Think you know what to do when law enforcement seeks access to your digital device? Test your skills with our online quiz. Then brush up on your knowledge with our Know Your Rights whitepaper.
We also highly recommend you print our one-page guide explaining what to do when the police ask for access to your device. Leave it by your workstation, tape it up in your server room, and slip a copy into your laptop case—anywhere you have sensitive information on a digital device.
The patent reform legislation that continues to snake its way through Congress makes one thing clear: many in Washington don’t like business method patents any more than we do. (Business method patents cover merely a "method" or "process," as opposed to something tangible.)
Now that the House and Senate have each passed their own version of the bill, the two will need to be reconciled. The big issue standing in the way is fee diversion: whether the Patent Office can keep the additional fees it brings in that exceed its budget (Senate bill), or whether Congress can use that money to fund other government programs (House bill).
Issues like fee diversion and the shift from first-to-invent to first-to-file continue to get the lion’s share of the press, but there are some smaller provisions that caught our eyes. For example, both bills include a provision that would allow banks and other financial institutions to more easily challenge business method patents when those patents are asserted against them in litigation. And both the House and Senate bills would prohibit patents covering “any strategy for reducing, avoiding, or deferring tax liability,” which are currently considered patentable business methods.
While many decry reforms like these – especially the one relating to banks – as nothing more than Washington, D.C., political game-playing and Wall Street favors, each in its own right highlights the larger problem with business method patents: instead of spurring innovation (as the patent system is intended to do), they often harm businesses by imposing additional costs (in the form of licenses or litigation), which in turn harms the consumer, as well as the economy at large. So instead of blaming Congress, we applaud any effort to limit business method patents (something the Supreme Court failed to do in Bilski) – and just wish the legislation went further in curbing the often harmful business method patents.
In case you missed it, Spotify's long-awaited U.S. launch is here. Spotify now joins the ranks of services like Rhapsody, Rdio, and Mog that allow users (for a fee) to stream unlimited music from multiple devices, make and keep playlists, and store music on mobile devices.
This is good news for music fans. Spotify has already proven successful in Europe, and, unlike its current U.S. competitors, provides a free, ad-based service where users can access a certain amount of music each month (after that, users can pay for unlimited songs and to have access on their mobile devices). This is just the type of product the record labels have failed time and again to offer their fans: convenient access to different amounts of music, to be consumed in different ways, at different and relevant price points. Instead of being forced to buy full-length CDs at $15.99, fans can now make their own decision about how much they value music and how much of it they want. Of course, the record labels could have launched a service like this years ago. Instead of innovating, they famously sued their fans (and reportedly fought Spotify's U.S. entry) and are now left watching revenue go to others, despite their oft-repeated claims that they could not “compete with free.” Yet, multiple streaming services, music lockers, and others have found a way.
While we are glad to see more choices for music fans – and hopefully more ways for artists to be paid – we still have some major concerns. Chief among them: users' rights to port their data. Because streaming customers do not own their music, they cannot take it with them. Should they decide to try another service (or if a service goes under), users should be able to easily export titles of songs in playlists they created or a list of favorite music, etc. Users should also be able to choose independent add-ons that make the service more valuable, such as alternative means of organizing their music "collections." Without this kind of functionality, users are going to be disappointed, and we are unlikely to see the real competition that helps drive innovation.
More robust network connections, the popularity of tablets and smartphones, and the hype surrounding Spotify lead us to believe that streaming music's time may have come. But if users lose access to the work they’ve invested in searching through music catalogues, setting up playlists and favorites, and otherwise managing their music-listening habits, downloading music (legally or not) will still be a better alternative for many. We urge these new content companies to provide their users with tools such as convenient data portability, and to support interoperability. Then at last, we might be able to show the record labels that it is indeed quite possible to "compete with free."
Are you planning to be in Las Vegas during Black Hat, DEF CON, and BSidesLasVegas next month? EFF attorneys are available to provide legal information to security researchers about issues such as reverse engineering, vulnerability reporting, copyright, and free speech.
If you have concerns about security research you plan to present in Las Vegas, let us know by Friday, July 15. To set up a less time-sensitive appointment to speak with us at Black Hat, please contact us by Friday, July 22. If we can't assist you, we'll make every effort to put you in touch with an attorney who can.
Unlike some government initiatives, NGI has not been a secret program. The FBI brags about it on its website (describing NGI as “bigger, faster, and better”), and both DHS and FBI have, over the past 10+ years, slowly and carefully laid the groundwork for extensive data sharing and database interoperability through publicly-available privacy impact assessments and other records. However, the fact that NGI is not secret does not make it OK. Currently, the FBI and DHS have separate databases (called IAFIS and IDENT, respectively) that each have the capacity to store an extensive amount of information—including names, addresses, social security numbers, telephone numbers, e-mail addresses, fingerprints, booking photos, unique identifying numbers, gender, race, and date of birth. Within the last few years, DHS and FBI have made their data easily searchable between the agencies. However, both databases remained independent, and were only “unimodal,” meaning they only had one biometric means of identifying someone—usually a fingerprint.
In contrast, as CCR’s FOIA documents reveal, FBI’s NGI database will be populated with data from both FBI and DHS records. Further, NGI will be “multimodal.” This means NGI is designed to allow the collection and storage of the now-standard 10-print fingerprint scan in addition to iris scans, palm prints, and voice data. It is also designed to expand to include other biometric identifiers in the future. NGI will also allow much greater storage of photos, including crime scene security camera photos, and, with its facial recognition and sophisticated search capabilities, it will have the “increased ability to locate potentially related photos (and other records associated with the photos) that might not otherwise be discovered as quickly or efficiently, or might never be discovered at all.”
The FBI does not just collect and store data from people caught up in the criminal justice system; about 1/3 of the data collected and reviewed in IAFIS is from civil sources such as attorney bar applications, federal and state employees, and people who work with children or the elderly. In the past, the FBI has not allowed these records to include photos and has segregated civil records from criminal data. Civil records were also not included in bulk checks for criminal investigative purposes. NGI may take down these barriers, however. There is some evidence to show the FBI is considering including this data in future NGI database searches and, according to the CCR FOIA documents, has already begun to include civil records from DHS and State Department database files such as visa applications, immigration records, and border entries and exits.
So why should we be worried about a program like NGI, which the FBI argues will “reduce terrorist and criminal activities”? Well, the first reason is the sheer size of the database. Both DHS and FBI claim that their current biometrics databases (IDENT and IAFIS, respectively) are each the “largest biometric database in the world.” IAFIS contains 66 million criminal records and 25 million civil records, while IDENT has over 91 million individual fingerprint records.
Once these records are combined into one database and once that database becomes multimodal, as we discussed in our 2003 white paper on biometrics, there are several additional reasons for concern. Three of the biggest are the expanded linking and tracking capabilities associated with robust and standardized biometrics collection systems and the potential for data compromise.
Already, the National Institute of Standards and Technology, along with other standards-setting bodies, has developed standards for the exchange of biometric data. FBI, DHS and DoD’s current fingerprint databases are interoperable, indicating their systems have been designed (or re-designed) to read each other’s data. NGI will most certainly improve on this standardization. While this is good if you want to check to see if someone applying for a visa is a criminal, it has the potential to be very bad for society. Once data is standardized, it becomes much easier to use as a linking identifier, not just in interactions with the government but also across disparate databases and throughout society. This could mean that instead of being asked for your social security number the next time you apply for insurance, see your doctor, or fill out an apartment rental application, you could be asked for your thumbprint or your iris scan.
This is a big problem if your records are ever compromised because you can’t change your biometric information like you can a unique identifying number such as an SSN. And the many recent security breaches show that we can never fully protect against these kinds of data losses.
The third reason for concern is at the heart of much of our work at EFF. Once the collection of biometrics becomes standardized, it becomes much easier to locate and track someone across all aspects of their life. As we said in 2003, “EFF believes that perfect tracking is inimical to a free society. A society in which everyone's actions are tracked is not, in principle, free. It may be a livable society, but would not be our society.”
Unfortunately, biometric data collection is not limited to NGI or even to the legacy DHS, FBI and DoD fingerprint collection programs. The federal government and states have been steadily expanding their DNA collection efforts over the last 10 years as well. Currently all 50 states, the federal government and the District of Columbia collect and share DNA records through the FBI’s CODIS database. At least 15 of those states, as of 2010, collect DNA from defendants convicted of misdemeanor offenses. And as of 2009, under the federal DNA Fingerprint Act of 2005 and several recently-expanded state statutes, at least 21 states and the federal government collect DNA samples from any adult arrested for (not just convicted of) a crime. This has led to an exponential increase in the amount of DNA collected in the United States on an annual basis, with nearly 1.7 million samples processed (pdf, p. 8) in 2009 alone. As of 2011, the National DNA Index or NDIS (the federal level of CODIS) contains over 9,748,870 offender profiles, and the states’ individual databases are each expanding as well.
Currently, it doesn’t appear the FBI plans to incorporate the DNA data held by CODIS into NGI. However, NGI has been designed to be flexible and to be able to incorporate additional biometric identifiers as the need arises in the future. This means that we can’t rule anything out. FBI claims NGI “doesn’t threaten individual privacy,” but the government’s continuing efforts to collect, store and track the biometric data for so many Americans and foreigners cannot bode well for a society that values privacy.
This week saw two disappointing decisions by two major American companies, Microsoft and Cisco, that appear to be choosing to become little tech helpers to China's repressive regime rather than choosing to be a force for good. For Cisco, it's more of the same. For Microsoft, it's a disappointing turn.
China’s Internet censorship is perhaps the most pervasive and its filtering system most sophisticated. The Chinese government requires all companies operating there, whether Western or Chinese, to engage in an opaque self-censorship practice limiting access to any content that could potentially undermine state control, including but not at all limited to political content, information about minority groups, and a vast array of proxies and circumvention tools. Google’s 2006 entry into the country ended four years later when, following a series of cyberattacks originating from China, the search giant decided to stop self-censoring results, effectively ending their business there.
China also uses its technological systems to monitor and target individuals that the regime dislikes, most prominently democracy advocates and the "Falun Gong evil religion," a phrase that ended up in a Cisco presentation that surfaced in 2008.
Since Google yanked its search services from China in 2010, the market has been left entirely to Chinese companies, with Baidu dominating with 83 percent of the market share. This week, it was reported that Microsoft has struck a deal with Baidu to offer its Bing web search services in English. Like other online platforms that do business with China, Microsoft will be required to self-censor its search results.
Microsoft Bing currently offers search for a number of countries, including China. Interestingly, Bing's censored SafeSearch option, which can reasonably allow parents to limit their children's access to inappropriate material and other similar things but becomes unreasonable as a country-wide content censorship tool, is enforced for China, as well as for a number of other country-specific Bing instances, including India, Taiwan, and Singapore. The site also enforces SafeSearch for the Arabic-language version of its page, despite the fact that several of the more than twenty Arabic-speaking countries don’t censor the Internet at all.
Just as we applauded Google's decision to cease censorship in China, we have grave concerns about Microsoft’s choice to enter the Chinese market, as it inevitably will result in censorship of search results, and will prevent the Chinese people from accessing their full rights to freedom of expression, including their freedom to access information of interest and use to them. Microsoft should seriously consider whether it wants this role in the world.
As noted above, Cisco's actions have raised concerns about its role as the helper of Chinese oppression for a long time now. It previously came under fire and was the subject of congressional hearings in 2006 and 2008 after the surfacing of a PowerPoint presentation (see page 57) that indicated Cisco had helped create China’s “Great Firewall” and had specifically marketed it to China for use in targeting the religious minority Falun Gong. As a result of these slides and likely other information, Cisco faces two lawsuits that accuse the company of complicity in helping China censor the Internet and track down members of a religious minority.
This week, it was reported that Cisco will help the Chinese government build a massive camera surveillance network in the city of Chongqing. Though Cisco stated that they will not be providing the specific camera equipment, The Wall Street Journal’s report alleges that the company will provide the networking equipment required to administer a large-scale surveillance system.
Whether the equipment provided is the cameras or the backend network infrastructure, Cisco appears to have made the choice to help the Chinese government surveil its citizens and, inevitably, target dissidents and disfavored minorities.
In 2006, we suggested in a letter to the House Subcommittee on Africa, Global Human Rights, and International Operations a code of conduct for Internet companies in authoritarian regimes. Those standards remain just as relevant today. Under them, the choice by both Cisco and Microsoft to favor the Chinese government over its own people is a wrong choice. We urge both companies to reconsider.
A coalition of content industry players and ISPs today announced an anticipated collaborative effort to “curb online content theft,” described in more detail on a dedicated website for the initiative. The PR materials put out by the group are more telling for what they don’t say than what they do.
The framework provides for a series of progressive “copyright alerts”—up to six—that ISPs will send their users based on notifications they receive from content owners of alleged infringement on those users’ Internet access accounts. Initial alerts will include “education” resources; further ones will require users to confirm receipt of the alert. Later alerts will provide for “mitigation measures” such as reduced Internet speed and inability to surf the web until the user takes some action, for example, discussing with the ISP or responding to “educational information about copyright.”
What happens after six alerts? The materials emphatically state that ISPs are not required to terminate subscriber accounts as a condition of the agreement with the content industry and that the collaboration does not amount to a “three strikes” regime. But the materials also take pains to assert that the DMCA “requires that the ISPs have in place a termination policy for repeat copyright infringers as a condition of availing themselves of the Act’s ‘safe harbor’ provision.” Translation: The content industry is staking its position that ISPs that don’t terminate subscribers after 5 or 6 alerts will lose their DMCA protection. There are plenty of arguments for why that position is wrong; given that an alert represents nothing more than an allegation untried by a court, we think loss of Internet access would be a draconian measure that Congress did not intend. Nonetheless, it may take an ISP willing to litigate the issue to make the argument.
Next, what opportunities does a user have to respond? The materials state that users can, for $35, request an “independent review” on several grounds before a “mitigation measure” is put in place. (It’s unclear whether users have a vehicle to flag errors in response to earlier alerts in hopes of averting later ones.) The grounds for review include a basis to believe that the user was not engaging in infringement, that the account was incorrectly identified, or that “the alleged activity was the result of the unauthorized use of the Subscriber’s account of which the Subscriber was unaware and that the Subscriber could not have reasonably prevented.” (My emphasis.) Notably, the review process specifically states that failure to secure a wireless router will only be accepted once as a defense, a provision with serious consequences for small businesses such as cafes that provide wireless access to customers and individuals with open wifi. Also notable is the fact that users who wish to raise some defenses including fair use authorization must be willing to have their personal information sent to the content owner who provided the underlying report of infringement.
Finally, copyright “education.” Users will be directed to the “Center for Copyright Information,” which is already replete with big-media rhetoric. Educating users about copyright is a worthy endeavor, but such education must be balanced and objective.
We’re still working through the details of the actual agreement—more thoughts to come.
EFF and five news organizations recently filed an amicus brief (pdf) urging an Indiana appeals court to block a subpoena seeking to expose the identity of an anonymous speaker who posted a comment on the Indianapolis Star's website. This is a case of first impression in Indiana.
The subpoena stems from an underlying lawsuit filed by the former head of Junior Achievement of Central Indiana, a non-profit whose mission is to teach children about business management and finance. Among other things, Jeffrey Miller alleges that Junior Achievement and two of its high-level officers defamed him by claiming that he misappropriated money from the organization.
After the Indianapolis Star published the article "Junior Achievement Faces Questions, Audit" on indystar.com, a reader anonymously posted a comment suggesting that the leaders of the organization might have mismanaged its finances. Miller fired off a subpoena to the Star seeking to unmask the poster. The newspaper is fighting the demand (pdf) to protect the poster's anonymity.
EFF regularly urges courts (as counsel or amicus) to apply heightened constitutional standards to protect anonymous online expression. While litigants with valid claims against anonymous speakers can normally satisfy those protections, the First Amendment bars attempts to out anonymous critics through the misuse of the subpoena process.
The coalition's amicus brief encourages the court to adopt strong protections for online anonymity. It also explains Indiana's long tradition of anonymous commentary on public affairs and highlights the state's strong constitutional protections for free expression.