It can be difficult to understand the intent behind anti-terrorist security rules on travel and at the border. As our board member Bruce Schneier has vividly described, much of it can appear to be merely "security theater"—steps intended to increase the feeling of security, while doing much less to actually achieve it.
This week the U.S. government, without warning or public explanation, introduced a sweeping new device restriction on travelers flying non-stop to the United States from ten airports in eight Muslim-majority countries, and nine airlines from those countries. Passengers on these flights must now pack large electronics (including tablets, cameras, and laptops) into their checked luggage.
Information is still emerging regarding the rationale behind the ban, which went into effect at 3:00 Eastern Time Tuesday morning. The United Kingdom on Monday joined the United States with a similar regulation aimed at a differing set of flights.
These new restrictions on the transport of digital devices have provoked a growing sense of insecurity among personal and business travelers flying between America, the Middle East and Turkey, and rightly so. Travelers to and within the United States were already concerned over reports of increasing levels of warrantless inspection of their devices at the border of the United States. Earlier this month, U.S. Customs and Border Protection revealed that there were more device searches in February alone than were conducted in the whole of the 2015 fiscal year.
One of the few consolations is that these invasive searches take place with your knowledge, during security searches of your body and personal items. As we recently described in our guide to digital searches at the border, and in our brief to the Fourth Circuit Federal Court of Appeals, the U.S. border is not a rights-free zone: searches should be noted, and if known about, can be challenged as unlawful. There is also the small compensation that, if officials do not demand access to your laptop, tablet or phone, you can at least be confident that your digital possessions have not been invasively searched.
Requiring digital devices to be checked as luggage removes those reassurances, and adds new concerns. If someone else has physical access to your device, almost all information security guarantees are off the table. Data can be cloned for later examination. If you encrypt your stored data, you might limit how much direct data can be extracted—but even so, you cannot stop the examiner from installing new spyware or hardware. New software can be installed for later logging or remote control; protections can be disabled or manipulated.
Under these conditions, it's very hard to make any assurances about how safe your personal data can be in transit. Some security researchers have devised exotic ways to reveal physical tampering; others spend their time defeating those systems. But if your device is out of your possession, all bets are off.
This is not to assert that the new regulations are intended to enable these widespread, unaccountable searches. But given the content of the new regulation and the manner in which it was introduced, it's not surprising that rather than improving the confidence of travelers that their life and possessions remain safe and secure, it's led to even more doubt and uncertainty.
Because the United States authorities have provided little transparency into or notice of their decision, we have no idea what protection this regulation is attempting to provide. It is particularly unclear what security benefit limiting the ban to a few airlines and airports achieves. (Even if you believe, as officials within the Trump administration have stated, that some nationalities pose a particular threat, potential terrorists are surely smart enough to fly to an intervening nation which has not imposed the same controls, and take one of the multi-stop flights on which the United States still permits laptops as a carry-on.) At best, it seems like the real threat is so limited that the United States feels it is not worth the cost to inconvenience other travelers. At worst, it adds to the sense that some crossing the border—for instance, citizens of these nations and American visitors to them—should have fewer protections and practical opportunities for legal defense against invasive searches at the border than others.
Security theater or not, improving security at the border includes as a goal ensuring the sense of security and confidence that travelers have that their personal data and devices are safe from unlawful interference. To do that, the United States authorities need to be more transparent in their reasoning, more protective of the highly personal information held on digital devices, and far less arbitrary in their search and treatment of different groups of travelers. A strong, consistent set of legal safeguards governing digital device searches of every traveler—whether they are U.S. citizens, residents, or visitors—would be more secure, and safer for all.
Today, the Supreme Court heard arguments in a case that could allow companies to keep a dead hand of control over their products, even after you buy them. The case, Impression Products v. Lexmark International, is on appeal from the Court of Appeals for the Federal Circuit, who last year affirmed its own precedent allowing patent holders to restrict how consumers can use the products they buy. That decision, and the precedent it relied on, departs from long established legal rules that safeguard consumers and enable innovation.
When you buy something physical—a toaster, a book, or a printer, for example—you expect to be free to use it as you see fit: to adapt it to suit your needs, fix it when it breaks, re-use it, lend it, sell it, or give it away when you’re done with it. Your freedom to do those things is a necessary aspect of your ownership of those objects. If you can’t do them, because the seller or manufacturer has imposed restrictions or limitations on your use of the product, then you don’t really own them. Traditionally, the law safeguards these freedoms by discouraging sellers from imposing certain conditions or restrictions on the sale of goods and property, and limiting the circumstances in which those restrictions may be imposed by contract.
But some companies are relentless in their quest to circumvent and undermine these protections. They want to control what end users of their products can do with the stuff they ostensibly own, by attaching restrictions and conditions on purchasers, locking down their products, and locking you (along with competitors and researchers) out. If they can do that through patent law, rather than ordinary contract, it would mean they could evade legal limits on contracts, and that anyone using a product in violation of those restrictions (whether a consumer or competitor) could face harsh penalties for patent infringement.
Impression Products v. Lexmark International is Lexmark’s latest attempt to prevent purchasers from reusing and refilling its ink cartridges with cheaper ink. If Lexmark can use patent law to accomplish this, it won’t just affect the person or company that buys the cartridge, but also anyone who later acquires or refills it, even if they never agreed to what Lexmark wanted.
The case will turn on how the Supreme Court applies patent law’s “exhaustion doctrine.” As the Court explained in its unanimous Quanta v. LG Electronics decision, the exhaustion doctrine provides that “the initial authorized sale of a patented item terminates all patent rights.” Meaning, a patent holder can’t use patent rights to control what you can do with the product you’ve purchased, because they no longer have patent rights in that particular object. As we explained in a brief submitted along with Public Knowledge, Mozilla, the AARP, and R Street Institute to the Supreme Court, the doctrine protects both purchasers and downstream users of patented products. Without the exhaustion doctrine, patent holders would be free to impose all kinds of limits on what you can do with their products, and could use patent infringement’s severe penalties as the enforcement mechanism. The doctrine also serves patent law’s constitutional purpose—to promote progress and innovation—by ensuring that future innovators have access to, and can research and build on, existing inventions, without seeking permission from the patent holder.
[n]owhere in its deliberations over the DMCA did Congress express an interest in creating liability for the circumvention of technological measures designed to prevent consumers from using consumer goods while leaving copyrightable content of a work unprotected. In fact, Congress added the interoperability provision in part to ensure that the DMCA would not diminish the benefit to consumers of interoperable devices "in the consumer electronics environment."
Having lost on its copyright claims, Lexmark found a warmer welcome at the Federal Circuit, who last year held that so long as the company “restricted” the sale of its product (in this case through a notice placed on the side of the cartridge) Lexmark could get around patent exhaustion, and retain the right to control downstream users’ behavior under patent law.
The Federal Circuit’s ruling in Lexmark seriously undermines the exhaustion doctrine, allowing patent holders to control users’ behavior long after the point of purchase merely by including some form of notice of the restriction at the point of sale. As we’ve said before, this is especially troubling because downstream users and purchasers may be entirely unaware of the patent owner’s restrictions.
The Federal Circuit’s ruling is also significantly out of step with how the majority of the law treats these kinds of restrictions. While sellers can use contract law to bind an original purchaser to mutually agreed-upon terms (with some limits), for hundreds of years courts have disfavored sellers’ attempts to use other laws to control goods after a transfer of ownership. Courts and legal scholars have long acknowledged that such restrictions impair the purchasers’ personal autonomy, interfere with efficient use of property, create confusion in markets, and increase information costs. The Federal Circuit’s ruling is even out of step with copyright law, whose exhaustion principle is codified in the first sale doctrine.
We’re hopeful that the Supreme Court will reverse the Federal Circuit and bring patent law’s exhaustion doctrine back in line.
In a ruling today that will cheer up patent trolls, the Supreme Court said patent owners can lie in wait for years before suing. This will allow trolls to sit around while others independently develop and build technology. The troll can then jump out from under the bridge and demand payment for work it had nothing to do with.
Today’s 7-1 decision arrives in a case called SCA Hygiene v. First Quality Baby Products. This case involves a patent on adult diapers but has a much broader reach. The court considered whether the legal doctrine of “laches” applies in patent cases. Laches is a principle that penalizes a rightsholder who “sleeps on their rights” by waiting a long time to file a lawsuit after learning of a possible infringement. It protects those that would be harmed by the assertion of rights after a lengthy delay. For example, laches would work against a patent owner that saw an infringing product emerge yet waited a decade to sue, after significant investment of time and resources had been put into the product.
The ruling in SCA follows a similar decision in Petrella v. MGM holding that laches is not available as a defense in copyright cases. The Supreme Court has generally rejected “patent exceptionalism” and has often reversed the Federal Circuit for creating special rules for patent law. So today’s decision was not especially surprising. In our view, however, there were compelling historical and policy arguments for retaining a laches defense in patent law.
Together with Public Knowledge, EFF filed an amicus brief at the Supreme Court explaining the many ways that companies accused of patent infringement can be harmed if the patent owner sleeps on its rights. For example, evidence relevant to invalidity can disappear. This is especially true for software and Internet-related patents. In his dissent, Justice Breyer cited our brief and explained:
[T]he passage of time may well harm patent defendants who wish to show a patent invalid by raising defenses of anticipation, obviousness, or insufficiency. These kinds of defenses can depend upon contemporaneous evidence that may be lost over time, and they arise far more frequently in patent cases than any of their counterparts do in copyright cases.
The seven justices in the majority suggested that patent defendants might be able to assert “equitable estoppel” instead of laches. But that would likely require showing that the patent owner somehow encouraged the defendant to infringe. In most cases, especially patent troll cases, the defendant has never even heard of the patent or the patent owner before receiving a demand. This means estoppel is unlikely to be much help. Ultimately, today’s ruling is a victory for trolls who would wait in the shadows for years before using an obscure patent to tax those who do the hard work of bringing products and services to market.
Which ISPs did it before? We don’t know—but they’re doing it as you read this!
It’s no secret that many ISPs think they’re sitting on a gold mine of user data that they want to sell to marketers. What some people don’t realize is that some are already doing it. (Unfortunately they’re getting away with this for now because the FCC’s rules haven’t gone into effect yet.)
According to Ad Age, SAP sells a service called Consumer Insights 365, which “ingests regularly updated data representing as many as 300 cellphone events per day for each of the 20 million to 25 million mobile subscribers.” What type of data does Consumer Insights 365 “ingest?” Again, according to Ad Age, “The service also combines data from telcos with other information, telling businesses whether shoppers are checking out competitor prices… It can tell them the age ranges and genders of people who visited a store location between 10 a.m. and noon, and link location and demographic data with shoppers' web browsing history.” And who is selling SAP their customers’ data? Ad Age says “SAP won't disclose the carriers providing this data.”
In other words, mobile broadband providers are too afraid to tell you, their customers, that they’re selling data about your location, demographics, and browsing history. Maybe that’s because it’s an incredibly creepy thing to do, and these ISPs don’t want to get caught red-handed.
And speaking of getting caught red-handed, that brings us to…
4. Hijacking your searches
Which ISPs did it before? Charter, Cogent, DirecPC, Frontier, Wide Open West (to name a few)
When you entered a search term in your browser’s search box or URL bar, your ISP directed that query to Paxfire instead of to an actual search engine. Paxfire then checked what you were searching for to see if it matched a list of companies that had paid them for more traffic. If your query matched one of these brands (e.g. you had typed in “apple”, “dell”, or “wsj”, to name a few) then Paxfire would send you directly to that company’s website instead of sending you to a search engine and showing you all the search results (which is what you’d normally expect). The company would then presumably give Paxfire some money, and Paxfire would presumably give your ISP some money.
It’s hard to believe we’re still on the subtle end of the creepy spectrum. But things are about to get a whole lot more in-your-face creepy, with…
3. Snooping through your traffic and inserting ads
Which ISPs did it before? AT&T, Charter, CMA
This is the biggest one people are worried about, and with good reason—ISPs have every incentive to snoop through your traffic, record what you’re browsing, and then inject ads into your traffic based on your browsing history.
We don’t think this one requires much explaining for folks to understand just how privacy invasive this is. But if you need a reminder, we’re talking about the company that carries all your Internet traffic examining each packet in detail¹ to build up a profile on you, which they can then use to inject even more ads into your browsing experience. (Or, even worse—they could hire a third-party company like NebuAd or Phorm to do all this for them.) That’s your ISP straight up spying on you to sell ads—and turning the creepiness factor up to eleven.² And speaking of spying, we’d be remiss if we didn’t mention…
2. Pre-installing software on your phone and recording every URL you visit
This is even creepier than number three on our list (watching your traffic and injecting ads), because at least with number three, your ISP can only see your unencrypted traffic. With Carrier IQ, your ISP could also see what encrypted (HTTPS) URLs you visit and record what apps you use.
Simply put, preinstalled software like Carrier IQ gives your ISP a window into everything you do on your phone. While mobile ISPs may have backed down on using Carrier IQ in the past (and the situation led to a class action lawsuit), you can bet that if the FCC’s privacy rules are rolled back there’ll be ISPs eager to start something similar.
But none of these creepy practices holds a candle to the ultimate, creepiest thing ISPs want to do with your traffic, which is…
1. Injecting undetectable, undeletable tracking cookies in all of your HTTP traffic
Which ISPs did it before? AT&T, Verizon
The number one creepiest thing on our list of privacy-invasive practices comes courtesy of Verizon (and AT&T, which quickly killed a similar program after Verizon started getting blowback).
As you can see, there’s a lot at stake in this fight. The FCC privacy rules Congress is trying to kill would limit all of these creepy practices (and even ban some of them outright). So don’t forget to call your senators and representative right now—because if we don’t stop Congress from killing the FCC’s ISP privacy rules now, we may end up with a lot more than five creepy ISP practices in the future.
1. To be absolutely precise, your ISP could track and record all your HTTP traffic, and the domain name you visit for HTTPS websites.
2. We’ve heard some arguments that this is just what Google or Facebook do, but there’s a big difference. You can choose not to use Google or Facebook, and it’s easy to install free tools that block their tracking on other parts of the web. EFF even makes such a tool, called Privacy Badger! But changing ISPs or paying for a VPN is hard (and some people don’t have more than one choice of ISP). For more, see our post on busting three ISP privacy rollback myths.
But there's another multilateral international body that can also lay claim to authority over international intellectual property rules—the World Trade Organization (WTO). When the WTO first covered copyright and patent rules in a dedicated agreement called TRIPS, it was decried by activists as being far too strict. Today, ironically, those same activists (even EFF) often tout TRIPS as a more appropriate baseline standard for global IP rules, in contrast to the stricter (or "TRIPS-plus") rules demanded for inclusion in preferential trade agreements such as the Anti-Counterfeiting Trade Agreement (ACTA) and the Trans-Pacific Partnership (TPP).
For those who believe in linking copyright and trade, the WTO is an obvious candidate to fill the vacuum left by the TPP's recent demise. At the most recent session of the WTO's TRIPS Council on March 1 and 2, Brazil circulated a paper [PDF] titled "Electronic Commerce and Copyright" to address issues around trade in copyright works in the digital age. This document didn't come out of the blue; it draws strongly upon an earlier discussion paper, also addressing the challenges of copyright in the digital environment, that Brazil and others in its GRULAC (Group of Latin American and Caribbean Countries) group introduced at WIPO in 2015.
Brazil's latest paper highlights three issues around electronic commerce and copyright that it believes belong on the WTO's agenda; not as the basis for a binding treaty, but for discussion and informal coordinated action by member states. These are:
Transparency: While copyright holder groups complain that Internet platforms don't pay enough for streaming copyright content (a so-called "value gap"), a big part of the perceived problem is that it's difficult for the creators of that content to know where the money is going. The music industry, in particular, is notorious for the opacity of the payment arrangements between intermediaries and creators such as songwriters and performers. Brazil identifies the need to improve the transparency of these payments, although it doesn't go into detail about how this should be accomplished. When EFF brought musician and entrepreneur Imogen Heap to WIPO, she explained the potential for blockchain technology to provide this much-needed transparency. But rather than invest in exploring this or other transparency initiatives, big media has continued to devote most of its attention to a failing war on piracy.
Balance of rights and obligations: The paper correctly identifies the need to maintain balance between the interests of copyright holders and those of users of copyright works, as technologies change and new ways of using such works emerge. But the paper goes off the rails when it suggests that it may be unlawful under the WTO's three-step test for countries to allow users to bypass DRM on copyright works, on the grounds that DRM is "essential for the normal exploitation of works in e-trade." Although we support the paper's bottom-line conclusion that "WTO Members should unequivocally assert the principle that exceptions and limitations available in physical formats should also be made available in the digital environment," we don't think this precludes rolling back penalties for the circumvention of DRM. On the contrary, circumvention is often the only way for users to gain access to content on the devices of their choice, and is imperative for preservation, archival, and reuse of such content.
Territoriality of copyright: The final issue addressed in Brazil's paper is the most fundamental one: the disconnect between the global nature of the Internet, and the territorial status of national copyright systems. The problem that Brazil identifies is that by using international credit cards, users can gain access to content through overseas content platforms, and thereby circumvent services based in their own home countries, which are subject to that country's copyright rules. It proposes that "Member states should make their best efforts to make their national copyright legislation applicable to trade relations where content is accessed from within their national borders." But if this means blocking or banning users from accessing overseas content services, we have serious concerns. Such measures are entirely unnecessary anyway, as the world already has a common set of copyright rules as standards for global trade—that's exactly what the WTO TRIPS agreement provides. Brazil hasn't made out a case for more.
So far, other WTO members have shown little appetite for the WTO to undertake new work on copyright rules, with the knowledge that such negotiations would be highly contentious. (This is also why Brazil has chosen to describe it as an "electronic commerce" proposal rather than as an "intellectual property" proposal.) However, the promulgation of "soft law" standards on copyright protection under the aegis of the WTO is a more tenable proposition, and Brazil's aim with this paper is to seed that process. That's why it's important to keep a watchful eye even on non-normative documents such as these, to ensure that if the WTO does take any new measures on global copyright rules, users' rights are preserved.
But an interesting new data point about the wisdom of such a policy emerged this week. It has been reported that Immigration and Customs Enforcement (ICE), part of the United States Department of Homeland Security, had seized the domain vicodin.com, named after a common prescription pain medication. The problem? That domain actually belongs to the manufacturer and registered trademark holder for Vicodin. In other words, it seems that the domain should never have been seized.
We've never been fans of ICE's domain name seizures. They have been used to violate free speech rights, without any meaningful opportunity for the owner or users of the domain to be heard before the domain is seized. But at least such seizures are issued under a warrant issued by a United States District Court judge, and there is a mechanism of redress (however slow and inconvenient) when a domain is seized wrongfully. That's what happened to the music blog Dajaz1, whose domain was seized by ICE and kept offline for over a year while the recording industry tried and failed to come up with evidence of copyright infringement. And it's what apparently happened today to vicodin.com.
If responsibility for the seizure of domain names passes to domain name registries or registrars, at the direction of Big Pharma—as the DNA proposes—all bets are off. We can well imagine that if the DNA's proposal is accepted as an industry-wide practice, the number of mistaken domain name seizures will skyrocket, and that its victims will have even less recourse than they have against an ICE seizure.
It's not just pharmacy domains that are at risk. Under a private policy of the registry operator Donuts, an architect of the Healthy Domains Initiative, the Motion Picture Association of America (MPAA) has similar powers as Big Pharma to call for the deletion or transfer of domain names that are alleged to host copyright-infringing material. Although EFF was able to defeat a proposal to make a similar policy into an industry-wide practice, we doubt we'll have heard the last of it.
Domain name regulator ICANN met with its community this week in Copenhagen. Big Pharma and Big Content lobbyists were among those who descended on the gathering, to promote their vision of private Internet content enforcement through the domain name system; a privatized SOPA, if you will. So far, ICANN has resisted accepting any such enforcement role, and rightly so. Today's reminder that even the U.S. government can't get this method of enforcement right should send a further note of caution about this misguided approach.
“Californians cannot afford to go back to the digital dark ages,” groups warn.
EFF and a diverse coalition of advocacy groups sent a letter to the California legislature urging elected officials to oppose A.B. 165. This bill would roll back privacy protections for students and teachers by exempting California public schools from the prohibition on warrantless digital searches lawmakers enacted two years ago.
The letter calls for the legislature to protect the legal rights of the 6 million Californians who study and work in public schools. Signers included Transgender Law Center, Courage Campaign, Council on American-Islamic Relations, Health Connected, California Latinas for Reproductive Justice, the American Library Association, and many others.
This attempt to strip away privacy protections comes during a tumultuous political moment in American history, where many political activists, immigrant families, and LGBTQ Americans are rightly fearful of federal policies that endanger their safety, privacy, and other civil liberties. The coalition letter called out these concerns specifically:
"Students or staff from Muslim or immigrant communities are rightly concerned that they or their family members and friends would be at risk if their digital information were wrongfully obtained and misused. Half of California students have at least one immigrant parent – and more than half of these parents are not citizens. Members of the school community may fear reprisal for participating in online or real-world social or political activism that their school’s administration may not support. LGBTQ students or staff may have concerns about their personal and professional relationships and even their safety. And youth who live in poverty, for whom their cell phone may be their primary or only means of accessing the Internet and thus seeking information about health, sexuality, or other sensitive topics, are vulnerable to even greater exposure of their personal lives than other students with greater access to technology in the home."
Last year, EFF, along with our partner organizations, launched Reclaim Invention, a campaign to encourage universities across the country to commit to adopting patent policies that advance the public good. Reclaim Invention asks universities to focus on bringing their inventions to the public, rather than selling or licensing them to patent assertion entities whose sole business model is threatening other innovators with patent lawsuits.
Now, thanks to Maryland State Delegate Jeff Waldstreicher, the project is taking a step forward. In February, Delegate Waldstreicher introduced H.B. 1357, a bill modeled on Reclaim Invention’s draft legislation, the Reclaim Invention Act.
Like the Reclaim Invention Act, H.B. 1357 would require Maryland state universities to adopt policies for technology transfer that commit them to managing their patent portfolio in the public interest, and outlines what that policy should include. The bill would also void any agreement by the university to license or transfer a patent to a patent assertion entity (or patent troll).
At a hearing earlier this month, the Maryland Assembly’s House Appropriations Committee heard testimony in support of the bill from Delegate Waldstreicher, Knowledge Ecology International (KEI)’s James Love, and data scientist Adam Kreisberg. As KEI’s James Love explained, the bill would allow universities to continue to license or assign patent rights to companies, but would prohibit them from assigning patents “to organizations who are just suing people for infringement.” According to Love, when it comes to public universities, “you don’t want public sector patents to be used in a way that's a weapon against the public.”
[r]esearch has shown that university patents, including those produced by public universities, can end up in the hands of NPRs. For instance, as of 2016, the notorious NPA ‘Intellectual Ventures’ had nearly 500 patents that originated from American universities in its portfolio…including some from the University of Maryland.
If the Maryland legislature passes the bill, Katz states it would “set an example for other states by adopting a framework for academic research that puts public interests front and center.”