When the European Parliament rejected the Anti-Counterfeiting Trade Agreement after hundreds of thousands of Europeans took to the streets in protest, it signaled disappointment in some of the extreme IP policies encouraged by ACTA that threatened the functioning of the Internet. But at the same time, the protests reflected a sweeping rejection of the secretive, government-directed process that spawned the agreement in the first place. The world’s Internet users showed that they are no longer willing to accept outdated and counterproductive policies born out of closeted discussions that fail to take into account the interests of ordinary people.
Trade agreements, including ACTA, TPP and free trade agreements (FTAs) between the United States and its trading partners, tend to be bad news for international policy. Trade agreements are typically premised on high-stakes tradeoffs and competing government agendas. Trade agreements impose mandatory obligations that require signatories to transfer provisions into domestic law. This global obligation-based system can have the effect of binding governments to inflexible, long-term rules that manifest as a drag on the fast-paced environment of online innovation. For instance, since 2002 the U.S. has signed several bilateral free trade agreements compelling trading partners to rewrite their IP laws based on the flawed U.S. Digital Millennium Copyright Act. As a result, U.S. trading partners, including many developing nations, have adopted lopsided legal copyright regimes that do not serve the best interests of their citizens. While business interests usually feature prominently in trade negotiations, the interests of Internet users and many developing nations are rarely granted the same level of consideration. In the case of ACTA, both civil society and many developing nations were intentionally excluded from these negotiations.
Trade agreements, however, aren’t the only kind of international deal making that consistently sells users short. Similar problems can play out in established intergovernmental organizations, too. A primary example of this is the International Telecommunications Union (ITU), a bureaucratic agency made up of 193 member states and corporate “associate” members that include some of the world’s most powerful telecommunications companies. When it hashes out treaties, the ITU epitomizes many of the worst traits of Internet policymaking -- it is an exclusive, government-directed process that is hostile to the distributed decision-making model that has fostered the Internet’s growth.
Outdated Telephone Regulations Don't Translate to the Internet
For a number of years now, a few ITU Member States have sought to expand the agency’s regulatory scope to encompass some Internet-related issues. Yet the ITU appears stuck in the same outmoded mindset that was applied to regulating global telephone networks. Rules and rule-making that made sense for the smooth functioning of global telephone systems, such as numbering, do not transfer well to the Internet environment. While telephone numbers may have played a central role in individuals’ day-to-day lives, their capacity for societal harm is limited. Those old ITU technical policies don’t translate well to the complex and transformative medium that is the Internet, but a few ITU Member States, nevertheless, have been pushing for expanding its mission beyond its original goals.
One dangerously problematic provision in the ITU Constitution, for example, includes a State’s "right" to stop or suspend access to telecommunications services in order to address any communication that is dangerous to state security. In other words, the ITU Constitution permits “kill switches”: it allows governments to cut off the lifeline of communications networks in times of political protest, as the world witnessed states doing during the recent events in Egypt and Libya.
In an effort to remain relevant, the ITU has already issued a number of technical standards (ITU-T) and reports relating to various aspects of Internet policy, including on cybersecurity and cybercrime. However, these have not been binding, nor have they witnessed broad adoption or been elevated to the level of international regulations.
This coming December, the ITU’s underlying core regulatory instrument, the International Telecommunication Regulations (ITRs), will be revised at a gathering of global governments known as the World Conference on International Telecommunications (WCIT). This meeting is particularly significant because it’s the first time the treaty will be revised since the Internet was widely adopted. And given concerns about the problematic Internet-related provisions already in place, considerable attention has been directed at the ITU’s upcoming meeting in December, when its 193 member states intend to vote on whether to regulate certain aspects of Internet policy at an international level.
Just as with other international treaties or trade agreements, the International Telecommunication Regulations (ITRs) are legally binding on all the ITU’s Member States. This means that while it’s still up to lawmakers to decide whether, or to what extent, they should implement the updated ITRs into domestic law, democratic countries, including those with weak democratic institutions or a lack of robust advocacy organizations, will be more likely to adopt any flawed provisions that make their way into the treaty.
Since the mid-1800s, the ITU has been tasked with international regulation of telecommunications services, regulating areas such as public switched networks, spectrum management, basic telecommunications, and voluntary standards, all of which are agreed upon by its 193 member states. It continues to exert international regulatory control over many elements of traditional telecommunications. Yet while the UN agency was once highly influential on the global stage, its relevance on a number of issues has been in a state of decline since the rise of the Internet as the primary mode of international communication. Attempts to bring certain aspects of Internet regulation into the ITU’s purview have been interpreted by some as an attempt to regain that former position of global economic power.
Solutions Needed Across the Board
An expanded ITU role in Internet governance is far from ideal. Some countries appear to be using the ITU as a venue to try and push forward policy agendas that are hostile to an open Internet, such as Russia’s apparent failed attempt to put through a cybersecurity treaty for some time. Large European telecoms appear to be using the forum in an attempt to gain a business advantage over foreign competitors (at great potential cost for online innovation).
That’s not to say that everything the ITU does is bad. To this day, the ITU continues to educate governments on best practices for telecommunication and act as a resource center for countries, especially developing nations. Most importantly, the organization provides technology to aid development on the premise that efficient communications systems further a society's growth.
At the end of the day, however, global Internet users would once again find themselves on the losing end if ITU Member States manage to insert provisions into its treaty that deal with the global Internet. While some level of international coordination is necessary to avoid a fragmented network and to ensure policies are useful across varied jurisdictions, the nature of ITU policy-making makes it inherently ill-suited as an institution to deal with the Internet. There may be many legitimate concerns surrounding existing Internet governance arrangements, particularly for developing countries. It is no longer acceptable to ignore those problems. Nevertheless, the ITU is not the answer to those problems.
The Peruvian National Anthem proudly proclaims: “We are free! May we always be so!” Yet the Peruvian Congress is considering a sweeping new computer crime bill that threatens the privacy and online free expression of law-abiding Peruvians. Peruvians should stand against this ill-conceived bill that will place limits on what they are allowed to do with their own computers. Peruvians should take a cue from Canadians, who mobilized resistance against their online surveillance bill earlier this year.
The bill's current words for security experts working to expose security flaws. As currently written, the bill threatens coders’ ability to access information systems for security testing without explicit permission. If the Peruvian Congress moves to enact this bill as currently written, Peruvian engineers who study others’ systems for legitimate security research and testing may become criminals. A bill like this threatens the ability of new, engineering-driven companies to develop a wide range of innovative third-party applications and platforms that are capable of interacting and interoperating with online companies. It also shuts down the possibility of fostering a local security industry that seeks to responsibly report security vulnerabilities, so as to improve security of Peru’s critical infrastructure.
The bill also threatens the privacy of law-abiding Peruvians. The Peruvian government plans to give police and prosecutors greater online surveillance powers to collect personal identifiers—including IP addresses, mobile device identifiers, and device owner's names—by excluding these identifiers from its current constitutional and regulatory framework protections.
Personal identifiers (such as IP addresses), when linked to another piece of information, can reveal far more sensitive information than ever before, such as online identities, activities, social contacts, and location trails. Once an IP address is linked to an individual, it becomes easy to construct a dossier that can be profiled, mined, and analyzed. Mobile device identifiers also disclose a vast amount of personal information. New technologies can easily track people’s mobile devices to reveal their locations; this is why effective legal safeguards and checks and balances are needed.
While the bill explicitly states its intention to exclude Peruvians’ IP addresses and other identifiers from constitutional protection, it also compels telecommunications and Internet companies to hand over these identifiers to law enforcement and prosecutors upon a judge’s authorization. This murky landscape shouldn't be murky: Personal identifiers should keep enjoying the same level of protection as currently guaranteed by the Peruvian Constitution and other regulatory frameworks, including its judicial guarantee.
In sum, the Peruvian Congress should postpone voting on the bill, and hold an open and democratic debate. This bill, as currently written, converts legitimate activities of ordinary people into "criminal" activities. Moreover, it jeopardizes the rights of law-abiding Peruvian citizens and hinders the development of an innovative technology industry. Stay tuned: We will keep an eye on the overall proposal as the debate unfolds.
UPDATE: Twitter has issued an apology to Guy Adams and clarified that they did "mess up" by notifying NBC about the tweet. They do, however, continue to claim that the tweet in question violated their Rules despite a sentence that states: "If information was previously posted or displayed elsewhere on the Internet prior to being put on Twitter, it is not a violation of this policy." The NBC executive's email was published online more than a year ago here.
Among the popular social networking sites, Twitter has often stood out for its stance on free speech. The company has stood up for its users in court, has pontificated on its role in protecting users' right to speak freely, and has even dubbed itself "the free speech wing of the free speech party." That is why, when British journalist Guy Adams' account was suspended after he tweeted the public e-mail address of an NBC executive, we were shocked.
According to Adams, his account was suspended for violating the Twitter Rules; specifically, he was informed that tweeting an e-mail address was in violation of those guidelines. A section of the platform's "help center" specifically states:
Posting another person’s private and confidential information is a violation of the Twitter Rules.
Some examples of private and confidential information are:
credit card information
social security or other national identity numbers
addresses or locations that are considered and treated as private
non-public, personal phone numbers
non-public, personal email addresses
Keep in mind that although you may consider certain information to be private, not all postings of such information may be a violation of this policy. If information was previously posted or displayed elsewhere on the Internet prior to being put on Twitter, it is not a violation of this policy.
In this case, the e-mail address in question—that of NBC Executive Gary Zenkel—was his corporate address, and has been published online for more than a year. Furthermore, NBC's firstname.lastname@example.org email address pattern can easily be found via a quick Google search. It therefore seems clear that Adams was not, in fact, in violation of the Twitter Rules. Complicating the matter, Adams' tweets were aimed at mocking NBC, which Twitter has partnered with for the Olympics. Worse yet, an NBC Executive claimed that employees from Twitter had contacted NBC's social media department to let them know about the tweet and how to report them.
The good news is that, this morning, Adams' account was reinstated. The reasoning provided by Twitter, however, is still problematic. Adams reported receiving the following message from the company:
Per our previous correspondence, your account was suspended because a complaint was filed stating that you had violated our Terms of Service regarding the posting of private information (such as a non-public email address), as stated in our Guidelines & Best Practices (https://twitter.com/rules). We have just received an updated notice from the complainant retracting the original request. Therefore, your account has been unsuspended, and no further action is required from you at this time.
It seems that after ample media coverage, NBC changed its mind and revoked their complaint. Though Twitter won't comment on specific cases, it's apparent from their message to Adams that the company still believes he broke the rules.
This is why Twitter needs an appeals system.
Companies make mistakes. Companies also have the right to create whatever rules they desire, but they also have the responsibility to be clear about those rules and, as we argued last year in a paper co-written with the Center for Democracy and Technology and the Berkman Center for Internet & Society, create clear processes and channels of communications with users.
Twitter has not done that.
YouTube, for example, offers a clear appeals process for users whose content has been removed, explained in detail here. Facebook, which just over a year ago would send banned users a message notifying them that "[this] decision is final and cannot be appealed," now offers an easy-to-use appeals form for users whose accounts have been deactivated (note: you must be logged out to access the form). Twitter, on the other hand, allows users to reply to notification e-mails, but typically responds with repeat automated e-mails. As Adams, a prominent journalist, noted, the company would not return his calls or e-mails.
Twitter is indeed a smaller company than Google or Facebook, but with more than 500 million users, it is imperative that they open up the lines of communication and reassure their users that they have a means of arbitration, when needed.
This week, the Senate will be voting on a slew of amendments to the newest version of the Senate’s cybersecurity bill. Senators John McCain and Kay Bailey Hutchison have proposed several amendments that would hand the reins of our nation’s cybersecurity systems to the National Security Agency (NSA). All of the cybersecurity bills that have been proposed would provide avenues for companies to collect sensitive information on users and pass that data to the government. Trying to strike the balance between individual privacy and facilitating communication about threats is a challenge, but one thing is certain: the NSA has proven it can’t be trusted with that responsibility. The NSA's dark history of repeated privacy violations, flouting of domestic law, and resistance to transparency makes it clear that the nation's cybersecurity should not be in its hands.
In case you need a refresher, here’s an overview of why handing cybersecurity to the NSA would be a terrible idea:
An executive order generally prohibits NSA from conducting intelligence on Americans’ domestic activities
Executive Order 12333, signed by President Reagan in 1981 (and amended a few times since), largely prohibits the NSA from spying on domestic activities:
no foreign intelligence collection by such elements [of the Intelligence Community] may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons.
If amended, the Cybersecurity Act would allow the NSA to gain information related to "cybersecurity threat indicators," which would allow it to collect vast quantities of data that could include personally identifiable information of U.S. persons on American soil. Law enforcement and civilian agencies are tasked with investigating and overseeing domestic safety. The NSA, on the other hand, is an unaccountable military intelligence agency that is supposed to focus on foreign signals intelligence—and it’s frankly dangerous to expand the NSA’s access to information about domestic communications.
NSA has a dark history of violating Americans’ constitutional rights
In the 1960’s, a Congressional investigation, led by four-term Senator Frank Church, found that the NSA had engaged in widespread and warrantless spying on American citizens. Church was so stunned at what he found, he remarked that the National Security Agency’s "capability at any time could be turned around on the American people, and no American would have any privacy left, such is the capability to monitor everything." (emphasis added) The investigation led to the passage of the Foreign Intelligence Surveillance Act, which provided stronger privacy protections for Americans’ communications; that is, until it was weakened by the USA-PATRIOT Act and other reactions to 9/11.
NSA has continued its warrantless wiretapping scandal
In 2005, the New York Times revealed that the NSA set up a massive warrantless wiretapping program shortly after 9/11, in violation of the Fourth Amendment and several federal laws. This was later confirmed by virtually every major media organization in the country. It led to Congressional investigations and several ongoing lawsuits, including EFF’s. Congress passed the FISA Amendments Act to grant telecom companies retroactive immunity for participating in illegal spying and severely weaken privacy safeguards for Americans communicating overseas.
Since the FISA Amendments Act (FAA) passed, the NSA has continued collecting emails of Americans. A 2009 New York Times investigation described how a “significant and systemic” practice of "overcollection" of communications resulted in the NSA’s intercepting millions of purely domestic emails and phone calls between Americans. In addition, documents obtained via a Freedom of Information Act request by the ACLU, although heavily redacted, revealed "that violations [of the FAA and the Constitution] continued to occur on a regular basis through at least March 2010", the last month anyone has public data for.
NSA recently admitted to violating the Constitution.
Just last week, the Office of the Director of National Intelligence, which oversees the NSA, begrudgingly acknowledged that "on at least one occasion" the secret FISA court "held that some collection… used by the government was unreasonable under the Fourth Amendment." Wired called it a "federal sidestep of a major section of the Foreign Intelligence Surveillance Act," and it confirmed the many reports over the last few years: the NSA has violated the Constitution.
NSA keeps much of what it does classified and secret
Because cybersecurity policy is inescapably tied to our online civil liberties, it’s essential to maximize government transparency and accountability here. The NSA may be the worst government entity on this score. Much of the NSA's work is exempt from Freedom of Information Act (FOIA) disclosure because Congress generally shielded NSA activities from FOIA [2]. Even aside from specific exemption statutes, much information about NSA activities is classified on national security grounds. The NSA has also stonewalled organizations trying to bring public-interest issues to light by claiming the "state secrets" privilege in court. EFF has been involved in lawsuits challenging the NSA’s warrantless surveillance program since 2006. Despite years of litigation, the government continues to maintain that the "state secrets" privilege prevents any challenge from being heard. Transparency and accountability simply are not the NSA’s strong suit.
We remain unconvinced that we need any of the proposed cybersecurity bills, but we’re particularly worried about attempts to deputize the NSA as the head of our cybersecurity systems. And even the NSA has admitted that it does "not want to run cyber security for the United States government."
Thankfully, new privacy changes in the cybersecurity bill heading towards the Senate floor have explicitly barred intelligence agencies like the NSA from serving as the center of information gathering for cybersecurity. We need to safeguard those protections and fend off amendments that give additional authority to the NSA. We're asking concerned individuals to use our Stop Cyber Spying tool to tweet at their Senators or use the American Library Association's simple tool to call Senators. We need to speak out in force this week to ensure that America's cybersecurity systems aren't handed to the NSA.
2. Three of the most common statutes that NSA uses to fight transparency: Section 6 of the National Security Agency Act of 1959 (Public Law 86-36, 50 U.S.C. Sec. 402 note), which provides that no law shall be construed to require the disclosure of, inter alia, the functions or activities of NSA; the Intelligence Reform and Terrorism Prevention Act of 2004, 50 U.S.C. Sec. 403-1(i), which requires under the Responsibilities and Authorities of the Director of National Intelligence that we protect information pertaining to intelligence sources and methods; and 18 U.S.C. Sec. 798, which prohibits the release of classified information concerning communications intelligence and communications security information to unauthorized persons.
Press freedom in Sri Lanka has come under further attack over the course of the past month. On June 29, the Criminal Investigation Department’s Colombo Crime Division raided the office shared by news websites Sri Lanka Mirror and Sri Lanka X News. The latter website is widely known as the official journalistic outlet of the United National Party (UNP), which is the main opposition party against the ruling coalition, United People’s Freedom Alliance. Authorities arrested nine journalists and confiscated much of both websites’ computer equipment for “propagating false and unethical news on Sri Lanka.”
Blogger Patta Pal Boru reported that the journalists, including one editor, were taken into custody under Section 118 of the penal code. However, the relevant portions of the Law of Criminal Defamation had been repealed in 2002, so the Colombo Magistrate ordered that the journalists be released on bail. Employees of the Sri Lanka Mirror filed six “fundamental rights petitions” with the Supreme Court, which heard the case at the end of July. However, after the Deputy Solicitor General responded that the website was not registered and had published “explicit” stories, further hearings were scheduled for February 7.
In order to avoid embarrassments such as the illegal June raid, the government plans to amend the 1973 Sri Lankan Press Council Act so that websites will be regulated by the same agency that regulates printed media. Media Minister Keheliya Rambukwalla said in a Cabinet media briefing on July 5 that the amendments would be designed “to ensure accountability” for national news websites. The amendments will make it easier to prosecute websites under similar content rules as for print media, and will require all websites to register with a government list. The announcement was made on the same day that the UN Human Rights Council endorsed a landmark resolution that upholds online freedom of expression and information.
Sri Lankan media outlets are skeptical that the new Press Council Act amendments are simply a bureaucratic change. Manik de Silva, a director of Sri Lanka's Press Complaint Commission and a member of the country's Editor's Guild, suggested that the amendments are “obviously to control the media… Any strengthening of media laws will be used to further the interest of political parties in power rather than the national interest.” Blogger Patta Pal Boru wrote that with regards to the illegal raids on the Sri Lanka Mirror and Lanka X News, “it is important the public agitate for accountability instead of their current passive acceptance of gross violation of the law by both the Govt. [sic]”
The strict regulation of online and offline news outlets in Sri Lanka is rooted in the decades-long conflict between Tamil separatists and the Sinhalese-majority government. Networking for Rights in Sri Lanka, a media advocacy group composed of exiled journalists and human rights defenders, pointed out in a statement condemning the raids that “TamilNet, a popular news and opinion site on Tamil issues was the first site blocked by the GoSL [Government of Sri Lanka]. On June 19, 2007, on the orders of the GoSL all Internet Service Providers in Sri Lanka blocked the access to the TamilNet website. Since then GoSL has blocked dozens of news and opinion web sites reporting on Sri Lanka.”
While the fronts of political conflict have shifted considerably since the resolution of the civil war in 2008, draconian media regulations meant to protect government interests have only increased in number. In November 2011, officials in Sri Lanka blocked several high-profile websites and released a statement that accused them of a “deliberate character assassination campaign” against the image of the country, heads of State, ministers, senior public officials, and “very very Important People.” The EFF is deeply concerned by the legal challenges to Internet freedom in Sri Lanka, and will continue to monitor both cases against the journalists and the planned Press Council Act amendments.
In Israel, a heated debate is underway about whether Israel’s Interior Ministry will move ahead with the creation of a governmental biometric database containing digital fingerprints and facial photographs, which would be linked to “smart” national ID cards containing microchips. At the heart of the issue is a major concern about privacy: Aggregated personal information invites security breaches, and large databases of biometric information can be honeypots of sensitive data vulnerable to exploitation.
On July 23, Israel’s High Court of Justice held a hearing on a petition filed by civil rights advocates who sought to strike down a law establishing a governmental biometric database and an associated two-year pilot program. The law approving the database, enacted in 2009, met with public resistance until the government backed down and agreed to begin with only the pilot program. The pilot was supposed to be a test for determining whether it was actually necessary to move forward with building the biometric database, but an Interior Ministry decree that sanctioned the program did not actually contain any criteria to measure whether the program succeeded or failed.
While three justices voiced harsh criticism of the database, they didn’t move to cancel the project altogether. Instead, they determined that the pilot program description has to present clear criteria for success and failure, so that it would be conducted as a true test. The ruling requires the Interior Ministry to examine the very necessity of a central database, and to seriously weigh possible alternatives. The court also called for an independent review of the program, and preserved petitioners’ right to return and present their claims against the database and pilot program.
In the course of the hearing, several justices characterized the proposed database as a “harmful” and “extreme” measure. They have good reason to be skittish: Last fall, officials discovered that information in Israel’s primary population database had been hacked in 2006, and the personal records of some 9 million Israelis—both living and dead—were uploaded to the Internet and made freely available. The database contained substantial information including full names, identity numbers, addresses, dates of birth and death, immigration dates and familial relationships. Given this blemished track record, there is naturally a concern that a database that also contained biometric information would meet the same fate.
“Every once in a while, we find the census in .torrent files all over the web,” noted Jonathan Klinger, an attorney who teamed up with Association for Civil Rights in Israel (ACRI) lawyer Avner Pinchuk in opposing the biometric database. The petitioners included ACRI, the Movement for Digital Rights, Professor Karin Nahon of the University of Washington and Hebrew University, and Doron Ofek, an information security expert.
“The State in fact accepted the position of the petitioners and the Justices, according to which the order establishing the biometric database is illegal and does not enable an examination of the database’s necessity,” noted Pinchuk, the ACRI attorney. “The Interior Ministry’s intention to establish a database even before this essential flaw is amended demonstrates the hastiness and aggression that have characterized this dangerous project since its inception.”
Israel's biometric database is just one of several massive governmental identification programs moving forward at the global level. India is still working toward creating the world’s largest database of irises, fingerprints and facial photos, while Argentina is building a nationwide biometric database of its own. As more of these identity schemes crop up across the world, serious critical examination of these systems is urgently needed.
At the Black Hat security conference in Las Vegas this week, Javier Galbally revealed that it’s possible to spoof a biometric iris scanning system using synthetic images derived from real irises. The Madrid-based security researcher’s talk is timely, coming on the heels of a July 23 Israeli Supreme Court hearing where the potential vulnerabilities of a proposed governmental biometric database drove the debate. Consider the week’s events a reminder that if the adoption of biometric identification systems continues apace without serious contemplation of the pitfalls, we’re headed for trouble.
When it comes to the collection and storage of individuals’ digital fingerprints, iris scans, or facial photographs, system vulnerability is a chief concern. A social security number can always be cancelled and reissued if it’s compromised, but it’s impossible for someone to get a new eyeball if an attacker succeeds in seizing control of his or her digital biometric information.
Among all the various biometric traits that can be measured for machine identification--such as fingerprints, face, voice, or keystroke dynamics--the iris is generally regarded as being the most reliable. Yet Galbally’s team of researchers has shown that even the method traditionally presumed to be foolproof is actually quite susceptible to being hacked.
The project, unveiled for the first time at the security researchers’ conference, made use of synthetic images that match digital iris codes linked to real irises. The codes, which are derived from the unique measurements of an individual’s iris and contain about 5,000 pieces of information, are stored in biometric databases and used to positively identify people when they position their eyes in front of the scanners. By printing out the replica images on commercial printers, the researchers found they could trick the iris-scanning systems into confirming a match.
The tests were carried out against a commercial system called VeriEye, made by Neurotechnology. The synthetic images were produced using a genetic algorithm. With the replicas, Galbally found that an imposter could spoof the system at a rate of 50 percent or higher. A Wired article hit on the significance of this discovery:
“This is the first time anyone has essentially reverse-engineered iris codes to create iris images that closely match the eye images of real subjects, creating the possibility of stealing someone’s identity through their iris.”
This revelation not only exposes a security hole in a commercial iris-recognition system, but also proves that prominent tech firm and FBI contractor B12 Technologies--which is building a database of iris scans for the Next Generation Identification System--was wrong when it noted on its website that biometric templates “cannot be reconstructed, decrypted, reverse-engineered or otherwise manipulated to reveal a person’s identity.”
Any new detection of biometric system flaws is relevant in the context of the massive governmental identification programs moving forward at the global level. There’s India’s bid to create the world’s largest database of irises, fingerprints and facial photos, for example, and Argentina’s creation of a nationwide biometric database containing millions of digital fingerprints. Just this week in Israel, High Court justices criticized a planned biometric database as a “harmful” and “extreme” measure. Lawmakers who approve such identification schemes should give serious consideration to any new information surfacing about biometric system vulnerabilities.
It's always heartening to see Congressmen make efforts to stand up for privacy rights. Yesterday, Rep. Hank Johnson launched AppRights.us, a website dedicated to promoting privacy, security, and transparency around mobile apps. Operating under the motto that "our apps should serve us—not spy on us," Johnson's website asks for feedback about issues surrounding mobile devices.
Mobile privacy and consumer rights are important issues to EFF, and we hope that Rep. Johnson keeps our previous work on the topic in mind—most notably our Mobile User Privacy Bill of Rights. This document contains key points for developers to keep in mind when it comes to respecting their users' privacy—including transparently focusing data collection on solely what is needed, as well as giving users more control over their personal data. EFF also recently filed comments with the Federal Communications Commission about mobile device privacy, bringing light to current troubling industry practices.