In India, a massive effort is underway to collect biometric identity information for each of the country’s 1.2 billion people. The incredible plan, dubbed the “mother of all e-governance projects” by the Economic Times, has stirred controversy in India and beyond, raising serious concerns about the privacy and security of individuals’ personal data.
The plan is moving ahead at a clip under the auspices of the National Population Register (NPR) and the Unique ID (UID) programs, separately governed initiatives that have an agreement to integrate the data they collect to build the world’s largest biometric database. Upon enrollment, individuals are issued 12-digit unique ID numbers on chip-based identity cards. For residents who lack the necessary paperwork to obtain certain kinds of employment or government services, there’s strong incentive to get a unique ID. While the UID program is voluntary, enrollment in the NPR program is mandatory for all citizens.
The NPR program's stated objectives are to streamline the delivery of government services such as welfare or subsidies, prevent identity fraud, and facilitate economic development, but some critics contend that the plan has its roots in an agenda focused on national security. Indian journalist Aman Sethi argues in a New York Times Op-Ed that the NPR originated with a 1992 government campaign to deport undocumented Bangladeshi immigrants, and that the creation of a comprehensive identity database was intended “exclusively to assist law enforcement.” And while UID was originally created to target India’s poorest 200 million citizens to facilitate service delivery, it has since been expanded to cover the country’s entire population.
The UID program is administered by the Unique Identity Authority of India (UIDAI), an executive body created to oversee the issuance of unique ID numbers for the stated purpose of facilitating access to benefits and services. At the helm of UID is Nandan Nilekani, a billionaire who made his fortune in the tech industry before ascending to his current role as chairman of the UIDAI.
While the NPR program has been moving ahead since 2004 with a relatively low level of public opposition, the more recently introduced UID project has sparked controversy. UID took center stage during a political feud last December when Parliament’s Standing Committee on Finance rejected a bill establishing the National Identification Authority of India, which would have granted the UID program statutory mandate. Although the bill was submitted in 2010, the UIDAI had already begun processing individuals and issuing numbers pending Parliamentary approval of the legislation, operating under the authority of the executive branch. The committee rejected the reasoning that they had the authority to do so, calling the program’s legality into question.
In late January, a compromise deal was struck between the NPR and the UID program administrators following a political turf war, when officials announced “the NPR and UID projects would proceed side by side to ensure that all Indian citizens have a unique number by June 2013.” Project administrators from UIDAI and India’s Ministry of Home Affairs, which oversees the Indian Census and the NPR program, announced that they would collaborate to de-duplicate the data to eliminate overlap for integration purposes.
Collecting Biometric Data
To date, some 170 million individuals have been registered in the UID program. To perform the data collection, the UIDAI has executed Memoranda of Understanding (MOU) with partners -- including states, union territories and 25 financial institutions -- to act as registrars for implementing the scheme, according to a Parliamentary committee report.
The registrars, in turn, contract with tech firms such as Wipro, a company that has issued at least 6 million UID numbers in Maharashtra. Agents gather the data by going from village to village to set up processing camps, toting laptops and scanning equipment along with them and scrambling to process as many individuals as possible each day. In addition to demographic information, individuals’ biometric information is collected with iris scanners, fingerprint scanners, and face cameras that employ facial recognition technology. Morpho, a technology company, is a primary UID contractor that develops and maintains systems to crosscheck new applications by sifting through the biometrics database and prevent actual or fraudulent duplication.
The UID program is known as Aadhar, which also refers to the unique 12-digit number citizens are issued upon enrollment. According to recent news reports, a pilot program will link Aadhar with financial and banking services in 50 districts in a move that the UIDAI program director says will “change the financial landscape of the country.”
Nilekani has championed the UID program as a tool that can aid low-income sectors of India’s population by streamlining the delivery of public services and creating a system that is more inclusive to the poor. Yet R. Ramakumar of the Tata Institute of Social Sciences in Mumbai pushes back against this point in an op-ed in The Hindu, charging, “the UID would be an alibi for the state to leave the citizen unmarked in the market for social services.”
And if the interviews with Delhi’s poorest residents in this report are any indication, there’s also a danger that some marginalized individuals could slip through the cracks altogether.
An issue of greater concern, however, is that the biometric database could open the door to significant violations of personal privacy. The Aadhar system became mired in controversy last December surrounding the Parliamentary Standing Committee on Finance’s rejection of legislation that would have given it statutory mandate. In a report, lawmakers based their disapproval on concerns about security, data theft and the fact that a national data protection law has yet to be enacted.
“The collection of biometric information and its linkage with personal information of individuals without statutory amendment appears to be beyond the scope of subordinate legislation,” committee members wrote.
They also seized on the risk, uncertainty, and potential for privacy violations that would be ushered in under the massive scheme:
“Considering the huge database size and possibility of misuse of information, enactment of a national data protection law, which is at a draft stage, is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate database…The committee is afraid that the scheme may wind up being dependent on private agencies…”
Despite these concerns, the UID program continues, while at the same time, biometric data collection for the NPR moves ahead on a separate track. Mandatory registration for all citizens in the NPR went into effect with the 2004 amendment of the Citizenship Act, providing that “the Central Government may compulsorily register every citizen of India and issue National Identity Card[s].”
Civil Society Responds
The Center for Internet and Society (CIS) has criticized the system due to design flaws that pose security and privacy concerns.
"We don’t need Aadhar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a ‘billions-of-users scale on the Internet with reasonable security,” CIS Director Sunil Abraham noted in a Business Standard op-ed. “The UID project based on the so-called ‘infallibility of biometrics’ is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies.
"Biometrics are poor authentication factors because once they are compromised they cannot be re-secured unlike digital signatures. Additionally, an individual’s biometrics can be harvested remotely without his or her conscious cooperation. The iris can be captured remotely without a person’s knowledge using a high-res digital camera." (For more detailed information on CIS's work on India's UID program, see here, here, here, here, here, and here.)
Delhi-based NGOs have also condemned UID as an affront to civil liberties that violates citizens' basic constitutional right to privacy.
In his Op-Ed, Ramakumar echoes Indian economist Amartya Sen in arguing that the system could open the door to abuse by law enforcement:
“There is a related concern: police and security forces, if allowed access to the biometric database, could extensively use it for regular surveillance and investigative purposes, leading to a number of human rights violations. As Amartya Sen has argued elsewhere, forced disclosure and loss of privacy always entailed ‘the social costs of the associated programs of investigation and policing.’ According to him, ‘some of these investigations can be particularly nasty, treating each applicant as a potential criminal.’"
Meanwhile, famed activist Arundhati Roy voiced scathing criticism against India’s biometric collection scheme, saying, “The UID is a corporate scam which funnels billions of dollars into the IT sector. To me, it is one of the most serious transgressions that is on the cards. It is nothing more than an administrative tool in the hands of a police state.”
It is irrationally excessive to collect this sensitive biometric data in a centralized nation-wide ID scheme. The massive collection of biometric information in a centralized ID scheme is neither necessary nor proportionate in a democratic society.
EFF has documented (here, here, and here) the function creep risks that this data collection poses to privacy and security, including in those countries with data protection laws like the European Union. Informed analysis of the long-term consequences of the misuse and secondary uses of this data collection and its impact on people’s lives should have been given to all citizens before the collection even started. There is still time to ask the Indian government to dismantle that colossal database, like the UK did.
Today, we join the Free Software Foundation in celebrating a Day Against DRM. DRM software restricts the way users can interact with content, which hits close to home for an organization like EFF. Even worse, "anti-circumvention" laws that regulate whether users can bypass DRM, like section 1201 of the DMCA, effectively give that software the force of law.
A decade ago, most of the major players in the music industry were committed to using DRM on their products, restricting the devices users could use to play the songs they had purchased. Since then, that practice has all but disappeared, giving choice back to users and opening the market for more innovation.
For years, we've been arguing that cell phone location data should only be accessible to law enforcement with a search warrant. After all, as web-enabled smartphones become more prevalent, this location data paints an incredibly revealing portrait of your every move. As we've waged this legal battle, the government has naturally disagreed with us, claiming that the Stored Communications Act authorizes the disclosure of cell phone location data with a lesser showing than the probable cause requirement demanded by a search warrant.
Since the new year, a number of significant developments have led to increased awareness on this important topic. First, the Supreme Court issued its landmark decision in United States v. Jones, which held that the warrantless attachment of a GPS device on a car violated the Fourth Amendment's right to be free from unreasonable government searches. In concurring opinions, Justices Sotomayor and Alito both noted that technology had the power to shrink privacy, particularly with respect to locational privacy, as the information gleaned from web-enabled smartphones supplanted the need for law enforcement to physically install GPS devices in order to track someone. Then in March, we filed an amicus brief along with a number of other civil liberties organizations, urging the Fifth Circuit Court of Appeals to rule that cell phone location data requires a search warrant. In April, the ACLU released the results of a coordinated FOIA request that found law enforcement officials throughout the country were routinely obtaining cell phone location tracking information with differing legal methods and standards, and were frequently getting this information without a search warrant.
It's this last point -- the differing standards for disclosure and legislative attempts to make those standards uniform -- that sets up Weinstein's comments (you can hear the full audio here). Noting that Jones requires a warrant for GPS data, but that courts have reached conflicting opinions on whether a search warrant is necessary for cell phone location tracking records that are held by wireless company providers, he rightfully noted "there really is no fairness and no justice when the law applies differently to different people depending on which courthouse you're sitting in." But unfortunately, the DOJ's solution for this problem is for Congress to say that cell phone location tracking records held by third parties -- typically the cell phone providers -- are not subject to the search warrant's probable cause requirement, as it would "cripple" law enforcement. To be clear, despite Weinstein's comments that he's only speaking for himself, DOJ's explicit position is that no warrant is necessary, as that's what they've consistently told courts, including the Fifth Circuit.
The problem with the DOJ's position is that it fails to take into account privacy. The only way to ensure "fairness" and "justice" is to demand that our Fourth Amendment rights not be violated by law enforcement working closely with cell phone providers to access your location information without your knowledge. We've already seen that despite the ruling in Jones, law enforcement and the wireless industry are finding ways to continue their pre-Jones practices of warrantless surveillance amid a stunning lack of transparency. We're slowly seeing legislative action in the right direction on these important issues. On the federal level, Senator Ron Wyden (D-Or) has proposed the GPS Act, which would require law enforcement to obtain a search warrant to access location information. In California, we sponsored a bill with the ACLU of Northern California to require law enforcement to get a search warrant anytime it wants location information about another person in California. And earlier this week, Representative Ed Markey (D-Mass) sent a request (PDF) to the biggest wireless carriers, demanding information about their relationship with law enforcement.
Requiring the police to obtain a search warrant -- the traditional method for balancing law enforcement needs with individual privacy -- and demanding the wireless industry be transparent about how they deal with law enforcement requests for location information are critical steps in the right direction, towards "fairness" and "justice," location privacy and transparency.
After a year-long seizure and six more months of secrecy, the court records were finally released concerning the mysterious government takedown of Dajaz1.com – a popular blog dedicated to hip hop music and culture. The records confirm that one of the key reasons the blog remained censored for so long is that the government obtained three secret extensions of time by claiming that it was waiting for “rights holders” and later, the Recording Industry Association of America, to evaluate a "sampling of allegedly infringing content" obtained from the website and respond to other “outstanding questions.”
In other words, having goaded the government into an outrageous and very public seizure of the blog, the RIAA members refused to follow up and answer the government’s questions. In turn, the government acted shamefully, not returning the blog or apologizing for its apparent mistake, but instead secretly asking the court to extend the seizure and deny Dajaz1 the right to seek return of its property or otherwise get due process. The government also refused to answer Congressional questions about the case. ICE finally released the domain name in December of 2011, again with no explanation.
It’s not hard to guess what some of the unanswered “outstanding questions” might have been. Dajaz1.com was seized with much fanfare by the Immigration and Customs Enforcement (ICE) division of the Department of Homeland Security over the 2010 Thanksgiving weekend. It was widely reported at the time that Dajaz1 should never have been targeted, that much of the blog’s content was lawful, and that many of the allegedly infringing links were given to the site’s owner by artists and labels themselves – including Kanye West, Diddy, and a vice president of a major record label. So, at a minimum, we imagine the government was asking the RIAA to provide some evidence that the seizure was justified in the first place.
EFF teamed with the California First Amendment Coalition, represented by Josh Koltun, and our efforts were joined by Wired, in seeking the unsealing of the court records. Confronted with the prospect of having to defend the ongoing secrecy in court even after it had returned the domain, the government agreed to allow the records to be unsealed.
Now that the full court records are out, this seizure raises critical questions about the government’s use of its new powers to shut down lawful speech in the form of domain seizures for alleged copyright infringements. It also demonstrates the basic unfairness of the processes and secrecy invoked here and possibly in hundreds of other domain name seizures across the country. For nearly a year, the government muzzled Dajaz1.com – denying the blog’s author the right to speak and the public’s right to read what was published there – and then compounded matters by claiming extreme secrecy and blocking Dajaz1's and the public’s access to information about the case.
Equally troubling, the records confirm what was already suggested by the initial affidavit used to obtain the seizure order: that ICE, and its attorneys, are effectively acting as the hired gun of the content industry at taxpayers' expense. Instead of relying on rightsholders to determine whether a seizure was appropriate, the government should have been conducting its own thorough investigation. If it had acted in anything like good faith, it could have determined that the site wasn't a proper target even before the seizure, or at least could have discovered and rectified the mistake before a year had passed.
Today, governments and organizations around the globe are celebrating World Press Freedom Day, marked by the United Nations in Tunisia this year at a week-long conference. As usual, the U.S. will play a prominent role in the celebration, with the State Department sending its own delegation, and a U.S. representative delivering remarks at the opening ceremony.
But as the State Department touts its press freedom record in a press release today and encourages other countries to improve their own laws, it’s also important to critically look at the U.S.’s current approach to press freedom, in particular their statement that “the United States honors and supports media freedom at home and abroad.”
Journalists' sources in the U.S. have been the hardest hit in recent years. The current administration has used the Espionage Act to prosecute a record six whistleblowers for leaking information to the press—more than the rest of the previous administrations combined. Many of these whistleblowers have exposed constitutional violations such as the NSA’s warrantless wiretapping program and the CIA’s waterboarding practices—issues clearly in the public interest—and now face years in prison. Meanwhile, the Justice Department has brought no prosecutions for the crimes underlying the exposed allegations.
In addition, a grand jury is reportedly still investigating WikiLeaks for violations of the Espionage Act for publishing classified information—a practice that has traditionally been protected by the First Amendment and which other newspapers engage in regularly. It would not only be completely unprecedented to prosecute a publisher under the archaic statute, but would also endanger many U.S. based publications like the New York Times. And as former State Department spokesman P.J. Crowley has remarked, the U.S. government’s investigation into WikiLeaks undermines the United States’ ability to pressure countries like Russia and China to allow greater press freedom.
The U.S. also has repeatedly detained Oscar-nominated filmmaker and journalist Laura Poitras at the border. Poitras has received critical acclaim for two films she has produced about the U.S.' post-9/11 wars, and is in the midst of making her third film on the subject. As Glenn Greenwald reported, “On several occasions, her reporter’s notebooks were seized and their contents copied, even as she objected that doing so would invade her journalist-source relationship,” clearly violating her rights as a reporter.
And while the State Department said today that they “advocate for freedom of expression and raise media freedom issues, including specific cases, in bilateral discussions with other governments and in multilateral bodies,” the administration has come under fire for lobbying the Yemeni government to keep prominent Yemeni journalist Abd al-Ilah Haydar Al-Sha’i in jail. Al-Sha'i has aggressively covered civilian casualties resulting from US drone strikes in the region and has previously worked for multiple US publications such as ABC News and the Washington Post.
On the local level in the U.S., many police departments have engaged in heavy-handed tactics against the press covering political protests, most notably Occupy Wall Street protests. Journalists have been harassed, assaulted and over 70 have been arrested. An assortment of news organizations led by the New York Times have formally complained to the NYPD about such behavior, and a recent lawsuit alleges constitutional violations stemming from such incidents.
These arrests caused the U.S. to plummet 27 places in Reporters Without Borders’ World Press Freedom rankings to 47th overall.
Traditionally, the United States has sought to stand as a shining example to emerging democracies in how it should treat its press, and by and large the U.S. still enjoys the best press freedoms in the world. But these recent incidents have put a stain on that reputation. The U.S. needs to lead by example if it wants to see further progress, or we risk seeing the gains we’ve made over the past century disappear into the abyss of hypocrisy and lack of care.
As Justice Hugo Black once remarked, “Only a free and unrestrained press can effectively expose deception in government.” The U.S. has demonstrated agreement with the statement applied abroad, but the only way to promote press freedom is to practice it at home as well.
UPDATE: Late last week, the FBI returned the seized server to the colocation facility that May First/People Link and Riseup shared. Yesterday, May First released video footage of the server's return. As we learn more details about the situation, we'll keep you posted.
The FBI is at it again -- executing broad search warrants, disrupting legitimate Internet traffic, and getting nothing in return.
Since the end of March, a number of anonymous bomb threats have been emailed to the University of Pittsburgh. Through its investigation, the FBI discovered the threats were being relayed through a server hosted by the progressive cooperative Internet Service Provider (ISP) May First/People Link (May First). The server was used by the European Counter Network (ECN), an Italian based activist group, and stored in a colocation facility in New York shared by May First and Riseup, an organization that provides secure communication tools for activists around the world. When the FBI paid May First a visit at their offices in New York, May First reached out to EFF, and we agreed to help. The next day the FBI returned to May First's offices, this time with a subpoena, requesting information about the server. We helped them respond to the subpoena and May First turned over what minimal information it had; namely that the server was running the anonymous remailer program Mixmaster, which removes header information and, similar to Tor, reroutes email in order to maintain a sender's anonymity.
The fact that the FBI's investigation led them to an anonymous remailer should have been the end of the story. It should have been obvious that digging deeper wouldn't lead to helpful information because anonymous remailers don't always leave paper trails. They're specifically designed with the capability to turn logging off in order to maintain anonymity.[1] And if logging was turned off -- as it was here -- there would be nothing useful to be gained by examining the servers.
Nonetheless, on April 18, the FBI seized the server from the colocation facility shared by May First and Riseup with a search warrant (PDF). The actual investigative effect of the seizure was zero. Even after the server was seized, the bomb threats continued. No arrests have been made. And while one group came forward and claimed responsibility, so far nothing suggests any connection to the seized server.
More troubling, however, is the collateral damage. The search warrant authorized the seizure of emails, communications, and files contained on the server, as well as records of IP addresses connected to the server and the dates and time of those connections. And the server was used by a wide range of people who had nothing to do with the bomb threats. As May First and Riseup explained in their joint press release:
Disrupted in this seizure were academics, artists, historians, feminist groups, gay rights groups, community centers, documentation and software archives and free speech groups. The server included the mailing list “cyber rights” (the oldest discussion list in Italy to discuss this topic), a Mexican migrant solidarity group, and other groups working to support indigenous groups and workers in Latin America, the Caribbean and Africa. In total, over 300 email accounts, between 50-80 email lists, and several other websites have been taken off the Internet by this action. None are alleged to be involved in the anonymous bomb threats. The seized machine did not contain any riseup email accounts, lists, or user data. Rather, the data belonged to ECN.
Yet the expansive search warrant contained no limitations to curb law enforcement's ability to rummage through the server, and look at anything it wanted. Sadly, it's not the first time the government's heavy hand went too far and resulted in an expansive -- and expensive -- seizure of digital devices.
EFF's clients, the Long Haul Infoshop and East Bay Prisoner Support (EBPS), recently settled a lawsuit over an improper FBI and police raid of their offices. The Long Haul case started back in 2008, when the FBI and the University of California, Berkeley Police Department (UCBPD) were working together to investigate a series of threats emailed to animal researchers at UC Berkeley. Law enforcement determined the emails were sent from an Internet Protocol (IP) address assigned to the Long Haul Infoshop in Berkeley, California, a collective and community meeting place that provided internet access to the public. If law enforcement had been more diligent and thoughtful, they would have taken the time to figure out what, if any, useful information they could obtain by looking at the public access computers, since they had no information connecting the Long Haul organization itself with the emails. Yet, the police instead applied for -- and were granted -- a search warrant that authorized the search of all computers and storage drives in the building. The FBI and UCBPD cut the locks, entered the Long Haul, and seized not only the public access computers, but also computers from locked offices used in publishing Long Haul's newspaper, Slingshot, as well as from EBPS, which had its own office at Long Haul's Infoshop. Unsurprisingly, like the FBI's investigation in Pittsburgh, they found nothing to help in their investigation of the threats, and no one was arrested. The only thing to come out of this search was a bill. Together with the ACLU of Northern California, we sued the FBI and UCBPD in 2009 on behalf of Long Haul and EBPS, and after three years of litigation, the lawsuit was settled in March 2012 when the UCBPD and FBI agreed to pay $100,000 in damages and attorneys' fees, with UCBPD acknowledging Long Haul was not involved in the threats.
These incidents aren't just limited to the FBI. In another example of government overreach, last year Immigration and Customs Enforcement (ICE) agents traced an IP address to the home of Nolan King and seized six hard drives in connection with a criminal investigation. As we've explained, search warrants executed solely on the basis of an IP address are likely to waste law enforcement's time and resources, rather than actually produce real evidence, because IP addresses are typically not personally identifiable. That's exactly what happened to King. Turns out he was running a Tor exit node from his home, and thus the agents wouldn't (and didn't) find any of the evidence they were looking for. The government's overreach caused Mr. King to suffer the stress and embarrassment of having officers swarm his house and take his property, when he had done nothing wrong, and the police gained no evidence or leads into their investigation.
Returning to the seizure of the server from May First and Riseup's colocation facility, the fact that the server was used to facilitate anonymous speech -- particularly by whistleblowers and democracy activists in oppressive countries -- adds another layer of concern. While bomb threats are certainly not the type of speech protected by the First Amendment, there's no way for an anonymous remailer to distinguish between good and bad speech. And any attempt by the government to deal with bad speech by turning off all speech raises serious constitutional concerns.
So enough is enough. The government's ability to search a person and their property -- and in this case, shut down speech -- is an extraordinary power that can easily be abused. Law enforcement needs to do its research before resorting to an extremely intrusive search warrant that intrudes on innocent people's privacy, causes significant disruption to harmless activity, and silences speech. And as we've argued before, search warrants for electronic devices shouldn't be limitless, but narrowly drawn by a judge to limit law enforcement's ability to rummage through reams of data having nothing to do with the investigation at hand.
As events continue to unfold, know that EFF is actively involved in this situation, working hard to ensure the government's search warrant power won't be used to take more than what it should, or to stifle free speech and anonymity on the Internet.
1. A previous version of this post mistakenly stated anonymous remailers are "specifically designed to leave no logs." That mistake has now been corrected.
The Office of the United States Trade Representative (USTR) released its annual Special 301 report on Monday, a review of other countries’ intellectual property laws and enforcement standards. The Report lists countries that are singled out for having “bad” intellectual property policies on a tiered set of “watch lists”: the Watch List and the Priority Watch List. The USTR uses the threat of placement on one of these Watch Lists to pressure other countries to adopt heightened copyright, trademark and patent laws that mirror or in some cases exceed U.S. law. By placing a country on this list, the USTR hints at the possibility of trade law repercussions. Although it does not directly lead to imposition of trade sanctions (as is the case for the top Priority Country designation), being put on the watch lists or singled out for an “out of cycle” review does lead to increased scrutiny and bilateral pressure for trading partners to change their laws.
What’s particularly obnoxious about the watch lists and the annual Special 301 process is that countries are being asked to adopt very particular implementations of international legal standards and interpretations of controversial parts of U.S. law that only reflect the interests of intellectual property (IP) rightsholder industries. At the same time, they do not provide any evidence that such implementation is necessary as a matter of international law, or even good policy. For instance, countries have been listed for introducing copyright exceptions and limitations that would be permitted under international law or even U.S. law, such as fair use that facilitates the creation of user-generated content and technological innovation. This is why, outside the U.S., the annual Special 301 reports are seen as a one-sided and arbitrary mechanism the USTR uses to bully countries into enacting intellectual property laws through a vague and opaque process that directly manifests the desires of the copyright industries.
So how exactly does the USTR determine which countries deserve the Special 301 treatment? It hasn't published its criteria, but the final determinations seem to follow recommendations made every year by Big Pharma and the International Intellectual Property Alliance on behalf of their member content industries. Failure to “adequately” implement the 1996 WIPO Internet treaties (which is code for failing to adopt DMCA-style bans on bypassing digital locks) seems to feature quite regularly. This year, Canada, India, and Israel all made it on to the Priority Watch List for this reason. Similarly, failing to “adequately” address “online piracy” gets repeat mention. In previous years, countries (e.g. Chile, Israel) have been listed for trying to introduce copyright exceptions such as fair use.
For the first time in 2010, the USTR opened up the submission process to provide an opportunity for public interest advocates to file responses to private rightsholders’ interest reports. EFF and Public Knowledge submitted recommendations to address gross deficiencies in the process, including the complete lack of transparency in their standards for determining “adequate and effective [intellectual property rights] protection”.[1] Moreover, we recommended that an independent external review of country data and statistics occur to determine the true sources of “concerns” claimed in the report. The USTR has continued to accept comments and has held public hearings before the Special 301 subcommittee. However, the lack of any substantial objective assessment or increased transparency in the process demonstrates that these have essentially made no impact on this process.
What’s so disheartening is that there’s evidence that this list is in fact effective in ratcheting up copyright laws around the world. Spain is commended in this year’s report for passing its highly controversial website-shutting and -blocking “Sustainable Economy” Law. As we’ve noted before (here and here), leaked diplomatic cables published on Wikileaks show that the US pressured successive Spanish government administrations to pass the controversial law under threat of being listed on the Special 301 Watch List, and more recently, being upgraded to the Priority Watch List. Before the passage of this law, Spain had been on the pragmatic side of copyright legislation. As the legislation was getting passed, digital activists and Internet rights lawyers recognized that in practice, enforcement of the law would skirt due process, violate personal privacy, and limit free expression. The passage of the law sparked countrywide protests and even a boycott of all artists and studios that supported the legislation, but to no avail. Since Spain had met the requests of U.S. officials and IP rightsholder groups, it is not listed in either of the 2012 report’s watch lists.
Mike Masnick of Techdirt has covered the publication of the Special 301 Report for several years, rightfully criticizing the ridiculously blatant demonstration of corporate influence over U.S. foreign copyright policies. He wrote about the 2011 report last year:
The really sickening part in all of this is that the USTR makes no effort to determine what sorts of IP laws are effective or reasonable. None. It just pushes other countries to ratchet up their IP laws to more and more draconian levels. Basically, if anyone thinks they have a better idea on how intellectual property laws should be done, the US government shames them with this report.
As Michael Geist noted in his blogpost on this year’s Special 301 Report, Canada already has strong copyright laws and enforcement penalties, but the USTR has continually listed Canada on the Priority Watch List to pressure it into adopting particular measures sought by US rightsholders. He says this undermines the credibility of the entire Special 301 process in the eyes of other governments. Geist made a submission with Public Knowledge to the USTR this year. It said [pdf]:
...the USTR should be guided by U.S. law in evaluating the laws of other countries. Viewed from a U.S. law perspective, Canadian copyright laws provide adequate and effective protection to US IP rights owners... Furthermore, Canadian authorities effectively enforce copyright laws. Consequently, rates of infringement in Canada are low and the markets for creative works are expanding. Placement of Canada on the Special 301 Watch List or Priority Watch List in the face of this evidence would be unjustified. It would only lead to undermining the legitimacy of the Special 301 process.
It’s not news that the USTR’s activities reflect the fact that this and previous administrations have been doing the bidding of the big content industry lobbyists for many years. The Anti-Counterfeiting Trade Agreement (ACTA), the Trans-Pacific Partnership agreement (TPP), and free trade agreements between the U.S. and dozens of countries around the world reflect the special interests and lobbying power of the Big Content and Big Pharma rightsholder industries. The Special 301 process has proven to be a durable and extremely effective mechanism for pressuring other governments to enact over-reaching copyright laws, to the detriment of citizens’ rights around the world and the US technology sector’s export markets. But in light of this year’s events, the 2012 Special Report underscores the urgent need for our foreign policy on IP to be based on a fair and transparent process and an objective assessment of empirical evidence.
The campaign of attacks targeting Syrian opposition activists on the Internet has taken a new turn. Since the beginning of the year, Syrian opposition activists have been targeted using several Trojans, which covertly install spying software onto the infected computer, as well as a multitude of YouTube and Facebook login credentials. Last week, TrendMicro's Malware Blog described a website which purportedly offered Skype encryption software, but was actually a Trojan that installed DarkComet 3.3, a remote administration tool that allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record keystrokes, steal passwords, and more--and sends that sensitive information to an address in Syrian IP space. This week, EFF has found an almost identical website located at http://skype-encryption.sytes.net/, shown in the screenshot below.
Clicking "download" downloads the fake Skype encryption application, called "Skype Encryption v2.1," shown in the screenshot below.
Launching the application produces a window that gives you the option to "Encrypt" or "DeCrypt," shown in the screenshot below.
When you click "Encrypt," the application launches a message asking you to please wait while it encrypts your connection, shown in the screenshot below. To be clear, this application does not encrypt anything. Instead of encrypting your Skype traffic, the application downloads a Trojan from http://220.127.116.11/SkypeEncryption/Download/skype.exe. This is the same Syrian IP address used in attacks described by TrendMicro, Symantec, Cyber Arabs, and in several of EFF's blog posts.
Once your connections are allegedly encrypted, the application launches a window that says, "Your Connections are Now Completely Encrypted ! ..... Enjoy," as shown in the screenshot below.
Syrian Internet users should be especially careful about downloading applications from unfamiliar websites. The fake Skype encryption site showed many obvious signs that it might not be legitimate, from the misspelling of "encryption" to the abuse of Comic Sans, but we can expect future attacks to be more sophisticated.
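For administrators who keep web proxy logs, the following added example (not part of the original post and not EFF's code) shows one way to look for the behavior described above: requests to the two indicators named in the post, plus the more general pattern of an executable fetched from a bare IP address. The log format, client addresses and the `192.0.2.77` host are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as written in the post above (copied from the page, not re-verified).
KNOWN_HOSTS = {"skype-encryption.sytes.net", "220.127.116.11"}
EXECUTABLE_EXT = (".exe", ".scr")

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2012-05-02T09:14:01Z 10.0.0.21 GET http://skype-encryption.sytes.net/ 200
2012-05-02T09:14:40Z 10.0.0.21 GET http://220.127.116.11/SkypeEncryption/Download/skype.exe 200
2012-05-02T09:20:11Z 10.0.0.35 GET http://www.example.org/index.html 200
2012-05-02T09:31:57Z 10.0.0.35 GET http://192.0.2.77/tools/update.EXE?id=4 200
2012-05-02T09:40:03Z 10.0.0.48 GET http://192.0.2.77/status.json 200
malformed line without enough fields
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")

def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(url):
    """Return the list of reasons a requested URL deserves a closer look."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known-indicator")
    # Query strings are ignored: only the path decides the file type.
    if is_ip_literal(host) and parts.path.lower().endswith(EXECUTABLE_EXT):
        reasons.append("executable-from-ip-literal")
    return reasons

def scan(log_text):
    """Return (client, url, reasons) for every flagged, well-formed log line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        client, url = m.group(2), m.group(4)
        reasons = classify(url)
        if reasons:
            findings.append((client, url, reasons))
    return findings
```

Calling `scan(SAMPLE_LOG)` returns three findings; the client address in each one identifies the machine to examine first.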