As the U.S. and European consumer organizations met with intellectual property (IP) and trade agencies last week, interactions with state agency representatives over U.S. IP policies helped to further expose some underlying flaws in state policy approaches regulating global IP enforcement. It is clear that IP/trade agencies’ biased understanding of what constitutes a “stakeholder” and a “key interest” in agreements like the Anti-Counterfeiting Trade Agreement (ACTA), as well as their unfounded high valuation of what they call “IP-intensive” industries, are some of the problems that underlie the U.S. global IP enforcement agenda.
EFF is a member of the Trans-Atlantic Consumer Dialogue (TACD), a forum for U.S. and EU consumer rights organizations to meet and develop joint policy recommendations to the U.S. government and the European Union that advance consumer protections. Since 1998, over 70 member organizations have regularly released resolutions and statements of recommendations on issues covering food, information society, intellectual property, and transnational trade.
From June 4 to 6, the TACD met in Washington, D.C. to discuss new issues and future resolutions, and to meet with the U.S. and EU delegates to address policy recommendations that they have forwarded to state agencies. The focus of Tuesday afternoon was U.S. intellectual property policies. It remains clear that the U.S. is committed to secretly negotiating trade agreements that would extend restrictive regulation over the Internet. Given that this was the first meeting since ACTA had been signed in October 2011, this was a significantly pertinent issue.
A keynote speech by Ambassador Miriam Sapiro, Deputy U.S. Trade Representative (USTR), set the tone for the rest of the afternoon’s discussions. She again and again emphasized the importance of “multi-stakeholder input” and the necessity to increase transparency and opportunities for “public comment” during meetings over trans-Atlantic trade policies. Hopefully, she is referring to a process of negotiation that truly takes broad public interest into account: One that is inclusive of all relevant stakeholders, such as civil society, the private sector, as well as the technical community itself. If governments and companies are the only ones invited to the negotiating table to discuss Internet and IP policies, the process can hardly be called “multi-stakeholder.”
In the Q&A following her speech, a member of the TACD questioned the USTR’s true commitment to transparency in light of the negotiations over almost all recent bilateral and regional trade agreements (such as ACTA) that have excluded civil society. In response, the USTR spokesperson insisted that they have been transparent, claiming that they were “going to stakeholders” to determine what their issues were. They then claimed that “negotiating in public” prevents governments and “stakeholders” from putting all their interests on the table in a way that would compromise the agreement. Given that civil society has mostly been excluded from the negotiating table, their definition of a stakeholder could strictly be referring to private industry interests.
At the plenary session following this keynote, the Chief Economist from the U.S. Patent Trade Office (USPTO) was joined by two civil society members of TACD and an economics scholar at a panel to discuss a recent publication called Intellectual Property and the U.S. Economy: Industries in Focus. In March 2010, the USPTO established the Office of the Chief Economist, tasked with assessing the direct impacts of intellectual property policy on the U.S. economy. This report was the first substantial paper that it produced, and it purportedly “examines both the important trends and economic characteristics of these highly IP-intensive industries and their meaningful contributions to the U.S. economy.” The USPTO representative claimed that this report was still “preliminary,” heavily emphasizing that this was not a “policy recommendation.”
Even so, this report has been widely cited by copyright and IP maximalists in arguing for more restrictive copyright policies because they claim the report definitively demonstrates how essential IP-protected industries are to the U.S. economy. Knowledge Economy International (KEI) excellently outlines some of the gaping flaws in this report. KEI asserts that the USPTO defines any “IP-intensive” job to cover anything that remotely benefits from copyright, patent, or a trademark. Under this definition, a bagger at a grocery store, a car mechanic, or even a bank teller could be deemed a job that is protected by IP. Such bloated economic figures seem to bolster the claim that IP must be protected above all interests because it is deemed such an integral part of the economy.
Following this panel session, TACD members met with U.S. and European Union government representatives to discuss concerns over IP policies. During discussions, the U.S. representatives emphasized the need to protect intellectual property interests, citing the aforementioned misleading report on IP and the economy, claiming that the USPTO’s report definitively proves how “IP-intensive” jobs, and therefore IP-intensive industries, need prioritized policy protection. They went on to say that agreements like ACTA enable “better” enforcement of IP, and suggested that such agreements protect and even create more jobs. Moreover, they claimed that ACTA is much more transparent “relative to other trade agreements” and that opposition to the agreement is all based on unfounded rhetoric. Finally, the U.S. side addressed SOPA and PIPA, stating that these bills are not truly dead, and that some form of legislation must be passed to address the ongoing problem of “online piracy.”
In response, TACD members went around the table and brought up their issues with ACTA and other mechanisms enabling restrictive copyright enforcement. These comments mainly addressed the exclusion of civil society participation, as well as the collateral damage its IP policies would inflict through its restrictive enforcement measures. Below are some of the topics discussed:
When asked what would happen to ACTA if the EU Parliament were to vote to reject the agreement, the U.S. representatives did not give a definitive answer. They claimed vaguely that counterfeiting is a global issue and that it would not necessarily have to involve the EU, concluding that they are “still looking into it.”
One of the most threatening provisions of ACTA is one that enables the creation of an independent committee that would oversee implementation and enforcement of the agreement in each of the signatory countries. The concern is that the members of this committee would not be democratically elected and that the trend of secrecy will continue on through this venue. A consumer rights group representative asked whether they had set any of the rules and plans for this committee. Interestingly, the U.S. representatives claimed that there have been no discussions about this ACTA committee.
Considering the complete secrecy over the negotiations, one consumer group representative asked the U.S. federal agencies what aspect of the agreement they were worried about being seen and what kinds of interests they were protecting in maintaining such confidentiality. The answer and explanation was that if versions of the agreement had been publicly available, “key interests” would have created expectations about their desired provisions being adopted in ACTA; and that it would be problematic for these interests if their demands had to be abandoned in the final version of the agreement for the sake of compromise and resolution. Another consumer rights advocate challenged them and said that these key players, such as private industry, already did know what was carried within this agreement anyway. The TACD member representative asserted that the public’s ability to see the content of this agreement was vastly more important than the negotiating flexibility that would be derived from keeping it secret.
The annual TACD meeting is an important venue for civil society members to attend and directly communicate IP and Internet policy concerns with federal agency representatives. On several occasions, TACD members demanded explanations on how confidentiality is consistent with any notion of democratic rulemaking. However, U.S. federal agency representatives continued to repeat the same dubious justifications to legitimize the exclusion of civil society from international trade and IP policies. It continues to be clear that government agencies do not grasp the true meaning of transparency. Moreover, without proper honest assessments of the impact and side effects of IP protections on the society and economy, the development of pragmatic IP policy will never be possible.
In light of the data breach at LinkedIn last week, in which 6.5 million unsalted SHA-1 hashes of account passwords were leaked publicly, we thought this would be a good opportunity to remind users about best practices for managing passwords online in order to stay safe. In particular, we want to emphasize that users should never re-use passwords across multiple accounts, and that using a password safe provides an easy way to manage lots of strong passwords across multiple online accounts. We understand there are trade-offs between secure password management and convenience; we think a good balance is achieved by using a password safe for at least the vast majority of online accounts, with the option to memorize a few strong and distinct passwords for the cloud services one needs to access most frequently and from new devices.
What's the consequence of the LinkedIn leak?
The leak doesn't directly tell attackers LinkedIn users' passwords, but it enables a trivial and fast way for attackers to confirm their guesses about passwords, and to check exactly which LinkedIn accounts use a particular password. For example, an attacker can instantly get a list of any and all LinkedIn users whose password was "password123", "secret", or any other term. More significantly, this process can be automated to quickly check quadrillions of possible passwords: every word in every language, forwards and backwards, with various digits at the end; every two- or three-word English phrase; every Bible verse or line from Shakespeare, or every citation to any of these; and much more. It's also straightforward for attackers to try every short sequence of letters, whether it's meaningful or not.
This is significant because attackers actually do these things whenever a password database like LinkedIn's gets leaked. In fact, because of LinkedIn's failure to use a salt (which would make the password-checking algorithm more specific to the site or to each individual user), attackers can simply compare the database against pre-computed versions of all of the above, and more, quickly getting an exhaustive list of exactly who has used every guessable password, in an extremely broad sense of "guessable".
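The difference a salt makes, as an added example that is not part of the original post: it stores the same constructed accounts once as bare SHA-1 digests and once with a per-user random salt and a slow key-derivation function, then checks each table for the two weaknesses described above (identical passwords producing identical stored values, and one site-independent precomputed table matching every row). The choice of PBKDF2-HMAC-SHA256, the iteration count, the account names and the passwords are assumptions made for this sketch.

```python
"""Added example: unsalted SHA-1 storage vs. per-user salted PBKDF2 storage."""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 200_000  # assumption for this sketch; tune to your hardware

# Constructed sample accounts (not taken from any leak).
ACCOUNTS = {
    "alice": "password123",
    "bob": "password123",          # same password as alice
    "carol": "secret",
    "dave": "mV9#qT2r!xLw84zKpE",  # what a password safe might generate
}


def store_unsalted_sha1(accounts):
    """The storage scheme the post describes: one bare SHA-1 digest per account."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in accounts.items()}


def store_salted_pbkdf2(accounts):
    """Hardened storage: a fresh 16-byte salt per user plus a slow KDF."""
    stored = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        stored[user] = (salt, key)
    return stored


def verify_salted(record, candidate):
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt, expected = record
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(key, expected)


def _stored_hex(value):
    """Normalise a stored record to the hex string that would sit in the table."""
    return value[1].hex() if isinstance(value, tuple) else value


def shared_digest_groups(stored):
    """Groups of users whose stored value is identical (same password is visible)."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[_stored_hex(value)].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def precomputed_lookup(stored, guesses):
    """Check every row against one SHA-1(guess) table that was built only once.

    Without a salt the table is valid for every user of every site that
    stores passwords this way; with a per-user salt it matches nothing.
    """
    table = {hashlib.sha1(g.encode()).hexdigest(): g for g in guesses}
    return {
        user: table[_stored_hex(value)]
        for user, value in stored.items()
        if _stored_hex(value) in table
    }


if __name__ == "__main__":
    guesses = ["letmein", "secret", "password123"]
    for name, stored in (
        ("unsalted SHA-1", store_unsalted_sha1(ACCOUNTS)),
        ("salted PBKDF2", store_salted_pbkdf2(ACCOUNTS)),
    ):
        print(name)
        print("  users sharing a stored value:", shared_digest_groups(stored))
        print("  rows matched by one precomputed table:", precomputed_lookup(stored, guesses))
```

With a per-user salt, each guess has to be re-derived separately for each account at the full iteration cost, which is what removes the precomputation shortcut; it does not make a weak password strong.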
Why is it so bad to reuse passwords?
At first blush, you might think that changing your LinkedIn password is sufficient to stay safe. However, if you re-use the same password for other online services, you are at risk for all of those services so long as a data breach occurs in any of them and your password is revealed. That's because attackers love to re-try cracked passwords with known or guessed usernames on other sites. In this sense, your security across all web services for which you use a given password is only as strong as the weakest link. As a concrete example, if you use the same password for LinkedIn, Gmail, and Bank of America, then it is critical that you change your passwords for the latter two websites, else there is a good chance your Gmail and Bank of America accounts could be compromised.
This is widely believed to be one of the most common ways by which accounts on very security-conscious web sites get cracked and the accounts broken into: because users have used the same password on some other site which gets penetrated in a way that reveals their password.
Does altering my username make me safe even if I use the same password?
The short answer is no. Any data breach that occurs could include enough personally identifiable information that an attacker could figure out your username for different web services.
How do I manage different passwords for each account?
We know it's hard to remember a different password for every account, since many web users have dozens or even hundreds of different accounts.
To address this difficulty, you can use a password safe — a program that runs locally on your computer and stores passwords securely. These exist as standalone applications such as KeePass (which is available in different flavors for Windows, OS X, Linux, Android and iOS), or OS X's Keychain, and there are also password safes in many browsers. When you use a password safe, you no longer have to memorize these passwords, and so it becomes feasible to store dozens or hundreds of passwords. Instead, you just remember one password to unlock the password safe.
What if I need to access online services from multiple devices?
It's very easy to transfer a password safe database between devices using a USB flash drive. Or you can store your password database in the cloud. Indeed, since good password safe databases are themselves encrypted (e.g. KeePass), you can safely also upload the database to a cloud storage service, allowing you to download the encrypted database to multiple devices, which you can subsequently unlock and decrypt with your password.
If there are a handful of devices you use all the time, just be sure to transfer the password safe database to each of these devices. This is a minor inconvenience, but the security gain of using a password safe far outweighs this inconvenience. Moreover, backing up your password safe minimally to a USB flash drive or a cloud storage service is a good idea, so that you don't lose all your passwords if a single device crashes. Finally, some password safe programs can do a secure network-based sync across multiple devices, so updating the password safe on one device will allow the new passwords to propagate to other devices.
What about services that I need to access from new devices? For example, traveling abroad and needing access to my Gmail account from an Internet cafe?
The safest solution in this case arguably is still to carry a USB flash drive, so long as you can keep it secure. However, it may make sense to memorize a few strong passwords for high-value cloud services that you use all the time for situations like this. It is important to emphasize that accessing cloud-based services from an Internet cafe is very risky, since there could be a keylogger on the computer that steals your password. We recommend changing your password whenever you have to access such an Internet service from an untrusted computer.
In the particular case of Gmail — as well as some financial institutions and some employers' networks — you can also enable an extra security feature called two-step (or two-factor) authentication. This requires you to provide an extra piece of information when you log in, based on data stored separately in a mobile phone (or a smart card). By adding a requirement to have a particular object on top of the requirement to know a particular password, you can get a greater level of protection against attacks like keyloggers if you have to log in from an untrustworthy computer. Although this makes logging in more effort, it can make you dramatically safer.
How frequently should I change my password?
It's typically more important not to re-use passwords across accounts than it is to change them. Don't let recommendations to change your passwords become a reason to re-use a password in multiple places. That said, it's good practice to change passwords from time to time. Very roughly, one should consider changing passwords annually, but this is not a one-size-fits-all problem. If you are frequently typing in a password on an untrusted device, or if you are accessing a high-value service, changing more frequently is a good idea. In particular, you always want to change your password if there is any indication that your account might be compromised.
How do I make sure my passwords are strong enough?
Password safes often include a feature to generate pseudorandom passwords for you. They will end up looking like random strings of however many characters you choose. Choosing longer passwords of 20-30 characters is a great idea, even for unimportant services. For important ones, you may want to make your password even longer. With a password safe, using a longer password needn't be more effort than a shorter one, because the password safe can automatically type the password for you, or temporarily put it in your computer's clipboard so you can paste it into a site you access.
When it comes to generating a password that you're going to memorize yourself — for purposes like unlocking your computer's hard drive, or unlocking your password safe — don't just use a pass word; instead think of a pass phrase. It turns out that short strings that may seem random and hard to guess like '1xRtBd3' actually are far easier for a computer to crack than long strings of randomly chosen (or close to it) English words, for example: 'captainswimminglymauvedolphin'. The latter password is also far easier to memorize. But it is important to note that for most kinds of passphrases, one should never use any text (including a name or phrase) that has ever been published verbatim anywhere. So in particular, 'captainswimminglymauvedolphin' is no longer a good passphrase.
We touch upon the issue of passphrase strength in our white paper on border security, and there is also a famous webcomic about the subject. Although passphrase strength is much more important in an offline context where an attacker has arbitrarily many attempts to guess a passphrase, we still recommend strong passphrases for online services given data breaches that effectively turn the online threat model into an offline threat model.
Last year, Congress passed patent reform legislation; it didn’t help. The courts, too, have failed to pick up the slack. The result? A chill on innovation. American inventors—especially those who don’t often engage with the patent system until they’re facing a lawsuit—want to dedicate their resources to building the next great product or service, not fighting patent wars.
Now, here's the less obvious: We keep learning of more and more ways innovators can navigate the system and hack it to serve its original purpose. We’re particularly excited about the newest, the Defensive Patent License. Below we explain that and some other self-help options we’ve seen lately. Of course, some are better than others, but it’s fair to say that there’s an option for everyone.
The Defensive Patent License: Defensive patenting—acquiring patents to deter future litigation—is not a new idea. In fact, companies have been doing that for some time. Unfortunately, the practice has encouraged companies to seek patents for anything and everything, which—thanks to an overburdened Patent Office—has resulted in a generation of overbroad patents that, if the company folds, often end up in the hands of a patent troll.
The idea behind the not-yet-operational Defensive Patent License (“DPL”) takes the good from defensive patenting (attempts to stem litigation) and removes the bad (the risk that patents obtained defensively will be used downstream by a troll). The license would work like this:
DPL patent holders must offer a nonexclusive, royalty-free license for any patent they own to anyone who requests one, as long as the licensee agrees not to sue the licensor or any other member of the DPL community for patent infringement.
The licensee must offer its patents under the DPL with the same conditions to anyone who requests one.
The licenses remain in effect throughout the patent's life, even if it is later sold.
The licenses can only be revoked if an offensive patent suit is filed.
The DPL borrows heavily from the ethos surrounding the free and open source software community, honoring the important freedoms to operate and innovate openly. As such, it is those communities who will most likely use, and benefit from, the DPL.
The DPL represents an important answer to the fundamental problems with the patent system, but it’s not for everyone. For example, the DPL contemplates that a company will dedicate its entire patent portfolio to the license to avoid the problem of members only contributing their “junk” patents and holding on to their “crown jewels.” For various reasons, some companies may not be in a position to do that.
Luckily, the DPL is not the only self-help tool out there.
Twitter’s Innovator’s Patent Agreement: Earlier this year, Twitter announced its Innovator’s Patent Agreement (“IPA”), an important tool for companies looking to do right by their engineers. The IPA, currently up on GitHub for comments, is simple: if you assign your patent to Twitter, Twitter promises it won’t use that patent to sue anyone, except for defensive purposes.
Because the IPA doesn’t give any third party a license to the patents, it does not go quite as far as the DPL. Also, a party who adopts the IPA can choose to do so on a patent-by-patent basis. Importantly, however, the terms of the IPA will run with the patent, no matter to whom it gets sold. This means that if a patent ends up in the hands of a troll, that troll will be prohibited from using it offensively.
Open Source Licenses: The GNU General Public License (“GPL”), the most widely-used free software license, covers both copyright and patent rights. Its terms allow developers to use covered software for free, so long as those developers dedicate, free-of-charge, any changes or improvements to the public, also under GPL terms. The GPL is often cited as a crucial element in the successful rise of Linux.
Another important open source license that primarily protects Linux is the one at the heart of the Open Innovation Network ("OIN"). Founded by some of the largest Linux users, OIN allows any company to join the network, so long as it agrees to not use its patents offensively against Linux. By joining OIN, members get a license to the hundreds of patents OIN owns. As such, its mechanics are similar to the DPL, but its mission (and terms) are limited to Linux.
Other open source licenses, such as BSD licenses, the Apache License, and the Mozilla Public License, for example, cover various types of open source software. These licenses, each in its own way, ensure that important developments in open source software remain open. They do this job well, but unfortunately are limited to the software they specifically cover.
Private Companies: Private, for-profit companies also provide various ways to navigate the patent system. For example, RPX allows companies to buy into its large patent portfolio, which it promises to never use offensively against its customers. Moreover, RPX constantly grows its portfolio to cover its members’ particular needs.
Article One Partners offers a different service, providing a platform for the award of cash prizes to those who provide prior art that may be used to invalidate patents. Article One’s clients request research, which third parties provide. The third party who provides the highest quality research wins a $5,000 reward, and may form a relationship to further work with the Article One client. (Peer to Patent is Article One’s important non-profit analog.) This type of service streamlines the process of invalidating bad patents, something we’ve long supported.
This list is just the tip of the iceberg; other non-profit and for-profit organizations provide tools to help navigate a patent system gone awry, and we look forward to more joining the fray. None of these solutions is perfect, but each offers inventors of different sizes different ways to focus on innovating, and not fighting wasteful patent battles. The real solution is systemic: if software patents are here to stay, then the time to create a system that works for them is long overdue. EFF is working hard to make that happen. In the meantime, we encourage innovators to adopt one of these solutions that works best for them.
The US Public Policy Council of the Association of Computing Machinery (ACM), representing ACM, came out against CISPA, the cybersecurity legislation recently passed by the US House. ACM is the world's largest organization for computer professionals. They are joining a diverse group of individuals and organizations opposing this bill, including a wide array of digital civil liberties organizations like EFF, computer scientists like Bruce Schneier and Tim Berners-Lee, and companies like the Mozilla Foundation.
CISPA is intended to protect America against cyberthreats, but destroys core privacy protections by providing vague definitions and unfettered access to personal communications by companies and government agencies. In one such example, ACM criticized the expansive definition for "cyberthreat information," which could "encompass everything from port scans to destruction of entire networks." We agree, and voiced identical concerns when CISPA was first released.
Vague definitions are accompanied by a vague standard for companies to make "reasonable efforts to limit the impact on privacy." Though the standard is well intended, ACM correctly identifies that the vague standard "fails to invoke any framework, standards, oversight, or controls to be used" for personal information. They also conclude that the bill creates "no meaningful support for collection minimization" and shares information that "could have nothing to do with cybersecurity"—problems that we have consistently highlighted in our commentary on CISPA. These large gaps in privacy protections highlight some of the core shortfalls we have voiced about CISPA.
Digital civil liberties groups, companies, and computer researchers are glad ACM joined the opposition to CISPA. The upcoming bills in the Senate share many similarities to CISPA and must be stopped. This is the reason why we vow to take the fight to the Senate, ask you to sign our petition against the Cyberspying Bills, and tweet your Congressmen.
As well it should be. The open access movement, which began well over a decade ago, is garnering more and more attention lately. Earlier this year, we saw the resounding defeat of the misguided Research Works Act, which would have severely restricted the amount of research that could be released under open access conditions. A group of researchers launched the "Cost of Knowledge" campaign responding to the proposal, and allowed other academics to publicly boycott the bill’s primary supporter, the publishing behemoth Elsevier. In response to that boycott and other pressure, Elsevier withdrew its support for the Research Works Act in February, effectively killing the bill.
Of course, open access has long had the support of many scholars and major universities. For example, Harvard is among a large and growing group of schools that requires open access as a matter of policy. And earlier this year, the Harvard Faculty Advisory Council went a step further, issuing a memo that said "major periodical subscriptions cannot be sustained," and urging all faculty to submit their work to specifically open access journals. That memo was a wakeup call: if even Harvard was worried about the cost of academic journals, imagine the impact that cost must be having on institutions that don't have access to the same level of resources.
But now non-academics are paying attention, too, as the 25,000 signatures on the Access2Research petition attest. That support may reflect increased attention to issues related to copyright since January's blackout protests against the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA). Traditional journals insist that scholars sign over the copyright to their work, and then leverage those rights to charge institutions and taxpayers exorbitant fees for subscriptions or single articles — even though these are the same institutions and taxpayers who supported the original research. By contrast, open access journals allow any users to "read, download, copy, distribute, print, search, or link to the full texts of their articles, crawl them for indexing, pass them as data to software, or use them for any other lawful purpose, without financial, legal, or technical barriers other than those inseparable from gaining access to the internet itself."
Support for open access then, like opposition to bills like SOPA and PIPA, is a common-sense position that has traditionally been hampered by a concentrated lobby in Washington working against the diffuse public interest. Online activism campaigns are helping to focus and target that diffuse interest to make real change. What is more, we're moving from reacting to bad proposals toward promoting a positive copyright agenda. Open access should be a central piece of that platform.
We now know how much we can achieve when we work together with a shared goal. The challenge now is to harness that to a shared understanding of the direction of travel, if perhaps not the precise route. But if we, with all the diversity of needs and views that this movement contains, can find the core of goals that we all agree on, then what we now know is that we have the capacity, the depth, and the strength to achieve them.
1. The petition is still open for new signatures, in case you haven't signed and wish to.
Editor's note: On Tuesday, June 12, it was reported (in Persian) that Ronaghi Maleki had ended his hunger strike and that his demands had been met.
Nearly halfway through 2012, Iran's escalating campaign against freedom of expression--which we wrote about back in January--continues. The latest story to emerge from the country is that of Hossein Ronaghi Maleki, a blogger who has recently embarked on a hunger strike in protest of his 15-year prison sentence as well as authorities' refusal to grant him prison leave despite a severe medical condition. According to Amnesty International, Ronaghi Maleki developed kidney disease while in prison, has undergone at least four operations, and now requires another to remove his left kidney.
Ronaghi Maleki is yet another casualty of Iran's war against freedom of expression. Arrested in December 2009 at the age of 27, he was taken to Tehran's Evin Prison, where he spent 376 days in solitary confinement before being sentenced to fifteen years in prison for the crimes of "spreading propaganda against the regime," "membership of the Internet group Iran Proxy" and "insulting the Iranian supreme leader [Ayatollah Ali Khamenei] and the president [Mahmoud Ahmadinejad]."
Today, supporters of the young blogger are raising awareness on Twitter using the hashtag #SaveMaleki, which Amnesty International has incorporated into a letter-writing campaign, encouraging supporters to write to officials demanding Ronaghi Maleki's immediate release. Details on joining Amnesty's campaign are available here.
Hossein Ronaghi Maleki is a prisoner of conscience, his "crime" the peaceful exercise of expressing himself online. EFF supports Amnesty International's call for Ronaghi Maleki's immediate and unconditional release.
Worried about the Lieberman-Collins Cybersecurity Act? You should be. As we've explained before, it poses serious threats to online rights. Here's a one-page handout you can use as a reference. It's great for sharing with friends, handing to Senate staffers, publishing online, or using as talking points when explaining the issue to someone for the first time. Download it here and please spread it around!
The Cybersecurity Act (S. 2105) Threatens Online Rights
The Cybersecurity Act (S. 2105), sponsored by Sen. Lieberman and Sen. Collins, compromises core American civil liberties in the name of detecting and thwarting network attacks. While Internet security is of the utmost importance, safeguarding our networks need not come at the expense of our online freedoms. That’s why civil liberties groups, security experts, and Internet users oppose this bill.
The Cybersecurity Act is fundamentally flawed and dangerous for online rights:
The bill uses dangerously vague language to define "cybersecurity threat indicators" (information that companies can share with the government), leaving the door open to abuse (intentional or accidental) in which companies share protected user information with the government without a judge ever getting involved.
Data collected under the Cybersecurity Act can be shared with law enforcement for non-cybersecurity purposes if it “appears to relate to a crime” either past, present, or near future. This is overbroad and contrary to the spirit of our Constitution. Senator Wyden, talking about a similar provision in CISPA, noted “They would allow law enforcement to look for evidence of future crimes, opening the door to a dystopian world where law enforcement evaluates your Internet activity for the potential that you might commit a crime.” The CSA suffers the same "future crime" flaw.
If companies overstep their authority, violating the privacy of Internet users for non-cybersecurity purposes or oversharing sensitive data with the government, it will be very difficult for individuals to hold these companies accountable by taking them to court. The bill puts incredibly high burdens on the plaintiff in such a case to prove that a company was not monitoring for the purpose of detecting cybersecurity threats and did not have a "good faith" belief that they were allowed to do it (whether they are right or wrong); or that they "knowingly" and "willfully" violated the restrictions of the law. Furthermore, the bill allows companies to bypass much of preexisting law designed to limit company disclosure of private communications – bedrock privacy law like the Wiretap Act and the Electronic Communications Privacy Act.
The Cybersecurity Act would allow sensitive private communications to flow to the NSA, a U.S. military agency — contrary to a long held value that military agencies should not be engaged in collecting data on American citizens.
This bill has been criticized by open government groups who rightly point out that the bill creates new exemptions to FOIA—making it that much harder for people to understand how much and what kind of data is being shared with the government and ensure that the government and companies do not abuse this authority.
There is much our country can and should do to safeguard our networks, but sacrificing the civil liberties of Internet users is neither desirable nor necessary for that goal. As a constituent and an Internet user concerned about my online rights, I urge my Senator to support privacy protective amendments and oppose the Cybersecurity Act.
In an important ruling for free speech, the Court of Appeals for the Seventh Circuit today affirmed that a parody of a popular online video called "What What (In the Butt)" (NSFW, unless you happen to work at EFF!) was a clear case of fair use and that the district court's early dismissal of the case was correct.
South Park aired the "What What" parody in a 2008 episode critiquing the popularity of absurd online videos. Two years later, copyright owner Brownmark Films sued Viacom and Comedy Central, alleging copyright infringement. Recognizing the episode was an obvious fair use, a federal judge promptly dismissed the case. Brownmark appealed, claiming that fair use cannot be decided on a motion to dismiss, no matter how obvious. Viacom fought back, and EFF filed an amicus brief in support, explaining that being able to dismiss a case early in litigation—before legal costs can really add up—is crucial to protect free speech and discourage frivolous litigation.
The appeals court agreed, calling the district court’s decision “well-reasoned and delightful”:
We hold that the district court could properly decide fair use on [an early motion] . . . Despite Brownmark’s assertions to the contrary, the only two pieces of evidence needed to decide the question of fair use in this case are the original version of WWITB and the episode at issue.
The opinion joins a growing body of precedent affirming that it's proper to dismiss some copyright cases early, and that it's possible in appropriate cases to determine whether a use is noninfringing without engaging in lengthy discovery. These rulings are important not only to protect speech, but also in fighting back against copyright trolls. Trolls depend on the threat of legal costs to encourage people to settle cases even though they might have legitimate defenses. Citing EFF’s brief, the Seventh Circuit acknowledged the problem:
[I]nfringement suits are often baseless shakedowns. Ruinous discovery heightens the incentive to settle rather than defend these frivolous suits.
Exactly. We’re pleased to see another court strike a blow in favor of free speech and explicitly recognize the growing problem of abusive copyright claims. Let’s hope future courts follow suit.