Deep Links from Electronic Frontier Foundation
Here’s the deal: right now, there’s a petition demanding reform to the Electronic Communications Privacy Act (known by its acronym, ECPA), a would-be privacy law passed in 1986. The Justice Department has argued this outdated law gives them the right to read your old emails and the documents you store in the cloud with a simple subpoena, rather than a judge-issued warrant. That’s crazy—and unconstitutional—but we’ve got a chance to fix it. If we can get 100,000 signatures on this petition before December 12, President Obama will be forced to go on the record on this issue.
ECPA reform is within our reach. It’s got momentum in Congress and a ton of support from industry. And although this is a very different issue from NSA mass spying, the attention on over-reaching surveillance has brought new life to the debate. Now we just have to show there’s grassroots support for protecting the privacy of our documents and emails. Signing this petition is the first step.
Related Issues: Privacy
Despite the U.S. Trade Representative's concerted efforts to push through a deal, the Trans-Pacific Partnership Agreement (TPP) will not be completed by the self-imposed deadline of the end of this year. That announcement, made in Singapore today at a closed press conference, is welcome: the U.S. Trade Representative's accelerated timeline has served as yet another means of restricting transparency, and a key pressure point in its campaign to get the U.S. Congress to abdicate its oversight role by granting "fast track authority." If you're in the U.S., you can contact your legislators and tell them to oppose that effort.
The closed press conference itself was representative of the needless secrecy surrounding the negotiation of this agreement. While the TPP ministers laid out the new timeline and opened the floor to questions, public interest groups were limited to the lobby of the building—not even allowed to stand in the back of the room and watch.
Of course, the announcement also comes just days after a leaked document showed major rifts in the positions of different countries and highlighted a number of substantive proposals where the United States has failed to secure international support for its stances. The TPP ministers announced "substantial progress" in the agreement, but offered no firm explanation of how the situation had changed since the release of those documents.
Without such an explanation, the public continues to rely on leaks to get important information about the agreement. And while they have been very helpful, leaks are no substitute for transparency. With both this most recent and earlier disclosures—such as the WikiLeaks publication last month of an entire draft proposal for the chapter titled "Intellectual Property"—the public gets just a snapshot, which may be out of date and incomplete.
There is one surefire way for negotiating countries to eliminate these leaks. They could simply release these documents, which are, after all, being negotiated in the public's name. Instead, the public has gotten glances only through the efforts of whistleblowers and groups like WikiLeaks. Even absent substantive complaints about the text—which are many—the completely opaque negotiation process is enough to strip the agreement of its legitimacy.
For the U.S. Trade Representative to ask for fast track authority against that backdrop is audacious, and for Congress to even consider it is irresponsible. Even without public text, the pushback against this agreement has been overwhelming. In just the past week we've seen Chilean legislators demanding their government provide more transparency to negotiations, Nobel prize-winning economist Joseph Stiglitz raise 12 "grave risks" presented by the leaked chapter, and even the Holy See take a stance against the policy-laundering associated with opaque multinational agreements.
Efforts to rush the agreement to completion despite those complaints are misguided at best, so it's a good thing that those efforts have stalled for the time being. But any reprieve is likely to be short, and in the new year negotiators are likely to ramp up the pressure.
The U.S. Trade Representative has been negotiating as if it already had fast track authority; our best hope in the U.S. of getting some oversight for this agreement is to ensure it doesn't get it. Contact your legislators today and tell them: no fast track authority for shady backroom deals.
Related Issues: Free Speech, International, Trans-Pacific Partnership Agreement, Transparency
Commercial unmanned aerial systems are set to start flying over US airspace in 2015. In November the Federal Aviation Administration released its final privacy rules for the six drone “test sites” that the agency will use to evaluate how drones will be integrated into domestic air traffic. These new privacy requirements were issued just days after Senator Markey (D-MA) introduced a new bill, the Drone Aircraft Privacy and Transparency Act, intended to codify essential privacy and transparency requirements within the FAA's regulatory framework for domestic drones and drone test sites.
In 2012 Obama signed the Federal Aviation Administration Modernization and Reform Act, which mandated that the FAA implement “test sites” to fly domestic drones before opening the door to nationwide regulations and licensing for commercial drone flying. 24 states have applied to be FAA drone test sites. While the FAA's rules do establish minimal transparency guidelines for the new drone test sites, the new rules apply only to the test sites and do not apply to the drones that are already authorized to fly.
While we appreciate the steps the FAA has taken so far, the agency could and should go further to require similar transparency from all drone operators. The FAA has already authorized almost 1,500 permits for domestic drones since 2007, but, despite our two Freedom of Information Act lawsuits for drone data, we still don’t know much about where these drones are flying and what data they are collecting.
It is especially important for the FAA to define basic data collection procedures for domestic drones because the technology enables a kind of surveillance not achievable by manned aerial or ground-based law enforcement or commercial entities. Some drones are capable of staying in the air for 16-24 hours at a time, much longer than a manned aircraft ever could. Drones can fly at altitudes above 20,000 feet with super high resolution cameras and can monitor and track many people at once or intercept phone calls and text messages. Drones also cost far less to purchase, operate and maintain than helicopters and planes.
A number of drone bills have been introduced in Congress over the last two years, but Senator Markey's proposed legislation is demanding of both the FAA and drone operators when it comes to protecting the constitutional rights of Americans. The Drone Aircraft Privacy and Transparency Act calls for the FAA to institute and enforce guidelines for all licensed domestic drone flights—not just test sites—that include clear data minimization procedures, as well as transparency rules that require drone test site operators to disclose their data collection practices and how drone operators use, retain, and share all collected data.
Markey's bill requires the FAA to create a publicly searchable database of all awarded drone operator licenses, the logistical details of their operation, and each drone operator's data collection and minimization statement. Creating a database like this is within the FAA’s purview. The agency already runs other databases about aircraft in national airspace, listing who is in the air, accident reports, and safety information.
Law enforcement agencies across the country are already flying drones without set national privacy guidelines in place. But at this point our most successful tactic for learning more about drones has been to sue for access to information. The American public shouldn't have to submit a FOIA request just to know if drones are overhead. Senator Markey’s bill is a strong start to what needs to be an ongoing conversation about the future of American privacy standards in light of the coming age of domestic drones. We need more lawmakers to speak up for greater transparency and accountability of both government and commercial operation of drones in our national airspace.
Until there are laws in place that mandate transparency, we encourage you to submit requests to your local law enforcement agency and city council to learn more about drone flights in your area. We've partnered with MuckRock, an open government organization dedicated to helping people send requests for public records, to campaign for greater transparency about drones that are already flying in the United States. If you're wondering what your own police agency may be doing with drones, go here and fill out this simple form so MuckRock can send in a public records request for you.
Related Issues: Privacy, Surveillance Drones, Transparency
Related Cases: Drone Flights in the U.S.
Today, there are full-page advertisements running in the New York Times, Washington Post, Politico, Roll Call, and The Hill. They all have the same message: big tech companies are calling on Congress to rein in the mass surveillance. You can read the full message on the newly-launched Reform Government Surveillance site.
This is a victory for users—with the companies taking a giant step forward in supporting their customers’ rights. The five basic principles they announced today include:
- Limiting Governments’ Authority to Collect Users’ Information
- Oversight and Accountability
- Transparency About Government Demands
- Respecting the Free Flow of Information
- Avoiding Conflicts Among Governments
While these are all valuable, the first one particularly heartened us: “Governments should limit surveillance to specific, known users for lawful purposes, and should not undertake bulk data collection of Internet communications.” With these principles, the companies are joining digital citizens worldwide in demanding a stop to the unrestrained, mass surveillance of our digital lives.
This is an important moment in the fight for surveillance reform. Right now, the United States Congress is facing a fundamental decision about how it will handle mass surveillance confirmed by the Snowden disclosures. There are bills that would rein in the mass surveillance in a meaningful way and others that would entrench the worst of the NSA’s surveillance practices into law. The primary bill championing reform is the USA FREEDOM Act, which EFF has praised as a strong step in the right direction even if it doesn’t go as far as we’d like. On the other hand, Senator Feinstein is pushing the so-called FISA Improvements Act, which attempts to legalize the bulk data collection of the NSA. (Join EFF in killing the bill.)
The events of the last six months have shown that pressure from the general public can help change things for the better. Since June, users around the world have been demanding an end to bulk collection of our digital communications—and have been calling on companies to join us in the fight. Just after the world began to see internal NSA documents exposing massive unchecked spying, EFF and Access Now launched a petition calling on big companies to demand surveillance reform. We targeted it at those companies that had been named in the Washington Post and Guardian articles about PRISM, the code-name for a secret NSA surveillance program.
The leaked files indicated the government had access to servers of nine major U.S. companies, including Facebook, Google, and AOL. The companies dispute that they had cooperated with the government in allowing direct access to millions of people’s digital communications, though sometimes with strange phrasings in their denials. We asked questions about the program, and then launched a grassroots campaign in partnership with Access Now demanding that US tech companies join individuals in calling for surveillance reform.
More recently, we learned that the NSA was getting direct access to major service providers, by stealing information off of links between the companies’ data centers—without the companies’ knowledge. This shows that policy reform is not the only thing necessary. While policy reform can protect against unconstitutional surveillance orders coming through the front door, encryption is just as important, protecting the backdoor against warrantless spying. In response, EFF called for tech companies to take steps to encrypt their data, as well as take the policy fight to Congress and the courts.
Over the last few weeks, several major companies have announced plans to increase encryption (see Encrypt the Web Report). Companies like Twitter, Facebook, and Google already had many of the encryption measures we think should be standard across the board; companies like Microsoft and Yahoo have committed to taking definite steps in the near future.
But notably absent from the coalition are telecom companies, like Verizon and AT&T. These companies have long been considered the weak link when it comes to government access requests. AT&T just announced that it would not respond to shareholder requests to be transparent about its relationship with the NSA.
So while this is a moment to celebrate, the battle is far from won. We’re looking forward to encouraging these companies to engage even more in fighting for users’ privacy rights in Congress even as they increase their digital security. We also urge companies to sign onto our robust international surveillance and human rights principles, which are in alignment with the five principles published by the tech companies, but include more protections for users.
Related Issues: NSA Spying
Related Cases: First Unitarian Church of Los Angeles v. NSA
Today, EFF—along with Engine, the App Developers Alliance, and Public Knowledge—filed a brief asking the Supreme Court to retain some sanity in the law and tighten up the rules around fee shifting. Fee shifting, sometimes called "loser pays," is already in the Patent Act. While the statute currently says that "the court in exceptional cases may award reasonable attorney fees to the prevailing party," the Federal Circuit has created a standard that makes this law essentially meaningless—fees are granted in but the smallest fraction of cases.
Properly applied, fee shifting can be an important tool to rein in patent trolls. Those trolls use the ballooning cost of patent litigation to extort quick settlements from potential defendants. Facing years in court and millions of dollars in legal fees, it's no wonder that so many defendants choose not to fight back. Of course, not fighting back only emboldens the trolls.
As we wrote in our brief:
The consequence of the Federal Circuit's withering of Section 285 protection is the creation of an industry of patent abusers, decimating the very small businesses and startups that drive American innovation. The intimidating cost of patent litigation is often sufficient to defeat those small parties before they even enter the courthouse door. These costs are not just legal fees: they are also the stress associated with litigation; employee time lost in deposition, discovery, and trial; and the stifling of productive output during the pendency of litigation. Thus, facing the threat of a lawsuit, a potential defendant finds itself with virtually no choice but to settle, even if it believes it has a meritorious noninfringement or invalidity case. And the proverbial analogy continues full-circle: feeding a troll just emboldens that troll to act again, while blighting the innovators upon whom the trolls feed.
Enter fee shifting. If defendants had reason to believe they might recover their costs and fees, even in some cases, it only stands to reason that more companies would join the ranks of those taking the fight back to the trolls.
The Supreme Court is not alone in looking into fee shifting. The Innovation Act, which just passed out of the House of Representatives, includes a provision that would strengthen fee shifting. And the White House, too, has explicitly endorsed expanding fee shifting. We'll be watching closely in the coming months and continue to petition courts and policy makers to level the playing field by giving those who face the threat of patent trolls tools to fight back.
Files: octane_v_icon_eff_amicus_brief.pdf
Related Issues: Patents
For several weeks now, former Navy chaplain and Colorado Assembly candidate Gordon Klingenschmitt has been on a campaign to shut down the YouTube account of People for the American Way's Right Wing Watch (“RWW”) project. RWW reports and comments on the political views of folks like Klingenschmitt, using their own words. As we all learned in Writing 101: show, don’t tell.
Klingenschmitt apparently doesn’t appreciate the criticism those clips engender, so he’s been using false copyright claims to get them taken down. Now, with help from EFF and Hogan Lovells, PFAW is fighting back, demanding that Klingenschmitt end his campaign.
Some background: RWW’s YouTube account has over 2,000 video clips, from a variety of sources, cataloguing statements by right-wing political and religious figures. These video clips are used by RWW in its blog, and also by journalists and other opinion makers, in order to expose what RWW sees as extremist rhetoric. Among those clips are several dozen excerpted from Klingenschmitt’s show, also hosted on YouTube, called Pray in Jesus’ Name.
In response, Klingenschmitt filed a series of Digital Millennium Copyright Act (“DMCA”) takedown notices with YouTube targeting those clips. Because YouTube has a policy of shutting down accounts after three takedown notices, Klingenschmitt’s bogus complaints caused RWW’s entire account to be taken offline - twice.
Why bogus? Because the videos are clearly protected fair uses. The clips are noncommercial and transformative. The clips are placed in a distinct news and editorial context, for entirely different purposes from those motivating the original work. As such, RWW’s work is precisely the type of use the fair use doctrine was designed to protect. RWW uses only short clips, no more than necessary for the purpose of facilitating public commentary. And, the clips do not harm any market for Klingenschmitt’s works. Finally, the RWW blog and YouTube channel serve the public interest by advancing political criticism and debate.
It appears that Klingenschmitt does not care much about legal niceties like fair use. He’s publicly bragged about the campaign, and made it abundantly clear that his goal is not legal but political. RWW has challenged every takedown notice, using YouTube’s counter-notification process, and Klingenschmitt has never taken the next step of actually backing up his bogus claim by filing a lawsuit against PFAW (which he has to do to keep the videos down after a counter-notice). Instead, he just sends more notices.
As we have noted before, the “three strikes and you’re out” approach to DMCA notices taken by YouTube and other service providers is ripe for this kind of abuse. YouTube has made some improvements, but there’s much more service providers could do. (PFAW has a petition to YouTube asking them to change their policies; you can support it here.)
In the meantime, however, Klingenschmitt is now on notice: RWW’s clips are lawful fair uses, and it’s time to stop claiming otherwise. Klingenschmitt has plenty of tools for challenging RWW’s reporting and commentary, beginning with his own show. After all, the best answer to speech you don’t like is more speech. But he needs to take the DMCA out of his toolkit, now.
Files: eff.hl_.lttkling.pdf
Related Issues: Free Speech, No Downtime for Free Speech, Intellectual Property, DMCA
Stephanie Lenz’s effort to hold Universal Music Group accountable for abusing the Digital Millennium Copyright Act (“DMCA”) to take down a home video of her toddler “dancing” to Prince in the kitchen is one step closer to fruition. Today, EFF and co-counsel Keker & Van Nest LLP filed an opening brief on behalf of Ms. Lenz in the federal Court of Appeals for the Ninth Circuit. And, as we explain in the brief, the case concerns whether Internet users—from Ms. Lenz to remix artists to scholars to documentary filmmakers—have any real protection against wrongful accusations of copyright infringement.
Over the years, the case has garnered a great deal of media coverage. One reason for the interest is that Ms. Lenz was accused of infringement for doing something parents do all the time: documenting and sharing precious moments in the lives of their children. And it was not infringement: Ms. Lenz’s video was an obvious fair use, and protected expression under the First Amendment. Unfortunately, Universal's takedown policy was blind to fair use, and, therefore, guaranteed to result in these kinds of takedowns.
Section 512(f) of the DMCA is supposed to prevent this kind of abuse, by allowing users to hold copyright holders accountable when they misrepresent, in a DMCA notice, that the copy posted online is infringing. Universal claims that Congress never intended to require content owners to consider fair use before sending such notices.
Universal is wrong. When it passed the DMCA, Congress didn’t intend to give copyright holders a broad power to make other people’s speech disappear, without robust protection against abuse. That’s why Congress required copyright holders to consider whether a given use is authorized by law, as well as whether the copyright owner or its agent gave permission.
The brief also urges the Court to clarify that the sender of a takedown notice is required to make reasonable determinations about the law. In other words, if a copyright holder is going to claim someone violates copyright law, it should first have some idea of what qualifies as a violation. Too often, we have seen copyright owners send takedown notices informed by only the vaguest notion of what actually qualifies as infringement. As we explain:
A law that grants a private actor the power to do what even a court cannot—cause the prior restraint of speech based on a purely ex parte review—alters not only the traditional contours of copyright protection but of our fundamental free speech doctrines. Such a law can only be tolerated, if at all, if the exercise of that power is tied to an obligation to understand what the law is, and to make reasonable assertions based on that understanding.
Ms. Lenz’s case offers the Ninth Circuit an opportunity to confirm that the DMCA balance remains what Congress intended and what the statute plainly provides. Let's hope the court takes it.
Files: lenz.opening.public.pdf
Related Issues: Free Speech, Intellectual Property, DMCA
Related Cases: Lenz v. Universal
Patent reform is moving along nicely on Capitol Hill, but today we got some more really big news. The Supreme Court has agreed to take on the question of patentable subject matter. Specifically, it's time to talk about software patents.
A brief refresher: under the law, one cannot patent laws of nature, natural phenomena, or abstract ideas. Recently, the Supreme Court clarified this standard in two cases (here and here) that dealt with laws of nature. Despite clear guidance from the Court, when the Federal Circuit addressed the question as it relates to abstract ideas (read, software), it basically punted, failing to produce any meaningful rule of law for lower courts to follow. Even worse, it continued to muddy the waters by upholding crazy abstract patents like the one for watching an advertisement online before getting access to copyrighted content.
Today, the Supreme Court stepped in. It agreed to hear a case called Alice v. CLS Bank. We wrote about why that mattered here, but suffice it to say that the Court will be facing fundamental questions about whether many so-called software patents are impermissibly abstract.
We're glad that patent reform has momentum and that policymakers are targeting patent trolls. But the root of that problem, which has largely been missing from the public debate, is patent quality, specifically of software-related inventions. There can be no doubt: we have a problem with low-quality, abstract software patents in this country. We are incredibly glad to see the Supreme Court take on this important question and we look forward to weighing in.
Related Issues: Patents
Related Cases: Abstract Patent Litigation
We’ve asked the companies in our Who Has Your Back Program what they are doing to bolster encryption in light of the NSA’s unlawful surveillance of your communications. We’re pleased to see that four companies—Dropbox, Google, SpiderOak and Sonic.net—are implementing five out of five of our best practices for encryption. In addition, we appreciate that Yahoo! just announced several measures it plans to take to increase encryption, including the very critical encryption of data center links, and that Twitter has confirmed that it has encryption of data center links in progress. See the infographic.
By adopting these practices, described below, these service providers have taken a critical step towards protecting their users from warrantless seizure of their information off of fiber-optic cables. By enabling encryption across their networks, service providers can make backdoor surveillance more challenging, requiring the government to go to courts and use legal process. While Lavabit’s travails have shown how difficult that can be for service providers, at least there was the opportunity to fight back in court.
While not every company in our survey has implemented every recommendation, each step taken helps, and we appreciate those who have worked to strengthen their security. We hope that every online service provider adopts these best practices and continues to work to protect their networks and their users.
Crypto Survey Results
UPDATE, November 20, 2013: Facebook and Tumblr have provided further information to supplement the Encrypt the Web Report. We're pleased to report that Tumblr is planning to upgrade its web connections to HTTPS this year and implement HSTS by 2014, and Facebook is working on encrypting data center links and implementing STARTTLS.
UPDATE, November 22, 2013: Google has provided further information to supplement the report on its use of HSTS. See the updated chart below and the notes for more information.
UPDATE, December 5, 2013: Microsoft has provided further information, announcing a plan to expand encryption across all its services, including encrypting links between data centers and implementing forward secrecy by the end of 2014.
[Chart columns: Encrypts data center links; Supports HTTPS; HTTPS Strict (HSTS); Forward Secrecy; STARTTLS]
Notes: The information in this chart comes from several sources: the companies that responded to our survey questions, information we have determined by independently examining the listed websites and services, and published reports. Some of the surveyed companies did not respond to the survey.
Recognizing that some of these steps will take time to implement, we gave credit to companies that either (1) have implemented or (2) have concrete plans to implement the listed encryption process, as noted.
For STARTTLS, the red and grey shading indicates whether or not the company is a major email service provider. While we encourage all companies to implement STARTTLS, even if they only provide email for their own employees, the issue is most critical for companies that provide email communications to the public.
Google implements HSTS on a set of services [1], including mail, drive and accounts, via pre-loading in the Chrome browser. This list was also preloaded in the Firefox browser; however, due to a bug, that preload list is currently nonfunctional (Nov. 22, 2013). We understand that a resolution is in progress.
This graphic is also available as an image file.
Why Crypto Is So Important
The National Security Agency’s MUSCULAR program, which tapped into the fiber-optic lines connecting the data centers of Internet giants like Google and Yahoo, exposed the tremendous vulnerabilities companies can face when up against as powerful an agency as the NSA. Bypassing the companies’ legal departments, the program grabbed extralegal access to your communications, without even the courtesy of an order from the secret rubber-stamp FISA court. The program is not right, and it’s not just.
With that in mind, EFF has asked service providers to implement strong encryption. We would like to see encryption on every step of the way for a communication on its way to, or within, a service provider’s systems.
For starters, we have asked companies to encrypt their websites with Hypertext Transfer Protocol Secure (HTTPS) by default. This means that when a user connects to their website, it will automatically use a channel that encrypts the communications from their computer to the website.
We have also asked them to flag all authentication cookies as secure. The secure flag directs web browsers to send these cookies only over an encrypted connection. That stops network operators from stealing (or even logging) users' identities by sniffing authentication cookies going over insecure connections.
To ensure that the communication remains secure, we have asked companies to enable HTTP Strict Transport Security (HSTS). HSTS essentially insists on using secure communications, preventing certain attacks where a network pretends that the site has asked to communicate insecurely.
All of these technologies are now industry-standard best practices. While they encrypt the communications from the end user to the server and back, the MUSCULAR revelations have shown this is not enough. Accordingly, we have asked service providers to encrypt communications between company cloud servers and data centers. Any time a user’s data transits a network, it should be strongly encrypted, in case an attacker has access to the physical data links or has compromised the network equipment.
In addition, we have asked for email service providers to implement STARTTLS for email transfer. STARTTLS is an opportunistic encryption system, which encrypts communications between email servers that use the Simple Mail Transfer Protocol (SMTP) standard. When a user emails someone on a different provider (say, a Hotmail user writing to a Gmail user), the mail message will have to be delivered over the Internet. If both email servers understand STARTTLS, then the communications will be encrypted in transit. If only Gmail does but Hotmail does not (the current situation), they will be in the clear and exposed to eavesdropping, so it’s critical to get as many email service providers as possible to implement the system.
Finally, we have asked companies to use forward secrecy for their encryption keys. Forward secrecy, sometimes called ‘perfect forward secrecy,’ is designed to protect previously encrypted communications, even if one of the service providers’ keys is later compromised. Without forward secrecy, an attacker who learns a service provider’s secret key can use it to go back and read previously incomprehensible encrypted communications—perhaps ones that were recorded months or years in the past.
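As an added example (not EFF's code and not part of the original report), the following Python code checks four of the practices described above against captured server output: the HSTS header, the Secure flag on cookies, STARTTLS in an SMTP EHLO reply, and a forward-secret cipher suite. The function names, sample responses and example.test hosts are constructed for illustration; data center link encryption cannot be observed from outside and is not covered.

```python
# Added example: offline audit of captured server responses.
# All sample data below is constructed; example.test hosts are placeholders.

def parse_http_headers(raw):
    """Return (lowercased name, value) pairs, keeping repeated headers."""
    headers = []
    for line in raw.split("\r\n")[1:]:       # skip the status line
        if not line:                         # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def hsts_policy(headers):
    """Parse the first Strict-Transport-Security header; None if not enforcing."""
    for name, value in headers:
        if name != "strict-transport-security":
            continue
        max_age, subdomains = None, False
        for directive in value.split(";"):
            key, _, arg = directive.strip().partition("=")
            if key.lower() == "max-age":
                arg = arg.strip().strip('"')
                max_age = int(arg) if arg.isdigit() else None
            elif key.lower() == "includesubdomains":
                subdomains = True
        if max_age:                          # max-age=0 tells browsers to drop HSTS
            return {"max_age": max_age, "include_subdomains": subdomains}
        return None                          # browsers honour only the first header
    return None


def insecure_cookies(headers):
    """Names of cookies set without the Secure attribute."""
    names = []
    for name, value in headers:
        if name == "set-cookie":
            pair, *attrs = value.split(";")
            if not any(a.strip().lower() == "secure" for a in attrs):
                names.append(pair.split("=", 1)[0].strip())
    return names


def smtp_offers_starttls(ehlo_reply):
    """True if a 250 line of the EHLO reply advertises STARTTLS."""
    for line in ehlo_reply.splitlines():
        if line[:3] == "250" and line[4:].strip().upper().split(" ")[0] == "STARTTLS":
            return True
    return False


def has_forward_secrecy(cipher):
    """Heuristic on the suite name: ephemeral (EC)DH key exchange or TLS 1.3."""
    name = cipher.upper().replace("_", "-")
    if name.startswith("TLS-") and "-WITH-" not in name:
        return True                          # TLS 1.3 suites are always ephemeral
    parts = name.split("-")
    if parts[0] == "TLS":
        parts = parts[1:]
    return parts[0] in ("ECDHE", "DHE", "EDH")


def audit(http_response, ehlo_reply, cipher):
    """Summarise the four externally visible practices for one provider."""
    headers = parse_http_headers(http_response)
    return {
        "hsts": hsts_policy(headers) is not None,
        "cookies_missing_secure": insecure_cookies(headers),
        "starttls": smtp_offers_starttls(ehlo_reply),
        "forward_secrecy": has_forward_secrecy(cipher),
    }


# Constructed sample captures (not real server output).
GOOD_HTTP = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
             "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n")
WEAK_HTTP = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=0\r\n"
             "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
             "Set-Cookie: prefs=dark; Secure\r\n\r\n")
GOOD_EHLO = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
WEAK_EHLO = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    print(audit(GOOD_HTTP, GOOD_EHLO, "ECDHE-RSA-AES128-GCM-SHA256"))
    print(audit(WEAK_HTTP, WEAK_EHLO, "AES128-SHA"))
```

A passing STARTTLS check shows only that the server offers encryption; because STARTTLS is opportunistic, delivery still falls back to cleartext when the other side does not support it.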
- 1. The HSTS domains are wallet.google.com; checkout.google.com; chrome.google.com; docs.google.com; sites.google.com; spreadsheets.google.com; appengine.google.com; encrypted.google.com; accounts.google.com; profiles.google.com; mail.google.com; talkgadget.google.com; talk.google.com; hostedtalkgadget.google.com; plus.google.com; plus.sandbox.google.com; script.google.com; history.google.com; security.google.com; goto.google.com; market.android.com; ssl.google-analytics.com; drive.google.com; googleplex.com; groups.google.com; apis.google.com; chromiumcodereview.appspot.com; chrome-devtools-frontend.appspot.com; codereview.appspot.com; codereview.chromium.org; code.google.com; dl.google.com; translate.googleapis.com; oraprodsso.corp.google.com; oraprodmv.corp.google.com; gmail.com; googlemail.com; www.gmail.com; www.googlemail.com; google-analytics.com; and googlegroups.com.
As we did last year and the year before that, EFF is greeting the holiday season with a new wish list: things we would love to see happen for us and for every Internet user in the world this holiday season. Here are some of the actions by governments, companies, and individuals that we would love to see in the new year.
- Citizens, organizations, privacy officials, and governments should unite around the International Principles on the Application of Human Rights to Communications Surveillance and add their voices to make clear that mass surveillance violates international human rights norms.
- The U.S. Congress should create a new Church Committee to find out what the intelligence agencies are actually doing. Since mass surveillance is a global problem, we also need parliamentary commissions of inquiry around the world trying to answer the same question.
- Congress should pass meaningful reform of the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.
- The Department of Justice should notify everyone who has been convicted of a crime using evidence derived, directly or indirectly, from warrantless surveillance programs (and not just notify a tiny, privileged group of defendants).
- All communications companies should publish transparency reports showing the scope and nature of government requests for user information. The Internet industry, led by Google, has made this a standard for corporate transparency, but telecommunications companies are still totally missing in action.
- Every Internet site should adopt encryption best practices for every connection, all the time, including PFS, STARTTLS, HSTS, and encrypted traffic between data centers.
- In 2014, every certificate authority and browser vendor should commit to adopting Google's Certificate Transparency system to detect and stop the issuance of false certificates that facilitate spying on Internet users.
- Companies that sell books, movies, music, or other digital media should commit to the principle that “if you bought it, you own it.” That means no DRM and no sneaky license agreements.
- Every wireless device should let you change its MAC address (a hardware serial number), and no new technology standard should be designed to broadcast persistent hardware serial numbers over the air or over a network. (If a device keeps sending the same hardware serial number, as wifi devices and cell phones do, among others, whoever is on the other end or manages to intercept its communications can recognize your identity and track your location. Companies and governments are already taking advantage of this to build massive databases of our devices.)
- Websites should publish old versions of their terms of service and privacy policies, with exact effective dates, to help users understand what has changed over time. Companies like Facebook should, at a minimum, stop blocking the Internet Archive from creating and displaying a historical record of their policies.
- Companies entering the secure communications space (as well as those that have already been there a while!) should explain exactly how secure they are and why. These companies should undergo public technical audits by experts and clearly explain how they deal with fundamental, classic security challenges. At the same time, they should explain clearly and publicly whether, and to what extent, they could be compelled to log or hand over their users' data or help break their users' security (including by disclosing cryptographic keys or passwords, by issuing false digital certificates, or by modifying their software).
- The surveillance industry should take responsibility for ensuring that it is not facilitating mass surveillance and other human rights violations.
It goes without saying that 2013 has been an important year for transparency, security, privacy, and more. Let's see it out in style by making some of these important wishes come true.
Related Issues: DRM, Defend Your Right to Repair!, Terms Of (Ab)Use, International, International Privacy Standards, Mass Surveillance Technologies, State Surveillance & Human Rights, Cell Tracking, Encrypting the Web, Locational Privacy, NSA Spying, RFID, Security, Computer Fraud And Abuse Act Reform, Transparency
An article yesterday in the Washington Post disclosed the NSA's massive cell phone location program. The program, codenamed CO-TRAVELER, is designed to track who meets with whom and covers everyone who carries a cell phone, all around the world.
With neither public debate nor court authorization, CO-TRAVELER collects billions of records daily of cell phone user location information. It maps the relationships of cell phone users across global mobile network cables, gathering data about who you are physically with and how often your movements intersect with other cell phone users. The program even tracks when your phone is turned on or off.
The trillions of collected records, which add up to twice the amount of data in the Library of Congress’ print collection, are saved and stored in the NSA’s mammoth database called FASCIA. While allegedly aimed at foreigners and mobile phones overseas, the NSA admits that it has “incidentally” collected location information on U.S. persons.
CO-TRAVELER ignores fundamental values in the Constitution the NSA has sworn to uphold, including the right against unreasonable search and seizure as well as freedom of association. Thinking globally, the program disregards international human rights law, which is currently in the process of being reaffirmed in a draft resolution by the UN General Assembly.
The Fourth Amendment Protects Cell Phone Location Data
EFF has been working for years to get the courts to recognize that the government must get a warrant before seizing cell phone location records. The court decisions are split. In 2008 the Third Circuit federal appeals court correctly held that federal magistrates have the discretion to require the government to get a search warrant based on probable cause before obtaining cell phone location records. But the Fifth and Sixth Circuits have approved the seizure of cell phone location records without a warrant. The Supreme Court has yet to rule on cell phone location, but did hold that planting a GPS device on a car requires a warrant, without reaching a decision on whether the warrantless tracking itself would violate the Fourth Amendment.
CO-TRAVELER does not simply collect location information. It creates a portrait of travel times and people who crossed paths, revealing our physical interactions and relationships. The cell site information goes beyond email and phone calls and ordinary telephony data, allowing the U.S. government to know who we are with in-person and where. This is information that would be impossible to collect using traditional law enforcement methods.
An NSA official said that the agency’s collection methods are “tuned to be looking outside the United States.” This appears to be an attempt to assert that U.S. law does not apply because they are not “targeting” U.S. persons. Without the protections of U.S. law, the spying is regulated only by Executive Orders–orders by the President that are not subject to substantive oversight, and can be modified at any time. It’s likely that this program falls under Executive Order 12333. EO 12333 has few limits on surveillance overseas, even if the person surveilled is a U.S. person.
CO-TRAVELER Violates the First Amendment
The CO-TRAVELER program is based on guilt by association, tracking location to determine our relationships and where we meet. The First Amendment protects our right to associate with individuals and groups without disclosing that information to the government. This is an essential right because it allows people to discuss their ideas, concerns, and feelings with others without the shadow of government surveillance. And this is not just a right recognized in the United States: the right to freely associate with individuals or groups has also been recognized in the UN Universal Declaration of Human Rights, the European Convention on Human Rights, and in countless other human rights charters.
EFF is currently representing 22 organizations from across the political spectrum who sued the NSA for violating their First Amendment right of association by illegally collecting their call records. The case, First Unitarian v. NSA, brings to light the real implications of mass surveillance–people are afraid to associate and meet based on likeminded interests.
Equally threatening to the rights guaranteed by the First Amendment are the speech-chilling effects of cell phone location tracking. Even if you use encryption online, when you meet someone in person and aren’t even on the phone, your movements may be tracked and recorded and stored. The Washington Post article reports that the NSA tracks when a cell phone has been turned off, for how long, and what nearby devices are also being used and shut off. The NSA provides further scrutiny of people who switch their phones on and off for brief periods or use throw-away phones.
Yet these security practices are common methods that journalists (or anyone else who might be privacy conscious) use to ensure security and trust when they meet with confidential sources and conduct investigations. Under this program, it is harder than ever for a journalist to guarantee a reasonable degree of privacy and security to their sources.
Privacy is an Internationally Recognized Human Right
While the NSA likes to claim it takes great care in not collecting the data of U.S. persons, the billions of people tracked by their programs have a basic human right to privacy. Right now the United Nations General Assembly is discussing a resolution that reaffirms that the human right to privacy is carried over and effective in the digital age.
EFF is part of the global movement demanding the protection of our most basic right to privacy, no matter the country or citizenship of a person. We signed on to a list of thirteen principles that a state should use to determine whether or not a surveillance program will encroach on fundamental human rights. Join us by adding your name to the global petition for privacy today.
We will continue to fight against the NSA’s unconstitutional and overbroad surveillance programs in the courts and in Congress, and advocate for deeper oversight of the NSA from all branches of government.
Related Issues: Free Speech, International Privacy Standards, Privacy, Cell Tracking, Locational Privacy, NSA Spying
Related Cases: US v. Jones, First Unitarian Church of Los Angeles v. NSA, Fifth Circuit Cell Phone Tracking Case
We deeply regret that the opinion (Dictamen) approved by the Joint Committees on Justice and on Legislative Studies, Second (Comisiones Unidas de Justicia y Estudios Legislativos Segunda) does not incorporate the human rights standards required by the Constitution and by the international treaties to which Mexico is a party. The opinion includes provisions that seriously affect the right to privacy.
In particular, we are concerned about the absence of adequate safeguards to prevent abuse of investigative techniques such as the interception of private communications and the real-time geographic location of mobile communication devices. For example, the Code does not provide for judicial control over the real-time geographic location of mobile communication devices, or over orders to preserve personal data held by private parties, which is incompatible with what the Constitution and international human rights treaties establish. This opens the door to arbitrary use of these tools, which can seriously affect the privacy and security of any person.
In this regard, the undersigned organizations have proposed that the Code be brought into line with the International Principles on the Application of Human Rights to Communications Surveillance. These principles are the result of more than a year of consultation among civil society and privacy and technology experts, and have been endorsed by more than 300 organizations and experts.
In keeping with those principles, we have proposed to the Senate of the Republic that every investigative technique involving the collection or retention of, or access to, personal data (including communications and geographic location data) should include, as in a great many democracies around the world, a series of measures that guarantee accountability in the use of these tools and thereby curb the risks of abuse. In particular, we proposed incorporating the following principles:
- Judicial Authorization: The interception of private communications, the retention of data, and the real-time geographic location of mobile communication devices must have the authorization of a federal judge, who must weigh the suitability, necessity, and proportionality of the measure. An emergency mechanism was proposed so that in certain cases the investigative act could be carried out immediately and the judicial authorization could have retroactive effect, so as not to hinder the legitimate aim of investigating crimes, while still guaranteeing accountability.
- Probable Cause: The strict necessity and proportionality of intercepting private communications must be established. To that end, it must be verified that there are data establishing a high degree of probability that the accused has committed or participated in a criminal act. While drafting the opinion, the Joint Committees removed this requirement, which had been included in their first preliminary draft.
- Notification of the Affected Person: People affected by a surveillance measure must be notified of any decision that authorizes surveillance of their communications or discloses other personal data. It was proposed that notification could be temporarily deferred to avoid jeopardizing an investigation, or where there is a risk of flight or of destruction of evidence, or an imminent risk of danger to a person's life.
- Independent Oversight: An independent oversight mechanism to guarantee transparency and accountability in communications surveillance, as exists in various countries.
- Transparency: Obligations of periodic statistical transparency, with enough breakdown and detail to understand and evaluate the scope, volume, and effectiveness of communications surveillance measures. Because this is statistical information, it in no way jeopardizes an investigation, since no specific details about it are revealed.
- Integrity and Security: The forms of cooperation imposed on public or private entities to carry out surveillance measures must not put the security and integrity of communications, systems, and networks at risk. Service providers must not be compelled to build surveillance or monitoring capability into their systems, or to collect or retain particular information purely for surveillance purposes.
Although the proposed measures represent best practices in light of international case law and practice, and in no way hinder the investigation of crimes, the Senate decided not to incorporate them into the CNPP. Moreover, no public justification was given, either in the Joint Committees or in the opinion's statement of purpose, for why our proposals were ignored. The undersigned organizations reiterate the need to amend the National Code of Criminal Procedure (Código Nacional de Procedimientos Penales) so that it incorporates the International Principles on the Application of Human Rights to Communications Surveillance and guarantees the compatibility of this instrument with the human rights obligations of the Mexican State.
Alconsumidor A.C.; ARTICLE 19, Oficina para México y Centroamérica; Asociación Mexicana de Derecho a la Información AMEDI; Colaborativo México; ContingenteMX; Centro Nacional de Comunicación Social, Cencos; FUNDAR Centro de Análisis e Investigación; Propuesta Cívica A.C.; SocialTIC; Son Tus Datos; Electronic Frontier Foundation.
Related Issues: International, State Surveillance & Human Rights
Good news! Today, the House of Representatives voted 325-91 in favor of the Innovation Act, the best troll-killing bill we've seen yet. And earlier this week the White House put out a strong statement in support of the legislation. All that's left is the Senate, which has promised to take up the issue before the end of this year.
The Innovation Act isn't perfect. It doesn't go nearly far enough to reform the demand letter problem. Its provisions protecting consumers and end-users, while present, aren't as robust as we would hope. And it dropped expanded covered business method review, a provision that would have helped ensure that the Patent Office issues fewer patents for "inventions" that aren't particularly inventive.
But the Innovation Act is nonetheless a huge step in the right direction. It gives defendants tools to fight back, makes litigation cheaper and includes an important fee-shifting provision, so companies that stand up to the trolls have a chance to recover their fees and costs at the end of litigation. It requires trolls to make their case up front by providing basic information about their patents and the supposed infringement. And it prohibits trolls from hiding behind shell companies.
Today's vote makes clear that policymakers understand that patent trolls impose an unacceptable tax on innovation and that their conduct, which often amounts to little more than run-of-the-mill extortion, must be stopped. We got here in no small part because of those of you who helped by making calls, emailing your members of Congress, and using social networks to get the word out. Thank you! And stay tuned: now we head to the Senate.
Related Issues: Patents, Patent Trolls
Privacy is due for an upgrade. Today, the Electronic Frontier Foundation joins a nationwide day of action calling for reform of the Electronic Communications Privacy Act (ECPA), the 1986 law used by the government to access your online documents, messages, and emails stored in the cloud without a warrant.
ECPA is sorely outdated. It was enacted before web-based email became ubiquitous and “the cloud” meant only airborne water vapor. The law purports to allow for any opened emails or unopened emails left on a server for more than 180 days to be treated like abandoned property. Although the courts disagree, some agencies believe that ECPA allows law enforcement to access stored content with a mere subpoena. That interpretation created a senseless distinction—law enforcement was required to meet a much lower standard to access your saved webmail than the warrant standard that would be required if the same emails were printed and stored in your file cabinet. ECPA should not be used to bypass 4th Amendment protections that cover our personal email accounts, our social media messages, or anything else using cloud storage.
In the midst of the global outrage sparked by the 2013 revelations of warrantless NSA surveillance, we've also learned that the National Security Agency actively collaborates with the FBI and other government agencies to access private emails and Internet data stored by U.S. companies. Even if we are successful in reining in the NSA's overly broad and unconstitutional surveillance, without ECPA reform other government agencies could still claim the legal authority to continue the massive collection of millions of innocent people's personal communications and data without due process.
Bills to reform ECPA have gained huge bipartisan support. Earlier in the year, the Senate Judiciary Committee voted unanimously to update our outdated electronic privacy law. And now, a similar bill is being debated in the House. The problem is that government agencies like the Securities and Exchange Commission are asking for a special carve out permitting the agency to access email and data stored by Internet service providers without a warrant. This exception, if granted, would completely undermine meaningful, and much needed, ECPA reform.
EFF is a member of the Digital Due Process coalition, a collection of tech companies, start-ups, privacy advocates, and think tanks working to update ECPA to ensure that laws continue to protect the rights of users as technologies advance and usage patterns evolve. Today, please join us in demanding long-overdue updates to our archaic electronic privacy laws.
2. You can send an email to your representatives in Congress using the EFF action center: Don't Let Privacy Law Get Stuck in 1986: Demand a Digital Upgrade to the Electronic Communications Privacy Act
Related Cases: Warshak v. United States, US v. Jones
In the next few days, the United Nations General Assembly will vote on a draft resolution reaffirming the right to privacy in the digital age.
The draft resolution passed out of the UN Third Committee last week with the strong support of 50 Member States. Now that it's facing all 193 members of the United Nations General Assembly, it's time for you to tell world leaders that #privacyisaright. Take action and sign the 13 Principles to end the vast collection of data of innocent individuals at home and abroad.
Though the current draft resolution has seen a few changes over the last few weeks as it went through the amendment process, it remains a strong statement that will help in the fight to reassert the digital privacy rights of citizens around the world.
Critically, the draft resolution reaffirms a core principle of international human rights law: states cannot ignore their human rights obligations simply because their surveillance activities occur outside of their borders. The draft resolution, if adopted, will make it harder for the US and its Five Eyes allies to claim that their human rights obligations stop at their borders in an effort to justify their mass surveillance activities. As we have previously said, "Just as modern surveillance transcends borders, so must privacy protections."
Tell the world leaders: end mass surveillance at home and abroad. Sign the 13 Principles now.