News Update
New "Smart Meters" for Energy Use Put Privacy at Risk
News Update by Lee Tien
The ebb and flow of gas and electricity into your home contains surprisingly detailed information about your daily life. Energy usage data, measured moment by moment, allows the reconstruction of a household's activities: when people wake up, when they come home, when they go on vacation, and maybe even when they take a hot bath.
California's PG&E is currently in the process of installing "smart meters" that will collect this moment by moment data—750 to 3000 data points per month per household—for every energy customer in the state. These meters are aimed at helping consumers monitor and control their energy usage, but right now, the program lacks critical privacy protections.
That's why EFF and other privacy groups filed comments with the California Public Utilities Commission Tuesday, asking for the adoption of strong rules to protect the privacy and security of customers' energy-usage information. Without strong protections, this information can and will be repurposed by interested parties. It's not hard to imagine a divorce lawyer subpoenaing this information, an insurance company interpreting the data in a way that allows it to penalize customers, or criminals intercepting the information to plan a burglary. Marketing companies will also desperately want to access this data to get intimate new insights into your family's day-to-day routine–not to mention the government, which wants to mine the data for law enforcement and other purposes.
This isn't just a California issue. Many threats to the privacy of the home—where our privacy rights should be strongest—were detailed in a 2009 report for the Colorado Public Utility Commission. The federal government has been promoting the smart grid as part of its economic stimulus package, and last year, EFF and other groups warned the National Institute of Standards and Technology about the privacy and security issues at stake. For example, security researchers worry that today’s smart meters and their communications networks are vulnerable to a variety of attacks. There are also questions of reliability, as PG&E faces criticism from California customers who have seen bills skyrocket after the installation of the new "smart meters." Unsurprisingly, California legislators are questioning the rapid rollout. Texas customers are also complaining.
There are far more questions than answers when it comes to this new technology. While it's potentially beneficial, it could also usher in new intrusions into our home and private life. The states and the federal government should ensure that energy customers get the protection they deserve.
Federal Intellectual Property Enforcement Gears Up
News Update by Richard Esguerra
The Obama Administration has been slowly ramping up its attention to intellectual property issues. Over the past few months, we've seen an IP "summit" at the White House. We've seen the successful nomination of a new cabinet-level "IP Czar" position. We've seen the announcement of a new DOJ task force for IP issues. What does it all portend?
Unfortunately, many signs suggest that the administration is paying far more attention to the interests of the entertainment industry than to the public good. At the same time, there are a few positive efforts and indications, so we're holding out hope that things could improve.
The first bad omen came last December, when Vice President Biden invited the RIAA, MPAA and other representatives of the mainstream entertainment industry to a closed-door "Piracy Summit" at the White House. Although Biden's office sold the summit as "bringing together all the stakeholders" in the piracy debate, it failed to invite a single representative of the public interest or the technology industry.
One outcome previewed at the summit was the formation of a new Department of Justice "Intellectual Property Task Force", which was formally announced in February. Unfortunately, the Department of Justice already has a history of coming down disproportionately hard on victims of the copyright conflict. And while the task force's announcement stressed that IP crime "threatens not only our public safety but also our economic wellbeing," it didn't even pay lip-service to the harms to privacy, free speech, and innovation in the industry's long war on piracy.
Later in February, the government's new IP Enforcement Coordinator (IPEC), Victoria Espinel, announced that "the Federal Government is currently undertaking a landmark effort to develop an intellectual property enforcement strategy" and asked for public input into what this strategy should look like. A major component of the request seeks information about "the costs to the U.S. economy resulting from intellectual property violations," which in the past has mainly been expressed through skewed, erroneous accounts of the supposed effects of piracy from entertainment industry lobbyists. However, the IPEC is also demanding an unprecedented level of rigor from these studies:
Submissions directed to the economic costs of violations of intellectual property rights must clearly identify the methodology used in calculating the estimated costs and any critical assumptions relied upon, identify the source of the data on which the cost estimates are based, and provide a copy of or a citation to each such source. [Emphasis mine.]
Since some of these poorly executed studies have appeared to successfully persuade members of Congress to change copyright law only in ways that favor the entertainment industry, it's refreshing to see the IPEC pushing for greater validity. To that end, we look forward to seeing the Obama Administration publicly debunk the empty rhetoric that circulates around questions of unauthorized file sharing and its economic effects.
There are other bright points. Late last year, the Administration supported looser international copyright protections for reading materials for the blind. Limitations and exceptions to copyright are a critical "safety valve" in copyright that helps preserve free expression, access to knowledge, and other human rights, and we hope to see them defended by the Administration in other contexts as well.
While IP enforcement appears to have center stage, there are other double-standards and unintended consequences in copyright and trademark law, all of which could benefit from some attention from the White House. The orphan works conundrum remains unsolved. Copyright term and licensing issues stymie creators and archivists. The anti-circumvention provisions of the DMCA still obstruct innovators.
But will the Obama Administration and Congress choose to face these tough, important issues? At the next IP summit, will advocates for questions like these have a seat at the table? Or will the public interest side of intellectual property law and policy continue to languish unaddressed? Time will tell.
Epic Fail in Congress: USA PATRIOT Act Renewed Without Any New Civil Liberties Protections
News Update by Kevin Bankston
Yesterday evening, the U.S. House of Representatives voted overwhelmingly to renew three expiring provisions of the USA PATRIOT Act, after the Senate abandoned the PATRIOT reform effort and approved the extension by a voice vote on Wednesday night.
Disappointingly, the government's dangerously broad authority to conduct roving wiretaps of unspecified or "John Doe" targets, to secretly wiretap persons without any connection to terrorists or spies under the so-called "lone wolf" provision, and to secretly access a wide range of private business records without warrants under PATRIOT Section 215 were all renewed without any new checks and balances to prevent abuse. Despite months of vigorous debate, when PATRIOT renewal bills providing for greater oversight and accountability were approved by the Judiciary Committees of both the House and the Senate, Democratic leaders' push for reform fizzled in the face of staunch Republican opposition buoyed by recent hot-button events such as the attempted bombing of an airliner on Christmas Day and the shooting at Fort Hood.
The renewed PATRIOT provisions were originally set to expire on December 31, 2009, but Congress ran out of time last year and temporarily extended them until February 28th, this coming Sunday. The new extension is expected to be signed by the President before then.
The one silver lining? Despite a push by Republican leaders for a four-year extension, the renewed provisions are now set to expire in one year. So, although this battle's been lost, the effort to roll back PATRIOT's worst excesses is far from over. Thank you to everyone who took action to support PATRIOT reform this past year; we hope that you'll continue the fight with us in the next year.
Pentagon Discloses Hundreds of Reports of Possibly Illegal Intelligence Activities
News Update by Nate Cardozo
The Department of Defense has released more than 800 heavily-redacted pages of intelligence oversight reports, detailing activities that its Inspector General has “reason to believe are unlawful.” The reports are the latest in an ongoing document release by more than a half-dozen intelligence agencies in response to a Freedom of Information Act (FOIA) lawsuit filed by EFF in July 2009.
The reports, submitted to the Intelligence Oversight Board (IOB) by various Department of Defense components, cover the period from 2001 through 2008. The IOB’s role within the Executive Office of the President is to ensure that each component of the intelligence community works within the Constitution and all applicable laws. As such, the Inspector General of each intelligence agency is required to submit periodic reports to the IOB, which in turn is required to forward to the Attorney General any report identifying an intelligence activity that violates the law. Intelligence oversight reporting is rarely disclosed to the public.
This new release, from various Defense components including the Army and the Joint Chiefs of Staff, comes in four parts, see here. Much of the reported improper activity consisted of intelligence gathering on so-called “U.S. Persons,” including citizens, permanent residents and U.S.-based organizations. Although Defense agencies are generally prohibited from collecting such information (except as part of foreign intelligence or counter-intelligence activity), it is apparent from the unredacted reports released to EFF that some DoD components have had chronic difficulty complying with that prohibition.
Some specific items of interest include:
- Pg 98: A report that the Joint Forces Command, working with the FBI, improperly collected and disseminated intelligence on Planned Parenthood and a white supremacist group called the National Alliance, as part of preparations for the 2002 Olympics.
- Pg 122-137: A NORAD intelligence briefing improperly included intelligence on an anti-war group called Alaskans for Peace and Justice in 2005.
- Pg 257-258: A 2006 report that NORAD had procedural problems relating to collecting information on U.S. Persons.
- Pg 53-54: A report from 2003 of a closed investigation into prisoner abuse at Abu Ghraib and other sites in Iraq.
- Pg 60: A report from 2006 of improper intelligence (in the TALON program) on an anti-recruiting group.
- Pg 112: A report from 2007 of an Army Reserve officer routinely collecting data on U.S. Persons exercising their free speech rights.
- Pg 19: A 2008 report that Army Signals Intelligence in Louisiana intercepted civilian cell phone conversations.
- Pg 65: A 2008 report that Army Cyber Counterintelligence officers attended the Black Hat hacker conference without disclosing their Army affiliation and without prior authorization to do so.
- Pg 173: A report that the Air Force Office of Special Investigations (AFOSI) set up a “honey pot” computer system to identify foreign threats in May 2006. In October 2007, AFOSI realized that the honey pot system might have been in violation of a sealed Foreign Intelligence Surveillance Court (FISC) order that required a Foreign Intelligence Surveillance Act (FISA) warrant for such activity. AFOSI was not privy to the FISC order and only knew of it from public media reporting. The operation was suspended. Amazingly, when the Air Force asked the Justice Department to see the FISC order at issue, DOJ’s National Security Division denied the Air Force’s request.
According to the release schedule ordered by a federal judge last December, we expect to receive additional IOB reports from the CIA, National Security Agency, the Office of the Director of National Intelligence and the Department of Defense later this month. We will post the documents to our website as we receive them.
Google Buzz Privacy Update
News Update by Kurt Opsahl
Over the weekend, Google announced significant changes to its new social networking service, Buzz. Responding to criticism (including EFF's), Google moved away from the system in which Buzz automatically sets you up to follow the people you email and chat with most. Instead, Google has adopted an auto-suggest model, in which you are shown the friend list with an option to de-select people before publishing the list. While a full opt-in model would be less likely to result in inadvertent disclosures of private information, this is a significant step forward.
In addition, Google said it would show current Buzz users the setup process again, giving a second chance to review and confirm the follower list "over the next couple weeks." We recommend that all current Buzz users immediately turn off the public list, and review their friend list before making it public again. (Instructions)
Google will also stop automatically connecting Picasa Web Albums and Google Reader shared items, and allow users to hide Buzz from Gmail or disable it completely.
These problems arose because Google attempted to overcome its market disadvantage in competing with Twitter and Facebook by making a secondary use of your information. Google leveraged information gathered in a popular service (Gmail) with a new service (Buzz), and set a default to sharing your email contacts to maximize uptake of the service. In the process, the privacy of Google users was overlooked and ultimately compromised.
Though Google responded quickly to these privacy concerns, they never should have happened in the first place. While Buzz previously had a lot of these privacy options available, the user interface failed to provide users with the setting users had reasonably expected. Google should follow fair information practices and make secondary uses of information only with clear, unequivocal user consent and control.
Part of the problem may have stemmed from Google's testing process. The BBC reports that Google only tested Buzz internally with its employees, omitting "extensive trials with external testers - used for many other Google services." Google employees are sophisticated power-users who will meticulously review the available settings. However, a good user interface for privacy must work for all users, and match the default settings with the expectations of the users. Only through broad based testing can Google be sure that users are giving informed consent.
Next week Google will face a federal judge and ask for approval of the Google Books settlement. EFF has raised privacy concerns, including the possibility that Google might make secondary uses of the Books information. Buzz's disastrous product launch highlights the danger posed by this possibility, and showcases the need for firm enforceable commitments to protecting user privacy.
Reports are coming in of additional privacy issues.
The Register reports that "Google Buzz is susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located." While a security blog now reports this was fixed, Google should conduct a thorough security review to ensure that no other problems persist.
PC World notes that Google's "vanity URL" functionality presents users with an unfortunate choice: Either expose your email address to the general public, or host your profile at a monstrously long numeric URL. Google ought to provide a third, middle-of-the-road option by allowing users to select a simple and memorable URL which is not based on their email address.
Hello Streisand Effect: Takedown Hall of Shame Grows by Four
News Update by Richard Esguerra
(The Streisand Effect describes the phenomenon by which an attempt to suppress information results in faster, broader dissemination of that information. Roughly explained, attempted censorship -- particularly by a famous or well-known entity -- can flag the information as more interesting.)
Last October, we launched the Takedown Hall of Shame to highlight the most egregious attempts to silence speech online with bogus intellectual property complaints. Today, we’re inducting four more would-be censors into the pantheon of speech bullies. They are:
- Peabody Energy, for issuing outstandingly spurious trademark claims against a spoof site criticizing their "clean coal" group;
- Yahoo, for an impressive attempt to return a cat to the bag after a leak of its guide to snooping services for law enforcement was posted to a whistleblower site;
- Perez Hilton and the Miss Universe Organization for endeavoring to stop a non-profit from airing an ad commenting on a public same-sex marriage controversy initiated by their videos; and
- Universal Music Group, for attempting to muzzle online criticism of the rapper Akon.
The antidote for speech you disagree with is more speech -- not overreaching legal threats. Hopefully, we'll see companies exercise more discretion and transparency when dealing with speech they dislike, instead of reaching for the nearest blunt legal instruments.
EFF Helps Blogger Subpoenaed by TSA, TSA Backs Down
News Update by Cindy Cohn
On December 31, 2009, the Transportation Security Administration backed off on an ill-considered administrative subpoena it issued to transportation industry blogger Christopher Elliott. EFF assisted Mr. Elliott in responding to the subpoena.
The subpoena was hand-delivered to Mr. Elliott by a TSA representative on the evening of December 29, 2009. It sought all documents "concerning your receipt of TSA Security Directive 1544-09-06 dated December 25, 2009." The much-criticized directive had been given to hundreds of employees of TSA and the airlines and described some of the passenger-related security measures put into place in the immediate aftermath of the unsuccessful attempted bombing of a Northwest Airlines flight on December 25, 2009. The directive expired on December 30, 2009. Mr. Elliott obtained it in the course of his coverage of the situation and had sought TSA comment before publishing. The subpoena demanded all documents by the close of business on December 31, 2009, just two days after the agent delivered it.
Mr. Elliott’s counsel Anthony Elia, assisted by EFF and others, responded to TSA by objecting to the subpoena both on the grounds that it did not provide a reasonable time for Mr. Elliott to respond and because it improperly sought to require a journalist to reveal his sources and materials. Upon receipt of the objection, TSA first granted an extension to Mr. Elliott, then withdrew the subpoena entirely.
TSA also withdrew a similar subpoena it had issued to blogger Steve Frischling, but reportedly not until after the agents improperly threatened Mr. Frischling’s job and pressured him into giving them his computer, which they then apparently damaged. The facts of what occurred to Mr. Frischling are deeply troubling.
TSA should have known better than to use its civil administrative subpoena power to try to force these reporters to divulge their sources. This incident reinforces the need for a federal reporter shield law that fully embraces the new era of blogs, tweets and other nontraditional journalism tools. Nonetheless, we’re pleased that cooler heads prevailed at TSA this time.
Good News from WIPO: U.S. Delegation Supports Visually Impaired Citizens
News Update by Gwen Hinze
This week the World Intellectual Property Organization's Standing Committee on Copyright and Related Rights is meeting in Geneva to discuss a proposed treaty intended to increase access to books and other information in formats accessible to the world's blind, visually impaired and print disabled citizens.
There's a chronic shortage of accessible format material across the world. In the U.S. it's estimated that only 5% of published works are available in formats accessible to visually impaired persons. In the U.K. it's 4% and in India it's 0.5%. The treaty is intended to address two things that have led to this situation: first, the lack of exceptions in countries' national copyright laws that would permit creation of accessible format copies of works for the visually impaired without having to seek prior permission from copyright owners; second, uncertainty about the legality of importing and exporting accessible format material created under a national exception or special licence in one country for use by visually impaired citizens in another country. This is an international problem in need of a global solution. As a 1985 report which considered these issues recommended, an international instrument is needed to facilitate the creation and distribution of accessible format material across borders. It requires an international solution.
This afternoon, in a thoughtful and clear statement, the U.S. delegation to WIPO acknowledged the concerns of the visually impaired community and suggested how the international copyright community should proceed in addressing the needs of those with print disabilities.
Key excerpts are below, but the statement is worth reading in its entirety. It is refreshing to see such an influential voice at WIPO come out in support of a balanced system of international copyright law that serves the needs of all the world's citizens.
Our commitment to reaching an international consensus on copyright exceptions for persons with print disabilities
First, the United States believes that the time has come for WIPO Members to work toward some form of international consensus on basic, necessary limitations and exceptions in copyright law for persons with print disabilities. This international consensus could take multiple forms, including a model law endorsed by the SCCR, a detailed Joint Recommendation to be adopted by the WIPO General Assemblies, and/or a multilateral treaty. The United States is open to discussing and exploring all these options.
...
The United States believes that the initial most productive course of action may be a work program that begins with a series of serious, focused consultations aimed at producing a carefully-crafted Joint Recommendation of the Berne Assembly and the WIPO General Assembly. We further believe this initial Joint Recommendation could be a step toward the development of a treaty establishing basic copyright limitations and exceptions for persons with print disabilities.
The first goal of international consensus in this area
In our consultations and review it has become clear to us that the most pressing problem — the one identified repeatedly by experts — is the cross-border distribution of special format materials made for persons with print disabilities, whether these special format materials are made under copyright exceptions in national law or special licensing arrangements. Therefore, the United States believes that our first goal should be to reach international consensus on the free exportation and importation of special format materials for persons with print disabilities in all countries.
...
Further international consensus on basic exceptions for print disabilities
The United States is also prepared to participate in a WIPO work program to establish further international consensus on specific exceptions and limitations for persons with print disabilities that should be part of national copyright laws.
...
A balanced system of international copyright law
We recognize that some in the international copyright community believe that any international consensus on substantive limitations and exceptions to copyright law would weaken international copyright law. The United States does not share that point of view. The United States is committed to both better exceptions in copyright law and better enforcement of copyright law. Indeed, as we work with countries to establish consensus on proper, basic exceptions within copyright law, we will ask countries to work with us to improve the enforcement of copyright. This is part and parcel of a balanced international system of intellectual property.
Real ID Follies Continue with PASS ID Waiting in the Wings
News Update by Richard Esguerra
As 2009 draws to a close, we're inching ever deeper into the corner that Congress painted us into by passing Real ID under the table in 2005. (Recall that Real ID is the failed, Bush-era attempt to turn state drivers licenses into national ID cards by forcing states to collect and store licensee data in databases, and refusing to accept non-compliant IDs for federal purposes, like boarding a plane or entering a federal building.)
The official deadline for states to comply with the Department of Homeland Security's (DHS) final Real ID rule is December 31, 2009, and an estimated 36 states will not be in compliance by then, leading to some ambiguity for many citizens. For example, will residents of Montana be able to board planes in January 2010 with only a driver’s license (a state-supplied, technically non-compliant document) and without a passport (an identity document issued by the federal government)?
Past history strongly suggests that DHS will issue last-minute waivers to states that have not amped up their drivers licenses to adhere to Real ID. Early in 2008, states that actively opposed Real ID received waivers from DHS, nominally marking the states as "compliant" despite strongly-stated opposition to ever implementing Real ID.
But waiting in the wings is PASS ID, a bill that attempts to grease the wheels by offering money to the states to implement ID changes. Despite having the appearances of reform, PASS ID essentially echoes Real ID in threatening citizens' personal privacy without actually justifying its impact on improving security. For this reason, PASS ID is not popular -- privacy advocates refuse to support the bill because it still creates a national ID system. It still mandates the scanning and storage of applicants' critical identity documents (birth certificates, visas, etc.), which will be stored in databases that will become leaky honeypots of sensitive personal data -- prime targets for malicious identity thieves or otherwise accessible by individuals authorized to obtain documents from the database. And on the other side, short-sighted surveillance hawks are unhappy with the bill because they support the privacy violations architected into the provisions of the original Real ID Act.
As such, advocates of PASS ID are publicly wringing their hands over the deadline in order to encourage Congress to approve the PASS ID Act before the end of the year. But the fracas over health reform is suffocating any chance for meaningful debate about the merits of PASS ID before the Dec. 31st deadline.
A pragmatic analysis should show that Real ID is dead. To date, 24 states have enacted resolutions or binding legislation prohibiting participation in Real ID, and the varied, desperate efforts to reanimate it are misguided. Whether the states or the federal government signs the invoice, the cost ultimately falls to taxpayers, who should be troubled that neither Real ID nor PASS ID is likely to fulfill the stated goal of stopping terrorists from obtaining identity documents. (Just this week, noted security expert Bruce Schneier linked to a report about government investigators successfully using fake identity documents to obtain high-tech "e-passports," which were then used to buy plane tickets, and board flights -- the point being that a fancy, "secure" identity document doesn't stop individuals from exploiting a weak bureaucracy.)
On the other hand, the resulting databases filled with scanned identity documents will create tantalizing targets for identity thieves and headaches for people whose digital documents are pilfered; and a national ID system will invite mission creep from the government as well as private entities like credit reporting agencies and advertisers. It's high time for reason to replace the reflexive defense of a failed scheme. Congress should repeal Real ID for real and seek more inspired, protective solutions to identity document security.
Google CEO Eric Schmidt Dismisses the Importance of Privacy
News Update by Richard Esguerra
Yesterday, the web was buzzing with commentary about Google CEO Eric Schmidt's dangerous, dismissive response to concerns about search engine users' privacy. When asked during an interview for CNBC's recent "Inside the Mind of Google" special about whether users should be sharing information with Google as if it were a "trusted friend," Schmidt responded, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
Unfortunately, Schmidt's statement makes it seem as if Google, a company that claims to care about privacy, is not even concerned enough to understand basic lessons about privacy and why it's important on so many levels -- from protection against shallow embarrassments to the preservation of freedom and human rights. In response to Schmidt, security researcher Bruce Schneier referenced an eloquent piece he wrote in 2006 that makes the case that "[p]rivacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect." Schneier writes:
For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.
Gawker was quick to point out the personal hypocrisy of Schmidt's dismissive stance, noting that for about a year, Schmidt blacklisted CNET reporters from Google after the tech news company published an article with information about his salary, neighborhood, hobbies, and political donations -- all obtained from Google searches. Techdirt noted additionally that Schmidt's statement is painfully similar to the tired adage of pro-surveillance advocates who incorrectly presume that privacy's only function is to obscure lawbreaking: "If you've done nothing wrong, you've got nothing to worry about."
In a talk about privacy given to the American Library Association, EFF Fellow Cory Doctorow highlights the error in logic that leads to short-sighted conceptions of privacy like Schmidt's:
We have an unfortunate tendency to conflate personal and private with secret and we say, "Well, given that this information isn't a secret, given that it's known by other people, how can you say that it's private?" And we can in fact say that there are a lot of things that are [not] in secret that are in private. Every one of us does something private and not secret when we go to the bathroom. Every one of us has parents who did at least one private thing that's not a secret, otherwise we wouldn't be here.
So this decision — this determination — over when and under what circumstances your personal information is divulged tracks very closely to how free and how much power you have in a society. When you look at really stratified societies, particularly the great totalitarian empires of the last century, the further up the ladder you go, the more raw power you wield, the more raw power you have over this disclosure of your personal information. And the further down the ladder you go, the less power you have.
The understanding that privacy is a key liberty informs EFF's many privacy efforts, including to improve search engine practices and policies, uncover details about snooping on social networking sites, tighten up laws around behavioral tracking online, argue for better reader privacy, and more. Google, governments, and technologists need to understand more broadly that ignoring privacy protections in the innovations we incorporate into our lives not only invites invasions of our personal space and comfort, but opens the door to future abuses of power.
