Last month, we wrote about Cisco’s plans to help the Chinese government build a massive camera surveillance network in the city of Chongqing. This is the same company that sold equipment to China to build the Great Firewall, which prevents Chinese Internet users from accessing much of the Internet, including online references to the Tiananmen Square protests, information on China’s human rights abuses, and social media sites such as Facebook and Twitter.
Reports indicate that Cisco has also customized its technology to help China with surveillance of political activists. We've had our eye on Cisco for years; in 2010, they were at the top of our list of "companies of interest" selling surveillance technologies to repressive regimes.
A lawsuit brought by Ward & Ward, PLLC against Cisco Systems, Inc., alleges that the company knowingly enabled the Chinese Communist Party’s harassment, arrest, and torture of Chinese political activists. Yesterday, as outlined in a blog post by his lawyers, one of the plaintiffs in the lawsuit, dissident writer Du Daobin, was questioned by Party officials regarding his involvement.
According to his lawyers, "Mr. Du's persecution began in 2003, when he was arrested while his house was raided by Chinese authorities. On June 11, 2004, he was charged with 'inciting to subvert state power' and was sentenced to three years in prison for posting pro-democracy articles online. Instead of immediately serving that sentence, he was placed under probation for four years, after which it was determined that he violated the terms of his probation and was then forced to serve his original three year prison sentence. During his imprisonment, Mr. Du was subjected to extreme physical and psychological torture. By the time of his release in 2010, Du was suffering from extreme malnutrition, cardiac issues, could no longer walk without assistance, and was dependent on a wheelchair."
Mr. Du is once again under threat for challenging an American company’s policies and speaking out against censorship in China. EFF has created a petition calling on Cisco to use its influence to tell the Chinese government not to commit further human rights abuses in order to protect the company. We also call on Cisco to stop selling tools of repression in China and elsewhere around the world.
Two weeks ago, the Mexican newspaper El Milenio reported on a U.S. Department of Homeland Security (DHS) Office of Operations Coordination and Planning (OPC) initiative to monitor social media sites, blogs, and forums throughout the world. The document discloses how OPC’s National Operations Center (NOC) plans to initiate systematic monitoring of publicly available online data including “information posted by individual account users” on social media.
The NOC monitors, collects and fuses information from a variety of sources to provide a “real-time snap shot of the [U.S.] nation’s threat environment at any moment.” The NOC also coordinates information sharing to “help deter, detect, and prevent terrorist acts and to manage [U.S.] domestic incidents.” The NOC has initiated systemic monitoring of publicly available, user-generated data to follow real-time developments in U.S. crisis activities such as natural disasters as well as to help corroborate data received through official sources with ‘on-the-ground’ input.
The monitoring program appears to have its basis in a similar program used by NOC in its Haitian disaster relief efforts, where information from social media sources provided a vital source of real-time input that assisted NOC’s response, recovery and rebuilding efforts surrounding the 2009 earthquake. The new initiative attempts to leverage similar information sources in assessing and responding to a broader range of crisis activities, including terrorism, cybersecurity, nuclear and other disasters, health epidemics, domestic security, and border threats. While the addition of real-time social media sources can be extremely beneficial in disaster relief-type efforts, the breadth of activities covered by the initiative as well as the keywords and websites scheduled for systemic monitoring raise potential concerns, and the safeguards put in place by the initiative may not be sufficient to address these.
The NOC report entitled, “Privacy Impact Assessment of Public Available Social Media Monitoring and Situational Awareness Initiative”, reveals that NOC’s team of data miners are gathering, storing, analyzing, and sharing “de-identified” online information. The sources of information are “members of the public...first responders, press, volunteers, and others” who provide online publicly available information. To collect the information, the NOC monitors search terms such as “United Nations”, “law enforcement”, “anthrax”, “Mexico”, “Calderon”, “Colombia”, “marijuana”, “drug war”, “illegal immigrants”, “Yemen”, “pirates”, “tsunami”, “earthquake”, “airport”, “body scanner”, “hacker”, “DDOS”, “cybersecurity”, "2600" and “social media”. The report also contains a list of sites targeted for monitoring, including numerous blogs and news sites, as well as Wikileaks, Technorati, Global Voices Online, Facebook and Twitter. As the report was released in January 2011, this monitoring may already be taking place.
While the monitoring envisioned by the report is broad in scope, the initiative includes a number of safeguards that attempt to address privacy concerns. But these safeguards do not go far enough. Furthermore, while the NOC is attempting to limit the circumstances under which agents are permitted to collect or disclose personal data, these limitations only apply to DHS agents operating under this specific initiative. DHS “may use social media for other purposes including...law enforcement, intelligence, and other operations...” Other U.S. government agencies and initiatives have different rules and regulations that are subject to change.
With respect to the safeguards, NOC agents on social networks are prohibited from “post[ing] information, actively seek[ing] to connect..., accept[ing]... invitations to connect, or interact[ing] with others” including, presumably, responding to messages sent by other users. It is not clear, however, that this prohibition is sustainable in light of the NOC's objective. For example, NOC agents are authorized to “establish user names and passwords to form profiles and follow relevant government, media, and subject matter experts on social media sites.” Social networking sites are premised on the concept of “interacting with others.” Distinctions such as ‘following’ a user on Twitter and ‘connecting’ with such a user are not clear-cut.
Genuine attempts are being made to limit monitoring to publicly available information while excluding private sources. For example, agents may be prohibited from collecting information found on Facebook profiles which are restricted to “friends only.” However, problems may arise with respect to more ambiguous “semi-public” spaces that are emerging in many online venues. If NOC agents are authorized to “follow” a user on Twitter, are they allowed to “friend” a Facebook (or Google+) user whose profile contains purely public “relevant government, media, and subject matter”? What about information posted by other people following that user under the extended “friends of friends” setting? The NOC initiative may find it difficult to navigate such distinctions.
Monitoring of purely public online information to assess situational threats can also lead to abuse. During the G20 meeting in Toronto, Canada, police monitoring of real-time on the ground social media interactions was used to locate and arrest large numbers of peaceful protesters. As noted by Constable Drummond, a law enforcement agent deeply involved in Canadian G20 social media surveillance efforts:
“...people have a tendency to have tunnel vision when posting things on sites, feeling faceless and untraceable. It is with those postings that we were able to use our talent and use the information posted to our advantage. It allowed our officers to monitor public sites that protestors were using to share information.”
In the lead up to G20 in Pittsburgh, two individuals were arrested for broadcasting police positions on twitter in an attempt to help peaceful protesters. In the UK, Paul Chambers, a 27-year-old accountant, was convicted of “menacing” for posting a joke on his twitter feed which was taken by government agents to be an airport security threat. As Chambers used the NOC listed search term ‘airport’ in his joke, it may have come to NOC’s attention had it been tweeted in the U.S.
The report reminds individuals that if they do not want the NOC to collect their public data, they should not make it public in the first place: “[a]ny information posted publicly can be used by the NOC.” It places the responsibility of protecting privacy on end users, stating that “primary account holder[s] should be able to redress any [privacy] concerns through the third party social media service [and] should consult the privacy policies of the services they subscribe to for more information.” Moreover, DHS considers publication of the report as sufficient ‘notice’ to users that their public data may be monitored.
Unfortunately, following these policies is not as simple as it seems. Studies have shown that privacy policies are “hard to read” and are “read infrequently”, and even educated Facebook users who were concerned about privacy had trouble limiting data sharing with third parties. Moreover, they are nearly always subject to change. Facebook’s privacy policies have morphed continuously over the years, and have eroded privacy by making previously private information publicly available to everyone. Due to constantly shifting privacy settings, it is not clear that the NOC's definition of ‘public' and 'private’ align with user expectations.
Once NOC has identified useful raw online data for the DHS, attempts are made to “extract only the pertinent, authorized information and put it into a specific web application.” The report explicitly emphasizes that the data extracted from the raw information is to be “free of personal identifiable information”, and efforts are made to carry out this objective. The report claims that if personal data is collected beyond what is authorized, the NOC will immediately redact this information. This “de-identified” information will be shared with federal and state governments when “appropriate”, as well as with the private sector and foreign governments as “otherwise authorized by law.”
This raises concerns, however, as there is significant research (read here, here, here, and here) demonstrating that de-identification is not always effective. With enough information, individuals can often be “re-identified” through complex computational systems. The details of the actual techniques of the de-identification process deserve broader debate that is open to public scrutiny.
This newly discovered initiative is part of a broader trend of monitoring and using online information in various investigative contexts. What should users both inside and outside the US learn from these discoveries? As always Internet users should certainly think carefully before posting information about themselves on public sites and remember that privacy policies are constantly subject to change. Not only do we know that the government is watching, we have some clues as to how it is doing it.
In a major blow to one of the most pernicious copyright trolls now operating, the US Copyright Group (USCG), federal judge Robert Wilkins of the District of Columbia has effectively dismissed thousands of Doe defendants due to lack of jurisdiction.
The ruling, which partially echoesarguments EFF has made in cases around the country, comes in a mass copyright case that was notable for just how very massive it was -- 23,322 Doe defendants. The plaintiff in the case, represented by USCG, is Nu Image, a California corporation that claims to own the rights to the movie "The Expendables." Following the normal protocol in these cases, Nu Image/USCG filed a copyright infringement complaint again anonymous BitTorrent users who had allegedly downloaded the movie, listing their supposed IP addresses, and then asked the court for permission to subpoena their identities. The court initially granted the request. Two months later, however, when it learned that Nu Image/USCG hadn't gotten around to issuing a single subpoena and that the vast majority of the defendants likely did not reside in D.C., the court ordered Nu Image/USCG to explain why the suit should proceed there.
Nu Image/USCG responded with the now-familiar theories that courts apply a liberal standard to "jurisdictional discovery" -- meaning, initial investigations to determine where a person can be sued -- and, besides, some of the Does who live outside DC might have committed infringement there. Not good enough, said the court:
The Court’s broad discretion includes imposing reasonable limitations on discovery, particularly where, as here, the Court has a duty to prevent undue burden, harassment, and expense of third parties. . . . Furthermore, while jurisdictional discovery is liberally granted, a plaintiff is not entitled to take it solely because he requests it—he still must make the requisite showing of good cause.
Applying a variety of standards, including a copyright-specific provision that ties jurisdiction to the residency of the defendant, the court concluded that Nu Image/USCG could not establish the court's jurisdiction over any defendant that did not reside in D.C. Therefore, Nu Image/USCG could issue subpoenas only where, using generally available geolocation services, it could determine that the defendant was likely to be located there.
Wryly observing that it understood that using single lawsuit as a vehicle to identify thousands of Does was "convenient" for Nu Image/USCG, the court noted that this approach put a significant burden on others -- including the court itself:
[T]he Court must take into account the delay and unproductive utilization of court resources in prosecuting this lawsuit if the Plaintiff is allowed to seek discovery with respect to all 23,322 putative defendants, only to result in the eventual dismissal of the vast majority of those John Does later when it is revealed that they are not District of Columbia residents.
Torrentfreak has run the numbers and concluded that just 84 of the IP addresses the plaintiffs originally submitted are likely to be connected to computers located in D.C. Thus, over 23,000 Does can breathe a sigh of relief.
Aside from the sheer number of Does affected, this decision is notable for two more reasons. First, it is based on jurisdiction. Most of the other decisions that have effectively dismissed the mass copyright cases have been based on improper joinder, or the idea that it is not fair to lump together hundreds or even thousands of people based solely on the allegation that they used the same software to share the same work (or group of works).
Second, it comes out of the District of Columbia which, due to some unfortunate legal decisions, like this one, has been perceived as a sympathetic venue for copyright trolls. This decision should help shift that perception, and fast.
It's great to see yetanotherfederaljudge recognize the problems with mass copyright litigation. Kudos to Judge Wilkins for refusing to allow USCG to play fast-and-loose with fundamental due process rights.
EFF activist Eva Galperin interviews EFF criminal defense attorney, Hanni Fakhoury, on the newest edition of Line Noise, the EFF podcast. Whether law enforcement wants to search your home computer, tries to browse through your smart phone at a traffic stop, or seeks to thumb through your camera at customs, you should know your rights.
Learn more about your privacy rights by reading our Know Your Rights guide, or test your skills with our quiz.
This edition of Line Noise was recorded on-site from the San Francisco studio of Bamm.tv
Despite a string of courtroom losses, copyright troll Righthaven continues to pursue its misguided infringement litigation. Tuesday, EFF filed an amicus brief in support of a defendant moving to dismiss Righthaven v. Wolf, the lead case in the federal court in Colorado.
Righthaven sued blogger Leland Wolf and his It Makes Sense blog for a parody of a photo printed in the Denver Post documenting a TSA agent performing a pat-down search. In a pattern used in dozens of other cases, Righthaven created the lawsuit by first scouring the Internet for blogs and discussion forums that posted the photo, and then sued for infringement, claiming it had acquired the copyright of the photo before it started legal action.
As those following the Righthaven developments know, a critical document unearthed by EFF shows that the copyright assignments done in Righthaven lawsuits based on Las Vegas Journal Review content are a sham -- a discovery that has led to the dismissal of six Righthaven suits in Nevada. In this case, Wolf's lawyers found a similar agreement with Denver Post owner MediaNews Group. As EFF's brief explains, the agreement makes any assignment of MNG copyrights to Righthaven -- including its rights in the TSA photo, which Righthaven claimed were assigned to it -- effectively meaningless. Copyright law does not permit non-owners to bring infringement actions; since Righthaven never became an owner, it had no business filing suit against Wolf or anyone else.
In Tuesday's amicus brief, EFF asks the judge to dismiss this case, as well as many others that are based on the same improper assignment. Righthaven has filed 57 lawsuits based on the sham copyright assignment of the TSA photo, and the majority of those cases are still open in Colorado federal court. The Colorado court stayed all the cases except Wolf. However, before the stay, over a third of the cases were settled, allowing Righthaven to extract revenue based on a copyright that it did not own. It's well past time for Righthaven's baseless litigation campaign to come to a decisive end.
The Nymwars rage on. Over the past several weeks Google has been engaged in a very public struggle with its users over its “real names” policy on Google+, prompting blog posts and editorials debating the pros and cons of allowing pseudonymous accounts on social networking sites. But there is one person for whom insisting on the use of real names on social networking sites is not enough. Unsurprisingly, that person is Facebook’s Marketing Director, Randi Zuckerberg. Speaking last week on a panel discussion about social media hosted by Marie Claire magazine, Zuckerberg said,
I think anonymity on the Internet has to go away. People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.
Take a moment and let that sink in. Randi Zuckerberg doesn’t just think that you should be using your real name on Facebook or Google+ or LinkedIn -- she thinks pseudonyms have no place on the Internet at all. And why should we take the radical step of stripping all Internet users of the right to speak anonymously? Because of the Greater Internet F***wad Theory, or the “civility argument,” which states: If you allow people to speak anonymously online, they will froth at the mouth, go rabid, bully and stalk one another. Therefore, requiring people to use their real names online should decrease stalking and bullying and generally raise the level of discourse.
The problem with the civility argument is that it doesn’t tell the whole story. Not only is uncivil discourse alive and well in venues with real name policies (such as Facebook), the argument willfully ignores the many voices that are silenced in the name of shutting up trolls: activists living under authoritarian regimes, whistleblowers, victims of violence, abuse, and harassment, and anyone with an unpopular or dissenting point of view that can legitimately expect to be imprisoned, beat-up, or harassed for speaking out.
As a private company, Facebook is free to set its own policies. Facebook can and does choose real names over free speech and diversity of users –- that’s where the money is. If you don’t like Facebook’s rules, you can just go elsewhere, right? Now Randi Zuckerberg is advocating an Internet in which there is nowhere else to go. An Internet in which everyone has to use their real name is not necessarily going to be any more polite, but it is guaranteed to be a disaster for freedom of expression. Let’s not go there.
Opposition to India's New Intermediary Liability Regulations
The world’s largest democracy has been known to censor online content from time to time, typically under the guise of national security or obscenity. The Indian Computer Emergency Response Team is tasked with issuing blocking orders, while Section 144 of the Code of Criminal Procedure allows police commissioners to identify and order the blocking of material that contains a threat or nuisance to society.
As we noted on June 10, a new regulation [pdf] set to take effect soon prohibits intermediaries--such as content hosts and service providers--from hosting a slew of content, including: blasphemous or defamatory content, content which invades another’s privacy, content that is ‘racially or ethnically objectionable’, content that ‘harms minors in any way,’ and content that ‘infringes any patent, trademark, copyright or other proprietary rights.’
The directive also prohibits the hosting of content that "threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation."
Intermediaries must remove such content within 36 hours of being notified of a complaint, while those who refuse to adhere to the vague guidelines can be held liable. And cyber cafés--which drive the majority of Internet consumption in India and which are already heavily regulated and monitored--are included in the list of intermediaries and under the new rules would also be required to submit records of browsing activity to the government each month.
The rules are set to be approved by Parliament later this month, though according to the Washington Post, at least one official has suggested the government is open to changes in the regulations. Various groups, including India’s Centre for Internet and Society and the Cyber Cafe Association of India, have publicly objected to the policy as it currently stands.
China's censors can't keep up
According to a New York Timesreport, the recent train crash in China’s Zhejiang Province has sparked a flurry of free(er) expression on China’s weibos, Twitter-like microblogging services. While censors monitor weibos and remove content, their fast-paced nature makes it more difficult to control the influx of posts.
With official government orders for media groups not to report on the crash, the content on the various weibo platforms seems to only have increased. In a recent interview with On the Media Danwei.org founder Jeremy Goldkorn has stated that “so far, social media has beaten back government propaganda.”
New report on faith-based censorship
In a new report from the OpenNet Initiative, ‘faith-based Internet censorship’--the practice of controlling online information on the basis of religious principles--is analyzed across fifteen majority-Muslim countries. The report provides detailed analysis of the religious concepts, legal frameworks, and technical filtering that underlie the practice and looks at the various ways in which religion is used to justify the censorship of several content categories.
Though the degree of online censorship varies drastically between the fifteen countries highlighted in the paper, author Helmi Noman notes a unifying conundrum experienced by rights advocates in the various countries:
“Because proponents of faith-based censorship consider it a nonnegotiable divine policy, violators are labeled sinners rather than rights advocates, which leaves little room for democratic debate.”
Noman rightly points out that the absence of internationally accepted human rights frameworks in national laws presents difficulties for those fighting censorship in their countries.
–noun a fictitious name used by an author to conceal his or her identity; pen name.
There are myriad reasons why individuals may wish to use a name other than the one they were born with. They may be concerned about threats to their lives or livelihoods, or they may risk political or economic retribution. They may wish to prevent discrimination or they may use a name that’s easier to pronounce or spell in a given culture.
Online, the reasons multiply. Internet culture has long encouraged the use of "handles" or "user names," pseudonyms that may or may not be tied to a person’s offline identity. Longtime online inhabitants may have handles that have spanned over twenty years.
Pseudonymous speech has played a critical role throughout history as well. From the literary efforts of George Eliot and Mark Twain to the explicitly political advocacy of Publius in the Federalist Papers or Junius' letters to the Public Advertiser in 18th century London, people have contributed strongly to public debate under pseudonyms and continue to do so to this day.
A new debate around pseudonymity on online platforms has arisen as a result of the identification policy of Google+, which requires users to identify by "the name your friends, family, or co-workers usually call you". This policy is similar to that of Facebook’s which requires users to "provide their real names and information." Google’s policy has in a few short weeks attracted significant attention both within the community and outside of it, sparking debate as to whether a social platform should place limits on identity. A considerable number of Google+ users have already experienced account deactivation as a result of the policy, which Kirrily "Skud" Robert, a former Google employee kicked off the service for identifying as "Skud," has closely documented.
Those in favor of the use of "real names" on social platforms have presented a number of arguments: that real names improve user behavior and create a more civil environment; that real names help prevent against stalking and harassment by making it easier to go after offenders; that a policy requiring real names prevents law enforcement agents from “sneaking in” to the service to spy on users; that real names make users accountable for their actions.
While these arguments are not entirely without merit, they misframe the problem. It is not incumbent upon strict real-name policy advocates to show that policies insisting on the use of real names have an upside. It is incumbent upon them to demonstrate that these benefits outweigh some very serious drawbacks.
Consider, for example, Wael Ghonim, the now-famous Egyptian whose Facebook page, We Are All Khaled Said, inspired thousands to join in the January uprising. Though the page was created in the summer of 2010, not long after the death of Khaled Said at the hands of policemen, it wasn’t until later that year that it began to truly gain momentum. And yet, its presence in the protests almost didn’t happen: In November 2010, the page went down after its administrator (now known to have been Ghonim) was reported for using a pseudonym. While Facebook was able to offer a solution, allowing an "identified" person to step in for Ghonim, this case was largely exceptional, owing to Ghonim’s ability to connect to Facebook staff and solve the problem. Not everyone has these types of connections, and there’s no way of knowing how many people have fallen through the cracks, so to speak, because they were unaware of how to appeal an account deactivation. In Ghonim’s case, using his real name would have placed him under considerable risk. And while pseudonymity provides no guarantees, it makes it considerably more difficult for authorities to identify activists.
There are myriad reasons why an individual may feel safer identifying under a name other than their birth name. Teenagers who identify as members of the LGBT community, for example, are regularly harassed online and may prefer to identify online using a pseudonym. Individuals whose spouses or partners work for the government or are well known often wish to conceal aspects of their own lifestyle and may feel more comfortable operating under a different name online. Survivors of domestic abuse who need not to be found by their abusers may wish to alter their name in whole or in part. And anyone with unpopular or dissenting political opinions may choose not to risk their livelihood by identifying with a pseudonym.
As Supreme Court Justice John Paul Stevens put forth in deciding McIntyre v. Ohio Elections Comm’n 514 U.S. 334, 357 (1995),
"Anonymity is a shield from the tyranny of the majority. It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation—and their ideas from suppression—at the hand of an intolerant society. The right to remain anonymous may be abused when it shields fraudulent conduct. But political speech by its nature will sometimes have unpalatable consequences, and, in general, our society accords greater weight to the value of free speech than to the dangers of its misuse."
Just as using "real" names can have real consequences, mandating the use of "real" names can too, excluding from the conversation anyone who fears retribution for sharing their views. While one added value of requiring real names might be increased "civility" of the conversation, it is most certainly to the detriment of diversity.
The bloggers at Geek Feminism have compiled a wiki highlighting the people who are harmed by a real names policy, demonstrating the hundreds of potential reasons why an individual may use a name other than his or her own. Though many examples on the list demonstrate cases of at-risk individuals whose use of a pseudonym is for the purpose of safety, there are other important reasons that one may choose pseudonymity as well.
Take the example of Michael Anti, the Chinese journalist whose birth name is Jing Zhao. Anti was kicked off of Facebook in January of 2011, presumably after someone reported him for using a name other than the one with which he was born. Despite having used the pen name "Michael Anti" for almost a decade, in his writing for the New York Times and elsewhere, Facebook insisted on strict enforcement of its policy.
On Google+, similar examples have arisen, as have false positives, prompting Google+ to change some of its processes, including a shift from immediate account deactivation to offering users a warning and an opportunity to align their name with the policy.
Nevertheless, policies requiring "real" names are nearly impossible to enforce at scale, and as several examples have demonstrated, enforcement tends to be skewed against individuals who are well-known or have enemies, a result of community reporting mechanisms.
It is well within the rights of any company--Google, Facebook, or otherwise--to create policies as they see fit for their services. But it is shortsighted for these companies to suggest that "real name" policies create greater potential for civility, when they only do so at the expense of diversity and free expression. Indeed, a shift toward crafting policies requiring "real" names will have a chilling effect on online free expression.