In a cursory opinion issued today that left us scratching our heads, a federal judge has ruled that the government does not have to return a domain name seized by Immigration and Customs Enforcement (ICE), because its seizure did not create a substantial hardship. Really?
Puerto 80 is the Spanish company behind popular sports streaming sites Rojadirecta.com and Rojadirecta.org, which were both seized by U.S. ICE earlier this year -- even though a Spanish court found they did not violate copyright law. Puerto 80 filed a petition to have the sites released pending a trial on the merits of the case. The petition explained that the government's seizure and continued control of the site was seriously damaging Puerto 80's business and also infringed on its readers' First Amendment right to access its content. EFF, with co-amici Public Knowledge and Center for Democracy and Technology, submitted an amicus brief that elaborated on the First Amendment issues.
Puerto 80's petition explained that while the company can host content elsewhere, its usual visitors might not know how to find it. Too bad, said the court. "Rojadirecta has a large internet presence and can simply distribute information about the seizure and its new domain to its customers," it declared. Perhaps the court thinks Puerto 80 should buy some Google ads? Would the court come to the same conclusion if the site in question was youtube.com? (Maybe so, which is even more frightening).
And the court's First Amendment analysis is flatly wrong. Puerto 80 (and EFF) explained to the court that cutting off access to the site also meant cutting off access to clearly legal content, such as discussion forums. The court dismissed these concerns with a wave:
Although some discussion may take place in the forums, the fact that visitors must now go to other websites to partake in the same discussions is clearly not the kind of substantial hardship that Congress intended to ameliorate in enacting § 983 [the statute that allows for the return of seized property].
Here's the thing: the Supreme Court doesn't agree. The fact that you can get information via a second route does not mean that there is no speech problem with shutting down the first one. In a 1939 case, Schneider v. New Jersey, for example, the Supreme Court held that
“one is not to have the exercise of his liberty of expression in appropriate places abridged on the plea that it may be exercised elsewhere.”
It repeated this basic tenet some forty years later in Va. State Bd. of Pharmacy v. Va. Citizens Consumer Council, Inc.:
“We are aware of no general principle that freedom of speech may be abridged when the speaker’s listeners could come by his message by some other means . . . .”
As if misapplying the relevant substantive First Amendment analysis weren't bad enough, the court failed to even address the fatal procedural First Amendment flaws inherent in the seizure process: namely, that a mere finding of "probable cause" does not and cannot justify a prior restraint. How the court can conclude that the seizure satisfies the First Amendment in this regard is a mystery.
This ruling is profoundly disappointing, to say the least. And it certainly doesn't bode well for the rights of folks whose websites might be targeted under the PROTECT-IP Act now pending in Congress.
UPDATE, 8/25/11: There are a couple of revisions to this post which are marked inline below, and explained further here.
Earlier this year, two research papers reported the observation of strange phenomena in the Domain Name System (DNS) at several US ISPs. On these ISPs' networks, some or all traffic to major search engines, including Bing, Yahoo! and (sometimes) Google, is being directed to mysterious third party proxies.
A report in New Scientist today documents that the traffic is being rerouted through a company called Paxfire. This blog post, coauthored with one of the teams that discovered the phenomenon, will explain the situation in more detail.
Who is rerouting this search traffic?
The proxies in question are operated either directly by Paxfire, or by the ISPs using web proxies provided by Paxfire. Major users of the Paxfire system include Cavalier, Cogent, Frontier, Fuse, DirecPC, RCN, and Wide Open West. Charter also used Paxfire in the past, but appears to have discontinued this practice.
Why do they do this?
In short, the purpose appears to be monetization of users' searches. ICSI Networking's investigation has revealed that Paxfire's HTTP proxies selectively siphon search requests out of the proxied traffic flows and redirect them through one or more affiliate marketing programs, presumably resulting in commission payments to Paxfire and the ISPs involved. The affiliate programs involved include Commission Junction, the Google Affiliate Network, LinkShare, and Ask.com. When looking up brand names such as "apple", "dell", "groupon", and "wsj", the affiliate programs direct the queries to the corresponding brands' websites or to search assistance pages instead of providing the intended search engine results page.
What can I do about it?
If you want to know if the network you're currently on is subject to this type of traffic redirection, you can run a Netalyzr test. And the best protection against the privacy and security risks created by this type of hijacking is to visit sites using HTTPS rather than HTTP, which can easily be achieved using EFF's HTTPS Everywhere Firefox extension.
More technical details below...
A detailed explanation
For most users of the World Wide Web, visiting a website equals clicking on a link to the site or entering the site's name into their browser, and receiving the corresponding page from the site. Users generally assume that the site's name is identical to the site itself, and essentially trust the site's authenticity if it looks as usual and the browser does not pop up phishing warnings or other signs of trouble. Paxfire's misdirection of search traffic undermines this trust.
The ICSI Networking group develops and operates the ICSI Netalyzr, a tool that tests the characteristics of users' Internet connections. Netalyzr's measurements show that approximately a dozen US Internet Service Providers (ISPs), including DirecPC, Frontier, Hughes, and Wide Open West, deliberately and with no visible indication route thousands of users' entire web search traffic via Paxfire's web proxies.
To explain these redirections further, we first need to delve into the workings of the Internet a bit. Since the Internet does not route traffic to names but to network addresses, contacting a website involves translating the site's name (say "www.google.com") to the IP address (say 126.96.36.199) of a computer that runs Google's web server. It is to this address that the browser actually sends its request. The Domain Name System (DNS) is in charge of facilitating this mapping of names to addresses. It is the Internet's equivalent of telephone books.
Usually, ISPs provide DNS servers (directory assistance, essentially) for their users. When a user's computer asks to map a name to an IP address, the user's system contacts the ISP's DNS server, which looks up the correct IP address for the name and returns it to the user. As currently implemented, this process does not provide any guaranteed correctness. In essence, users must trust their ISP's DNS servers to correctly return IP addresses that indeed belong to the site the user intends to visit. In some instances, however, this trust may not be warranted.
For a while now, a number of ISPs have worked in cooperation with Paxfire and similar businesses like Barefruit and Golog to profit from mistakes that users make when typing names into their browsers. Paxfire provides a product for ISPs that rewrites DNS errors (effectively conveying "the name you asked for doesn't exist") to responses sending users to search pages that host advertisements, for which Paxfire then shares the corresponding ad-related revenue with the ISPs. This practice has already been controversial.
Rerouting of requests to and responses from search engines
Paxfire's product also includes an optional, unadvertised, and more alarming feature that drastically expands Paxfire's window into users' traffic. Instead of activating only upon error, this product redirects the customers' entire web search traffic destined for Yahoo!, Bing, and sometimes Google, to a small number of separate web traffic proxies.
These proxies receive, examine and process all search terms and results, but only log a small subset of search queries that were entered into a browser search box and are related to major trademark holders, mostly forwarding the rest to and from the intended search engines. This allows Paxfire's code to examine the queries and responses, selecting out those that are of relevance to its business. It also puts Paxfire in a position to modify the underlying traffic if it decides to.
Under specific conditions, the Paxfire proxies do not merely relay traffic to and from the search engines. When the user initiates searches for specific keywords from the browser's URL bar or search bar, the proxy no longer relays the query to the intended search engine, but instead redirects the browser's request through affiliate networks, as the equivalent of a click on advertisements. Using the names of popular websites, we have so far identified 170 brand-related keywords that trigger redirections via affiliate programs and lead either to the brands' sites or to search assistance pages unrelated to the intended search engine results page.
The subset of customers affected varies from temporally localized deployments to apparently entire customer bases. The DNS-based redirection operates in a surgical fashion, affecting only search engines but not other services such as Google Maps or Yahoo! Mail, and remains completely invisible to the user. The treatment of Google queries varies. Charter and Cogent appear to redirect only Bing and Yahoo, while DirecPC, Frontier and Wide Open West also used to redirect Google to Paxfire proxies located within their own networks. Google has recently put significant pressure (see the answer to the question) on the ISPs to get them to stop redirecting Google searches. As of August 2011, all major ISPs involved have stopped proxying Google, but they still proxy Yahoo and Bing.
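The two DNS behaviours described above (error rewriting, and selective redirection of search hostnames to a small set of shared proxies) can be checked from resolver answers. The following is an added example, not code from Netalyzr or the original post; the hostnames' answers, the per-operator prefixes and the probe name are all constructed, using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Hypothetical prefixes each operator is assumed to serve from (RFC 5737 ranges).
EXPECTED_PREFIXES = {
    "bing":   [ipaddress.ip_network("198.51.100.128/25")],
    "yahoo":  [ipaddress.ip_network("198.51.100.0/25")],
    "google": [ipaddress.ip_network("192.0.2.0/24")],
}
# Search hostnames plus sibling services that the page says are left alone.
BRAND_OF = {
    "www.bing.com": "bing",
    "search.yahoo.com": "yahoo",
    "mail.yahoo.com": "yahoo",
    "www.google.com": "google",
    "maps.google.com": "google",
}
# A random label that should not exist; a correct resolver answers NXDOMAIN.
PROBES = ["nx-qx7f3k9z.example"]

# Constructed answers: hostname -> (rcode, A records) as seen through one resolver.
ISP_RESOLVER = {
    "www.bing.com":        ("NOERROR", ["203.0.113.10"]),
    "search.yahoo.com":    ("NOERROR", ["203.0.113.10", "203.0.113.11"]),
    "mail.yahoo.com":      ("NOERROR", ["198.51.100.25"]),
    "www.google.com":      ("NOERROR", ["192.0.2.80"]),
    "maps.google.com":     ("NOERROR", ["192.0.2.81"]),
    "nx-qx7f3k9z.example": ("NOERROR", ["203.0.113.200"]),
}
CLEAN_RESOLVER = {
    "www.bing.com":        ("NOERROR", ["198.51.100.140"]),
    "search.yahoo.com":    ("NOERROR", ["198.51.100.30"]),
    "mail.yahoo.com":      ("NOERROR", ["198.51.100.25"]),
    "www.google.com":      ("NOERROR", ["192.0.2.80"]),
    "maps.google.com":     ("NOERROR", ["192.0.2.81"]),
    "nx-qx7f3k9z.example": ("NXDOMAIN", []),
}


def nxdomain_rewritten(answers, probe_names):
    """Probe names that do not exist but were answered with addresses anyway."""
    hits = []
    for name in probe_names:
        rcode, addrs = answers.get(name, ("NXDOMAIN", []))
        if rcode == "NOERROR" and addrs:
            hits.append(name)
    return sorted(hits)


def off_network(answers):
    """Hostnames with answers outside every prefix expected for their brand."""
    flagged = {}
    for name, (rcode, addrs) in answers.items():
        brand = BRAND_OF.get(name)
        if brand is None or rcode != "NOERROR":
            continue
        nets = EXPECTED_PREFIXES[brand]
        stray = [a for a in addrs
                 if not any(ipaddress.ip_address(a) in net for net in nets)]
        if stray:
            flagged[name] = stray
    return flagged


def shared_across_brands(flagged):
    """Stray addresses answered for two or more unrelated brands (shared proxy)."""
    brands_by_ip = defaultdict(set)
    for name, addrs in flagged.items():
        for addr in addrs:
            brands_by_ip[addr].add(BRAND_OF[name])
    return {ip: sorted(b) for ip, b in brands_by_ip.items() if len(b) >= 2}


def report(answers, probe_names=PROBES):
    """Summarise error rewriting and selective search redirection for one resolver."""
    flagged = off_network(answers)
    return {
        "nxdomain_rewritten": nxdomain_rewritten(answers, probe_names),
        "redirected_hosts": sorted(flagged),
        "shared_proxy_ips": shared_across_brands(flagged),
        "untouched_hosts": sorted(n for n in BRAND_OF
                                  if n in answers and n not in flagged),
    }


if __name__ == "__main__":
    for label, data in (("ISP", ISP_RESOLVER), ("clean", CLEAN_RESOLVER)):
        print(label, report(data))
```

An address answered for two unrelated search engines is the stronger signal, since CDN-hosted sites legitimately return different addresses to different resolvers and a prefix list on its own can go stale.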
Last month, we wrote about Cisco’s plans to help the Chinese government build a massive camera surveillance network in the city of Chongqing. This is the same company that sold equipment to China to build the Great Firewall, which prevents Chinese Internet users from accessing much of the Internet, including online references to the Tiananmen Square protests, information on China’s human rights abuses, and social media sites such as Facebook and Twitter.
Reports indicate that Cisco has also customized its technology to help China with surveillance of political activists. We've had our eye on Cisco for years; in 2010, they were at the top of our list of "companies of interest" selling surveillance technologies to repressive regimes.
A lawsuit brought by Ward & Ward, PLLC against Cisco Systems, Inc., alleges that the company knowingly enabled the Chinese Communist Party’s harassment, arrest, and torture of Chinese political activists. Yesterday, as outlined in a blog post by his lawyers, one of the plaintiffs in the lawsuit, dissident writer Du Daobin, was questioned by Party officials regarding his involvement.
According to his lawyers, "Mr. Du's persecution began in 2003, when he was arrested while his house was raided by Chinese authorities. On June 11, 2004, he was charged with 'inciting to subvert state power' and was sentenced to three years in prison for posting pro-democracy articles online. Instead of immediately serving that sentence, he was placed under probation for four years, after which it was determined that he violated the terms of his probation and was then forced to serve his original three year prison sentence. During his imprisonment, Mr. Du was subjected to extreme physical and psychological torture. By the time of his release in 2010, Du was suffering from extreme malnutrition, cardiac issues, could no longer walk without assistance, and was dependent on a wheelchair."
Mr. Du is once again under threat for challenging an American company’s policies and speaking out against censorship in China. EFF has created a petition calling on Cisco to use its influence to tell the Chinese government not to commit further human rights abuses in order to protect the company. We also call on Cisco to stop selling tools of repression in China and elsewhere around the world.
Two weeks ago, the Mexican newspaper El Milenio reported on a U.S. Department of Homeland Security (DHS) Office of Operations Coordination and Planning (OPC) initiative to monitor social media sites, blogs, and forums throughout the world. The document discloses how OPC’s National Operations Center (NOC) plans to initiate systematic monitoring of publicly available online data including “information posted by individual account users” on social media.
The NOC monitors, collects and fuses information from a variety of sources to provide a “real-time snap shot of the [U.S.] nation’s threat environment at any moment.” The NOC also coordinates information sharing to “help deter, detect, and prevent terrorist acts and to manage [U.S.] domestic incidents.” The NOC has initiated systemic monitoring of publicly available, user-generated data to follow real-time developments in U.S. crisis activities such as natural disasters as well as to help corroborate data received through official sources with ‘on-the-ground’ input.
The monitoring program appears to have its basis in a similar program used by NOC in its Haitian disaster relief efforts, where information from social media sources provided a vital source of real-time input that assisted NOC’s response, recovery and rebuilding efforts surrounding the 2009 earthquake. The new initiative attempts to leverage similar information sources in assessing and responding to a broader range of crisis activities, including terrorism, cybersecurity, nuclear and other disasters, health epidemics, domestic security, and border threats. While the addition of real-time social media sources can be extremely beneficial in disaster relief-type efforts, the breadth of activities covered by the initiative as well as the keywords and websites scheduled for systemic monitoring raise potential concerns, and the safeguards put in place by the initiative may not be sufficient to address these.
The NOC report entitled, “Privacy Impact Assessment of Public Available Social Media Monitoring and Situational Awareness Initiative”, reveals that NOC’s team of data miners are gathering, storing, analyzing, and sharing “de-identified” online information. The sources of information are “members of the public...first responders, press, volunteers, and others” who provide online publicly available information. To collect the information, the NOC monitors search terms such as “United Nations”, “law enforcement”, “anthrax”, “Mexico”, “Calderon”, “Colombia”, “marijuana”, “drug war”, “illegal immigrants”, “Yemen”, “pirates”, “tsunami”, “earthquake”, “airport”, “body scanner”, “hacker”, “DDOS”, “cybersecurity”, "2600" and “social media”. The report also contains a list of sites targeted for monitoring, including numerous blogs and news sites, as well as Wikileaks, Technorati, Global Voices Online, Facebook and Twitter. As the report was released in January 2011, this monitoring may already be taking place.
While the monitoring envisioned by the report is broad in scope, the initiative includes a number of safeguards that attempt to address privacy concerns. But these safeguards do not go far enough. Furthermore, while the NOC is attempting to limit the circumstances under which agents are permitted to collect or disclose personal data, these limitations only apply to DHS agents operating under this specific initiative. DHS “may use social media for other purposes including...law enforcement, intelligence, and other operations...” Other U.S. government agencies and initiatives have different rules and regulations that are subject to change.
With respect to the safeguards, NOC agents on social networks are prohibited from “post[ing] information, actively seek[ing] to connect..., accept[ing]... invitations to connect, or interact[ing] with others” including, presumably, responding to messages sent by other users. It is not clear, however, that this prohibition is sustainable in light of the NOC's objective. For example, NOC agents are authorized to “establish user names and passwords to form profiles and follow relevant government, media, and subject matter experts on social media sites.” Social networking sites are premised on the concept of “interacting with others.” Distinctions such as ‘following’ a user on Twitter and ‘connecting’ with such a user are not clear-cut.
Genuine attempts are being made to limit monitoring to publicly available information while excluding private sources. For example, agents may be prohibited from collecting information found on Facebook profiles which are restricted to “friends only.” However, problems may arise with respect to more ambiguous “semi-public” spaces that are emerging in many online venues. If NOC agents are authorized to “follow” a user on Twitter, are they allowed to “friend” a Facebook (or Google+) user whose profile contains purely public “relevant government, media, and subject matter”? What about information posted by other people following that user under the extended “friends of friends” setting? The NOC initiative may find it difficult to navigate such distinctions.
Monitoring of purely public online information to assess situational threats can also lead to abuse. During the G20 meeting in Toronto, Canada, police monitoring of real-time on the ground social media interactions was used to locate and arrest large numbers of peaceful protesters. As noted by Constable Drummond, a law enforcement agent deeply involved in Canadian G20 social media surveillance efforts:
“...people have a tendency to have tunnel vision when posting things on sites, feeling faceless and untraceable. It is with those postings that we were able to use our talent and use the information posted to our advantage. It allowed our officers to monitor public sites that protestors were using to share information.”
In the lead up to G20 in Pittsburgh, two individuals were arrested for broadcasting police positions on Twitter in an attempt to help peaceful protesters. In the UK, Paul Chambers, a 27-year-old accountant, was convicted of “menacing” for posting a joke on his Twitter feed which was taken by government agents to be an airport security threat. As Chambers used the NOC-listed search term ‘airport’ in his joke, it may have come to NOC’s attention had it been tweeted in the U.S.
The report reminds individuals that if they do not want the NOC to collect their public data, they should not make it public in the first place: “[a]ny information posted publicly can be used by the NOC.” It places the responsibility of protecting privacy on end users, stating that “primary account holder[s] should be able to redress any [privacy] concerns through the third party social media service [and] should consult the privacy policies of the services they subscribe to for more information.” Moreover, DHS considers publication of the report as sufficient ‘notice’ to users that their public data may be monitored.
Unfortunately, following these policies is not as simple as it seems. Studies have shown that privacy policies are “hard to read” and are “read infrequently”, and even educated Facebook users who were concerned about privacy had trouble limiting data sharing with third parties. Moreover, they are nearly always subject to change. Facebook’s privacy policies have morphed continuously over the years, and have eroded privacy by making previously private information publicly available to everyone. Due to constantly shifting privacy settings, it is not clear that the NOC's definitions of ‘public’ and ‘private’ align with user expectations.
Once NOC has identified useful raw online data for the DHS, attempts are made to “extract only the pertinent, authorized information and put it into a specific web application.” The report explicitly emphasizes that the data extracted from the raw information is to be “free of personal identifiable information”, and efforts are made to carry out this objective. The report claims that if personal data is collected beyond what is authorized, the NOC will immediately redact this information. This “de-identified” information will be shared with federal and state governments when “appropriate”, as well as with the private sector and foreign governments as “otherwise authorized by law.”
This raises concerns, however, as there is significant research demonstrating that de-identification is not always effective. With enough information, individuals can often be “re-identified” through complex computational systems. The details of the actual techniques of the de-identification process deserve broader debate that is open to public scrutiny.
This newly discovered initiative is part of a broader trend of monitoring and using online information in various investigative contexts. What should users both inside and outside the US learn from these discoveries? As always, Internet users should certainly think carefully before posting information about themselves on public sites and remember that privacy policies are constantly subject to change. Not only do we know that the government is watching, we have some clues as to how it is doing it.
In a major blow to one of the most pernicious copyright trolls now operating, the US Copyright Group (USCG), federal judge Robert Wilkins of the District of Columbia has effectively dismissed thousands of Doe defendants due to lack of jurisdiction.
The ruling, which partially echoes arguments EFF has made in cases around the country, comes in a mass copyright case that was notable for just how very massive it was -- 23,322 Doe defendants. The plaintiff in the case, represented by USCG, is Nu Image, a California corporation that claims to own the rights to the movie "The Expendables." Following the normal protocol in these cases, Nu Image/USCG filed a copyright infringement complaint against anonymous BitTorrent users who had allegedly downloaded the movie, listing their supposed IP addresses, and then asked the court for permission to subpoena their identities. The court initially granted the request. Two months later, however, when it learned that Nu Image/USCG hadn't gotten around to issuing a single subpoena and that the vast majority of the defendants likely did not reside in D.C., the court ordered Nu Image/USCG to explain why the suit should proceed there.
Nu Image/USCG responded with the now-familiar theories that courts apply a liberal standard to "jurisdictional discovery" -- meaning, initial investigations to determine where a person can be sued -- and, besides, some of the Does who live outside DC might have committed infringement there. Not good enough, said the court:
The Court’s broad discretion includes imposing reasonable limitations on discovery, particularly where, as here, the Court has a duty to prevent undue burden, harassment, and expense of third parties. . . . Furthermore, while jurisdictional discovery is liberally granted, a plaintiff is not entitled to take it solely because he requests it—he still must make the requisite showing of good cause.
Applying a variety of standards, including a copyright-specific provision that ties jurisdiction to the residency of the defendant, the court concluded that Nu Image/USCG could not establish the court's jurisdiction over any defendant that did not reside in D.C. Therefore, Nu Image/USCG could issue subpoenas only where, using generally available geolocation services, it could determine that the defendant was likely to be located there.
Wryly observing that it understood that using a single lawsuit as a vehicle to identify thousands of Does was "convenient" for Nu Image/USCG, the court noted that this approach put a significant burden on others -- including the court itself:
[T]he Court must take into account the delay and unproductive utilization of court resources in prosecuting this lawsuit if the Plaintiff is allowed to seek discovery with respect to all 23,322 putative defendants, only to result in the eventual dismissal of the vast majority of those John Does later when it is revealed that they are not District of Columbia residents.
Torrentfreak has run the numbers and concluded that just 84 of the IP addresses the plaintiffs originally submitted are likely to be connected to computers located in D.C. Thus, over 23,000 Does can breathe a sigh of relief.
Aside from the sheer number of Does affected, this decision is notable for two more reasons. First, it is based on jurisdiction. Most of the other decisions that have effectively dismissed the mass copyright cases have been based on improper joinder, or the idea that it is not fair to lump together hundreds or even thousands of people based solely on the allegation that they used the same software to share the same work (or group of works).
Second, it comes out of the District of Columbia which, due to some unfortunate legal decisions, like this one, has been perceived as a sympathetic venue for copyright trolls. This decision should help shift that perception, and fast.
It's great to see yet another federal judge recognize the problems with mass copyright litigation. Kudos to Judge Wilkins for refusing to allow USCG to play fast-and-loose with fundamental due process rights.
EFF activist Eva Galperin interviews EFF criminal defense attorney, Hanni Fakhoury, on the newest edition of Line Noise, the EFF podcast. Whether law enforcement wants to search your home computer, tries to browse through your smart phone at a traffic stop, or seeks to thumb through your camera at customs, you should know your rights.
Learn more about your privacy rights by reading our Know Your Rights guide, or test your skills with our quiz.
This edition of Line Noise was recorded on-site from the San Francisco studio of Bamm.tv
Despite a string of courtroom losses, copyright troll Righthaven continues to pursue its misguided infringement litigation. Tuesday, EFF filed an amicus brief in support of a defendant moving to dismiss Righthaven v. Wolf, the lead case in the federal court in Colorado.
Righthaven sued blogger Leland Wolf and his It Makes Sense blog for a parody of a photo printed in the Denver Post documenting a TSA agent performing a pat-down search. In a pattern used in dozens of other cases, Righthaven created the lawsuit by first scouring the Internet for blogs and discussion forums that posted the photo, and then sued for infringement, claiming it had acquired the copyright of the photo before it started legal action.
As those following the Righthaven developments know, a critical document unearthed by EFF shows that the copyright assignments done in Righthaven lawsuits based on Las Vegas Journal Review content are a sham -- a discovery that has led to the dismissal of six Righthaven suits in Nevada. In this case, Wolf's lawyers found a similar agreement with Denver Post owner MediaNews Group. As EFF's brief explains, the agreement makes any assignment of MNG copyrights to Righthaven -- including its rights in the TSA photo, which Righthaven claimed were assigned to it -- effectively meaningless. Copyright law does not permit non-owners to bring infringement actions; since Righthaven never became an owner, it had no business filing suit against Wolf or anyone else.
In Tuesday's amicus brief, EFF asks the judge to dismiss this case, as well as many others that are based on the same improper assignment. Righthaven has filed 57 lawsuits based on the sham copyright assignment of the TSA photo, and the majority of those cases are still open in Colorado federal court. The Colorado court stayed all the cases except Wolf. However, before the stay, over a third of the cases were settled, allowing Righthaven to extract revenue based on a copyright that it did not own. It's well past time for Righthaven's baseless litigation campaign to come to a decisive end.
The Nymwars rage on. Over the past several weeks Google has been engaged in a very public struggle with its users over its “real names” policy on Google+, prompting blog posts and editorials debating the pros and cons of allowing pseudonymous accounts on social networking sites. But there is one person for whom insisting on the use of real names on social networking sites is not enough. Unsurprisingly, that person is Facebook’s Marketing Director, Randi Zuckerberg. Speaking last week on a panel discussion about social media hosted by Marie Claire magazine, Zuckerberg said,
I think anonymity on the Internet has to go away. People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.
Take a moment and let that sink in. Randi Zuckerberg doesn’t just think that you should be using your real name on Facebook or Google+ or LinkedIn -- she thinks pseudonyms have no place on the Internet at all. And why should we take the radical step of stripping all Internet users of the right to speak anonymously? Because of the Greater Internet F***wad Theory, or the “civility argument,” which states: If you allow people to speak anonymously online, they will froth at the mouth, go rabid, bully and stalk one another. Therefore, requiring people to use their real names online should decrease stalking and bullying and generally raise the level of discourse.
The problem with the civility argument is that it doesn’t tell the whole story. Not only is uncivil discourse alive and well in venues with real name policies (such as Facebook), the argument willfully ignores the many voices that are silenced in the name of shutting up trolls: activists living under authoritarian regimes, whistleblowers, victims of violence, abuse, and harassment, and anyone with an unpopular or dissenting point of view that can legitimately expect to be imprisoned, beaten up, or harassed for speaking out.
As a private company, Facebook is free to set its own policies. Facebook can and does choose real names over free speech and diversity of users -- that’s where the money is. If you don’t like Facebook’s rules, you can just go elsewhere, right? Now Randi Zuckerberg is advocating an Internet in which there is nowhere else to go. An Internet in which everyone has to use their real name is not necessarily going to be any more polite, but it is guaranteed to be a disaster for freedom of expression. Let’s not go there.