As part of an emerging international trend to try to ‘civilize the Internet’, one of the world’s worst Internet law treaties--the highly controversial Council of Europe (CoE) Convention on Cybercrime--is back on the agenda. Canada and Australia are using the Treaty to introduce new invasive, online surveillance laws, many of which go far beyond the Convention’s intended levels of intrusiveness. Negotiated over a decade ago, only 31 of its 47 signatories have ratified it. Many considered the Treaty to be dormant but in recent years a number of countries have been modeling national laws based on the flawed Treaty. Moreover, Azerbaijan, Montenegro, Portugal, Spain, and the United Kingdom are amongst those who have ratified within the last year. However, among non-European countries, only the U.S. has ratified the Treaty to date, making Canada and Australia’s efforts unique. The Treaty has not been harmless, and both Australia and Canada are fast-tracking legislation (Australia's lower house approved a cybercrime bill last night) that will enable them to ratify the Treaty, at great cost to the civil liberties of their citizens.
Leaving out constitutional safeguards
Australia’s invasive bill highlights one of the fundamental flaws of the Convention on Cybercrime: the Treaty’s failure to specify proper level of privacy protection necessary to limit the over-broad surveillance powers it grants law enforcement agencies. This creates problems in countries like Australia since, as the Australia Privacy Foundation points out, Australia lacks the legal constitutional safeguards afforded to many other democratic countries:
The CoE Convention has to be read within the context that applies in CoE countries – where there are substantial and actionable constitutional protections for human rights. The absence of any such countervailing protection for human rights in Australia makes it completely untenable for the Convention to be implemented in Australia without very substantial additional provisions that achieve a comparable balance.
Bills proposed in Canada (read here and here) are also affected by the Convention’s flaws as they adopt the lowest possible standard of protection against many of the invasive powers they grant. The bills provide law enforcement access to sensitive data on the mere suspicion it might be useful to an investigation. Indeed, at times they leave out the safeguards altogether, as noted in a letter from Canadian privacy scholars and civil society organizations:
[the legislation] will give state agents the power to access ...highly sensitive personal information, even where there is no reason to suspect it will assist in the investigation of any offense...What [this] facilitates, simply put, are unjustified and seemingly limitless fishing expeditions for private information of innocent and non‐suspicious Canadians.
Gag orders in place of oversight: Cultivating a culture of secrecy
The Convention’s most systemic flaw is that it seeks to impose detailed invasive surveillance powers without legal protections. Aside from failing to specify detailed adequate safeguards, it also leaves out the types of oversight mechanisms necessary to ensure its broad powers are not abused. Worse, the Convention takes active steps to reduce oversight and transparency by calling for limitations on when individuals can and cannot be notified that they are being surveilled upon.
The Australian bill even criminalizes any attempt to disclose the fact that the powers it grants to law enforcement have been used to spy on an individual. These gag orders will prevent anyone from disclosing the existence and content of interception warrants, all but ensuring innocent individuals will never know their civil liberties have been violated:
...it should be possible for individuals to find out that their communications have been subject to a preservation order or disclosed to law enforcement agencies once there is no longer any prejudice to an ongoing investigation.
Proposed Canadian legislation also paves the way to blanket and perpetual gag orders that will apply by default to the most invasive of the seizure powers it authorizes. These gag orders can insulate abuses of power --when innocent people are surveilled for no good reason--and they will never find out nor will be able to challenge the abuse of their rights, even in situations where there is no longer any risk to an ongoing investigation.
The far-reaching powers this legislation puts in place, if adopted at all, should be accompanied by equally far-reaching oversight regimes, not gag orders. Instead of preventing abuses from ever seeing the light of day, individuals should be notified when they have been surveilled, and the extent, nature and frequency of such surveillance must be subject to rigorous external oversight.
Tamir Israel, staff attorney, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic.
Blanket gag orders are strongly disfavored under U.S. law, and at least one U.S. court of appeals has found a similar gag order provision partially unconstitutional. A provision of the PATRIOT Act permitted the government to obtain electronic communication transaction records from an Internet Service Providers without a court order. The law imposed a gag order on “National Security Letter” recipients, with extremely limited judicial review that required courts to accept the FBI’s assertions as true and placed the burden on the ISP to challenge the gag order after it had been issued. As EFF argued, such gag orders stifle free expression, and without any judicial oversight, the government was free to do what it wanted. The court agreed that the gag order provision was unconstitutional as written, but it construed the gag rules narrowly so as to pass First Amendment muster. The court found that the U.S. Justice Department could adopt additional procedures to cure the remaining defects—a result that EFF disagrees with because it is Congress’s job to write laws.
Forcing service providers to record your online activity
Countries are also using the Convention to put in place powers aimed at forcing service providers to store customer information for extended periods of time. While the Convention itself foresees targeted preservation orders in scenarios where there is a reason to believe the information would otherwise be vulnerable to loss or modification, Australian and Canadian bills ignore this important limitation. Also, while the Convention envisions a distinction between orders forcing service providers to preserve data they have already collected and orders aimed at forcing service providers to intercept and record data in real time, the misuse of proactive or ‘ongoing’ preservation orders aims to undermine this distinction.
In the U.S. and in Canada, for example, there have been cases where preservation powers have been misused to proactively compel service providers to retain data such as email or text messages that are not yet in their possession or control. Proactive preservation force service providers to record data they would never have otherwise retained, effectively bypassing legal protections in place for real-time electronic interceptions. As the U.S. DOJ notes in its manual on seizing electronic communications:
...should not be used prospectively to order providers to preserve records not yet created. If agents want providers to record information about future electronic communications, they should comply with the electronic surveillance statutes discussed in Chapter 4.
Instead of attempting to avoid such problems, the Australian bill embraces this confusion, and expressly grants law enforcement the right to order ‘ongoing preservation’. This, combined with the complete lack of any obligation to ensure preservation orders are narrowly targeted to capture relevant data at risk of deletion, opens the door to blanket retention orders aimed at real-time interception of communications services on a mass scale:
The Australian law, for example, is phrased in such broad terms that it could be applied indiscriminately, without any assurance that it will only be used to preserve data that is at risk of being destroyed:
The Bill could require an Internet Service Provider to preserve all stored communications (e.g. traffic and content data) for a telecommunications service (e.g. email, text messaging, mobile phone) for a specified period of time. Unless our concerns about the meaning of a ‘service’ are addressed, then under an ongoing domestic preservation notice, a Commonwealth agency could arguably request that a major carrier such as Telstra or Optus, preserve all emails used on its service for a 30 day period.
The proposed Canadian legislation also fails to ensure preservation demands will be used in a targeted manner and is likely to lead to voluntary retention of personal information that would not otherwise have been kept by telecommunications service providers.
Convention premised on outdated concepts of online data
The flaws inherent in the Convention itself are exacerbated by the fact that it was drafted over ten years ago and much has changed since then. The Convention was premised on the notion that ‘traffic data’ (data generated by computers as a by-product of online interactions) is ‘less sensitive’, and so should be more readily accessible to law enforcement. That was then, and this is now: Today’s ‘traffic data’ can include such sensitive information as your otherwise anonymous online identity or your social network of contacts. Mobile companies and our Internet services providers are now recording our whereabouts at every moment, and we are leaving far more detailed footprints that reveal sensitive information of our daily lives. Sensitive data of this nature warrants stronger protection, not an all-access pass.
Other things have changed in the online environment as well. The ongoing move towards cloud computing means that more and more of our information will be stored online. Nowadays, countless millions are trusting web-based email services such as Google Gmail to store years worth of private correspondence, and cloud services such as Dropbox or Google Docs store your most private documents. The Treaty could not envision this reality when it was drafted in 2001.
Ratifying the Cybercrime treaty would introduce not just one bad Internet law into each country's lawbook but invite the enforcement of all the world's worst Internet laws. Australia and Canada should hold this invasive treaty at bay.Governments must now think carefully about what the Treaty’s increased law enforcement powers will mean for citizen rights in this new digital context.
More than five years ago, EFF filed the first lawsuit aimed at stopping the government's illegal mass surveillance of millions of ordinary Americans' private communications. Whistleblower evidence combined with newsreports and Congressional admissions revealed that the National Security Agency (NSA) was tapped into AT&T’s domestic network and databases, sweeping up Americans’ emails, phone calls and communications records in bulk and without court approval.
Hepting v. AT&T, our case challenging the telecom giant’s illegal collaboration with the NSA, faced a barrage of attacks from the government -- including outrageous claims that national security prevented the courts from considering whether AT&T and the government were breaking the law and violating the Constitution. When that gambit seemed to be failing, the White House and the telecoms led a lobbying campaign to convince Congress to pass a law threatening to terminate our suit. When that law passed we filed a follow-up suit directly against the government, Jewel v. NSA, to open a second front in our fight to stop the spying.
On August 31, 2011, at 2 pm in Seattle, the Ninth Circuit Court of Appeals will hear a warrantless wiretapping double-feature, to decide whether the Hepting and Jewel cases can proceed. At stake will be whether the courts can consider the legality and constitutionality of the National Security Agency’s mass interception of Americans’ Internet traffic, phone calls, and communications records.
Jewel v. NSA, EFF’s case directly against the government and government officials, will be argued by EFF Senior Staff Attorney Kevin Bankston. The District Court dismissed Jewel on the grounds that, because millions of Americans had been illegally spied upon, no single American had standing to sue. The alarming upshot of the court's decision is that as long as the government spies on all Americans, the courts have no power to review or halt such mass surveillance even when it is flatly illegal and unconstitutional. EFF will argue that the number of people harmed should have no bearing on whether each individual -- whose own communications and communications records are being intercepted and diverted to the government -- should be able to sue.
On appeal, the government does not seriously defend the District Court’s reasoning but instead renews its old argument that the case should be dismissed based on the state secrets privilege, an argument that the District Court rejected back in 2007 in the Hepting case. That decision held, and EFF argues on appeal, that Congress has overridden the state secrets privilege when it comes to government wiretapping by providing specific security procedures in the Foreign Intelligence Surveillance Act (FISA) that govern how courts are supposed to handle secret evidence relating to electronic surveillance. The Jewel case will be heard in conjunction with Shubert v. Bush, another case against the government over the NSA’s mass surveillance that was dismissed by the District Court at the same time as the Jewel suit. Shubert counsel Ilann M. Maazel will argue that case.
EFF’s case against AT&T, along with approximately 34 other cases against various telecommunications carriers, will be argued by EFF Legal Director Cindy Cohn. The argument arises from the FISA Amendments Act (FAA), the law passed by Congress after a fierce battle in 2008 (and a last-minute flip-flop from then-Senator Obama). With the FAA, lawmakers gave the Executive Branch the unbounded authority to decide to selectively repeal the thirty-year old laws that prohibit companies from violating their customers’ privacy, effectively allowing the Executive to grant favored companies a “get out of lawsuit free” card.
EFF will argue that the law violates the Constitutional separation of powers and due process by, first, giving the President the right to effectively grant civil pardons to carriers and, second, stacking the deck in the courts to prevent meaningful review. EFF’s co-counsel, Harvey Grossman of the Illinois ACLU, will argue that the dismissal of the constitutional claims in the case is separately not allowed under the Constitution.
The outcome of both Jewel v. NSA and Hepting v. AT&T will be crucial not only to those who wish to stop the spying and regain the privacy of our communications, but to upholding the Constitutional limitations on the Executive Branch’s power. Under the Constitution, important decisions about surveillance of Americans are not the Executive’s alone, nor are decisions about whether the Constitution and Congress’ laws must be followed. We need to be vigilant about protecting ourselves, and ultimately the Constitution, against actions that ignore or overstep limits on Executive power, and that's why we're looking forward to these critical arguments in Seattle on August 31.
This spring, agents from Immigration and Customs Enforcement (ICE) executed a search warrant at the home of Nolan King and seized six computer hard drives in connection with a criminal investigation. The warrant was issued on the basis of an Internet Protocol (IP) address that traced back to an account connected to Mr. King's home, where he was operating a Tor exit relay.
An exit relay is the last computer that Tor traffic goes through before it reaches its destination. Because Tor traffic exits through these computers, their IP addresses may be misinterpreted as the source of the traffic, even though the exit node operator is neither the true origin of that traffic nor able to identify the user who is. While law enforcement officers have seized exit relays in othercountries, we weren't aware of any seizures in the United States until ICE showed up at Mr. King's home.
(UPDATE: A reader points us to this blog post detailing a Tor exit relay seizure in the United States in 2009.)
After the computers were seized, EFF spoke with ICE and explained that Mr. King was running a Tor exit relay in his home. We pointed out that ICE could confirm on the Tor Project's web site that a computer associated with the IP address listed in the warrant was highly likely to have been running an exit relay at the date and time listed in the warrant. ICE later returned the hard drives, warning Mr. King that "this could happen again." After EFF sent a letter, however, ICE confirmed that it hadn't retained any data from the computer and that Mr. King is no longer a person of interest in the investigation.
While we think it's important to let the public know about this unfortunate event, it doesn't change our belief that running a Tor exit relay is legal. And it's worth highlighting the fact that these unnecessary incidents are avoidable, and law enforcement agents and relay operators alike can take measures to avoid them in the future.
First, an IP address doesn't automatically identify a criminal suspect. It's just a unique address for a device connected to the Internet, much like a street address identifies a building. In most cases, an IP address will identify a router that one or more computers use to connect to the Internet. Sometimes a router's IP address might correspond fairly well to a specific user—for example, a person who lives alone and has a password-protected wireless network. And tracking the IP addresses associated with a person over time can create a detailed portrait of her movements and activities in private spaces, as we've pointed out in a case in which the government is seeking IP addresses of several Twitter users in connection with the criminal investigation of Wikileaks.
But in many situations, an IP address isn't personally identifying at all. When it traces back to a router that connects to many computers at a library, cafe, university, or to an open wireless network, VPN or Tor exit relay used by any number of people, an IP address alone doesn't identify the sender of a specific message. And because of pervasive problems like botnets and malware, suspect IP addresses increasingly turn out to be mere stepping stones for the person actually "using" the computer—a person who is nowhere nearby.
This means an IP address is nothing more than a piece of information, a clue. An IP address alone is not probable cause that a person has committed a crime. Furthermore, search warrants executed solely on the basis of IP addresses have a significant likelihood of wasting officers' time and resources rather than producing helpful leads.
In the case of Tor, the police can avoid mistakenly pursuing exit relay operators by checking the IP addresses that emerge in their investigations against publicly available lists of exit relays published on the Tor Project's web site. The ExoneraTor is another tool that allows anyone to quickly and easily see whether a Tor exit relay was likely to have been running at a particular IP address during a given date and time. The Tor Project can also help law enforcement agencies set up their own systems to query IP addresses easily. These simple checks will help officers concentrate their investigative resources on tracking down those actually committing crimes and ensure that they don't execute search warrants at innocent people's homes.
If you run an exit relay, consider operating it in a Tor-friendly commercial facility instead of your home to make it less likely that law enforcement agents will show up at your door. Also follow the Tor Project's advice for running an exit relay, which includes setting up a reverse DNS name for your IP address that makes it clear your computer is running an exit relay.
Current EFF members and donors are invited to join Senior Staff Attorneys Marcia Hofmann and Kurt Opsahl for drinks at a secret Seattle location on Wednesday, August 31st, to discuss that day's hearings on EFF's warrantless wiretapping cases before the 9th Circuit Court of Appeals. The court will consider the legality and constitutionality of the now nearly ten-year-old massive domestic surveillance programs that routinely deliver the everyday communications and communications records of millions of ordinary Americans to the National Security Agency. Senior Staff Attorney Kevin Bankston will argue in Jewel v. NSA, and EFF Legal Director Cindy Cohn will challenge the FISA Amendments Act in Hepting v. AT&T. These hearings begin on Wednesday, August 31, 2011, at 2 PM and are open to the public.
EFF's Speakeasy events are free, informal gatherings that give EFF members a chance to mingle with other local supporters and meet the people behind the world's leading digital civil liberties organization. It is also our chance to thank you, the EFF members who make this work possible.
SPEAKEASY: Seattle EFF Members-Only Happy Hour
Wednesday, August 31, 2011, from 6-8 PM
Seattle-area members will receive a personal invitation with location details by email on Tuesday, August 23rd. Your guests are welcome, but space is limited. Attendees must be 21 or older. No-host bar. For more information, contact email@example.com.
Not a member, or let your membership lapse this year? There's still time to sign up today at https://www.eff.org/join!
We've watched this year as Amazon, Google, and Apple have raced to roll out cloud-based music locker services. Each of these company's services signals something in common: an apparent fear of liability for de-duplicating files uploaded by their customers. (De-duplicating means that the service does not store multiple identical files on its servers, even if more than one customer individually uploads the same file.) This can be a huge waste of storage, to little purpose other than pacifying copyright owners more concerned over form than substance. Because of this, Amazon and Google store a distinct and separate file for every single file that is uploaded to their services, and Apple reportedly paid $150 million in licensing fees for, among other things, the ability to avoid this practice.
But it appears that all of this worry and extra work may have been in vain. Just yesterday, a court found that an early music locker service, MP3tunes, which uses a de-duplicating process, “is precisely the type of system routinely protected by the DMCA safe harbor(s).” This outcome represents an understanding of copyright law more in line with how technology actually works, and avoids an absurd result where a music locker needs to waste server space by storing thousands of copies of identical files. This means more efficient music locker services, which is good news for music fans and for companies coming up with new and better ways to give those fans access to music they already own.
The opinion in the Capitol Records vs. MP3tunes case contained other good news (EFF filed an amicus brief in this case earlier this year). For example, the court made clear that the music locker service—whether it de-dupes or not—is like any online service provider (OSP) and, therefore, is entitled to the DMCA safe harbor protections as long as it complies with other DMCA requirements.
One of those requirements is that the OSP maintain a repeat infringer policy. We’ve written before about this somewhat vague provision of the DMCA, and we were happy to see the MP3tunes court reaffirm what we already knew: that an OSP is only required to do “what it can reasonably be asked to do” and it has “no affirmative duty to police [its] users.” The court went even further, implying that a repeat infringer policy need only target “blatant infringers”:
There is a difference between users who know they lack authorization and nevertheless upload content to the internet for the world to experience or copy, and users who download content for their personal use and are otherwise oblivious to the copyrights of others. The former are blatant infringers that internet service providers are obligated to ban from their websites. The latter, like MP3tunes users who sideload content to their lockers for personal user, do not know for certain whether the material they are downloading violates the copyrights of others.
Other highlights from the opinion include: 1) a statement reaffirming that a notice under the DMCA must specifically list each work allegedly infringed and a representative list will not require an OSP to remove other works owned by the notifying party (“the DMCA does not place the burden of investigation on the internet service provider”); 2) a footnote saying that the DMCA applies to state copyright laws, meaning that it applies to sound recordings from before 1972 as well as after; and 3) language showing that services like MP3tunes, which do not directly benefit from infringement, deserve the same protections as popular search engines:
If enabling a party to download infringing material was sufficient to create liability, then even search engines like Google or Yahoo! would be without DMCA protection. In that case, the DMCA’s purpose—innovation and growth of internet services—would be undermined.
The news was not all good for MP3tunes, however. The court found that MP3tunes, upon receiving a valid takedown notice, has an obligation to remove the infringing materials not just from sideload.com (MP3tune's search engine populated with links to music), but from its customers' personal music lockers. The court also found MP3tunes liable for contributory infringement for failing to remove works from those personal lockers and held its founder, Michael Robertson, personally liable for infringement for certain files he downloaded. This is likely to amount to millions of dollars in damages for both Robertson personally and his company.
Overall, we were glad to see the Court get it right that music locker services fall safely within the DMCA’s safe harbors, which Congress designed to foster innovation on the Internet. MP3tunes and all the music locker services that have followed it give music fans more options for storing and listening to the music they already own, helping realize the promise of that innovation.
This is the first in a two-part series explaining the background around the EFF call to action over Cisco assisting the Chinese government in abusing human rights. This article outlines the background of the issue and the first of our two demands to Cisco: intervening on behalf of dissident writer Du Daobin. Our next post will outline specifically how Cisco and other similar networking companies can pledge to uphold human rights.
What responsibility do corporations have to consider human rights when making business deals? Are companies that build and market equipment for the purpose of surveilling and censoring pro-democracy activists in authoritarian regimes culpable when those activists are imprisoned or tortured? Do companies bear a special responsibility if they customize products to improve the efficacy of tracking dissidents and choking free speech? What if the companies train government agents in using the technology to ferret out activists?
Two cases — one in the United States District Court of Maryland and another in the Northern District of California — are attempting to create legal precedent around these issues of corporate social responsibility. In Du v. Cisco, three named plaintiffs – Chinese citizens Du Daobin, Zhou Yuanzhi, and Liu Xianbin – are joining 10 unnamed "John Doe" plaintiffs in suing the American company Cisco Systems for their role in assisting the Chinese Communist Party (CCP) in violating human rights. The complaint against Cisco alleges that the plaintiffs in the case:
Have been and are being subjected to grave violations of some of the most universally recognized standards of international law, including prohibitions against torture, cruel, inhuman or other degrading treatment or punishment, arbitrary arrest and prolonged detention, and forced labor, for exercising their rights of freedom of speech, association, and assembly, at the hands of the Defendants through Chinese officials.
The complaint makes several accusations against Cisco Systems, including:
That Cisco Systems "aggressively sought contracts to provide substantial assistance in helping the Chinese government implement the Golden Shield Project"
That Cisco knew its services and products would be used by Chinese law enforcement, prisons, forced labor camps and also to police Internet usage
That Cisco employees themselves customized or trained others to customize the equipment they sold to China to meet the unique goals of the Golden Shield Project, including targeting disfavored groups in China
That Cisco knew the Golden Shield Project would be used to commit human rights violations
To understand these issues, one must first understand China’s Golden Shield Project, often referred to in the West as the Great Firewall of China. According to the complaint as well as published articles on the topic1, the system employs a series of techniques to monitor and track the Internet usage of people in China and prevent them from accessing a wide swath of online content. The surveillance aspects are extensive; the government is often able to not only track what sites an individual visits, but may also be pinpointing who that individual is, what messages that person posts, and even the content of her communications.
The complaint alleges that the system sold by Cisco, and subsequent training, allows Chinese officials to "access private internet communications, identify anonymous web log authors, prevent the broadcast and dissemination of peaceful speech, and otherwise aid and abet in the violation of Plaintiffs’ fundamental human rights."(para. 2). The government is able to block access to certain content on the Internet – either temporarily or forever – using several techniques, including blocking domain names or entire IP addresses. Access to information that is critical of the CCP or provides unflattering evidence about CCP – such as information about the 1989 Tiananmen Square protests – is frequently inaccessible from within China. Search results for terms like "Egypt" have been blocked for fear they might inspire an uprising, and social networks like Facebook and Twitter are inaccessible. Cisco readily admits to selling this equipment to China, but denies allegations that they customized that equipment for the unique needs of the Chinese government.
At this point, only an initial complaint has been made against Cisco Systems, and it’s likely that much of the evidence that will be used against them, and that that they will use in defense, is not yet available. However, the initial complaint does point to some public evidence. It references a leaked 90 page internal presentation of Cisco from 2002. The document shows that Cisco Systems had extensively evaluated the Chinese government’s needs for a censorship and surveillance system and even noted that the system could be used to target disfavored groups. The documents produced by Cisco specifically note that the Golden Shield Project would (exact quote) "'Combat Falun Gong' evil religion and other hostiles." It also specifically mentions China’s "forced labor" centers and "forced custody and education centers."
As noted above, Du v. Cisco is only one of the two lawsuits currently pending against Cisco Systems for their hand in facilitating human rights abuses in China. The other case, filed by the Human Rights Law Foundation on behalf of members of Falun Gong and pending in the Northern District of California, is attempting to seek class-action status for the many Falun Gong members who were identified, imprisoned, tortured and (in some instances) killed by Chinese government agents relying on information obtained using equipment supplied by Cisco.
Addressing Differences in a Court Room, Not a Torture Chamber
We believe all of the plaintiffs in the cases against Cisco Systems are taking great risks through their involvement in the lawsuits. Recently, Du Daobin’s attorney published a blog noting that his client had been detained and interrogated at length by senior officials from China’s Ministry of Public Security about his role in Du v. Cisco. Mr. Du and the other plaintiffs are currently at risk of further torture, imprisonment, or even "disappearance."
Regardless of whether Cisco "merely" sold surveillance and censorship equipment to China or whether they customized this equipment to pinpoint dissidents, it’s clear that the place to decide this issue is a court of law. The plaintiffs have a right to present their evidence and have a court rule on the legitimacy of their claims. But if the plaintiffs are tortured or imprisoned in China before the trial can take place, no justice will be served.
If Cisco believes what it did was legal, it should be eager to see a court ruling to that effect. Therefore, it’s in Cisco’s own interest to show their commitment to human rights and the rule of law by speaking out now for the safety of the plaintiffs in the case. After all, Mr. Du was asked about his lawsuit against Cisco during the interrogation, so it’s clear that the detention and harassment is being done, at least in part, to protect Cisco by convincing Mr. Du and the others to drop their case.
Even if the detention wasn’t being done to benefit or protect Cisco directly, however, it makes sense that the the Chinese government would pay particular attention to statements from Cisco given the many-year relationship Cisco has cultivated with Chinese government officials. A statement from Cisco affirming their commitment to the rule of law and hopes for the continued safety of Du Daobin and the other plaintiffs could well help to keep these activists safe while the case winds its way through the courts.
Digital rights supporters have sent a steady stream of emails to Cisco Systems over this issue, but it appears that Cisco still doesn’t realize how important it is for for them to stand up for the safety of Du Daobin and the other plaintiffs in the cases.
To clarify, we are asking Cisco to contact their customers and business partners in the Chinese government and tell them not to target the plaintiffs in Du v. Cisco or Doe v. Cisco. We hope Cisco will prove that they don’t condone bullying tactics used to repress free speech and that they believe these disputes should be settled under the rule of law, not the iron fist. We’d be particularly pleased if Cisco would make a public statement about their stance on the continued safety of the plaintiffs – and it would certainly go a long way to improving their public image at this time when the world is watching. But above all, we urge Cisco to use every method at their disposal to ensure that Du Daobin and all of the plaintiffs in both cases make it through the court process, and beyond, unharmed by Chinese officials.
We’ve taken the liberty of writing a script to help guide Cisco through the conversation with their Chinese business partners, making it that much easier for them to fulfill this request:
Dear (insert names of business contacts in China),
As you know, Cisco Systems is currently being sued in the United States over the sale of equipment to you. We’re contacting you today to let you know that we do not wish you to harass, harm or otherwise attempt to dissuade or scare the plaintiffs in those cases. We believe that individuals like Mr. Du Daobin, one of the plaintiffs in the case, have a right to speak freely – even if they use their rights to file a lawsuit against us. We intend to resolve this matter in court and do not need or want any representative from your government to contact Mr. Du Daobin in any way. Please refrain from targeting the plaintiffs in the case against us; give us a chance to respond to the allegations in court.
Hope all those routers and other devices we sold you are still working well.
Your pals at Cisco
There are several things we’d like to see happen now that these cases have been filed against Cisco Systems. We hope to see Cisco Systems held accountable for their actions, if they did indeed facilitate human rights abuses in China. But just as importantly, we’re hoping to see a thoughtful discussion arise from this lawsuit about the responsibilities that corporations have to safeguard human rights in their business deals, especially where those business deals are with governments with well-established records of repression.
We also hope that the United States government will explore what role it should play in ensuring American companies do not supply authoritarian regimes with tools to censor and control individuals.
We’ll be discussing these issues in greater deal in our second post on this topic. For now, we urge supporters to keep sending emails to Cisco and stay tuned to the EFF Twitter feed for additional updates on the case.
1. There are a range of articles written about surveillance and censorship in China. If you’d like to learn more about this issue, here are a few articles to get you started: Surveillance of Skype Messages Found in China, John Markoff, https://www.nytimes.com/2008/10/02/technology/internet/02skype.html (10/1/2008); China boosts internet surveillance, Tania Branigan, http://www.guardian.co.uk/world/2011/jul/26/china-boosts-internet-surveillance (7/26/11); The Architecture of Control: Internet Surveillance in China, James A. Lewis, Center for Strategic and International Studies http://csis.org/files/media/csis/pubs/0706_cn_surveillance_and_information_technology.pdf (7/06); "The Connection Has Been Reset," James Fallows http://www.theatlantic.com/magazine/archive/2008/03/-ldquo-the-connection-has-been-reset-rdquo/6650/ (3/08)
On Tuesday, we reported that Argentina's National Telecommunications Commission (CNC) had issued a directive to local ISPs to block two websites--leakymails.com and leakymails.blogspot.com--in response to an order from a federal judge.
Today, on Google's Latin America blog (in Spanish), Senior Policy Counsel Pedro Less Andrade writes that Google records indicate that some service providers in Argentina are blocking access to the IP address 22.214.171.124, which is linked to more than one million blogs hosted on Google's Blogger service.
IP blocking is a blunt method of filtering content that can erase from view large swaths of innocuous sites by virtue of the fact that they are hosted on the same IP address as the site that was intended to be censored. One such example of overblocking by IP address can be found in India, where the IP blocking of a Hindu Unity website (blocked by an order from Mumbai police) resulted in the blocking of several other, unrelated sites.
As Andrade points out, "There are other less restrictive technical procedures than the one used, which allow ISPs to comply with court orders fully, while affecting only the sites involved."
In this case, it would appear that the block is likely related to the aforementioned case, and that ISPs--in an attempt to comply with the court order--have enacted the overbroad measure of IP blocking rather than blocking the site's URL.
Google reports that they are working with stakeholders to restore access to the hundreds of thousands of blocked blogs and other sites in Argentina.
The parade of cases undermining the first sale exception of copyright law continued this week with an unfortunate ruling from the Second Circuit.
The “first sale” principle is what allows the purchaser of a copy of a book or CD or other copyrighted work to later resell that copy to someone else without infringing the copyright owner’s distribution right. It’s an important free-market limitation on copyright owners’ rights that most of us take for granted. In the recent Second Circuit case, Wiley v. Kirtsaeng, a graduate student lawfully acquired foreign editions of textbooks abroad and then resold them in the United States. The student was subsequently sued by the U.S. textbook owner for copyright infringement. Looking at the statutory language of the first sale provision together with another provision of the Copyright Act concerning importation of copyrighted works, the court concluded that the first sale doctrine applies only to copies that are manufactured domestically, and not to copies manufactured abroad.
The ruling has potentially far-reaching implications. In theory, it could give copyright owners full control to regulate or even prohibit resale of their works so long as the copies of those works are manufactured abroad. Imagine if Apple tried to argue that you couldn’t resell your iPhone that was manufactured in China, or if Toyota tried to argue that you couldn’t resell your Prius that was manufactured in Japan. If a product incorporates some copyrightable componentlikely true for most electronics and many new cars, which include copyrightable software or firmware, though even a copyrighted logo will suffice (more on that below)you might only be able to resell it, if at all, on the copyright owner’s terms.
The ruling also creates a perverse incentive for U.S. businesses to move their manufacturing operations abroad. Surprisingly, the court concedes this point in its opinion but declines to be persuaded by it. It is difficult for us to imagine this is the outcome Congress intended.
Separately, it’s hard to reconcile an outcome in which U.S. copyright law is alternately available (to the copyright owner seeking to enforce U.S. copyright rights) and not available (to the consumer seeking U.S. copyright law’s resale protections). The court even notes that while the books at issue were published abroad, they nevertheless all bore American copyright notices and in some instances invoked provisions of the Copyright Act. That the copyright owner should be permitted to avail itself of the U.S. copyright scheme while the consumer of the copy is barred from doing so seems inconsistent at best.
In a factually similar case from 2008, the Ninth Circuit found that the mere presence of a copyrighted logo enabled a manufacturer to invoke the first sale doctrine to block the unauthorized sale of imported goods. But the court created a limitation on that principle: If the initial sale had occurred with the copyright owner’s authority, then the first sale doctrine would apply. The Wiley court established no such limitation. Under its holding, even a sale authorized by the copyright owner would not trigger first sale provisions. The breadth of the rule is striking.
EFF and others had asked the Supreme Court to review the Ninth Circuit’s earlier decision. The Court agreed; however, the justices were evenly divided on both sides of the issue (Justice Kagan recused herself), so the matter remains unresolved. Given the discrepancy in these circuit holdings and the Supreme Court’s earlier expression of interest, we think it’s likely the Court will pick up the issue again. Hopefully its analysis will support, rather than undermine, time-honored first sale protections.