For a majority of users, the Internet is a space that encourages free expression and the valuable exchange of ideas. Unfortunately, there are numerous cases around the world in which various forces act to silence people's voices online.
Today is World Day Against Cyber-Censorship, a day to remind ourselves that the Web continues to be a fractured battleground for free speech, and to rally users in fighting repression of online speech. Reporters Without Borders also created this day to celebrate the work of brave individuals who have promoted free expression on the Internet. The annual Netizen Prize is awarded to bloggers, online journalists, and cyber-dissidents, who have demonstrated exceptional dedication to this cause.
EFF remains dedicated to reporting cases of online censorship from all regions of the world, and to emphasize the importance of online anonymity in preserving individuals’ right to free speech. On our ongoing feature, This Week in Censorship, we cover global stories of imprisoned bloggers, filtered content, blocked websites, and instances of Internet disconnection.
A broad array of reasons are offered as justification for censorship. Bloggers in Thailand face imprisonment for criticizing the monarch. In Pakistan, the Telecommunications Authority has blocked websites, banned words from SMS texts, and most recently, has released a request for proposals to build a national blocking and filtering system: All in the name of fighting “obscene content.” The Turkish government has implemented a so-called “democratic” opt-in filtering mechanism for content that is deemed unsuitable for children and families.
Another common trend is censorship enabled in the name of battling copyright violations. Through our Global Chokepoints project, we are monitoring instances of pro-copyright laws that justify filtering of content, websites blockages, or Internet disconnection to fight infringement.
Censorship remains rampant in the Middle Eastern region. In Syria, Iran, and elsewhere, bloggers continue to face imprisonment, and common users have limitedaccess to content online due to state-mandated blocking and filtering programs.
Late Friday, the federal district court in Nevada issued a declaratory judgment that makes it harder for copyright holders to file lawsuits over excerpts of material and burden online forums and their users with nuisance lawsuits.
The judgment – part of the nuisance lawsuit avalanche started by copyright troll Righthaven – found that Democratic Underground did not infringe the copyright in a Las Vegas Review-Journal newspaper article when a user of the online political forum posted a five-sentence excerpt, with a link back to the newspaper's website.
Judge Roger Hunt’s judgment confirms that an online forum is not liable for its users’ posts, even if it was not protected by the safe harbors of the Digital Millennium Copyright Act’s notice and takedown provisions.The decision also clarifies that a common practice on the Internet – excerpting a few sentences and linking to interesting articles elsewhere – is a fair use, not an infringement of copyright.
Righthaven CEO Steven A. Gibson dreamed of making himself rich off of lawsuits over trivial uses of newspaper articles.Instead, his company is in ruins, his legal theories have been emphatically rejected and he is under investigation by the Nevada State Bar. His financial backer, an LLC affiliated with the Stephens family (who own the Review-Journal), lost a substantial investment with nothing to show for it. Hopefully this example will serve as a warning to those who are considering profiteering through the court system.In the mean time, we can take some small comfort that the debacle led to good rulings on fair use and online infringement.
This case began when Democratic Underground -- represented by the Electronic Frontier Foundation, Fenwick & West LLP, and attorney Chad Bowers -- was sued by Righthaven.The copyright troll asserted, falsely, that it owned the copyright in the article, which remains available for free on the Review-Journal website.Democratic Underground countersued, asking the court to rule that the excerpt did not infringe copyright and is a fair use of the material, and brought Stephens Media, publisher of the Review-Journal, into the case.
Last June, the Nevada federal court dismissed Righthaven's infringement case because the newspaper publisher was the true owner of the article, but Democratic Underground's counterclaim against Stephens Media continued. After initially attempting to defend the bogus assertion of copyright infringement, Stephens Media conceded it was incorrect, paving the way for the court’s declaration.
The original lawsuit against Democratic Underground was dismissed when Judge Hunt found that Righthaven did not have the legal authorization to bring a copyright lawsuit because it had never owned the copyright in the first place. Righthaven claimed that Stephens Media had transferred copyright to Righthaven before it filed the suit, but a document unearthed in this litigation -- the Strategic Alliance Agreement between Righthaven and Stephens Media -- showed that the copyright assignment was a sham, and that Righthaven was merely agreeing to undertake the newspaper's case at its own expense in exchange for a cut of the recovery. In addition to dismissing Righthaven's claim, Judge Hunt sanctioned Righthaven with fines and obligations to report to other judges its actual relationship with Stevens Media.Righthaven, however, has refused to pay the sanctions, without explanation.
Righthaven has filed hundreds of copyright cases based on its sham copyright ownership claims. Despite several attempts by Righthaven and Stephens Media to re-write their Strategic Alliance Agreement, eight judges have ruled against the scheme to turn copyright litigation into a business. Righthaven, which was founded by Las Vegas attorney Gibson exclusively to file lawsuits, has never won a single case, and has been held liable for several defendants’ attorneys fees.
While Righthaven has appealed seven of the district court decisions against it, it failed to meet important filing deadlines in the appeals court, and only three cases are currently moving forward in the Ninth Circuit Court of Appeals. After Righthaven failed to pay the fees judgments against it, a receiver was appointed to auction off its assets and pay its debts.Righthaven’s domain name was auctioned earlier this year, and last week another Nevada federal judge ordered Righthaven’s intellectual property assets transferred to the receiver.
Meanwhile, Righthaven has continued to refuse to cooperate in the collection efforts against it, failing to pay judgments, provide documents about its assets or -- lately -- even show up at court hearings.Righthaven was ordered to show cause why it should not be held in contempt of court in another case, Righthaven v. DiBiase.EFF, Wilson Sonsini Goodrich & Rosati, and Chad Bowers represent Mr. DiBiase. A contempt hearing is set for March 20, where we will be seeking sanctions against Righthaven and CEO Gibson.
Coders, free speech advocates, game developers, and a host of others flocked to Mighty in San Francisco on March 8 for EFF’s 22nd birthday bash. It was a terrific reunion for a community united in the fight to keep the Internet free and open and to protect free speech and privacy rights in the digital realm. EFF would like to thank the Humble Bundle for helping to make the evening possible.
Plenty of guests came decked out in their EFF garb, joining the ranks of those who made appearances on Twitter earlier that day for wearing their EFF swag to work.
Also in attendance at the EFF bash was local shutterbug Luke Thomas of the San Francisco blog Fog City Journal. Check out his photos below.
EFF would like to extend a huge thank you to everyone who came out to celebrate our birthday party. Thanks to Trash80, CrashFaster, and Dual Core for keeping things lively. Thanks to Luke Thomas for shooting stellar photos. And Thanks to the Fogcutter food truck for serving up delicious California-style fare.
On Tuesday March 6, the French National Assembly (Assemblée Nationale) passed a law proposing the creation of a new biometric ID card for French citizens with the justification of combating “identity fraud”. More than 45 million individuals in France will have their fingerprints and digitized faces stored in what would be the largest biometric database in the country. The bill was immediately met with negative reactions. Yesterday more than 200 members of the French Parliament referred it to the Conseil constitutional, challenging its compatibility with Europeans' fundamental rights framework, including the right to privacy and the presumption of innocence. The Conseil will consider whether the law is contrary to the French Constitution.1
The new law compels the creation of a biometric ID card that includes a compulsory chip containing various pieces of personal information, including fingerprints, a photograph, home address, height, and eye color. Newly issued passports will also contain the biometric chip. The information on the biometric chip will be stored in a central database. A second, optional chip will be implemented for online authentication and electronic signatures, which will be used for e-government services and e-commerce.
François Pillet, a French senator, called the initiative a time bomb for civil liberties, warning that those interested in protecting civil liberties must stop the creation of a database that could be transformed into a dangerous, draconian tool.2 EFF couldn’t agree more. Last year, Privacy International, EFF, and 80 other civil liberties organizations asked the Council of Europe to study whether biometrics policies respect the fundamental rights of every European. Governments are increasingly demanding storage of their citizens’ biometric dataon chips embedded into identity cards or passports, and centrally kept on government databases, all with little regard to citizens’ civil liberties.3 France’s National Commission on IT and Freedoms (CNIL) also published a report criticizing the creation of the centralized biometric database.
France does not have a good track record of initiatives involving biometric identification. In 2009, it introduced biometric passports—which proved to be a disaster. Last year, the French Minister of the Interior admitted that 10 percent of biometric passports in circulation were fraudulently obtained. It is therefore ironic that the justification for the biometrics bill was that it is needed to combat identity fraud.
Biometric databases posed a mission-creep threat since the data can be used for reasons beyond identity fraud. The French legislation lists certain crimes in which authorities could use the biometric databases to identify suspects. History has shown that databases in France created for one purpose have been used for others: In 1998 for example, France created a national DNA database of sex offenders, but its scope was expanded to include data from those convicted of other serious violent criminal offences and terrorism. 4 The database was later expanded to include the data of those who committed a wide range of offenses. 5 Anyone suspected of any crime is now compelled to submit a DNA sample as well.
Moreover, the measure is non-proportionate, given that there are less than 10,000 annual instances of fraudulent identity documents reported in France. It is difficult to argue that this justifies fingerprinting and face digitization of an estimated 45 million individuals and storing this information in a central biometric database.
Disturbingly, it seems that there may be other motives behind this bill, besides the prevention of identity fraud. Several documents suggest that French smart cards and biometrics companies, such as Morpho, Oberthur, Thalès, and Gemalto, have been lobbying heavily for the creation of a national biometric identity card as a means of creating domestic market opportunities for French smart card and biometrics companies. Senator Jean-René Lecerf, who introduced the bill, bluntly noted that while French companies are leaders in biometrics technologies, they do not sell anything domestically. He claims that this creates an export disadvantage compared to competitors based in the United States.
EFF urges the Conseil constitutionnel to consider the negative implications of the new law on the rights and freedoms of French citizens, and especially noting the vast disproportionality to its aims. Furthermore, France’s poor track record on biometric passports and databases expanded far beyond their original purpose does not bode well for the success of this new law. This invasive law brings undue interference into citizens’ private lives. The Conseil constitutionnel should reject it as unconstitutional.
Some notable tweets about the bill:
(In German) https://twitter.com/#!/unwatched/statuses/177773053789470720
(In French) https://twitter.com/#!/Skhaen/statuses/177843296327045120
1. The Conseil is the main authority to rule on whether or not laws that are challenged are in fact unconstitutional.
2. Direct quote (in French): "Monsieur le ministre, nous ne pouvons pas, élus et Gouvernement, en démocrates soucieux des droits protégeant les libertés publiques, laisser derrière nous – bien sûr, en cet instant, je n’ai aucune crainte, en particulier parce que c’est vous qui êtes en fonction – un fichier que d’autres, dans l’avenir, au fil d’une histoire dont nous ne serons plus les écrivains, pourraient transformer en un outil dangereux, liberticide."
3.Other countries with compulsory biometric ID cards or cards that contain a chip with identifying information about the holder in Europe include Albania, Portugal and Spain, with various other countries considering their implementation.
A new iPhone app called Highlight is poised to be this year's breakout hit at South by Southwest, the Austin tech and media conference that has become known as a web service kingmaker after launching services like Twitter and Foursquare to a wide audience in years past. In the context of a major tech conference, Highlight makes an appealing promise: let it run in the background of your phone, persistently collecting your location data, and it will notify you when your friends, their friends, or people with shared interests are nearby. Highlight is only the most prominent in a collection of apps offering this sort of "ambient social networking."
Instead, upon installation, the application tells the user that it requires a connection to her Facebook profile and access to her iPhone's location sensors. Unlike “check in” services like Foursquare, Highlight collects and shares location data with other users continuously unless you manually pause it.
It doesn't take much imagination to figure out how sending such a steady stream of location data to a third party with no posted privacy or data retention policy could go very wrong: the application could be indefinitely storing location histories on their servers for every user, including likely interactions between them. Further, Highlight has access not only to locally stored personal data but also can access the Facebook photos, profile details, and other data on that service.
In other words, in the process of installing and authorizing this app, users don’t know how much information they are handing over. Without more details about their policies and practices, how confident can they be in the security of that data against the threat of government subpoenas, unauthorized intrusions, or rogue employees?
Highlight's creators are probably well-intentioned, and their practices seem to be common in the world of mobile app development. But "industry standard" is no defense, and as companies like Path and Hipster have learned the hard way, the right time to implement good privacy and security practices isn't after there's been a problem and bad media coverage -- it's during the initial development.
App developers need to think about both policies and practices from a privacy perspective, and do their part to respect their users from the ground up. Highlight may yet come out of South by Southwest as the most-buzzed about new service. But unless they remedy their privacy problems, they could be undone just as quickly by another privacy scandal.
Like many operating systems, Ubuntu stores information about how you use your computer. This is often convenient because it helps you quickly open recently used documents or search recently used folders. But it also means that anyone with access to your computer can learn these things as well. In the upcoming release, Ubuntu 12.04 (currently in beta, to be released April 26) is introducing operating system-wide privacy settings that let you delete portions of your activity log, disable logging for specific types of files and applications, or disable activity logging altogether.
Keep in mind that these settings only apply to the GNOME activity log. Many other parts of your operating system log things by default and that logging needs to be disabled separately, if it is possible at all. For example browsers like Firefox and Chrome keep a history of all the websites you visit by default; instant messenging programs like Pidgin and Empathy log your chats by default; when you open a terminal and type commands, those commands get logged to ~/.bash_history; when you use vim, a history of your vim commands gets logged to ~/.viminfo; and a history of everyone who logs into your computer and every command that gets run as sudo gets logged to /var/log/auth.log.
Retrofitting operating systems to support privacy against local attackers is a worthy objective, but not an easy one [pdf]. We hope that Ubuntu and other projects will be in this for the long haul. The first step is probably defining clear API and mechanisms to enable non-GNOME applications to be told about the user's preferences for logging, and opening a lot of bug reports to get them respected.
For now, you can now delete your GNOME activity log from the past hour, day, week, a specific date range, or everything stored on your computer.
You are also able to keep your activity log but not log anything for specific types of files or for specific folders. You might want to, for example, not log any activity in /media/truecrypt1.
You can choose not to log activity for specific applications. This does not disable all logging from those applications. If you add Pidgin to this list, Ubuntu won't save any activity logs for Pidgin, but your chat history still gets saved by default. You need to edit Pidgin's preferences to disable this behavior.
You can optionally send anonymous usage information to the Ubuntu developers. This is disabled by default and requires administrator access on the computer to enable.
And finally, if you want to completely disable all activity logging on your computer, you can turn the Record Activity switch from ON to OFF.
Congress is doing it again: they’re proposing overbroad regulations that could have dire consequences for our Internet ecology. The Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523), introduced by Rep. Mike Rogers and Rep. Dutch Ruppersberger, allows companies or the government1 free rein to bypass existing laws in order to monitor communications, filter content, or potentially even shut down access to online services for “cybersecurity purposes.” Companies are encouraged to share data with the government and with one another, and the government can share data in return. The idea is to facilitate detection of and defense against a serious cyber threat, but the definitions in the bill go well beyond that. The language is so broad it could be used as a blunt instrument to attack websites like The Pirate Bay or WikiLeaks. Join EFF in calling on Congress to stop the Rogers’ cybersecurity bill.
Under the proposed legislation, a company that protects itself or other companies against “cybersecurity threats” can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company under threat. But because “us[ing] cybersecurity systems” is incredibly vague, it could be interpreted to mean monitoring email, filtering content, or even blocking access to sites. A company acting on a “cybersecurity threat” would be able to bypass all existing laws, including laws prohibiting telcos from routinely monitoring communications, so long as it acted in “good faith.”
The broad language around what constitutes a cybersecurity threat leaves the door wide open for abuse. For example, the bill defines “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”
Yes, intellectual property. It’s a little piece of SOPA wrapped up in a bill that’s supposedly designed to facilitate detection of and defense against cybersecurity threats. The language is so vague that an ISP could use it to monitor communications of subscribers for potential infringement of intellectual property. An ISP could even interpret this bill as allowing them to block accounts believed to be infringing, block access to websites like The Pirate Bay believed to carry infringing content, or take other measures provided they claimed it was motivated by cybersecurity concerns.
The language of “theft or misappropriation of private or government information” is equally concerning. Regardless of the intent of this language, the end result is that the government and Internet companies could use this language to block sites like WikiLeaks and NewYorkTimes.com, both of which have published classified information. Online publishers like WikiLeaks are currently afforded protection under the First Amendment; receiving and publishing classified documents from a whistleblower is a common journalistic practice. While there’s uncertainty about whether the Espionage Act could be brought to bear against WikiLeaks, it is difficult to imagine a situation where the Espionage Act would apply to WikiLeaks without equally applying to the New York Times, the Washington Post, and in fact everyone who reads about the cablegate releases. But under Rogers' cybersecurity proposal, the government would have new, powerful tools to go after WikiLeaks. By claiming that WikiLeaks constituted “cyber threat intelligence” (aka “theft or misappropriation of private or government information”), the government may be empowering itself and other companies to monitor and block the site. This means that the previous tactics used to silence WikiLeaks—including a financial blockade and shutting down their accounts with online service providers—could be supplemented by very direct means. The government could proclaim that WikiLeaks constitutes a cybersecurity threat and have new, broad powers to filter and block communication with the journalistic website.
Congress is intent on passing cybersecurity legislation this year, and there are multiple proposals in the House and the Senate under debate. But none is as poorly drafted and dangerously vague as the Rogers bill. We need to stop this bill in its tracks, before it can advance in the House and before the authors can negotiate to place this overbroad language into other cybersecurity proposals.
Internet security is a serious problem that needs to be addressed. But we don’t need to sacrifice our civil liberties to do so. Help us safeguard the web by contacting Congress today.
1. Even though “self-protected entities” are discussed in a section of the bill regarding the private sector, the bill actually defines a “self-protected entity” as “an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.” This language could well be interpreted to encompass the government.
UPDATE (3/13/12): After public pressure, PayPal has revised their policy for censoring publishers of erotic ebooks. We are pleased with the new, speech-friendly policy. See our press release, PayPal's statement, and a statement from the National Coalition Against Censorship.
EFF and a coalition of civil liberties organizations and publishers is calling on PayPal to reverse a policy that shuts off payment services to publishers of certain forms of erotic literature. Under the policy, PayPal has threatened to shut down the accounts of online publisher Smashwords and others, unless they eliminate erotica featuring incest, rape, and bestiality. As scholars and booksellers can attest, these are themes prevalent in many forms of literature, from Grecian myths to the Bible. EFF joined ACLU of California, American Booksellers Foundation for Free Expression, Authors Guild, National Coalition Against Censorship, and others in sending a joint letter to PayPal condemning this policy as contrary to free speech.
Unfortunately, this is not the first time we’ve seen a payment services provider interfering with access to lawful speech. As we saw when Mastercard, Visa, and PayPal created a financial blockade against the whistleblower website WikiLeaks, financial service providers are an important part of the chain of intermediaries upon which online communication depends. When even one of those intermediaries caves to pressure or takes on a censorial role, our rights to read and speak freely are jeopardized. We need to send a signal to all back-end service providers that they have no business interfering with the distribution of lawful content.
As the National Coalition Against Censorship and the American Booksellers Foundation for Free Expression explained in a recent public letter:
The policy positions PayPal as contemporary exponent of its own Index Librorum Prohibitorum. The Catholic Church’s Index of Prohibited Books, like the Hays code in the film industry, has long since lost favor with the American public, and there is no reason to think that they would welcome PayPal in a similar role. The commitment to free speech is firmly embedded in our society, legally and culturally.
And as the ACLU of Northern California explained in their statement against this form of censorship, "Free speech isn't so free when booksellers have to choose between hosting legitimate content and earning a living."
If you are an individual, you can use the EFF action center to sign on to our letter to PayPal. And if you are an organization that would like to join our campaign against this form of censorship, please email firstname.lastname@example.org.
Text of Coalition Letter
PayPal, which plays a dominant role in processing online sales, has taken full advantage of the vast and open nature of the Internet for commercial purposes, but is now holding free speech hostage by clamping down on sales of certain types of erotica. As organizations and individuals concerned with intellectual and artistic freedom and a free Internet, we strongly object to PayPal functioning as an enforcer of public morality and inhibiting the right to buy and sell constitutionally protected material.
Recently, PayPal gave online publishers and booksellers, including Book Strand, Smashwords, and eXcessica, an ultimatum: it would close their accounts and refuse to process all payments unless they removed erotic books containing descriptions of rape, incest, and bestiality. The result would severely restrict the public's access to a wide range of legal material, could drive some companies out of business and deprive some authors of their livelihood.
Financial services providers should be neutral when it comes to lawful online speech. PayPal’s policy underscores how vulnerable such speech can be and how important it is to stand up and protect it.
The topics PayPal would ban have been depicted in world literature since Sophocles’ Oedipus and Ovid’s Metamorphoses. And while the books currently affected may not appear to be in the same league, many works ultimately recognized for their literary, historical, and artistic worth were reviled when first published. Books like Ulysses and Lady Chatterley’s Lover were banned as “obscene” in the United States because of their sexual content. The works of Marquis de Sade, which include descriptions of incest, torture, and rape, were considered scandalous when written, although his importance in the history of literature and political and social philosophy is now widely acknowledged.
The Internet has become an international public commons, like an enormous town square, where ideas can be freely aired, exchanged, and criticized. That will change if private companies, which are under no legal obligation to respect free speech rights, are able to use their economic clout to dictate what people should read, write, and think.
PayPal, and the myriad other payment processors that support essential links in the free speech chain between authors and audiences, should not operate as morality police.
ACLU of California
American Booksellers Foundation for Free Expression
American Society of Journalists and Authors
Association of American Publishers
Association of American University Presses
Bill of Rights Defense Committee
Bytes for All, Pakistan
Comic Book Legal Defense Fund
Coming Together, charity publisher
Electronic Frontier Foundation
Feminists for Free Expression
Fight for the Future
Great Lakes Independent Booksellers Association
Independent Book Publishers Assn.
Index on Censorship
National Coalition Against Censorship
New Atlantic Independent Booksellers Association
New England Independent Booksellers Association
Northern California Independent Booksellers Association
Pacific Northwest Booksellers Association
PEN American Center
Reporters Without Borders
Southern California Independent Booksellers Association
Southern Independent Booksellers Alliance
Tunisian Association for Digital Freedom
Unlimited Publishing LLC
Woodhull Sexual Freedom Alliance