Earlier today, the Federal Trade Commission (FTC) released its final report on digital consumer privacy issues after more than 450 companies, advocacy groups and individuals commented on the December 2010 draft report. The final report creates strong guidelines for protecting consumer privacy choices in the online world. The guidelines include supporting the Do Not Track browser header, advocating federal privacy legislation, and tackling the issue of online data brokers. We’re pleased by the flexible and user-centric nature of the privacy report, but we will continue to monitor how such principles are actually enacted.
Do Not Track & W3C
Echoing the support from the Obama Administration in its recent privacy white paper, the FTC praised the Do Not Track flag, which would provide an in-browser setting that users could use to tell companies that they do not want to be tracked around the web. While acknowledging the important steps media and advertising consortiums like the Digital Advertising Alliance have made toward better informing users about how behavioral advertising works, the FTC emphasized the World Wide Web Consortium’s (W3C) ongoing effort to craft meaningful standards to govern tracking in its multistakeholder process, which includes representatives from EFF. These meaningful standards will ensure that Do Not Track does not become a weakened "Do Not Target" standard. The Commission report stated: “The W3C group has made substantial progress toward a standard that is workable in the desktop and mobile settings, and has published two working drafts of its standard documents. The group’s goal is to complete a consensus standard in the coming months.”
The issue of Do Not Track versus Do Not Target is fundamental to online behavioral tracking. In a dissenting opinion, Commissioner J. Thomas Rosch raised questions about industry figures such as the Digital Advertising Alliance’s influence on W3C process: “It may be that the firms professing an interest in self-regulation are really talking about a “Do Not Target” mechanism, which would only prevent a firm from serving targeted ads, rather than a “Do Not Track” mechanism, which would prevent the collection of consumer data altogether.”
We share Commissioner Rosch’s concerns. EFF is working through the W3C process with the good faith belief that the consensus end-result will provide users with a meaningful form of protection from tracking, not just the display of targeted advertisements. By continuing to engage in this forum with both industry figures and other consumer advocates, EFF is committed to ensuring that a real Do Not Track mechanism is created and we’re sending representatives to Washington D.C. next month to fight for users and innovators in the next W3C meeting.
We were pleased that the FTC sang the praises of the HTTPS Everywhere Firefox Addon (developed by EFF and the Tor Project) as a mechanism to give users privacy and security when they browse the web. If you haven’t downloaded HTTPS Everywhere, you should do it now—it’s free in both senses of the word and we’ve even got a beta version available for Chrome.
Advocacy groups like the Privacy Rights Clearinghouse and the World Privacy Forum have done substantial work articulating the privacy concerns around data brokers. “Data brokers” is a loose term to describe a wide amalgamation of different companies who collect data on individuals through public, semi-public, and occasionally private sources in both the online and offline worlds and then repurpose this data for business purposes, such as selling data in bulk to large advertisers or creating websites that list individual profiles of individuals. As the FTC correctly noted, many consumers are unaware that these companies exist. As the Privacy Rights Clearinghouse explains on its site, companies in this largely unregulated industry may not offer users a way to opt out of having data included in broker lists, may charge fees to have data removed, and may repost data at a later date that was suppressed at a user’s request.
The FTC articulated the problems with data brokers and reaffirmed its support for legislation that would provide individuals with access to their personal data held by these companies. In addition, the FTC urged the data broker industry to create a central website that would explain the access rights and other options (e.g. opt out choices) available to consumers and links to exercising these choices. Notably, the Privacy Rights Clearinghouse has already gotten things started with its Online Data Vendors List.
We think this is a strong first step, but the FTC could easily have urged data brokers to provide a single website through which users can opt-out of having their data listedby any online data brokers. Right now, not all data brokers provide users with a method to opt-out of having their data personally display personal data listed. A user who wants her information removed from these sites has little legal weight to force companies to respect her choice. One exception to this is California’s recently passed Personal Information: Internet Disclosure Prohibition. Introduced by Senator Ellen Corbett, the law prohibits websites from intentionally posting the home addresses of individuals enrolled in California’s Safe at Home program (such as victims of stalking and domestic violence who enroll in the state-wide address protection program). Outside of this very narrow category of users, individuals have no right to have their data suppressed from publicly displayed data broker records.
In general, we’re pleased by the new privacy framework set forth by the Commission. We hope Congress, the Commerce Department, and industry figures will turn to it as they continue crafting policy around user data in coming years.
You might remember that late last year, Congress passed the America Invents Act, a largely toothless law that fails to address many of the biggest problems facing the patent system. In implementing that new law, the Patent and Trademark Office issued proposed guidelines for certain supplemental examination procedures. The PTO also recommended a huge increase in fees for filing certain patent reexaminations. As you might guess, this is a terrible idea.
It's vitally important that public interest groups like EFF and small entities who may lack substantial resources be able to participate in reexams at the PTO. Raising the fees for filing reexams to $17,750 (for filing alone!) promises to discourage that important third-party participation, which the Patent Office claims to care much about. Today, we filed comments with the Patent Office saying as much, and urging the Office to reconsider the fee increase – or at least carve out an exception for public interest groups and other small entities. The Patent Office should use this opportunity to encourage the type of participation in the reexam process that benefits inventors, users, and an agenda that promotes innovation.
On Thursday, U.S. Attorney General Eric Holder signed expansive new guidelines for terrorism analysts, allowing the National Counter Terrorism Center (NCTC) to mirror entire federal databases containing personal information and hold onto the information for an extended period of time—even if the person is not suspected of any involvement in terrorism. (Read the guidelines here).
Despite the “terrorism” justification, the new rules affect every single American. The agency now has free rein to, as the New York Times’ Charlie Savage put it, “retrieve, store and search information about Americans gathered by government agencies for purposes other than national security threats” and expands the amount of time the government can keep private information on innocent individuals by a factor of ten.
The guidelines will lengthen to five years — from 180 days — the amount of time the center can retain private information about Americans when there is no suspicion that they are tied to terrorism, intelligence officials said. The guidelines are also expected to result in the center making more copies of entire databases and “data mining them” using complex algorithms to search for patterns that could indicate a threat. (emphasis ours)
Journalist Marcy Wheeler summed the new guidelines up nicely saying, “So…the data the government keeps to track our travel, our taxes, our benefits, our identity? It just got transformed from bureaucratic data into national security intelligence.”
The administration claims that the changes in the rules for the NCTC—as well as for the Office of the Director of National Intelligence (DNI), which oversees the nation’s intelligence agencies—are in response to the government’s failure to connect the dots in the so-called “underwear bomber” case at the end of 2009, yet there was no explanation of how holding onto innocent Americans’ private data for five years would have stopped the bombing attempt.
Disturbingly, “oversight” for these expansive new guidelines is being directed by the DNI’s "Civil Liberties Protection Officer" Joel Alexander, who is so concerned about Americans’ privacy and civil liberties that he, as Marcy Wheeler notes, found no civil liberties concerns with the National Security Agency’s illegal warrantless wiretapping program when he reviewed it during President George W. Bush’s administration.
As other civil liberties organizations have noted, the new guidelines are reminiscent of the Orwellian-sounding “Total Information Awareness” program George Bush tried but failed to get through Congress in 2003—again in the name of defending the nation from terrorists. The program, as the New York Timesexplained, sparked an “outcry” and partially shut down Congress because it “proposed fusing vast archives of electronic records — like travel records, credit card transactions, phone calls and more — and searching for patterns of a hidden terrorist cell.”
The New York Timesreported, the new NCTC guidelines “are silent about the use of commercial data — like credit card and travel records — that may have been acquired by other agencies,” but information first obtained by private corporations has ended up in federal databases before. In one example, Wired Magazinefound FBI databases contained “200 million records transferred from private data brokers like ChoicePoint, 55,000 entries on customers of Wyndham hotels, and numerous other travel and commercial records.” The FBI would be one of the agencies sharing intelligence with the NCTC.
Despite Congress’ utter rejection of the “Total Information Awareness” program (TIA) in 2003, this is the second time this month the administration has been accused of instituting the program piecemeal. In his detailed report on the NSA’s new “data center” in Utah, Wired Magazine’s James Bamford remarked that the new data storage complex is “the realization” of the TIA program, as it’s expected to store and catalog “all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches.”
Unfortunately, the new NCTC guidelines are yet another example of the government using the word “terrorism” to infringe on the rights of innocent Americans. Aside from the NSA’s aforementioned warrantless wiretapping program, we have seen the Patriot Act overwhelmingly used in criminal investigations not involving terrorism, despite its original stated purpose. As PBS Frontline’s Azmat Khan noted in response to the new guidelines, investigative journalist Dana Priest has previously reported how “many states have yet to use their vast and growing anti-terror apparatus to capture any terrorists; instead the government has built a massive database that collects, stores and analyzes information on thousands of U.S. citizens and residents, many of whom have not been accused of any wrongdoing.”
This problem has been well documented for years, yet Congress and both the Bush and Obama administrations have continued to use terrorism as a justification for expansive laws, and Americans’ constitutional rights have become collateral damage.
Reps. Joe Baca and Frank Wolf have introduced a bill this week that would require game publishers to add a "clear and conspicuous" warning label to most new video games. HR 4204, the Violence in Video Games Labeling Act, is only the most recent in a series of legislative attempts to restrict or otherwise hinder speech in the form of interactive media.
Even though it is not required by law, many video game developers have been self-regulating games for age-level and content with Entertainment Software Ratings Board (ESRB) ratings since 1994. That system is widely understood in the marketplace, and allows consumers and parents to make informed decisions about their video game purchases.
But under the proposed law, a label that says "WARNING: Exposure to violent video games has been linked to aggressive behavior" would be a required addition for all games rated E (Everyone), E10+ (Everyone 10 and older), M (Mature), or A (Adult), regardless of the contents of the game. Only games released with an EC (Early Childhood) rating would be excluded from the labeling requirement. So games like Tiger Woods PGA Tour 13 or Carmen Sandiego Adventures in Mathwould require the warning, but you could get away without for Dora's Ballet Adventure.
Rep. Baca tries to cloak his anti-speech bill by the inapt comparison for tobacco warning labels in the press release announcing the bill. But while there is a wealth of proof that cigarettes are dangerous, studies simply haven't conclusively demonstrated a causal link between video games and aggressive behavior. One recent study, for example, indicated that "exposure to video game violence was not related to any negative outcomes." [pdf]
Further, in a recent Supreme Court decision to strike down a California law restricting the sale of violent video games to minors, the justices emphatically rejected studies that purport to show such a link: "California relies primarily on the research of Dr. Craig Anderson and a few other research psychologists whose studies purport to show a connection between exposure to violent video games and harmful effects on children. These studies have been rejected by every court to consider them, and with good reason."
Not only that, but the Court expressly affirmed the robust First Amendment protection due to video games: "Video games qualify for First Amendment protection. Like protected books, plays, and movies, they communicate ideas through familiar literary devices and features distinctive to the medium." (EFF joined the Progress & Freedom Foundation in filing a brief in that case.)
It's no surprise, then, that Baca's earlier similar proposals have been unsuccessful. The video game blog Kotaku has compared this new bill to the ones Baca introduced in 2009 and 2011 and found only minor differences. Most notable among them: this most recent proposal raises the stakes, covering a broader selection of games and specifying a harsher warning text.
The California law's Supreme Court defeat gives it the highest profile, but there have been other such laws don't make it as far as the Supreme Court. Every other state law that has been challenged on First Amendment grounds has failed lower court scrutiny. Similar laws have been struck down in Louisiana and Illinois, for example, and defeated in Massachusetts.
While these examples went further than Baca's proposal, beyond warning labels to actually restricting the sale of games, the courts have been clear: video games are legally protected speech, and can’t be singled out for special restrictions.
Rep. Baca needs to know that these repeated attempts at misguided legislation based on pseudo-science are not excusable just because they target a new medium. Video games may be a newer art form than the novel, the fairy tale, or the epic poem, but they are no less deserving of constitutional protection.
Tell your Representative today: it's time to stand against HR 4204. If we want to maintain the same level of cultural vibrancy in this new art form as we've enjoyed for all others, we must recognize and protect the freedom of expression embodied within.
In the wake of a horrific rampage, in which Mohamed Merah (now dead after a 32-hour standoff with police) reportedly murdered three French soldiers, three young Jewish schoolchildren, and a rabbi, President Nicolas Sarkozy of France has begun calling for criminal penalties for citizens who visit web sites that advocate for terror or hate. "From now on, any person who habitually consults Web sites that advocate terrorism or that call for hatred and violence will be criminally punished," Sarkozy was reported as saying.
Apart from the obvious flaws in Sarkozy's plan--users, can, of course, use anonymizing tools to view the material or simply access it from a variety of locations to avoid appearing as "habitual" viewers--there are numerous other reasons to be concerned about criminalizing access to information.
First, there's no guarantee that criminalizing access to hate speech or terrorist content will end the very real problems of hate crime and terrorism. Extremist violence didn't start with the Internet and it won't end with it, either.
Second, who defines "hate speech"? In France, that definition includes Holocaust denial, which in the past resulted in Yahoo! discontinuing auctions of Nazi memoribilia (the collectors of which are not, by any stretch, all sympathizers). And negative comments about France's Muslim community have also resulted in criminal penalties, most notably in the case of actress Brigitte Bardot, who has been convicted five times for "inciting racial hatred." While Holocaust denial and comments about Muslims such as those made by Bardot may be deplorable, they should not be criminal.
Finally, while Sarkozy is not--yet--calling for websites to be blocked, it wouldn't be a stretch; after all, France already offers mechanisms for blocking child pornography and "incitement to terrorism and racial hatred." If Sarkozy were to decide censorship is the answer, one major risk would be overblocking: there's nary a country in the world that censors the Internet without collateral damage (in Australia, for example, testing on a would-be censorship regime found the site of a dentist blocked, among others).
EFF has serious concerns about the implications of Sarkozy's comments. When a democratic country such as France decides to censor or criminalize speech, it is not just the French that suffer, but the world, as authoritarian regimes are given easy justification for their own censorship. We urge French authorities to judge crime on action, not expression.
Salvadoran site threatened for reporting on organized crime
According to a report from the Committee to Protect Journalists (CPJ), Salvadoran site El Faro is under threat for investigative reporting conducted in February 2011 on an organized crime network in Northeast El Salvador. The crime ring, said CPJ, involved gang leaders, prominent businessmen, and local politicians, and resulted in journalists from the news site being followed and photographed. CPJ notes that Salvadoran journalists who report on organized crime in the country often report feeling threatened.
Extrajudicial threats allow governments to maintain the appearance of openness while simultaneously cracking down on speech. EFF is concerned for the safety of El Faro's reporters and joins CPJ in demanding the Salvadoran government accountable for their well-being.
China blocks "Ferrari" from social media after fatal crash
Following a fatal car crash in Beijing involving an unidentified Ferrari driver, the Chinese government has ordered the word "Ferrari" to be censored across the country's social networks. According to the Guardian:
Before the clampdown, the sinosphere was rife with rumour that he was the son of a party official. Bo Guagua, son of the recently disgraced Bo Xilai, was named initially; then speculation turned to the illegitimate son of politburo member Jia Qinglin. China's middle classes, who earn about £10 a day, want to know how the children of party bosses can get a car worth $200,000 (£126,000).
Indian court drops lawsuit against Microsoft
Back in December, a series of criminal and civil lawsuits were filed in Delhi courts against Microsoft, Google, and 19 other companies for hosting "objectionable content" on their sites. Yesterday, it was reported that at least one of those lawsuits--against Microsoft--has been terminated by the Delhi High Court after the company argued that there was neither a complaint nor evidence against the company. Yahoo was also reportedly dropped from the case.
While this is good news, Google, Facebook, and the other companies still face lawsuits and may be ordered to filter large volumes of data posted on their social sites. EFF believes that intermediaries must not be held responsible for third-party content and urges the Indian government to consider protections for intermediaries. Not only are intermediary protections good for free expression; they're also good for business.
Obama administration offers help to Iranian citizens
As part of both its broader efforts to address Internet freedom and its efforts to connect with individual Iranian citizens, the Obama administration has issued new guidelines that would allow American companies to more easily export communications tools to Iranians. The announcement was made in a video message by President Obama on the occasion of the Iranian holiday Nowruz.
In an interview with Mashable, Greg Sullivan, the State Department’s senior advisor for strategic communications on Iran, stated that the administration's approach is about "reaching out to Iranian citizens who 'aren't part of the regime,' people who they think 'have had their voice taken away' by the Iranian government."
While EFF is glad to see efforts being made to ensure Iranians can connect, we have concerns that others--including citizens of Syria and Sudan--are not being offered similar concessions. To that end, we will continue to monitor the situation and provide suggestions on how to ensure the free flow of communications tools.
Last week, RIAA CEO Cary Sherman confirmed that the country's largest ISPs will voluntarily roll out by July 1 a "graduated response" program aimed at discouraging unauthorized downloading. A Memorandum of Understanding published last summer outlines the program, which was developed without user feedback. Under the new system, a rightsholder accusing an ISP subscriber of infringment will trigger a series of ever-increasing consequences. The responses are graduated in the sense that they escalate after each accusation, beginning with steps aimed at educating users about copyright and culminating in the Orwellian-sounding "mitigation measures" -- bandwidth throttling or account suspension.
One key problem is the arrangement shifts the burden of proof: rather than accusers proving infringement before the graduated response process starts against a subscriber, the subscriber must disprove the accusation in order to call a halt to it. Worse, accused subscribers have to defend themselves on an uneven playing field. For example, they have only ten days to prepare a defense, and with only six pre-set options available. Of course, there's no assurance that those who review the cases are neutral, and the plan sorely lacks consequences for an accuser who makes mistaken or fraudulent claims.
There are still more problems. The plan calls for "education" after the first accusations, but based on the information now available on the website launched last year by the Center for Copyright Information (the entity charged with administering the system), it's likely to be both deceptive and scare-mongering. And the whole system lacks in transparency: while it includes some minimal reporting requirements, those reports need not be made public.
The final rub: subscribers will doubtless be paying for their own "re-education," as ISPs pass on their portions of the administration costs in the form of higher fees.
What can users do at this point? In some cases, they can vote with their feet. This agreement is voluntary for now, and while the participating ISPs include many major companies -- AT&T, Verizon, Comcast, Cablevision, and Time Warner Cable -- there are other options. Users lucky enough to have a choice of providers for their Internet service should consider switching to a service that opted not to "cooperate." For example, companies like Sonic and Cox Communications have a history of fighting for their users where they can, and are notably absent from this arrangement.
Otherwise, users have little choice for now but to watch their ISP roll out this new system against their interests, and maybe familiarize themselves with the six pre-approved responses available to them after an accusation. EFF will continue to follow developments in this agreement closely, and will be offering users a way to speak out against it soon. Stay tuned to updates about these actions on our EFFector mailing list, or by following EFF on Identi.ca or Twitter.
When it comes to the government's ability to search your electronic devices at the border, we've always maintained that the border is not an "anything goes" zone, and that the Fourth Amendment doesn't allow the government to search whatever it wants for any (or no) reason at all. And this week, the Ninth Circuit Court of Appeals agreed to rehear a case that gave the government carte blanche to search through electronic devices at the border.
In September 2011, EFF and the National Association of Criminal Defense Lawyers filed an amicus brief (PDF) before the Ninth Circuit, asking it to rehear its decision in United States v. Cotterman(PDF), which dramatically expanded the "border search" doctrine that generally allows law enforcement to search a person coming across the international border without a warrant or any suspicion of wrong doing. Cotterman involved a man who attempted to cross into the United States from Mexico at the Arizona border. Customs agents kept him at the border for 8 hours without suspecting him of carrying anything illegal. They seized two laptops and a digital camera without a search warrant, and transported them 170 miles to Tuscon. Still without a search warrant, they searched the hard drives and computers for two days, until they found child pornography on the computers and arrested Cotterman. A three judge panel of the Ninth Circuit found the warrantless search reasonable under the Fourth Amendment as a "border search," despite the fact the search took place far from the actual border. Our amicus brief echoed the warning of dissenting judge Betty Fletcher, who wrote that the majority's decision “gives the Government a free pass to copy, review, categorize, and even read all of that information in the hope that it will find some evidence of any crime.”
On Monday, the entire court took our (and Judge Fletcher's) warning into account and agreed to rehear the case (PDF). In reconsidering the case and the implications it has for all international travelers coming into the United States, we're hopeful the court will get it right this time, and find such a dangerous expansion of the "border search" doctrine unreasonable under the Fourth Amendment. And while waiting for the court's decision, international travellers entering the United States should check out our guide for protecting your electronics during international travel, "Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices."