EFF in the News
This settles a long-running ambiguity in how US law should handle search warrants when data is increasingly scattered in storage centers around the world. And it could represent a new privacy assurance for foreigners under investigation by American authorities and even for Americans whose data ends up in foreign data centers. “This is a big win for privacy,” says Nate Cardozo, an attorney with the Electronic Frontier Foundation. “It circumscribes the US government’s power abroad. It reiterates the rule that US law doesn’t apply outside the US …[And] it keeps foreigners’ data secure from the US government, which has shown again and again that it’s willing to overstep reasonable bounds on its power.”
Jamie Williams, a legal fellow and lawyer for the Electronic Frontier Foundation, says the CFAA needs to be amended to clarify what is and isn't a crime, so "prosecutors do not have broad discretion to just go after whatever violation they choose to at any particular point in time for any given reason."
She says the EFF has been arguing for CFAA reform ever since the Aaron Swartz case. Swartz was a computer prodigy and activist who faced charges of computer fraud and possibly years in federal prison because he downloaded millions of pages of academic articles. Swartz supporters, including Harvard Law professor Lawrence Lessig, say the Justice Department had taken this out of hand. Swartz hanged himself in 2013.
Williams says overly broad interpretations of the statute will become more and more relevant as more of our thermostats and other household devices are connected to the cloud. Those are also "protected" devices under the CFAA, and she says sharing those passwords could also be seen as violations of the terms of service and thus the CFAA. The tech companies agree, and so does the dissenting judge.
One big red flag to watch out for in situations like this is to compare a downloaded app’s list of permissions to the list of permissions required by the authorized version, advises Noah Swartz of the Electronic Frontier Foundation.
“The way that you can tell if it’s malware is if it requests more permissions than the app says it does,” he explained to Consumerist. “So you can go check in the Play Store and see what permissions Pokémon Go app would normally request, and then you can see what the app on your phone requests.”
In the case of the recent fake Pokémon Go app that was being circulated, for example, the permissions it was requesting should’ve made it somewhat easy to spot: while the real version of the app only wants location data and the ability to say things to your phone, the malware version wanted access to users’ contacts, a full data connection — basically, “it wanted all of these things that the normal one didn’t,” Swartz notes.
But Aaron Mackey, a legal fellow at the Electronic Frontier Foundation, a U.S. group promoting civil rights in the digital world, said he believed the lawsuit would fail.
He said the plaintiffs would have to prove that Facebook was "actively participating" in terrorist attacks. He also said the Communications Decency Act provides a "broad shield" of protection for online platforms like Facebook.
"What they are really asking for is for Facebook to not provide service to certain individuals or to certain parts of the world because they're afraid of the speech that might result," he said. Any attempt to impose broad filters on expression would "sweep up a whole lot of legitimate speech" as well, he said.
Aaron Mackey, a legal fellow at the Electronic Frontier Foundation, says such lawsuits that blame websites for the actions of their users threaten to curtail access to platforms in Middle Eastern countries where users rely on social media to bypass censorship. New social media rules that are too strict in filtering terms related to hate speech, Mackey says, could also strike down “robust political debate” about topics like the Middle East even if the content does not seek to incite violence.
“That would be a net loss for journalists, bloggers, academics and normal Americans chatting online,” he says. “It would also disempower people in countries who rely on social media for news and debate.”
That approach has drawn criticism. Mixing “secret” and regular messages is not secure by definition, said Nate Cardozo, a staff attorney at the Electronic Frontier Foundation. “It’s too easy to mess up. It’s too easy to send a message believing that it’s secure, but accidentally send it in the insecure mode.”
Shahid Buttar, director of grassroots advocacy for the San Francisco-based digital rights group Electronic Frontier Foundation, said while his organization advocates for public viewing of body camera footage, the issue becomes tricky when it comes to these sensitive police interactions.
"This is one of the problems with police body cameras," he said. "These are private conversations."
"Police officers are already using mobile tools to collect other biometrics like fingerprints and face recognition when they detain people on the street, and there have been cases where officers have collected DNA on the street as well — even from kids they have detained," said Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation.
The whole thing is financed by advertising. Each kiosk's twin 55-inch displays will carry targeted ads based on an audience profile algorithmically derived from the information the kiosks collect from their users. But as the old internet saw goes: If you're not paying for the product, you are the product. And that should give New Yorkers pause, says Lee Tien, a lawyer with the Electronic Frontier Foundation.
"If CityBridge is using a business model that is not charging, and they are spending a bunch of money putting these things in, they are going to be monetizing the data hard," Tien says. "That means that they are always thinking about how to collect your data and how to profit off of it."
Lee Tien, senior staff attorney at the Electronic Frontier Foundation, was on the technical advisory committee that led to the pay-by-mile pilot program. His victory was ensuring volunteers could "pay" without being tracked.
"You can do odometer readings," he says. "We wouldn't object to that. There are ways you can design the system to collect money from people without invading privacy."
Asked if there is a way that the state could do GPS tracking with the promise that data would otherwise be kept private, Tien responds: "The problem is if an entity would do that and make that promise, the FBI and courts could also order them to preserve that data or hand it over as soon as they get it. Giving it to the government and trusting them doesn't work."