Razan Ghazzawi and eleven of her colleagues at the Syrian Center for Media and Freedom of Expression were arrested today during a raid on their office. The Syrian Air Force's Intelligence Division in civilian dress and vehicles took the arrestees to an undisclosed location. This is the second time Ghazzawi has been arrested in the past few months; she was freed 15 days after the previous arrest. She is a U.S.-born Syrian who contributes to Global Voices Online and Global Voices Advocacy and has been outspoken about her opposition to the Syrian regime. Mazen Darwish, the director of the organization and longtime human rights advocate, was also one of those arrested. Here is a list of all of those detained:
These arrests may be a sign of broad new efforts to crack down on bloggers and activists amid the horrifying state violence against political dissidents in the past few weeks. The regime may also be planning to exploit the online network of those arrested to find other activists and bloggers, and to continue making arrests until they can silence all dissident voices. We have written previously about arrested Syrian bloggers, including Hussein Ghrer who was taken to prison in October and continues to await trial.
The international community should take notice of these alarming events unfolding in Syria and call on authorities to end their campaign of violence and extreme state oppression against their citizens.
For ongoing updates on these arrests, please check the hashtag #FreeRazan on Twitter.
You can also visit the Facebook page calling for her release.
Ten years ago this week, the Budapest Open Access Initiative (BOAI) was released to the public. This seminal document explained how technology could revolutionize academic publishing, and defined "open access" as the free and unrestricted availability of peer-reviewed journal literature online. Perhaps most importantly, the BOAI laid out a strategy for making open access a reality. In the decade since its publication, the 13 original signatories behind the initiative have been joined by a still-growing collection of over 5500 individuals and 600 organizations.
The history of the movement goes deeper, of course, and is intertwined with that of the Internet; given the academic roots of the Internet and the World Wide Web, that connection is hardly a surprise. Tim Berners-Lee's announcement introducing the Web stated that the Web "project started with the philosophy that much academic information should be freely available to anyone." Academics newly connecting to the network intuitively understood the appeal of online publication, and the first major collection of self-archived papers, arXiv.org, appeared a full decade before the BOAI in 1991.
These programs have been major boons to the academic community and the general public, providing greater distribution for authors and better access to research for scholars. Unfortunately, there's one group that isn't happy with the successes of the open access movement: traditional publishers. Those companies, who produce the "big name" journals like Nature, Science, and the New England Journal of Medicine, don't like open access because it threatens their very lucrative position in the middle of the academic world.
They're right to feel threatened. Increasingly, academics are realizing that these publishers are acting as the worst sort of middleman, providing little value and reaping extreme profits. There's even a movement to boycott some of the major publishers altogether. And just one look at the business model of these publishers confirms that movement's on to something.
The legacy academic publishers profit from selling access to material that the public has already paid for many times over. First, the research that goes into journal articles is frequently funded by the government, through grants or university budgets. Then academics (who are often employees of those same public universities) conduct the research and write an article based on their conclusions. The academics submit it to journals, who coordinate a peer review process. The peers that do the actual reviewing, though, aren't employees of the publisher. They review voluntarily, and often work for -- you guessed it -- publicly funded universities.
And for the role they play, publishers usually demand an exclusive copyright assignment to the article. Then they publish it in a journal priced so exorbitantly high -- in 2008, a subscription to the "Journal of Comparative Neurology," for example, cost $21,852 -- that members of the public can generally only access them at a university library.
The publishers aren't going to give up a racket like that without a fight. So not only have they been backers of general misguided copyright bills, like the Internet blacklist legislation defeated last month, but they've also pushed for specific laws that would undermine open access journals and policies. Take for example the Research Works Act, introduced this year in the House, which would outlaw NIH's Public Access Policy requirements for any work that passed through a commercial publisher's hands, regardless of the public funds involved. That bill is the latest in a series of publisher-backed proposals like the Fair Copyright in Research Act, which died in committee a few years back.
In the decade since the BOAI was published, its authors' hope for a powerful public good to emerge from the combination of scholarship and new networking technology has proven possible, if not easy. As with the other fields that new technology disrupts, the legacy players are willing to kick and scream against it. But the promise of open access as set out by the BOAI, to "lay the foundation for uniting humanity in a common intellectual conversation," is too important to give up in the name of preserving profits.
Last week, EFF gave its recommendations to EU parliament on what steps to take to combat a growing and dangerous civil liberties concern: Western companies marketing and selling mass surveillance technology to authoritarian regimes. This technology has been linked to harassment, arrests, and even torture of journalists, human rights advocates, and democratic activists in many Middle East countries over the past year.
EFF recommended parliament approach the problem through a “know your customer” program whereby companies would investigate purchasers of surveillance technology and would refrain from doing business with a government or its agents if the sale would be used to assist in human rights abuses. This program would be voluntary for companies and encouraged via incentives but could, if necessary, become a formal requirement. As we’ve seen, transparency can be a powerful tool. The industry is notoriously secretive and a little sunlight can help spur protests and force companies to change their business practices.
Privacy International recently released a mapping of companies and countries that have attended the notorious I.S.S. World trade shows, where this technology is bought and sold. But their investigation is far from over and you can go here to help them file Freedom of Information requests, write to your representative, or dig through government spending reports.
In the first part of a new series, EFF will take a look at what we know about some of the worst offenders located in Europe and the United States. Part I will highlight two companies, United Kingdom based FinFisher and France based Amesys:
FinFisher, unit of Gamma International—based in the UK
Gamma International and its subsidiary FinFisher first made headlines after the fall of Hosni Mubarak in Egypt last year, when activists found the company’s records in an abandoned state security building, along with troves of surveillance files. The documents on Gamma and FinFisher showed how they provided Mubarak with a five-month trial of their sophisticated spying technology, most notably FinSpy, which can wiretap encrypted Skype phone calls and instant messages—a service once mistakenly trusted by activists for secure communications.
The Wall Street Journal has since reported about FinFisher’s techniques and its technology’s dangerous capabilities. It works much the same way online criminals steal banking and credit card information. Authorities can covertly install malware on a user’s computer without their knowledge by tricking the user into downloading fake updates to programs like iTunes and Adobe Flash. Once installed, they can see everything the user can. The FinFisher products can even remotely turn on the user’s webcam or microphone in a cell phone without the user’s knowledge.
FinFisher doesn’t pretend to market their products for solely lawful use. In 2007, they bragged that they use and incorporate “black hat (illegal and malicious) hacking techniques to allow intelligence services to acquire information that would be very difficult to obtain legally,” according to a report by OWNI.
Gamma or FinFisher, of course, won’t comment on any of these facts that have come to light over the past year. They hid behind claims of client confidentiality, telling the Wall Street Journal that they “cannot otherwise comment upon its confidential business transactions or the nature of the products it offers." But of course you can’t use claims of confidentiality to hide illegal behavior in the US or the UK. Investigators, especially in the UK and wherever these companies have sufficient contacts to establish jurisdiction, should require them to come clean about their potentially illegal business practices and uphold human rights privacy standards in the tools they offer and the customers to whom they sell.
Amesys, unit of Bull SA—based in France
When trade restrictions on Libya were eased in the early 2000s, Libya’s leader, Muammar Qaddafi, began to capitalize on the change by bringing in Western technology companies to surveil Libya's citizens’ Internet use under the guise of stopping terrorism. Instead, and to no one’s surprise, the technology was “deployed against dissidents, human-rights campaigners, journalists or everyday enemies of the state,” as the Wall Street Journal documented after seeing Qaddafi’s abandoned Internet monitoring center in Tripoli.
The main company tasked with assisting Libya with all its surveillance needs was a unit of the French company Bull SA, known as Amesys. With Amesys’ monitoring centers, Libyan authorities could read emails, get passwords, read instant message conversations, and map connections among criminals, or in many cases, journalists or dissidents. OWNI graphically mapped out just how massive the surveillance system was. Documents released by WikiLeaks in November revealed that Amesys gear was even allowing Libya to spy on dissidents and opposition figures living in the United Kingdom. And as AFP reported, Qaddafi’s “regime [had previously] been accused of sending agents to harass and even kill opposition figures in exile.”
Despite the ease in trade restrictions, it was no secret Libya had a long history of human rights abuses and Amesys should have known who they were helping. The head of Libyan intelligence, the notorious Abdullah Senussi, was convicted in absentia in France of the Lockerbie terrorist bombing in 1989 that killed 170 people. Yet the former head of Amesys and current CEO of Bull, Philippe Vannier, was seen in Tripoli meeting with the same Abdullah Senussi in 2007, according to the Wall Street Journal.
Abdullah Senussi has since been indicted by the International Criminal Court for crimes against humanity for his role in the violent crackdown against Libyan citizens this past year.
The Amesys case highlights a problem with many of these companies—they are doing business with human rights violators that may have relations with the US or EU. As Amesys rightly points out, Libya was an “ally” of the west when their contract was signed and boasted of warm relations with France until NATO decided to take sides with the rebel forces late last year. "All Amesys activities strictly adhere to the statutory and regulatory requirements of both European and French international conventions," a spokeswoman said in Amesys’ defense. But this doesn’t excuse their behavior. EFF’s know your customer standards address this problem by creating a framework in which companies study non-partisan human rights reports and not just the legal restrictions against the West’s perceived enemies.
"We are fully prepared to answer any questions which the legal authorities may ask us," the spokesman for Amesys also said. Authorities should take them up on their offer. In France, human rights groups have filed court documents asking for an investigation into Amesys for “possible violations of export rules and complicity in torture.” EFF encourages the French authorities to conduct a full investigation.
But Gamma and Amesys are far from the only transgressors. There are dozens of companies in both the US and EU that have been supplying this gear to authoritarian regimes as well, and EFF will soon highlight more of these companies until Congress and the EU countries act to prevent more of this dangerous technology from falling into the wrong hands.
In a report published last week, members of the United Kingdom Parliament concluded that the Internet plays a major role in the radicalization of terrorists and called on the government to pressure Internet Service Providers in Britain and abroad to censor online speech. The Roots of Violent Radicalisation places the Internet ahead of prisons, universities, and religious establishments in propagating radical beliefs and ultimately recommends that the government “develop a code of practice for the removal of material which promotes violent extremism” binding ISPs.
While the Terrorism Act 2006 authorizes British law enforcement agencies to order certain material to be removed from websites, lawmakers on the Home Affairs Committee stated that “service providers themselves should be more active in monitoring the material they host.” Their report raises serious concerns that political and religious speech will be suppressed. Security expert Peter Neumann who testified before the Committee asked why websites like YouTube and Facebook can’t be as “effective at removing . . . extremist Islamist or extremist right-wing content” as they are at removing sexually explicit content or copyrighted material that violates their own terms of service.
Citing “persuasive evidence about the potential threat from extreme far-right terrorism” and lauding the recent conviction of four London men who used the Internet to plot a bombing of the London Stock Exchange, Parliament Members commended the report saying, “[it] tackles the threat from home-grown terrorism on and off line.” A spokesman for the House of Commons Home Office stated that the Committee would continue to “work closely with police and internet service providers to take Internet hate off the web."
In an interview with the International Business Times, Trend Micro security director Rik Ferguson criticized the Committee’s recommendations and argued that making ISPs “judge, jury and executioner” imposes responsibilities on ISPs that rightfully belong to law enforcement. “Material of a political or religious nature is by definition much more difficult to define and much more difficult to police without crossing the line to impact on freedom of expression,” Ferguson stated.
EFF believes that it is not the role of intermediaries to serve as gatekeepers for law enforcement. Fortunately, we're not alone: the UK's Internet Service Providers' Association argues that "ISPs are not best placed to determine what constitutes violent extremism and where the line should be drawn. This is particularly true of a sensitive area like radicalisation, with differing views on what may constitute violent extremist." Indeed--the strategy set forth by the Committee defines extremism as "vocal or active opposition to fundamental British values." ISPs and other intermediaries must not be charged with determining what constitutes extremism, particularly when the definition of such is so vague. This type of state-mandated online censorship is inherently corruptible, especially when it is justified to combat national security threats.
News emerged from Morocco last week that 18-year-old Walid Bahomane was sent to a juvenile facility to await trial on charges of “defaming Morocco's sacred values” for a Facebook post about the country's monarch. There is now news that yet another young Moroccan is in trouble for online comments about the king.
As the Washington Post reports, a Moroccan court sentenced 25-year-old Abdelsamad Haydour in the city of Taza for “violating the sacred values” of the North African monarchy after posting a YouTube video in which he accused King Mohammed VI of oppressing the Moroccan people, calling the monarch "a dog, a dictator and a murderer."
The country's press law criminalizes "defaming" the monarchy and challenging Morocco's claim to Western Sahara. Over the years, a handful of bloggers and social media users have been charged in Morocco for crossing the country's red lines; however, the arrests had been few and far between, with most cases leading to a pardon. Furthermore, the Moroccan Internet is largely uncensored. The proximity of these two cases, coupled with reports from activists that no lawyer agreed to defend Haydour, indicates a serious new crackdown on speech in the kingdom.
EFF is disappointed to see these blatant and intensified crackdowns on free speech, especially in light of last year's reforms to the Moroccan Constitution following its massive country-wide protests. The right to free expression is essential to a functional democracy and Moroccan efforts to silence people's speech online undermine the legitimacy of their recent constitutional amendments. We call on Moroccan authorities to immediately drop the charges against Bahomane and release Haydour, and to discontinue these politically regressive policies.
Everyone, take a deep breath: it seems we’ve had a moment of sanity in the patent wars. Last week, a jury invalidated the dangerous Eolas patents, which their owner claimed covered, well, essentially the whole Internet. The patents were originally granted for an invention that helped doctors to view images of embryos over the early Web. A few years later, smelling quick cash, their owner insisted that they had a veto right on any mechanism used to embed an object in a web document. Really? The patents were obvious—now in 2012, and back in 1994, when the first one was filed. Thankfully, a jury realized that and did what should have happened years ago: it invalidated these dangerous patents.
That's the good news. The bad news: it came after the patents already caused plenty of damage. Companies large and small have taken licenses from Eolas rather than pay millions to fight in court. Many, such as Tim Berners-Lee (who testified during trial), warned about the dangers of the Eolas patents:
The existence of the patent and associated licensing demands compels many developers of Web browsers, Web pages, and many other important components of the Web to deviate from the fundamental technical standards that enable the Web to function as a coherent system.
We couldn't agree more, but let's go a step further. What the Eolas patents make clear is that the system isn’t working. We’ve been saying it for years, yet both Congress and the courts have failed to fix the problem. In the now infamous Bilski case, the Supreme Court gave the green light to business method patents, and, consequently, to software patents. But the patent system, which is largely a one-size-fits-all program, simply stops making sense when we start to talk about software.
Software Patents Should be an Oxymoron
In order to understand why software patents don’t make sense, you have to understand a little bit about the patent system. The Constitution gives Congress the power
To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.
This single sentence represents an important bargain: when someone invents a novel invention, the government grants him a 20-year monopoly to exploit that invention. At the end of those 20 years, the inventor dedicates that invention to society, allowing others to practice it and build upon it. Traditionally, this monopoly was intended to provide an important incentive, especially where, as with pharmaceuticals, companies have to build factories and laboratories, hire workers, and endure rounds of testing at the FDA before they can sell a drug.
Software often does not require that kind of investment—often all you need is a coder and a computer. Even complex programs don't require 20 years of exclusivity to recoup their investment. We’ve also seen time and again that software developers don’t need patent incentives to create new and great programs. Take, for example, companies like Google and Twitter; neither relied on software patents to grow its early business.
It’s also clear that 20 years is too long to protect software inventions. Many who obtain patents—those who may feel obligated to appease venture capitalists or who get patents for defensive purposes, for example—quickly learn that technology moves so quickly that it’s often been replaced or vastly improved upon by the time the patent is granted. And it’s expensive to get an application through the patent office—costs and fees for “complex software” can range well into the $10,000s! So what do you think happens when a company spends all that money getting a patent and then finds out its product is no longer popular? Enter the patent troll, who buys the antiquated patent and starts suing (more on that below).
Further, software is fundamentally situated as a building block technology. You write some code, and then I improve upon it (the open source folks already have this figured out). But if your code is covered by a 20-year patent, I can’t even test my improvements until that patent expires.
Software Patents Only Benefit Lawyers, Not Inventors
Software patents are nearly five times as likely to be litigated as other patents. In fact, lawsuits surrounding software patents have more than tripled since 1999. What does that mean? It means that if you do business in America, and it involves any even arguably patented software, you'd better have a serious legal budget. Take, for instance, Spotify, the popular music streaming service that came to the States in late 2011. A few weeks after it launched—boom!—Spotify is facing a patent lawsuit (the kind of suit that will easily cost each side millions of dollars). Not only is this bad for U.S. businesses, but it drives innovators out of the country, which is bad for all of us, not least of all because it sends jobs abroad. Increasingly, patents serve as a dangerous tax on innovation in America, especially when it comes to software. And domestically this means that instead of helping grow R & D or engineering departments at software companies, software patents increasingly help grow legal departments.
Software Patents Harm Innovation
So what do you do if you’re a small inventor, working in your free time on coding new software, and all of a sudden you’re threatened with a patent suit? Unfortunately, time and again, we hear of folks closing up shop. When part-time inventors without financial backing, or tinkerers in their free time, stop inventing the next Facebook or tomorrow’s Twitter, we’re all worse off. And right now, that’s the threat software patents pose.
Now, back to Eolas. What would have happened if the jury went the other way? Virtually every website that allows embedded objects, such as images or video, for example, (in other words, nearly every website) would have to pay up. Sadly, this is the norm and not the exception. The jury in this case got the information it needed, but not every defendant can afford to fight, much less inspire Sir Berners-Lee to testify. Dangerous, overbroad software patents have become a tax on innovation that cannot stand. Software patents are harming innovation and our economy. It’s time to rethink our policies.
EFF is committed to defending innovation and fixing the problems with software patents in the long-term. That's why we'll soon be launching our new campaign around software patents, Patent Fail: In Defense of Innovation. Stay tuned.
Update (2012-02-17): After some investigation and facts that came to light as a result of a parallel experiment by researcher Nadia Heninger at UC San Diego and collaborators at the University of Michigan, it seems the scope of the problem with respect to keys associated with X.509 certificates is limited primarily to certificates that exist for embedded devices such as routers, firewalls, and VPN devices. The small number of vulnerable, valid CA-signed certificates have already been identified and the relevant parties have been notified. Nadia's excellent blog post provides a good overview of the situation right now. We are working with her on disclosure and to provide people with tools to audit against these types of vulnerabilities via the Decentralized SSL Observatory.
Using previously published and new data from EFF's SSL Observatory project, a team of researchers led by Arjen Lenstra at EPFL conducted an audit of the public keys used to protect HTTPS. Lenstra's team has discovered tens of thousands of keys that offer effectively no security due to weak random number generation algorithms.
The consequences of these vulnerabilities are extremely serious. In all cases, a weak key would allow an eavesdropper on the network to learn confidential information, such as passwords or the content of messages, exchanged with a vulnerable server. Secondly, unless servers were configured to use perfect forward secrecy, sophisticated attackers could extract passwords and data from stored copies of previous encrypted sessions. Thirdly, attackers could use man-in-the-middle or server impersonation attacks to inject malicious data into encrypted sessions. Given the seriousness of these problems, EFF will be working around the clock with the EPFL group to warn the operators of servers that are affected by this vulnerability, and encourage them to switch to new keys as soon as possible.
While we have observed and warned about vulnerabilities due to insufficient randomness in the past, Lenstra's group was able to discover more subtle RNG bugs by searching not only for keys that were unexpectedly shared by multiple certificates, but for prime factors that were unexpectedly shared by multiple publicly visible public keys. This application of the 2,400-year-old Euclidean algorithm turned out to produce spectacular results.
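As an added illustration (not code from EFF or from the researchers), the sketch below audits a small inventory of RSA public moduli for the two conditions described above: moduli reused across certificates and moduli that share a prime factor with another key. It uses a batched form of the same gcd computation (a product tree and a remainder tree) so the check scales beyond pairwise comparison; the host names and the small moduli are constructed sample data.

```python
from math import gcd

def product_tree(values):
    """Leaves are the moduli; each higher level multiplies adjacent pairs."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def batch_gcd(moduli):
    """For each n_i return gcd(n_i, product of all the other moduli)."""
    if not moduli:
        return []
    levels = product_tree(moduli)
    rems = levels[-1]                      # root: product P of every modulus
    for level in reversed(levels[:-1]):    # push P mod node^2 down to leaves
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # P mod n^2 == n * (Q mod n) with Q = P / n, so r // n == Q mod n.
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]

def audit(keys):
    """keys maps a label to an RSA modulus. Returns per-label findings."""
    by_modulus = {}
    for name, n in keys.items():
        by_modulus.setdefault(n, []).append(name)
    distinct = list(by_modulus)            # identical moduli handled apart
    weak = {n for n, g in zip(distinct, batch_gcd(distinct)) if g != 1}
    report = {}
    for n, names in by_modulus.items():
        peers = []
        if n in weak:
            # Only the flagged subset is compared pairwise, to name the
            # other keys that must be rotated together with this one.
            peers = sorted(p for m in weak if m != n and gcd(n, m) != 1
                           for p in by_modulus[m])
        for name in names:
            report[name] = {
                "duplicate_of": sorted(x for x in names if x != name),
                "shares_prime_with": peers,
            }
    return report

def needs_rotation(report):
    """Labels whose key is reused or shares a prime with another key."""
    return sorted(k for k, v in report.items()
                  if v["duplicate_of"] or v["shares_prime_with"])

# Constructed sample inventory: toy moduli built from well-known primes.
# Real RSA moduli are far larger; the arithmetic is identical.
P61, P89, P107, P127, P31 = (2**e - 1 for e in (61, 89, 107, 127, 31))
SAMPLE_KEYS = {
    "router-a": P61 * P89,                 # both primes reused elsewhere
    "router-b": P61 * P107,                # shares P61 with router-a
    "router-e": P89 * 998244353,           # shares P89 with router-a
    "vpn-c":    P127 * P31,                # healthy key
    "web-d":    1000000007 * 1000000009,   # same modulus as fw-f
    "fw-f":     1000000007 * 1000000009,
}

if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE_KEYS).items()):
        print(host, finding)
```

A modulus flagged here has to be regenerated on a system with a properly seeded random number generator; reissuing a certificate for the same key does not help.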
In addition to TLS, the transport layer security mechanism underlying HTTPS, other types of public keys were investigated that did not use EFF's Observatory data set, most notably PGP. The cryptosystems that underlay the full set of public keys in the study included RSA (which is the most common class of cryptosystem behind TLS), ElGamal (which is the most common class of cryptosystem behind PGP), and several others in smaller quantities. Within each cryptosystem, various key strengths were also observed and investigated, for instance RSA 2048 bit as well as RSA 1024 bit keys. Beyond shared prime factors, there were other problems discovered with the keys, which all appear to stem from insufficient randomness in generating the keys. The most prominently affected keys were RSA 1024 bit moduli. This class of keys was deemed by the researchers to be only 99.8% secure, meaning that 2 out of every 1000 of these RSA public keys are insecure. Our first priority is handling this large set of tens of thousands of keys, though the problem is not limited to this set, or even to just HTTPS implementations.
We are very alarmed by this development. In addition to notifying website operators, Certificate Authorities, and browser vendors, we also hope that the full set of RNG bugs that are causing these problems can be quickly found and patched. Ensuring a secure and robust public key infrastructure is vital to the security and privacy of individuals and organizations everywhere.
On February 15, a verdict will be handed down that determines whether or not the Tunisian Internet Agency (ATI) will need to censor pornography on the Internet. Last May, after receiving--and unsuccessfully attempting to block--an order to censor such websites, the ATI appealed the decision citing, among other things, a lack of financial resources. As a result, the case was sent to the Court of Cassation, Tunisia’s highest court.
All Tunisians have a reason to be concerned: Under the rule of Ben Ali, it wasn’t just obscene content that was unavailable to citizens, but political opposition websites, information on human rights, even YouTube.
As a result, Tunisian digital rights activists are wary of letting the government force the ATI to re-install the tools that allowed such overreaching censorship (which in the Ben Ali era were made by American company SmartFilter, owned by Intel). For others--such as the activist community that was active in fighting censorship during the Ben Ali era--it’s a matter of principle. Or as Moez Chakchouk, CEO of the ATI, has argued: “It's not a matter of pornography or not, it's a matter of whether we have censorship or not in Tunisia.”
Indeed, though the current target may be pornography, installing a tool like SmartFilter would enable the ATI to block other categories of websites. And while Chakchouk has spoken out against the idea of any government-mandated censorship outside of the legal process, he is also concerned that putting the tools of censorship in place could easily allow the government to expand its reach.
EFF reiterates our support for Chakchouk and the Tunisian Internet Agency. Tomorrow's decision will not only affect the free speech of Tunisians, but could have broader implications for the region as well. We call on the Court of Cassation to uphold the right of free expression in their decision.