standard "fails to invoke any framework, standards, oversight, or controls to be used" for personal information. They also conclude that the bill creates "no meaningful support for collection minimization" and shares information that "could have nothing to do with cybersecurity"—problems that we have consistently highlighted in our commentary on CISPA. These large gaps in privacy protections highlight some of the core shortfalls we have voiced about CISPA.
Digital civil liberties groups, companies, and computer researchers are glad ACM joined the opposition to CISPA. The upcoming bills in the Senate share many similarities to CISPA and must be stopped. This is the reason why we vow to take the fight to the Senate, ask you to sign our petition against the Cyberspying Bills, and tweet your Congressmen.
Related Issues: Privacy; Cyber Security Legislation | CISPA, SECURE IT, Cybersecurity Act
Files: USACMCISPAStatement.pdf
Earlier this week, an Access2Research petition supporting open access — specifically free access over the Internet to academic articles arising from taxpayer-funded research — crossed its target of 25,000 signatures, two weeks ahead of schedule.[1] The Obama administration has promised to respond to petitions that pass that threshold, so the issue of access to research should be firmly on the White House agenda.
As well it should be. The open access movement, which began well over a decade ago, is garnering more and more attention lately. Earlier this year, we saw the resounding defeat of the misguided Research Works Act, which would have severely restricted the amount of research that could be released under open access conditions. A group of researchers launched the "Cost of Knowledge" campaign responding to the proposal, and allowed other academics to publicly boycott the bill’s primary supporter, the publishing behemoth Elsevier. In response to that boycott and other pressure, Elsevier withdrew its support for the Research Works Act in February, effectively killing the bill.
Of course, open access has long had the support of many scholars and major universities. For example, Harvard is among a large and growing group of schools that requires open access as a matter of policy. And earlier this year, the Harvard Faculty Advisory Council went a step further, issuing a memo that said "major periodical subscriptions cannot be sustained," and urging all faculty to submit their work to specifically open access journals. That memo was a wakeup call: if even Harvard was worried about the cost of academic journals, imagine the impact that cost must be having on institutions that don't have access to the same level of resources.
But now non-academics are paying attention, too, as the 25,000 signatures on the Access2Research petition attest. That support may reflect increased attention to issues related to copyright since January's blackout protests against the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA). Traditional journals insist that scholars sign over the copyright to their work, and then leverage those rights to charge institutions and taxpayers exorbitant fees for subscriptions or single articles — even though these are the same institutions and taxpayers who supported the original research. By contrast, open access journals allow any users to "read, download, copy, distribute, print, search, or link to the full texts of their articles, crawl them for indexing, pass them as data to software, or use them for any other lawful purpose, without financial, legal, or technical barriers other than those inseparable from gaining access to the internet itself."
Support for open access then, like opposition to bills like SOPA and PIPA, is a common-sense position that has traditionally been hampered by a concentrated lobby in Washington working against the diffuse public interest. Online activism campaigns are helping to focus and target that diffuse interest to make real change. What is more, we're moving from reacting to bad proposals toward promoting a positive copyright agenda. Open access should be a central piece of that platform.
The fight for that positive agenda is far from over, but it’s exciting to see so many joining in. In a post responding to the 25,000th signature, Cameron Neylon of PLoS summed it up nicely:
We now know how much we can achieve when we work together with a shared goal. The challenge now is to harness that to a shared understanding of the direction of travel, if perhaps not the precise route. But if we, with all the diversity of needs and views that this movement contains, we can find the core of goals that we all agree on, then what we now know is that we have the capacity, the depth, and the strength to achieve them.
[1] The petition is still open for new signatures, in case you haven't signed and wish to.
Worried about the Lieberman-Collins Cybersecurity Act? You should be. As we've explained before, it poses serious threats to online rights. Here's a one-page handout you can use as a reference. It's great for sharing with friends, handing to Senate staffers, publishing online, or using as talking points when explaining the issue to someone for the first time. Download it here and please spread it around!
The Cybersecurity Act (S. 2105) Threatens Online Rights
The Cybersecurity Act (S. 2105), sponsored by Sen. Lieberman and Sen. Collins, compromises core American civil liberties in the name of detecting and thwarting network attacks. While Internet security is of the utmost importance, safeguarding our networks need not come at the expense of our online freedoms. That’s why civil liberties groups, security experts, and Internet users oppose this bill.
The Cybersecurity Act is fundamentally flawed and dangerous for online rights:
- The bill uses dangerously vague language to define "cybersecurity threat indicators" (information that companies can share with the government), leaving the door open to abuse (intentional or accidental) in which companies share protected user information with the government without a judge ever getting involved.
- Data collected under the Cybersecurity Act can be shared with law enforcement for non-cybersecurity purposes if it “appears to relate to a crime” either past, present, or near future. This is overbroad and contrary to the spirit of our Constitution. Senator Wyden, talking about a similar provision in CISPA, noted “They would allow law enforcement to look for evidence of future crimes, opening the door to a dystopian world where law enforcement evaluates your Internet activity for the potential that you might commit a crime.” The CSA suffers the same "future crime" flaw.
- If companies overstep their authority, violating the privacy of Internet users for non-cybersecurity purposes or oversharing sensitive data with the government, it will be very difficult for individuals to hold these companies accountable by taking them to court. The bill puts incredibly high burdens on the plaintiff in such a case to prove that a company was not monitoring for the purpose of detecting cybersecurity threats and did not have a "good faith" belief that they were allowed to do it (whether they are right or wrong); or that they "knowingly" and "willfully" violated the restrictions of the law. Furthermore, the bill allows companies to bypass much of preexisting law designed to limit company disclosure of private communications – bedrock privacy law like the Wiretap Act and the Electronic Communications Privacy Act.
- The Cybersecurity Act would allow sensitive private communications to flow to the NSA, a U.S. military agency — contrary to a long held value that military agencies should not be engaged in collecting data on American citizens.
- This bill has been criticized by open government groups who rightly point out that the bill creates new exemptions to FOIA—making it that much harder for people to understand how much and what kind of data is being shared with the government and ensure that the government and companies do not abuse this authority.
There is much our country can and should do to safeguard our networks, but sacrificing the civil liberties of Internet users is neither desirable nor necessary for that goal. As a constituent and an Internet user concerned about my online rights, I urge my Senator to support privacy protective amendments and oppose the Cybersecurity Act.
Related Issues: Privacy; Cyber Security Legislation | CISPA, SECURE IT, Cybersecurity Act
Files: cybersecurity-act-handout.pdf
In an important ruling for free speech, the Court of Appeals for the Seventh Circuit today affirmed that a parody of a popular online video called "What What (In the Butt)" (NSFW, unless you happen to work at EFF!) was a clear case of fair use and that the district court's early dismissal of the case was correct.
South Park aired the "What What" parody in a 2008 episode critiquing the popularity of absurd online videos. Two years later, copyright owner Brownmark Films sued Viacom and Comedy Central, alleging copyright infringement. Recognizing the episode was an obvious fair use, a federal judge promptly dismissed the case. Brownmark appealed, claiming that fair use cannot be decided on a motion to dismiss, no matter how obvious. Viacom fought back, and EFF filed an amicus brief in support, explaining that being able to dismiss a case early in litigation—before legal costs can really add up—is crucial to protect free speech and discourage frivolous litigation.
The appeals court agreed, calling the district court’s decision “well-reasoned and delightful”:
We hold that the district court could properly decide fair use on [an early motion] . . . Despite Brownmark’s assertions to the contrary, the only two pieces of evidence needed to decide the question of fair use in this case are the original version of WWITB and the episode at issue.
The opinion joins a growing body of precedent affirming that it's proper to dismiss some copyright cases early, and that it's possible in appropriate cases to determine whether a use is noninfringing without engaging in lengthy discovery. These rulings are important not only to protect speech, but also in fighting back against copyright trolls. Trolls depend on the threat of legal costs to encourage people to settle cases even though they might have legitimate defenses. Citing EFF’s brief, the Seventh Circuit acknowledged the problem:
[I]nfringement suits are often baseless shakedowns. Ruinous discovery heightens the incentive to settle rather than defend these frivolous suits.
Exactly. We’re pleased to see another court strike a blow in favor of free speech and explicitly recognize the growing problem of abusive copyright claims. Let’s hope future courts follow suit.
Related Issues: Free Speech; Intellectual Property; Copyright Trolls
Files: Brownmark v. Comedy Appeals Court Ruling
Once again, the federal government is trying its hardest to prevent the courts from determining whether it has broken (or is still breaking) the law through the NSA’s wiretapping program.
For nearly four years, the Obama Administration has followed in the Bush administration’s footsteps, invoking national security and a variety of procedural hurdles to shield itself from accountability in courts. In three separate lawsuits that have been churning in the federal courts, the government has used a menu of dodges to block the courts from considering the key underlying question — have they been breaking the law and violating the constitution by warrantlessly surveilling American citizens — over and over again.
And now the Obama Administration wants Congress to extend the broader surveillance powers passed by Congress in 2008.
Al-Haramain v. Obama
The latest example occurred last Friday, in a hearing before the 9th Circuit Court of Appeals in Pasadena, CA during a government appeal of the long running case al-Haramain v. Obama. In 2009, a federal court awarded the two plaintiffs—American lawyers who represented the now defunct Islamic charity, al-Haramain—$20,000 each and $2.5 million in legal fees, in what remains the only warrantless wiretapping case decided on the merits.
The plaintiffs in al-Haramain originally filed suit when the government accidentally provided them with a classified document that showed they had been subject to warrantless surveillance. Despite the government convincing the court to declare the document a “state secret” and exclude it from evidence, Judge Walker granted judgment in favor of al-Haramain based solely on publicly available evidence.
Yet on appeal, as Wired’s David Kravets reported, DOJ claims the court should dismiss the case outright because the government is immune from being sued for breaching the Foreign Intelligence Surveillance Act under a concept known as “sovereign immunity.” Sovereign immunity generally prevents the federal government from being sued unless an act of Congress authorizes it. Though it's a complex, technical argument, the government is essentially asserting the only way to hold anyone accountable for future illegal national security wiretapping is to sue them in their individual capacities (and apparently requiring them to pay any damages out of their own pocket). Given that the FISA was written in the midst of the uproar over rampant official government surveillance, this outcome would be outrageous.
And even assuming the government wins on its argument, would it then let the case go forward against FBI Director Robert Mueller, the one federal official named in his individual capacity? No way. After a question from one judge, the government admitted to the Court that it would then invoke the “state secrets” privilege to stop even that case and also raised the specter of other immunities that would then apply to protect the individual defendants. The Justice Department essentially told the Court, “heads we win, tails they lose.”
The fact remains that the district court sided with plaintiffs – holding that FISA waives sovereign immunity, has national security protective procedures that overwrite the state secret privilege here, and that plaintiffs had established a case, based purely on publicly available evidence, to satisfy their burden. We hope the 9th Circuit agrees.
Jewel v. NSA and Hepting v. AT&T
The state secrets privilege is also the first legal maneuver the government will likely try to use to prevent EFF’s own lawsuit against the government over warrantless wiretapping, Jewel v. NSA. In Jewel, based on evidence given to EFF by AT&T whistleblower Mark Klein, Congressional admissions, and countless media investigations, EFF has argued the NSA violated federal surveillance laws and the Constitution by acquiring untold numbers of Americans’ emails, phone calls, and communications records.
After a recent procedural victory at the 9th Circuit revived the case, Jewel is back before a federal district judge in San Francisco. However, in proceedings over the next few months, the government will likely try to again wall itself off from accountability by asserting that the state secrets privilege requires the case to be dismissed without a determination of whether the government’s actions are legal. Yet, in passing FISA, Congress expressly created a secure process by which the legality of surveillance must be determined by a court. We expect the next round of the fight will be, as previous ones were, a set of arguments by the government about why, despite that carefully considered (and never amended) process, the case should still be dismissed immediately regardless of whether the government is actually illegally surveilling millions of Americans.
Separately, in March, EFF filed a petition asking the Supreme Court (pdf) to hear Hepting v. AT&T – EFF’s lawsuit against AT&T for their role in the government’s warrantless surveillance program, where the companies and the Executive branch strong-armed Congress into granting the President the right to dismiss cases against the telecom companies. The government has asked for several extensions to reply to EFF’s petition, but the Supreme Court will likely decide whether or not it will hear the case by this Fall.
Amnesty International v. Clapper
The ACLU is also challenging the legality of the FISA Amendments Act – the 2008 law which broadly expanded the government’s spying powers – in a separate suit, Amnesty International v. Clapper. Two weeks ago, the Supreme Court agreed to hear that case after the government appealed an appeals court decision ruling in the ACLU's favor.
The government has argued that the case should be dismissed completely on yet another procedural argument. It claims that plaintiffs—a group of lawyers, journalists and human rights activists who reasonably expect their emails are being unconstitutionally monitored—don’t have “standing.” Like the government’s sovereign immunity argument in al-Haramain, the government is using a catch-22 argument in Amnesty: they say that plaintiffs have to prove they’re being monitored under the program for the suit even to begin, but, simultaneously, the only way they can prove this is if the government intentionally admits that it is surveilling them. Since the government refuses to admit or deny the surveillance, plaintiffs cannot have standing to decide whether the surveillance is legal or, more importantly, to stop it.
Despite the government’s arguments, the Second Circuit held that plaintiffs had established standing to sue based on their reasonable belief that they are being surveilled and the chilling effect that this illegal surveillance has on their communications. We hope the Supreme Court agrees.
President Obama and FISA Amendments Act Renewal
What makes the administration’s stances in these cases particularly heartbreaking is that Senator and then candidate Obama was a vocal critic of warrantless wiretapping, yet once in office has chosen to reverse himself on all counts. Even before he was elected, he reneged on his promise to filibuster telecom immunity in the FISA Amendments Act in the midst of a presidential race. As a candidate, he also promised to curtail the use of the “state secret” privilege, only to turn around and claim it in all of the wiretapping cases—along with many other lawsuits alleging constitutional violations.
All this serves as a backdrop to the current debate about whether portions of the FISA Amendments Act should be renewed by Congress when it expires at the end of the year. As we reported, a House Judiciary Committee recently held a hearing on the subject, where witnesses and members of Congress alike pointed to the fact that the law appears to allow for dragnet surveillance of Americans’ phone calls and emails without a warrant, something that has never been held to be constitutional by any court.
Unfortunately, Obama, who once insisted he would reform the law in the name of civil liberties as president—even after voting for it—has gone back on that promise as well. Renewing the Act with no changes is now his administration’s “top priority,” even as he continues his aggressive resistance to any judicial review.
It will be EFF’s top priority to oppose it.
Related Issues: NSA Spying
This Week in Internet Censorship: Tiananmen Square Censorship, Libya's Article 37, Malaysia's Backslide, Kuwaiti Repression, and a Hunger Strike in Tunisia
Chinese social media outlets expanded their lists of censored words in anticipation of the 23rd anniversary of the Tiananmen Square protests. On June 4, the date of the anniversary, Twitter-clone Weibo went so far as to block searches of the characters for “today” (今天) and “tomorrow” (明天). Weibo also removed its candle emoticon and blocked searches for the character for candle (烛) to prevent references to the annual candlelight vigil in Hong Kong’s Victoria Park. After users questioned the disappearance, Weibo’s parent company Sina announced that the icon was being “optimized” and replaced the emoticon with an Olympic torch.
Weibo also blocked all forms of the numbers eight, nine, six, and four, which resulted in accidental censorship of reports about the Shanghai Stock Exchange when the market index fell 64.89 points.
In the same week, Google added a search feature warning Chinese users when their terms are likely to produce blocked results. Searching a prohibited term in China will not only produce an official error message, but will also cut users’ connection to Google for a couple of minutes. Senior vice president Alan Eustace wrote, “By prompting people to revise their queries, we hope to reduce these disruptions and improve our user experience from mainland China.” Chinese state censors do not normally disclose which terms are censored at any given time.
Libya: Anti-Sedition Laws Under Constitutional Review
Libya’s Supreme Court will review the constitutionality of Article 37, a series of laws which criminalize speech glorifying Gaddafi, insulting the revolution and Islam, or weakening the morale of Libyan citizens by questioning the country’s “people, slogan, or flag.” The National Transition Council passed these laws on May 2, prompting outrage from many Libyan legal experts and civil society organizations. Violations of Article 37 carry a maximum sentence of life imprisonment. Libya’s new deputy culture minister Atia Lawgali has called the law “a joke” and “a sign of weakness from the NTC.”
Article 37 clearly flies in the face of Libya’s transition towards democracy and the goals of the popular revolution. “When I looked at Article 37 I was pleased with the reaction… there was total agreement that this law is a disaster,” said Lawgali. The government argues that Article 37 is necessary to “re-establish the state” as Libya transitions towards elections this month, and that there will be little need for such laws afterwards.
Malaysia: Officials Backpedal on Promise of a Censorship-Free Internet
Malaysia’s commitment to freedom of expression on the Internet faces new challenges from government officials, past and present. Former Prime Minister Tun Dr Mahathir Mohamad has publicly called for new online content regulations, saying: “When I said there should be no censorship of the Internet, I really did not realize the power of the Internet to create problems and agitate people.”
Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim has echoed the former Prime Minister’s sentiments, suggesting that bloggers and website-owners should regulate themselves so that only “facts” are posted online, and suggested that content should be of a “society-building nature” and not contain libel. The government has already amended the law so that Internet intermediaries are legally accountable for all seditious or libelous content that third parties may upload, so websites are already likely to discourage and delete politically or religiously sensitive material. Malaysia’s Internet has no national content filters at this time, though the government has tried to install them twice. Vigorous protest from Malaysian Internet users on both efforts forced the government to back down.
Kuwait Hands Down Ten Year Sentence for Twitter Criticism
In the small Gulf country of Kuwait a young man, Hamad al-Naqi, has just been handed a ten-year sentence for criticizing the kings of neighboring Saudi Arabia and Bahrain and allegedly "insulting" the Prophet Mohammed on Twitter. According to Human Rights Watch, Kuwait’s Court of First Instance sentenced Hamad al-Naqi, 26, on those charges on June 5, 2012.
Article 15 of Kuwait's National Security Law sets a minimum sentence of three years for spreading statements or rumors that "harm the national interests of the state" while Article 111 of the Penal Code prohibits mocking religion.
Al-Naqi's sentencing is just one instance in a series of repressive events the country has seen this year. In June, the Emir of Kuwait rejected parliamentary legislation that would have authorized the use of capital punishment or life imprisonment for anyone mocking "God, the prophets and messengers, or the honor of his messengers and wives." The veto can still be overridden by a two-thirds majority of members of parliament and cabinet ministers.
As a party to the International Covenant on Civil and Political Rights, Kuwait must protect the rights of freedom of expression. EFF joins Human Rights Watch in condemning Kuwait's increasing repression of speech.
Tunisia: Citizen Journalists Continue Hunger Strike
Tunisian citizen journalist Ramzi Bettaieb has been on a hunger strike since May 28 to defend press freedom in the country after last year’s revolution. Bettaieb, who writes for the activist blog Nawaat, said that soldiers confiscated his cameras when he tried to film the trial of ousted dictator Zine El Abidine Ben Ali and others who were involved in violently suppressing anti-regime protests in the towns of Thala and Kasserine. The army prohibited reporters from shooting more than three minutes of video footage during the trial.
Nawaat, which was blocked in Tunisia until January last year, was instrumental in channeling popular opposition to the Ben Ali regime and covering the protests that culminated in his removal. Bettaieb’s hunger strike is partly in order to show the world that the political revolution is not yet complete. He protests the new government’s lack of transparency in holding these important trials through a military tribunal rather than through public court or an independent commission. Bettaieb stated, “I demand that all cases be withdrawn from the military court. It is not independent, and is under constant pressure and threat… it is in conflict with the Ministry of Interior or at least with whatever corrupt body still lingers there.” Five other bloggers have joined Bettaieb’s hunger strike, and he also commands wide support from other regional journalists.
DNA is the most intimate and revealing part of the human body, with the potential to reveal a person's -- and their family's -- medical history and predisposition to disease. Because it's so sensitive, we've filed an amicus brief (PDF) in the California Supreme Court urging it to rule that the Fourth Amendment prohibits the warrantless collection of DNA from individuals presumed innocent who are not yet convicted of a crime.
Over the last few years, the federal government has been building up a massive DNA database called CODIS that stores DNA samples collected by local, state, and federal law enforcement officials investigating crimes. While CODIS was initially concerned only with the collection of DNA of convicted felons, the government is quickly expanding its reach to cover two more populations: individuals entering the immigration system, and arrestees. There are now over 10 million DNA samples in CODIS from all over the country, and 17% of them are from California.
We recently published a white paper explaining in detail biometric collection in the immigration system. And we've repeatedly warned courts across the country in numerous amicus briefs that the government's warrantless collection of DNA from arrestees -- individuals who have not yet been convicted of a crime -- is unconstitutional. While federal courts have upheld the practice, last summer the California Court of Appeal ruled in People v. Buza (PDF) that California's warrantless DNA collection, and the placing of the samples into CODIS, is unconstitutional. And earlier this year, the Maryland Court of Appeal found in King v. State (PDF) most warrantless arrestee DNA collection unconstitutional.
With the Buza decision now on review to the California Supreme Court, our amicus brief urges the affirmance of the lower court's decision. We note that advances in technology have made DNA collection cheaper, and thus easier and more widespread. And while the Fourth Amendment acknowledges that privacy rights of individuals convicted of a crime are diminished, expanding warrantless DNA collection to individuals merely arrested for a crime -- along with individuals in the immigration system who have no criminal record -- are steps on a course towards a future where everyone's DNA is collected and maintained by the government, whether they were ever suspected of anything at all.
We're optimistic that with the decisions in Buza and King, courts are beginning to fully grasp the ability of technology to shrink privacy -- and see that DNA collection should be narrowed, not expanded.
We're happy to report that the California Location Privacy Act we're sponsoring with the ACLU of Northern California passed the California Senate on a bipartisan vote of 30 to 6, and is now headed on to the California Assembly.
SB 1434 protects the privacy of Californians by requiring law enforcement to get a search warrant before obtaining location information from any electronic device. The bill is an attempt to codify the Supreme Court's decision in United States v. Jones, which ruled that the warrantless installation of a GPS device on a car was an unlawful "search" under the Fourth Amendment.
We're also glad to see little law enforcement opposition to what would be a good bill for them too. As the ACLU revealed in its coordinated FOIA request concerning cell phone tracking by local law enforcement agencies, different agencies throughout the country are using different standards to get location information. Requiring a search warrant creates an easy-to-remember rule for cops to follow: no warrant, no location information. And a search warrant protects privacy by ensuring the police can't get access to this data without convincing a judge that there is probable cause to believe the info will lead to evidence of a crime.
Although the wireless industry's lobbying resulted in SB 1434 losing its reporting requirements -- a crucial part of the bill that would promote transparency -- we're happy to see members of Congress stepping up where the California legislature fell short. Both Representative Ed Markey (D-MA) (PDF) and Senator Al Franken (D-MN) (PDF) have demanded that the biggest wireless companies release information about the number of law enforcement requests they've received for location data, and how the companies comply with these requests.
Also in D.C., the GPS Act -- introduced more than a year ago -- finally got a hearing before the House Judiciary Committee on May 17. Sponsored by Senator Ron Wyden (D-OR) and Representative Jason Chaffetz (R-UT), the GPS Act would also require law enforcement to obtain a search warrant in order to obtain location tracking information. The hearing featured testimony from Catherine Crump (PDF) of the ACLU and University of Pennsylvania computer science professor Matt Blaze (PDF), who explained that the need for search warrants is becoming greater as technology has made cell phone location tracking almost as precise as GPS based surveillance.
All this legislative action in both California and D.C. makes us optimistic that Justice Alito's comments in his Jones concurrence that "in circumstances involving dramatic technological change, the best solution to privacy concerns may be legislative" may soon bear fruit.
Yesterday morning, the House Subcommittee on Communications and Technology held a hearing on "International Proposals to Regulate the Internet," focusing on the World Conference on International Telecommunications (WCIT), an important treaty-writing event set to take place in Dubai this December. The WCIT is organized by a UN agency called the International Telecommunication Union (ITU), a slow-moving and bureaucratic regulatory organization established in 1865 to oversee telegraph regulations. The ITU Member States adopted a legally binding set of telecommunication regulations in 1988, and now some countries are seeking to expand those regulations to cover the Internet.
Online anonymity, privacy and free expression are likely to be under attack under an ITU model. ITU officials have publicly stated that anonymity shouldn't exist in the future. Moreover, countries like Russia and China, in particular, have been prominent advocates of codes of conduct that seek to protect national governmental powers over the Internet, including provisions that seek to censor the net.
It's worth noting, though, that the threat posed by the ITU is not limited to an outright "takeover" by Russia or China. ITU's vision of Internet policy-making is more like "taking control" than the transparent and bottom-up multi-stakeholder process typically associated with Internet governance. The current negotiations, for example, consist of proposals being discussed under terms of secrecy, circumventing any transparent discussion. And much like the parties behind the unpopular IP regulations in trade agreements like ACTA and TPP, the ITU member states are also refusing to release documents that make up the amendments and preparatory materials that they will propose. We have also seen censorship and surveillance measures in the name of copyright enforcement or by authoritarian regimes, and both are a real problem.
To their credit, the witnesses at yesterday's hearing — including former Ambassador David Gross, Senior Manager of Public Policy for the Internet Society Sally Shipman Wentworth, and "father of the Internet" Vint Cerf — were all clear that the stakes were high, and that any process that decides the direction of the Internet must be based on a foundation of multistakeholderism.
Cerf, for example, was unequivocal in his testimony [pdf]:
I believe that the multi-stakeholder approach to Internet governance and technical management has been, and will continue to be, the best way to address the technical and policy issues facing the Internet globally.
Shipman Wentworth expressed similar doubts about the possibility that the treaty making process could produce a positive outcome [pdf]:
it is not clear to the Internet Society that the international treaty making process represents the most effective way to manage cross-border Internet communications, or that some of the proposals currently being floated are consistent – or even compatible – with the multistakeholder model of Internet governance that has emerged over the past 15 years.
With so much on the line, in terms of the power for the open Internet to spur permissionless innovation and significant advances in international freedom of expression, there can be no question that handing the keys to an organization incapable of engaging in multistakeholder discussions is a profoundly bad idea. Multistakeholder processes are the way to ensure the users' input is included, and not left by the wayside. And multistakeholder processes cannot be multistakeholder in name only: we remind all governments that a truly multistakeholder participation model requires equal footing for every relevant stakeholder including civil society, the private sector, the technical community, and participating governments. Any process that claims to be multistakeholder must respect human rights as a baseline for any policy dialogue. The users must be represented in the development of Internet policy because the future of the Internet is too important to be left to companies and governments alone.
That's why EFF has joined European Digital Rights, CIPPIC and CDT and a coalition of civil society organizations from around the world in demanding that the organization behind WCIT release all of its preparatory materials and treaty proposals for public review. We urge the ITU to ensure enough transparency that the outcomes of the WCIT and its preparatory process are in the interest of all stakeholders.
The campaign to use social engineering to install surveillance software that spies on Syrian activists is growing ever more complex as violence in Syria has escalated. Since the beginning of the year, Syrian opposition activists have been targeted using several Trojans, including one disguised as a Skype encryption tool, which covertly install spying software onto the infected computer, as well as a multitude of phishing attacks which steal YouTube and Facebook login credentials.
The latest campaign contacts targeted Syrian activists over Skype and delivers a Trojan by getting the targets to download a fake PDF purporting to contain a plan to assist the city of Aleppo, where opposition protest has been growing steadily since a raid on Aleppo University dormitories resulted in the deaths of four students and a temporary shutdown of the state-run school earlier this month. Like many of the attacks we have reported on, this one installs a Trojan called DarkComet RAT, a remote administration tool that allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more--and sends that sensitive information to the same Syrian IP address used in attacks described by TrendMicro, Symantec, Cyber Arabs, and in several of EFF's blog posts.
The attack is initiated over Skype with the following message in Arabic:
[29/05/2012 18:03:44] Aleppo Team || ...: ??? ????? ???? ??? ??? ??? ??????
[29/05/2012 18:03:46] Aleppo Team || ...: ???? ????? "??? ???????2.rar"
Roughly translated into English as:
[29/05/2012 18:03:44] Aleppo Team | | ...: Last modified plan Aleppo time for Jihad
[29/05/2012 18:03:46] Aleppo Team | | ...: Send the file "plan eventually 2.rar"
Extraction of the rar file creates a directory called: ??? ??? or "Plan Aleppo," shown in the screenshot below.
Inside this is a file called: aleppo_plan_ ???_?????_??? cercs.pdf. The right-to-left text display makes this appear to be a PDF file, but it is an SCR, shown in the screenshot below.
The SCR file is malware.
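A defender-side check for the right-to-left filename trick described above, as an added example that is not part of the original post. It assumes the usual mechanism, a Unicode bidirectional override character (U+202E) embedded in the name; the sample filenames are constructed, and `inspect_filename`, `displayed_form` and the extension list are illustrative names.

```python
from dataclasses import dataclass

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
RLO, PDF = "\u202e", "\u202c"

# Illustrative (not exhaustive) list of extensions Windows will execute.
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "lnk", "js", "vbs"}


@dataclass
class Verdict:
    controls: list      # (index, control name) for every bidi control found
    real_ext: str       # extension the operating system acts on
    shown_ext: str      # extension a user is likely to see
    suspicious: bool


def displayed_form(name: str) -> str:
    """Approximate what a bidi-aware file manager shows.

    Simplification (assumption): only a single, non-nested RLO span is
    modelled. Characters inside it are shown in reverse order until a PDF
    character or the end of the name. Other controls are invisible.
    """
    out, span = [], None
    for ch in name:
        if ch == RLO:
            if span is None:
                span = []
        elif ch == PDF and span is not None:
            out.extend(reversed(span))
            span = None
        elif ch in BIDI_CONTROLS:
            continue
        elif span is not None:
            span.append(ch)
        else:
            out.append(ch)
    if span is not None:
        out.extend(reversed(span))
    return "".join(out)


def extension(text: str) -> str:
    """Text after the last dot, lower-cased; empty if there is no dot."""
    _, dot, ext = text.rpartition(".")
    return ext.lower() if dot else ""


def inspect_filename(name: str) -> Verdict:
    controls = [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name)
                if ch in BIDI_CONTROLS]
    # The OS reads the name in logical (stored) order, not display order.
    logical = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    real_ext = extension(logical)
    shown_ext = extension(displayed_form(name))
    # Flag names where a control character changes the visible extension
    # or hides an executable type. Plain right-to-left script is not flagged.
    suspicious = bool(controls) and (
        real_ext != shown_ext or real_ext in EXECUTABLE_EXTS
    )
    return Verdict(controls, real_ext, shown_ext, suspicious)


# Constructed sample names (not taken from the analyzed archive).
SAMPLES = [
    "aleppo_plan_ce\u202efdp.scr",   # displays as aleppo_plan_cercs.pdf
    "report.pdf",                    # ordinary name
    "\u062e\u0637\u0629.pdf",        # Arabic text, no control characters
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = inspect_filename(sample)
        print(repr(sample), "->", displayed_form(sample), v)
```

Run over a download or attachment directory, the same check catches the disguise before the file is opened, because it compares the stored extension with the one the user sees.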
The file that we have analyzed is aleppo_plan_ ???_?????_??? cercs.pdf, md5Sum bc403bef3c2372cb4c76428d42e8d188.
It displays a PDF while dropping the following files, shown in the screenshot below:
C:\Documents and Settings\Administrator\StartMenu\Programs\Startup\(empty).lnk
It runs explorer.exe, which installs DarkComet RAT and also opens a PDF which describes a plan to assist Aleppo in the revolution. The document includes a detailed discussion of logistics and would potentially be very interesting to Syrian dissidents and activists. Some of the content may be genuine, but there are also some aspects of the PDF that might raise the suspicions of a keen-eyed reader, including the flag across the top of the document, which is the flag of the Assad regime rather than the flag of the revolution.
As of May 29th, this version of DarkComet is not detectable by any anti-virus software. For a detailed discussion of how to find and remove DarkComet from your computer, see this blog post.
Syrian Internet users should be especially careful about downloading documents sent over Skype, even if the message purportedly comes from a friend.
Innovation for the win: A federal judge ruled today that Java's APIs are not copyrightable. The federal district judge in the widely reported Oracle v. Google case ruled in favor of innovation and interoperability, allowing software to use Application Programming Interfaces without paying a license fee. Judge Alsup's opinion is important news for software developers and entrepreneurs.
To recap: Oracle, the current owner of Java, sued Google for, among other things, using Java APIs in its Android OS. Oracle claimed that Google infringed both its patents and copyrights. The Court disagreed, and Judge Alsup ruled that “Google and the public were and remain free to write their own implementations to carry out exactly the same functions of all methods in question.”
Earlier, the jury summarily disposed of Oracle's patent claims and also found that, assuming one could get a copyright on an API, Google might have infringed (the jury failed to answer whether Google’s use was a legal fair use). All of this left open arguably the most important question: whether APIs could be copyrighted. As we previously explained, the answer must be "no" under current law, and extending copyright to APIs would have a disastrous effect on interoperability, and, therefore, innovation. We are glad to report that Judge Alsup agreed.
The court clearly understood that ruling otherwise would have impermissibly – and dangerously – allowed Oracle to tie up “a utilitarian and functional set of symbols,” which provides the basis for so much of the innovation and collaboration we all rely on today. Simply, where “there is only one way to declare a given method functionality, [so that] everyone using that function must write that specific line of code in the same way,” that coding language cannot be subject to copyright.
Judge Alsup, a coder himself, got it right when he wrote that “copyright law does not confer ownership over any and all ways to implement a function or specification of any and all methods used in the Java API.” It's a pleasure to see a judge so fundamentally understand the technology at issue; indeed the first part of the opinion reads like an Introduction to Java class (and, to be certain, if Oracle appeals, Judge Alsup's lesson will do a fantastic job teaching the appeals court how Java works). It's that fundamental understanding that allowed Judge Alsup to explain:
That a system or method of operation has thousands of commands arranged in a creative taxonomy does not change its character as a method of operation. Yes, it is creative. Yes, it is original. Yes, it resembles a taxonomy. But it is nevertheless a command structure, a system or method of operation — a long hierarchy of over six thousand commands to carry out pre-assigned functions. For that reason, it cannot receive copyright protection — patent protection perhaps — but not copyright protection.
Judge Alsup’s opinion implicitly recognizes that the copyright laws, most recently overhauled in the 1970s, simply were not intended to cover claims like those made by Oracle in this case. Here, Oracle pored through 15 million lines of Android code searching for infringement, and found only nine lines (one function!) that had been copied from Java, a circumstance the Court found “innocuous and overblown.” Such functionality may be subject to patenting, which has a shorter life span and more opportunities to challenge its validity, but Oracle’s attempts to shoehorn its unpatented APIs into copyright law were met with the proper rejection.
It's not all good news for innovation: in yet another example of an intellectual property system gone awry, this lawsuit has likely already cost each side millions (if not tens of millions) of dollars (and that’s before damages). Those resources, including the person-hours, can and should be dedicated to developing new technologies and business models, not improving a few law firms' bottom lines. Oracle v. Google is just the latest in a long line of cases that ratchet up high-stakes litigation surrounding intellectual property rights – whether it be software patents or copyrights. This dangerous trend creates insurmountable barriers to entry and harms innovation. If this process has taught us anything, it is that this practice needs to stop. This is why EFF will continue to fight for an intellectual property system that has the breathing room to allow for innovation.
And in the meantime, developers everywhere can breathe a sigh of relief – this judge got it right.
The Senate is moving quickly to take up the issue of cybersecurity, with a potential vote looming in early June. This is a particularly dangerous situation because the Cyber Intelligence Sharing and Protection Act (CISPA) already passed the House, authorizing companies to spy on sensitive user content and pass that data to the government with few restrictions. Under CISPA, the government can use the information it receives for vaguely-defined “national security” purposes or share it with intelligence agencies like the NSA.
There are several bills pending in the Senate. The first one to come up is the Cyber Security Act (Lieberman-Collins). The bill is well over a hundred pages long and includes many components other than sections about sharing data with the government. Here’s a guide to help you understand the information sharing sections of the bill, the civil liberties concerns, and how you can speak out.
Will Internet companies be able to intercept and read my email?
Under this bill, how are “cybersecurity threats” defined?
How are “cybersecurity threat indicators” defined?
In addition to monitoring, what else can companies do?
What are countermeasures and how would they work?
How are “countermeasures” different from ordinary behavior already in widespread use by ISPs and companies to protect their networks?
Does this bill create new exemptions to the Freedom of Information Act?
Under the Cybersecurity Act, if a company improperly hands over my information to the government, do I have an effective remedy?
What is a “cybersecurity exchange” and how would it work?
Will the new “cybersecurity exchange” create new bureaucracies?
What safeguards are in place to ensure that this legislation won’t be used as a method of sharing data with the National Security Agency?
Can cyber security threat indicators collected under this legislation be used for other, unrelated purposes?
Whoa! Sharing what “appears to relate to a crime” is crazily broad, and surely will impinge on civil liberties. Does the Cyber Security Act throw me a bone, with some sort of vague promise to maybe think about civil liberties in the future?
If the Cyber Security Act passes the Senate, will we have a chance to fight it in the House?
There are amendments pending on this bill. Will it get better or worse for civil liberties?
How can I speak out against this bill?
Will Internet companies be able to intercept and read my email?
Under the bill, the provisions for “monitoring” are very broad. Companies (“any private entity”) are granted “affirmative authority” to “monitor information systems” and “information that is stored on, processed by, or transiting the information systems” for cybersecurity threats. A company could also monitor someone else’s network if it has been granted authority to do so, for example an outside consulting firm hired to help with network security.
The companies in question include both online service providers like Google or Facebook, as well as Internet Service Providers (ISPs) like Comcast. When you use a web-based service like Google, your communications pass through lots of intermediaries. Under the bill, it is not only Google that can monitor your traffic, but also any intermediary.
Under this bill, how are “cybersecurity threats” defined?
A cybersecurity threat, under the Cyber Security Act, is defined as “any action that may result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system.”
But the definition of cybersecurity threat indicator in the bill is much more important, since this determines the actual information that can be shared with the government.
How are “cybersecurity threat indicators” defined?
Cybersecurity threat indicators are the types of data that a company can share with the government (via a “cybersecurity exchange,” see below). The bill defines a “cybersecurity threat indicator” as information that indicates or describes one or more of eight things:
- “Malicious reconnaissance” which the bill defines as including “anomalous patterns of communication that reasonably appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat”
- A method of defeating a technical control
- A technical vulnerability
- A method of defeating an operational control
- A method of causing a user with legitimate access to an information system or information to “unwittingly” enable the defeat of a technical or operational control
- Malicious cyber command and control
- Actual or potential harm caused by an incident, including data exfiltrated as a result of subverting a technical control if it is necessary in order to identify or describe a cybersecurity threat
- “Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law”
The last one – “any other attribute” – is very broad indeed! This type of language is dangerously vague, giving companies lots of wiggle room to make creative arguments.
However, there’s also one very important privacy protection to how the bill defines “cybersecurity threat indicators” – it insists that “reasonable efforts” must be made to “remove information that can be used to identify specific persons unrelated to the cybersecurity threat.”
In addition to monitoring, what else can companies do?
The act also allows companies to deploy "countermeasures" to protect a given network. Countermeasures include the ability to modify or filter Internet traffic. Even if you are an innocent user, if companies think you are engaging in a cyberthreat, they could filter or modify your Internet traffic.
What are countermeasures and how would they work?
The term “countermeasures” refers to actions to “modify or block data packets” associated with online communications, so long as it is done “with defensive intent” for the purposes of protecting information systems from cybersecurity threats.
Under the Cyber Security Act, private entities are granted “affirmative authority” to operate countermeasures on their own information systems to “protect the information systems and the information that is stored on, processed by or transiting the information system.” Companies can also operate countermeasures on third party networks, if the third party grants them lawful access.
How are “countermeasures” different from ordinary behavior already in widespread use by ISPs and companies to protect their networks?
The limits on the “countermeasures” allowed under this bill have not been established. If this bill passes, it could take judicial interpretation to establish those limits -- but only if cases make it to court. Companies already use firewalls to protect their networks. ISPs do filtering as well, for example disallowing end users from hosting certain services, or de-prioritizing certain types of traffic. But this bill makes no effort to restrict the definition of countermeasures to reasonable techniques in use today.
Does this bill create new exemptions to the Freedom of Information Act?
Yes. Under the Cyber Security Act, any cybersecurity threat indicator disclosed by a non-Federal entity (like a company) to a cybersecurity exchange is exempt from disclosure. A recent letter organized by OpentheGovernment.org and signed by dozens of civil liberties advocacy organizations criticized both the SECURE IT Act and the Cyber Security Act, stating:
“Unnecessarily wide-ranging exemptions [to FOIA] of this type have the potential to harm public safety and the national defense more than they enhance those interests; the public is unable to assess whether the government is adequately combating cybersecurity threats and, therefore, unable to assess whether or how to participate in that process, and to hold officials accountable.”
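Under the Cybersecurity Act, if a company improperly hands over my information to the government, do I have an effective remedy?
Probably not. This legislation holds a very high standard for holding companies accountable through civil action. Assuming that you know about the privacy invasion in the first place, you would need to prove that the company: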
- Was not monitoring for the purpose of detecting cybersecurity threats and
- Did not have a "good faith" belief that they were allowed to do it (whether they are right or wrong); or
- "Knowingly" and "willfully" violated the restrictions of the law
What is a “cybersecurity exchange” and how would it work?
The Cyber Security Act would set up “cybersecurity exchanges” to receive and distribute cybersecurity threat indicators. There would be one Lead Federal Cybersecurity Exchange, appointed by the Department of Homeland Security, but other ones might also be created. Existing federal agencies can be designated as cybersecurity exchanges, including military and intelligence agencies like the National Security Agency. The Department of Homeland Security could appoint itself as the Lead Federal Cybersecurity Exchange.
There is considerable debate in Washington over whether the lead agency should be the civilian DHS or the military (i.e. the NSA). The bill punts on this question, but gives the edge to DHS for future bureaucratic fights.
Will the new “cybersecurity exchange” create new bureaucracies?
Of course. The Cyber Security Act’s extensive discussion of the creation of a federal exchange and potential civilian exchange involves coordination between an alphabet soup of agencies, including DHS, DOJ, ODNI, DOD and DOS. They have to make a lead exchange, consider others, consult with each other, and report to Congress. The Cyber Security Act attempts to defuse this the easy way: “Nothing in this section may be construed to authorize additional layers of Federal bureaucracy for the receipt and disclosure of cybersecurity threat indicators.” At most, this will prevent people from calling the new layers of bureaucracy what they really are.
What safeguards are in place to ensure that this legislation won’t be used as a method of sharing data with the National Security Agency?
There are no provisions in the Cyber Security Act that would ensure this bill could not be used to funnel information to the National Security Agency. In fact, the National Security Agency could be designated as a “cybersecurity exchange” and receive great quantities of sensitive user information.
The ACLU has joined EFF in strongly criticizing a bill that allows the NSA to receive cybersecurity data, stating: “It is a long held American value that the military is not permitted to spy on Americans and their communications. Authorizing the NSA to turn its powerful spying apparatus on Americans would pose a significant threat to Americans’ privacy and would represent a major departure from American values about the role of the military on US soil.”
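Can cyber security threat indicators collected under this legislation be used for other, unrelated purposes?
Yes. The data collected under the Cyber Security Act can be shared with law enforcement if it “appears to relate to a crime” either past, present, or near future.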
Senator Wyden, talking about a similar provision in CISPA, noted “They would allow law enforcement to look for evidence of future crimes, opening the door to a dystopian world where law enforcement evaluates your Internet activity for the potential that you might commit a crime.” The CSA suffers the same ‘future crime’ flaw.
Whoa! Sharing what “appears to relate to a crime” is crazily broad, and surely will impinge on civil liberties. Does the Cyber Security Act throw me a bone, with some sort of vague promise to maybe think about civil liberties in the future?
Sure. Recognizing that the provision for sharing with law enforcement could impact privacy and civil liberties, the Cyber Security Act attempts to defuse criticism by forming a committee to write “policies and procedures” at some future date that are supposed to “minimize the impact.” It also provides that the Privacy and Civil Liberties Oversight Board will look over the situation. Unfortunately, there currently are no members of this board, and have not been since 2007.
Our civil liberties are too important to just have faith that future regulations will solve all the problems or to have oversight by a non-staffed board.
Unfortunately, the House of Representatives has already passed a cybersecurity bill (CISPA). CISPA includes few privacy safeguards, allowing companies to spy on Internet communications and pass sensitive user content to the government. This means that if any cybersecurity bill passes the Senate – even one that has privacy protections – it will be conferenced with the House version of CISPA. The conferencing process is a backroom negotiations in which there’s a lot of compromising – and House backers of CISPA could well seek to remove any privacy protections we might put in place in a Senate bill. The conferencing process would almost undoubtedly be bad news for online civil liberties.
That’s a hard question. In early May, according to the Hill blog, Senate leadership was reportedly “quietly revamping cybersecurity legislation in an attempt to pick up Republican votes.” This could mean any number of things – including the possibility that the legislation will be adjusted to remove regulatory aspects or reduce the existing privacy protections for Internet users. It’s also possible amendments could be presented that would add in safeguards for privacy.
Right now, all of the amendments – whether good or bad for Internet rights – are being negotiated behind closed doors, away from public discussion and accountability. This means Internet users are being kept largely in the dark until most of the negotiations are over.
We encourage individuals to use our action center to speak out; tell Congress not to sacrifice civil liberties in a rush to pass cybersecurity legislation. Hearing from constituents is the best way to ensure privacy rights stay front and center in this debate.
We urge Internet users to contact Congress and tell them to support privacy-protective amendments and oppose the cybersecurity bills. You can use our action center to send an email or call your Senator.
This Week in Internet Censorship: Points system for Weibo, Activist Released in Bahrain, Censorship in Malaysia, Ethiopia, and More
Chinese microblogging site Sina Weibo introduced new user conditions on Monday under which users will be deducted “points” for violating its content policy. Users will be suspended from the website once they run out of points. Rules that prohibit advocating protests or “spreading rumors” have always been a part of overall Chinese internet policy, but the points system is an innovation.
The new user contract arrives after the parent company Sina admitted that they had not fully implemented Chinese real-name registration rules by the March deadline. Reporters Without Borders suggests that “It remains to be seen whether or how this points system will be applied to the mass of information circulating on Sina Weibo. It may well be a lost cause but the company could be more interested in looking good in the government’s eyes.” Real-name registration is one of the ways in which Weibo users can recover lost points, which will effectively further reduce anonymous expression in China.
Malaysia: Amended Evidence Act Makes Intermediaries Liable, Shifts Burden of Proof to Defendants
The Malaysian government has recently made a series of troubling amendments to the Evidence Act 1950. Among the changes: an amendment that holds intermediaries liable for seditious content posted anonymously on their networks, services, or websites and an amendment that shifts the burden of proof from the government to the defendant. In Malaysia, not only can you be held liable for someone else’s allegedly seditious comment on your website, or an anonymous comment posted using your open wifi connection, but it is up to you to prove that you didn’t do it.
These amendments may lead to a profound chilling effect on free expression and innovation because intermediary content providers like corporations, social networks, and bloggers will be obliged to constantly monitor the activity of third-party contributors. In the United States, Section 230 of the Communications Act protects intermediary “interactive computer services” from certain kinds of liability for third-party content, including defamatory or seditious speech. Centre for Independent Journalism executive officer Masjaliza Hamzah said the Malaysian laws “may force some sites to stop the comment feature because having to vet comments themselves may become untenable, and if this happens, it has a huge impact on the interactive nature of online media favored by readers.”
Bahrain: Activist Nabeel Rajab Released from Jail
Nabeel Rajab, president of Bahrain Centre for Human Rights, was released from jail after he posted bail of 300 dinars ($796). Rajab has been imprisoned since May 5 on charges of “cyber-incitement” of illegal rallies using social networking sites and defaming Bahrain's security forces. With over 146,000 Twitter followers, he is a high-profile critic of King Hamad al-Khalifa and the Bahraini government. Rajab is banned from travelling abroad as part of the conditions of his release. In the past 15 months, Bahraini security forces have detained and beaten many journalists, protestors, and other critics.
Rajab described his arrest as "a political decision" in court earlier this month. He told the court, “I only practiced my right to free expression… I did not commit a crime.” Meanwhile, Rajab’s many supporters include Bahraini human rights activist Abdulhadi al-Khawaja, who began a hunger strike in February after also being detained for allegedly trying to “depose” the royal family. Upon Rajab’s release from jail, al-Khawaja voluntarily ended his hunger strike and described the event as successfully drawing attention to the issue of imprisoned Bahraini political dissidents.
Ethiopia: Restricting VOIP, Initiating Deep Packet Inspection
Last Thursday, the Ethiopian parliament ratified a new Telecom Service Infringement Law meant to impede Voice over Internet Protocol (VoIP) calls and faxes. The rules are primarily aimed at protecting the state service provider Ethio Telecom from competition and “telecom fraud” by granting the Ministry of Communications and Information Technology the right to license companies engaged in producing or distributing any information communication technology. Additionally, a “national security” section in the new law includes anti-terrorism and anti-defamation provisions for content regulation. Prominent Ethiopian blogger Endalk has referenced the latest law as a “creative copy of SOPA and PIPA,” both of which fellow blogger Frank Nyakairu had predicted would lead to “opportunistic” spin-offs in multiple African dictatorships. Already, the Committee to Protect Journalists reports that about 25% of exiled journalists in Africa are from Ethiopia. Not only does the Telecom Service Infringement law block journalists’ access to important communication pathways such as VoIP, but the broad “national security” content regulations will give the government even greater official latitude in shutting down the country’s small but active blogging community.
The new telecom regulations are part of an ongoing pattern of increased Internet surveillance and censorship. Even though Ethiopia has internet penetration of less than 1 percent, its online political censorship regime is one of the most complex in sub-Saharan Africa, aided by Chinese capital and technology. Ethiopian ISPs recently initiated covert deep-packet inspection, and also began blocking Tor.
This morning, the House Judiciary Committee held an important hearing on the FISA Amendments Act (FAA) and the scope of the NSA’s warrantless wiretapping program. The FAA, which gutted privacy protections governing the interception of international phone calls and e-mail to and from the United States, is set to expire at the end of the year, and Attorney General Eric Holder says it is his “top priority” to see it renewed.
President Obama had promised during his campaign to demand civil liberties protections and privacy safeguards when the FAA came up for renewal, yet his administration is now demanding that Congress renew it with no changes, despite the fact that the FAA allows for dragnet surveillance of Americans’ international communications.
A detailed explanation of the law’s constitutional deficits can be read here, but as ACLU’s deputy director Jameel Jaffer explained to the committee, the law is written so broadly that a phone call to someone overseas discussing general foreign affairs could be listened in on. Even putting aside the massive constitutional violations perpetrated by the NSA and its warrantless wiretapping program before the FAA was passed in 2008, the NSA has still unlawfully collected “millions” of Americans’ domestic communications since 2009, according to reporting by the New York Times and documents the ACLU received via the Freedom of Information Act (FOIA).
Rep. Trey Gowdy (R-SC) remarked to Jaffer that no court has ruled the FAA unconstitutional. But he conveniently left out the fact that the Obama Justice Department (DOJ) has resisted every effort to have courts hear any evidence on the matter. DOJ is now arguing before the Supreme Court that the ACLU’s lawsuit over the FAA should be dismissed before trial on “standing” grounds, despite lower courts ruling the case should move forward on the merits. In addition, in EFF’s own case challenging the dragnet portion of the NSA warrantless wiretapping program, the government has invoked the “state secrets” privilege, arguing that even if the allegations of constitutional violations are true, the case should be dismissed because it could hurt “national security.” All this despite the fact that federal courts have ruled the NSA’s warrantless wiretapping program unconstitutional in other cases.
EPIC Privacy executive director Marc Rotenberg, another witness at the hearing, implored the committee to install new transparency requirements so Americans can understand exactly how many people are being spied on. This could be done easily and anonymously without jeopardizing any investigation, he said, and can be modeled on the transparency requirements already in place for domestic wiretaps.
Kenneth L. Wainstein, who worked on creation of FISA during his tenure at the Justice Department during the Bush administration, countered that there is already “oversight” built into FISA, but there is scant proof of that in practice. The administration has kept its interpretation of the FAA secret, has refused to declassify any of the FISA opinions (despite previously promising to), and won’t release numbers on how many Americans have been affected, as multiple Senators have demanded. All of this is particularly troubling since the FISA court received over 1,700 applications for blanket wiretaps last year and none were rejected.
Wainstein’s argument about how supposedly “vital” warrantless wiretapping is to national security also flies in the face of the official Inspector General report, which cast doubt on its usefulness.
The hearing was a step in the right direction, however, and it was encouraging to see so many members of Congress question the dangerous scope of the bill. Rep. Scott said, "An untold amount of NSA data collection is affecting citizens in America," Rep. Conyers demanded an official from the FISA courts testify on the matter, and others questioned the warrantless surveillance of American citizens. Given the massive constitutional implications of renewing FISA, and the ample evidence it is being abused, Congress has a duty to follow through and dramatically reform the bill or refuse to renew it entirely.
If you would like to read more about the extreme importance of the debate surrounding the renewal of FAA, read recent pieces by Salon’s Glenn Greenwald and Cato Institute’s Julian Sanchez on the subject. FireDogLake's civil liberties reporter, Kevin Gosztola, also has a comprehensive summary of today's hearing.
We took a stand for Twitter users Wednesday, and in an amicus brief (PDF) urged a New York City judge to reconsider his decision authorizing a broad subpoena to Twitter that seriously threatens the First Amendment and privacy rights of everyone on the Internet.
We started writing about the case of Malcolm Harris in February, when the New York City District Attorney's Office sent a subpoena (PDF) to Twitter, requesting information about Harris, one of the 700 protesters arrested on the Brooklyn Bridge in October 2011 in connection with an Occupy Wall Street protest. The prosecutors requested Twitter turn over reams of information it had on Harris, including the content of tweets, IP addresses from where he accessed Twitter, and any email addresses it had on file.
We believe the government is after Harris' location, and the fact that he was a prolific tweeter with almost 1,500 followers and 7,200 tweets -- and an outspoken Occupy Wall Street sympathizer -- would give the government a tremendous amount of insight into the Occupy movement's activities and membership. The fact that the subpoena came out of a criminal investigation for disorderly conduct, a trivial crime with a maximum punishment of a $250 fine or 15 days in jail, made it seem all the more like a politically motivated witch hunt. And the government confirmed that it was indeed trying to use the information from Twitter to figure out Harris' location on the day in question, but inexplicably requested three months of data from Twitter.
The judge's opinion (PDF) authorizing the subpoena was worse than we could have imagined. The court ruled Harris didn't have legal standing to challenge the subpoena because the information -- including all of his tweets -- belonged to Twitter. It allowed the government to get the content of communication -- tweets -- with simply a subpoena, and not a search warrant as required by the Fourth Amendment and the Stored Communications Act. It gave the keys to location information, IP addresses that could be used to determine where a person is when he logs into Twitter, without a search warrant.
Thankfully, Twitter stepped in since the court ruled Harris couldn't, and moved to quash the subpoena (PDF). And now we're stepping in too, teaming up with the ACLU, the New York Civil Liberties Union (NYCLU), and Public Citizen in an amicus brief in support of Harris and Twitter's challenge to the subpoena.
As we say in our brief, individuals have long had the legal ability to challenge government requests to third parties that implicate constitutional rights. After all, the data the government wants pertains to Harris, not Twitter. And while we (and others) applauded Twitter for standing up for its user in this instance, many tech companies holding tons of data about their users won't, leading to potential constitutional violations that have no way to be challenged in court. It's crucial for users to be able to stand up for themselves, instead of hoping that other companies follow Twitter's lead.
We also argue that the subpoena violates the First and Fourth Amendments. In order to protect free speech, the First Amendment demands that the government demonstrate an “overriding and compelling” need for the information and a substantial nexus between the information and a government investigation. The trivial charges and weak excuse, combined with the breadth of the subpoena, demonstrate the government has failed to meet this high standard.
With respect to the Fourth Amendment, content and location require a search warrant. In the last few years, thanks to some of the work we've done (and are still doing), courts have begun to recognize that the Fourth Amendment applies even when information is disclosed to a third party for a limited purpose, like when email is sent through a server in order to be delivered to its recipient, or a cell phone company keeps track of your location in order to complete your phone call. And with U.S. Supreme Court Justice Sotomayor's concurring opinion in United States v. Jones -- which ruled that the Fourth Amendment applies to the installation of a GPS tracking device on a car -- commenting it was time to reconsider the idea that disclosing some information for a limited purpose to a third party eliminates any privacy rights in that information, we're hopeful the judicial tide has turned on this issue.
We're also hopeful the judge will reconsider his decision after hearing from us and Twitter. Search warrants are an integral part of balancing law enforcement's voracious appetite with the right to privacy guaranteed in the Constitution. Broad subpoenas in trumped-up loitering cases shouldn't undermine this important bulwark against the overzealous government.
For Immediate Release: Thursday, May 31, 2012
San Francisco - When you use the Internet, you entrust your thoughts, experiences, locations, and more to companies like Google, Twitter, and Facebook. But what happens when the government asks these companies to hand over your private information? Will the company stand with you? Today, the Electronic Frontier Foundation (EFF) releases its second annual "When the Government Comes Knocking, Who Has Your Back?" report – this time as a white paper and chart tracking some of the Internet's biggest service providers on their public commitments to their users' privacy and security.
Increasingly, federal law enforcement agents are demanding that Internet companies provide their users' data as part of government investigations – sometimes fairly, sometimes unfairly. EFF's report examines 18 companies' terms of service, privacy policies, public representations, advocacy, and courtroom track records, awarding them gold stars for best practices in categories like "tell users about government data demands" and "fight for user privacy in courts."
"This year, we saw a big increase in the number of companies making a public promise to their users to inform them whenever possible when the government comes knocking," said EFF Legal Director Cindy Cohn. "This notice gives users the chance to fight back against government overreaches and to defend themselves if investigators want to unfairly fish around in their personal information. It appears that promising to notify your customers of government data demands is on the way to becoming an industry standard for responsible companies."
EFF first published its chart last year to recognize exemplary practices by some companies. We were pleased to see that Facebook, Dropbox, and Twitter have each upgraded their practices in the past year. Sonic.net, an ISP based in Santa Rosa, California, earned a gold star in every category. Cloud storage sites Dropbox and SpiderOak and business networking site LinkedIn also fared well, earning recognition in three categories each.
"Online service providers are the guardians of some of your most intimate data – everything from your messages, to location information, to the identities of your family and friends," said EFF Senior Staff Attorney Marcia Hofmann. "We wanted to acknowledge companies that are adopting best practices and taking exceptional steps to defend their users against government overreaches in the courts and in Congress."
In addition to upgrading their own practices, many Internet companies have joined with civil liberties groups into a powerful coalition working to clarify outdated privacy laws so that there is no question about when the government needs a warrant to access sensitive user data.
"This year, we saw a number of major Internet companies join the Digital Due Process coalition, which is aimed at getting Congress to make lasting improvements in the laws that protect our electronic privacy," said EFF Activism Director Rainey Reitman. "This should be a wakeup call to Congress to clarify outdated laws so there is no question that government agents need a court-ordered warrant before accessing sensitive location data, email content, and documents stored in the cloud."
For the full report "When the Government Comes Knocking, Who Has Your Back?":
Last year's report can be viewed here:
Humble Bundle has just launched its most impressive bundle yet, featuring five indie games that have already become classics in their respective genres: Psychonauts, LIMBO, Superbrothers: The Sword & Sworcery EP, Amnesia: The Dark Descent, and Bastion. These games have each been lauded as not just fun and entertaining, but also artistic and meaningful. By putting together such a great package of DRM-free games and offering purchasers the option of designating some of the profits to charity, Humble Bundle is putting users first at the same time it fosters a socially conscious indie gaming ecosystem.
Over the past two years, nearly one million purchases of independent video games have gone to support the Electronic Frontier Foundation through Humble Indie Bundles. These "pay-what-you-want" promotions let gamers set their own price for a lineup of killer games and choose the percentage of each purchase used to support the game developers, Humble Bundle and/or selected charities.
We have written extensively about the benefits of Humble Bundle's model to consumers. The games are distributed DRM-free across three different platforms (Windows, Mac and Linux). In the first Humble Indie Bundle, four of the game developers released their source code under an open license after the Bundle reached a $1,000,000 milestone. The Humble Bundle model shows that there is a way for small copyright owners to compete and succeed in a digital economy without draconian new laws and counter-productive restrictions that punish paying customers.
But the benefits don't stop there. Donations directed to EFF by Humble Bundle customers have helped us to successfully identify and defeat threats to civil liberties online. EFF works to convince Congress and courts that video games -- like websites, blogs, and software code -- should not be limited by regulations and restrictions that undermine our Constitutional right to free speech. Video games are a form of expression that should be protected under the First Amendment.
EFF wants to thank Humble Bundle and its customers who have chosen to support our work, and we encourage other gamers to join our fight to defend your rights. A free and open Internet is vital to innovation, entrepreneurship, creativity and the marketplace of ideas. You depend on it, we depend on it, the world depends on it. And the future of independent games depends on it.
Check out the Humble Indie Bundle V today. Independent games are thriving, and EFF will continue to defend gamers and developers as the industry grows. Support EFF in our efforts by designating a portion of your Humble Bundle purchase to EFF!
Suspended Sentence Good News for Thai Webmaster Jiew, But the Threat to Freedom of Expression Remains
Imagine going to court and potentially facing prison time over someone else’s comment in your blog. Thai webmaster Chiranuch Premchaiporn, also known by her online handle Jiew, has been facing that reality since her October 2010 arrest for violating the intermediary liability provisions of the 2007 Computer Crime Act and for "Lèse Majesté," or defamation of the Thai royal family. Jiew was not the author of the offending comments—she was the webmaster of the popular news site Prachatai that hosted them. In 2008, Prachatai published an interview with Chotisak Onsoong, a Thai man known for refusing to stand at attention during the Thai Royal Anthem—a dangerous political act in Thailand, but not technically a crime. The interview received huge attention, drawing over 200 comments from Thai citizens. On April 28, 2008, complaints were filed against Prachatai alleging that several comments on that interview defamed the Monarchy. These complaints led to Jiew’s arrest months later.
A Thai court handed down Jiew’s sentence yesterday, signaling the end of a protracted legal battle: a one-year suspended sentence, further reduced to eight months, and a 20,000 baht ($625) fine, which she paid immediately in cash. It’s not the acquittal Jiew had hoped for, but it’s far from the 32-year maximum sentence for the charges against her.
Even though it could have been worse, the verdict still spells bad news for freedom of expression in Thailand. Jiew herself is quick to point out that “I still think the verdict will have an impact on self-censorship."
"By convicting the manager of a news website of a crime, the Thai authorities are showing the extreme lengths they are willing to go to stifle free expression," Brad Adams, Asia director of Human Rights Watch, said in a prepared statement. "More and more web moderators and Internet service providers will censor discussions about the monarchy out of fear they too may be prosecuted for other people's comments."
Internet intermediaries were quick to condemn the ruling. Taj Meadows, Asia Pacific spokesman for Google, wrote via email:
"Telephone companies are not penalized for things people say on the phone and responsible website owners should not be punished for comments users post on their sites. The precedent set today is bad for Thai businesses, users and the innovative potential of Thailand's Internet economy."
Even without the threat of jail time, the Thai government has pressured global Internet intermediaries such as Google, Facebook, and Twitter to censor content. The Ministry of Information and Communications Technology (MICT), which regulates the Internet in Thailand, demanded last year that Facebook delete 10,000 pages for violating the lèse majesté law. Thai Facebook users who click on the “like” or “share” buttons linked to content that violates lèse majesté continue to be prosecuted. Wipas Raksakulthai, the first Thai Facebook user arrested in April 2010, was declared a prisoner of conscience by Amnesty International.
When Twitter announced in January that it would introduce country-by-country content blocking based on geolocation, MICT permanent secretary Jeerawan Boonperm said he would work with Twitter to make sure that tweets in Thailand complied with local law. Jeerawan noted that MICT already had "good cooperation" from Google and Facebook.
Intermediaries large and small continue to be threatened by the lèse majesté law. EFF is happy to see Chiranuch Premchaiporn receive a sentence that will probably not require her to serve jail time, but the threat that this law represents to freedom of expression in Thailand remains dire.
Last week, a spokesman for the Pakistani Ministry of Information Technology announced that Pakistan was blocking access to Twitter because the site had not removed links to a competition on Facebook to post cartoon images of the Muslim prophet Mohammed. Why Twitter and not Facebook? The spokesman went on to say that Facebook had agreed to address the Pakistani government’s concerns—Facebook later issued a statement saying they had blocked the content about the contest in Pakistan—but they viewed Twitter as recalcitrant.
“The government is in contact with Twitter and had asked them to remove the material. When they didn't, it was decided that the site would be blocked.”
For their part, Twitter released an official statement reiterating their policy of taking down content in response to valid court orders, which they said they have not received from the Pakistani government. Neither Twitter nor Facebook appears to have offices, data centers, or personnel inside of Pakistan, giving rise to questions of whether the Pakistani courts have jurisdiction over either company. Both Facebook and Twitter have the capability to block content on a country-by-country basis. It is disappointing to see Facebook use this capability to censor content in Pakistan while Twitter has held its ground.
Pakistan’s decision to block Twitter put it in bad company. While the government has spent the last couple of years experimenting with all kinds of Internet censorship, blocking Twitter is an uncommon move. The only other country that consistently blocks access to Twitter at this time is the People’s Republic of China. Burma has blocked access to Twitter intermittently, usually timed to coincide with events the government thinks are likely to trigger political protest, such as elections.
Pakistan’s block on Twitter inspired immediate outrage. A few hours after the block was implemented, Interior Minister Rehman Malik (apparently deaf to the irony that no one in Pakistan could read his message of concern) tweeted:
Dear All yes I spoke to PM and informed how people are feeling about it. PM ordered to reopen the twitter.
Access to Twitter was only blocked for eight hours, but the effect on freedom of expression in Pakistan could be more long-lasting. Huma Yusuf, columnist for the Pakistani newspaper Dawn, fears that this is merely a precursor to Internet censorship surrounding the upcoming general election and expresses concern that the next ban may not be as short-lived. But if this ban was meant to test the will of Pakistani Twitter users, who protested immediately, or Twitter itself, which did not remove the references to the cartoon-drawing contest, the ban was a failure. If the Pakistani government has learned anything from this experience it's that even if they cannot make Twitter blink, Facebook does cooperate with their requests to block certain kinds of content within Pakistan. We may not see more Twitter blocking when the general election comes, but other forms of blocking, filtering, and censorship of online content seem likely to continue to pose a danger to freedom of expression in Pakistan over the coming year.