For more than a year, the W3C Tracking Protection Working Group (TPWG) has been hard at work developing a standard called Do Not Track (DNT) to provide users with a simple way to opt out of increasingly pervasive and invisible tracking on the web.
As part of the working draft of the Do Not Track specification, advertisers and other third parties are generally NOT supposed to collect data about users who have DNT turned on. However, certain exceptions are granted where small amounts of data can be kept for narrow purposes such as being able to comply with certain types of legal audits. Members of the working group who are focused on crafting a fair standard work to identify and define the scope of these exceptions. Yet during the W3C meeting, Rachel Thomas – VP of Government Affairs for the Direct Marketing Association – proposed that a sweeping exception be added for “marketing”:
Marketing fuels the world. It is as American as apple pie and delivers relevant advertising to consumers about products they will be interested at a time they are interested. DNT should permit it as one of the most important values of civil society.
Thomas’s proposal was lambasted by Roy Fielding -- a working group member who recently made a controversial change to the Apache web server in response to Microsoft's announcement about how DNT would be implemented in the IE10 setup process:
[…] raising issues that you know quite well will not be adopted is not an effective way to contribute to this process. […] It is not a permitted use because it is the collection of data for the sake of targeted marketing that the user is specifically trying to turn off.
While many industry members of the Working Group who represent publishers and ad networks are more reasonable than Thomas' comment indicates, episodes like this unfortunately seem to be becoming more frequent, and do not serve to move the process forward.
The Importance of a Meaningful Standard
In light of these tactics, the Tracking Protection Working Group must take a hard line. It would be ideal if a standard emerged that was both palatable enough to be adopted widely by industry, and favorable enough to be a significant change from the pervasive tracking taking place right now. Short of that (and setting aside a weak and unadopted standard), the choices are between a fair standard that somewhat protects user privacy, and a weak standard that does almost nothing for privacy yet is adopted by companies.
Of these two options, a fair standard that meets minimum privacy requirements is necessary for the credibility of the process and the outcome—even if it is not widely adopted right away or in the near future. To be clear, we are NOT suggesting a position that all data collected from DNT users ought to be immediately and perfectly anonymized. Real-world considerations like security do justify allowing some identifiable user data to be kept in a limited fashion. However, there must be a minimum standard met so that we can be assured that companies adhering to the standard are actually making meaningful changes to the way that they collect, process, and store data.
The current draft of the DNT specification simply does not provide users with a minimum bar of protection.
Adopting a standard that fails to meet a minimum privacy bar would be disastrous for DNT. Doing this would legitimize intrusive tracking by ad networks and mislead the public about ongoing data collection practices. The Working Group should be extremely focused on the question of ensuring that a meaningful minimum privacy bar is met, despite the recent hullabaloo which distracts from the hard work of serious members of the group.
EFF welcomes a strong voice in the fight against data retention mandates: on Wednesday, a group of Slovak MPs filed a complaint challenging the constitutionality of Slovakia's mandatory data retention law. The law compels telcos and ISPs to monitor the communications of all citizens, including those not suspected or convicted of any crime, in case law enforcement officials demand them for any reason.
The complaint also requests that, if necessary, the court should challenge the validity of the larger European data retention directive before the Court of Justice of the European Union. The Data Retention Directive, adopted in 2006, forces Member States of the European Union to adopt laws that would compel ISPs and telecommunications service providers operating in Europe to collect and retain a subscriber's incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of 6 months to 2 years.
The European Information Society Institute (EISi), the Slovak research center which authored the complaint, has championed this battle for the last two years. In a statement, Martin Husovec, the lawyer of the EISi says,
After the General Prosecutor's Office twice rejected our request to file this complaint before the Slovak Constitutional Court, we had no other option than to prepare the template submission before the Constitutional Court ourselves and address the MPs. The liberal MP, Martin Poliačik, took a lead and persuaded other MPs. After two years of our hard work, we now have the case before the Constitutional Court.
A mass untargeted collection of communications records of ordinary, non-suspected people cannot be tolerated where freedom is valued. Data retention mandates are a threat to privacy and anonymity, and have been proven to violate the privacy rights of millions of Europeans. And some courts in Europe have already agreed.
The Czech Constitutional Court declared in March 2011 that the Czech mandatory data retention law was unconstitutional. Earlier, in January 2012, the same Court dealt another blow to data retention by annulling part of the Criminal Procedure Code, which would have enabled law enforcement access to data stored voluntarily by operators. Most importantly, the Czech Court used compelling language in articulating the importance of the protection of traffic data. The Court stated that the collection of traffic data and communication data warranted identical legal safeguards since both have the same "intensity of interference". However, a new data retention bill seeks to find its way back into the Czech legal framework, and is waiting for the President's signature.
In March 2010, a German Court declared unconstitutional the German mandatory data retention law. The Court ordered the deletion of the collected data and affirmed that data retention could "cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one's basic rights in many areas." The lawsuit was brought by 34,000 citizens through the initiative of AK Vorrat, the German working group against data retention.
In Ireland, the Court has referred to the European Court of Justice the case challenging the legality of the overall data retention directive, thanks to a complaint brought by Digital Rights Ireland. The Irish Court acknowledged the importance of defining "the legitimate legal limits of surveillance techniques used by governments," and rightly emphasized that "without sufficient legal safeguards the potential for abuse and unwarranted invasion of privacy is obvious." Courts in Cyprus and Bulgaria have also declared their mandatory data retention laws unconstitutional.
EFF continues to fight for the repeal of the EU Data Retention Directive and oppose blanket untargeted mass surveillance proposals throughout the world.
Good news! In a decision that is likely to help shape the future of online fair use, a federal court in New York has concluded that digitizing books in order to enhance research and to provide access to print-disabled individuals is lawful.
The case is The Authors Guild, Inc. v. Hathitrust, the lesser-known but faster-moving stepsister to the Authors Guild’s long-running lawsuit against Google for its Google Book Search service. For the past seven years, major university libraries have been collaborating with Google to digitize their collections, with one result being the creation of the HathiTrust Digital Library (HDL). Via the HDL, more than 60 university and research libraries can store, secure, and search their digital collections. Most library patrons aren’t allowed to access the digitized books in their entirety – HDL merely does a keyword search and delivers titles and page numbers as results. This enables users either to find the book at a library or to purchase a copy, but HDL itself doesn’t take the place of book sales for the general public. HDL does allow access to entire books for blind or other print-disabled individuals.
I cannot imagine a definition of fair use that would not encompass the transformative uses made by Defendants’ MDP and would require that I terminate this invaluable contribution to the progress of science and cultivation of the arts that at the same time effectuates the ideals espoused by the [Americans with Disabilities Act].
The judge noted that making copies to facilitate searching (and finding) information was a highly transformative use because "the copies serve an entirely different purpose than the original works . . . the purpose is superior search capabilities rather than actual access to copyrighted material."
But what is perhaps most refreshing is that the court paid close attention to the public interest in the project, recognizing that it actually served the purposes of copyright: to promote the progress of science and the useful arts. Citing a brief filed by EFF and several library associations, the court recognized that the HathiTrust project's efforts helped, rather than hindered, access to creative works. That public benefit, the court said, meant that the HDL supported “the underlying rationale of copyright law.”
Quite so. Judge Baer got it, and he got it right. Hopefully, his reasoning will be adopted and expanded in the related Google Books case.
Despite protests from civil society organizations, but with applause from the entertainment lobby, Canada announced on October 9th that it has officially joined the Trans-Pacific Partnership Agreement negotiations. Canada joins the TPP not as an equal partner in the agreement but as a “second-tier” negotiator, which means it will have far less input into the agreement than the countries currently negotiating. Some Canadian politicians did find some of the conditions imposed by the USA and other countries unpalatable, but nobody offered any real details as to why.
As a second-tier partner, Canada will have to sign onto sections negotiated over 14 rounds of talks, without seeing the text in advance. Canada’s participation in the TPP talks will begin with the 15th round of negotiations, which take place December 3 – 12, 2012 in Auckland, New Zealand.
In joining the TPP negotiations Ed Fast, Minister of International Trade and Minister for the Asia-Pacific Gateway, commented:
“Canada is pleased to be formally joining the TPP negotiations (…) Joining the TPP is good news for hard-working Canadian families. Opening new markets and increasing Canadian exports to fast-growing markets throughout the Asia-Pacific region is a key part of our government’s plan to create jobs, growth and long-term prosperity. We look forward to helping develop a 21st-century agreement that advances Canadian interests.”
The TPP is a trade agreement, under negotiation by 11 countries. Canada’s formal entry into the negotiations follows the completion of domestic consultations within other negotiator countries, which all TPP members are required to undertake before approving new members.
In less than six years, the Harper government in Canada has concluded trade agreements with nine countries: Colombia, Honduras, Jordan, Panama, Peru, and the European Free Trade Association member states of Iceland, Liechtenstein, Norway and Switzerland. Canada has also begun deepening trade and investment ties with the largest markets in the world, including the European Union—through a revival of ACTA, named CETA—as well as India and Japan.
Canadians – and all of us – should be highly attentive to this step. It took Canada more than ten years of contentious debate to pass Bill C-11 into its new copyright law just last June. Yet, as reported by Michael Geist, the copyright lobby that pressured the government into passing this bill, which imposes rules on digital locks and tougher penalties for copyright infringement, is already demanding changes that include rolling back many key provisions of the original bill. For the entertainment lobby, TPP offers the perfect opportunity to push their copyright interests, because the agreement feeds into the aggressive trade agenda of some Canadian politicians.
For instance, regarding Internet intermediaries, the copyright lobby wants Canada to implement measures that would require Internet providers "to take action to prevent recidivists from repeatedly using their services to commit copyright infringement." The plain language demand: a termination system that would cut off Internet access for subscribers accused of infringement. Yes, similar to a 3-strike provision. In an interview with EFF, Michael Geist commented:
“If the TPP were to adopt a three-strikes approach, this would run completely counter to current Canadian law and repeated assurances from the Canadian government that it does not believe such an approach strikes the right balance in copyright. The recent Canadian copyright reforms adopted a notice-and-notice approach—which many believe does a better job of preserving free speech online than the US notice-and-takedown system. Despite consistent pressure from rights holders to add a penalty element to notice-and-notice that could include account termination, the government repeatedly insisted that it had no plans for Internet termination. If the TPP were to impose such an approach, it would undo much of the balance the government tried to strike during the most recent round of reforms.”
The entertainment lobby is also pressuring Canadian officials to undo statutory damages changes from Bill C-11 that created a liability cap of $5,000 for non-commercial infringement. The lobby claims that the non-commercial cap renders statutory damages "ineffective in achieving its goals of full compensation and deterrence in the online environment." It also wants to extend the term of copyright, to provide new powers to Canadian border guards to inspect shipments without court oversight, and to introduce new criminal penalties for copyright and trademark violations.
Canada is internationally known for protecting the rights of its citizens, and for promoting due process under the law. Its joining TPP is a depressing step backwards.
Over 26,000 people have now taken our action alert aimed at US Congressional members. And these latest moves from state representatives show that they are finally hearing our voices. Help us keep the pressure on Congress and get them to demand that this process become democratic and transparent.
Yesterday, EFF filed its latest brief in the Jewel v. NSA case, aiming to stop the government from engaging in mass warrantless collection of emails, phone calls, and customer records of ordinary Americans. The matter is set for hearing on December 14, 2012 in federal court in San Francisco, on the question of whether these Americans will get their day in court.
Once again, the government is arguing that the courts cannot consider whether the government is breaking the law and violating the Constitution, relying on the state secrets doctrine. The government asserts that, even if no further information is revealed in the litigation, a decision itself is too dangerous. But contrary to the government's claims, as EFF's brief explains, Congress has created multiple legal claims that can be raised against illegal government surveillance, even in the context of national security. Moreover, the Foreign Intelligence Surveillance Act (FISA), section 1806(f) overrides the state secret privilege and provides that the court must decide whether government surveillance is "lawfully authorized and conducted."
As the brief explains, if the court were to allow the state secrets claim to prevail, the government will have essentially walled off large portions of illegal government conduct from judicial scrutiny:
The government here seeks to transform the state secrets privilege from a powerful but targeted evidentiary shield into a justiciability sword, preventing the Judiciary from engaging in its constitutional duty. Its goal is to convince this court to close its eyes to a program that impacts every American who uses a phone, email or the Internet.
The government's argument relies on the notion that the warrantless surveillance program — which has been investigated by virtually every major news outlet and extensively discussed in public hearings — somehow remains a secret. To show the court otherwise, EFF also compiled the voluminous evidence demonstrating the breadth of public information about the NSA's mass domestic surveillance program for the court, including:
Whistleblower Mark Klein, who not only presented testimony, but presented the schematics demonstrating the NSA surveillance facilities in the AT&T building on Folsom Street in San Francisco and elsewhere.
A multi-agency Inspector General's Report confirming the existence of multiple surveillance programs beyond those aspects admitted by the President in 2006 and labeled the "Terrorist Surveillance Program."
Admissions by Administration officials in Congressional testimony and the press.
Admissions by members of Congress who had been "read into" the programs.
Sadly, yesterday the Supreme Court also decided not to review EFF's case against AT&T, Hepting v. AT&T, for the same spying program. The Supreme Court let stand a 9th Circuit decision that upheld the so-called "retroactive immunity" for the telecommunications companies, which passed Congress in 2008, two years after EFF filed suit against the telecom companies. We're disappointed in the Supreme Court's decision, since it lets the telecommunications companies off the hook for betraying their customers' trust and violating the law by handing their communications and communications records to the NSA without a warrant.
But the fight to stop the illegal spying on the American people continues.
The Department of Homeland Security’s 70 counterterrorism "fusion centers" produce "predominantly useless information," "a bunch of crap," while "running afoul of departmental guidelines meant to guard against civil liberties" and are "possibly in violation of the Privacy Act."
These may sound like the words of EFF, but in fact, these conclusions come from a new report issued by a US Senate committee. At the cost of up to $1.4 billion, these fusion centers are supposed to facilitate local law enforcement sharing of valuable counterterrorism information to DHS, but according to the report, they do almost everything but.
DHS described its fusion centers as "one of the centerpieces of [its] counterterrorism strategy" and its database was supposed to be a central repository of known or "appropriately suspected" terrorists. In theory, local law enforcement officers, in conjunction with DHS officials, conduct surveillance and write up a report—known as a Homeland Intelligence Report (HIR)—for DHS to review. If credible, DHS would then spread the information to the larger intelligence community.
Yet, the Senate report found the fusion centers failed to uncover a single terrorist threat. Instead, like so many post-9/11 surveillance laws passed under the vague guise of “national security,” the system was overwhelmingly used for ordinary criminal investigations, while at the same time facilitating an egregious amount of violations of innocent Americans’ rights.
An entire section of the Senate report is dedicated to Privacy Act violations and the collection of information completely unrelated to any criminal or terrorist activity in the HIRs. In one instance, a DHS intelligence officer filed a draft report about a US citizen who appeared at a Muslim organization to deliver a day-long motivational talk and a lecture on positive parenting. In another, one intelligence officer decided to report on two men who were fishing at the US-Mexican border. A reviewer commented, “I…think that this should never have been nominated for production, nor passed through three reviews.” A report was even initiated on a motorcycle group for passing out leaflets informing members of their legal rights. A reviewer commented, "The advice given to the groups’ members is protected by the First Amendment."
Over and over again the Senate report quotes reviewers chastising DHS officials for recording constitutionally protected activities and for publishing such reports. One reviewer wrote, “The number of things that scare me about this report are almost too many to write into this [review] form." In some cases, DHS retained cancelled draft reports that may have contained information in violation of the Privacy Act for a year or more after the date of the reports' cancellation. Worse, the intelligence officials responsible "faced no apparent sanction for their transgressions."
While it’s commendable that the Senate is exposing these civil liberties violations, the problems detailed in the report are not new. Since the government started its various information sharing programs after 9/11, media organizations have extensively documented how these programs, when they’re not being outright abused by local law enforcement, are overwhelmingly used for ordinary investigations that had nothing to do with terrorism. EFF has long warned that completely innocent Americans’ privacy has become collateral damage in the government’s thirst to collect more and more digital information on its own citizens.
Even DHS’ own internal audits of the fusion centers showed they didn't work, according to the Senate report. The privacy disaster is also a boondoggle for taxpayers: DHS can’t account for much of the money it spent on the program, estimating they spent between $289 million and $1.4 billion—a discrepancy of more than $900 million.
Despite these facts, Attorney General Eric Holder issued new guidelines in March for the National Counter Terrorism Center (NCTC) that dramatically expanded the NCTC’s information sharing powers. The NCTC can now mirror entire federal databases containing personal information and hold onto the information for ten times longer than they could before—even if the person is not suspected of any involvement in terrorism. Journalist Marcy Wheeler summed up the new guidelines at the time, saying, “So…the data the government keeps to track our travel, our taxes, our benefits, our identity? It just got transformed from bureaucratic data into national security intelligence.”
Now that the Senate's Permanent Subcommittee on Investigations has issued this unusually harsh report lambasting the same type of information sharing centers, Eric Holder should also rescind his new data retention guidelines for NCTC counterterrorism centers until new safeguards are put in place. EFF also joins the ACLU’s call for full Congressional hearings on the DHS fusion centers. In fact, the government should issue a moratorium on all fusion centers until this problem is fixed. Local governments can also prevent their law enforcement agencies from participating.
While “information sharing” centers were sold to the American people as providing "a vital role in keeping communities safe all across America," it’s clear all they’ve done is play a vital role in violating Americans' civil liberties.
EFF has a long-term mission to encrypt as much of the Web as possible — in fact, to encrypt all of it. We have been making quite a lot of progress.
HTTPS Everywhere, the browser extension we produce in collaboration with the Tor Project and an awesome community of volunteers, is now used by more than 2.5 million people around the world.[1] Today we released version 3.0 of HTTPS Everywhere, which adds encryption protection to 1,500 more websites, twice as many as previous stable releases. Our current estimate is that HTTPS Everywhere 3 should encrypt at least a hundred billion page views in the next year, and trillions of individual HTTP requests.
Install HTTPS Everywhere today to protect your communications from prying eyes, your cookies from identity thieves, and your reading habits from censors.
We try hard to ensure that HTTPS Everywhere doesn't interfere with the sites it protects. But from time to time, the HTTPS versions of sites are buggy. If you see a page that seems to be broken because of HTTPS Everywhere, you can click on the HTTPS Everywhere icon in the toolbar and turn off rewrite rules that are affecting that page.
Special thanks go to our ruleset librarian MB, who has done extraordinary work authoring and curating rules for thousands of sites in version 3, and to webmasters of the numerous sites that have recently added HTTPS support.
1. We don't track our users, but we can count the total number of times a given version of HTTPS Everywhere is installed from our site.
Imagine this: A government, faced with public evidence that its foreign spy service was conducting domestic surveillance on its residents—instead of claiming the information is somehow secret and the people responsible are above the reach of the law—admits in public and in the courtroom that it violated basic rights.
That is exactly what happened last week in New Zealand in the controversial copyright infringement case surrounding Megaupload and its founder Kim Dotcom. At the same time in the US, the government is faced with a very similar scenario: overwhelming evidence the National Security Agency (NSA) has illegally spied on Americans. However, not only has the government refused to admit any wrongdoing, it is actively trying to prevent courts from coming to any conclusions.
As EFF has previously reported, the case against Megaupload and Dotcom has been controversial from the start. Dotcom was arrested in New Zealand, while the U.S. government seized Megaupload’s property and executed search warrants on its leased servers based on claims of alleged copyright infringement the day after SOPA was declared dead by Congress. The military-style raid by the New Zealand police was criticized as over-excessive. And the loss of access to the servers has left many innocent users without access to their lawful data.
Then in June, the High Court in New Zealand ruled the warrants executed for the raid in New Zealand were invalid, making the resulting searches and seizures “illegal.” Now add that to the recent news that the Government Communications Security Bureau (GCSB)—New Zealand’s equivalent to the NSA—was illegally spying on Dotcom by monitoring all Internet traffic coming to and from his home. (The GCSB is legally barred from spying on residents of New Zealand, and a cursory check of government records shows Dotcom has been an official resident since 2010.)
New Zealand’s Prime Minister said he became aware of the illegal spying a few weeks ago and ordered an inquiry with the agency’s Inspector General. Immediately, the Prime Minister also publicly admitted that the GCSB “had acquired communications in some instances without statutory authority." He also filed a memorandum with the court in the Megaupload case in New Zealand, making the same admissions to the judge.
When the Inspector General came back just two days later and concluded the GCSB did indeed break the law, the Prime Minister personally apologized to Dotcom for violating his rights, adding "Frankly, I'm pretty appalled by what I've seen because these are basic errors."
While there are still unanswered questions in the GCSB case, New Zealand’s apologetic prime minister and vigilant judiciary stand in stark contrast to the current situation in the US, where overwhelming evidence has shown for years the National Security Agency has been warrantlessly wiretapping Americans on domestic soil since a few days after the September 11th terrorist attacks.
But instead of admitting to the spying and apologizing to the public, the government has decided to stonewall and obfuscate the truth. In EFF’s long running lawsuit against the NSA—which will be heard in federal court in mid-December—the Obama administration has invoked the controversial ‘state secrets’ privilege, arguing even if all of the allegations are true, the court cannot decide the case because that process, even if done under secure court procedures, might reveal “national security” secrets.
Of course, the facts are indisputable and have been public for years. Government officials have admitted key details in Congressional testimony and on-the-record news interviews. Virtually every major news organization has reported on the NSA’s unconstitutional actions. EFF submitted evidence on behalf of AT&T whistleblower Mark Klein, which includes blueprints and photographs of the NSA’s secret room at AT&T's San Francisco facility. Three former NSA employees, who worked closely on its computer systems leading up to 9/11, also have submitted declarations explaining how the agency has spied on Americans on domestic soil in violation of the law.
Further, instead of coming clean to the public about who has been adversely affected by illegal spying, the NSA has refused to release even a general estimate on the number of Americans affected (somewhat audaciously invoking privacy as an excuse). Instead of vowing to prevent further violations of citizens’ constitutional rights, both the Bush and Obama administrations have stonewalled any attempts to install transparency or privacy safeguards on the program through the FISA Amendments Act. And instead of supporting accountability, both Bush and Obama supported giving AT&T and the other telecom companies complete retroactive immunity for partnering with the NSA in violation of the law.
The New Zealand spy agencies clearly erred when they illegally spied on Dotcom, but the government’s response to the scandal has been commendable, and serves as a good example of how a government can prevent this type of spying from happening in the future. If only Americans had a government that would do the same.