Judges on both coasts of the U.S. have now rejected one of the copyright trolls' favorite tactics - suing an Internet subscriber for "negligence" when someone else allegedly downloaded a movie illegally. Judge Phyllis Hamilton of the Northern California federal court threw out a negligence suit by a Caribbean holding company against a Californian, Joshua Hatfield. The company, AF Holdings, had alleged that Mr. Hatfield allowed unnamed third parties to use his Internet connection to download a pornographic movie using BitTorrent, infringing copyright. Judge Hamilton ruled that Hatfield was not responsible for the actions of strangers. She joins Judge Kaplan of the Southern District of New York, who reached the same conclusions in another case in July.
The "negligence" strategy had three fatal flaws, according to the court. First, an Internet subscriber like Mr. Hatfield has no legal duty to police his Internet connection to protect copyright owners like AF Holdings. Second, even if AF had a valid "negligence" claim against Mr. Hatfield under state personal injury law, federal copyright law would override it. This is called preemption. And finally, even if copyright law didn't trump a negligence claim, Section 230 of the federal Communications Decency Act probably would.
Copyright owner representatives, from the Recording Industry Association of America and the Motion Picture Association of America to the fleet of troll lawyers filing shakedown suits on behalf of porn studios, don't like the protections that federal law gives to Internet providers and their subscribers who allow others to use their network connections. Though the protections are far from perfect, the laws, including Section 230 of the CDA, Section 512 of the DMCA, and the "secondary liability" principles laid down by the Supreme Court, give Internet providers and their subscribers some peace of mind. Opening your Internet connection to the public is a way of strengthening communities and helping innovation, as we've written in this blog and in court papers. This week's ruling, along with the Tabora ruling in New York, send a strong judicial message that copyright owners can't use legal tricks to bypass the law's protections for Internet access points.
There are still many open cases in the federal courts where copyright owners are trying to use this bogus legal theory. People caught up in these cases should be able to use the Hatfield and Tabora rulings to get these suits dismissed quickly, without high legal fees. They may even be able to get their legal fees paid by the plaintiff, as "copyright negligence" claims move ever closer to being declared a frivolous and harassing misuse of the legal system. If you've been targeted by a copyright troll, visit this page for resources.
Today is the first day of the 14th round of negotiations over the Trans-Pacific Partnership agreement (TPP), a secretive, multi-national trade agreement that threatens to extend restrictive intellectual property (IP) laws across the globe and rewrite international rules on their enforcement. EFF will be at the negotiations this week in Leesburg, Virginia, to speak to delegates and provide them with materials with our analysis of the TPP’s IP provisions and their impact on digital freedom.
To summarize, the problems with this agreement are two-fold: (1) Leaked draft texts of the agreement show that the IP chapter would have extensive negative ramifications for users’ freedom of speech, right to privacy and due process, and hinder peoples' abilities to innovate, and (2) the entire process has shut out multi-stakeholder participation and is shrouded in secrecy. The nine nations currently negotiating the TPP are the US, Australia, Peru, Malaysia, Vietnam, New Zealand, Chile, Singapore, and Brunei Darussalam. However, Canada and Mexico have also been invited to join the negotiations, and it is likely they will do so.
On Sunday, September 5, the Office of the United States Trade Representative (USTR) is hosting two events: the “Direct Stakeholder Engagement” and the “Stakeholder Briefing.” The Stakeholder Briefing is essentially an hour-long forum for registered members of the public to ask questions to country delegates about the TPP. The Direct Stakeholder Engagement, however, has two parts. It constitutes both the tabling that takes place outside of the secret meeting areas, and the presentations to delegates that are designed for members of civil society, the public, and other interest groups to share their concerns with the agreement. The length of the presentations have gone from the already inadequate 15 minutes we were allocated at the last meeting in San Diego, down to a mere 10 minutes (2 more minutes were added after the initial announcement that they would only allow us to speak for 8 minutes each). Carolina Rossini, EFF’s International Intellectual Property Director, will speak to negotiators about how the TPP will create incentives for ISPs to police the Internet, and how that will effect users’ right to free speech, privacy, and innovation.
Based upon what we know from the leaked text, the US and Australia are pushing for IP provisions that go beyond any copyright laws we have seen anywhere in the world. It is the job of civil society organizations like Public Citizen, KEI, Public Knowledge, ONG Derechos Digitales, and many others, to use every opportunity to speak to the country delegates, especially those who represent countries that we know (based upon the most recent TPP leak) are less persuaded by the US’ proposals on copyright, and to convince them of the high risks of agreeing to those restrictive IP policies. Ahead of this round of TPP meetings, we created a joint statement responding to the US and Australia’s proposal on exceptions and limitations and sent it directly to all the negotiating delegates.
Given the limited amount of time we have had to speak directly to the delegates negotiating this agreement, how do we know that we're even making an impact? While there is no way to precisely measure this, we do know that the stakes are high, and it is unquestionable that we must be present.
We're going to the TPP negotiations to tell country delegates how, even in the US, there have been many unintended consequences of copyright law on digital rights, through the likes of the US DMCA. We emphasize that the US has many built-in safeguards through fair use and some positive case law that mitigate against the high barriers to education, access to information, and innovation, that copyright law has constructed through overreaching enforcement. Without those safeguards, other countries will be left to enact very restrictive laws that could be even more harmful to users in those countries. In the case of signatory countries that have not had a great track record of being so transparent and democratic (such as say, Malaysia), these laws could even be abused to justify other restrictions on rights, such as censorship of political or religious speech.
Our role at the TPP negotiations is to take advantage of those rare opportunities to speak to the delegates, and ensure that they are aware of these many threatening consequences of adopting an IP chapter as pushed forward by the US. At the same time, we are continuing to work on spreading as much awareness about this agreement as possible. We will be on the ground during the beginning of the 14th round of TPP negotiations, to do everything in our power to ensure the public voice is noticed and considered during these secretive backdoor meetings to regulate the Internet.
Join EFF and more than 25,000 people in sending a message to Congress members to demand an end to these secret backdoor negotiations:
Specifically, they call attention to its provisions that will impact digital freedoms:
Disciplines related to IPR could impact how people gain access to the Internet and could constrain what people may say online or how they can collaborate and share content. It is imperative that the IPR chapter of the proposed TPP agreement not inappropriately constrain online activity. Poorly-constructed IPR disciplines that erode Internet freedom could impede innovation, economic growth, and speech.
Given the Internet’s increasing role in facilitating American exports of digital goods and services, it is crucial that they do not tip the balance in IP enforcement in a way that will only further restrict Internet freedoms and users' digital rights. The letter concludes with their request that the USTR convey to the American people whether other obligations they are pursuing in the agreement will promote an open and free Internet.
EFF welcomes this Congressional effort in fighting for a democratic and transparent process. The terms of international free trade agreements do not just impact the way in which businesses engage in international commerce; these agreements actually shape many domestic policies. As EFF has reported in the past (check out our infographic), the TPP is a secretive, multi-national trade agreement that threatens to extend restrictive IP laws across the globe and rewrite international rules on IPR enforcement. TPP is a terrible model for a trade agreement for the 21stcentury, and its main problems are two-fold:
(1) IP chapter: Leaked draft texts of the agreement show that the IP chapter would have extensive negative ramifications for users’ freedom of speech, right to privacy and due process, Internet liability, and hinder peoples' abilities to innovate.
(2) Lack of transparency: The entire process has shut out multi-stakeholder participation and is shrouded in secrecy, which has raised concerns on its constitutionality.
Help us call on all Congress members to step-up and join this letter [PDF] to fight back against these backroom dealings to regulate the Internet!
With more people constantly connected to the Internet, technology companies are becoming massive repositories of sensitive and personal information. Our communications with family and friends now sit stored on servers belonging to Google or Facebook. Cell phone companies keep track of our location by recording every time we connect to a cell phone tower for up to two years. Unfortunately, the Fourth Amendment has not kept up with this technological reality. And a recent case decided by the Ninth Circuit Court of Appeals, United States v. Golden Valley Electric Association(PDF), highlights the increasing way constitutional rights are adjudicated when it comes to data stored by other companies: through the service agreement a user enters into with a company.
First, some background. The Supreme Court long ago ruled that users lose their expectation of privacy when they turn information over to third parties. The "third party doctrine" has been used by the government to justify warrantless acquisition of cell site tracking records, Twitter account information, and email. They've argued these records belong to the companies, so a user can't complain when the data is turned over to the government. Ultimately, this means that your constitutional rights are in the hands of the companies storing your data. Given the ever increasing demands of law enforcement, companies have little time or resources to fight for user privacy. That means companies have an enormous amount of power in determining your privacy rights. As we've documented in our "Who Has Your Back" campaign, many of the biggest and most popular tech companies have work to do in fighting for user privacy.
A 2010 case from the Sixth Circuit Court of Appeals highlights how a subscriber agreement that governs the relationship between a company and user can potentially become a black hole where the Fourth Amendment goes to die. In United States v. Warshak, the Sixth Circuit became the first federal appellate court to rule that people had a reasonable expectation of privacy in their emails notwithstanding the fact that email typically passes through a third party, the email service provider. That meant law enforcement needed a search warrant to obtain the contents of emails. But Warshak noted it was "unwilling to hold that a subscriber agreement will never be broad enough to snuff out a reasonable expectation of privacy." So although the email provider in the Warshak case didn't say anything about whether it would "audit, inspect, and monitor" emails, messages stored by a service provider that did say it would monitor email in a subscriber agreement wouldn't necessarily be protected by the Fourth Amendment. In short, the court said companies have the ability to strip you of your Fourth Amendment rights.
As troubling as that seems, the flip side is that presumably faced with silence -- like the Warshak service provider -- or even an affirmative statement by a service provider that it will protect your privacy, a reasonable expectation of privacy could still exist. Or stated differently, a service provider can also give you Fourth Amendment protection if it promises to safeguard your privacy.
The Ninth Circuit addresses this precise issue in Golden Valley. The case revolved around a small cooperative utility provider in Alaska, that received an administrative subpoena issued by the DEA seeking customer records it believed were relevant to a criminal investigation. These records included things like the subscriber's name, telephone number, method of payment (including credit card numbers or checking account information), and service initiation and termination dates.
The most important thing the government sought, however, was energy consumption records. By determining whether energy levels were elevated in specific houses, the agents believed they could pinpoint locations where marijuana was being grown. Addressing a very similar situation in 2001, the Supreme Court in Kyllo v. United States ruled that the police needed a search warrant to use a thermal imaging device to measure heat levels in a residence, since the devices could reveal intimate details about the interior of a home. To get around Kyllo, the government sought to get the records from Golden Valley directly instead of planting a police officer in front of the houses, ultimately avoiding the need to get a search warrant. That's because the records belonged to Golden Valley, and therefore, the government argued, customers had no expectation of privacy in them.
Golden Valley challenged the administrative subpoena, a rare act for a company to take, and raised the argument suggested by Warshak: that since it had a company policy of protecting user privacy, a search warrant was required to obtain this information. The Ninth Circuit, however, rejected Golden Valley's argument, finding that Golden Valley failed to show any explicit customer agreement promising to keep records confidential.
At first blush it may seem that Golden Valley highlights a lose-lose situation for users created by the third party doctrine: providers can take away your Fourth Amendment rights in their service agreements, but in the rare instance when they make an effort to preserve your rights by promising to protect your privacy, it doesn't matter anyway because the "records" (created with your data and activity) aren't yours.
But the Ninth Circuit really left a far more important privacy opening. It noted that in some circumstances, "a company’s guarantee to its customers that it will safeguard the privacy of their records might suffice to justify resisting an administrative subpoena." In the specific case before the court, Golden Valley's policy did not rise to a sufficient level of specificity. But going forward in the future, other companies storing sensitive, personal information need to take advantage of Golden Valley's suggestion that service agreements can be more than just a black hole. They should explicitly detail in their service agreements that they will keep user data confidential and that they will stand up for users' privacy by challenging government attempts to obtain data without a search warrant.
At the same time, courts need to heed the words of Justice Sotomayor's concurring opinion in United States v. Jones, where she wrote it was time to stop treating "secrecy as a prerequisite for privacy," and stop assuming "that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection." That way, the fact that our privacy rights are in the hands of companies means more than they're just gone forever.
The Congressional Research Service (CRS), the research division of Congress known for its objective studies, recently released a report on the effects of patent trolls on innovation and the economy. The study (PDF) presents a pretty thorough analysis of the patent troll problem, but what's striking is its existence at all: Could it be that Congress is really starting to pay attention when it comes to fixing the broken patent system?
Patent trolls are litigious entities that don't usually create new products or come up with new ideas. Instead, they buy up patents and use them offensively. Armed with often overbroad and vague patents, the trolls send out threatening letters to those they argue are infringing. According to the CRS report, "The vast majority of defendants settle because patent litigation is risky, disruptive, and expensive, regardless of the merits; and many [patent trolls] set royalty demands strategically well below litigation costs to make the business decision to settle an obvious one." Businesses lose both time and money, and innovation suffers.
We've known for some time just how much of a problem patent trolls pose. Last summer, This American Life made patent trolls mainstream with an extremely popular episode that covered such trolls' crusades against innvovation. Just recently, members of Congress introduced the SHIELD Act, legislation that would create a fee-shifting system, helping destroy any incentives behind trolls' frivolous lawsuits. And now publication of this CRS report shows that the patent troll problem is still on the minds of those with the power to fix it.
Without a doubt, [patent trolls] both add to and subtract from the incentives of patent law, but the FTC and many experts in the field indicate that they currently do more harm than good to innovation and the patent system. The extent of this imbalance—and whether Congress could or should recalibrate it to 'support the beneficial effects, and lessen the detrimental ones'—remains unclear, however.
These conclusions throughout the report reinforce why, now more than ever, it is important to give your feedback to our Defend Innovation campaign.
Here's the thing: if Congress is truly paying attention, we need to make sure they are getting the full story—and that's where our Defend Innovation project and you come in. Go to the site and check out our proposals. Let us know if you agree with them or if you have something better in mind. Once we've collected your feedback, comments, and stories—and we've had over 13,000 participants so far—we are going to bring them to D.C. and let Congress know exactly who is affected, how the system is flawed, and what they can do to really fix it.
This morning, a bipartisan group of Representatives, led by Rep. Zoe Lofgren (D-Calif.), sent a pointed letter to Attorney General Eric Holder and the Secretary of Homeland Security Janet Napolitano protesting the recent spat of domain name seizures—executed on dubious copyright grounds—that have been censoring websites with no due process.
“Our concern centers on your Department’s methods, and the process given, when seizing the domain names of websites whose actions and content are presumed to be lawful, protected speech,” the letter said, which was also signed by Rep. Jared Polis (D-Colo.) and Rep. Jason Chaffetz (R-Ut.).
The Representatives’ letter focused on the case of former hip hop website Dajaz1. Dajaz1’s domain name had been seized for over a year, despite evidence that the website had lawful material, and that “many of the allegedly infringing links to copyrighted songs, and specifically the links that were the basis of the seizure order, were given to the site’s owner by artists and labels themselves” including Kanye West, Diddy, and a vice president of a major record label.
Adding to the injustice, the government refused to cooperate with Dajaz1’s attorneys for months, and sought numerous extensions of the seizure authority in secret. When the court records were finally released, it showed that the government was waiting on the RIAA to evaluate a "sampling of allegedly infringing content" and respond to other “outstanding questions.” While the RIAA fiddled, Dajaz1 lost the right to speak and the public lost its right to read what was published there.
Finally, after a year, control over dajaz1.com was handed back to the owners with no apology, and no explanation. It is disturbing enough that DHS has been effectively acting as the tax-funded hired gun of the content industry, but, even more horrifying, it censored the wrong targets, for no good reason, for a year.
Dajaz1’s case is far from unique, as we found out earlier this week when a similar situation happened to Rojadirecta.com and Rojadirecta.org, the popular sports streaming sites that were seized—again with no due process—back in February 2011. The sites, which have been in the midst of a court fight to return its domains, had been arguing that linking was not infringing, noting that a Spanish court had already found the sites legal. Yet the government still held onto their domain for 18 months. On Wednesday, they again handed back their domains with no explanation.
Dropping the case was, of course, the right move. The government's copyright arguments were incredibly weak (it’s pretty well-settled that linking is not infringement). Even more troubling, the seizures also captured plenty of legal and protected speech. Indeed, many (including EFF) have been making these arguments for well over a year. The real question is why it took so long.
We also demanded the government should explain why it reversed its position, and provide a clear policy rationale so websites around the world could assess their risk for unexplained and unjustified seizures.
The Representatives want answers to the same questions. At the end of their letter, they ask seven specific questions about DHS’ policy, their rationale, and what procedures they plan on implementing so websites’ rights aren’t trampled on again. You can read the full letter here.
EFF is encouraged that Congress is taking an increased interest in making sure First Amendment protected speech is not censored on the Internet due to draconian copyright policy, and we look forward to the Justice Deparment and Homeland Security’s official response.
Australians are fending off threats to their right to privacy from all directions. First, there was Australian Attorney General Nicola Roxon’s push to expand government online surveillance powers, submitted to Parliament in a package of reforms sought in a National Security Inquiry.
Then, on Aug. 22, the Australian Senate approved the Cybercrime Legislation Amendment Bill 2011, granting authorities the power to require phone and Internet providers to store up to 180 days worth of personal communications data. The purpose is to aid in investigations by both foreign and domestic law enforcement agencies, making it especially controversial since it can result in granting foreign governments access to Australian citizens’ communications data. The legislation only allows for data retention in the cases of specifically targeted individuals.
The bill is based on the Council of Europe Convention on Cybercrime – which we've flagged in the past as one of the world’s worst Internet law treaties – and the passage of the bill opens the door for Australia to join the Convention.
At least we can welcome the news that one of the most controversial aspects of Roxon’s National Security Inquiry proposal, a vague mandatory data retention provision that would have required service providers to retain all users’ communications data for up to two full years, seems to have been placed on hold – for now, anyway.
Yet at the same time, the newly approved Cybercrime Legislation Amendment Bill 2011 is viewed by some in Australia as a kind of “data retention lite,” and a precursor to the mass, untargeted surveillance that the more extreme proposal may yet usher in. An outcome of the approval of this bill, after all, is that providers will now have to install systems enabling data retention for up to 180 days – and pay for it themselves.
Public Fights Back
Despite the steady march toward expanded online snooping powers for law enforcement in the name of “national security,” a hefty pile of submissions landed in Parliamentary chambers last week, reflecting strong public opposition to the proposed reforms. A total of 177 submissions, representing thousands of individuals and organizations, flowed in to the Joint Parliamentary Committee on Intelligence and Security even though the government allowed only a brief timeframe for comment.
Below, we collected some reactions of various Australian stakeholders who drafted lengthy submissions to convey their serious concerns. Civil liberties advocates aren’t the only ones worried about where this is going. The Australian Mobile Telecommunications Association and Communications Alliance, a telecom industry group, also chimed in to express concerns about costly new requirements for telecoms that would come attached to these surveillance measures. Since data retention disproportionately burdens smaller ISPs affected by requiring expensive equipment upgrades, the measure has the potential to hamper innovation by discouraging new startups from entering the market.
Re: Making it a Crime to Refuse to Aid in Decryption
One of the worst ideas contained in the National Security Inquiry package is the creation of a new crime under the Telecommunications (Interception and Access) Act of 1979: Refusing to aid law enforcement in the decryption of communications. That interception law gratned law enforcement agencies, such as the Australian Federal Police (AFP) and the Australian Crime Commission (ACC), the ability to legally intercept communications for the first time. Reactions to the proposal hinged on the threat it poses to Australians’ right to silence.
Senator Scott Ludlam, speaking on behalf of the Australian Green Party, had this to say:
While the integrity of Australianʹs right to silence has been damaged by the anti‐terrorism laws, with regard to other criminal offences it remains intact. This proposal further degrades the right to silence, presumably to pre‐trial investigations and undermines the privilege against self incrimination. … The Committee should oppose this proposal as a serious erosion of the legal and human rights of Australians.
Electronic Frontiers Australia, a digital civil liberties organization (which is not formally affiliated with EFF), pointed out a number of problems with this idea:
EFA is concerned about the possible creation of an offence for failing to assist in the decryption of communications for the following reasons:
it undermines the right of individuals to not cooperate with an investigation
it poses a threat to the independence of journalists and their sources, particularly in circumstances involving whistle-blowing activity related to cases of official corruption
it could undermine the principles of doctor-patient and lawyer-client confidentiality and other trusted relationships
there are foreseeable and entirely legitimate circumstances in which decryption of data is not possible, such as where a password has been forgotten and is unrecoverable.
EFA therefore believes that the Committee should reject this proposal.
Re: Extending the Regulatory Regime to “Ancillary Service Providers”
A discussion paper submitted as part of the National Security Inquiry proposal makes it clear that the Australian government is “considering the need for a new interception regime that better reflects the contemporary communications environment,” i.e. a total overhaul of existing legislation to allow law enforcement to pry into communications taking place over platforms like Facebook or Twitter. The discussion paper defines “ancillary service providers” as “Telecommunications industry participants who are not carriers or carriage service providers.” Ultimately, this suggests the government is angling to bring all forms of online communications into the reach of interception laws.
Telecommunications legislation already goes much further than regulation in most other sectors in mandating a role for private sector businesses as agents of the state in surveillance and law enforcement (banking and finance is the other main area where this has happened). These proposals would see a further significant extension of this role. Online intermediaries in particular host our communications with our friends, relatives, co-workers etc. They host a vast amount of information, the volume and scope of which is growing exponentially as we move to the cloud, use social networks, etc. Using online intermediaries as an agent of the State dramatically impacts on the state's surveillance capabilities. Even minor changes in what they are required to do on behalf of government agencies can have very broad implications for people’s privacy.
Ludlam, of the Australian Greens, also blasted the idea.
The Attorney Generalʹs paper does not explain how covering ʹancillary service providersʹ – the many and ever increasing forms of social media – in legislation will address ʹcurrent potential vulnerabilities in the interception regime that are capable of being manipulated by criminalsʹ. The Greens believe it is excessive to extend the reach of surveillance into the retention of all social media exchanges. Does this include all business exchanges on video conferencing platforms?
And EFA pointed out that this proposal could expose anyone to law enforcement scrutiny, not just people suspected of wrongdoing.
Central to many of the services that Australians deliberately sign-up for— e.g. Facebook, Twitter, Pinterest, Apple iCloud, etc.—is the concept of sharing across networks. In surveilling a target’s activities in such services, shared friends or media objects connect target and non-target individuals such that following one surveillance target inescapably involves collateral surveillance necessarily breaching the privacy of non-targets. …. Indeed, “cloud computing” itself underlies “social networking”. As such, the information flows pertaining to individuals cross and recross such services to the point where, again, separating surveillance of a particular target is almost inevitably going to encounter that of other individuals, but in this case in ways that cannot be anticipated and very deeply undermine Australians’ reasonable expectation of privacy.
For more than a year and a half, the Mexican government has been collecting an unprecedented amount of biometric data from minors ages 4 to 17 as part of a youth ID card program. The Personal Identity Card for minors, a document authorities say is intended to help streamline registration in schools and health facilities, comes embedded with digital records of iris images, fingerprints, a photograph, and a signature for each minor.
Documents obtained by EFF under Mexico’s Transparency and Access to Information Act show that as of this past May, nearly 4 million minors had been enrolled into registries associated with the new ID. Public records also revealed that more than 1.2 million ID cards had been issued in the states of Baja California, Baja California South, Colima, Chiapas, Distrito Federal, Guanajuato, Jalisco, Sinaloa, and Morelos. Of those who were issued cards, 1,345 had to go through the registration process again because the quality of their biometric data was inadequate for identification.
The ID card project is part of the integration of Mexico’s National Population Register (RENAPO), which is intended to provide a unique identity system to conclusively prove identities of all Mexican citizens. Under the program, the Ministry of the Interior will issue Citizen Identity Cards and Personal Identity Cards containing biometric information, first to youth, and later extending to Mexico’s entire adult population.
Since July of 2009, when President Felipe Calderón officially announced the creation of RENAPO, numerous observers have sounded the alarm that the endeavor violates individuals' privacy rights. Despite serious concerns raised by a governmental accountability agency and a special commission tasked with studying the program, in January of 2011 Mexico nevertheless became the first country in the world to use iris scans as a component of ID cards.
Mexico’s Secretary of Government (SEGOB) claims that the use of iris recognition, along with other biometric data, serves to combat crime such as human trafficking and to streamline registration and enrollment procedures in schools and health care programs. In official statements, SEGOB claims that "it is a free, official document containing biometrics that make it impossible to forge.” Although Mexican authorities argue that the new document will be 99 percent reliable and “one of the safest in the world,” security researchers have shown otherwise, recently demonstrating security flaws even in ostensibly trustworthy iris scanners.
In April of 2010, The Federal Institute for Access to Public Information (IFAI), an autonomous organization established by Mexico’s freedom of information law to promote a new regime of government transparency, issued a 91-page report outlining the problems associated with such biometric IDs, putting forward several alternative recommendations. The IFAI concluded that requiring just one fingerprint would yield a 99 percent reliability rate, and that the collection of any additional biometric data is wholly unnecessary. The report was also critical of the fact that there are currently no legal protections regulating the use of iris images in Mexico.
IFAI ultimately recommended that Mexico remove some of the biometric data on the new ID cards by gradually reducing the amount of data required. The report argued that capturing the image of both irises, plus ten fingertips, was not proportional to the stated objective of the program. IFAI further concluded that any biometric ID system should be subjected to periodic third-party verifications of the collection, storage, and use of biometric data. Aside from these concerns, IFAI cited huge costs of the project, a lack of transparency in the bidding process, and the risks the program poses to the right to privacy.
Another important voice of dissent also emerged in April 2010, when a special Commission of the Parliament was created to review the development of the ID card. One of the commission’s first measures, which was later ignored by the government, was to call for temporarily halting the implementation of the ID to encourage further research and to include the perspectives of more stakeholders in the process. Significantly, the commission noted that there were no “necessary measures related to data protection [or] transparency ... This means that until we have all the elements in place, it is terrible that the project continues.”
The Commission also seized upon the risk of duplication, as the original idea behind the program was to use this ID to gradually replace the current electoral card, which is presented for voting.
Vanessa Lara Carmona, a professor from the Autonomous University of Mexico (UAEM) who conducted research in tandem with the Latin American Network of Surveillance, Technology and Society Studies, concluded that the ID card for minors would not solve the problem of human trafficking in Mexico—one of its officially stated purposes.Carmona also noted that criticism of a lack of security around the data was the reason why the national ID was not being initially implemented for the entire population, as originally intended.
Despite this serious criticism, the project is still going forward. According to SEGOB, the government’s goal is to issue almost 4.5 million IDs by the end of the year, continuing the collection of massive amounts of biometric data. The next step of the project, expected to unfold in 2013, is to extend the ID cards to adults.
Meanwhile, researchers and government accountability agencies aren’t the only ones raising concerns about Mexico’s biometric ID card policy. A group from a Mexico-based hacker collective that runs public workshops promoting the use of free software for technological autonomy and activism also weighed in to express concerns about what the ID cards mean for Mexico.
“At Hacklab Autonomo, we think that all people should have the choice of whether or not to participate in a database that describes them,” the collective members wrote in a statement sent to EFF. “We are against the growing tendency in our society to monitor, and the way in which this monitoring classifies and discriminates against others and ourselves. We believe that access to technology should be free and we want people to exercise their technological autonomy. When you start the collection of biometric data with the kids and casual laborers, the Mexican government is taking advantage of the defenseless and people in precarious situations as they strive to achieve their goals. … The question is not only what will the Mexican government do with this information, but also, who will they sell it to this time?”