DeepLinks Archives, May 2008
Noteworthy news from around the internet.
Global minilinks for 2008-05-10
Posted by Danny O'Brien
- Press Freedom in the Arab World Goes Online
An overview of the effect of the Net on freedom of speech in the Middle East. "The internet has been a godsend for freedom of expression in the Arab world," says the Egyptian-American syndicated columnist Mona Eltahawy.
- Google Grilled on Human Rights
"We've seen little more than talk and defensiveness from Google since the problems emerged", says an Amnesty International member proposing a shareholder vote on Google's behaviour in China.
- Vigils, Fundraising for Malaysia's Jailed Blogger
Where almost every politician has a blog, citizen blogger Raja Petra remains under arrest for sedition. Petra's readers have already raised more money than is needed to pay his fine.
- MEPs Want More IP for Sports
Sports teams and companies lobby the European Parliament to expand IP rights to cover more of sports.
- CCTV Has Failed to Cut Crime in the UK
Surveillance camera footage used in less than 3% of cases.
- Privacy Competition for the Commonwealth
The Privacy Commissioners of Australia, Hong Kong, New Zealand, Canada, the Northern Territory, New South Wales and Victoria launch a $3000 competition about privacy for high school students.
- UK Starts Forcing Keys From Suspects
The first cases under RIPA, where the police can compel individuals to disclose passwords or private keys.
- Freedom for Fouad Al Farhan
Egypt's prominent imprisoned blogger is freed, after months of online campaigning.
- Google Changes Trademark Ad Policy in UK to Match US
Allows European companies to advertise on keywords connected to a competitor's brand.
- Cuba Lifts Ban on Home Computers
Internet access still forbidden.
The Struggles of France's Three Strikes Law
Posted by Danny O'Brien
As 2008 began, the international music industry was proudly predicting the dawning of a new age of co-operation between rightsholders, Internet companies and governments. The dynamic new President of France, Nicolas Sarkozy, together with Denis Olivennes, the head of France's largest consumer electronics and media retailer, had announced a new policy of "graduated response" for the French Net. Users accused of repeated copyright infringement online would be first warned, then suspended from the online world, and finally banned for a year if they did not toe the line. Music industry representatives heralded it as a model that should be imitated across the globe: in IFPI's 2008 report, its CEO John Kennedy said this was the year that "ISP responsibility" for protecting the music industry "becomes a reality".
Six months on from the original Olivennes report, with growing objections across Europe, collapsing support for Sarkozy's administration at home, and still no "three strikes" law on any statute books, the entertainment industry is getting a little antsy. Last week, the French RIAA, le Syndicat national de l'édition phonographique (SNEP), announced a deadline to Sarkozy's ministers. Hervé Rony, SNEP spokesman, said "it would not be acceptable" for the three strikes law to miss the French Parliament's Summer schedule.
It looks like SNEP's demands are not going to be met. Before the "Loi Olivennes" can even reach parliament, it has to be examined by the French Conseil d'Etat, the senior jurists that advise the French executive and act as France's supreme court.
They are not rushing their analysis. Just why might be gleaned from the leaked copy of the law sent to them for consideration (provided by Squaring the Net in French). Even after being moderated from earlier drafts, the document still describes a stunning shift in judicial and enforcement powers, both offline and on.
After explaining exactly why drastic measures are necessary (to "prevent the hemorrhaging of cultural works on the Internet") 1 the document outlines a powerful new government body, the High Authority for the Distribution of Works and the Protection of Rights on the Internet (La Haute Autorité pour la diffusion des œuvres et la protection des droits sur Internet, or HADOPI).
As judge, jury, and executioner of "three strikes", HADOPI is born with wide-ranging powers over all French Internet users. The High Authority acts on reports of suspected infringement from rightsholder groups. Based on those accusations alone it can contact, warn, suspend and finally deny Net service to any French citizen. The High Authority has the right to obtain and peruse a year's worth of personal records from ISPs in the pursuit of its targets. It can order ISPs to include new filtering systems into their infrastructure, and can fine them up to 5,000 euros if they provide Net service to anyone placed on the Authority's national Internet blacklist.
French Net users do not only have a new Authority sitting in judgment over them: the Loi Olivennes also requires them to police their own networks for the benefit of rightsholders. They will have an obligation to oversee their own network for Internet copyright infringement, and are liable for any infractions, even by strangers. Your only defense against the HADOPI guillotine is if you install on your home network one of their recommended "security devices". It's unclear what these may be: at minimum, it will be software to lock down your network shared drives, and ensure you never open your Wi-Fi again. The stage is set, though, for the government to recommend for home use the fingerprinting and monitoring systems that the copyright cartels are trying to push on YouTube and the phone companies. (And if you think such spyware at home is unlikely, remember that NBC recently pressured Microsoft to include such filters on your MP3 player).
If HADOPI's powers to cut users off, create government-required spyware at the ISP and home level, and pry into the private records of ordinary French citizens at the behest of a few music and movie companies seem draconian, you're not alone. This week, the French Internet trade group ASIC, which includes AOL, Yahoo, Google, Wikipedia, MySpace and others, wrote to the Ministry to complain about the disproportionality and injustices in the HADOPI procedure.
The beleaguered Sarkozy administration (the President's support is now at 28%) is facing a great deal of criticism on many policy fronts, is looking at a packed legislative agenda for the Summer, and needs to divert executive resources for the upcoming French presidency of the EU. The last thing it wants to do now is to attempt to rush through a proposal that is deeply unpopular with both the public and business for the benefit of a single industry.
Three strikes is still on the agenda, both at the Élysée and in the recording industry's talking points. But its continuing rough ride through the French political system should stand as a warning to any other nation seriously considering it as a policy.
- 1. And, incidentally, misleads the Conseil d'Etat as to how widely the Olivennes proposal is being imitated elsewhere. The document claims that Canada is considering "three strikes", and that the United States has already implemented a similar solution as "a result of agreements between ISPs and rightsholders". Neither is true.
Knitwit BBC Goes After Dr Who Fans
Posted by Danny O'Brien
Here's a fascinating UK legal analysis of an incident we see occurring all over the world: an over-eager rightsholder undermining Internet goodwill by pursuing their own fans for supposed IP infringements.
Andre Guadamuz is a lecturer at the Edinburgh University school of law, and organizes the fantastic British conference on "geek law", Gikii. He was recently put in contact by the Open Rights Group with Mazzmatazz, a Dr Who fansite which posts knitting patterns of the current batch of Dr Who monsters, including those obedient servants of man, the Ood (see above).
BBC Worldwide, the commercial wing of the public service BBC, sent the site a demand to remove "any designs connected with DR WHO" -- even though the site was offering them free to anyone who wants to knit their own loveable Who-related terrors.
Guadamuz covers the legal ground, and suggests that, like many rightsholders, the BBC has less power to stop fans from creating their own transformative works than they might think. Sadly, that's not enough to save the woolly Ood designs which were taken down out of concern for just the threat of legal action.
As Guadamuz notes, the BBC and Dr Who production staff should know better than to pursue a campaign of online threats against their own fans. These are the people that kept the BBC's now-lucrative Who franchise going during years of neglect by its owners; these are the people who actively promote the current series; and, in the UK at least, these are the people who pay the bulk of BBC's salaries.
Like Dr Who's Ood, fans are happy to serve their favorite franchises when treated well. But if the BBC starts treating them like this, they can all too easily rise up and attack the very brand value the BBC is overzealously seeking to protect.
House Passes Controversial PRO IP Act
Posted by Richard Esguerra
Today, the House passed the controversial PRO IP Act (H.R. 4279) 410 to 11, with 12 representatives not voting.
While Public Knowledge and other groups successfully persuaded the House to remove the most damaging provision in the bill (seemingly written solely to increase damages in the RIAA's file-sharing lawsuit campaign), the bill would nonetheless significantly expand federal enforcement of copyright law.
The most outrageous provisions would create new and unnecessary federal bureaucracies devoted to intellectual property enforcement. None seems more ridiculous than language creating a Cabinet-level "IP enforcement czar" that would report to the President and coordinate enforcement efforts across government, a proposal that has been loudly opposed by the Department of Justice. Why is Congress spending our tax dollars on a new layer of officialdom that the cops themselves don't want or need?
Moreover, the bill also includes provisions -- such as expanded forfeiture penalties and language "clarifying" that copyright registration is not required for criminal enforcement of the copyright -- that could be read to open the door to increased prosecution against individuals or innovators as well as large-scale commercial pirates.
The Senate has yet to introduce a companion bill, although some IP enforcement proposals in the Senate may serve as a basis for a bill. Stay tuned for more information should a bill turn up.
But there is a bright spot on the horizon -- Congress is finally revisiting important "orphan works" legislation that could expand the ability of technology users, archivists and libraries to store and exhibit works whose owners can't be found.
Ominous Signs of a Forthcoming "Compromise" on Telco Immunity - Tell the House To Stand Firm
Posted by Kevin Bankston
This morning, CongressDaily reported that Senator Jay Rockefeller is now privately circulating a new "compromise" proposal on surveillance legislation, only a day after it was reported that the telecoms themselves have begun shopping their own "compromise" proposals around the Hill. You may remember Sen. Rockefeller as the force behind the surveillance bill passed by the Senate in February, which included blanket retroactive immunity for phone companies like AT&T that are alleged to have participated in the National Security Agency's illegal warrantless wiretapping program.
Although the details of the Rockefeller proposal are still unclear, indications are that the so-called "compromise" on telco immunity may well be nearly identical to the original Senate immunity provision, with only a few cosmetic changes.
Time may be running out. Key House Democrats are continuing to voice their hope that a final compromise may be reached in the next couple of weeks. For example, the ominous message from House Intelligence Chairman Silvestre Reyes in today's report was that "I think we've got 90 percent of it done...I think there's a compromise position" that could solidify before the Memorial Day recess.
Unless citizens stand up and make their voices heard now, there appears to be a very serious threat that the House could soon succumb to the President's relentless demands for immunity to cover up his illegal spying program and throw Americans out of court. The phone companies still have a massive lobbying effort and deceptive fearmongering advertising campaign on their side — the only things on the side of civil liberties and the rule of law are public opinion and your voice.
A New Look at the Hub of AT&T's Spying Program
Posted by Rebecca Jeschke
Our class action lawsuit against AT&T for collaborating with the National Security Agency in the massive, illegal program to wiretap and data-mine Americans' communications includes powerful evidence of a secret room in San Francisco.
But the hub of the spying program may be just outside of St. Louis, in a Missouri town called Bridgeton. A special report from local station KMOV puts the pieces together in a comprehensive and disturbing story about this dragnet surveillance, with the help of AT&T whistleblower Mark Klein. Watch the video on the KMOV site for a fresh look at a key piece of this spying puzzle.
EFF Answers Your Questions About Border Searches
Posted by Jennifer Granick
Readers of my deeplink on safeguarding your laptop and digital devices from warrantless searches at the border responded with both questions and answers. Some readers wondered whether you have an obligation not to destroy information on your laptop. Others pointed out that U.S. citizens may be detained, but not turned away, at the U.S. border. Many technologists wrote to offer cryptographic solutions, or warnings about encryption schemes that are not as secure as they should be. In this post, I answer the question about destruction of information and reproduce or summarize, with permission, others' suggestions about protecting your laptop from arbitrary searches. I haven't done any independent analysis of these techniques or tools, so your mileage may vary.
- Duty to delete? A complete discussion of the federal law of destruction of evidence, and of state law on the topic, is beyond the scope of this post (see here for a textbook on the subject). However, individuals who are not anticipating being sued and who do not know they are under criminal investigation generally have no obligation to preserve information on their laptops. If you have notice of an impending civil suit or government investigation, then you are obligated to preserve relevant material. Failure to preserve evidence for a civil suit can result in any of the potential sanctions for discovery violations, including fines and adverse jury instructions. Under federal criminal law, knowing destruction of evidence relevant to a pending judicial proceeding or administrative investigation can be punished with up to twenty years in prison. Further, destroying evidence in furtherance of an illegal scheme may also be aiding and abetting, or conspiracy.
In sum, international travelers trying only to protect privileged information, trade secrets or private communications or photos, have no obligation under federal law to preserve these documents on a laptop so that they may be reviewed by border guards.
- Secure passwords: As for techniques to protect yourself and your privacy, security expert Bruce Schneier offers a guide to securing passwords against an offline password-guessing attack.
- Whit Diffie's advice to Mac users: Don't allow passphrases for encrypted disk files to be saved on your keychain.
Crypto pioneer Whitfield Diffie observes that while the Mac Disk Utility encryption offers perfectly fine AES128 encryption, you must opt out to avoid having the key you give stored on your keychain, i.e., encrypted in your login password. Since login passwords are rarely more than a few characters long, the effect is to render your encrypted file vulnerable to a forensic study of the disk. Once a key has been written on the disk, you have to scrub the whole disk very carefully before you can be sure it is gone.
- Gone but not forgotten: EFF co-founder John Gilmore warns that merely deleting files will not remove them from your hard drive. You must overwrite the file contents. Macs have a "Secure Erase Trash" and Linux machines have "shred -u", which also overwrite the file contents and the file names before removal. A variety of Windows secure wipe utilities are available online.
John adds that secure erasure doesn't work on flash drives (which have an extra layer of data allocation software to do "wear leveling" so that lots of writing to particular parts of the chip don't wear out that part prematurely). There are technical ways to physically erase some parts of some flash drives, but I don't know any file systems that can actually do it.
- Power off before the border: Shut your machine down totally before taking it through customs, ideally many minutes in advance so that the RAM storage insecurity discovered by EFF, Princeton University and other researchers cannot be used to get your disk encryption keys.
- Eight steps to secure data: Chris Soghoian, a graduate student at the School of Informatics at Indiana University, offers his "Guide to Safe International Data Transport." (Disclosure: I represented Chris pro-bono in connection with his boarding pass generator in 2006 and 2007.)
- Truecrypt: Finally, many people wrote in about Truecrypt and its provision of "plausible deniability." A user can have an encrypted partition (which can be hidden as any file on your hard drive) and within that partition hide another partition. One password will reveal one partition and another separate password will reveal the other. Because of the way Truecrypt encrypts the partition table itself, an observer cannot detect a hidden partition even if she has access to the "regular" encrypted share. This gives a traveler something to decrypt if a Customs official asks, while keeping the rest of your information secure. Remember, however, that lying to a federal law enforcement officer about material facts is a crime, so if you choose to answer a question about whether there are additional encrypted partitions, you are obligated to answer truthfully.
I hope these pragmatic tips help people keep their data secure from arbitrary searches at the border.
For more information on digital border searches, view our open letter to Congress or visit EFF's Action Center.
MSN Music Debacle Highlights EULA Dangers
Posted by Jennifer Granick
When Microsoft announced that it will no longer support former MSN Music customers who want to play their DRM disabled music on new computers, DRM-hating consumer advocates justifiably cried out, “I told you so!” But this debacle is not just another example of the dangers of DRM: it's also a reminder of the danger of overreaching end user license agreements, or EULAs.
Just as DRM allows unprecedented corporate control over music and movies, the EULAs that Microsoft and other content vendors force users to click through before downloading songs, shows or films help enforce and expand that control. For example, EULAs usually claim that whatever happens, you can't sue the company--even for problems that are entirely of the company’s own making. And EULAs are often used to try to limit a company’s obligation to live up to its apparent promises.
What this means is that buying music (or software) online is quite different from making your purchase at the store. When you buy a regular CD, you own it. You're allowed to do anything with it you like, so long as you don't violate one of the exclusive rights reserved to the copyright owner. So you can play the CD at your next dinner party (copyright owners get no rights over private performances), you can loan it to a friend or make a copy for use on your iPod. Every use that falls outside the limited exclusive rights of the copyright owner belongs to you, the owner of the CD. And if it won’t play, you get to bring it back and get a refund. Both technology and custom give vendors a lot more power when selling digital goods. Unlike the CD purchase, when I download from Microsoft Music, I don't just get the music, I get the “Service Agreement” as well. And if the Service Agreement tells me that there just might not be any Service, then I could be stuck with the digital version of an empty jewel box.
MSN Music’s EULA is a case in point. When active, MSN Music's webpage touted that customers could “choose their device and know its going to work”.

But when customers went to purchase songs, they were shown legalese that stated the download service and the content provided were sold without warranty. In other words, Microsoft doesn't promise you that the service or the music will work, or that you will always have access to music you bought. The flashy advertising promised your music, your way, but the fine print said, our way or the highway.
Microsoft isn't alone. Many other DRMed music services also make false promises to customers, including Apple iTunes, RealNetworks and Napster 2.0.
Which applies, the marketing promises or the fine print?
Do You Own Your Software? WoW Glider Case Not Just About Getting to Level 70.
Posted by Corynne McSherry
Unbeknownst to most software users, a lawsuit now at a critical stage could drastically expand the ability of software vendors to restrict how their customers can use their software.
Blizzard Entertainment, the company that makes the hugely popular massively multi-player online role-playing game World of Warcraft, sued Michael Donnelly, the developer of Glider, a program that helps WoW users raise their character level to 70 by “playing” for the user while the user goes to get a cup of coffee, read the paper, etc. The WoW licensing agreement ostensibly forbids using programs like Glider. Blizzard says that Donnelly illegally interfered with that agreement by selling Glider and, therefore, encouraging users to breach the license agreement by using the program.
Here’s the scary part: Blizzard also insists that because the license agreement forbids using Glider with WoW, Glider users are committing copyright infringement when they load copies of WoW into RAM in order to play the game. (Blizzard says Donnelly is contributing to that infringement.) If Blizzard’s theory were correct, Glider users could be on the hook for statutory damages, which could start at $750 per RAM copy. Blizzard’s theory would also give software vendors the power to stop the sale of software that interoperates with their product.
But Blizzard’s theory is wrong, because it confuses a copyright holder's intellectual property rights in the software it develops with a buyer's rights in the actual copy of the software. An owner of software has a right to copy it if that copy is essential to the customer’s use of the software. (See Section 117 of the Copyright Act.) This rule is a crucial part of the balance Congress crafted between the rights of the copyright holder to manage and benefit from its expressive work, and the rights of the public to innovate, recreate and otherwise use and build on that work.
Blizzard argues that players aren’t owners but merely software licensees, so section 117 doesn’t apply. But court after court has held that the question of whether a user is an owner for purposes of Section 117 depends on the substance of the transaction, not just how one party wants to describe it. For example, if you buy the software, keep it on your own computer and don’t have to return it when you are done, you probably own it.
This is not to say that there might not be a contract, like the license agreement, that restricts use of the software. But violation of that agreement is a matter of contract law, not copyright, which means that different standards apply and there is no minimum statutory damages requirement.
Blizzard has filed for summary judgment on its claims. Given the facts of the case—Glider is, after all, a program that helps some folks cheat at WoW—there is a danger here that the court will lose sight of the implications of its ruling for all software users. Public Knowledge filed an amicus brief last week calling the court’s attention to those implications. We hope the court will take heed, and reject Blizzard’s absurd and overreaching copyright theory.
Global minilinks for 2008-05-04
Posted by Danny O'Brien
- Global Online Freedom Act To Get Hearing
Rep. Chris Smith's bill to force companies to comply with US government standards on censorship, filtering and privacy in certain countries moves ahead.
- Egyptians use Facebook to Deter Censorship
Dissidents collectively acting online to organize real world protests.
- China Beats US for Internet Population
Now has 221 million users, to United States' 216 million.
- Jailed Chinese Journalist Shi Tao's Poem Follows Olympic Torch's Route Online
The string of online activists jailed by the Chinese government dogs its Olympics preparations.
- Bypassing a Laptop's Fingerprint Login - Using Its Own Dirty Mouse
Kim Cameron shows that a laptop has plenty of finger marks to undermine its own security system.
- Declared Income of All Italian Citizens Posted on Web
Not a data leak, but a deliberate attempt to "fight tax evasion" by the outgoing Italian administration.
- A Short Film Commemorating the 1943 Dutch Population Registry Attack
In occupied Holland, the resistance had to take desperate measures to stop misuse of collected personal data.
- EULAs in the UK
British consumer groups and lawyers are becoming more and more concerned by EULA language.
- Google Hands Over Personal Data to Brazilian Authorities
After fighting against revealing Orkut identities, Google has finally given data on 300 users to a Brazilian senate committee.
- Russian Prosecutors Eye Internet Censorship
"The new proposal is for any website deemed to have hosted extremist material to be blocked by providers in Russia 'within a month,' Sizov said."
- Performing Rights Society Doing Well From Internet
The UK collecting society is benefitting from a deal with YouTube and other digital platforms.


