On June 3, EFF will begin live coverage of a critical discussion about online freedom of expression held by the 47 member states of the U.N. Human Rights Council during its seventeenth session in Geneva. The meeting will include the introduction of a landmark report to the Council by United Nations Special Rapporteur Frank La Rue that advocates safeguards to protect free expression online, including privacy and anonymity.
La Rue has spent the past year meeting with local organizations, including EFF, in numerous cities around the world. He has traveled to Stockholm, Buenos Aires, Bangkok, Cairo, Johannesburg and Delhi to gather information about key trends that stifle free expression online. These actions include the blocking of content, monitoring and identifying activists and critics, criminalizing legitimate expression, and adopting restrictive legislation to justify such measures. In his report, La Rue recommends that United Nations member states recognize the legitimacy of anonymous expression (a core EFF value) and the critical protection it affords. La Rue argues in his report that “privacy is essential for individuals to express themselves freely.”
La Rue’s statement and his recommendations are an essential step in making online anonymity the focus of policy discussions. Anonymity protects dissent by eliminating fear of reprisals and breaking the silence of self-censorship. It also plays a crucial role in environments hostile to journalism. In Mexico, one of the most dangerous countries for the press in the Americas, local journalists face constant threats and harassment for covering controversial issues such as corruption, drug trafficking and public security. For example, a well-known anonymous blog about the Mexican drug war assaults has provided graphic details about the violence--information that has not appeared on Mexican television or in local newspapers.
The report by the Special Rapporteur raises concerns about justifying broad surveillance powers under the name of national security or counter-terrorism. La Rue should be commended for questioning the ostensible motives for online surveillance. He points out that such measures “often [take] place for political, rather than security reasons in an arbitrary and covert manner.” La Rue should also be praised for recognizing the disturbing global trend towards expanding law enforcement and governmental power to monitor Internet users’ activities without legal safeguards against abuse.
In our submission [pdf] to the Special Rapporteur, EFF explained that the digital records of people's movements online are an important category of transactional data that requires the same protections applied to online content. Governments should procure a court order based on probable cause before tracking people’s actions online.
The La Rue report details the use of social networking sites (often heralded as “free expression tools”) to “identify and to track the activities of human rights defenders and opposition members.” La Rue warns the Council that, “...in some cases [governments] have collected usernames and passwords to access private communications of Facebook users.” This was the case during the Tunisian uprising when the Tunisian government targeted bloggers, activists, and dissidents by launching a cyber attack on Google, Yahoo, and Facebook to steal usernames and passwords. La Rue’s report acknowledges that several states have established a real-name identification system which requires that users fully identify themselves before they can post comments or upload content online. Such a system can compromise the ability of activists to express themselves anonymously, particularly in countries where human rights are frequently violated.
In our submission to the Rapporteur, EFF pointed out that since 2003, the South Korean government has sought cooperation with Internet Service Providers to develop real-name systems to eliminate online anonymity. Although not required by law, there’s a similar trend in the terms of service adopted by some Internet media services in the U.S. For example, Facebook’s Statement of Rights and Responsibilities requires Facebook users to provide their real name and other identifying information. This practice creates serious risks for dissidents and human rights workers, who must choose between revealing their identities, which can lead to government reprisals, and using a pseudonym, which leaves their accounts vulnerable to deletion for terms-of-service violations.
La Rue also acknowledges in his report that many countries are taking steps “to reduce the ability of Internet users to protect themselves from arbitrary surveillance, such as limiting the use of encryption technologies.” These acts remind us how important it is for Internet users to have access to strong encryption and the implications of U.S. export controls on cryptography.
La Rue also criticizes the criminalization of defamation laws. In Peru, a well-known blogger, Jose Godoy, was sentenced for aggravated defamation for criticizing a former Peruvian minister and Congressman. As the Committee to Protect Journalists has reported over the years, criminal defamation laws and over-broad judicial decisions affect independent journalism in many countries in Latin America.
La Rue concludes his report by:
Calling upon States to ensure that individuals can express themselves anonymously online.
Calling upon States to refrain from adopting real-name registration systems.
Underscoring that national security or counterterrorism cannot be used to justify restricting the right to expression unless an imminent legitimate threat is demonstrated.
Underscoring the obligation of States to adopt effective privacy and data protection laws in accordance with article 17 of the International Covenant on Civil and Political Rights and the Human Rights Committee’s general comment No. 16.
Calling all States to decriminalize defamation.
The Human Rights Council began its seventeenth session on May 30 and will conclude its meeting on June 17. The Association for Progressive Communications delivered a statement during the general debate on the first day of the session, and will be organizing an event after the Council's session at the United Nations on Friday, 1:00-3:00 p.m. CET. EFF will be keeping the public informed with more information about the discussions after La Rue’s report is delivered on June 3.
EFF today filed a petition with the Department of Justice and the FCC asking the administration to deny AT&T Inc.’s proposed takeover of T-Mobile USA, based on concerns about the risk of non-neutral behavior as a result of decreased competition. You can read EFF’s letter here.
As we said:
EFF has maintained that the preferable way to avoid discriminatory conduct and achieve network neutrality by carriers is through fostering competition and preventing the consolidation of market power. Thus, if the administration, both the Department of Justice and the FCC, seeks to support a more neutral, more innovation-friendly communications infrastructure, it should use its efforts to assist in the creation of more competitors, rather than fewer. The merger represents a step in the wrong direction.
EFF recently launched a campaign calling on companies to stand with their users when the government comes looking for data. (If you haven’t done so, sign our petition urging companies to provide better transparency and privacy.) This article will provide a more detailed look at one of the four categories in which a company can earn a gold star in our campaign: fighting for users' privacy rights in court.
This category recognizes those companies that have gone to court to fight for their users' privacy interests in response to government demands for information--companies that have actually filed briefs and made legal arguments defending their users' privacy rights. A gold star in this category is especially important considering that in many cases, only the company itself will be in a position to challenge the government's attempt to obtain user information. Those companies that have done so publicly are deserving of public commendation.
Therefore, we gave Yahoo! a full gold star for its work last year in the Colorado federal court, fighting the Justice Department's attempt to seize a Yahoo! user's email without probable cause. Not only did Yahoo! oppose the government's demand in court, it also convinced the court to unseal the otherwise secret proceeding so that EFF could file a brief in the case. In the face of stiff opposition, the government ultimately backed down and withdrew its demand.
We also gave a gold star to Google, both for teaming up with EFF on its brief in last summer's Yahoo! email case, and for resisting a Justice Department subpoena for search logs in 2006. Amazon got a star, too, for repeatedly fighting to protect the privacy of its users' book purchases in the face of both federal and state government demands. Finally, we tipped our hat to Twitter for successfully convincing the government to allow the unsealing of a demand for information about Twitter users associated with Wikileaks, although we only awarded half a star because that success did not involve the filing of any briefs in court or rely on any legal arguments concerning users' privacy rights.
A star in this category is important and worthy of praise but it may not completely tell the story about a company's actions to protect its users. It's fair to assume that some internet companies--including some on our "Who's Got Your Back" list--have worked hard behind the scenes to protect their users, whether by informally convincing the government to withdraw or scale back requests for user information, or by opposing government demands in court proceedings that are under seal or that have not been reported. But since we have no way to confirm which companies have done so, it's impossible for us to factor such cases into our rankings. We urge companies that have quietly fought for their users' privacy in such circumstances to publicize those efforts wherever possible, and move for courts to unseal the details of such cases, so that they might earn a star in this category and be publicly recognized for their work.
The PROTECT IP Act, known as PIPA, yesterday passed through the Senate Judiciary Committee with only minimal changes. The current draft bill is here. The good news is that the approval was quickly met by a much-welcome hold on the legislation from Senator Wyden of Oregon.
Wyden sums up our concerns with the bill very nicely:
At the expense of legitimate commerce, PIPA’s prescription takes an overreaching approach to policing the Internet when a more balanced and targeted approach would be more effective. The collateral damage of this approach is speech, innovation and the very integrity of the Internet.
On the more granular side, we have a few additions to the issues raised in our earlier post about PIPA:
The amended bill versus the bill as introduced
The current amendment includes an especially unfortunate edit that the Senate Judiciary Committee failed to highlight in a summary of changes. PIPA enables both the Attorney General and private parties to bring cases against websites “dedicated to infringing activities.” Under the first version of the bill, if a plaintiff “through due diligence” couldn’t find someone within the United States to sue, the Attorney General but not a private litigant was allowed to pursue a claim directly against the domain name of the site. This kind of action is called in rem and refers to a court’s power to issue orders against property without involvement of the owner or other person related to the property. After yesterday's amendments, PIPA allows private litigants to sue in rem as well. As a general matter, the ability to get court orders against an entire website without the site owner’s prior knowledge, much less ability to protest, in and of itself raises concerns about due process. It also raises First Amendment concerns given that the actions target entire websites, including lawful speech on those sites. Extending this power to private parties increases the likelihood that it will be abused.
When COICA was introduced in the Senate last fall, EFF wrote about its dangerous implications for the Internet’s domain name system (DNS). These remain true for PIPA, despite the removal of a provision that would have required registrars and registries to block domain names pointing to sites “dedicated to infringing activities.” Because blocking via registries and registrars underlies Immigration and Customs Enforcement’s ongoing practice of seizing domain names, taking this device out of PIPA is a small gain. The bill will still require targeted DNS server operators like ISPs to prevent an identified domain name from resolving to the domain's IP address, thereby preventing their users from accessing those sites. As a result, the warnings that we and others gave last year about serious security vulnerabilities and a fractured Internet are unchanged.
But the new bill goes even further. Where COICA didn't bother to define “domain name system server,” PIPA says this:
the term “domain name system server” means a server or other mechanism used to provide the Internet protocol address associated with a domain name
The inclusion of the words “or other mechanism” vastly increases the potential scope of the definition, at the risk of extreme and unintended consequences. The term could sweep in, for example, operating systems, email clients, web clients, routers, and a host of other technology. This may be a simple blunder due to technical ignorance on the part of the drafters, defining “server” so broadly as to mean effectively “client.” If so, that’s troubling enough. If not, this bill has even more grave implications for the health of the network than we thought.
This blog post was also published on the Index on Censorship blog.
Despite a super injunction in place to keep his name and the story of his extra-marital affair out of the tabloids, a British footballer has found that where there’s the Internet, there’s a way...for the story to get out, that is.
Partially in response to the draconian nature of the super injunction the footballer obtained, tens of thousands of Twitter users published his name, briefly turning it—along with the name of his alleged mistress—into a Twitter trending topic, with purportedly as many as 75,000 individuals tweeting the name. The athlete—who has now been named in British media as well as in Parliament as Ryan Giggs—reportedly obtained a court order in British High Court to demand Twitter reveal the identities of users who had posted the tweets. We call this public backlash to overbroad censorship attempts the Streisand effect.
Publishing truthful information about a matter of public concern is and should be protected expression. Yet these injunctions prevent the press and the public from reporting on details of a court case, and can even include preventing a mention of the fact that an injunction has been taken out.
The controversial super injunction procedure was created by the 1998 Human Rights Act and aimed, nobly, at protecting individuals' privacy, while also protecting their right to freedom of expression. However, the balance here is plainly off. International freedom of expression organization, Article 19, has noted that super injunctions are a form of prior censorship that is not permitted under international human rights law—including permitted limits to Article 19 of the Universal Declaration of Human Rights and Article 10 of the European Convention on Human Rights.
It's easy to see why. In this case, as in reportedly many others, super injunctions have become a tool of powerful public figures to try to stop embarrassing facts from being discussed, and in this instance the injunction process is ironically being used to require Twitter to pierce the anonymity of its customers based on the content of their speech. Particularly in this situation—where very public figures who actively seek public attention much of the time are trying to ensure that the public only learns the heroic, and not the embarrassing, facts about them—these broad super injunctions raise deep concerns.
While the situation raises many questions, three issues jump out at us:
Blaming the Platform - UK needs Intermediary Protection
In the United States, intermediaries like Twitter are protected by Section 230 of the Communications Decency Act of 1996. CDA 230 provides online intermediaries that host speech with protection against a range of laws that might otherwise hold them legally responsible for what their users say and do. In essence, CDA places the responsibility for speech on the individual speaker rather than on the platform.
As Eric Goldman noted in a position paper for an OECD experts workshop on Internet intermediaries on the benefits of immunity regimes for Internet publishers:
“The United States has seen an explosion of entrepreneurial activity from Internet publishers of reputational information—a process fostered by 47 U.S.C. § 230, which Congress enacted in 1996 as part of the Communications Decency Act. Content originators remain liable for their content, but 230 provides Internet publishers with a powerful immunization for content originated by third parties. With 230’s protection, Internet publishers are developing innovative ways to supply consumers with helpful reputational information, freed from concerns that innovation will increase their liability for user content...”
CDA 230, along with the First Amendment, would protect Twitter (and likely most U.S. Twitter customers) should the footballer attempt to enforce a U.K. judgment here in the U.S., assuming Twitter is not subject to jurisdiction of the U.K. courts.
That's good news, but the failure of the U.K. to adequately protect intermediary platforms under UK law raises deep concerns.
It is now painfully clear that the judicial ruling is not stopping the facts about this matter from being spoken and that there is a strong public interest in this gossipy news about very public celebrities. As the British Courts themselves recently observed in a similar case:
"The Court should guard against slipping into playing the role of King Canute. Even though an order may be desirable for the protection of privacy, and may be made in accordance with the principles currently being applied by the courts, there may come a point where it would simply serve no useful purpose and would merely be characterised, in the traditional terminology, as a brutum fulmen. It is inappropriate for the Court to make vain gestures."
Continued insistence on this injunction, and continued efforts to impose liability, run the risk of creating an atmosphere where British court rulings have reduced authority because they are viewed as unrealistic and out of touch with modern technology.
The British courts deserve better and it may fall to the British Parliament to change the ‘super injunction’ law in order to fix this problem.
Once Again Twitter's Policy of Notifying Users is Key
In January, Twitter rightfully received the world's praise for insisting on notifying its users when the U.S. government demanded information about several Twitter users. Now Twitter's policy of notifying users may be triggered again, in the event that they receive appropriate legal process requiring them to identify users who republished the information. EFF has called on other service providers to make the same promise to notify users that Twitter has made, so that if a "super injunction" hits any other service providers, users can take steps to protect themselves.
We’ve previously written about the Kerry-McCain "Commercial Privacy Bill of Rights," which tries to create a general federal privacy framework rooted in the Fair Information Practices (although we’re not sure how well it succeeds). Currently, federal privacy law is sector-specific, often applying only to certain types of information or certain categories of "covered entities," and thus leaving gaps in privacy protection. A good comprehensive federal privacy law could fill those gaps.
At the same time, privacy advocates are also fans of state privacy laws. States are often privacy innovators. A classic example is California’s pioneering data breach notification law, which helped shed light on just how often (and how badly) holders of our personal data mess up—and has since been copied by many states. There’s still no federal breach notification law.
More generally, many states have laws that authorize state officials (and in more limited circumstances, consumers) to bring consumer protection lawsuits against unfair or deceptive trade practices. In California, Business & Professions Code § 17200 can be enforced not only by the state attorney general but also by: 58 county district attorneys; 5 city attorneys (for each of the cities with populations over 750,000); and full-time city attorneys for any of the other 400+ smaller cities (with the consent of the county district attorney). District attorneys across California—Alameda, Los Angeles, Sacramento, San Diego, San Francisco, San Mateo, and Sonoma (to name a few)—have actively used § 17200.
But these powerful state-level laws for protecting consumer privacy might be endangered. Under the U.S. Constitution’s Supremacy Clause, both the Constitution and federal law “shall be the supreme Law of the Land; ... any Thing in the Constitution or Laws of any state to the Contrary notwithstanding.” (Article VI, clause 2) Lawyers call this “preemption” - and it means that the federal law will trump the state law. Congress can expressly preempt state law, but even if Congress doesn’t say so outright, courts may find that a state law is preempted because it conflicts with federal law or because Congress intended to “occupy the field.”
On the other hand, Congress can also expressly set a federal “floor” but allow the states to impose stricter rules. For example, as the legislative history of the Wiretap Act states, “The proposed provision envisions that States would be free to adopt more restrictive legislation, or no legislation at all, but not less restrictive legislation.” S. Rep. No. 1097, at 98 (1968), reprinted in 1968 U.S.C.C.A.N. 2112, 2187.
So an obvious question is how the Kerry-McCain bill addresses state privacy laws. Our main conclusion: Kerry-McCain would preempt many state privacy laws, because § 405(a) of the bill expressly preempts all state laws “relating to” covered entities “to the extent that such provisions relate to the collection, use, or disclosure of” either “covered information” as defined in the bill or “personally identifiable information or personal identification information addressed in provisions of the law of a State.” (There are some carve-outs for state laws concerning the collection, use, or disclosure of health or financial information, required notifications pursuant to a data breach, and state laws that “relate to acts of fraud.” § 405(b)(2).)
The broad scope of preemption results from three factors. First, a comprehensive privacy law—regulating offline as well as online activity—by definition runs into the many state laws that currently protect information privacy. Second, Kerry-McCain isn’t a federal “floor” law like the Wiretap Act. It’s the opposite, setting a federal “ceiling.” So if it were enacted, states would be hampered from passing stronger protections for consumer privacy. Third, Kerry-McCain reaches entities like common carriers and non-profit organizations that the Federal Trade Commission (which under the bill would develop regulations) normally can’t regulate.
Thus, for example, Kerry-McCain likely preempts all state laws that protect the privacy of your phone records. Current California law protects telephone subscribers’ personal calling patterns, including numbers called, from being made available without first obtaining the residential subscriber’s written consent. Cal. Pub. Util. Code § 2891(a), et seq.; Cal. Penal Code § 638(a) (prohibiting any person from purchasing, selling, or offering or conspiring to purchase or sell “any telephone calling pattern records or list, without written consent of the subscriber”).
Such preemption might not be so bad if Kerry-McCain replaced the lost state protection with equivalent federal protection—but it doesn’t. California law provides a private right of action (to sue the telephone company and its employees) under § 2891(e); there’s no private right of action under Kerry-McCain.
The preemptive effect of Kerry-McCain would also affect enforcement of California law more broadly. Recall the earlier discussion of Business & Professions Code § 17200; it may be preempted as well. But even if it’s not, § 405(b) of the bill radically changes the enforcement picture, because of all state officials, only state attorneys general may bring actions that sound “in whole or in part” upon violations of Kerry-McCain—county district attorneys, city attorneys, etc., cannot. Remedies are restricted as well. Actions are authorized only in cases of economic or physical harm. § 403(a).
In short, we think that Kerry-McCain would preempt many state laws and weaken enforcement of those laws that it doesn’t preempt. We think that strips away the hard-won consumer protections many states have enacted, and could prevent new state-level protections from being passed in the future. We hope that the bill can be amended to eliminate these problems.
Update II: Apparently not frightened off by Apple's letter defending its developers, Lodsys went ahead and sued at least seven developers in the Eastern District of Texas for patent infringement. In its original cease-and-desist letters, Lodsys gave developers 21 days to respond. But – apparently in response to Apple's letter – Lodsys went ahead and filed suit sooner, claiming that it needed to "preserve its legal options." We continue to monitor the situation and follow developments in the litigation.
Update: We were pleased to learn that Apple has decided to stand up for its developers. Its detailed letter to Lodsys, sent yesterday, explains in no uncertain terms why the patent infringement allegations are baseless and improper. Let's hope this ends the matter.
We've been waiting expectantly for Apple to step up and protect the app developers accused of patent infringement solely for using a technology that Apple required they use in order to sell their apps in Apple's App Store. Apple's failure to defend these developers is troubling and highlights at least two larger problems: patent trolls and developers' vulnerability when harassing and counter-productive patent litigation comes around.
In case you missed it, Lodsys – a troll whose sole business model is owning and suing on patents – has sent letters to many of Apple's app developers accusing them of infringing a patent that covers the in-app purchasing functionality that Apple provides as part of its operating system. In addition to these accusations, Lodsys' letters demanded payment. Unfortunately, suing app developers – who often lack the resources required to defend a lawsuit – is a trend we’re seeing more and more often.
What’s different here, however, is that Apple provides this functionality to its developers and requires that they use it. Apple itself is protected from liability – Apple took a license from Lodsys' predecessor to use this very patent (which was likely part of a larger blanket license). And the apparently one-sided Apple-developer agreement does not require that Apple indemnify developers from suits based on technology that Apple provides.
This is a problem that lawyers call a misallocation of burden. The law generally works to ensure that the party in the best position to address an issue bears the responsibility of handling that issue. In the copyright context, for example, the default assumption is that the copyright owners are best positioned to identify potential infringement. This is because, among other reasons, copyright owners know what content they own and which of their works have been licensed. Here, absent protection from Apple, developers hoping to avoid a legal dispute must investigate each of the technologies that Apple provides to make sure none of them is patent-infringing. For many small developers, this requirement, combined with a 30 percent fee to Apple, is an unacceptable cost. Even careful developers who hire lawyers to do full-scale patent searches on potential apps surely would not expect to investigate the technology that Apple provides. Instead, they would expect (with good reason) that Apple wouldn't provide technologies in its App Store that open its developers up to liability – and/or would at least agree to defend them when a troll like Lodsys comes along.
By putting the burden on those least able to shoulder it, both Apple and Lodsys are harming not just developers but also the consumers who will see fewer apps and less innovation. We hope that going forward companies like Apple will do what's right and stand up for their developers and help teach the patent trolls a lesson.
EFF is proud to support SB 914, a bill that requires the police to obtain a warrant before searching a recent arrestee’s cell phone.
SB 914 is a response to a January decision of the California Supreme Court in People v. Diaz. In that case, the court authorized police officers to search any person’s cell phone after they had been arrested under a narrow exception to the Fourth Amendment’s warrant requirement that permits law enforcement officers to search the area immediately around a person “incident to arrest.” This exception has two traditional rationales: ensuring officer safety by allowing a search for weapons, and protecting evidence from immediate destruction. By permitting the warrantless search of a cell phone under this exception, the Court gave officers carte blanche to rummage through all the private data and information people keep on their cell phones – emails, text messages, call history, websites they’ve visited, and their calendars, to name just a few examples – regardless of whether the police believed there was evidence of the crime on the cell phone and without any judicial oversight.
Courts throughout the country have been grappling with this issue and have reached conflicting results, with some courts authorizing warrantless searches of cell phones and others not. In an amicus brief (pdf) recently filed before the Oregon Supreme Court, EFF argued that warrantless searches of cell phones incident to arrest violate the Constitution’s right to privacy. This is all the more troubling because cell phones pose no danger to the police, the threat of destruction of evidence can be easily remedied through simple preservation methods, and many arrests do not result in criminal prosecution at all.
SB 914 is a proactive attempt to legislate Constitutional protection and reverse Diaz’s dangerous course. Introduced by California Senator Mark Leno and sponsored by the Northern California ACLU, the bill reasonably balances law enforcement needs with people’s privacy rights by allowing the police to look through cell phones only when they have convinced a magistrate judge there is likely evidence of the crime on the phone.
The bill is expected to be on the Senate floor soon. All Californians should ask their state lawmakers to support SB 914 and tell law enforcement that if they want access to the personal and private data stored on cell phones, they need to come back with a warrant.