EFF joins millions around the world in mourning the passing of Steve Jobs. Steve was an extraordinary innovator who changed how we think about, develop, use, and experience new technologies, music, and ideas. While we've sometimes found ourselves frustrated with some of Apple's business strategies, we here at EFF have always had tremendous respect for Steve's creative genius and commitment to making products that were powerful, accessible, and elegant. His imagination and vision changed the world. He will be missed.
The European Parliament today formally recognized what has become increasingly clear: some European tech companies have been selling to repressive governments the tools used to surveil democracy activists. In response, it passed a resolution to bar overseas sales of systems that monitor phone calls and text messages, or provide targeted Internet surveillance, if they are used to violate democratic principles, human rights or freedom of speech.
According to Bloomberg, the decision came after a Bloomberg report in August that "a monitoring system sold and maintained by European companies had generated text-message transcripts used in the interrogation of a human-rights activist tortured in Bahrain." The legislation reportedly leaves enforcement to the EU’s 27 member nations.
But European companies aren't the only ones. Recently Narus, a Boeing subsidiary based in Silicon Valley, was revealed to have sold to Egypt sophisticated equipment used for surveillance. (Note: EFF watchers will recognize Narus as one of the companies whose equipment is in the AT&T “secret room” used to help the NSA conduct warrantless surveillance in the U.S. at the heart of our Jewel and Hepting cases.)
And it's not just a problem in the Middle East. Cisco Systems is facing litigation in both Maryland and California based on their sales of surveillance equipment used by China to allegedly track, monitor and otherwise facilitate the arrest, detention or disappearance of human rights activists and religious minorities who have been subjected to gross human rights violations.
Despite the “head in the sand” approach of some tech companies, this concern is real and is not going away. Members of the U.S. Congress, such as Republican Representatives Chris Smith and Mary Bono and Democratic Senator Richard Durbin, are also watching closely.
It’s time for tech companies to step up and ensure that they aren’t wittingly or unwittingly assisting in the commission of gross human rights violations. While there may be many ways to accomplish this, a simple step would be for companies to voluntarily adopt a robust "know your customer" approach. First, companies selling these specialized surveillance technologies to repressive foreign governments need to take affirmative steps to know who they are selling to and what the technology will be used for, especially when they are providing ongoing service or customization of the systems. The U.S. State Department already publishes annual human rights reports about countries around the world and other objective resources are readily available, including EFF. This wouldn't be much more of a burden than what these sophisticated companies already must do to comply with laws like the Foreign Corrupt Practices Act and the the U.S. export restrictions. Second, companies need to refrain from participating in transactions where there is either objective evidence or credible concerns that the technologies or services are being used, or will be used, to facilitate human rights violations.
We'll be writing more about this. But the message from the EU Parliament is clear: Tech companies need to stop participating in human rights abuses around the world by selling tools that repressive governments need to commit them. Tech companies need to stop serving as "repression's little helpers."
After months of work, and spurred by an initial report by Professor Ted Byfield of New School University's Parsons New School for Design, we’re happy to report a security vulnerability fix in a product called Safe•Connect.
While the immediate story is good, the underlying context should raise real concerns about the dangers inherent in the ongoing obsession of Congress and the content industry with pressuring intermediaries, especially universities, to use their status as network operators to require individuals to install monitoring software like Safe•Connect on their computers in order to appease the content industry. As Stewart Baker, then the Department of Homeland Security’s policy czar warned during a similar incident involving the Sony Rootkit: "It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days."
Network administrators have been interested for years in software meant to enforce rules on other people's computers connected to a network – a technology called Network Access Control (NAC). NAC software runs as an agent on behalf of the network administrator, reporting back information about how the computer is configured, examining its security policies, and, in some cases, making changes. We might describe such software as spyware that network operators ask users to install on their computers, although the Safe•Connect system does not appear to be configured to report back on the content a user stores on his or her computer. Why do network operators want this power? There are many possible reasons, but, most often, it's aimed at making sure the network users have taken security precautions and applied software updates that the network operator considers necessary. Such enforcement software sometimes requires administrative privileges on the users' computers, and in any case its use raises serious questions about computer users' autonomy and right to control and make decisions about their own computers.
In an academic environment, the use of this software on non-university-owned computers — like the personal machines owned by students, teachers and campus visitors — is sometimes controversial. Although it might be used largely in users' own interest, especially when it helps remind less-sophisticated users to apply software upgrades they might otherwise neglect, it can also introduce security and privacy threats of its own. At a minimum, schools should examine this type of software skeptically and should give sophisticated users a way to opt out of installing it. Unfortunately, one source of pressure overshadowing universities' decision-making in this area lately has been Congressional attention to copyright enforcement.
While the RIAA has abandoned its ineffective litigation campaigns, it and the MPAA have increased their efforts to lobby Congress, pressure intermediaries, and lobby Congress to pressure intermediaries to take ever more draconian steps to try to stop copyright infringement. In particular, colleges and universities have always been popular targets for both Big Content and Congress. In addition to threatening letters, ill-advised lawsuits, and propaganda campaigns, anti-P2P zealots have embraced technological “solutions” such as Audible Magic’s CopySense. EFF’s technologists believe these technologies are fundamentally flawed: they are expensive, easily circumvented, and ultimately ineffective. However, the drumbeat coming from Congress may be deterring some universities from looking critically at these technologies, instead encouraging them to adopt quick fixes.
Safe•Connect Security Vulnerability
Enter Safe•Connect, a product developed by Impulse Point, LLC. Safe•Connect is one of a breed of NAC products, designed to keep private networks, particularly college and university networks, “clean.” Impulse Point markets Safe•Connect as capable of enforcing compliance with security policies set by the school’s network administrators. In addition to keeping students’, teachers’ and campus visitors’ anti-virus software updated and their operating systems patched (security measures that users might be neglecting), the technology is marketed, and in some cases used by schools, to prevent those on campus from running certain peer-to-peer software over the school’s network resources. In other cases, the technology “warns” those on campus who are running P2P software, making sure they know that Big Brother is watching.
It was New School University’s requirement that students and faculty install Safe•Connect on their own computers that led Professor Byfield, a professor of Art, Media and Technology, to raise his initial concerns. Starting with Professor Byfield’s work, and especially curious about Impulse Point’s claimed ability to notify users about and block peer-to-peer systems, EFF and researchers at the University of Michigan started investigating. We obtained a copy of the Policy Key, the application from Safe•Connect that universities require each student, faculty or visitor to install on her personal computer before she is allowed access to the Internet over the university network. After a bit of reverse engineering, the researchers found that an older but widely-distributed version of the Policy Key would accept purported “updates” from a local server with no authentication. So a knowledgeable attacker, even on a non-university network, could pretend to be this server and substitute malicious software of their choice, disguised as Policy Key updates. That means users who ran this version of the Policy Key on their systems could be vulnerable to attacks from strangers even after leaving the universities that originally asked them to install it. This goes to show that asking people to install software just to be allowed onto a network can come with its own set of security risks, since bugs in that software constitute new ways onto users' machines. (The MacOS X Policy Key version also ran as root with improperly-set file permissions, which would let any other software on a MacOS system with the Policy Key installed gain administrative privileges and take over the system.)
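As an added illustration, not Impulse Point's code and not a description of how their actual fix works, the Go sketch below contrasts an agent that installs whatever the update server sends (the weakness described above) with one that ships the vendor's Ed25519 public key and verifies each update before touching it. The Update type, function names, payloads and version numbers are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the message a hypothetical policy agent receives from an update server:
// the version offered, the payload it is asked to install, and (in the hardened
// design) a signature the vendor produced offline. Field names are constructed here.
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte // Ed25519 over signingInput(Version, Payload); absent in the flawed design
}

// signingInput binds the version number to a hash of the payload, so an attacker
// cannot pair a genuine signature with a different payload or a different version.
func signingInput(version uint32, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	buf := make([]byte, 4, 4+len(sum))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, sum[:]...)
}

// SignUpdate runs at the vendor, never on the client; the private key stays with the publisher.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{Version: version, Payload: payload, Signature: ed25519.Sign(priv, signingInput(version, payload))}
}

// acceptUnauthenticated models the weakness described above: whatever answers as the
// update server is believed, so impersonating that server is enough to choose the payload.
func acceptUnauthenticated(u Update, installed uint32) bool {
	return u.Version > installed
}

// acceptAuthenticated is the hardened check: the agent carries the vendor's public key,
// verifies the signature before doing anything with the payload, and refuses rollbacks.
func acceptAuthenticated(pub ed25519.PublicKey, u Update, installed uint32) (bool, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return false, errors.New("update is unsigned or malformed")
	}
	if !ed25519.Verify(pub, signingInput(u.Version, u.Payload), u.Signature) {
		return false, errors.New("signature does not verify against the vendor key")
	}
	if u.Version <= installed {
		return false, errors.New("refusing downgrade or replay of an already-installed version")
	}
	return true, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, 2, []byte("constructed genuine update payload"))
	rogue := Update{Version: 2, Payload: []byte("constructed payload from an impersonated server")}
	fmt.Println("flawed agent accepts rogue update:", acceptUnauthenticated(rogue, 1)) // true
	ok, err := acceptAuthenticated(pub, rogue, 1)
	fmt.Println("hardened agent accepts rogue update:", ok, err) // false, "update is unsigned or malformed"
	ok, err = acceptAuthenticated(pub, genuine, 1)
	fmt.Println("hardened agent accepts genuine update:", ok, err) // true, <nil>
}
```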
Concerned about the thousands of students, faculty and campus visitors who—whether in the name of network security or intellectual property protection—were required to install and run vulnerable software, EFF and the researchers contacted Impulse Point. To their credit, the Safe•Connect developers responded promptly. They pointed out that the vulnerabilities had already been fixed in newer versions for returning students and staff, and they then delivered the security patch to their university and other customers for users still running past versions of the software on those networks. Impulse Point has also committed to implementing a plan to address those (such as graduating seniors, staff who have left and campus visitors) who were not otherwise likely to get automatic updates.
Bullet Dodged, But Underlying Problems Remain
Overall, we were pleased with Impulse Point’s openness, willingness to respond, and the speed with which they responded to us. It was a refreshing change from the hostility with which some technology companies respond to security vulnerabilities. We also have no reason to believe any of the identified vulnerabilities were ever exploited in the wild.
But the underlying problem remains: Big Content’s relentless crusade against P2P technology has unintended consequences. Just as the RIAA’s lawsuits embroiled a number of innocent people in expensive litigation and Congress’ DMCA takedown procedures often chill speech protected by fair use, these technological “solutions” can cause collateral damage. The pressure to require students, professors and campus visitors to install and run software on their computers as a way to “protect” the content industry is wrong, and can be dangerous. Even in the context of protecting network security, requiring everyone on campus to run programs that either run as root or can be adapted or manipulated from afar is troubling, but as a quixotic attempt to deter copyright infringement, it definitely goes too far.
A Virginia district court is the latest to call out a copyright troll for using a business model designed to be little more than a shakedown operation to extract quick and easy settlements from hundreds of thousands of John Doe defendants. Judge Gibney says it far better than we could:
The Court currently has three similar cases before it, all brought by the same attorney. The suits are virtually identical in their terms, but filed on behalf of different film production companies. In all three, the plaintiffs sought, and the Court granted, expedited discovery allowing the plaintiffs to subpoena information from ISPs to identify the Doe defendants. According to some of the defendants, the plaintiffs then contacted the John Does, alerting them to this lawsuit and their potential liability. Some defendants have indicated that the plaintiff has contacted them directly with harassing telephone calls, demanding $2,900 in compensation to end the litigation. When any of the defendants have filed a motion to dismiss or sever themselves from the litigation, however, the plaintiffs have immediately voluntarily dismissed them as parties to prevent the defendants from bringing their motions before the Court for resolution.
This course of conduct indicates that the plaintiffs have used the offices of the Court as an inexpensive means to gain the Doe defendants' personal information and coerce payment from them. The plaintiffs seemingly have no interest in actually litigating the cases, but rather simply have used the Court and its subpoena powers to obtain sufficient information to shake down the John Does. Whenever the suggestion of a ruling on the merits of the claims appears on the horizon, the plaintiffs drop the John Doe threatening to litigate the matter in order to avoid the actual cost of litigation and an actual decision on the merits.
The plaintiffs' conduct in these cases indicates an improper purpose for the suits. In addition, the joinder of unrelated defendants does not seem to be warranted by existing law or a non-frivolous extension of existing law.
The Virginia court ordered the plaintiff to show why it should not be sanctioned for this behavior, and also ordered it to “immediately” notify the subpoena recipients (the ISPs) that the subpoenas have been quashed and all defendants but one severed from the case. Also of note, the court ordered the plaintiff to file (under seal), copies of all notices sent to all defendants. It’s unclear what, if anything, the court will do with that information, but we’re hopeful it will help notify the Doe Defendants that they’ve been severed from the suit.
The Eastern District of Virginia orders join a couple of other positive recent rulings. In Texas, repeat plaintiff’s lawyer Evan Stone was scolded by Judge McBryde for not “display[ing] the slightest degree of candor” by failing to disclose that he has:
filed at least sixteen lawsuits similar to the instant action in [another] division of this court, that each of those lawsuits was summarily dismissed, principally for improper joinder of the defendants, and that discovery of the kind, and under the conditions, sought by, and granted to, plaintiff in this action was inappropriate.
And in the Northern District of California, Magistrate Judge Grewal severed all but one of 5,041 Doe Defendants, stating that,
As the court has come to learn in yet another of the recent “mass copyright” cases, subscriber information appears to be only the first step in the much longer, much more intrusive investigation required to uncover the identity of each Doe Defendant. The reason is simple: an IP address exposed by a wireless router might be used by the subscriber paying for the address, but it might not. Roommates, housemates, neighbors, visitors, employees or others less welcome might also use the same address.
We applaud these judges for calling these cases what they really are – little more than a shakedown scheme – and for stopping plaintiffs from running roughshod over due process in order to extort settlements.
In 1986, Falco’s Rock Me Amadeus topped the charts, Madonna dedicated her hit single Papa Don’t Preach to Pope John Paul II, and a ruffle-clad David Bowie crooned along with funky Muppet goblins in Labyrinth. Meanwhile, although the World Wide Web didn’t even exist yet and cell phones were an expensive rarity, Congress was working on a new law to better protect our digital privacy by regulating when the government could access our private communications. That law, the Electronic Communications Privacy Act (ECPA), was signed on October 21, 1986.
After 25 years, ECPA is in dire need of an upgrade to reflect changing technology and ensure that the government can’t read our emails, track our cell phones, or watch where we go on the Web without first going to court and getting a search warrant. To help support the effort to reform ECPA, and in commemoration of the 25th anniversary of ECPA’s signing, EFF is joining Google, CDT, ACLU, CEI, TechFreedom, CCIA, and Americans for Tax Reform to throw the capital's most awesome party - Party Like It's 1986.
If you’re in Washington D.C., join us the evening of October 20th on Capitol Hill for an 80s-themed celebration of digital privacy: RSVP now!
Today, EFF joined nine human rights and digital freedom organizations from around the world in sending a letter to the government of Vietnam calling for the release of blogger and human rights defender Pham Minh Hoang.
Readers may remember Pham Minh Hoang from a blog post we wrote in August. Mr. Hoang is a university professor with dual French and Vietnamese citizenship who has been sentenced to three years in prison and an additional three years under house arrest, for trying to "overthrow the government." His crime was exercising a right held dear by much of the world: using the Internet to speak out. EFF, the Committee to Protect Journalists, ARTICLE 19, Reporters without Borders, and the other rights organizations are calling for the Vietnamese government to recognize Mr. Hoang's rights to free expression and release him.
Concerned individuals should send their own letters to Prime Minister Nguyen Tan Dung and the French Foreign Ministry, addresses below, to showcase the global outcry against this attack on online free speech.
October 4, 2011
Nguyen Tan Dung
Socialist Republic of Vietnam
Office of the State
1 Bach Thao
French Foreign Ministry
Ministere des Affaires etrangeres
37, Quai d’Orsay
Dear Prime Minister Nguyen Tan Dung,
We, international digital freedom and human rights organizations, call on the Government of Vietnam to release blogger, human rights defender, and lecturer Pham Minh Hoang.
Mr. Hoang, a dual French-Vietnamese citizen sentenced on August 10 to three years in prison and an additional three years house arrest, is a well-known blogger whose articles on education, the environment, and Vietnamese sovereignty in respect to China have been widely read. He is also a lecturer in applied mathematics at the Ho Chi Minh City Polytechnic Institute, an activist campaigning against bauxite mining by Chinese firms, and has participated in conferences on Vietnam’s sovereignty over the Paracel and Spratly Islands. Mr. Hoang has worked tirelessly to promote human rights and to empower and encourage civic participation among his pupils and peers.
At Mr. Hoang’s trial, Judge Vu Phi Long ruled that his writings had “blackened the image of the country” and were “aimed at overthrowing the people’s government.” Mr. Hoang, on the contrary, has claimed that he was exercising his free speech and was unaware that he had committed any crimes.
We would like to remind the Government of Vietnam that Mr. Hoang’s blogging activities, as well as his activism, are guaranteed by the Universal Declaration of Human Rights, the UN Declaration on Human Rights Defenders, and the International Covenant on Civil and Political Rights, to which Vietnam is a party, as well as by Articles 35, 50, 53, and 69 of the Vietnamese Constitution.
We call on Vietnamese authorities to recognize Mr. Hoang’s right to expression, and to lift any charges or convictions related to his protected expressive activities, and—with these charges lifted—to ensure his release.
ACAT-France (Action des chrétiens pour l'abolition de la torture - France)
Committee of Concerned Scientists
Committee to Protect Journalists
Electronic Frontier Foundation
Front Line Defenders
Index on Censorship
Reporters Without Borders
Scholars at Risk
Now that the FCC’s “Open Internet” net neutrality rules have been published in the Federal Register, opening the door to legal challenges, the lawsuits are piling on.
On Friday, Verizon appealed the order in the Washington, D.C., Court of Appeals, arguing that the FCC overstepped its authority in issuing its net neutrality order. Verizon had filed a related claim back in January shortly after the rules were first released, but the court held that suit prior to Federal Register publication was premature. MetroPCS at the time lost a similar challenge on this basis; it has yet to refile post-publication.
Earlier in the week, Free Press filed a petition in the First Circuit for review of the rules. However, Free Press argued that the order doesn’t go far enough, objecting foremost to the relaxed requirements for wireless as opposed to wireline providers. (We agree this distinction is unwarranted.) At least three other groups have also contended that the rules need to be strengthened, with challenges in the Third, Fourth and Ninth Circuits.
These are the same rules that EFF weighed in on when they were first issued by the FCC in December. While we wholeheartedly support net neutrality in principle, we were concerned on two fronts about the Commission’s efforts. We objected to the FCC’s alleged bases for jurisdiction, which would seem to give it more or less unbridled authority to regulate the Internet. We also objected to the substance of the rules, which are riddled with loopholes that would blunt their effect. These include exemptions to the no-blocking requirements for efforts “to address copyright infringement” (enabling traffic discrimination in the guise of protecting against unlawful content) and concessions for managed or special services, as well as the carve-outs for wireless operators. On the other hand, many noncommercial broadband Internet providers could be bound by the rules, discouraging public-minded Internet initiatives and innovation by imposing the burdens of FCC compliance.
The rules are due to go into effect November 20. But given past federal court rejection of similar FCC authority arguments and the legal challenges to date, we're not anticipating any quick resolutions.
Update: A Spanish translation of this post is available here.
Chilling Speech Through Violence
Bloggers in the Mexican border town of Nuevo Laredo are being terrorized by the Los Zetas drug cartel, which is trying to silence citizens who speak out against drug-related violence. On the morning of September 24th, police found the headless and mutilated body of a woman with a note referencing an alleged pseudonym, “La Nena de Laredo” (“Laredo Girl”), which she had used to post on Nuevo Laredo en Vivo ("Nuevo Laredo Live"). The woman, who has been identified in some reports as Maria Macias and in others as Marisol Marcias Castaneda, was reportedly an administrative manager at the Prima Hoy newspaper, and also moderated a chat room on Nuevo Laredo en Vivo.
The murder of "La Nena de Laredo" is the second such incident in the border town in as many weeks. On September 14th, police found two bodies hanging from a pedestrian bridge. Signs hanging near the bodies indicated that the still-unidentified man and woman had been killed in retaliation for denouncing the cartel’s activities on a social network. Because the bodies remain unidentified, it is impossible to confirm that the victims really did post to the social networking site, but the message to would-be bloggers, citizen journalists, and whistleblowers is loud and clear.
Throughout Mexico, traditional media outlets are no strangers to threats, kidnappings, and violence against journalists; such threats have often had the effect of forcing journalists to refrain from coverage of violence stemming from the drug trade. In some parts of Mexico, websites such as Blog del Narco and Frontera al Rojo Vivo and social media sites such as Facebook and Twitter are able to provide news about drug-related violence that is not being covered in local newspapers or on television. Posters sometimes use nicknames or pseudonyms to protect their identities, but the murder of "La Nena de Laredo" suggests that such measures are insufficient.
Pseudonyms, Tor, and HTTPS
EFF recommends that bloggers who are concerned about their security and safety should post under a pseudonym, use Tor to prevent eavesdroppers from seeing the sites they visit and prevent websites from collecting data that might reveal their physical location, and use HTTPS to encrypt their private communications when possible.
Some social media sites, such as Facebook and Google Plus, have policies that forbid the use of pseudonyms. These policies do not prevent users from making pseudonymous accounts, but they leave users vulnerable to account suspension. Both Facebook and Google Plus will suspend accounts if other users report them as pseudonymous or fake; it only takes a trivial effort by malicious parties to silence the opposition or quash dissent. Google Plus has instituted a grace period before suspension takes effect, which gives users the opportunity to export their data, but Google may not always apply its grace period consistently. Pseudonymous Facebook users may find themselves suspended without warning and without the opportunity to export their content or social graphs. Twitter, on the other hand, allows pseudonyms.
The good news is that Facebook, Twitter, and Google Plus all support HTTPS. To be sure that your connection to these services is encrypted at all times, EFF suggests using the HTTPS Everywhere extension for the Firefox browser. Note that some third-party applications on Facebook can cause an encrypted connection to "break."
Many of the local forums and social networking sites that ordinary Mexicans use to exchange news about drug cartel violence offer limited support for HTTPS or do not support it at all. Users should be circumspect about posting to these sites, keeping in mind that their chat room conversations and login credentials may be intercepted and read. Administrators of such websites can help to protect their users by taking the following steps:
Support the use of pseudonyms in forums and chat rooms.
Encourage users to download the Tor browser bundle and use Tor when viewing or posting to your site.
Minimize logging. Do not log the IP addresses of visitors to your site.
Support HTTPS throughout your site.
Configure your site to use HTTPS by default.
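One way a site operator could carry out the last three steps in the site's own front end, as an added example that is not part of the original post: a Go HTTP front end in which the plain-HTTP listener does nothing but redirect to HTTPS, the HTTPS side sends HSTS, and the access log deliberately omits visitor addresses. Hostnames, the certificate file names and the handler names are placeholders chosen for this example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
)

// redirectToHTTPS is the only thing the plain-HTTP listener serves (step: HTTPS by
// default). Forum content is never sent in the clear; every request is sent to the
// same path on the HTTPS site.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if i := strings.IndexByte(host, ':'); i >= 0 { // drop any explicit port
		host = host[:i]
	}
	http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// statusWriter captures the response status so it can be logged.
type statusWriter struct {
	http.ResponseWriter
	status int
}

func (s *statusWriter) WriteHeader(code int) {
	s.status = code
	s.ResponseWriter.WriteHeader(code)
}

// privacyLog writes an access log that records method, path and status only.
// It never touches r.RemoteAddr or X-Forwarded-For (step: do not log visitor IPs),
// so a seized or leaked log cannot tie a post to a connection.
func privacyLog(logger *log.Logger, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sw := &statusWriter{ResponseWriter: w, status: http.StatusOK}
		next.ServeHTTP(sw, r)
		logger.Printf("%s %s %d", r.Method, r.URL.Path, sw.status)
	})
}

// secureHeaders adds HSTS so that returning browsers refuse to downgrade to HTTP
// (step: support HTTPS throughout your site).
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// forumHandler stands in for the real forum or chat application.
func forumHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "forum placeholder")
}

// NewForumHandler assembles the handler chain served on the HTTPS listener.
func NewForumHandler(logger *log.Logger) http.Handler {
	return privacyLog(logger, secureHeaders(http.HandlerFunc(forumHandler)))
}

func main() {
	logger := log.New(os.Stdout, "", log.LstdFlags)
	go func() {
		log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS)))
	}()
	// cert.pem and key.pem are placeholders for the site's real certificate and key.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", NewForumHandler(logger)))
}
```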
It is unclear what level of technological sophistication the drug cartels have brought to bear against social media users at this time, but it is clear that the cartels have access to considerable resources.
Twitter Rumors Prompt Legislation
In the meantime, Mexican politicians are facing criticism for going after rumors of violence instead of pursuing the real thing. In August, Gilberto Martinez Vera and Maria de Jesus Bravo Pagola were arrested in the state of Veracruz after they used Twitter to spread rumors of kidnappings and shootings at a local school. The charges against them included terrorism and sabotage, crimes that carry penalties of up to 30 years in jail. The arrest prompted widespread protests from civil liberties and human rights groups, who pointed out that the charges were vastly disproportionate to the alleged crime. The two were eventually released and the charges dropped, but not before Veracruz passed legislation creating a new offense of “Public Disturbance,” carrying a prison sentence of 1 to 4 years and a fine. Because the addition to the penal code was made after the incident had already taken place, Vera and Pagola cannot be charged with the new crime. The state of Tabasco has passed a similar law, mandating up to two years in jail for provoking “chaos or social insecurity” through telephone calls or online postings.
For now, individuals in Mexico using online platforms to criticize, satirize, or shed light on drug cartel violence are facing grave threats. EFF will continue to watch these developing threats to online freedom of expression in Mexico, encourage sites to take steps to protect the privacy and security of their users, and help users take steps to protect themselves.