Last week, the Digital Advertising Alliance (DAA), as association of 6 online advertising groups1, published a set of Self-Regulatory Principles for Multi-Site Data. These principles are designed to cover data collection above and beyond the standards the group adopted for behavioral advertising. These principles are a mixed bag. Even while the new standards offer the potential to improve transparency and user choice in some instances, the language of the standards is loose enough to allow many of the concerning practices to continue unabated.2 And, as is often the case with self-regulatory models, the DAA’s new standards won’t be enforced. Companies that violate the principles suffer no consequences.
Regulation of online tracking has been long-debated by industry figures and privacy advocates. At the core of the debate is how to strike a balance between users’ rights to protect their privacy when browsing the web and the needs of companies to implement new online services without burdensome government regulation. Thoughtful self-regulation has been heavily promoted by the advertising industry, and last Monday’s announcement is likely an attempt to obviate possible governmental regulation. This is no surprise; Congress has introduced several bills that could regulate the collection of online data and the advertising industry is thus eager to prove their corporate citizenship when it comes to protecting privacy and choice.
But users should be skeptical about the DAA’s self-regulatory scheme, especially given their less-than-stellar performance record in safeguarding privacy in the past. We can see case studies in the limits of self-regulation in two of the DAA’s major online privacy initiatives: the advertising opt-out tool and the advertising icon.
The DAA’s web-based opt-out tool can be used to install opt-out cookies on one’s browsers. The usability of this approach was evaluated by researchers at Carnegie Melon University in a study published a few weeks ago (Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising). The study found that users struggled to use the DAA tool: they found it difficult to navigate to the actual opt-out page; it wasn't obvious that opting out of all trackers required switching out of the default tab on the opt-out page; they didn’t realize that deleting cookies would negate the opt-outs; and they weren’t able to confirm whether opting out was effective. Perhaps most concerning, users didn’t grasp what the opt-out meant: users assumed that opting-out through the DAA form stopped online tracking, when in fact it merely adjusts the advertisements that are displayed. Tracking doesn't stop.
The DAA is also responsible for the advertising option icon, designed to inform consumers about data collection and use practices. Like the opt-out tool, the advertising icon doesn’t actually do anything to stop online tracking. It’s merely designed to inform and educate users – and it may not even be able to do that. A 2011 survey by Truste found that, while 70% of respondents were aware of online behavioral advertising, less than 5% recognized the DAA’s icons. And as security researcher Jonathan Mayer of Stanford noted, the icon often doesn’t appear at all.
Like the DAA’s previous initiatives, there are no teeth in the Principles for Multi-Site Data. Enforcement is supposed to be achieved through a qualified, objective and independent professional service using procedures and standards generally accepted in the profession. While this is a good starting place, there are no repercussions spelled out for receiving a bad report. There’s no indication that fines or even formal reprimands will be issued to bad actors, and no provision for removing bad actors from the DAA.
This is similar to the DAA’s accountability program for online behavioral advertising, in which the Direct Marketing Association and the Council for Better Business Bureaus (CBBB) accept complaints about companies that are suspected of violating the self-regulatory guidelines. Beyond their byzantine processes for filing and responding to complaints, it’s unclear what the DMA and CBBB will actually do with any of the complaints they receive. On Tuesday, the CBBB released its first summary of decisions regarding online behavioral tracking. In the six instances, the CBBB convinced the company to adjust its practices, in most instances by having the company extend the expiration date of its opt-out cookie. The DAA self-regulatory approach doesn’t actually give consumers a method to say no to online tracking.
The DAA can and should take affirmative steps to protect user privacy. Most importantly, they could adopt forward-thinking standards for respecting Do Not Track, a browser setting currently available in Safari, Internet Explorer and Firefox. When turned on, Do Not Track sends a simple signal that tells websites that a user doesn’t want to be tracked. Users don’t have to visit a special website to turn it on and clearing cookies won’t turn it off; it’s a simple way for users to clearly communicate that they want to be able to use the Internet without handing over loads of sensitive data to companies with which they have no relationship.
While there are benefits to the DAA’s self-regulatory program, it should not be taken as a replacement for other forms of regulation. And the DAA’s self-regulatory principles, while not bad, fall far short of the user benefits of Do Not Track.
1. The DAA is made up of 6 major online advertising groups, including American Association of Advertising Agencies (4A’s), American Advertising Federation (AAF), Association of National Advertisers (ANA), Direct Marketing Association (DMA), Interactive Advertising Bureau (IAB), Network Advertising Initiative (NAI)
2. Jonathan Mayer of Stanford University has a good summary of the principles here.
Join Electronic Frontier Foundation (EFF) Staff Attorney Julie Samuels for drinks next Monday, November 21st in Chicago! Discover EFF's latest work in intellectual property from our resident patent expert, and learn more about the continuing fight to defend your freedom online.
EFF's Speakeasy events are free, informal gatherings that give you a chance to mingle with local members and meet the people behind the world's leading digital civil liberties organization. It is also our chance to thank you, the EFF members who make this work possible.
Speakeasy: Chicago EFF Members-Only Happy Hour
Monday, November 21, 2011 from 6-8 PM
If you are a current EFF member accepting email, you will find a personal invitation with location details in your inbox today! Space is limited, so reserve your spot. If you are traveling through Chicago next week and would like to join in, contact firstname.lastname@example.org for more information.
This is the third in our series (Part 1, Part 2) breaking down the potential effects of the Stop Online Piracy Act (SOPA), an outrageous and grievously misguided bill now working its way through the House of Representatives. This post discusses dangerous software censorship provisions that are new in this bill, as well as the DNS censorship provisions it inherited from the Senate's COICA and PIPA bills. Please help us fight this misguided legislation by contacting Congress today.
In this new bill, Hollywood has expanded its censorship ambitions. No longer content to just blacklist entries in the Domain Name System, this version targets software developers and distributors as well. It allows the Attorney General (doing Hollywood or trademark holders' bidding) to go after more or less anyone who provides or offers a product or service that could be used to get around DNS blacklisting orders. This language is clearly aimed at Mozilla, which took a principled stand in refusing to assist the Department of Homeland Security's efforts to censor the domain name system, but we are also concerned that it could affect the open source community, internet innovation, and software freedom more broadly:
Do you write or distribute VPN, proxy, privacy or anonymization software? You might have to build in a censorship mechanism — or find yourself in a legal fight with the United States Attorney General.
Even some of the most fundamental and widely used Internet security software, such as SSH, includes built-in proxy functionality. This kind of software is installed on hundreds of millions of computers, and is an indispensable tool for systems administration professionals, but it could easily become a target for censorship orders under the new bill.
Do you work with or distribute zone files for gTLDs? Want to keep them accurate? Too bad — Hollywood might argue that if you provide a complete (i.e., uncensored) list, you are illegally helping people bypass SOPA orders.
Want to write a client-side DNSSEC resolver that uses multiple servers until it finds a valid signed entry? Again, you could be in a fight with the U.S. Attorney General.
It would be bad enough to have these types of censorship orders targeted at software produced and distributed by a single company. But for the free and open source software community — which contributes many billions of dollars a year to the American economy — legal obligations to blacklist domains would be an utter catastrophe. Free and open source projects often operate as decentralized, voluntary, international communities. Even if ordered to by a court, these projects would struggle to find volunteers to act as censors to enforce U.S. law, because volunteers usually only perform tasks that they consider constructive. And in the case of larger projects and repositories like Mozilla, to monitor and enforce such court orders against generic functionality could potentially violate licensing obligations and would likely create acrimony, demoralizing and shrinking the communities of contributors and innovators that those projects depend upon.
Essentially any software product or service, such as many encryption programs, that is not responsive to blocking orders could be under threat. And lest you think we exaggerate for effect, recall how some of the provisions of another copyright bill have been used to chill security research.
Those are just the new provisions in SOPA. Like its companion Senate bill, PROTECT-IP, the bill also authorizes the United Sates Attorney General to wreak havoc with the Domain Name System by ordering service providers to block U.S. citizens' ability to access domain names, which will inevitably lead to competing Internet naming infrastructures and widespread security risks. As leading Internet engineers explained (commenting on an earlier version of the bill), this approach:
[W]ill risk fragmenting the Internet's global domain name system (DNS), create an environment of tremendous fear and uncertainty for technological innovation, and seriously harm the credibility of the United States in its role as a steward of key Internet infrastructure. In exchange for this, the bill will introduce censorship that will simultaneously be circumvented by deliberate infringers while hampering innocent parties' ability to communicate.
All censorship schemes impact speech beyond the category they were intended to restrict, but this bill will be particularly egregious in that regard because it causes entire domains to vanish from the Web, not just infringing pages or files. Worse, an incredible range of useful, law-abiding sites can be blacklisted under this bill. These problems will be enough to ensure that alternative name-lookup infrastructures will come into widespread use, outside the control of US service providers but easily used by American citizens. Errors and divergences will appear between these new services and the current global DNS, and contradictory addresses will confuse browsers and frustrate the people using them. These problems will be widespread and will affect sites other than those blacklisted by the American government.
By introducing bills like this, Congress is recklessly endangering Internet innovation and security. The free/open source and Internet engineering communities need to fight back.
Yesterday, EFF—along with the Cato Institute, the Center for Democracy and Technology, Public Knowledge, and TechFreedom—submitted an amicus brief to the Supreme Court in FCC v. Fox, which asks the Court to declare unconstitutional the FCC’s heavy-handed and outdated indecency policy for broadcast TV. The policy stems from the 1978 Supreme Court decision in FCC v. Pacifica, also known as the “Seven Dirty Words” case. The Court held that broadcast media deserved lesser First Amendment protection than other mediums because it had a “uniquely pervasive presence in the lives of all Americans” and was “uniquely accessible to children.”
But as the Second Circuit Court of Appeals noted, “we face a media landscape that would have been almost unrecognizable in 1978.” Back then, the public could consume media in two ways: through broadcast television and radio or newspapers. Now, over three-quarters of all Americans use the Internet, and 87% of households now subscribe to cable or satellite.
Nor is broadcast media “uniquely accessible to children” either. Upwards of 87% of U.S. children ages 12 to 17 use the Internet. And as our brief notes, “when children watch broadcast content, they do so increasingly using non-broadcast platforms.”
This is not an issue that draws down political lines—both right and left can agree: the First Amendment belongs to all mediums. In 2011, there is simply no reason for the court not to give broadcast television the full First Amendment protection provided to the Internet.
This Wednesday, November 16, the disastrous "Stop Online Piracy Act" (SOPA) heads to the House Judiciary committee. In case you need a refresher, SOPA could allow the U.S. government and private corporations to create a blacklist of censored websites, and cut many more off from their ad networks and payment providers. This bill is bad news, and its supporters are trying to push it through before ordinary citizens realize just how much damage it can cause.
If you run a website, you too can join in the protest. One easy way is to go to the American Censorship Day website, which Fight for the Future runs, and follow the instructions there to grab their code to embed on your page. On Wednesday, that code will give visitors the chance to write or call their representatives and sign up for future updates from Fight for the Future without leaving your site. Starting Saturday, Fight for the Future will also post instructions on how to “black out” your site logo as a second method of protest.
The Intelligence Oversight Board, or IOB, is a Presidentially appointed, independent, civilian oversight board charged with ensuring that intelligence investigations comply with laws, executive orders, and internal agency procedures. Toward the end of the Bush Administration, the IOB’s oversight responsibilities were largely gutted, shifting primary responsibility to the Director of National Intelligence. However, shortly after taking office, President Obama rolled back those changes, restoring many of the IOB’s important oversight functions.
Nearly two years after making those changes, though, President Obama still had not announced any appointments to the IOB, nor made clear that any of the members of the President’s Intelligence Advisory Board – the larger Presidential intelligence advisory board of which the IOB is a component – were serving on the IOB. Given the IOB’s renewed importance in the intelligence oversight process, its proper functioning is vital to ensure that intelligence agencies are operating within the bounds of the law.
In September, EFF sued the DNI for failing to respond to the request. A week after we filed suit, DNI produced three documents (pdf) that they claimed satisfied our request.
DNI’s production consisted of the bios of three PIAB members – Chuck Hagel, Lester Lyles, and David Boren – with the words “IOB Chair” or “IOB Member” hand-written on the page.
Another consisted of a press release (pdf) announcing appointments to the PIAB, with the words “IOB Mbrs: Hagel (chair), Boren, and Lyles” written on the press release.
The final document was a list of suggested invitees for DNI’s 2010 holiday party. The list is primarily made up of PIAB members, and the fact that Hagel, Boren, and Lyles also serve on the IOB is noted parenthetically.
So, according to DNI, the IOB currently has three members. Determining if the IOB even had members was EFF’s primary goal from the outset, and we’re pleased we were at least able to learn that much. But the government’s treatment of our request and the documents it produced may raise more questions than they answer.
For example, are those documents really the only responsive records in DNI’s possession? Our FOIA request was fairly broad: we asked for all records “reflecting [t]he composition [or] membership” of the IOB. In response, DNI produced two documents that don’t even mention the IOB (aside from the hand-written notations) and a list of holiday party invitees. If those are the only records reflecting the composition of the IOB, it certainly does not suggest that the DNI and the IOB are working closely to ensure that a robust intelligence oversight program is in place. On the other hand, if those aren’t the only responsive records, it means DNI isn’t complying with its legal obligations under FOIA.
Another question: why the unnecessary secrecy? EFF only filed the request after the White House failed to answer a reporter’s questions about the IOB’s membership. Then, it took DNI eight months and the filing of a lawsuit in federal court to produce 12 pages of entirely uncontroversial material. There simply aren’t legitimate reasons for this type of information stonewalling.
Our litigation is still pending, and it’s our hope that some of these questions will be answered by DNI. But, above all else, it’s our hope that the IOB is satisfying its important oversight responsibilities.
Egypt imprisons Alaa, other pro-democracy bloggers
EFF recently highlighted the case of Alaa Abd El Fattah, one of Egypt’s most influential pro-democracy bloggers, who is now serving fifteen days in jail for refusing to be interrogated by military prosecutors. His supposed crime? Accusing the military of having a direct role in the killing of 27 people during a Coptic Christian protest in October. As the Guardian reported, Alaa’s claim “appears to be supported by extensive witness reports and video footage.”
On Wednesday, Alaa smuggled a letter out of prison and had it published in papers around the world. The letter, which accused the police of torturing his fellow prisoners, increased international pressure on the Egyptian military which, in response, announced hundreds of civilians convicted in military courts since the revolution in January would be set free. But as the Guardian reported, Alaa’s wife criticized the announcement as just “a drop in the ocean.” Since longtime dictator Hosni Mubarak gave up power, more than 12,000 civilians have been given military trials, including other prominent bloggers such as Maikel Nabil Sanad.
Sanad has been in jail and on a hunger strike for more than seventy days now, protesting his alleged “crime”: daring to write, 'The army and the people were never one hand'—a fact that has become increasingly clear, as the army postponed his trial yet again to November 13.
EFF continues to call on the Egyptian authorities to release Abd El Fattah and Sanad, and every other civilian imprisoned for attempting to exercise their inherent right to freedom of speech.
Human Rights Coalition Speaks Out Against UAE Bloggers’ Conviction
Meanwhile in UAE, the trial of the five bloggers arrested in April for signing a petition for pro-democratic reforms continued as they reasserted their boycott of the proceedings.
According to Reporters Without Borders, the activists, including prominent blogger, Ahmed Mansoor, were charged with “threatening state security, undermining public order and insulting the president, the vice-president and the crown prince of Abu Dhabi.” They have continually refused to attend hearings in protest. The bloggers claimed they are only on trial for political reasons and that they’ve been mistreated in detention. Reporters Without Borders also accused UAE of deliberately extending the trial for more than six months with the intent of indefinite detainment.
On Thursday, a coalition of human rights organizations released a statement condemning the perverse due process conditions of the court. A report released by the coalition accused the UAE prosecutors of prejudicial interruptions of the defense, ignoring the defense’s motions, and denying the men confidential meetings with their lawyers.
As the Syrian government continues to crackdown on pro-democracy protests, bloggers are increasingly becoming government targets. Reporters Without Borders released a list of 22 bloggers who are currently imprisoned while indicating “the list is almost certainly incomplete.”
The Committee to Protect Journalists also highlighted two bloggers from Syria who have recently gone missing. Journalist Lina Saleh Ibrahim, a business reporter for Tishreen, and Wael Yousef Abaza, a freelance journalist, have both been missing since October 25th.
EFF joins Reporters Without Borders and the Committee to Project Journalists in condemning the detainment of journalists and bloggers reporting on Syria’s pro-democracy protests. We also reiterate CPJ’s statement about the missing journalists, "The government [of Syria] must immediately clarify whether it is holding these journalists, and if so, why."
US State Department Weighs In on Blue Coat and Websense Steps Up
As we reported last week, despite their initial implausible denials, Blue Coat Systems now admits that their censorship and surveillance software has been found in the government-controlled Syrian Telecommunications Establishment. The US State Department spokesperson has now said in a press conference that they are “reviewing the information that [they] have and monitoring the facts,” noting that the U.S. has very strict controls on most exports to Syria. This is good news, but we hope they will also engage their colleagues in the Commerce and Treasury Departments who have more clear authority to enforce the export controls sanctions regimes.
Especially in light of the ongoing surveillance and human rights violations in Syria, Blue Coat’s shifting story, and the log files showing ongoing connections between Blue Coat and the machines in Syria, the public deserves a transparent accounting of how the Blue Coat technology ended up in Syria, what Blue Coat knew about it and when they knew about it. We hope that State Department’s concerns are only the beginning of this process.
Blue Coat, like many other technology companies, currently does not have a corporate policy against selling to governments engaging in censorship or surveillance against democracy activists, and as we noted before, only seems interested in the export sanctions, not whether its technologies are actually being used as part of state oppression.
In contrast, Websense just issued a clear human rights policy and a challenge to other technology companies to match it. Websense says:
Websense does not sell to governments or Internet Service Providers (ISPs) that are engaged in government-imposed censorship. Government-mandated censorship projects will not be engaged by Websense. If Websense does win business and later discovers that it is being used by the government, or by ISPs based on government rule, to engage in censorship of the Web and Web content, we will remove our technology and capabilities from the project.
The exact parameters may be different for companies more focused on surveillance than censorship, but the thrust here is the right one. In fact, Websense says that it refused to engage in a transaction that looks a lot like what Blue Coat says occurred:
And just last month, we detected—and blocked—two attempts to use our software using cloaked addresses in Europe that were actually fronts for entities in Syria, a country subject to trade sanctions by the United States. This is not rocket science, but it does take some moral fiber, smart people, commitment, and follow-through.
Websense is pointing to the technology sector in the direction of promoting freedom; BlueCoat represents the aiding oppressors. The choice for other tech companies is clear, and kudos to Websense for leading the way.
During the past week, momentum against the House’s draconian copyright bill has gained steam, as venture capitalists, Internet giants and major artists have denounced it for handing corporations unprecedented power to censor countless websites and stifle free speech. In response, the bill’s big-pocketed supporters have gone on the offensive, attempting to mislead the public about the bill’s true reach. In a particularly egregious example, the Chamber of Commerce posted an attack on its website insisting that the Stop Online Piracy Act (SOPA) is not a “blacklist bill."
Before they even saw the House bill, they started calling it the “New Internet Blacklist Bill.” Blacklist? That sounds pretty bad. But before we get carried away, let’s take a look at the actual language of the actual legislation. Can YOU find a blacklist? No? Can you find a list of ANY kind? No?
Of course the word “blacklist” does not appear in the bill’s text—the folks who wrote it know Americans don’t approve of blatant censorship. The early versions of PROTECT-IP, the Senate’s counterpart to SOPA, did include an explicit Blacklist Provision, but this transparent attempt at extrajudicial censorship was so offensive that the Senate had to re-write that part of the bill. However, provisions that encourage unofficial blacklisting remained, and they are still alive and well in SOPA.
First, the new law would allow the Attorney General to cut off sites from the Internet, essentially “blacklisting” companies from doing business on the web. Under section 102, the Attorney General can seek a court order that would force search engines, DNS providers, servers, payment processors, and advertisers to stop doing business with allegedly infringing websites.
Second, the bill encourages private corporations to create a literal target list—a process that is ripe for abuse. Under Section 103 (cleverly entitled the “market based” approach), IP rightsholders can take action by themselves, by sending notices directly to payment processors—like Visa, Mastercard, and PayPal—demanding that they cut off all payments to the website. Once notice is delivered to the payment processor, that processor has only five days to act.1 The payment processor, and not the rightsholder, is then responsible for notifying the targeted website. So by the time Visa or Mastercard—who will no doubt be receiving many of these notices—processes the notice, informs the website, and the website decides whether to file a counter notice, the five days will almost certainly have elapsed. The website will then be left without a revenue source even if it did nothing wrong.
Third, section 104 of SOPA also allows payment processors to cut websites off voluntarily—even if they haven’t received a notice. Visa and Mastercard cannot be held accountable if they cease processing payments to any site, as long as they have a “reasonable belief” that the website is engaged in copyright violations of any kind. Hmm, wonder how long it will take big media to publicly post a list of allegedly infringing sites, and start pressuring payment processors to cut them off? As long the payment processors are willing to comply, the rightsholders can essentially censor anyone they see fit. Even well-meaning payment processors might do this to avoid liability down the road.
The potential for rampant abuse is obvious—whether it’s a frivolous claim that wouldn’t withstand the scrutiny of the official process or an attempt to put an emerging competitor at an extreme disadvantage.
Clearly, contrary to the Chamber of Commerce’s rhetoric, SOPA gives rightsholders many ways to blacklist a website: they can hope the attorney general acts, they can cut off a website with a notice, or they can give notice unofficially and let the payment processors do their dirty work for them. Please help keep the Internet free and take action to help stop this bill!
1. This same provision applies to advertisers when the alleged infringing website does not rely on payment processors for revenue.