EFF and other privacy and consumer groups like Privacy Rights Clearinghouse and Consumer Action have publicly responded to industry allegations that effective privacy regulations would harm the economy and innovation. A letter by sixteen trade groups—including the American Advertising Federation and the U.S. Chamber of Commerce—addressed to party heads of the U.S. Senate Committee on Commerce, Science, and Transportation, urged senators to ignore needed changes in privacy laws. The privacy coalition took issue with these claims, pointing to the very real privacy harms suffered by consumers online. Currently, most users are unaware of the pervasive nature of online tracking—and have no way to stop it. Helping consumers feel confident in their privacy will encourage innovation in the digital environment, spurring a robust online economy.
Americans’ privacy is under siege in the current online ecosystem. Companies with large troves of sensitive information have suffered data breaches left and right, putting consumers at risk of identity theft. Because much of what we do online is protected First Amendment activity—reading, speaking, writing, associating—we must expect significant government interest in that data as well. Yet users cannot easily block unwanted tracking programs—assuming they know about them in the first place. The letter that EFF signed onto explains the lack of proper privacy protection in current law, the innovative opportunities of pro-privacy technologies, and the importance of updating privacy law to address new trends in technology—supercookies and browser fingerprinting, location-based services, and behavioral tracking, to name a few.
For example, EFF has supported Do Not Track technologies and policies that would protect consumers from hidden third parties who track users. The proposed technology is simple: a machine-readable header that tells websites that you do not want to be tracked. On the policy end, EFF has supported a regulatory framework whereby companies respect a consumer's wishes not to be tracked by third-party sites. Do Not Track is a response to the failure of self-regulatory mechanisms to protect consumers from invasive tracking programs by third-party sites.
The pro-privacy letter to the Senate Committee says:
The industry groups that wrote to you hope that you will be satisfied with the status quo, that you will ignore the mounting evidence of identity theft and data breaches, and that you will simply allow things to continue as they have. We urge you to reject that view. We are firmly committed to innovation and economic growth and we share the enthusiasm that new technologies and new businesses generate. But it is clear that there must be stronger safeguards in place to protect the interests of consumers and Internet users. The self-regulatory 'notice and choice' approach has simply failed.
EFF would like to thank the contest entrants and the numerous team supporters for making our second annual DEF CON Getaway Contest a success! Together, we've surpassed last year's competition with a participant total of $7,542.04 for online rights defense — great work! This year, the battle for supremacy continued to the very end. Without further ado, here are this year's top contest fundraisers:
Grand Prize Winner: Team ISD Podcast!
Congratulations! You've won a standard suite at the Rio Hotel and Casino, two DEF CON 19 Human badges, two tickets to Vegas 2.0's (in)famous kickoff party theSummit, two badges for the ultra-exclusive Ninja Networks Party, two passes to the iSEC Partners party, AND an EFF Swag Super Pack!
Second Place Winner: Team ArtC!
Well done! Art will receive two DEF CON 19 Human badges, two tickets to the Vegas 2.0 Party, two passes to the iSEC Partners party, and an EFF Swag Super Pack!
Third Place Winner: Team Holy Handgrenades!
WOOT! HH will receive one DEF CON 19 Human badge, one ticket to the Vegas 2.0 Party, two passes to the iSEC Partners party, and an EFF Swag Super Pack!
And that's not all! We will award an exclusive EFF DEF CON 19 t-shirt to ALL fundraising captains who raised more than $300! This limited run of 325 shirts will only be available to DEF CON 19 Getaway Contest participants, and on site in Las Vegas this summer! Specially designed for DEF CON by Joe Alterio of the very creative charity, Robots & Monsters, this year's shirt plays with the plain text truth that encryption saves lives. All prize winners will be contacted via email.
Longtime readers will remember the WIPO Broadcasting Treaty, which EFF has opposed since 2004 because it would harm consumers, citizen journalists, the free flow of information on the Internet, and innovation. Since 2006, EFF and a broad coalition [PDF] of public interest groups, libraries, creative industry members, telecommunications and technology companies have been explaining how granting broadcasters and cablecasters the intellectual property rights envisaged by the draft Treaty would wreak havoc on the Internet community.
After much debate and little agreement about key aspects of the Treaty, such as its objectives, specific scope, and object of protection, negotiations stalled in 2007. But it now seems to have come back from the dead in a little-noticed but highly-coordinated effort to grant broadcasters exclusive, 50-year intellectual property rights over Internet transmissions. WIPO member states agreed on June 24 [PDF] to meet for two days before the next Copyright committee meeting in November specifically to try to reach agreement on a new treaty proposal, with the goal of asking WIPO member states in 2012 to schedule an intergovernmental Diplomatic Conference at which the revised Treaty could be adopted.
The renewed interest in the Broadcasting Treaty has been spurred both by complaints from incumbent broadcasting organizations, and a campaign from the WIPO Secretariat to conclude the Treaty after more than 12 years of negotiations with no consensus. The Secretariat commissioned three studies, organized several regional seminars, and in April held an informal consultation which led to the creation of a new document with "elements" for a treaty. Meanwhile South Africa submitted a new treaty proposal of its own, and sports broadcasters have been lobbying hard for a treaty at both the April and June meetings in Geneva. All of this was aimed at kick-starting the stalled negotiations and finalizing a Broadcasting Treaty. For now, it appears to have worked.
Why should we be worried about this? Broadcasters claim that a treaty is needed to protect against signal piracy, and that the Broadcasting Treaty is simply "updating" their rights for the digital age. But what's really at stake here is something more far-reaching. This Treaty will set the legal rules that will govern the distribution of information on the Internet. The current draft Treaty would grant exclusive, 50-year intellectual property rights to distributors of information that apply in parallel with copyright protections, even when transmitters have had no role in creating the content being transmitted. Although it's not entirely clear, the new South African proposal [PDF] and the "Non-Paper" [PDF] on elements for a new treaty also seem to contemplate intellectual property rights for broadcasters and cablecasters. This move raises the same set of public policy concerns brought up by the existing draft Treaty, which threatens to stifle innovation and the creative freedom of anyone working with audio or visual content in the Internet environment.
Granting broadcasters and cablecasters intellectual property rights that apply independently of copyright in the programs being broadcast, together with legally enforceable technological protection measures, raises concerns for access to public domain works. These measures would add complexity to copyright clearance regimes for creators of podcasts and documentary films, and interfere with consumers’ ability to make home recordings permitted under national copyright laws. Granting broadcasters and cablecasters exclusive rights to authorize retransmissions of broadcasts over the Internet will harm competition and innovation by allowing broadcasters and cablecasters to control the types of devices that can receive transmissions. It will also create new liability risks for Internet intermediaries that retransmit information on the Internet.
On top of the problems posed by the current draft Treaty, there’s now a move to expand the scope of the Treaty to webcasting. The recent South African proposal [PDF] and the new Non-Paper [PDF] both advocate the need to account for "technological developments" and propose a "technology-neutral" approach. This sounds innocuous, but should be understood in the context of the history of the WIPO negotiations. "Technology-neutral" is code for extending new rights to transmissions via the Internet. This is a brazen effort to re-open a long-standing agreement that the Treaty would only give rights to "traditional" broadcasters and cablecasters. Many countries objected to expanding the Treaty to Internet broadcasters because of the harm it could cause to other Internet communications. This move is also inconsistent with the 2007 mandate given by the WIPO General Assembly—to finalize a treaty for broadcasting "in the traditional sense."
The key issue here is the scope of the treaty. Broadcasters claim that they need a new treaty to deal with "signal piracy." No one disputes that signal piracy is a serious issue that needs to be addressed. The disagreement is how to address this problem in a way that does not cause significant harm to citizens’ freedom of expression, and all the other stakeholders in the Internet economy. No empirical evidence has been presented that demonstrates what exact harm is not already being addressed by the existing copyright regime and remedies in national laws, and why broadcasters need intellectual property rights to deal with signal theft.
We continue to believe the preferable model for addressing these issues is the narrower signal-based approach in the Brussels Satellite Convention. But broadcasters continue to push for intellectual property rights that would overlap with copyright. This would trigger unintended consequences for freedom of expression and stakeholders in the Internet economy at a time when the future of broadcasting is already unclear.
Giving broadcasters an unprecedented set of legal privileges is a sure-fire way to damage speech and innovation on the global Internet. If "signal piracy" is the concern, then a narrow, signal-focused approach is what is called for, not a global replication of the existing copyright regime.
With protests raging throughout the country, the Syrian government is responding with deadly force. Citizens seeking freedom are relying on digital tools to organize and communicate -- so much so that the government temporarily shut off Internet access. The parallels to the Iranian uprising in 2009 are striking, and they are not lost on the Obama Administration. In fact, President Obama explicitly linked the current Syrian situation with the Iranian uprisings of 2009, noting that “Syria has followed its Iranian ally” in violently responding to peaceful protests. “The image of a young woman dying in the streets is still seared in our memory,” he recalled, referring to the YouTube video of 26-year-old Neda Agha-Soltan dying from a gunshot wound in Tehran.
Yet while the U.S. Treasury Department formally recognized the need for personal communications tools in the case of Iran (and Sudan and Cuba) in March 2010, it remains silent about Syria. This must change.
In March 2010, the U.S. Treasury Department announced that it was amending its trade restrictions for Iran, Sudan, and Cuba to allow the export of "certain services and software incident to the exchange of personal communications over the Internet,” such as social networking, instant messenger, photo sharing, and e-mail products. EFF applauded this action, which cleared the way for American companies to distribute important free speech tools to individuals who would otherwise struggle to make their voices heard. However, even at that time EFF noted the continued ambiguity over regulations for other countries, including Syria. We encouraged the Obama administration to continue proactively reviewing export rules and to clear any ambiguity for Internet companies who want to offer their services in otherwise-restricted countries.
For Syria, the time for such clarification is now. Exports to Syria are controlled by the Export Administration Regulations (administered by the Commerce Department), the Syria Sanctions Regulations (administered by the Treasury Department), and the Syria Accountability Act (signed by President Bush in 2004). Among these regulations are complicated rules and exceptions for certain technologies, software, and information, and it is anything but clear how they all interact. In the midst of such complexity, and severe penalties for violations, who can blame companies for playing it conservative and restricting all Syrian users from their products?
And it seems that the companies are in fact being conservative. We have indications that Google Chrome and Earth and Code are not available in Syria, nor are some Microsoft downloads and iTunes with its access to podcasts from around the world, all due to concerns about U.S. government export restrictions. There are likely others.
In fact, there is reason to believe that U.S. law does permit web companies to make certain services available to Syrian citizens. First, the Treasury Department’s embargos for Syria specifically exempt from regulation “any postal, telegraphic, telephonic, or other personal communication that does not involve the transfer of anything of value.” Certainly instant messengers, e-mail programs, or social networks can be considered “personal communication.” Furthermore, the Export Administration Regulations specifically exempt the export of publicly available, mass market encryption software that is published for free and anonymous download.
More broadly, however, the 1988 Berman Amendment (specifically, these amendments added section 5(b)(4) to the Trading with the Enemy Act and section 1702(b)(2) to the International Emergency Economic Powers Act) strips the President of his power to “directly or indirectly” regulate the export of “information and informational materials” – a definition expanded by the 1994 Free Trade in Ideas Amendment to include all such materials “whether commercial or otherwise, regardless of format or medium of transmission.” Regrettably, and without any apparent basis for doing so, the Treasury Department has narrowly construed these amendments when implementing them in export regulations. For example, the Treasury Department continues to regulate export transactions related to the “substantive or artistic alteration or enhancement of informational materials” as well as the “provision of services to market, produce or co-produce, create or assist in the creation of information and informational materials.”
Yet even if there are ways to thread through the restrictions, the lack of clarity is plainly having an effect. And Syrians should not have to wait. The Obama Administration should proactively and definitively make clear that providing digital communications and information tools to citizens of otherwise-restricted countries like Syria is not only legal, but encouraged.
Such a declaration would fall in line with the administration’s recent statements regarding both Syria and broader Internet freedom, and would also be consistent with the Administration’s rationale for previously amending export controls for other countries. When the Treasury Department deregulated exports of Internet products to Iran, for example, it believed it would “foster and support the free flow of information – a basic human right – for all Iranians." The State Department also concluded that the free flow of information in Iran was “essential to the national interest of the United States.” The same should be true for Syrians and Syria.
Without the availability of U.S.-based digital communication and information tools, the video of the young Neda’s death would likely never have been shared at all. It’s time for the Obama administration to make clear to the people of Syria, and of other repressive regimes around the world, that the U.S. government will not block their access to the digital communication and information tools they need to help them build a more free society.
Special thanks to EFF intern Jarred Taylor for assisting with legal analysis.
Jobseekers be wary: the hard-won privacy rights granted to you by federal and state law might not follow you into the digital space.
For forty years, individuals in the United States applying for jobs have held certain protections under the Fair Credit Reporting Act (FCRA). For example, in many circumstances a consumer who is rejected from a job due to information in an employment background check can review the information in that report and petition to have any inaccuracies corrected.1 These rights are often supplemented by stronger state-level consumer protections, such as California’s Civil Code 1786 which allows a consumer access to her background check report even if she isn’t rejected from the position for which she applied. But as employment background checks move into the digital world—via websites such as Background Record Finder or mobile apps like the recently-released BeenVerified app—will jobseekers be able to maintain their protections?
There are dozens of websites that offer online background checks (Privacy Rights Clearinghouse’s Online Information Brokers list indexes several of them). These services cast a wide net over a consumer’s digital data—gathering up facts from court records, criminal records, driving history, voter registration, and sometimes even elements of one’s credit history. Increasingly, these services are also culling information from the social net—an individual’s Facebook profile, Flickr photos, Twitter stream, and more.
BeenVerified, which offers free and low-cost background checks through a website and recently-released mobile app, has been heralded as a "great tool for small and medium businesses to be able to conduct free, or cost-effective background checks."
But could FCRA as written apply to BeenVerified? It’s uncertain, though there’s definitely the potential - especially if BeenVerified promotes itself as a background-checking service for employers the way Spokeo did. While also uncertain, it’s more likely that BeenVerified would be covered by more stringent consumer protection laws, such as California’s Civil Code 1786, which covers investigative reports done by an employer in-house (instead of using a third-party background checking company). Employers who use these services may risk violating FCRA and other consumer reporting laws.
But these digital background checking companies are using the oldest trick in the book to circumvent the law. They add a little line to their terms of service, such as BeenVerified’s terms, which state:
WE ARE NOT A CREDIT REPORTING AGENCY FOR PURPOSES OF THE FAIR CREDIT REPORTING ACT (“FCRA”). AS SUCH, THE ADDITIONAL PROTECTIONS AFFORDED TO CONSUMERS, AND OBLIGATIONS PLACED UPON CREDIT REPORTING AGENCIES, ARE NOT CONTEMPLATED BY, NOR CONTAINED WITHIN, THESE TERMS AND CONDITIONS.
By merely stating that they can’t be used in ways covered by FCRA (even though they provide services identical to what would be covered by FCRA), BeenVerified attempts to duck the responsibilities imposed upon it by state and federal consumer protection laws. Whether this truly excises any legal responsibility from the reporting service or the employer might be open to debate—and perhaps interpretation by the Federal Trade Commission.2
So where does that leave the consumer? Unless and until the FTC or Congress decides to get involved in the debate, jobseekers probably can’t look to the law to protect their rights in the digital world. For now, we need the market to start self-regulating. Companies like BeenVerified have an opportunity to voluntarily adopt practices that safeguard consumer rights and privacy. This should happen now, without waiting however many years it may take for policymakers and the FTC to decide how they want to handle mobile employment background checks.
Voluntary best practices for online and mobile background checking services should strike a balance between consumer rights and feasibility. The eight OECD Fair Information Practices can provide guidance to these companies as they work to establish policies that safeguard consumer rights in the digital world. But there are a few common-sense, basic privacy safeguards these online and mobile background checking companies should implement right now:
Allow individuals to look up their own records at no cost and provide a way to correct inaccuracies, in the same way a consumer can correct inaccuracies in a credit report.
Allow individuals to suppress access to certain sensitive data sets—including current address and phone number—if they have a clear need for address confidentiality. This could include current and former law enforcement officers, public defenders, and judges as well as those enrolled in state address confidentiality programs, like victims of stalking and domestic violence.
Indicate the original source of any data, so that individuals who discover inaccuracies can also correct the inaccuracies at the source.
Ensure that data that has been restricted or suppressed is permanently suppressed—so that it does not repopulate the next time the data set is refreshed.
This is merely a start; there are a range of other ways companies like BeenVerified can voluntarily improve consumer rights, improve the accuracy of their data sets, and educate employers about the laws surrounding background checks.
We urge BeenVerified and others in that industry to consider the ramifications to individuals and take steps to safeguard the long-held consumer rights, even if for now it is unclear whether FCRA and similar laws will be enforced on these services. The power of the Internet and new technologies to make information more accessible is no excuse for disregarding the privacy rights of individuals.
1. This is only one of the consumer rights under FCRA, and there are a number of important exceptions to these rights that should be understood. Visit Privacy Rights Clearinghouse to learn more about FCRA and background checks. Note that a consumer can also obtain a copy of her consumer report annually from consumer reporting agencies.
2. The FTC does not have rulemaking authority when it comes to FCRA, so they may be reluctant to take on employers’ use of online data brokers.
EFF has called on companies to stand with their users when the government comes looking for data. (If you haven’t done so, sign the petition urging companies to provide better transparency and privacy.) This article will provide a more detailed look at the last of the four elements required for a company to earn a gold star in our campaign: Fight for user privacy in Congress.
In prior blog posts about the "Who Has Your Back?" campaign, we've explained that companies largely rely on internal policies when the government comes seeking data about users. If those policies are weak, murky, or left unshared, we as users are prevented from making informed decisions about the privacy risks we face.
But we shouldn't be dependent on company policies to protect our privacy. The law should protect it too, even as technologies change. And the companies that hold our data should stand with users in making the necessary legal updates. That's why the "Who Has Your Back?" campaign urges companies to take steps like joining in the effort towards lasting, permanent improvements — an industry-wide raising of the bar for user privacy — by joining the Digital Due Process coalition (DDP). Members of DDP are working to set legal standards that uphold due process, privacy, and law enforcement effectiveness — like requiring search warrants from the government when it seeks private communications and information, and requiring the government to prove to a court that the data being requested is relevant to actual, authorized law enforcement action.
More specifically, the companies and advocacy organizations essentially agree that the outdated Electronic Communications Privacy Act (ECPA) needs to be simplified, updated, and unified by Congress to reestablish meaningful rules of the road when it comes to government requests for user/customer data from a company. To that end, the coalition has been successful so far: Senator Leahy has already introduced S. 1011, an ECPA reform bill that's the first step in the process of baking stronger and clearer privacy protections into the law.
Having these standards made into law will go a long way in clarifying what a company's obligations are when the government comes knocking in search of user data. Ambiguity in the existing law is one challenge faced by companies struggling to develop privacy and transparency commitments that benefit users and increase trust. That's why standing up for your privacy in Congress—with actions like joining the Digital Due Process coalition, as Amazon, AT&T, Facebook, Google, and Microsoft have—is a gold-star move.
Eleven teams, comprised of the Bay Area's sharpest legal minds from law firms, universities and technology companies, faced off last Tuesday at EFF's annual pub quiz trivia night. At stake: the coveted EFF Pub Quiz Cup and a year's worth of bragging rights. The competition was fierce, with each team diving deep into their brains for the most trivial details in cases and statutes. Seven rounds later, the winners emerged:
EFF’s Cyberlaw Pub Trivia Night is an important opportunity for us to thank our friends in the legal community who help protect online freedom in the courts. Among the many firms that dedicate their time, talent and resources to the cause, we would especially like to thank Winston & Strawn LLP, Fenwick & West LLP and Howard Rice for sponsoring this year’s Trivia Night. Special thanks to Yelp for providing some sweet swag as prizes for the winning team.
Test Your Internet Law Expertise
You too can play along at home. If you read the EFF blog regularly or recently aced EFF’s Know Your Rights Quiz, you may be feeling pretty confident about your knowledge of Internet law. But could you answer seven rounds of questions like these? Courtesy of EFF’s 4th Annual Cyberlaw Pub Trivia Night:
1. The first federal published opinion to use the word “Internet” was U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991). Morris was accused of...
a) Obscenity for a pornography BBS
b) Computer crime for releasing a worm
c) Illegally exporting cryptography
d) Taking unlawful sports bets by email
2. In 1952, the Supreme Court decided U.S. v. Reynolds, establishing the state secrets privilege. When the underlying information was declassified in 2000, it turned out no state secrets were actually involved. The case involved the:
a) Crash of a B-29 Superfortress
b) Recovery of a weather balloon that landed in the general vicinity of Roswell, New Mexico
c) Negligence at the White Sands Proving Ground
d) Contracts for supplies for the Bay of Pigs invasion
4. Nintendo gave its attorney John Kirby a sailboat named the Donkey Kong, along with "exclusive worldwide rights to use the name for sailboats," to commemorate his defense win over the plaintiff’s trademark. Name the plaintiffs’ trademark.
At the Pub Quiz, the answers were graded by EFF's crack team of legal experts. Here, you'll have to grade yourself. Answers to today's quiz below.
Congress is considering a bill that would federalize E-Verify, creating a single, government-controlled database of highly sensitive, detailed information about every legal worker in the United States. EFF joined the ACLU, the National Center for Transgender Equality, the Liberty Coalition, and dozens of other civil liberties and labor groups in urging Congress to uphold worker privacy and reject the Legal Workforce Act.
The Legal Workforce Act (H.R. 2164) would require all employers to use an Internet-based program called E-Verify to check every worker against an error-prone database. In letters sent to both houses of Congress, the coalition of advocacy groups decried the implementation of a nationwide system that could lead to downstream abuses by intelligence and law enforcement groups. The proposed bill could create a bureaucratic nightmare for American businesses while trampling on the privacy rights of workers.
The civil liberties groups raised particular concerns over identity theft. The Chronology of Data Breaches—a review of all public, sensitive records exposed through data breaches in the U.S.—lists over 534 million records since 2005, showcasing how prone large databases are to breaches of all sorts. And these data breaches have real repercussions—increasing the likelihood of identity theft by up to four times, according to a 2009 Javelin Research & Strategy study. The E-Verify proposal would make a database that includes information on every legal United States worker, creating an enticement to malicious hackers and an enormous risk of unintended disclosure.
EFF and the other advocacy groups wrote:
We believe the risks to individual privacy are too great and the likely benefits are too small to justify inserting the federal government into every hiring decision made by every employer across the country... A nationwide mandatory E-Verify system would be one of the largest and most widely accessible databases of private information ever created in the U.S. Its size and openness would present an irresistible target for identity thieves. Additionally, because the system would cover everyone eligible to work in the United States, it could quickly expand to a host of other uses for the intelligence community, law enforcement, and corporate America.
EFF also raised concerns about a pilot biometric authentication program proposed by the bill. This program would allow any employer to fingerprint all employees and would create private sector “enrollment providers”. These providers would combine biometrics, information from employers, commercial databases, and information from the Department of Homeland Security and Social Security Administration—all for the purpose of identity verification. Such a card would exacerbate the existing problems with E-Verify by adding additional sensitive information and allowing it to be kept in the hands of private companies.