In what is becoming a well-settled pattern, Righthaven again finds itself on the losing end of a motion, with its case thrown out and owing the defendant – here, Leland Wolf, proprietor of the It Makes Sense Blog – costs and attorneys' fees for bringing a baseless copyright case. The lawsuit, Righthaven v. Wolf, is also notable for being the leading case among more than 50 that were filed in Colorado. Pending a motion to dismiss, the Colorado court stayed the remaining cases. With this ruling, the court has hopefully rung the death knell for the other remaining live cases in that district (joining the Nevada cases that have also been dismissed).
Some background: In March, Righthaven sued Mr. Wolf for allegedly infringing a Denver Post photograph titled “TSA Agent performs enhanced pat-downs,” by virtue of a parody of the photo posted on his blog. Mr. Wolf moved to dismiss the case for lack of subject matter jurisdiction; EFF filed an amicus brief supporting that motion, explaining that Righthaven lacks ownership of any exclusive right granted under Section 106 of the Copyright Act.
Judge John L. Kane agreed, holding that Righthaven assigned to the Denver Post’s parent “the bare right to sue for infringement – no more, no less.” As such, Righthaven was neither a “legal owner” nor a “beneficial owner” of the copyright, and consequently could not bring a suit under the Copyright Act.
To its credit, the court also recognized the enormous pressure the prospect of statutory damages (on top of the expense of litigation) can place on defendants, even those with meritorious defenses, and called out Righthaven’s business model for the settlement mill that it tried to be:
[A] party with a bare right to sue may file numerous infringement actions of questionable merit with the intention of extorting settlement agreements from innocent users. This possibility becomes even more likely when the financial viability of the entity filing suit depends upon the proceeds from settlement agreements and infringement suits. Even though copyright law expressly provides for an award of costs and reasonable attorney fees to a party prevailing in its defense of a meritless infringement action, the economic realities of securing counsel and paying in advance the costs of litigation turns this remedy into a Potemkin Village. Both fundamentally and practically, the reality is at odds with the constitutional prioritization of public access to copyrighted works.
The court’s opinion also highlighted the important balance that the copyright laws are intended to protect. Specifically,
[C]opyright law necessarily balances the derivative goals of rewarding the creative labor of authors of original works with the primary goal of promoting further creativity by allowing public access to copyrighted works.
We are pleased that the Court refused to allow Righthaven to proceed with a lawsuit based on a copyright that it never owned and never had any plans to exploit. Finding otherwise would frustrate the important balance the court highlighted, and “the public interest in access to copyrighted materials.” Well done, Judge Kane.
Books are books whether we read them in a library or on a Kindle or iPad, but California laws are lagging when it comes to protecting reader privacy in the digital age. That's why EFF is a supporter of the Reader Privacy Act, a bill that has passed the California legislature and is awaiting Governor Brown's signature to become law.
Who's looking over Californians' digital shoulder and why does it matter? You can take our quiz to find out what's at risk -- and how Californians can protect their private reading records. Then tell Governor Brown to sign the Reader Privacy Act to ensure Californians don’t have to compromise their privacy when downloading electronic books, using online book services or even buying books from their local bookstore.
EFF has long complained about export restrictions by the U.S. Departments of Treasury and Commerce that deny citizens access to vital communications tools. In the past, this has affected, among others, Zimbabwean activists trying to obtain hosting providers, Syrian businesspeople networking on LinkedIn, and ordinary Iranians trying to download web browsers.
The government has been responding, albeit in piecemeal fashion: in 2010, technology companies were granted a general license from the Department of Treasury’s Office of Foreign Assets Control (OFAC) to export communications tools that could “boost Internet-based communication” and the “free flow of information” to Iranian, Sudanese, and Cuban citizens – but since then we’ve seen a wave of democracy activism reach Syria too, something EFF commented upon in July.
Now we've seen some movement on Syria, but not enough. On August 18, amidst increasing regime violence toward opposition forces, the White House issued an Executive Order blocking a new range of transactions, including (Section 2(b)) “the exportation, re-exportation, sale, or supply, directly or indirectly, from the United States, or by a United States person, wherever located, of any services to Syria,” in light of the Syrian government’s escalating violence against civilians. This seemed like very bad news for Syrians who want to use communications tools to help with the protests.
Fortunately, recognizing the importance of communications tools and social networks to Syrian activists, the Treasury Department's Office of Foreign Assets Control (OFAC) quickly issued a general license allowing the export of “certain services incident to Internet-based communications.” The license specifically notes that transactions that are not otherwise exempt from certain earlier prohibitions, and that are related to the exchange of personal communications over the Internet, are permitted. Examples specifically laid out in the license include instant messaging, chat and email, social networking, photo- and video-sharing, web browsing, and blogging. The license also lays out what is not authorized for exportation, and while the language is a little unclear, it appears to allow export of technologies and services for all purposes other than those for commercial endeavors – so democracy activists should be in the clear.
But the story doesn’t end there. Restrictions from the Department of Commerce’s Bureau of Industry and Security (BIS) still appear to prevent communications tools and services from being exported to Syrians without a license. We think that because of these restrictions, Syrians still cannot access Google products Chrome and Earth, cannot download Java, among various other tools, and cannot use hosting services like Rackspace, SuperGreenHosting and others.
So the Treasury Department’s OFAC is out of the way, but the Commerce Department’s BIS restrictions remain, meaning that companies are still blocking certain communications tools from getting to Syrians. And until the government takes the bigger step of ending its piecemeal relaxation of restrictions, we’ll have the same problems we’ve long complained about. These sorts of export restrictions are overbroad and contain elements which have no effect on the Syrian regime, while preventing Syrian citizens from accessing a wealth of tools that are available to their activist counterparts in neighboring countries and around the world. Furthermore, the penalties that result from violations of the regulations can be severe, so amidst confusing regulations, companies appear to be implementing broad restrictions on their services rather than run any risk. This happened recently when the open-source platform SourceForge blocked the IP addresses of users in five sanctioned countries.
What Needs to Happen
Two things ought to be done here, as soon as possible. First, and most importantly, the government -- the whole government -- should remove the license requirements and restrictions for communications technologies used by democracy activists. In the short term this should happen for Syria, in light of the ongoing struggle there. In the longer term, it’s time for the U.S. to stop this piecemeal approach and affirmatively allow unlicensed distribution of communications tools and services to people in all countries of the world.
Second, companies hesitant about allowing Syrians to use communications tools and services should take the simple steps necessary to seek a BIS license. While we don't think that such licenses should be required, the process is in fact quite simple, and frankly, the Syrians cannot wait. A company that wishes to export to Syria can file an online application with the Commerce Department’s Bureau of Industry and Security (BIS) for a license, which then should be resolved within 90 days. While registration is required before applying, any company that has ever gotten an export license before is likely already registered. Alternatively, companies may also request “interpretative guidance” as to whether or not they require a license from BIS, which takes only 30 days.
EFF Wants to Help
Given the situation on the ground in Syria, we need to focus there first. We reiterate our call for the Obama administration to affirmatively make clear throughout its various agencies that providing digital communications and information tools to citizens around the world, especially those under repressive governments, is not only legal, but encouraged. And in the meantime, we challenge those companies who are concerned about the BIS restrictions to take the simple steps necessary to apply for a license. In fact, we think this is so important that EFF would be willing to help a company that wants to take these steps but doesn’t have the resources to do it. Companies should contact EFF's Legal Director, Cindy@eff.org, if you'd like our help.
EFF is thankful to Senators Franken and Grassley for introducing this important amendment, which we believe is a huge step in the right direction. But the legislation could be better still. As the bill is currently written, government employees who violate employment agreements remain vulnerable to contract-based prosecutions under the CFAA. We urge Congress to protect all computer users against such charges, no matter where they work.
Earlier this week, digital activists alerted us to a concerning situation in Austin, Texas: officers at the local police department had announced a plan to search out all of the individuals running open wifi connections in Austin and warn them about potential dangers of running an open network. Thankfully, quick mobilization by our friends at EFF Austin helped stall this plan before it could take effect.
The officers at the Austin Police Department reportedly planned to seek out open wifi networks and then "make contact with residents who have open wireless connections and teach them the importance of securing them." They listed concerns such as exceeding the number of connections permitted by your ISP or being vulnerable to having someone piggy-back on your Internet connection to engage in illegal activity. To us, the police officers' plan was basically wardriving coupled with unsolicited scare-tactics from law enforcement agents. We’re also skeptical about the police’s role in educating users about ISP terms of service, which we submit is hardly the best use of law enforcement’s limited resources.
We were particularly concerned and disappointed by the Austin Police Department’s bleak characterization of open wifi. While the APD officers were keen to educate users about the potential negative ramifications of running an open wifi network, they failed to let people know that there are numerous societal benefits to opening your network. Anyone who has been lost in a city wishing they could snag an Internet connection for a map can attest to the benefits of having an open network connection. And many others, like security expert Bruce Schneier, have called for open wifi because it’s just plain polite.
Missing from the cited analysis is any recognition of potential benefits to be gained from publicly sharing one’s wireless access point. Lately, the virtues of contributing to any shared commons tends to be overshadowed by fears of bad actors (both real and imagined).
As we’ve discussed before, the current state of closed wifi networking is a tragedy of the commons. If people had mechanisms for opening their wireless connections without jeopardizing bandwidth or privacy, we could all enjoy a world where people in most urban or semi-urban places could easily access the Internet, and even rural areas could be dotted with open networks. That’s why EFF has called for an open wifi movement—advocating for a world in which people could share their wifi connections with others without excessive burdens on their bandwidth or increased security risks. Our movement needs both technical solutions and a shift in social expectations. We’re pleased that a coalition of interested groups and technologists has begun to form around this issue, and we’re looking forward to launching a joint effort in the coming months.
For now, we urge the Austin Police Department to keep in mind the myriad benefits of open and freely available Internet access to the people of Austin.
This week brings new restrictions in Syria and Pakistan, while watchdog group Freedom House releases a new brief on the growing challenges to Internet freedom.
Syria Blocks WordPress
This has been a tumultuous year for Syrians and for the Syrian Internet. In response to protests beginning in February, the Syrian government unblocked Facebook, Blogspot, and YouTube for the first time since 2007. While some observers saw it as a move toward a freer Internet, others viewed it as better enabling surveillance; the latter turned out to be right.
Now, amidst a new wave of protests, the Syrian government has reverted to their old methods, blocking WordPress on at least one ISP. But as one circumvention-savvy Syrian Twitter user said, "They blocked WordPress… as if people are still using the Syrian proxy." If you want to help support Syrian Internet users, one thing you can do is set up a Tor relay.
Pakistan Inches Closer to Facebook Ban
Pakistan, no stranger to Internet censorship, has made new moves this week to block Facebook and other social sites. First, Interior Minister Rehman Malik threatened to block Google and YouTube, saying that if the companies weren't willing to help Pakistan fight terrorism, then the country would have to resort to blocking (ignoring, of course, the fact that Pakistanis are well-versed in circumvention technology).
Then, as the result of a previously filed petition, the Lahore High Court ordered the Ministry of Information and Technology to block Facebook, on the grounds that "Islamic values are being derogated in the name of information that is hurting feeling of billions of Muslims." Facebook famously refused to remove cartoons depicting the Prophet Mohammed in May 2010, resulting in temporary bans on Facebook in Pakistan and several other countries. Free expression activists in the country--who reported a temporary outage of Facebook and Twitter early Friday--have stated that blocking Facebook will "affect civil liberties, [as well as] minorities, and human rights defenders" that use the site for their work.
For a local take on what's happening in Pakistan, editor Jahanzaib Haque has an opinion piece in the Express Tribune, taking a look at the various ways in which Pakistani authorities are trying to curb speech. Haque writes:
All the government is actually doing — by condoning this across-the-board banning of sites and monitoring in cyberspace — is stepping on the rights of its citizens, and impinging on their freedom of information and expression, and privacy.
Freedom House issues new report on growing challenges to Internet freedom
Freedom House is a watchdog group that issues yearly reports on the state of Internet freedom worldwide. Today, in anticipation of the upcoming Internet Governance Forum, they've released a brief by Daniel Calingaert, Deputy Director of Programs for the organization, on the growing challenges to Internet freedom.
Highlighting important challenges to free expression, such as "just-in-time" blocking, intermediary liability, surveillance, and government-enabled cyberattacks, Calingaert makes several recommendations to the U.S. and European governments to strengthen Internet freedom. Namely, he recommends:
Challenge restrictive internet laws and practices
Address internet censorship as a barrier to free trade
Require transparency in sales and services to internet-restricting countries
Introduce export controls on censorship and surveillance technology
In April we launched "Who Has Your Back", a campaign calling on major Internet companies like Google, Amazon and Microsoft to stand with their users when it comes to government demands for users’ data. Today, we’re pleased to see that two of the thirteen companies highlighted in our petition, Apple and Dropbox, have agreed to one of our requests: that they stand up for user privacy in Congress by joining the Digital Due Process coalition.
ECPA was passed by Congress in 1986, before the World Wide Web was even invented and when cell phones were still a rarity. Yet to this day, ECPA is the primary law governing how and when law enforcement can access personal information and private communications stored by communications providers like Google, Facebook, your cell phone company or your ISP.
Unfortunately, ECPA is weak, confusing, and outdated. For example, it doesn’t specifically address location information at all, which has led to years of fighting in the courts about whether or not the government needs a search warrant to track your cell phone. Meanwhile, whether or not ECPA requires the government to get a warrant before seizing private communications content like your emails and IM chats turns on absurd factors like how old the messages are and, according to the Justice Department, whether or not you’ve read them yet. Frighteningly, the government also seems to think that the privacy of your search history stored with Google or Yahoo! or Microsoft’s Bing isn’t protected by ECPA at all.
It’s past time that Congress gave ECPA a much-needed digital upgrade so that it better fits the always-on, location-enabled technological landscape of the 21st century. That’s why DDP is pushing for amendments to ECPA to ensure that the government can’t track your cell phone or obtain your online content—like your private emails, social network messages, photos, search history, word processing documents and backup files—without first going to court to get a search warrant based on probable cause.
Since DDP launched last Spring, our efforts have prompted serious discussion in Washington, D.C. about the need to reform ECPA, with Congress holding five hearings on the issue and introducing several bills that address some of the coalition’s recommendations. That was the first stage in the process of baking stronger and clearer privacy protections into the law. Now comes the harder part: actually getting a good bill passed by Congress and signed by the President.
As we enter that next phase in the fight for electronic privacy reform, it’s good to know that we’ll have Apple and Dropbox on our side. We’re especially pleased to have these new allies as we approach the 25th anniversary of ECPA’s passage on October 21st, which will be a focal point in our campaign to get a 21st century upgrade to our electronic privacy laws.
We’re updating our "Who Has Your Back" chart and awarding a gold star to both Apple and Dropbox for joining us in this effort.
Part one in a short series on EFF’s Open Source Security Audit
By Dan Auerbach and Chris Palmer
We recently did a security audit in which we uncovered and helped to fix vulnerabilities in the popular open source messaging clients Pidgin and Adium. We were motivated by our desire to bolster the security of cryptographic software that we often recommend to individuals and organizations as a defense against surveillance. In particular, one tool that we are enthusiastic about is the widely-used Off-The-Record (OTR) plugin for Pidgin and Adium.
Not to be confused with Google’s similarly named “Off The Record” chat, the plugin can be used with any popular instant messaging services enabled in Pidgin or Adium, including MSN, AIM, Yahoo!, and Google Talk itself. OTR is an anti-surveillance tool used by people around the world, from activists in authoritarian regimes to business folk looking to communicate securely with clients to families who want a private conversation with a distant loved one. If you are using Pidgin to talk from a Google account and have the OTR plugin enabled, then nobody---including Google---is in a position to read your encrypted communications en route to the other party. Though there are other options available for encrypted messaging, we especially like OTR because it has many desirable features, and unlike other encryption, it's easy to use.
However, there is little value in having a nicely-conceived encryption tool if the implementations that people actually use are filled with security bugs! Therefore, we decided to do an audit to find and fix some of those bugs. We chose to focus our efforts on the libpurple messaging client library used by both Adium and Pidgin and some of the software that it depends on (notably GnuTLS and libxml2). Strengthening the security of these libraries is vital to ensuring that people have the option of truly private, encrypted communication at their fingertips. We found and fixed quite a few bugs, which you might be able to see now and in the coming weeks and months by looking for security updates (for example, look under the "libpurple" section here) within the various code bases. As always, we recommend immediately downloading any security updates for your software, especially if that software is being used to combat surveillance.
While we hope that the software libraries that we looked at are more secure now that potential vulnerabilities have been patched, ensuring effective security is an ongoing process. Given the crucial role played by this software as a platform for OTR and other encrypted messaging solutions, we hope that it will get the security attention that it deserves and continue to be reviewed regularly by the developers actively working on the projects as well as the community of users with an interest in encrypted communication. If you use Pidgin or Adium and would like to download OTR to protect yourself against surveillance, you can do so here.