Thanks to our clients and friends at CREDO Mobile and the Internet Archive, EFF was able to shine a rare light on national security letters (NSLs) this week. The FBI uses NSLs to force Internet providers and telecommunications companies to turn over the names, addresses, and other records about their customers. NSLs almost always come with a secrecy provision that bars the companies—in violation of the Constitution—from publicly disclosing the requests. Worse still, NSL gags generally last forever and are imposed by the FBI without any mandatory court oversight.
Kafka wrote in his parable The Problem of Our Laws, “It is an extremely painful thing to be ruled by laws that one does not know.”
San Francisco is one of the few places in the United States with significant broadband competition, but many renters are barred from taking advantage of alternatives to large Internet service providers like Comcast and AT&T. Many landlords agree to restrict tenants’ choice of ISP in exchange for kickbacks from the favored provider.
On Tuesday, December 6, the San Francisco Board of Supervisors will discuss (PDF) a proposed ordinance that would require landlords of multi-unit buildings to honor reasonable requests to allow service by any state-accredited ISP a tenant chooses.
Books checked out from a library and terms searched on library computers can reveal a teenager’s questions about sexual orientation, a neighbor’s religious leanings, or a student’s political interests. Libraries across the country, particularly public libraries, make it part of their mission to serve the most vulnerable and underserved user groups, including users who are homeless, unemployed, or recent migrants or refugees. And when government agents come looking, these library users need librarians to have their back.
The World Wide Web Consortium (W3C) has a hard decision to make: a coalition including the world's top research institutions; organizations supporting blind users on three continents; security firms; blockchain startups; browser vendors and user rights groups have asked it not to hand control over web video to some of the biggest companies in the world. For their part, those multinational companies have asked the W3C to hand them a legal weapon they can use to shut down any use of online video they don't like, even lawful fair use.
Is the W3C in the business of protecting the open web and its users, or is it an arms-dealer supplying multinational companies with the materiel they need to rule the web? We're about to find out.
The federal government just got new hacking powers with virtually no debate, including in Congress. But the fight isn’t over.
It’s not too late to debate—or even reverse—the update to federal rules governing search warrants, which now lets investigators use one warrant to search an untold number of computers across the world.
Sirius XM Satellite Radio's recent settlement with ex-members of the 60s rock group The Turtles over royalty payments for old recordings has the potential to solidify the dominant position of big music services like Sirius XM, at the expense of new music services, independent and Web-based radio stations, and the listening public. If approved by the court, the settlement would give Sirius XM permission to stream a vast catalogue of music recordings made before 1972 while other music services and radio stations remain at legal risk.
The Supreme Court issued an important ruling today in the long-running patent battle between Apple and Samsung. The appeal involved some of Apple’s infamous design patents on rounded corners. The Federal Circuit had ruled that Apple was entitled to all of Samsung’s profits from the infringing phones. Samsung appealed, arguing that the law did not require such a steep penalty. As Samsung explained, if the Federal Circuit’s rule were allowed to stand, then a car company sued for infringing a design patent on a cup holder could be liable for the total profits from sales of the car.
A group of investors in AT&T have had it with the phone company’s collaboration with law enforcement through the Hemisphere program, in which the company facilitates police access to trillions of phone records. At the spring shareholder conference, Zevin Asset Management plans to force discussion of contradictions between AT&T’s stated commitment to privacy and civil liberties and the Hemisphere program. One of the chief goals is to demand greater transparency over the highly secretive program.
UPDATE August 29, 2017: Uber has announced a rollback of the post-ride tracking and that it will re-enable iOS users to use the “While Using” location privacy setting. As we explained in the post below, there are many legitimate reasons that a rider would want privacy in their final destination. Indeed, Apple recognized the importance of the “While Using” setting, making it always available in the upcoming iOS 11. Even after iOS 11 drops this fall, by removing the post-ride tracking, Uber’s change will enhance the privacy of those who chose the “Always” setting after the last change. However, EFF recommends that all users manually change their Uber location privacy setting back to While Using after they receive the update.
Enabling two-factor authentication—or 2FA for short—is among the easiest, most powerful steps you can take to protect your online accounts. Often, it’s as simple as a few clicks in your settings. However, different platforms sometimes call 2FA different things, making it hard to find: Facebook calls it “login approvals,” Twitter “login verification,” Bank of America “SafePass,” and Google and others “2-step verification.”
In recent months, U.S. Customs and Border Protection agents have sought access to private data on the cell phones of two journalists. Such incidents are offensive because they threaten the independence of the press and pose specific risks to confidential sources. This government overreach also highlights how weak legal protections at the border for digital devices threaten the privacy of all travelers to and from the U.S., including Americans.
The Internet Governance Forum (IGF) is a multi-stakeholder community that discusses a broad range of Internet issues, and seeks to identify possible shared solutions to current challenges. This year was the first year in which the spotlight fell on the use of trade agreements to make rules for the Internet behind closed doors, and a broad consensus emerged that this needs to change.
For the first few days of the 12 Days of 2FA, we’ll focus on two-factor authentication for email. When you forget or lose your password, services will often email you to confirm your identity and reset it. This makes email the golden key to all of your other online accounts. If your email password is compromised with no second layer of authentication to back it up, an attacker can easily access your other accounts in a domino effect.
EFF, Public Knowledge, and the Center for Democracy and Technology Urge The United States Court of Appeals for the Fourth Circuit to Protect Internet Subscribers in BMG v. Cox.
No one should have to fear losing their Internet connection because of unfounded accusations. But some rights holders want to use copyright law to force your Internet service provider (ISP) to cut off your access whenever they say so, and in a case the Washington Post called “the copyright case that should worry all Internet providers,” they’re hoping the courts will help them.
News Media Alliance’s Call to Weaken Protections Is Dangerous
When copyright law and the First Amendment come into conflict, the First Amendment must win. The fair use doctrine—the idea that there are certain ways that you can use a piece of copyrighted work regardless of whether you have the rightsholder’s permission—was written into copyright law to help ensure that copyright holders’ wishes are never elevated above free speech. As such, it’s been an essential tool for defending a free press: without fair use protections, people and companies in the public eye could use copyright law to ban coverage that’s critical of them. It’s alarming, then, to see an association that represents news companies asking the Trump transition team (and presumably Congress) to change the law and weaken fair use.
For the third day of the 12 Days of 2FA, we’ll look at how to enable two-factor authentication (2FA) on Yahoo. After Yahoo disclosed the largest known data breach in the history of the Internet in September, 500 million compromised users have been advised to change their passwords and update the answers to their security questions. On top of these common-sense steps, 2FA is an easy, powerful defense in the face of large-scale, password-stealing hacks.
Technology company leaders are reportedly meeting with President-elect Donald Trump and members of his transition team tomorrow in New York. Mr. Trump’s relationship with technology companies has been frosty, and his statements during the campaign and recent cabinet picks raise serious concerns about the new administration’s commitment to protecting the digital rights of all Americans and fostering innovation. They also point to the deep need for Mr. Trump and his team to talk to those who represent the users of technologies, not just the companies that build and sell those technologies.
EFF is excited to announce that today we are releasing Privacy Badger 2.0 for Chrome, Firefox, and Opera. Privacy Badger is a browser extension that automatically blocks hidden third-party trackers that would otherwise follow you around the web and spy on your browsing habits. Privacy Badger now has approximately 900,000 daily users and counting.
The last email service we’ll cover in the 12 Days of 2FA is Outlook.com. If we haven’t covered your email service here, check twofactorauth.org’s more extensive list of email platforms that offer two-factor authentication. If you only enable 2FA for one account, email is a good choice for most users. Email is often a golden key to all of your other online accounts. When you forget or lose your password, services will often email you to confirm your identity and reset it. If your email password is compromised with no second layer of authentication to back it up, an attacker can use it to access your other accounts.
Red en Defensa de los Derechos Digitales (R3D)—the leading Mexican digital rights organization—has released the 2016 ¿Quién defiende mis datos? report, which evaluates how well Mexican telecommunications companies protect their customers’ privacy. R3D’s second annual report examines publicly-available policies from eight of the biggest telecommunications companies: AT&T, Axtel, Izzi, Megacable, Movistar, Telcel, Telmex, and TotalPlay.
When should the government engage in “remote searches” of computers—i.e., government “hacking” to seize, infiltrate and/or search digital devices—and when should it use less invasive investigative methods? Changes to Rule 41 of Federal Rules of Criminal Procedure went into effect on Dec. 1, making it easier than ever for law enforcement to obtain warrants to hack into digital devices but without answering fundamental questions about how to protect individual privacy and security in the face of these sophisticated search techniques. At a time when courts are already struggling to place appropriate limits on law enforcement’s hacking authority, this amendment was a mistake. The changes will have serious consequences for privacy across the board, not just for “bad guys.” They also open the door to “forum shopping” and have effectively allowed an unelected advisory committee—rather than Congress—to expand the government’s hacking capabilities.
Should IP rights be enforced via shadow regulations that aren’t vetted or endorsed by users? According to a just-released report, the U.S. Intellectual Property Enforcement Coordinator (IPEC) thinks they should. We disagree.
We’ve written here about the danger posed by Internet regulation done through private agreements. These agreements, sometimes called codes, standards, or “best practices,” have a tendency to become shadow regulations, which can limit individual freedom. They’re also a way for governments to control the behavior of Internet users, or to favor some users over others by quietly coercing Internet companies to disguise government policy as “voluntary” private agreements.
The Supreme Court has granted certiorari in TC Heartland v. Kraft Foods, a case that effectively asks the court to decide whether patent owners can sue in practically any corner of the country. EFF supported TC Heartland, the petitioner, at the Court of Appeals for the Federal Circuit as well as in asking the Supreme Court to hear the case. The petition to the Supreme Court became necessary after the Federal Circuit issued a disappointing decision that maintained the status quo.
New Law Will Help Preserve Net Neutrality and Privacy at the Local Level
San Francisco EFFers: you did it! Thanks in part to your phone calls and tweets to the Board of Supervisors, the Board unanimously passed an ordinance last night that will address the problem of landlords unfairly restricting their tenants’ choice of Internet service providers.
Under the ordinance, landlords of multi-unit buildings (four units or more) will be required to honor reasonable requests to allow service by any state-accredited ISP a tenant chooses.
For the fifth day of the 12 Days of 2FA, we turn to the world’s largest social media platform: Facebook. Facebook calls its two-factor authentication “Login Approvals,” but the idea is exactly the same: signing in from a new browser will require something you have (like your phone) as well as something you know (your password), giving your account an added layer of protection.
Imagine being convicted for logging into your spouse’s bank account to pay a bill, a roommate’s broadband account after service has gone down, or a sick friend’s Facebook page. In these cases, if you happen to receive an individualized message or popup banner stating that only legitimate account holders are permitted to access the relevant computer systems, the Ninth Circuit has just refused to draw a clear line to remove you from risk. We’re worried about these decisions; password sharing is so common that popular password managers have sharing functions. But we hope that future courts will take to heart the Ninth Circuit’s attempt to limit these cases to their “stark” facts.
One of the biggest protests of 2016 is still underway at the Standing Rock Sioux Reservation in North Dakota, where Water Protectors and their allies are fighting Energy Transfer Partners’ plans to drill beneath contested Treaty land to finish the Dakota Access Pipeline. While the world has been watching law enforcement’s growing use of force to disrupt the protests, EFF has been tracking the effects of its surveillance technologies on water protectors’ communications and movement.
For the sixth day of the 12 Days of 2FA, we turn to Twitter. Twitter calls its two-factor authentication system “Login Verification,” but the idea is exactly the same: signing in from a new browser will require something you have (like your phone) as well as something you know (your password), giving your account an added layer of protection.
As one of the only social media platforms that does not require your real name, Twitter brings up some trade-offs when it comes to enabling 2FA.
Election audits ought to be like an annual checkup, not a visit to the emergency room
After extensive ups and downs, the election recount efforts in Michigan, Wisconsin, and Pennsylvania have concluded. The main lesson: ballot audits should be less exciting and less expensive. Specifically, we need to make audits an ordinary, non-partisan part of every election, done efficiently and quickly, so they are not subject to emergency fundraising and last-minute debates over their legitimacy. The way to do that is clear: make risk-limiting audits part of standard election procedure.
Apple CEO Tim Cook, Alphabet CEO Larry Page, and 10 other technology company leaders trooped to Trump Tower in New York this week, where the President-elect told them they were “amazing” and said, “I’m here to make you folks do well.” He pledged to do “anything we can do to help.” We’re glad to hear it, and we have a few ideas for steps the new administration can take to fulfill that commitment.
On a cloud storage and sharing service like Dropbox, protecting shared files often means working with others. Protecting your account with 2FA gives your documents and files the best security when the people you share them with do the same. For a more comprehensive list of cloud services that support 2FA, check twofactorauth.org.
Today, together with the Thomas Jefferson Center for the Protection of Freedom of Expression, EFF submitted an amicus brief in Lee v. Tam. Our brief discusses an unusual but important question: are registered trademarks government expression? It is important to get the dividing line between government and private speech correct. This is because, while the government doesn’t get to control what you say, it does get to control what it says. As we argue in our brief, categorizing registered trademarks as government expression would threaten speech in many other areas.
Through the combined efforts of EFF and a coalition of public interest groups -- and four million of you who wrote in to the FCC -- we won carefully tailored and essential net neutrality protections in 2015 and defended them in court in 2016. But how will the incoming Trump administration impact net neutrality in 2017? We’ve collected a range of statements on the positions of Trump, his transition team, and those who are likely to guide the new administration on this issue.
There are a lot of political uncertainties around the incoming Trump administration, but the threats to civil liberties are potentially greater than ever. President Obama failed to rein in the surveillance state, and Mr. Trump has nominated cabinet members like Mike Pompeo who are big fans of bulk surveillance. Now, given Mr. Trump’s campaign posture of being a “law and order” candidate who has openly criticized Apple for standing up for strong encryption, tech companies need to be even more vigilant in fighting for their users in the courts.
Where will the incoming Trump administration come down on issues like surveillance, encryption, and cybersecurity? While it is impossible to know the future, we have collected everything we could find about the stated positions of Trump and those likely to be in his administration on these crucial digital privacy issues. If you are aware of any additional statements that we have not included, please email email@example.com with a link to your source material, and we will consider it for inclusion.
No one can know for sure what the incoming Trump administration will do, but President-elect Donald Trump has repeatedly criticized and threatened the media in the United States. In lieu of attempting the impossible and predicting the future, we’ve gathered all of Trump’s stated positions on free speech and freedom of the press. If you are aware of any additional statements that we have not included, please email firstname.lastname@example.org with a link to your source material, and we will consider it for inclusion.
For the last five years, EFF has greeted the holiday season by publishing a list of things we'd like to see happen in the coming year. Sometimes these are actions we'd like to see taken by companies, and sometimes our wishes are aimed at governments, but we also include actions everyday people can take to advance our digital civil liberties. This year has seen a few victories, including the fact that more and more websites are using HTTPS by default and using Let's Encrypt (and our Certbot client for it), but there's always more to do. In 2017, we're narrowing our focus to technology companies and challenging them to step up and protect their users in what's likely to be a difficult year.
Here are some of the things EFF would like to see technology companies do in 2017:
For the ninth day of the 12 Days of 2FA, we’ll look at how to enable two-factor authentication on PayPal. No matter where on the web you are doing your last-minute online holiday shopping, you are likely to run into the option to pay with PayPal.
PayPal calls 2FA and the associated verification codes “Security Keys.” This can be confusing if you think of security keys as hardware 2FA devices like YubiKeys. Regardless of the naming, the idea and execution are the same as other services we have looked at: if signing in requires something you have (like your phone) as well as something you know (your password), then your account has an added layer of protection.
John Deere is at it again, trying to strip customers of the right to open up and repair their own property. In the new License Agreement for John Deere Embedded Software [PDF], customers are forbidden to exercise their repair rights or to even look at the software running the tractor or the signals it generates.
Back in May, we wrote about a draft report by Australia's Productivity Commission on how Australia's copyright and patent laws could be reformed to foster domestic production and innovation. That report is back in the news this week, after it was released in its final form, and a consultation seeking public feedback was opened.
Hoping once again to rewrite copyright law in its own interest, the copyright establishment—specifically music and publishing—is calling on President-elect Donald Trump to support “strong protections for intellectual property rights,” and to push search engines, hosting companies, and domain name registrars and registries to become copyright cops.
For the tenth day of the 12 Days of 2FA, we’ll go over how to set up two-factor authentication for Bank of America online and mobile banking. Due to unique security needs from bank to bank and user to user, banks tend to call 2FA different things, and you’ll run into different protocols for setting it up at different institutions. Some demand a second factor of authentication not necessarily for log-ins but for particularly sensitive or high-value transactions, for example. Check twofactorauth.org’s more comprehensive list of banks, credit unions, and financial institutions, and get in touch with your own to learn more.
Among the ways in which the Electronic Frontier Alliance supports the digital rights movement is amplifying creative grassroots tactics that concerned individuals around the country are using to promote digital civil liberties. By finding ways to demonstrate these principles within their community, even small groups can help shift cultural norms, as well as public policy.
The Free Culture Club, a student organization at California Polytechnic State University in San Luis Obispo, is supporting creativity and access to knowledge by providing a repository of openly licensed intellectual works in a common campus space.
The Consumer Review Fairness Act Is a Win for Free Speech Online, Despite Possible Flaw
President Obama recently signed the Consumer Review Fairness Act of 2016 (H.R. 5111), which passed both houses of Congress unanimously. The bill addresses a dangerous trend: businesses inserting clauses into their form contracts that attempt to limit their customers’ ability to criticize products and services online. We’re pleased to see Congress taking a big step to protect free speech online and rein in abusive form contracts.
Thailand’s National Legislative Assembly voted unanimously last week to pass an amendment to that country’s Computer Crime Act (CCA), delivering a heavy blow to digital rights in Thailand. Instead of offering citizens protection against fraud, data breaches, theft, or other true cybercrimes, the amendments only worsen the ambiguity and potential for abuse that have marred the CCA since it was first enacted in 2007.
The year started with fireworks: John Legere, CEO of T-Mobile, became furious when an explosive EFF investigation revealed that T-Mobile was throttling video content for many of its customers, potentially violating net neutrality rules. Legere released a colorful selfie video demanding to know who EFF was—and our community responded in force, inundating the tech CEO with countless tweets and messages explaining why people worldwide were proud to count themselves as friends of EFF.
A district court judge has issued a disappointing ruling reversing an earlier decision to require an abusive patent litigant to pay an EFF client’s attorney’s fees. Judge Jerome Simandle of the District Court of New Jersey held that, even though the patent was invalid, the relevant law was too uncertain to find the case exceptional and award fees.
This was a great year for adoption of HTTPS encryption for secure connections to websites.
HTTPS is an essential technology for security and privacy on the Web, and we've long been asking sites to turn it on to protect their users from spying (and from censorship and tampering with site content). This year, lots of factors came together to make it happen, including ongoing news about surveillance, advances in Web server capacity, nudges from industry, government, and Web browsers, and the Let's Encrypt certificate authority.