With protests raging throughout the country, the Syrian government is responding with deadly force. Citizens seeking freedom are relying on digital tools to organize and communicate -- so much so that the government temporarily shut off Internet access. The parallels to the Iranian uprising in 2009 are striking, and they are not lost on the Obama Administration. In fact, President Obama explicitly linked the current Syrian situation with the Iranian uprisings of 2009, noting that “Syria has followed its Iranian ally” in violently responding to peaceful protests. “The image of a young woman dying in the streets is still seared in our memory,” he recalled, referring to the YouTube video of 26-year-old Neda Agha-Soltan dying from a gunshot wound in Tehran.
Yet while the U.S. Treasury Department formally recognized the need for personal communications tools in the case of Iran (and Sudan and Cuba) in March 2010, it remains silent about Syria. This must change.
In March 2010, the U.S. Treasury Department announced that it was amending its trade restrictions for Iran, Sudan, and Cuba to allow the export of "certain services and software incident to the exchange of personal communications over the Internet,” such as social networking, instant messenger, photo sharing, and e-mail products. EFF applauded this action, which cleared the way for American companies to distribute important free speech tools to individuals who would otherwise struggle to make their voices heard. However, even at that time EFF noted the continued ambiguity over regulations for other countries, including Syria. We encouraged the Obama administration to continue proactively reviewing export rules and to clear any ambiguity for Internet companies who want to offer their services in otherwise-restricted countries.
For Syria, the time for such clarification is now. Exports to Syria are controlled by the Export Administration Regulations (administered by the Commerce Department), the Syria Sanctions Regulations (administered by the Treasury Department), and the Syria Accountability Act (signed by President Bush in 2004). Among these regulations are complicated rules and exceptions for certain technologies, software, and information, and it is anything but clear how they all interact. In the midst of such complexity, and severe penalties for violations, who can blame companies for playing it conservative and restricting all Syrian users from their products?
And it seems that the companies are in fact being conservative. We have indications that Google Chrome and Earth and Code are not available in Syria, nor are some Microsoft downloads and iTunes with its access to podcasts from around the world, all due to concerns about U.S. government export restrictions. There are likely others.
In fact, there is reason to believe that U.S. law does permit web companies to make certain services available to Syrian citizens. First, the Treasury Department’s embargos for Syria specifically exempt from regulation “any postal, telegraphic, telephonic, or other personal communication that does not involve the transfer of anything of value.” Certainly instant messengers, e-mail programs, or social networks can be considered “personal communication.” Furthermore, the Export Administration Regulations specifically exempt the export of publicly available, mass market encryption software that is published for free and anonymous download.
More broadly, however, the 1988 Berman Amendment (specifically, these amendments added section 5(b)(4) to the Trading with the Enemy Act and section 1702(b)(2) to the International Emergency Economic Powers Act) strips the President of his power to “directly or indirectly” regulate the export of “information and informational materials” – a definition expanded by the 1994 Free Trade in Ideas Amendment to include all such materials “whether commercial or otherwise, regardless of format or medium of transmission.” Regrettably, and without any apparent basis for doing so, the Treasury Department has narrowly construed these amendments when implementing them in export regulations. For example, the Treasury Department continues to regulate export transactions related to the “substantive or artistic alteration or enhancement of informational materials” as well as the “provision of services to market, produce or co-produce, create or assist in the creation of information and informational materials.”
Yet even if there are ways to thread through the restrictions, the lack of clarity is plainly having an effect. And Syrians should not have to wait. The Obama Administration should proactively and definitively make clear that providing digital communications and information tools to citizens of otherwise-restricted countries like Syria is not only legal, but encouraged.
Such a declaration would fall in line with the administration’s recent statements regarding both Syria and broader Internet freedom, and would also be consistent with the Administration’s rationale for previously amending export controls for other countries. When the Treasury Department deregulated exports of Internet products to Iran, for example, it believed it would “foster and support the free flow of information – a basic human right – for all Iranians." The State Department also concluded that the free flow of information in Iran was “essential to the national interest of the United States.” The same should be true for Syrians and Syria.
Without the availability of U.S.-based digital communication and information tools, the video of the young Neda’s death would likely never have been shared at all. It’s time for the Obama administration to make clear to the people of Syria, and of other repressive regimes around the world, that the U.S. government will not block their access to the digital communication and information tools they need to help them build a more free society.
Special thanks to EFF intern Jarred Taylor for assisting with legal analysis.
Jobseekers be wary: the hard-won privacy rights granted to you by federal and state law might not follow you into the digital space.
For forty years, individuals in the United States applying for jobs have held certain protections under the Fair Credit Reporting Act (FCRA). For example, in many circumstances a consumer who is rejected from a job due to information in an employment background check can review the information in that report and petition to have any inaccuracies corrected.1 These rights are often supplemented by stronger state-level consumer protections, such as California’s Civil Code 1786 which allows a consumer access to her background check report even if she isn’t rejected from the position for which she applied. But as employment background checks move into the digital world—via websites such as Background Record Finder or mobile apps like the recently-released BeenVerified app—will jobseekers be able to maintain their protections?
There are dozens of websites that offer online background checks (Privacy Rights Clearinghouse’s Online Information Brokers list indexes several of them). These services cast a wide net over a consumer’s digital data—gathering up facts from court records, criminal records, driving history, voter registration, and sometimes even elements of one’s credit history. Increasingly, these services are also culling information from the social net—an individual’s Facebook profile, Flickr photos, Twitter stream, and more.
BeenVerified, which offers free and low-cost background checks through a website and recently-released mobile app, has been heralded as a "great tool for small and medium businesses to be able to conduct free, or cost-effective background checks."
But could FCRA as written apply to BeenVerified? It’s uncertain, though there’s definitely the potential - especially if BeenVerified promotes itself as a background-checking service for employers the way Spokeo did. While also uncertain, it’s more likely that BeenVerified would be covered by more stringent consumer protection laws, such as California’s Civil Code 1786, which covers investigative reports done by an employer in-house (instead of using a third-party background checking company). Employers who use these services may risk violating FCRA and other consumer reporting laws.
But these digital background checking companies are using the oldest trick in the book to circumvent the law. They add a little line to their terms of service, such as BeenVerified’s terms, which state:
WE ARE NOT A CREDIT REPORTING AGENCY FOR PURPOSES OF THE FAIR CREDIT REPORTING ACT (“FCRA”). AS SUCH, THE ADDITIONAL PROTECTIONS AFFORDED TO CONSUMERS, AND OBLIGATIONS PLACED UPON CREDIT REPORTING AGENCIES, ARE NOT CONTEMPLATED BY, NOR CONTAINED WITHIN, THESE TERMS AND CONDITIONS.
By merely stating that they can’t be used in ways covered by FCRA (even though they provide services identical to what would be covered by FCRA), BeenVerified attempts to duck the responsibilities imposed upon it by state and federal consumer protection laws. Whether this truly excises any legal responsibility from the reporting service or the employer might be open to debate—and perhaps interpretation by the Federal Trade Commission.2
So where does that leave the consumer? Unless and until the FTC or Congress decides to get involved in the debate, jobseekers probably can’t look to the law to protect their rights in the digital world. For now, we need the market to start self-regulating. Companies like BeenVerified have an opportunity to voluntarily adopt practices that safeguard consumer rights and privacy. This should happen now, without waiting however many years it may take for policymakers and the FTC to decide how they want to handle mobile employment background checks.
Voluntary best practices for online and mobile background checking services should strike a balance between consumer rights and feasibility. The eight OECD Fair Information Practices can provide guidance to these companies as they work to establish policies that safeguard consumer rights in the digital world. But there are a few common-sense, basic privacy safeguards these online and mobile background checking companies should implement right now:
Allow individuals to look up their own records at no cost and provide a way to correct inaccuracies, in the same way a consumer can correct inaccuracies in a credit report.
Allow individuals to suppress access to certain sensitive data sets—including current address and phone number—if they have a clear need for address confidentiality. This could include current and former law enforcement officers, public defenders, and judges as well as those enrolled in state address confidentiality programs, like victims of stalking and domestic violence.
Indicate the original source of any data, so that individuals who discover inaccuracies can also correct the inaccuracies at the source.
Ensure that data that has been restricted or suppressed is permanently suppressed—so that it does not repopulate the next time the data set is refreshed.
This is merely a start; there are a range of other ways companies like BeenVerified can voluntarily improve consumer rights, improve the accuracy of their data sets, and educate employers about the laws surrounding background checks.
We urge BeenVerified and others in that industry to consider the ramifications to individuals and take steps to safeguard the long-held consumer rights, even if for now it is unclear whether FCRA and similar laws will be enforced on these services. The power of the Internet and new technologies to make information more accessible is no excuse for disregarding the privacy rights of individuals.
1. This is only one of the consumer rights under FCRA, and there are a number of important exceptions to these rights that should be understood. Visit Privacy Rights Clearinghouse to learn more about FCRA and background checks. Note that a consumer can also obtain a copy of her consumer report annually from consumer reporting agencies. Learn more.
2. The FTC does not have rulemaking authority when it comes to FCRA, so they may be reluctant to take on employers’ use of online data brokers.
EFF has called on companies to stand with their users when the government comes looking for data. (If you haven’t done so, sign the petition urging companies to provide better transparency and privacy.) This article will provide a more detailed look at the last of the four elements required for a company to earn a gold star in our campaign: Fight for user privacy in Congress.
In prior blog posts about the "Who Has Your Back?" campaign, we've explained that companies largely rely on internal policies when the government comes seeking data about users. If those policies are weak, murky, or left unshared, we as users are prevented from making informed decisions about the privacy risks we face.
But we shouldn't be dependent on company policies to protect our privacy. The law should protect it too, even as technologies change. And the companies that hold our data should stand with users in making the necessary legal updates. That's why the "Who Has Your Back?" campaign urges companies to take steps like joining in the effort towards lasting, permanent improvements — an industry-wide raising of the bar for user privacy — by joining the Digital Due Process coalition (DDP). Members of DDP are working to set legal standards that uphold due process, privacy, and law enforcement effectiveness — like requiring search warrants from the government when it seeks private communications and information, and requiring the government to prove to a court that the data being requested is relevant to actual, authorized law enforcement action.
More specifically, the companies and advocacy organizations essentially agree that the outdated Electronic Communications Privacy Act (ECPA) needs to be simplified, updated, and unified by Congress to reestablish meaningful rules of the road when it comes to government requests for user/customer data from a company. To that end, the coalition has been successful so far: Senator Leahy has already introduced S. 1011, an ECPA reform bill that's the first step in the process of baking stronger and clearer privacy protections into the law.
Having these standards made into law will go a long way in clarifying what a company's obligations are when the government comes knocking in search of user data. Ambiguity in the existing law is one challenge faced by companies struggling to develop privacy and transparency commitments that benefit users and increase trust. That's why standing up for your privacy in Congress—with actions like joining the Digital Due Process coalition, as Amazon, AT&T, Facebook, Google, and Microsoft have—is a gold-star move.
Eleven teams, comprised of the Bay Area's sharpest legal minds from law firms, universities and technology companies, faced off last Tuesday at EFF's annual pub quiz trivia night. At stake: the coveted EFF Pub Quiz Cup and a year's worth of bragging rights. The competition was fierce, with each team diving deep into their brains for the most trivial details in cases and statutes. Seven rounds later, the winners emerged:
EFF’s Cyberlaw Pub Trivia Night is an important opportunity for us to thank our friends in the legal community who help protect online freedom in the courts. Among the many firms that dedicate their time, talent and resources to the cause, we would especially like to thank Winston & Strawn LLP, Fenwick & West LLP and Howard Rice for sponsoring this year’s Trivia Night. Special thanks to Yelp for providing some sweet swag as prizes for the winning team.
Test Your Internet Law Expertise
You too can play along at home. If you read the EFF blog regularly or recently aced EFF’s Know Your Rights Quiz, you may be feeling pretty confident about your knowledge of Internet law. But could you answer seven rounds of questions like these? Courtesy of EFF’s 4th Annual Cyberlaw Pub Trivia Night:
1. The first federal published opinion to use the word “Internet” was U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991). Morris was accused of...
a) Obscenity for a pornography BBS
b) Computer crime for releasing a worm
c) Illegally exporting cryptography
d) Taking unlawful sports bets by email
2. In 1952, the Supreme Court decided U.S. v. Reynolds, establishing the state secrets privilege. When the underlying information was declassified in 2000, it turned out no state secrets were actually involved. The case involved the:
a) Crash of a B-29 Superfortress
b) Recovery of a weather balloon that landed in the general vicinity of Roswell, New Mexico
c) Negligence at the White Sands Proving Ground
d) Contracts for supplies for the Bay of Pigs invasion
4. Nintendo gave its attorney John Kirby a sailboat named the Donkey Kong, along with "exclusive worldwide rights to use the name for sailboats," to commemorate his defense win over the plaintiff’s trademark. Name the plaintiffs’ trademark.
At the Pub Quiz, the answers were graded by EFF's crack team of legal experts. Here, you'll have to grade yourself. Answers to today's quiz below.
Congress is considering a bill that would federalize E-Verify, creating a single, government-controlled database of highly sensitive, detailed information about every legal worker in the United States. EFF joined the ACLU, the National Center for Transgender Equality, the Liberty Coalition, and dozens of other civil liberties and labor groups in urging Congress to uphold worker privacy and reject the Legal Workforce Act.
The Legal Workforce Act (H.R. 2164) would require all employers to use an Internet-based program called E-Verify to check every worker against an error-prone database. In letters sent to both houses of Congress, the coalition of advocacy groups decried the implementation of a nationwide system that could lead to downstream abuses by intelligence and law enforcement groups. The proposed bill could create a bureaucratic nightmare for American businesses while trampling on the privacy rights of workers.
The civil liberties groups raised particular concerns over identity theft. The Chronology of Data Breaches—a review of all public, sensitive records exposed through data breaches in the U.S.—lists over 534 million records since 2005, showcasing how prone large databases are to breaches of all sorts. And these data breaches have real repercussions—increasing the likelihood of identity theft by up to four times, according to a 2009 Javelin Research & Strategy study. The E-Verify proposal would make a database that includes information on every legal United States worker, creating an enticement to malicious hackers and an enormous risk of unintended disclosure.
EFF and the other advocacy groups wrote:
We believe the risks to individual privacy are too great and the likely benefits are too small to justify inserting the federal government into every hiring decision made by every employer across the country... A nationwide mandatory E-Verify system would be one of the largest and most widely accessible databases of private information ever created in the U.S. Its size and openness would present an irresistible target for identity thieves. Additionally, because the system would cover everyone eligible to work in the United States, it could quickly expand to a host of other uses for the intelligence community, law enforcement, and corporate America.
EFF also raised concerns about a pilot biometric authentication program proposed by the bill. This program would allow any employer to fingerprint all employees and would create private sector “enrollment providers”. These providers would combine biometrics, information from employers, commercial databases, and information from the Department of Homeland Security and Social Security Administration—all for the purpose of identity verification. Such a card would exacerbate the existing problems with E-Verify by adding additional sensitive information and allowing it to be kept in the hands of private companies.
In Pakistan, where substantial online and offline censorship already exist, reports have emerged that users of the ISP Mobilink must add proxy 10.215.2.32 port 3128 to browse the Internet, resulting in censorship of key words and phrases in search engines, as well as several individual web pages, mostly related to Balochistan.
According to Shahzad Ahmad at the OpenNet Initiative, “Mobilink’s new filtering system will directly affect a large portion of Pakistan’s online community, which comprises 17 percent of the country’s population, or around 28 million people.”
Ahmad also notes that there is “no public knowledge of new legislation” that would have caused Mobilink to implement the new filtering.
Two Kuwaiti citizens, Nasser Abul and Lawrence Al-Rashidi, are to be tried for criticizing members of the royal families of neighboring states Saudi Arabia and Bahrain on Twitter. According to a Reuters report, both men will remain in detention until a hearing is scheduled and will likely face charges of harming Kuwait’s interests and defamation.
Earlier this year, Bahrain arrested several bloggers and social media users, possibly as a result of content posted on Twitter. The country has also blocked access to individual Twitter accounts.
Though bloggers have previously been arrested in Kuwait, this is the first known case of the country arresting individuals for content posted on a social networking site.
According to numerous online reports (including one from the International Business Times), Google+--Google’s new social networking site--was blocked by Chinese authorities within 24 hours of its beta launch.
Various accounts have since emerged contradicting the reports, with some Chinese residents stating that they can access the new site. One blog post, from Shanghai resident Brian Glucroft, states that Google+ remained unblocked as of 8:30pm local time on July 1 (8:30am EDT/5:30am PDT), but that access to the site was “slowed.”
With only a few days and a 4th of July weekend left, our second annual DEF CON Getaway Contest is getting down to the wire! Thirty-seven participants have raised nearly $4,500 — but it's not over!
You have until 11:59:59 p.m. Pacific Daylight Time on Tuesday, July 5, 2011 to win the Grand Prize Package including a standard suite at the Rio Hotel and Casino, two DEF CON 19 Human badges, two tickets to Vegas 2.0's (in)famous kickoff party theSummit, two badges for the ultra-exclusive Ninja Networks Party, AND an EFF Swag Super Pack. The Second Place Winner will receive two DEF CON 19 Human badges and two tickets to the Vegas 2.0 Party. The Third Place Winner will receive one DEF CON 19 Human badge and one ticket to the Vegas 2.0 Party.
JUST ADDED! We are happy to award an EFF DEF CON 19 t-shirt to all team captains raising $300 or more! This limited run of 325 shirts will only be available to DEF CON 19 Getaway Contest participants, and on site in Las Vegas this summer!
Currently in the lead is ISD Podcast with $1,913.37, followed by team Holy Handgrenades with $1,317.04! ArtC has just edged into third place with $465. Do you have what it takes to win?
Contest registration is still open, so why not commemorate America's independence by rallying support for EFF? Form a team; put a badge up on your blog; get your friends and family to pitch in; spread the word on sites like Twitter, Identi.ca, and Facebook -- there are lots of ways to help EFF and compete for the prizes while extending our freedom to tinker, explore, and hack. See Official Rules for full details.
Check back for our final results next week. Thanks to everyone supporting EFF and spreading the word about the defense of online rights!
Yesterday we reported that EFF and the other civil society members of the Civil Society Information Society Advisory Committee to the Organization for Economic Co-operation and Development (CSISAC) had declined to endorse a draft Communique on Internet policy-making principles produced by the OECD. Since then, the OECD and key government representatives reopened negotiations with civil society, business and the technical industry stakeholders, in an effort to find mutually acceptable text to accommodate our concerns. Unfortunately that was not successful, and EFF and other members of the OECD's Civil Society Information Society Advisory Council have declined to endorse the full and final version of the Communiqué released on 29 June.
EFF and CSISAC are committed to continuing to participate in the OECD's multistakeholder policy development process. EFF has been actively involved in providing input into OECD's policy work through CSISAC for the last two years. We believe that OECD is a vital place for civil society to work and appreciate the genuine commitment of all involved in creating the Communique to engage with civil society and listen to our perspectives and concerns. EFF was involved in CSISAC's negotiation efforts over the last few weeks to find mutually acceptable text for the Communique's principles. We, along with all the other parties involved, participated in these discussions in good faith. Given that, EFF's decision not to endorse the final principles was not taken lightly.
We agree with much that is in the Communique. We support policies for fostering the open Internet, individual empowerment, evidence-based policy-making, and the commitment to multistakeholder policy development. However, we are troubled by the detailed framing of many of the principles, which are not compatible with several core CSISAC values, including respect for fundamental human rights and freedoms and the rule of law, and promotion of access to knowledge.
In our view, the Communiqué over-emphasizes protection and enforcement of intellectual property rights at the expense of fundamental rights and freedoms. At the same time, it fails to acknowledge the importance of balanced IP regimes -- including robust limitations like fair use -- to spur innovation. For EFF, the key concern was that the Communiqué could allow governments to use Internet intermediaries to police their networks and platforms for potential intellectual property infringement, which would impede citizens' access to information and freedom of expression.
The Communiqué envisages that Internet intermediaries will take voluntary measures to address and deter intellectual property infringement. These could include filtering or blocking of web content, or disconnection of Internet users upon a repeat allegation of copyright infringement under a Three Strikes or Graduated Response policy. The Communiqué provides: "Sound Internet policy should encompass norms of responsibility that enable private sector voluntary co-operation for the protection of intellectual property. Appropriate measures include lawful steps to address and deter infringement, and accord full respect to user and stakeholder rights and fair process." Why would they do this? In order to limit their liability. While the Communique recognizes the need for limitations on Internet intermediary liability, that could be read as being conditioned on intermediaries taking particular actions. The Communique provides: "Limitations play an important role in promoting innovation and creativity, the free flow of information, and in providing the incentives for co-operation between stakeholders. Within this context governments may choose to convene stakeholders in a transparent, multi-stakeholder process to identify the appropriate circumstances under which Internet intermediaries could take steps to educate users, assist rights holders in enforcing their rights or reduce illegal content, while minimising burdens on intermediaries and ensuring legal certainty for them, respecting fair process, and more generally employing the principles identified in this document."
Various references throughout the text to "access to lawful content" would also require Internet intermediaries to make determinations about the lawfulness of online content, even though Internet intermediaries are neither competent to do this, nor the appropriate party to do so. Taken together, this could be read as a subtle effort to reopen or at least re-interpret one of the foundational principles that has allowed the Internet to flourish -- limitations on liability of Internet intermediaries who are "mere conduits" in facilitating Internet communications. This would be at odds with the protection against unbounded liability currently afforded to "mere conduit" Internet intermediaries in US and EU law.
And perhaps most troubling of all, this is taking place in a high-level intergovernmentally-agreed document at a time when there is vigorous ongoing debate in international, regional, and national fora about the appropriate role and responsibilities of Internet intermediaries and the scope of protection against liability afforded to intermediaries in various countries' laws.
"Because of the impact that Internet intermediaries can have over their users' freedom of expression online, how countries approach these issues really will determine the future of the single global Internet," noted EFF International IP Director Gwen Hinze. "Any changes to the conditions governing limitations on Internet intermediary liability will have a significant and detrimental impact on Internet users' ability to seek, receive and impart information, and could harm the Internet's end-to-end architecture."
The international context in which this is all taking place is also significant. In his recent landmark report, the U.N. Special Rapporteur on Freedom of Expression and Opinion online recommended that censorship measures such as blocking or filtering content should never be delegated to private entities - and that no one should be held liable for content on the Internet which they did not author.
"At the international level, we are watching a lack of policy coherence among countries who are endorsing contradictory Internet governance principles in different international venues including at the Council of Europe, the OECD, the recent G8, and as proposed by European Commissioner Neelie Kroes recently," says EFF International Rights Director Katitza Rodriguez. "Any principles adopted should ensure the protection of international human rights standards that seek to protect freedom of expression and association on the Internet, as well as the rule of law – rather than supporting overbroad copyright enforcement measures that violate international human rights standards."
CSISAC's press release on the 29 June version of the Communique is here, and a complete account of CSISAC's concerns with the Communiqué is here.