There's been a lot of action on consumer privacy in DC over the past year, and while some of that action seems to have stalled (more on that in another post), there's still movement in the private sector—mainly around "Do Not Track" (DNT) and Tracking Protection Lists (TPLs).
Follow the W3C Discussion!
W3C is an open process that invites participation from many different stakeholders. Even if you can't make it to Boston, you can follow along by visiting:
In April, DNT and TPL were subjects of a W3C workshop on Web Tracking and User Privacy in Princeton, New Jersey. The workshop report and presentations are available here. Since then, Mozilla—the first major browser to support DNT—has released its "field guide" to DNT for developers.
These issues are now being tackled in the W3C's Tracking Protection Working Group (TPWG), co-chaired by Aleecia McDonald of Mozilla and Matthias Schunter of IBM Research-Zurich, which aims to develop consensus standards around DNT and TPLs.
EFF is participating in the W3C process to advocate for user privacy. EFF Technology Projects Director Peter Eckersley is attending the first face-to-face workshop in Cambridge, Massachusetts this week, as is Stanford's Jonathan Mayer, whose work on DNT is available at DoNotTrack.Us. A second face-to-face workshop is planned for the beginning of November in Santa Clara, California.
EFF just received documents that reveal additional post-9/11 Defense Department misconduct, including attempts by the Army to investigate participants at a conference on Islamic law at the University of Texas Law School and Army-issued National Security Letters (NSLs) to telecommunications providers in violation of the law.
EFF received these documents in response to a 2009 Freedom of Information Act (FOIA) lawsuit that we filed against the DoD and a half-dozen other federal agencies involved in intelligence gathering. In the lawsuit, we demanded the immediate release of reports about potential and actual agency misconduct, and the agencies have since released thousands of heavily-redacted pages, some of which we have discussed here, here, here and here.
Now, thanks to a recent Supreme Court case, we have more. In March 2011, after the DoD released most of its records to EFF, the Supreme Court decided an important FOIA case called Milner v. Department of Navy, 131 S.Ct. 1259 (2011). The case involved one of the exemptions to FOIA, 5 U.S.C. §552(b)(2), that allows agencies to withhold information “related solely to the internal personnel rules and practices of an agency.” A 1981 case from the DC Circuit Court of Appeals interpreted this exemption broadly to cover “predominantly internal” materials whose disclosure would “significantly ris[k] circumvention of agency regulation or statutes,” and since that time agencies, including and especially the DoD, have relied on this broad interpretation of (b)(2) to withhold a ton of important information. In March, the Supreme Court overturned this reading of the exemption and held (b)(2) is limited solely to records relating to employee relations and human resources issues.
The Milner decision is important for our case because the DoD and other agencies withheld a significant amount of information under the broader interpretation of (b)(2). As our case is still in litigation, the agencies are now required to release that previously-withheld information to us (or determine it can be exempted under another section of the FOIA).
The few re-released documents we’ve received so far fill in some of the holes in the picture of the federal government’s post-9/11 intelligence violations, just as they raise more questions. Here’s what the records reveal, with the graphics comparing the first government disclosures with the newly released records:
In 2004, an Army Special Agent issued three NSLs (pdf) for customer phone records directly to a communications company. The NSL statute, 18 U.S.C. §2709, only authorizes the FBI to issue NSLs, and specifically prohibits NSL recipients from telling anyone, including the customer, about the request. As the Army does not have the authority to issue NSLs, this Special Agent clearly violated the law. The Army did not discover the illegal requests until after the Agent received customer records from the communications company. Perhaps the most amazing thing about the story is that, according to the report,
neither the Army unit nor the FBI Field Offices [with which the Army agent was working] were aware that these requests had to be made by the FBI.
If we can’t rely on our government employees to know and understand the law, how can we rely on them to apply it appropriately?
Investigation of University of Texas Conference Attendees
A 2004 Army intelligence violation report (pdf) noted that two Army lawyers attended a conference on Islamic law at the University of Texas Law School without disclosing their military affiliation. Some conference participants discovered who they were and challenged why they were there. The Army lawyers, believing that the conference participants had asked “inappropriate questions,” decided to investigate them. Without any investigative authority or jurisdiction (the military’s authority to investigate civilians in the United States is very limited), two Army Special Agents went to UT to ask about three conference attendees. The Army’s internal investigation into the matter concluded that the Special Agents had,
improperly conducted investigative activity directed against three civilians within the U.S., who were outside Army counterintelligence investigative jurisdiction and failed to refer the matter to the FBI as they were required to do.
This report confirms once again that the US government has been improperly targeting Muslims in the United States. As we reported previously, records we received from the Department of Homeland Security (DHS) noted that in 2008, DHS's Office of Intelligence and Analysis improperly collected intelligence (pdf) about a non-violent Muslim conference in Georgia, including details about conference speakers who were Americans, and in 2007, DHS I&A improperly investigated (pdf) the U.S.-based religious organization the Nation of Islam. And just last week, Wired reported that the FBI "is teaching its counterterrorism agents that “main stream” [sic] American Muslims are likely to be terrorist sympathizers."
Joint FBI/DoD Surveillance Operations
Finally, several pages (pdf) refer to joint missions between the FBI and DoD, including a Joint FBI/National Criminal Investigations Service (NCIS) counterespionage operation in which an NCIS “asset” apparently went undercover into a US organization. This violates a DoD regulation that severely limits the ability of DoD employees to participate in US organizations’ activities without disclosing “their affiliation with the intelligence component . . . to an appropriate official of the organization.” Based on earlier releases, we already knew that several components of the DoD conducted surveillance on US organizations, including Planned Parenthood and anti-war groups, and we already knew the DoD worked together with the FBI on investigations, so it’s unclear why the DoD felt it was so important originally to redact this information.
The release of these documents shows just how broadly the DoD was applying the (b)(2) FOIA exemption to prevent the public from knowing what went on in post-9/11 America. None of the information above should have been redacted under even the broadest, pre-Milner interpretation of (b)(2), and we can only assume these redactions are representative of how the DoD has applied other FOIA exemptions to its records as well. The DoD and other agencies should proactively release the rest of the records withheld under (b)(2). If they don't, we will address this along with other exemption issues as we move forward with litigation in our FOIA case this fall.
Nominations are now open for EFF’s 20th Annual Pioneer Awards, to be presented at Zeum (soon to be known as the Children's Creativity Museum) on November 15th in San Francisco. EFF established the Pioneer Awards in 1992 to recognize leaders on the electronic frontier who are extending freedom and innovation in the realm of information technology. Nominations will be open until Monday, October 17th.
What does it take to be a Pioneer? There are no specific categories, but nominees must have contributed substantially to the health, growth, accessibility, or freedom of computer-based communications. Their contributions may be technical, social, legal, academic, economic or cultural. This year’s pioneers will join an esteemed group of past award winners that includes World Wide Web inventor Tim Berners-Lee, security expert Bruce Schneier, open source advocate Mozilla Foundation, and privacy rights activist Beth Givens.
Learn about how you or your company can help sponsor the awards ceremony here.
Remember, nominations are due no later than midnight on Monday, October 17th! And after you nominate your favorites, we hope you will join us on November 15th to celebrate the work of this year’s winners. Tickets are available now.
In the wake of the Google+ Nymwars, the events of the Arab Spring, and discussion surrounding the Computer Fraud and Abuse Act (CFAA), there is a growing need for both companies and users to have a better understanding of how terms of service (ToS) and community policing methods affect online speech. Social networking platforms like Facebook, Twitter, and Google+--as well as video and photo-sharing sites--are increasingly playing the role of the public sphere, and policies around content removal and account deactivation can have chilling effects on free expression.
The paper puts forth two sets of recommendations, one for companies and one for users.
The authors suggest that companies:
Offer clear, consistent guidelines
Provide clear methods of contact with support teams
Develop robust appeals processes
Embed human rights considerations into their platform design
To users, the authors recommend:
A better understanding of platform rules
Increased engagement with companies
The use of tags and other cues to provide context to content
Backing up content stored on any social platform or cloud service
The importance of each point becomes apparent in recent incidents during the Arab Spring. Take, for instance, the case of Hossam Hamalawy, an Egyptian activist who uploaded a set of photos to Flickr, only for the company to remove them on the basis that the photos were not his. The photos had been retrieved by activists from Egyptian state security offices, and Hamalawy had been explicit about their origins, prompting Flickr to enforce their guidelines, which advise users to upload only content which they've created. While Hamalawy argued that "Flickr is full of accounts with photos that people did not take themselves," Flickr responded by sharing their own struggles with enforcing the rules evenly. In this case, both company and user could have benefited from the recommendations put forth in the paper.
As privately-owned online social spaces increasingly play the role of the public sphere, companies must take into account the various ways in which users are employing their platforms. And while Facebook and Google+ may be reluctant to identify as "activist platforms," the events of the Arab Spring have made it apparent that this is exactly what they are, whether they like it or not.
At the same time, users have a responsibility to understand the rules and regulations of these online spaces; research indicates that most users don't read license agreements. Users should also feel empowered to stand up to companies when they deem rules or processes to be unfair; or as Rebecca MacKinnon advocated in her recent TED talk, users must "take back the Internet" and become more engaged in policy, be it at the government or corporate level.
Ultimately, however, the power resides with companies, and it is incumbent upon them to implement rules and processes that take human rights into account. As CDT put it in their announcement of the paper today, "By giving greater thought and attention to these issues, these companies can have a significant impact on user rights and user satisfaction." We couldn't agree more.
Cotterman was coming into the United States from Mexico at the Lukeville Port of Entry in Arizona. Without suspecting he was carrying anything illegal, customs officers detained him at the border for 8 hours before letting him enter the country. The agents confiscated two laptops and a digital camera, and took them 170 miles away to Tucson for forensic examination. The next day, without a warrant or any suspicion that the electronic devices contained anything illegal, agents imaged three hard drives on the computers and reviewed pictures on the digital camera. After two days of forensic examination, the agents ultimately found child pornography on the computers.
The appellate court found the three-day search and seizure reasonable under the Fourth Amendment, despite the absence of any individual suspicion of wrongdoing or a search warrant. A dissenting judge warned that the decision “gives the Government a free pass to copy, review, categorize, and even read all of that information in the hope that it will find some evidence of any crime.”
In our amicus brief, written by Michael Price and Malia Brink of the NACDL, we urge the court to reconsider its decision, which we caution leads to a border where government officials – not the Constitution – dictate the legal boundaries of a search. The Fourth Amendment, while relaxed at the border, demands more than just a free pass for the government to search whatever it wants for no reason at all.
Update: Jiew's trial will resume on February 14, 2012.
Chiranuch Premchaiporn, more commonly known by her pseudonym, “Jiew,” is the director of one of Thailand’s most popular alternative news sites, Prachatai. EFF has been following Jiew’s work--and her commitment to free expression--for quite some time. In October 2010, following a conference on Internet freedom, Jiew was arrested upon re-entering Thailand. EFF conducted an interview with her shortly afterward.
Jiew was charged under the intermediary liability section of Thailand’s 2007 Computer Crime Act, as well as for the crime of “Lèse Majesté,” which has often been used in Thailand to enforce censorship. For the two crimes, Jiew faces a combined sentence of 82 years. In February, at the start of her trial, we expressed our grave concerns. Now, after a recess of nearly eight months, Jiew’s trial resumed on September 1 and remains ongoing, with September 20 marking the first day of the defense. Each day of the trial has attracted international observers from both foreign governments and NGOs, including Freedom Against Censorship in Thailand (FACT), which has blogged several days of the trial.
What is most alarming about this case is that, under the Computer Crime Act, Jiew--as the director of Prachatai--is being held responsible for comments left by users on the site. Whereas in the United States, site hosts are largely protected under Section 230 of the Communications Decency Act, in Thailand (and in numerous other countries), there are no such protections. Therefore, any content host can be held liable for comments left by others; this often has the effect of self-censorship, in that content hosts will moderate or turn off comments to avoid potential liability.
The risks are not for bloggers alone; major Internet companies--like Facebook or Twitter--could also be held responsible for content produced by their users. This presents a real challenge for companies wishing to operate in Thailand, and may have deleterious effects on business there. Earlier this week, the Asia Internet Coalition--which includes members such as eBay, Google, and Yahoo!--issued a statement expressing concern for the effects of Thailand’s intermediary liability laws on business in the country:
By holding an intermediary liable for the actions of its users, this case could set a dangerous precedent and have a significant long-term impact on Thailand's economy. It could also end up denying Thai Internet users access to many of the online services they use every day. Intermediaries, basically any online platform that allows users around the world to connect, such as social networks, online marketplaces and web forums, are a critical component of the Internet today.
The Asia Internet Coalition believes that responsible intermediaries should be protected from prosecution over the actions of users and that clear notice and takedown policies must be in place.
EFF agrees with the Asia Internet Coalition. Jiew is facing decades in prison for the act of being an editor and, if convicted, her case could set a precedent that could have chilling effects on both innovation and free expression in Thailand.
We also express our support for Jiew during this time, and applaud Human Rights Watch for awarding Jiew (along with 47 other writers facing persecution) with the 2011 Hellman/Hammett grant for her commitment to free expression. Upon receiving the award, Jiew said:
Even though this award gives me support, and encourages me to face the threats on the rights & freedoms of expression--which makes me grateful--at the same time it also makes me feel sad. We cannot deny the significance of me being the first Thai who receives this award. It means that this is an indicator that the freedom of expression in this country has drastically declined since the 19 September 2006 coup.
A little background: abstract ideas are not eligible for patent protection under § 101 of the Patent Act. This is fundamental to the patent bargain; without this limitation, parties could obtain harmful monopolies on simple ideas, e.g., ways of running a business or cooking a meal, and be able to (in theory at least) prohibit people from implementing or even thinking those same ideas. In Bilski, the Supreme Court held that the patent at issue, which covered hedging risks for commodity trading, was unpatentable because it was too abstract. But the Court also held that other business method patents might be sufficiently concrete. In other words, no blanket exclusions – each should be considered on its own merits.
Unfortunately, this case-by-case approach has made patent litigation even more unpredictable. Just last week, the Federal Circuit issued a ruling in Ultramercial, LLC v. Hulu, a case involving a patent covering a “Method and System for Payment of Intellectual Property Royalties by Interposed Sponsor on Behalf of Consumer over a Telecommunications Network.” More specifically (and in English), the patent claims an 11-step process for distributing “media products that are covered by intellectual property rights protection” that essentially consists of pairing the content with an ad and restricting access until the user views the ad.
The Federal Circuit, faced with the question of whether the patent’s subject matter was too abstract, found that it was not. The Court reasoned that “many” of the “steps are likely to require intricate and complex computer programming,” and, even more troubling, stated that:
In addition, certain of these steps clearly require specific application to the Internet and a cyber-market environment. One clear example is the third step, “providing said media products for sale on an Internet website.” … Viewing the subject matter as a whole, the invention involves an extensive computer interface.
On its face, this all sounds well and good, until one considers the patent’s own depiction of its allegedly not abstract invention:
To be clear, the Federal Circuit only decided the question of whether the patent was impermissibly abstract, not whether it was obvious or not novel or otherwise unpatentable (those questions may still be answered by the lower court).
Ultramercial is not the only patent-eligibility case the Federal Circuit has recently considered. For example, just last month, in Classen Immunotherapies v. Biogen IDEC, the Court found patents for methods of evaluating and improving safety of immunization schedules not impermissibly abstract based on the fact that the patents claimed the actual act of administering the immunization after devising a new schedule.
And just two weeks before its Classen decision, the Federal Circuit issued a ruling in CyberSource Corp. v. Retail Decisions, Inc., in which it went the other way. The Court held that a patent that covered obtaining and comparing intangible data (such as IP and email addresses) pertinent to business risks to detect fraud in credit card transactions over the Internet was ineligible for patent protection because it was too abstract. Central to the Court’s decision was that the process of comparing relevant data could occur with or without a computer, and wholly in someone’s mind – in other words, it was an unpatentable mental process.
Taken together, these post-Bilski cases confuse, rather than clarify, the standard for impermissible abstraction. In four cases (Bilski, Ultramercial, Classen, and CyberSource), two patents were too abstract (patents for hedging risks and detecting credit card fraud) and two were not (patents for showing ads before copyrighted content and devising immunization schedules). For laypeople and attorneys alike, it is hard to understand why the latter two patents were any more concrete than the former. One might argue that the upheld patents required added complexity (computer programming and administering an immunization), but the abstract patents would likewise require additional steps to execute. What distinguishes those steps that are too abstract from those that are not?
Thus it appears patent holders – and the targets of legal threats based on those patents – are in a worse position than ever, unable to make sound predictions about which business method patents are too abstract to be enforced. It is bad enough that innovators must work around patents covering processes that border on the abstract, but it is even worse that those in the field face the uncertainty that has followed Bilski.
When a state government stores public property information in an electronic format, the format of its storage shouldn't change citizens' right to access the information, right? Well, wrong -- at least in California after a recent Court of Appeal decision. But, in an encouraging sign, on Wednesday, the California Supreme Court granted a petition to hear the case and review the lower court's decision.
The case, which we blogged about here, involves an attempt by the Sierra Club to obtain Orange County's GIS basemap -- essentially, a collection of public property information stored in a database in a GIS-compatible format -- through a California Public Records Act ("CPRA") request. Orange County refused the request and, instead, offered to license the database to the Sierra Club for a tidy $300,000 fee.
At both the trial and appellate level, the courts upheld Orange County's decision to withhold the database. The parties did not dispute that the information contained within the database was public information that could be obtained in a paper format, albeit a voluminous one. Instead, Orange County argued, and the lower courts agreed, that by virtue of storing the information contained within the paper public records in a database, the information became part of "computer software," thus placing it within an exemption to the CPRA.
The proposition that the lower courts' decisions stand for -- that a state entity can strip otherwise public information of its "public" status, simply by virtue of its inclusion within "computer software" -- has grave implications for California's commitment to transparency and open governance in the digital world. In an amicus letter in support of the Sierra Club's petition to the Supreme Court, we argued that this concern, above all else, required the Court's attention.
Despite the petition's long odds (the California Supreme Court receives around 5,000 petitions annually, and only grants review in 2% of cases), the Court unanimously voted to grant the Sierra Club's petition and to hear the case.
We're thrilled the Court recognized the significance of the case to the future of the CPRA. As we did at both the appellate and petition stage, EFF plans to file an amicus brief urging the Court to adopt a rule that enables broad citizen-access to public information, regardless of the format in which that information is stored.