DeepLinks Archives, May 2008
Noteworthy news from around the internet.
Freedom Not Fear: Europe's Growing Protest Against Net Surveillance
Posted by Danny O'Brien
This weekend, marches and meetings across Germany will protest the overreaction of countries to the threat of terrorism, and the re-emergence of a surveillance state in that country. "Freedom Not Fear" is not a small event: over 20,000 people demonstrated in the last protest in September, and over thirty cities will be taking part in this weekend's demonstrations. The organizers hope to expand across Europe for an even larger protest on September 20th of this year [Update: the date has been changed to October 4th].
What has prompted such a fierce reaction? The core of the protest is anger at the European Union's passing of the Directive on Mandatory Retention of Communications Traffic Data, an EU regulation that mandates all European ISPs and phone providers to keep records on every landline, cell and Internet phone call, every email sent, and every Internet connection session, for as long as two years.
The data retention directive was passed in March 2006, with a requirement that EU countries put its requirements into national law by September 2007. Many countries have been dragging their feet, however, faced with the daunting task of weakening existing privacy law, as well as negotiating with communication companies to install and maintain the extensive storage and monitoring equipment required.
But the infrastructure to support the collection of gigabytes of data on innocent citizens is being put in place - and already it has expanded beyond even permissions granted by the new Europe-wide regulations. Denmark's implementation of the directive, one of the first, requires ISPs to record the protocol and port number of every TCP/IP session (if "unfeasible", they can opt to only record every 500th packet). On the 19th May, the UK proposed a plan to nationalize data retention entirely: collecting all the data from all ISPs and phone companies and storing it in a central government database for ease of access.
As citizens across the continent realize the extent to which they will be monitored, resistance is growing. Digital Rights Ireland's long-running constitutional challenge to data retention will be heard in the High Court on Thursday, June 5th. The German group leading the protests this weekend, the Working Group on Data Retention, has its own constitutional complaint pending.
Data retention is also rearing its head in the United States, with FBI Director Robert Mueller telling Congress last month that compelling ISPs to log Americans' activity for two years would be "tremendously helpful". This weekend's Freedom Not Fear protests are solely in Germany, but the planned September demonstrations will take place across Europe. Perhaps it is time that concerned United States citizens joined the chorus, before data retention has a chance to reach its shores.
Computer Crime Laws Chill Discovery of Customer Privacy Threats
Posted by Jennifer Granick
Have you ever wanted to test whether an e-commerce website is keeping your data secure? The federal Computer Fraud and Abuse Act -- and state statutes modeled on that law -- are so overbroad and vague that your curiosity could get you in deep legal water. When you access your account with an online retailer, the URL often contains a series of numbers. What if those numbers, instead of being randomly generated, appear to be unencrypted personal information, like the last four digits of your credit card, or your California Bar number? What would happen if you edited the URL to contain a different credit card or Bar number? Perhaps it would give you access to someone else's account. That's something you'd want to know because it means your information is also unsecured and the company has something important to fix.
You'd better think twice before testing your theory. Federal and state laws that criminalize unauthorized access to computers also hobble the rights of customers and security experts to use their own browsers to test whether a computer server adequately protects their data from thieves and fraudsters. This is true even if you don't damage, delete, alter or change anything and are acting solely with the intent to protect yourself and others. Under the Computer Fraud and Abuse Act, codified at 18 U.S.C. 1030, obtaining any information from a simple unauthorized access is a misdemeanor punishable by up to a year in jail, while the existence of other factors (such as causing damage or taking medical information) may make such access a felony. 18 U.S.C. 1030(a)(2)(c), (c)(2)(a). California's computer crime law (Penal Code section 502) also prohibits a number of unauthorized activities with computers and computer networks. Merely accessing a computer system without permission is an infraction under California law. (c)(7), (d)(3).
The problem is that the definition of authorization or permission in computer crime law is both uncertain and narrow. We lack advance permission for almost everything we do on the Internet. Instead, authorization is implied from the circumstances. But while we have hundreds of years of jurisprudence to figure out what happens when particulate matter from a coal mining operation on one parcel floats over to another, or what happens when neighbors are annoyed by the next door mink farm (apparently, the minks are stinky and loud), we don't have that understanding on the web, where the only things transferred are bits and bytes of data. Courts have reacted to this uncertainty in a knee jerk fashion by finding that anything the owner of the web server has prohibited, or even which the user could have known he wouldn't like, is not authorized. In effect, this means that to prove lack of authorization, the prosecutor can trot the website owner into court and simply ask "Did you give this person permission to change the customer ID number in the URL and test whether that revealed personal information?" If the answer is "no", the access was unauthorized.
Making a server owner's subjective preference with regard to uses of Internet connected computers the dividing line between legal and illegal behavior is a real problem. Even if you don’t circumvent any security measures, if you access a web server to test whether your account information or unencrypted passwords are available to hackers, or to download potentially embarrassing recorded comments by the Governor, or to get price information so that your company can market competitive products and services, you could be breaking the law.
Which leaves us with prosecutorial discretion. Not all web activities that technically violate the law are prosecuted. In fact, federal prosecutors will rarely if ever file only misdemeanor charges, and state prosecutors do not pursue such infractions. This doesn't mean there's nothing to worry about, however. When criminal laws are so broad, then anyone may be prosecuted if he or she strikes the authorities the wrong way. That's the current situation, and it has led to overreaching based on distaste for the defendant, not the illegality of his act. Federal prosecutors in Los Angeles put a man in prison for 16 months merely because he sent emails warning customers that their webmail service was insecure. The defendant's intentions had to be bad, argued the prosecutor, because the man was wearing a DEFCON t-shirt at the time of his arrest. Lori Drew, the Missouri mother involved in events on MySpace that drove her young neighbor to suicide, is being prosecuted by that same United States Attorney's Office for violating community norms enumerated in the social network's terms of service. "Hackers" or other perceived troublemakers face penalties while "security researchers" and "academics" are left alone for the same conduct, the difference being whether you wear a black t-shirt, a blue button down, or patches on the elbows.
We need a new paradigm for computer crime law. Former federal prosecutor Orin Kerr, now a law professor at George Washington University, has proposed that courts reject both implied and contract-based notions of authorization and limit the scope of unauthorized access statutes to cases involving the circumvention of code-based restrictions. This proposal solves some, though not all, of the problems with the current statutes. We need more academics, lawyers, and technologists thinking about how to enable users to explore how webservers store their information without opening that information up to attackers who intend to invade privacy or misuse data for their own economic gain.
Watching the Detectors
Posted by Danny O'Brien
In the absence of NBC or Microsoft coming clean about what they've done - what flags NBC sent, and what flags Microsoft obeys - we've been doing some detective work of our own -- and we'd like your help.
NBC have already said that their activation of their copy-control system was a "mistake". But the next such mistake will be the best chance to uncover what copy-protection Vista obeys on digital, over-the-air TV.
We're looking to obtain raw data dumps of the ATSC stream next time your copy of Vista chokes on an over-the-air digital TV feed.
(Note that we're not looking for "Can't Record Program" errors with shows received via either CableCard units or analog TV tuners -- we know that Microsoft obeys copy controls on these systems. We just want cases where over-the-air, broadcast digital (HD) TV has been affected.)
Right now, we're asking owners of the HDHomeRun to watch out for this problem. We're concentrating on this device because many Windows users run this hardware in conjunction with Vista Media Center, so they'll be able to see when the problem arises. Also, it provides only digital HD information to your PC (allowing us to eliminate any analog copy-protection systems). Finally, it's relatively easy to make a complete copy of the digital TV datastream using HDHomeRun's command line utility. Here's how:
- Go into Live TV mode in VMC and choose the problem NBC channel.
- Check the HDHomeRun LEDs to determine if tuner 0 or tuner 1 is being used. The LEDs are in this order: (Power) (Ethernet, Tuner 0, Tuner 1).
- Record a 60 second sample of the stream:
  - Open a cmd prompt and run (specify tuner 1 if VMC is using tuner 1):
    "C:\Program Files\Silicondust\HDHomeRun\hdhomerun_config" FFFFFFFF save /tuner0 sample.ts
  - Wait 60 seconds then press Ctrl-C to stop.
When you've got your sample, mail EFF at info@eff.org with a specification of your setup, the date, time and channel of the show. We'll get in touch.
If you know how to record the raw datastream (not just the MPEG2 data, the whole transport stream) on other hardware, let us know, and we'll add it to this blog entry.
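Before mailing a capture, it helps to confirm that the file really is the whole transport stream rather than a single extracted program. The script below is an added example, not part of the original post or Silicondust's tooling; it assumes standard 188-byte packet framing and the ATSC PSIP base PID 0x1FFB, and its function names and sample bytes are constructed for illustration.

```python
import sys
from collections import Counter

TS_PACKET = 188    # MPEG-2 transport stream packet size in bytes
SYNC = 0x47        # first byte of every transport packet
PID_PAT = 0x0000   # Program Association Table
PID_PSIP = 0x1FFB  # ATSC PSIP base PID (carries tables such as MGT and VCT)


def find_sync(data, probe=5, window=65536):
    """Return the first offset where SYNC repeats every 188 bytes, else -1."""
    for off in range(min(window, len(data) - TS_PACKET * (probe - 1))):
        if all(data[off + i * TS_PACKET] == SYNC for i in range(probe)):
            return off
    return -1


def summarize(data):
    """Summarize a capture; None means no transport-stream framing was found."""
    start = find_sync(data)
    if start < 0:
        return None
    pids, lost_sync, scrambled = Counter(), 0, 0
    for off in range(start, len(data) - TS_PACKET + 1, TS_PACKET):
        pkt = data[off:off + TS_PACKET]
        if pkt[0] != SYNC:          # framing slipped, e.g. dropped bytes
            lost_sync += 1
            continue
        pids[((pkt[1] & 0x1F) << 8) | pkt[2]] += 1   # 13-bit PID
        if pkt[3] & 0xC0:           # transport_scrambling_control bits set
            scrambled += 1
    return {
        "leading_junk": start,
        "trailing_bytes": (len(data) - start) % TS_PACKET,  # cut by Ctrl-C
        "packets": sum(pids.values()),
        "lost_sync": lost_sync,
        "scrambled": scrambled,
        "pids": dict(pids),
        # A full ATSC multiplex carries both the PAT and the PSIP tables.
        "has_pat": PID_PAT in pids,
        "has_psip": PID_PSIP in pids,
    }


def make_packet(pid):
    """Build one constructed packet: 4-byte header plus 0xFF stuffing."""
    header = bytes([SYNC, (pid >> 8) & 0x1F, pid & 0xFF, 0x10])
    return header + b"\xff" * (TS_PACKET - 4)


def constructed_sample():
    """Constructed data: 3 junk bytes, 6 packets, 2 bytes of a cut-off packet."""
    order = [PID_PAT, PID_PSIP, 0x0031, 0x0031, 0x1FFF, PID_PAT]
    return b"\x00\x01\x02" + b"".join(make_packet(p) for p in order) + b"\x47\x00"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = constructed_sample()
    report = summarize(blob)
    if report is None:
        print("no 188-byte transport-stream framing found")
    else:
        for key, value in report.items():
            print(f"{key}: {value}")
```

Run it with the path to sample.ts as the only argument; a capture that reports has_psip as False was probably filtered down to one program before it was saved.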
Global minilinks for 2008-05-27
Posted by Danny O'Brien
- Michael Geist - Ten More Questions for Industry Minister Prentice
On the eve of Canada's DMCA, the politician in charge has plenty to answer for.
- German Phone Company in Spying Scandal
Deutsche Telekom employees analyzed "several hundred thousand landline and mobile connection data sets of key German journalists reporting on Telekom and their private contacts."
- Gamer anger at Nokia's "Lock In"
UK gamers battle Nokia's N-Gage's DRM and terms of service
- EU Rejects New Intellectual Property Rights for Sport
"Unjustified protectionism and injurious to press freedom," say publishers.
- Shops Secretly Track Customers via Mobile Phone
A less salubrious use of GNU Radio.
- Rolling Stone on "China's All-Seeing Eye"
Naomi Klein on how China's censorship is being exported.
- Canada Watchdogs Investigate Deep Packet Inspection
Are ISPs invading users' privacy?
McCain Not Giving Straight Talk on Warrantless Wiretapping
Posted by Kurt Opsahl
On Wednesday, a McCain campaign spokesperson outlined a surprisingly reasonable position on whether to hold telcos accountable for illegally spying on millions of Americans. EFF applauded his position at the time.
But earlier today, the McCain campaign claimed that they had made a mistake, saying the report "incorrectly represented" his position, which now is that "companies who assist the government" should be granted amnesty in the pending FISA legislation.
The revised position is difficult to reconcile with McCain's previous positions on the NSA warrantless wiretapping program.
Right after the New York Times revealed the Bush Administration's warrantless wiretapping program, McCain expressed his doubts about the program, telling MSNBC "Theoretically, I obviously wouldn't like it."
When interviewed by CBS News, McCain was asked how he would feel if subjected to surveillance:
CBS: Well Senator, how do you personally feel about it. Not only are you a lawmaker, you're also a citizen. If you are on a phone call to somewhere overseas, and you found out the government was listening in, how would you feel about that?
MCCAIN: In my case, or any other innocent American's case, obviously I wouldn't like that, just because of the privacy concerns....
In the telecom litigation, we are suing on behalf of these innocent Americans, all of whom have no connection to terrorism. And they do not like it any more than McCain does.
Speaking to Matt Lauer on the Today show that same month, McCain agreed that "it is up to a court of law to find out if someone broke the law here and if punishment should be handed out." Immunity for the telecommunications companies, however, would prevent the court from ruling on the legality of the President's program.
More recently, McCain clarified his position on the underlying legal issues with the Boston Globe:
Does the president have inherent powers under the Constitution to conduct surveillance for national security purposes without judicial warrants, regardless of federal statutes?
There are some areas where the statutes don’t apply, such as in the surveillance of overseas communications. Where they do apply, however, I think that presidents have the obligation to obey and enforce laws that are passed by Congress and signed into law by the president, no matter what the situation is.
Okay, so is that a no, in other words, federal statute trumps inherent power in that case, warrantless surveillance?
I don't think the president has the right to disobey any law.
In short, despite the ire of the conservative pundits like Andrew McCarthy, McCain has previously rejected the Bush Administration's legal rationale for the warrantless surveillance program, sympathized with the millions of innocent Americans caught up in the NSA spying, and opined that the Courts should have the chance to determine whether the law was broken.
Given these statements, it is surprising and disappointing that McCain so strongly supports the Bush Administration's efforts to prevent the courts from ruling on the claims of innocent Americans in the telecom litigation. Senator, it's time to straighten your talk: please match your actions with your words, and stand up to defend the rights of Americans to be free from warrantless surveillance.
If It Looks Like a Duck . . . Seattle Judge Finds Software Was Sold, Not Licensed
Posted by Corynne McSherry
In a major victory for consumers' rights, a federal district judge has firmly rejected software vendor Autodesk's claim that its license agreement restricts its customers from re-selling the software they lawfully owned.
As we've discussed before, the copyright industries have struggled for years to convince courts and their customers that software is merely licensed, not sold. Why? Because the Copyright Act includes various protections for buyers of copyrighted material that limit sellers' ability to restrict how their customers can use their software. One of the most important of these protections is the "first sale" doctrine, which simply says that once you've acquired a lawfully-made CD or book or DVD, you can lend, sell, or give it away without having to get permission from the copyright owner. Without the "first sale" doctrine, libraries would be illegal, as would used bookstores, used record stores, video rental shops, CD-swapping communities and so on. If those books, records, videos etc. were merely licensed, the seller could simply refuse to give their customers permission to re-sell the material they bought, or put other onerous restrictions on resale. That way, they could force consumers to always buy new software, even if they would prefer to buy an older, possibly less expensive, version.
This proposition is being put to the test in the context of eBay sales. After Autodesk repeatedly alleged that Timothy Vernor was violating copyright law by attempting to sell copies of Autodesk's copyrighted AutoCAD software on eBay, Vernor (with the able assistance of Public Citizen attorney Greg Beck) asked the court to declare that his activity was legal under the first sale doctrine. Autodesk predictably responded by insisting that AutoCAD is licensed, not sold. Nonsense, said the court -- Autodesk may have called the transfer a license, but it didn't look much like one. For example, the license didn't require consumers to return the software when they were done with it, nor to make ongoing payments for continued use. Thus, the "license" might put some restrictions on use, but those restrictions did not void the first sale doctrine.
Kudos to Judge Richard Jones for seeing that if it looks like a duck and quacks like a duck, chances are it's a duck. And big congratulations to Vernor and his counsel, Greg Beck, for striking a major blow for consumer rights.
William Patry has an excellent post on the ruling and what this case can tell us about the DMCA safe harbors.
More information on the case available here.
B-24 Liberated!
Posted by Corynne McSherry
Last month we told you about Lockheed Martin's effort to use trademark infringement claims to cause the removal of digital images of classic military aircraft from TurboSquid, a stock images site. The central mark at issue was the term "B-24," which Lockheed managed to register as a trademark for use in connection with scale models of airplanes. We sent an open letter to Lockheed's licensing agency, demanding that they withdraw their improper objections. We're pleased to report that Lockheed has decided to withdraw its claim, and TurboSquid is putting the images back up forthwith.
This is a good outcome, but the problem remains. Because online communication and commerce often depends on intermediaries like TurboSquid, who may not have the resources or the inclination to investigate trademark infringement claims, it is much too easy for trademark owners like Lockheed to ignore fair use and shut down legitimate content. And not every target of improper claims is going to have the resources to push back.
One way to help prevent future overreaching claims is for trademark owners to learn that a trademark registration doesn’t give you a right to control everyday use of regular descriptive terms. Another is for large trademark owners to set up websites or email "hotlines" where the targets of trademark claims can seek review and prompt withdrawal of the claim if the takedown request was in error. Such a hotline won't stop real abuse, but will provide a relatively painless way for trademark owners to correct honest mistakes. Finally, service providers should institute a form of counter-notice procedure that would allow those who believe they have been accused unfairly to quickly determine the basis for a takedown, and request reconsideration. Real infringers won't bother to take advantage of such a procedure, but fair users could use it to show that their use is permissible (and therefore does not put the service provider at risk).
John McCain Wouldn't Give the Telcos Immunity if He Were President
Posted by Kevin Bankston
Breaking with President Bush and GOP Congressional leadership, presumptive Republican presidential nominee John McCain said today through one of his representatives that he did not believe that Congress should immunize phone companies from liability for their participation in the NSA's warrantless wiretapping — at least not until Congress has held hearings to find out exactly what conduct was being immunized, and not until the phone companies admit to and apologize for their lawbreaking.
Threat Level's Ryan Singel reports from the Computers, Freedom and Privacy conference:
As president, presumptive Republican nominee John McCain would not support immunity for the telecoms that aided the Bush administration's warrantless spying program, unless there were revealing Congressional hearings and heartfelt repentance from those telephone and internet companies, a campaign surrogate said Wednesday.
The remarks from Chuck Fish, a full-time lawyer for the McCain campaign and a Time Warner vice president, represent a big change on the issue for McCain, who voted in February to keep immunity in the Senate spying bill. Fish was careful to say, however, that he was answering a double hypothetical question — if McCain wins, and if the issue is still alive in 2009.
"First, we need to be explicit we are not talking about granting indulgences," Fish said, clarifying that he meant forgiveness must be matched with repentance.
"There would need to be hearings to find out what actually happened and what harms actually occurred," Fish said, adding that immunity would need to be coupled with clear rules to make sure private records would be protected in future.
EFF wishes more Republicans would recognize, as their Presidential nominee does, that immunity should not even be considered until Congress has made an extensive investigation into the particulars of the Bush administration's warrantless wiretapping program, and that immunity certainly shouldn't be granted if the phone companies refuse to admit to and apologize for their role in the NSA spying.
Orphan Works Update: Is the Legislation Fair to Copyright Holders?
Posted by Hugh D'Andrade
As we pointed out in our deeplink and podcast on the issue, the Orphan Works legislation currently before Congress is stirring up all sorts of passions (and plenty of FUD). The debate continues this week -- with new contributions from two stalwart allies in the fight to reform copyright law.
Free Culture champion (and former EFF-board member) Larry Lessig has penned an op-ed for the New York Times opposing the bill. (log-in may be required) While he supports the principles behind the bill, he says it will create undue burden on copyright holders:
The proposed change is unfair because since 1978, the law has told creators that there was nothing they needed to do to protect their copyright. Many have relied on that promise. Likewise, the change is unfair to foreign copyright holders, who have little notice of arcane changes in Copyright Office procedures, and who will now find their copyrights vulnerable to willful infringement by Americans.
The change is also unwise, because for all this unfairness, it simply wouldn’t do much good. The uncertain standard of the bill doesn’t offer any efficient opportunity for libraries or archives to make older works available, because the cost of a “diligent effort” is not going to be cheap. The only beneficiaries would be the new class of “diligent effort” searchers who would be a drain on library budgets.
Instead, Lessig proposes a change long advocated by copyright reformers -- the reduction of the term of automatic copyright to 14 years, with an option to cheaply and easily renew the copyright after that time. A worthy goal -- but not likely to be achieved anytime soon, if ever, given the powerful interests that would oppose it.
Lessig's friend and comrade in the Free Culture wars Gigi Sohn at Public Knowledge has written a detailed riposte addressing each of Lessig's points:
First, the diligent effort framework for searches has been endorsed by all the major library and museum groups, as well as by smaller user groups like independent and documentary filmmakers. Contrary to what Larry believes, small and nonprofit institutional users do not want the government (in the guise of the Copyright Office) to define with specificity what a diligent effort is, because no two searches are alike.
. . .
[N]othing in the legislation is unfair to copyright holders. The purpose of the legislation is to match users with copyright holders and get the latter paid. If a copyright holder reappears after a user has done a diligent search, then the copyright holder is entitled to reasonable compensation. This is compensation that the copyright holder would likely never have obtained without orphan works relief, because the user would not have risked paying the huge damages provided by copyright law. Also, to the extent that photographers and other visual artists may be disadvantaged because the current text-based copyright registry system makes it difficult to find the proper owner of their works, the bills provide the exact relief Larry desires – a delay to the effective date of the law pending the development of a series of visual registries that will make searching for the owners of these works simple.
There is plenty of room for reasonable people to agree on these important questions. EFF strongly supports the Orphan Works legislation, while suggesting some changes such as requiring that any database of registered works be free to artists and copyright holders. We encourage people to read up on the issue and make up their own minds. If Orphan Works reform is an issue you believe in, contact your Congressperson now to support the legislation.
minilinks for 2008-05-21
Posted by Hugh D'Andrade
- Media Failing to Probe Candidates on Civil Liberties
Fairness and Accuracy in Reporting takes the news media to task for not asking the tough questions of the presidential candidates.
- Senators Question NSL Served to Internet Archive
Senators have asked the FBI to explain why the feds sought records from the digital library.
- Wiretaps Increase by 20%
The US government's statistics for 2007 show that (legal) wiretap requests have increased. (Illegal wiretaps are not included in the government's statistics.)
- New Trial in Filesharing Case?
D'oh! The judge in the landmark Jammie Thomas case now says he may have ruled in error.
- RIAA Describes Its Methods
The RIAA admits that it can't tell whether songs have been distributed or not in the cases it has brought.
- Napster Drops DRM
Napster's new online venture has the largest selection of DRM-free tunes on the Internet.
- TV Networks Take on RedLasso
A rapidly growing site that indexes video clips has been taken to court by the big networks.
- Google's Streetview Causes a Stir in Rome
Locals in Rome assumed Google's camera car was a surveillance vehicle. Were they right? (log-in may be required)
- Google Updates Streetview to Conceal Identities
New technology allows Google to blur faces incidentally captured in Streetview.
- Cars that Datamine?
Stanford scientists are studying ways to allow cars to collect data on your driving habits.
- Patent Court Appointees Under Question
A law professor claims to have discovered a flaw in the appointment of patent judges -- the appointments may be unconstitutional, calling into question thousands of patent rulings. (log-in may be required)
- New Device for Searching Cellphones
A new thumb drive can quickly and easily suck data from cellphones.
- Security Gaps When ISPs Hire Third Parties
The use of third parties to intercept web traffic and direct users to advertising can open major security holes.
- When Technology is Designed to Fail
"Complexity by design" isn't an accident -- it's a way for providers to maintain control.
- New Site Lists Copyright Takedowns
YouTomb compiles a list of all the videos ordered removed from YouTube.


