Deeplinks
Noteworthy news from around the internet.
Judge Overturns Lori Drew Misdemeanor Convictions
News Update by Matt Zimmerman
A federal district court judge today threw out the misdemeanor convictions of Lori Drew after the judge determined that the federal anti-hacking statute under which Drew was prosecuted was inapplicable to the allegation that she violated MySpace's terms of service. Drew was convicted by a jury in November of 2008 of violating the Computer Fraud and Abuse Act (CFAA) which bars "unauthorized access" to a computer. Prosecutors argued that Drew had violated the CFAA by harassing 13-year-old neighbor Megan Meier through the use of a fake Myspace profile, harassment that prosecutors say directly led to Meier's suicide.
EFF, along with the Center for Democracy and Technology, Public Citizen, and 14 law professors and faculty members, filed an amicus brief in August arguing that the court should dismiss the CFAA claims against Drew because terms of service violations do not constitute crimes under the Act. Regardless of whether Drew could be held criminally liable under a different theory, EFF argued that the theory pursued by prosecutors was inappropriate.
U.S. District Judge George H. Wu stated that his opinion would become final when his written opinion was filed, likely next week.
Help Protesters in Iran: Run a Tor Bridge or a Tor Relay
Call To Action by Richard Esguerra
As turmoil over the disputed election in Iran continues, many techs are trying to find ways to help Iranian citizens safely communicate and receive information despite the barriers being established by Iranian authorities. One tactic that even moderately tech-savvy Internet users can employ is to set up a Tor relay or a Tor bridge.
More sophisticated users can skip this paragraph, but for the rest, here's the basic outline. Tor (an acronym of "The Onion Router") is free and open source software that helps users remain anonymous on the Internet. Normally, when accessing websites, your computer asks for and receives a webpage out in the open, a process that exposes your IP address, the URL of the website, and the contents of the site, among other information, to third parties. When accessing websites while using Tor, your computer essentially whispers its request for a website to another computer, which passes the request on to another computer, which passes it on to another computer, which passes it on to the computer where the website is hosted; the reply returns in the same chain-message manner. The whispers are encrypted, so that neither outside authorities nor the computers in the middle of the chain can tell what is being said, and to whom. And the website itself does not have your IP address either.
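The chain of encrypted "whispers" described above can be sketched in a few lines. This is an added illustration, not code from the Tor Project or from this post: the relay names, keys and destination are constructed, and the keystream cipher is a standard-library stand-in for the real ciphers and per-hop key negotiation Tor uses.

```python
# Added illustration of layered ("onion") encryption; not Tor's real protocol.
# Assumptions: three hypothetical relays with pre-shared keys, and a toy
# SHA-256 keystream cipher standing in for real authenticated encryption.
import hashlib
import hmac
import json

def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one layer, then prepend a MAC so a wrong key is detected."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def open_layer(key: bytes, blob: bytes) -> bytes:
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("layer not readable with this key, or tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def build_onion(path, destination: str, request: bytes) -> bytes:
    """Wrap the request once per relay, innermost layer for the last relay."""
    next_hop, payload = destination, request
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
        payload = seal(key, layer)
        next_hop = name
    return payload  # what the client hands to the first relay

def peel(key: bytes, blob: bytes):
    """What one relay does: remove its own layer, learn only the next hop."""
    layer = json.loads(open_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, onion: bytes):
    """Simulate forwarding and record what each relay gets to see."""
    seen, blob = [], onion
    for name, key in path:
        next_hop, blob = peel(key, blob)
        seen.append((name, next_hop))
    return seen, blob

# Constructed sample data.
PATH = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]
REQUEST = b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n"

if __name__ == "__main__":
    onion = build_onion(PATH, "news.example:80", REQUEST)
    views, delivered = route(PATH, onion)
    for relay, nxt in views:
        print(f"{relay:6} learns only the next hop: {nxt}")
    print("last relay forwards:", delivered)
```

Only the last relay in the chain sees the destination and, for plain HTTP, the request itself; it does not see who sent it.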
Internet users in Iran are using Tor to both (a) circumvent censorship systems and (b) remain anonymous while reading and writing on the Internet. Both are critically important to the safety of protesters, many of whom fear retaliation from the government. Preliminary reports indicate that use of the Tor client in Iran has increased in the days after the contested election.
However, Tor's design relies on a robust network of "volunteer computers" (a.k.a. relays) to pass messages back and forth. This means that the speed and quality of a Tor user's browsing experience depends heavily on the number of volunteer computers available to pass messages along. This is where volunteers can make a difference -- setting up additional relays improves access for dissident Iranians and other users of the Tor network. The more people who help out, the better and more quickly the network runs. If you're interested in helping out, find and follow instructions for configuring a Tor relay on the Tor website.
Those looking to help fight censorship should also consider providing a Tor bridge. Bridges come into play when an ISP decides to try blocking users' access to the Tor network. (For now, there seems to only be anecdotal evidence of Iran attempting to block the use of Tor. However, Iran has recently been practicing reactive and centralized blocking, which makes any effective block of Tor far more likely.) The Tor bridge configuration differs from a relay in that your computer does not appear in the public Tor network. Instead, users looking for access to the Internet through Tor can receive your Tor routing information through more private channels, then configure their Tor client to transmit requests through your computer. By not appearing in the public Tor network, your Tor routing information is less likely to end up on an ISP filter and can provide help for a longer period of time -- but recognize that the network needs both relays and bridges.
Tor provides strong protections for its users, but if you plan to use it to access the Net, take time to fully understand its limitations. Check the Tor "Warning" section for more information. You should also consider any limitations that may exist in your arrangement with your ISP.
If you have other questions about setting up a Tor bridge or relay, please check the Running a Tor relay FAQ page. For other concerns, The Onion Router Wiki may help.
For understanding the technical conditions of the Iranian Internet, we have found the Open Network Initiative's ongoing research, Arbor Networks' network analyses, and the Tor Project's own blog status reports to be informative.
miniLinks for 2009-06-26
miniLinks by Richard Esguerra
- Surveillance in Iran vs. Surveillance in the US
  Iran has an Internet monitoring center built by Nokia and Siemens AG -- what kind of domestic spying is happening in the US?
- Data Shows Music Fans Are Willing to Buy
  TopSpin and Nettwerk have experimented with premium discs, free albums, and free shows, and have found that fans are still more than willing to pay.
- Panasonic Blocking Use of Third-Party Batteries
  A firmware update to some Panasonic cameras is preventing consumers from using their choice of battery, forcing users to buy only "genuine" Panasonic batteries.
- Endless Privacy Concerns After "Clear" Shuts Down
  What happens to all the fingerprints, iris scans, and social security numbers collected by the Clear registered traveler service?
- Electronic Arts Selling Stores in Games
  The video game publisher seeks to move beyond piracy by selling games that, as a rule, encourage payment for an improved experience, like access to the game community and better content.
- Musician Makes $19k Using Twitter; $0 on Major Label Solo Album
  Amanda Palmer, of the Dresden Dolls, recounts recent examples of using Twitter to reach out to fans directly and garner direct support for her creative efforts, while her major label album sales net nothing.
- Does a Private Company Own Your Bus Arrival Times?
  A controversy is brewing over NextBus Information Systems, which shut down an iPhone app by claiming to have exclusive ownership of bus arrival data.
Several Facts about Google and HTTPS
Technical Analysis by Peter Eckersley
Three simple facts about Google and HTTPS:
One: as we posted last week, we're very pleased to hear that Google is trialling full HTTPS encryption of all Gmail pages.
Two: if Google's trials are successful, and the company does indeed make HTTPS encryption the default protocol for reading and writing Gmail messages, it will have taken a two-step lead on its competitors in the free webmail and social networking spaces. People use Yahoo! Mail, Hotmail, LiveJournal and Facebook for their private communications, but all of the private messages on those services travel over the network unprotected.[1] MySpace doesn't even support HTTPS for passwords!
Three: webmail is one thing, but search is another. Sadly, it isn't possible to use Google's excellent search engine over HTTPS. If you attempt to visit google.com via https, you'll just be redirected back to unencrypted HTTP. If you try the same thing at Yahoo or Microsoft, you'll receive unhelpful error messages.
We've been privately urging Google to make their search service available by HTTPS for some time, but nothing has happened. Yahoo and Microsoft should of course do the same. At the moment, the only search engine that offers protection against eavesdropping is a metasearch site called Ixquick (they also have a truly excellent privacy policy). We hope that some day, the major search engines can catch up with Ixquick.
Those are three simple observations. If you're interested in some less-simple technical detail about what HTTPS actually does, why it's important, and what its limitations are, continue reading below the fold.
[1] Yahoo! Mail is the least worst of these services, since it defaults to HTTPS login, but all of these services are severely lacking in security.
ASCAP and Copyright Doublespeak
Commentary by Fred von Lohmann
Just a few days ago, we pointed out that ASCAP is arguing in federal court that every time your musical ringtone rings in public, you're violating copyright law by "publicly performing" it without a license. Now ASCAP has fired up its spin control machinery and issued a statement to Billboard, including this talking point, doubtless meant to be reassuring:
To be completely clear, ASCAP’s approach has always been to license these businesses – not to charge listeners/end-users.
This is an archetypal example of copyright doublespeak. What ASCAP should be saying is: "It's not infringing when your ringtone goes off in public." That's because the Copyright Act specifically provides in Section 110(4) that public performances "without any purpose of direct or indirect commercial advantage" are "not infringements of copyright."
Instead, ASCAP's statement essentially amounts to "you're all pirates, but don't fret, we'd never sue you for it, just every company that provides you with services." We've seen similar statements from others in the copyright industries: the RIAA, for example, still has never admitted that ripping a CD you own for use on your own iPod is a noninfringing fair use. Instead, they say "we have no objection to that" or "we'd never sue you for that." Statements like this provide no certainty to consumers, nor to the innovators who are trying to build businesses (whether delivering VCRs, ringtones or iPods) helping consumers enjoy copyrighted works in every conceivable way that does not infringe the limited rights granted to copyright owners.
So, reporters, next time you get this copyright doublespeak from an ASCAP representative, remember to ask the next question: "If I have a musical ringtone, and it rings in a public place, are you saying that I've infringed the copyrights of your members?"
ASCAP Wants To Be Paid When Your Phone Rings
Legal Analysis by Fred von Lohmann
ASCAP (the same folks who went after Girl Scouts for singing around a campfire) appears to believe that every time your musical ringtone rings in public, you're violating copyright law by "publicly performing" it without a license. At least that's the import of a brief [2.5mb PDF] it filed in ASCAP's court battle with mobile phone giant AT&T.
This will doubtless come as a shock to the millions of Americans who have legitimately purchased musical ringtones, contributing millions to the music industry's bottom line. Are we each liable for statutory damages (say, $80,000) if we forget to silence our phones in a restaurant?
ASCAP's outlandish claim is part of its battle with major mobile carriers (including Verizon and AT&T) over whether ASCAP is owed any money for "public performances" of the musical ringtones sold by the carriers. The carriers point out that the owners of the musical compositions (i.e., songwriters and music publishers) are already paid for each ringtone download, but ASCAP claims that it's owed another royalty for the "public performances" (i.e., ringing in a restaurant) of those same ringtones.
Fortunately, ASCAP is wrong. Even if the incidental mobile phone playback of a short snippet in a public place were viewed as a "public performance" (something no court has ever held, and that would also put you in jeopardy for playing your car radio with the window down), the Copyright Act has a specific exception, 17 U.S.C. 110(4), that covers performances made "without any purpose of direct or indirect commercial advantage." That should take care of ringtones going off in the restaurant.
Confronted with Section 110(4), ASCAP makes an even more dangerous and wrongheaded argument -- that the carrier cannot "stand in the shoes of its customer" when asserting a copyright defense like Section 110(4). In other words, because AT&T is in the ringtone business for the money, it's on the hook even if the customer isn't.
To appreciate how anti-consumer this argument is, consider what it would mean in practice. Congress has decided that many activities should be beyond the reach of copyright law, including not only the performances covered by Section 110(4), but also fair use and first sale, among other things. It's thanks to these exceptions and limitations that libraries can lend books, you can use a TiVo, and Apple can sell iPods to help you get the most from your CD collection. ASCAP is arguing, however, that just because you can't be held liable for copyright infringement for these things, a copyright owner could still sue any technology company that helps you enjoy your rights under copyright law.
Fortunately for consumers, ASCAP's theory is foreclosed by the Sony Betamax ruling, where the Supreme Court held that because it's a fair use for you to time-shift TV, it's also perfectly legal for Sony to sell you a VCR to do it. Sony did not have to run a second fair use gauntlet for its commercial VCR-selling business.
In short, if there's no infringement liability for the customer, there can be no secondary liability for the carriers. (ASCAP also has a theory that the carriers are direct infringers because they set up the system that causes phones to ring in public, but that theory is pretty handily wiped out by the recent Cablevision ruling, where the court found that setting up a "remote DVR" service doesn't make you a direct infringer when your customers use it.)
Or, put another way, if it's noninfringing for you, it's also noninfringing for a technology company to provide you with the means to do it.
miniLinks for 2009-06-19
miniLinks by Richard Esguerra
- REAL ID Revival Bill Is Another Attempt at a National ID
  A new "PASS ID" bill seeks to create a privacy-invasive national ID, just like its antecedent, REAL ID.
- IP Colloquium Podcast Tackles Patent Damages Reform
  UCLA Law Professor Doug Lichtman and his guests explore the contentious issues around patent reform, including the difficulty of calculating damages and considering the many possible reforms.
- Copyright in the Rye
  J.D. Salinger has filed a copyright infringement complaint against the writer of a novel attempting to chronicle the later years of a character from "The Catcher in the Rye."
- SF-area IT Director Lends Support for Protest in Iran
  A principled technologist becomes a hub of information about proxy servers, helping Iranian protesters bypass government censorship.
- Librarians Fear Lack of Competition in Google Book Search Deal
  Librarians are concerned about price hikes should Google develop a monopoly on the scanning of orphan works.
Record Labels' $1.9 Million Win in Thomas Retrial Constitutional?
Commentary by Fred von Lohmann
The jury in the retrial of Ms. Jammie Thomas-Rasset deliberated only a few hours today before concluding that she had willfully infringed the copyrights of 24 songs and awarding $1.92 million in statutory damages ($80,000 per recording) to the record label plaintiffs. The verdict represents a huge increase over the $220,000 award in the original trial, which was overturned by the judge based on a faulty jury instruction pushed by the record labels. Ms. Thomas-Rasset has said she doesn't have the money to pay this award (those wondering whether bankruptcy might protect her should consult EFF's 2007 memo covering the intersection of copyright verdicts and bankruptcy law, as well as In re Barboza, 545 F.3d 702 (9th Cir. 2008)).
Given the size of the statutory damages award, Ms. Thomas-Rasset's legal team will likely be seriously considering a constitutional challenge to the verdict. A large and disproportionate damage award like this raises at least two potential constitutional concerns.
First, the Supreme Court has made it clear that “grossly excessive” punitive damage awards (e.g., $2 million award against BMW for selling a repainted BMW as "new") violate the Due Process clause of the U.S. Constitution. In evaluating whether an award is "grossly excessive," courts evaluate three criteria: 1) the degree of reprehensibility of the defendant’s actions, 2) the disparity between the harm to the plaintiff and the punitive award, and 3) the similarity or difference between the punitive award and civil penalties authorized or imposed in comparable situations. Does a $1.92 million award for sharing 24 songs cross the line into "grossly excessive"? And do these Due Process limitations apply differently to statutory damages than to punitive damages? These are questions that the court will have to decide if the issue is raised by Ms. Thomas-Rasset's attorneys.
Second, recent Supreme Court rulings suggest that a jury may not award statutory damages for the express or implicit purpose of deterring other infringers who are not parties in the case before the court. In other words, the award should be aimed at deterring this defendant, not giving the plaintiff a windfall in order to send a message to others who might be tempted to infringe. It's hard to know without having been in the courtroom, but if the record industry lawyers urged the jury to "send a message" to the millions of other American file-sharers out there, they may have crossed the constitutional line.
For more on the details of these constitutional doctrines, I recommend a recent article by Prof. Pamela Samuelson & Tara Wheatland, Statutory Damages in Copyright Law: A Remedy in Need of Reform (full disclosure: Prof. Samuelson is a member of EFF's board of directors). For those who want a shorter summary of the debate in podcast form, I recommend Prof. Douglas Lichtman's IP Colloquium episode entitled Statutory Damages and the Tenenbaum Litigation. While I disagree with some of Prof. Lichtman's conclusions, his guests do a wonderful job summarizing the relevant cases and concepts.
I assume these arguments will first be submitted to the trial judge in post-trial motions. After all, this judge has already indicated that he found the previous $220,000 award to be "unprecedented and oppressive."
Hear, Hear: New York Times Editorial Board Calls for Repeal of FISA Amendments Act
Deeplink by Kevin Bankston
Responding to repeated reports that the National Security Agency's surveillance dragnet is continuing to intercept Americans' purely domestic communications in the millions, the New York Times editorial board is calling on Congress to repeal the deeply-flawed FISA Amendments Act (FAA), which broadly expanded the government's spying powers while immunizing the phone companies that illegally cooperated with the NSA program. Here's an excerpt of the editorial, entitled "The Eavesdropping Continues", but we encourage you to visit the Times' site to read the whole thing:
[L]awmakers should be clear about how this happened: last year, 293 members of the House and 69 senators voted for a dangerous and mostly unnecessary expansion of the 1978 Foreign Intelligence Surveillance Act, which protected Americans from unwarranted government spying for 30 years....
Many critics of the legislation, including this page, said that the powers given to the government to eavesdrop were too broad, that the limits placed on them were too vague and that the remedies for error or deliberate violations were too weak.
We do not believe that Mr. Obama is deliberately violating Americans’ rights as Mr. Bush did, and it is to his credit that the government acknowledged part of the problem in April. But this nation’s civil liberties are not predicated on trusting individuals to wield their powers honorably. They are founded on laws.
The 2008 expansion of FISA is a deeply flawed law. Congress needs to repeal it and re-examine, carefully this time, what powers the government really needs to eavesdrop on Americans and what limits and safeguards need to be placed on those powers.
EFF is proud to stand with the Gray Lady in calling for the repeal of the FAA, and hopes that more editorial boards will join in the call. Senate Majority Leader Harry Reid, for one, pledged last year when the FAA passed that the Senate would revisit the issue this Fall as Congress considered whether to renew USA PATRIOT Act provisions that are set to expire. House Speaker Pelosi has also said that FISA may have to be revisited during the PATRIOT debate, and we aim to turn that "may" into a "must".
We have a fighting chance at fixing the NSA spying problem once and for all, this year. But the government won't give up its new power without a fight, and we'll never succeed without your help. So please help get the ball rolling: for all of you Deeplinks readers who've never taken the opportunity to make your voice heard on the NSA spying issue, now is your chance: mail, fax or email a copy of the New York Times' editorial to your representatives in Congress and let them know that you want the NSA's domestic spying to stop!
Google Considering More HTTPS, Other Services to Follow?
Commentary by Richard Esguerra
Earlier this week, privacy and security researchers urged Google to improve the security of Gmail, Google Docs, and Google Calendar by enabling the more secure HTTPS encryption by default. As it stands, all users currently log in to Google services over HTTPS. However, most conduct the remaining bulk of their online business with Google -- reading and sending email, editing spreadsheets, and recording appointments -- over HTTP, an unsecure method that gives unfettered access to attackers interested in looking at your communications.
Google responded promptly to the letter, saying in a blog post that they are planning tests to investigate the performance trade-offs involved with always-on HTTPS for Gmail, and that the additional cost of processing HTTPS connections would not keep them from implementing it across the board. EFF would like to applaud Google's efforts to offer better privacy defaults to its Gmail users, and we also urge them to prioritize these trials in order to expedite the widespread public implementation of always-on HTTPS. Users should come to expect HTTPS from far more online communication services -- from webmail, to social networking, and even web search. With constant improvements in technology and decreasing computing costs, every provider ought to accelerate efforts to support HTTPS for a wider variety of online communication.
In Surveillance Self-Defense, EFF encourages webmail users to always use HTTPS, whether through browser plugins like CustomizeGoogle for Gmail, or by activating an "always use https" setting, if available. But research has shown that many users don't change the default settings given to them in an application or service. A paper on group calendar software reported that around 80% of the users maintained the default access settings for their calendar -- whether the default was extremely permissive or more privacy protective. For something as important as the security of private email communications, it's clear that encryption should be the default. Users should have strong protection right out of the starting gate for webmail and other online applications.


