The Vulnerabilities Equities Process in Unaccountable, Secretive, and Nonbinding
A group calling itself the Shadow Brokers recently released powerful surveillance tools publicly on the Web and promises to publish more dangerous tools for the price of one million bitcoin – or to whomever makes the best offer, if they can’t get to a million.1
EFF is pleased to welcome researcher Gennie Gebhart, the newest member of the activism team. Gennie will be working to defend your right to privacy and security online.
Gennie has a Master’s degree in Library and Information Science from the University of Washington. She’s published research on Internet censorship, zero rating, and access to knowledge. While at UW, she co-founded the university’s Open Access Initiative.
I caught up with Gennie to ask her a few questions about her past work and what she’ll be bringing to EFF.
What are you most excited about working on here?
It has always been about gaining control over technology and never about copyright law.
Major TV producers have finally said what they really want from the Federal Communications Commission (FCC) in exchange for breaking up the cable companies' monopoly over set-top boxes. As they continue to push fake copyright arguments that experts in copyright law have roundly refuted, they have now made clear the price they want consumers and independent content creators to pay.
The Rock Against the TPP concert tour continues to gather steam as it makes its way around the country, giving voice to users whose concerns about the Trans-Pacific Partnership are being ignored. This Friday, the event will hit San Francisco, and there's still time for you to claim your free tickets. Hip hop stars Dead Prez and punk legend Jello Biafra are headlining the event, joined by nine other acts in an event that will rock long into the night. EFF will also be there, as well as at a teach-in on the following day, to explain how the secretive deal will impact your digital rights.
Watch some exciting footage from previous events in Seattle and Portland in the video below:
UPDATE (9/8/16): An earlier version of this blog post incorrectly suggested that no authorized audio devices or connectors that used the Lightning port existed prior to yesterday’s announcement. It also implied that the only way to achieve lossless sound quality on an iPhone was through a wired connection, which was also incorrect. We’ve edited the post accordingly.
In a few hours, Senator Wyden will be going on the floor of the Senate to argue against updates to Rule 41 of the Federal Rules of Criminal Procedure.
In a case which threatens to cause turmoil for thousands if not millions of websites, the Court of Justice of the European Union decided today that a website that merely links to material that infringes copyright, can itself be found guilty of copyright infringement, provided only that the operator knew or could reasonably have known that the material was infringing. Worse, they will be presumed to know of this if the links are provided for "the pursuit of financial gain".
Imagine: you're a programmer who loves to code. You're studying at college, but you're also working as a freelance web developer. In what spare time you have, you polish and release your best work under an open source license, for the world to use. Your father has grown sick and may be dying, and so you take a short break to travel back to the country of your birth to visit him.
Let’s Send a Message to the FCC: Consumers, Not Hollywood, Should Drive the Pay TV Market
The FCC is about to make a decision about whether third-party companies can market their own alternatives to the set-top boxes provided by cable companies. Under the proposed rules, instead of using the box from Comcast, you could buy your own from a variety of different manufacturers. It could even have features that Comcast wouldn’t dream of, like letting you sync your favorite shows onto your mobile phone or search across multiple free TV, pay TV, and amateur video sites.
EFF is pleased to announce the addition of Camille Ochoa to the Activism team as Coordinator of Grassroots Advocacy. Camille has already been with EFF on the Operations team for over a year, and has recently worked with the Activism team to call attention to California's flawed gang databases as well as problematic police surveillance. She is now moving to the Activism team full-time to drive forward EFF's Electronic Frontier Alliance.
Edward Snowden’s 2013 release of once-secret documents about U.S. intelligence surveillance of the private communications of Americans and non-U.S. persons focused much-needed attention on the problem of how to control the burgeoning U.S. surveillance-industrial complex.
But while the USA Freedom Act began to limit national security surveillance to some extent—and we hope for more limits given that FISA Section 702 is scheduled to expire in December 2017—it did little to address the underlying problem of excessive executive branch secrecy. We remain largely in the dark about many of the facts of surveillance conducted by the U.S. government and its foreign intelligence community allies.
Last month we submitted comments to Customs and Border Protection (CBP), an agency within the U.S. Department of Homeland Security, opposing its proposal to gather social media handles from foreign visitors from Visa Waiver Program (VWP) countries. CBP recently provided its preliminary responses (“Supporting Statement”) to several of our arguments (CBP also extended the comment deadline to September 30). But CBP has not adequately addressed the points we made.
The Texas Department of Criminal Justice (TDCJ) sent shockwaves through the prisoner rights community in April when it announced a new policy forbidding inmates from participating in social media. The memo, distributed in English and Spanish within prisons, read:
[O]ffenders are prohibited from maintaining active social media accounts for the purposes of soliciting, updating, or engaging others, through a third party or otherwise.
In December 2014, the FBI received a tip from a foreign law enforcement agency that a Tor Hidden Service site called “Playpen” was hosting child pornography. That tip would ultimately lead to the largest known hacking operation in U.S. law enforcement history.
The Playpen investigation—driven by the FBI’s hacking campaign—resulted in hundreds of criminal prosecutions that are currently working their way through the federal courts. The issues in these cases are technical and the alleged crimes are distasteful. As a result, relatively little attention has been paid to the significant legal questions these cases raise.
If you have the power to censor other people’s speech, special interests will try to co-opt that power for their own purposes. That’s a lesson the Motion Picture Association of America is learning this year. And it’s one that Internet intermediaries, and the special interests who want to regulate them, need to keep in mind.
MPAA, which represents six major movie studios, also runs the private entity that assigns movie ratings in the U.S. While it’s a voluntary system with no formal connection to government, MPAA’s “Classification and Ratings Administration” wields remarkable power. That’s because most movie theaters, along with retail giants like Wal-Mart and Target, won’t show or sell feature films that lack an MPAA rating. And a rating of “R” or “NC-17” can drastically limit the audiences who are allowed to view or buy a movie.
Facebook’s recent censorship of the iconic AP photograph of nine year-old Kim Phúc fleeing naked from a napalm bombing, has once again brought the issue of commercial content moderation to the fore. Although Facebook has since apologized for taking the photo down from the page of Norwegian publication Aftenposten, the social media giant continues to defend the policy that allowed the takedown to happen in the first place.
After successfully defending MuckRock’s First Amendment right to host public records on its website earlier this summer, EFF filed documents in court on Monday seeking to end the last lawsuit brought against it in Seattle.
The lawsuit was one of three filed by companies against MuckRock, one of its users, and the city of Seattle after the user filed a public records request in April seeking information about the city’s smart utility meter program, including documentation of the technology’s security.
Baycloud Systems has become the latest company to join the EFF’s Do Not Track (DNT) coalition, which opposes the tracking of users without their consent. Baycloud designs systems to help companies and users monitor and manage tracking cookies. Based in the UK, it provides thousands of sites across Europe with tools for compliance with European Union (EU) data protection laws.
From cell-site simulators in New York to facial recognition devices in San Diego, law enforcement surveillance technologies are spreading across the country like an infectious disease. It’s almost epidemiological: one police department will adopt a new, invasive tool, and then the next and the next, often with little or no opportunity for the citizens to weigh in on what’s needed or appropriate for their communities. Sometimes even elected officials and judges have no idea how technologies are being used by the police under their supervision.
It’s an old legal adage: bad facts make bad law. And the bad facts present in the Playpen prosecutions—the alleged possession and distribution of child porn, coupled with technology unfamiliar to many judges—have resulted in a number of troubling decisions concerning the Fourth Amendment’s protections in the digital age.
The World Wide Web Consortium has embarked upon an ill-advised project to standardize Digital Rights Management (DRM) for video at the behest of companies like Netflix; in so doing, they are, for the first time, making a standard whose implementations will be covered under anti-circumvention laws like Section 1201 of the DMCA, which makes it a potential felony to reveal defects in products without the manufacturer's permission.
This is especially worrisome because the W3C's aspiration for the new version of HTML is that it will replace apps as the user-interface for the Internet of Things, making all sorts of potentially compromising (and even lethal) bugs difficult to report without serious legal liability.
Law Enforcement, Courts Need to Better Understand IP Addresses, Stop Misuse
If police raided a home based only on an anonymous phone call claiming residents broke the law, it would be clearly unconstitutional.
Yet EFF has found that police and courts are regularly conducting and approving raids based on the similar type of unreliable digital evidence: Internet Protocol (IP) address information.
The Consumer Review Fairness Act Is a Noble Bill but Could Leave the Door Open for Copyright Abuse
In August, an entity calling itself the “Shadow Brokers” took the security world by surprise by publishing what appears to be a portion of the NSA’s hacking toolset. Government investigators now believe that the Shadow Brokers stole the cache of powerful NSA network exploitation tools from a computer located outside of the NSA’s network where they had been left accidentally, according to Reuters. A new detail, published for the first time in yesterday’s Reuters report, is that the NSA learned about the accidental exposure at or near the time it happened.
The warrant the FBI used in the Playpen investigation—which resulted in the delivery of malware to over a thousand computers, located around the world—violated Rule 41, an important rule of federal criminal procedure. Although Rule 41 may seem obscure, it plays a vital role in limiting when federal law enforcement agencies can conduct lawful searches and seizures.
President and CEO
1501 Page Mill Road
Palo Alto, CA 94304
September 26, 2016
Dear Mr. Weisler,
It often feels like everyone inside and outside the government agrees that over-classification of government records is a major problem. Yet a series of Freedom of Information Act requests by EFF has found that even when Congress allowed agencies to offer cash rewards to government employees to be less secretive, nobody has been collecting the money.
Once again, major record labels are asking a court to give them power over the Internet’s basic infrastructure. This is the very power that Congress has refused to give them, and the very power they have proven unable and unwilling to use responsibly. This time, their alleged target is the website Youtube-MP3.org, a site that extracts the audio tracks from YouTube videos and allows users to download them.
The European Court of Justice (ECJ) recently announced its decision in Sony v McFadden with important consequences for open wireless in the European Union. The court held that providers of open wifi are not liable for copyright violations committed by others, but can be ordered to prevent further infringements by restricting access to registered users with passwords.
The Office of the United States Trade Representative (USTR) has failed the American public. Let's count the ways.
Do you get creeped out when an ad eerily related to your recent Internet activity seems to follow you around the web? Do you ever wonder why you sometimes see a green lock with “https” in your address bar, and other times just plain “http”? EFF’s team of technologists and computer scientists can help. We engineer solutions to these problems of sneaky tracking, inconsistent encryption, and more. Our projects are released under free and open source licenses like the GNU General Public License or Creative Commons licenses, and we make them freely available to as many users as possible. Where users face threats to their free expression, privacy, and security online, EFF’s technology projects are there to defend them.
Many users rely on cloud-based machine learning and data collection for everything from tagging photos of friends online to remembering shopping preferences. Although this can be useful and convenient, it can also be a user privacy disaster. With new machine learning features in its latest phone and desktop operating system releases, Apple is exploring ways to provide these kinds of services and collect related user data with more regard for privacy. Two of these features—on-device facial recognition and differential privacy—deserve a closer look from a privacy perspective. While we applaud these steps, it's hard to know how effective they are without more information from Apple about their implementation and methods.
For more than a year, EFF has been investigating how police in California misuse the state’s law enforcement database with little oversight from officials. An investigation published by the Associated Press today shows that abuse of law enforcement systems is a nationwide problem.
The AP’s investigation analyzed records from all 50 states and three dozen of the country’s largest cities. The reporters found that officers have routinely used law enforcement and driver databases to stalk ex-partners, dig up dirt on their neighbors, and even spy on celebrities and journalists.
Should the government be able to get a warrant to search a potentially unlimited number of computers belonging to unknown people located anywhere in the world? That’s the question posed by the Playpen case, involving the FBI’s use of malware against over a thousand visitors to a site hosting child pornography. The prosecutions resulting from this mass hacking operation are unprecedented in many ways, but the scope of the single warrant that purportedly authorized the FBI’s actions represents perhaps the biggest departure from traditional criminal procedure.
The Need for Particularity
More in this series:
Over the last few weeks, a broad coalition of civil liberties and social justice organizations rained down letters, tweets, and op-eds on Gov. Jerry Brown, urging him to sign A.B. 2298, a bill to begin the process of overhauling the state's CalGang gang affiliation database.
On Wednesday, it all paid off.
Gov. Brown signed the legislation, creating a requirement that law enforcement inform a person before they add them to a shared gang database such as CalGang. The new law also gives the person the opportunity to challenge their inclusion in a gang database in court. Starting in January 2018, law enforcement agencies will be required to produce detailed transparency reports on each of their shared gang databases.
This week, EFF has been at the World Trade Organization (WTO)'s annual Public Forum. Best known to the general public as the locus of anti-globalization protests at its 1999 Ministerial Conference, it's ironic that the WTO is today the most open and transparent of trade negotiation bodies—an honor it holds mainly because of how closed and opaque the trade negotiations conducted outside the WTO are, such as the Trans-Pacific Partnership (TPP), or on its margins, the Trade in Services Agreement (TISA).
When a new law threatens to stifle online speech, to limit our use of the Internet, or allow others to control our digital devices, we can push back in a variety of ways—participating in formal consultations, calling or petitioning our representatives, exposing the proposal through the media, and bringing a legal challenge if the law passes, and so on. When individual companies threaten our rights, we also have options, ranging from boycotting that company, to "shaming" it into changing its practices, or if nothing else works, bringing a lawsuit or invoking regulatory action.
On October 11, 2016, the U.S. Supreme Court is scheduled to hear oral arguments in the long-running Apple-Samsung litigation. The issue is whether Apple, by virtue of having its design patents infringed by Samsung, is entitled to all of Samsung’s profits made from the infringing phones (regardless of how much that design contributed to the value of the phone).
Yesterday we exposed the dangers of Shadow Regulation; the secretive web of backroom agreements between companies that seeks to control our behavior online, often driven by governments as a shortcut and less accountable alternative to regulation.
Today we are proposing a set of criteria, summarized in the infographic below, which turns this critical account of private agreements gone wrong, into a positive agenda for how they could be done better. EFF co-founder John Perry Barlow wrote: