The fifth W3C meeting on Do Not Track was held in Washington DC last week. While progress has been made on many aspects of the standard for Do Not Track, several deep disagreements remain between privacy advocates and representatives of the online tracking industry.
Most seriously, ad industry representatives maintain that they need to be allowed to continue setting third-party tracking cookies on browsers that send the Do Not Track HTTP header. This coalition of companies says it "only" wants to track opted-out users for security purposes, market research, testing and improving its various advertising and tracking products, auditing, copyright enforcement and other "legal compliance" purposes, and "frequency capping" in order to manage online advertising campaigns — but not any other purposes.
Privacy advocates have offered to make enormous concessions in order to make Do Not Track adoption practical for Internet advertisers. Most extremely, this could allow companies to retain IP addresses and User Agents for short periods — and for a number of months in order to defend against clickfraud, "impression fraud," and security attacks, provided it is kept separate from other data.1
Despite these extreme concessions, most of the third-party tracking companies in the W3C process have demanded the right to keep setting unique ID cookies and using them for almost any purpose. Unless this situation changes, the W3C will be unable to set a policy standard for "Do Not Track" that actually offers any meaningful privacy for Internet users' reading habits.
In short, industry is trying to twist "Do Not Track" around so that it only means "Do Not Target". If things turn out that way, Internet users who do not want their online reading habits recorded by invisible tracking companies will have only one choice: use ad blocking tools to stop online tracking code themselves. In order for this to work, they will have to block a huge portion of the advertising on the Web, too.
1. These practices are already used by some ad companies, but many others lag behind.
You may have already heard about CISPA, the cybersecurity bill moving quickly through the House that would let companies like Google, Facebook, and AT&T snoop on our communications and hand sensitive user data to the government without a court order. Promoted under the guise of protecting America from cybersecurity attacks, the truth is that this legislation would carve out shockingly large exceptions to the bedrock privacy rights of Internet users.
That’s why EFF is joining a coalition of other organizations in speaking out against this cyber spying bill – and we’re calling on the Internet community to join us.
The goal of Stop Cyber Spying Week is simple: get Congress to back off of any cybersnooping legislation that sacrifices the civil liberties of Internet users. Here’s what you can do to help:
1. Join the Twitter campaign – because Congress is vacuuming up Too Much Information. We’re engaging in a revolutionary kind of Twitter activism. Use our new Congressional Twitter handle detection tool to find your member of Congress on Twitter. Then write them tweets about the kind of things you do online that are none of the government’s business. Show your congressperson the many things you do online – the personal, the mundane, whatever – so they can see just how much personal, unnecessary data could be vacuumed up as a result of the legislation’s dangerously vague language. Use the hashtags #CongressTMI and #CISPA.
.@NancyPelosi Does the military really need to know I signed up for Google+ when it first came out, but haven’t posted since? #CongressTMI Stop #CISPA https://eff.org/r.1X2
2. Send an email to Congress. We need to make it clear to Congress that they can’t push legislation that undermines all existing privacy laws. Use EFF’s action center to email your Congressional representatives to tell them to oppose CISPA.
3. Publish a statement opposing CISPA. Post an update to your blog or social networking site telling folks to join you in opposing any cybersecurity legislation that sacrifices civil liberties.
Congress is currently considering CISPA – the Cyber Intelligence Sharing & Protection Act – a bill that purports to protect the United States from “cyber threats” but would in fact create a gaping loophole in all existing privacy laws. If CISPA passes, companies could vacuum up huge swaths of data on everyday Internet users and share it with the government without a court order. I oppose CISPA, and I’m calling on Congress to reject any legislation that:
* Uses dangerously vague language to define the breadth of data that can be shared with the government.
* Hands the reins of America’s cybersecurity defenses to the NSA, an agency with no transparency and little accountability.
* Allows data shared with the government to be used for purposes unrelated to cybersecurity.
Join me in opposing this bill by posting this statement on your own page and using this online form to send a letter to Congress against CISPA:
4. Make your opposition to CISPA heard. Write op-eds, blog articles, status updates or Tweets. Tell the world why you are opposing CISPA and why Internet users need to be able to read and communicate in private. And keep an eye on the EFF Deeplinks blog – we’ll take a closer look at the grave civil liberties implications of this bill, from its lack of public accountability to why cybersecurity and national security should be kept separate.
What are you doing to oppose CISPA? Tell EFF! Email email@example.com with a description and any relevant links. Also check out our new FAQ about the bill.
This week, EFF—along with a host of other civil liberties groups—is protesting the dangerous new cybersecurity bill known as CISPA, which will be voted on in the House on April 23. EFF has compiled an FAQ detailing how the bill's major provisions work and how they endanger all Internet users' privacy.
Update 1: The White House released a statement on Tuesday criticizing CISPA and said any cybersecurity bill with information sharing provisions "must include robust safeguards to preserve the privacy and civil liberties of our citizens." The White House declared they would not support a bill that would "sacrifice the privacy of our citizens in the name of security." Below are all the ways CISPA would violate that principle.
CISPA stands for The Cyber Intelligence Sharing and Protection Act, a cybersecurity bill written by Rep. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) (H.R. 3523). The bill purports to allow companies and the federal government to share information to prevent or defend from cyberattacks. However, the bill expressly authorizes monitoring of our private communications, and is written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight—effectively creating a “cybersecurity” loophole in all existing privacy laws. Because the bill is so hotly debated now, unofficial proposed amendments are also being circulated and the actual bill language is in flux.
Under CISPA, can a private company read my emails?
Yes. Under CISPA, any company can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company. This phrase is being interpreted to mean monitoring your communications—including the contents of email or private messages on Facebook.
Right now, well-established laws, like the Wiretap Act and the Electronic Communications Privacy Act, prevent companies from routinely monitoring your private communications. Communications service providers may only engage in reasonable monitoring that balances the providers' needs to protect their rights and property with their subscribers' right to privacy in their communications. And these laws expressly allow lawsuits against companies that go too far. CISPA destroys these protections by declaring that any provision in CISPA is effective “notwithstanding any other law” and by creating a broad immunity for companies against both civil and criminal liability. This means companies can bypass all existing laws, as long as they claim a vague “cybersecurity” purpose.
What would allow a company to read my emails?
CISPA has such an expansive definition of "cybersecurity threat information" that many ordinary activities could qualify. CISPA is not specific, but similar definitions in two Senate bills provide clues as to what these activities could be. Basic privacy practices that EFF recommends—like using an anonymizing service like Tor or even encrypting your emails—could be considered an indicator of a “threat” under the Senate bills. As we have stated previously, the bills’ definitions “implicate far more than what security experts would reasonably consider to be cybersecurity threat indicators—things like port scans, DDoS traffic, and the like.”
A more detailed explanation about what could constitute a “cybersecurity purpose” or “cyber security threat indicator” in the various cybersecurity bills can be read here.
Under CISPA, can a company hand my communications over to the government without a warrant?
Yes. After collecting your communications, companies can then voluntarily hand them over to the government with no warrant or judicial oversight whatsoever, as long as the communications contain what the companies interpret to be “cyber threat information.” Once the government has your communications, it can read them too.
Under CISPA, what can I do if a company improperly hands over private information to the government?
Almost nothing. CISPA would affirmatively prevent users from suing a company if they hand over their private information to the government in virtually all cases. A broad immunity provision in the proposed amendments gives companies complete protection from user lawsuits unless information was given to the government:
(I) intentionally to achieve a wrongful purpose;
(II) knowingly without legal or factual justification; and
(III) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm of the act or omission will outweigh the benefit.
As Techdirt concluded, “no matter how you slice it, this is an insanely onerous definition of willful misconduct that makes it essentially impossible to ever sue a company for wrongly sharing data under CISPA.” This proposed immunity provision is actually worse than the prior version of the bill, under which companies could be sued if they acted in “bad faith.”
UPDATE: The most current version has switched back to the standard giving companies immunity as long as they act in "good faith" - still a very weak standard that would leave users with no recourse in virtually all cases.
What government agencies can look at my private information?
Under CISPA, companies can hand “cyber threat information” to any government agency, which then passes that information to the Department of Homeland Security (DHS). Once it’s in DHS’s hands, the bill says that DHS can then hand the information to other intelligence agencies, including the National Security Agency, at its discretion.
Can the government use my private information for other purposes besides “cybersecurity” once they have it?
Yes. When the bill was originally drafted, information could be used for all other law enforcement purposes besides “regulatory purposes.” A new amendment narrows this slightly. Now—even though the information was passed along to the government for only cybersecurity purposes—the government can use your personal information for either cybersecurity or national security investigations. And as long as it can be used for one of those purposes, it can be used for any other purpose as well.
Can the government use my private information to go after alleged copyright infringers and whistleblower websites?
Up until last Friday the answer was yes, and now it’s changed to maybe. In response to the overwhelming protest from the Internet community that this bill would become a backdoor for SOPA 2, the bill authors have proposed an amendment that rids the bill of any reference to “intellectual property.”
The bill previously defined “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” Now the text reads:
(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information
But it is important to remember that this proposed amendment is just that: proposed. The House has not voted it into the bill yet, so they still must follow through and remove it completely.
A more detailed explanation of how this provision could be used for copyright enforcement and censoring whistleblower sites like WikiLeaks can be read here.
What can I do to stop the government from misusing my private information?
CISPA does allow users to sue the government if they intentionally or willfully use their information for purposes other than what is described above. But any such lawsuit will be difficult to bring. For instance, the statute of limitations for such a lawsuit is two years from the date of the actual violation. It’s not at all clear how an individual would know of such misuse if it were kept inside the government.
Moreover, suing the government where classified information or the “state secrets privilege” is involved is difficult, expensive, and time consuming. EFF has been involved for years in a lawsuit over Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the NSA—a likely recipient of “cyber threat information.” Despite six years of litigation, the government continues to maintain that the “state secrets” privilege prevents the lawsuit from being heard.
Given that DHS is notorious for classifying everything—even including their budget and number of employees—they may attempt to prevent users from finding out exactly how this information was ever used. And if the information is in the hands of the NSA and they claim “national security,” then it would get even harder.
In addition, while CISPA does mandate an Inspector General should issue a report to Congress over the government’s use of this information, its recommendations or remedies do not have to be followed.
Why are Facebook and other companies supporting this legislation?
Facebook and other companies have endorsed this legislation because they want to be able to receive information about network security threats from the government. This is a fine goal, but unfortunately CISPA would do far more than that—it would eviscerate existing privacy laws by allowing companies to voluntarily share users’ private information with the government.
Facebook released a statement Friday saying that they are concerned about users’ privacy rights and that the provision allowing them to hand user information to the government “is unrelated to the things we liked about HR 3523 in the first place.” As we explained in our analysis of Facebook’s response: the “stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.” Read more about why Facebook should withdraw support from CISPA until privacy safeguards are in place here.
What can I do to stop this bill?
It’s vital that concerned Internet users tell Congress to stop this bill. Use EFF’s action center to send an email to your Congress member urging them to oppose this bill.
We’re also joining other civil liberties organizations in Stop Cyber Spying Week, a week of action to protest CISPA. The goal of this week of action is simple: get Congress to back off of any cybersnooping legislation that sacrifices the civil liberties of Internet users. We’ve set up a dedicated Twitter tool to help Internet users tweet messages to their Congressional representatives opposing CISPA.
Numerous commentators have noted the sore thumb in the group of supporters for The Cyber Intelligence Sharing and Protection Act (CISPA): Facebook. Why would a social network be endorsing a bill that would allow companies to pass personal information about Internet users to the government without any form of judicial oversight? A number of recent articles have discussed the issue, and already one digital rights group has launched a campaign to convince Facebook to drop support of the bill. In response to the criticisms, Facebook’s Vice President of US Public Policy Joel Kaplan published a statement on Friday admitting that there were privacy concerns with the bill. He also noted that Facebook’s major cybersecurity goal is to receive more data about cybersecurity threats from the government—something that doesn’t necessitate the sweeping data sharing provisions currently outlined in CISPA.
In the statement, Kaplan stated:
[W]e recognize that a number of privacy and civil liberties groups have raised concerns about the bill—in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity.
Even as he noted the civil liberties criticisms, Kaplan assured users that Facebook has "no intention" of sharing private user data with the government and stated that CISPA "would impose no new obligations on us to share data with anyone."
But let’s be clear: Internet users don’t want promises from companies not to intercept our private communications and share that data with one another and the government. We want strong laws that make such egregious privacy violations illegal, that require the government to follow legal process (judicial oversight in most cases), and that allow us or the government to sue persons who break the law. Ironically, hard-won, long-standing privacy laws—like the Wiretap Act and the Electronic Communications Privacy Act—already exist, although they are by no means ideal. There are already too many exceptions that allow the government to gain access to sensitive user data. But CISPA would upend these existing legal protections and leave the door wide open to companies handing sensitive personal information to the government without so much as a subpoena, let alone a warrant.
Kaplan discussed Facebook’s motivation for supporting the bill: "if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems." He also noted that the "things we liked about HR 3523 in the first place—[were] the additional information it would provide us about specific cyber threats to our systems and users." This stated goal of Facebook—namely, for companies to receive data about cybersecurity threats from the government—does not necessitate any of the CISPA provisions that allow companies to routinely monitor private communications and share personal user data gleaned from those communications with the government.
Kaplan expressed hope that Congress would produce "legislation that helps give companies like ours the tools we need to protect our systems and the security of our users’ information, while also providing those users confidence that adequate privacy safeguards are in place." If Facebook wants more timely and accurate data about cybersecurity threats from the government while providing "adequate" privacy safeguards, it should withdraw support from CISPA until those safeguards are in place.
Judges Increasingly Catching On to Copyright Trolls' Unfair Tactics
Life under the bridge is a bit less comfortable for copyright trolls these days, as a series of legal losses continues to undermine their misguided business model. Trolls make their money through variations on a simple scheme: file mass copyright lawsuits against thousands of people at once without regard for whether they're in the right court, get a judge to give them power to obtain identifying information for the anonymous “Does,” and then send settlement demand letters threatening to name these Does in a lawsuit if they don’t pay up. In many cases, troll lawsuits are based on allegations of downloading pornography, creating additional pressure to settle rather than risk the embarrassment of being publicly named as watching dirty movies online.
The strategy may be simple, but courts are increasingly rejecting it. In the past few months, judges around the country have picked up the pace and gone after both the legal tactics used for trolling and the lawyers engaging in them.
One battleground is in Florida, where copyright trolls are on a real losing streak. Earlier this month a federal judge in the Northern District of Florida dismissed 27 cases targeting over 3,500 Does — because the lawyer Tarik Hashmi was practicing without a license.
That victory for the legal system follows two major decisions that have collectively taken a shaky legal tactic off the table for trolls. Florida trolls had attempted to use a state law to force ISPs to identify suspected file-sharers. Two different judges rejected that legal theory, quashing subpoenas or dismissing cases outright for nearly 1000 anonymous defendants. Notably, the motions in these cases were brought by the ISPs themselves, which are not happy to be assisting in the process of extorting their customers.
Those decisions are characteristic of what Northern District of Illinois Judge James F. Holderman called a "stiffening judicial headwind" against copyright trolls’ abuse of the legal system. Judge Holderman provided that analysis in an opinion rejecting conspiracy charges [pdf] brought by a troll on similarly legally suspect grounds.
In the Northern District of California, Judge Howard R. Lloyd has been even more direct with the lawyers bringing troll suits. In an order issued late last month [pdf] in Hard Drive Productions v. Does 1-90 the Judge wrote:
the court will not assist a plaintiff who seems to have no desire to actually litigate but instead seems to be using the courts to pursue an extrajudicial business plan against possible infringers (and innocent others caught up in the ISP net).
It's clear that many judges are running out of patience for extrajudicial shakedown operations wasting court resources and victimizing Internet users at large. The Northern District of Texas Court Judge David C. Godbey granted sanctions motions brought by EFF and Public Citizen late last year against prolific porn troll lawyer Evan Stone, complaining in his opinion about Stone's "staggering chutzpah." Judge Godbey's colleague Judge John McBryde echoed that sentiment in another opinion [pdf], saying that Stone "failed to demonstrate the level of candor the court expects of members of the bar of this court."
Sadly, these judges' views are not universally held: too many courts are letting these cases go forward even after being apprised of their fundamental flaws. Several Internet service providers (with amicus support from EFF) have asked a federal judge who signed off on some of these lawsuits in a widely cited opinion to reconsider her determination or let them raise the issue before an appellate court. With hundreds of cases pending, and hundreds of thousands of individuals' right to anonymity online at stake, it is high time for an appeals court to put some uniformity on the law and stop the trolls’ unsavory tactics.
EFF recently received records from the Miami-Dade Police Department in response to a Public Records request for information on its drone program. These records provide additional insight into domestic drone use in the United States, and they reinforce the importance of public access to information on who is authorized to fly drones inside US borders.
The COA (the FAA Certificate of Authorization) and the other records EFF received show that Miami-Dade’s drone program is quite limited in scope. The two small drones the MDPD is flying—Honeywell T-Hawks—are able to fly up to 10,000 feet high, can record video or still images in daylight or infrared, and can “Hover and stare; [and] follow and zoom,” (pdf) according to the manufacturer. However, the COA limits their use to flights below 300 feet. The drones also must remain within visual line of sight of both a pilot and an observer and can only be flown during the day. They cannot be flown within the Miami city limits or over any high-rise buildings, populated beaches, outdoor assemblies of people, or heavily trafficked roadways (which seems to severely limit their range). Also, the MDPD has stated it doesn’t use the drones to record incidents or store image files and that the drone is set up to “clear the picture upon the next picture being captured.” (It is not clear from MDPD’s records whether the department has another system set up to retain the image files.)
MDPD sent EFF a copy of its “Standard Operating Procedures” for flying the T-Hawks, though these procedures are still in draft form. However, neither they nor the COA discuss any legal restrictions on flights or information collected to protect privacy or civil liberties. MDPD said in a separate email that the department does not require a warrant or any other form of court process prior to flying the drones.
Although EFF would like to see the MDPD incorporating court oversight into its use of drones, we commend the department for following the example of the Texas Department of Public Safety and being forthcoming about its drone program. We hope the FAA will use these agencies as a model as it prepares its response to EFF’s lawsuit and Freedom of Information Act request for copies of all COAs the agency has issued to fly drones domestically.
The United Arab Emirates signed a deal with telecommunications company, Etisalat, to embed citizens' national ID information into mobile phones. They will now be exploring a system that would utilize an NFC or Near Field Communication application, which allows cell phones to communicate data via radio frequency within very close range. The UAE has had a national ID system since 2004, with IDs carrying a chip similar to one on a credit card and holding a person's name, birthday, gender, photograph, fingerprint, and ID number.
Etisalat, based in the UAE, has had a history working with the Emirati government on various initiatives. Notably, the company helped the government develop surveillance malware to be installed on Blackberry devices. However, it was quickly revealed that the "network upgrade" in disguise was in fact meant to spy on its mobile users.
EFF has long opposed national ID systems because they are fraught with potential for abuse in every aspect of their creation and operation. Not only are they extremely costly to implement, the risk of fraudulent and flawed identification cards is very serious: these cards need to be distributed on such a scale that even a small percentage of errors could cause major social disruption. Moreover, such a mass collection of data leaves a high potential for abuse by both private and public actors.
Since carrying an ID card is mandatory in the UAE, this may mean that Emirati citizens could be required to carry their phones on them at all times. The objectives behind implementing this system are currently unknown. However, integrating personal data with mobile phones can only bring trouble.
47% of All Internet Users Experience Censorship, Says OpenNet Initiative
According to the OpenNet Initiative (ONI)--a joint initiative of Harvard University, the University of Toronto and the SecDev Group--47% of the world's Internet users experience some form of fractured Internet. ONI bases their research on technical testing in 74 countries, 42 of which the researchers found engage in "some form of filtering of content." Though the aforementioned statistic (47%, or 960 million Internet users) includes countries like Morocco that engage only in "selective" blocking of websites, 31% of the world's Internet users live in countries that engage in "substantial" or "pervasive" online censorship.
Vietnam Aiming to be Enemy #1 (of the Internet)
Vietnam--which has been named an "enemy of the Internet" by Reporters Without Borders two years in a row--appears to be vying for first place on that list, in light of two recent news items. The first is a report that claims that the trial of eleven detained activists, including several bloggers, is "imminent." The report, from Radio Free Asia, describes the charges against the activists as "part of a larger crackdown" on activists and citizen journalists in the country.
In separate news, a brief from exiled political organization Viet Tan outlines a new decree by Vietnam's government that would require Internet users to register with their real names. In addition, it would require foreign Internet companies to relocate their data centers and establish local offices in Vietnam. According to Viet Tan, "These new rules could have serious consequences for companies such as Google and Facebook which have millions of Vietnamese users but are not physically located in the country." The draft decree, which can be found on Viet Tan's website, is dubbed "Decree on the Management, Provision, Use of Internet Services and Information Content Online."
EFF will be closely following the developments surrounding this proposed decree.
Iran Denies Plans to Cut Off Citizens from Internet
While Iran has not backtracked on its plans for a "halal Internet", this week Iranian authorities condemned a rumor that the country was planning to cut its citizens off from the global Internet by August. While that's all well and good, as MSNBC points out, "a firewalled Internet, much like those in China and North Korea, is not propaganda. In Iran, it's not a matter of if, but when."
Chinese Internet Users Cut Off--Briefly--From the World
For more than an hour on Thursday, Chinese Internet users were cut off from the global Internet, while Chinese sites were inaccessible from users outside of mainland China. While the cause of the blackout has not yet been determined, several media outlets theorized that it was either a result of the massive earthquakes near Sumatra (that may have damaged an undersea cable) or that the "Great Firewall" was undergoing routine maintenance.