We can’t help but have a mixed reaction to Apple’s announcement of its new cloud services. On the one hand, some of the services offer real (long overdue) benefits for consumers and copyright owners. On the other hand, as with all things Apple, the price is high, and we’re not talking about the $24.99 iMatch fee.
Let’s start with some of the good. For years the music industry has complained that it could not adjust its business models to "compete with free." Apple's new iCloud service – and iTunes Match – shows, once again, that it's completely possible to "compete with free" when you provide added value.
As we all now know, Google and Amazon have rolled out their own music-in-the-cloud services. But those services are bulky, and slow upload times may discourage music fans. Apple's service will be different. Specifically, it will scan users' hard drives (allegedly in minutes) and offer access to Apple’s high-quality version of each song in a user’s library, no matter how one got the song (if Apple does not have access to a particular song, it will upload the user's own copy). As a practical matter, that means some users will now be able to “come in from the cold” and access lawful copies of music that they obtained illegally. For this, Apple will charge an annual $25 fee, and it has reportedly agreed to pay the labels $150 million in licensing fees. Fans now have additional access to their music (of a higher quality), the labels are getting paid, and maybe, just maybe, some of the profits will be passed on to the artists that made the music. This looks a lot like successfully competing with free to us.
But as with all things Apple, there’s a catch – and it’s an ironic one. The promise of cloud computing was that it would give users more flexibility than ever before. But Apple’s cloud services (which will allow users to store much more than just music) limit consumer options by locking users into Apple devices.
Over and over, Apple has affirmed its commitment to the idea that a manufacturer should be able to dictate how things can interoperate with a product at every layer – from the software, applications, and services that can be developed and sold, to the consumer's use of the device, to the other devices that can physically plug into it. The consequences of this approach have been all too clear. In its App store, for example, Apple has rejected several applications that competed with Apple's own offerings, including apps that allow users to synch their iPads with iTunes and to check multiple Gmail accounts at once. More broadly, Apple has been aggressively asserting the right to license accessories, like speakers and headphones, that work with its products. The result? Closed platforms and fewer choices.
Apple claims it needs to build a walled garden to "protect and improve" the user experience. From where we’re sitting, it looks like what Apple really wants is to control the user experience and re-set traditional expectations about what users can do with the products they buy.
If Apple truly cares about its customers, it should support their right to control their own devices – on the ground and in the cloud.
A week ago today, EFF launched the Tor Challenge – calling on people and organizations to help Internet activists across the globe by operating Tor relays. Today, we’re adding a new incentive to encourage additional Tor relays.
Tor is a service that masks your IP address. Activists, bloggers, and humanitarian aid workers around the world depend on Tor to maintain their anonymity online and access websites that have been blocked by their governments. The Tor Project has an acute need for volunteers to run relays, which individuals can set up on their computers or on virtual machines.
Every relay makes a difference to Tor in terms of speed and security. As the arms race between circumvention tools and censors speeds up, we need hundreds more to make sure that every blocked relay is quickly replaced.
– Karen Reilly, the Tor Project
Since we launched our campaign, we’ve been awed by the generosity of organizations and individuals worldwide. We’ve increased our original goal from 100 new relays to 400 new relays. In a week’s time, participants in our challenge have generated over 300 new relays.
We are especially impressed to see that some people are putting their Tor nodes in the cloud -- renting remote servers and operating multiple relays. To help get us through the last leg of the Challenge, we’re adding an incentive to encourage more people to follow their example. If you have questions about setting up multiple relays, email firstname.lastname@example.org.
Every individual or organization that sets up 5 or more relays will receive a Tor Challenge poster by famed artist Molly Crabapple. The cartoon What is Tor? shows wily raccoons routing traffic around the octopus of surveillance.
And this isn’t just any poster. In the words of author and Internet activist Cory Doctorow:
Holy awesomesauce! If ever there was a cryptoanonymity primer involving top-hat wearing octopuses, this is it!
To show our appreciation for your contribution to online anonymity, the EFF staff will sign your poster and, if you’d like, note your contribution on our blog and Twitter feed. Just set up your 5 exit or middle relays, report them using our online form and then send an email to email@example.com with a shipping address. We will ship the poster to you as soon as we’ve verified that your relays are active. Note: To be eligible, the relays must have been set up after May 21, 2011. Update: Incentive program has ended. Sorries!
Please set up your Tor relays today and help us achieve our goal of generating 400 new relays to protect anonymity and combat online censorship.
The success of Wikileaks in obtaining and releasing information has inspired mainstream media outlets to develop proprietary copycat sites. Al-Jazeera got into the act first, launching the Al-Jazeera Transparency Unit (AJTU), an initiative meant to "allow Al-Jazeera's supporters to shine light on notable and noteworthy government and corporate activities which might otherwise go unreported." AJTU assures users that "files will be uploaded and stored on our secure servers" and that materials "are encrypted while they are transmitted to us, and they remain encrypted on our servers."
On May 5, the Wall Street Journal (WSJ), a subsidiary of Dow Jones & Co., Inc., launched its own site, SafeHouse. That same day, the Atlantic published a story describing SafeHouse as a “secure uploading system” with “separate servers,” two layers of encryption, and a policy of discarding information about uploaders “as quickly as possible.” You can “keep yourself anonymous or confidential, as needed,” the SafeHouse site promises, as you “securely share documents with the Wall Street Journal.”
Immediately after its launch, however, online security experts ripped SafeHouse apart. The Atlantic published its story online at noon on May 5 and by 5 p.m., the page was updated with a link directing readers to the Twitter feed of Jacob Appelbaum, a security researcher and Wikileaks volunteer, who had already exposed an embarrassing number of security problems with SafeHouse.
They Reserve the Right to Sell You Out
Despite promising anonymity, security and confidentiality, AJTU can “share personally identifiable information in response to a law enforcement agency’s request, or where we believe it is necessary.” SafeHouse’s terms of service reserve the right “to disclose any information about you to law enforcement authorities” without notice, then go even further, reserving the right to disclose information to any "requesting third party,” not only to comply with the law but also to “protect the property or rights of Dow Jones or any affiliated companies” or to "safeguard the interests of others.” As one commentator put it bluntly, this is “insanely broad.” Neither SafeHouse nor AJTU bothers telling users how they determine when they'll disclose information, or who's in charge of the decision.
Whistleblowing by definition threatens "the interests of others." Every time someone uploads a scoop to SafeHouse, they jeopardize someone's interest in order to inform the public of what’s actually going on. That's the whole point. In the United States, submitting documents to journalists is protected speech under the First Amendment. But people in totalitarian countries cannot expose the secrets of their governments without breaking those governments' laws. And neither news outlet acknowledges that governments might abuse their police power to find out who leaked damaging information -- even here in the good old U.S. of A.
You Have to Make Promises No Whistleblower Can Keep
By uploading to SafeHouse, you represent that your actions "will not violate any law, or the rights of any person." By uploading to AJTU, you represent that you "have the full legal right, power and authority" to give them ownership of the material, and that the material doesn't "infringe upon or violate the right of privacy or right of publicity of, or constitute a libel or slander against, or violate any common law or any other right of, any person or entity."
This isn't a representation most whistleblowers can make honestly. The whole point of a leak is to expose internal information to the public. Even if your documents aren't stolen, you might be violating someone's rights.
SafeHouse further requires users to agree that WSJ can transfer the material to any country where Dow Jones does business. This means that the “law enforcement authorities” provision could even implicate laws of other countries with more intense internet monitoring, laws with which the whistleblower is unfamiliar. That makes it pretty hard to honestly claim that the content does not violate "any law."
Communications are Neither Anonymous Nor Confidential
Despite their public claims to the contrary, both SafeHouse and AJTU disclaim all promises of confidentiality, anonymity, and security.
SafeHouse offers users three upload options: standard, anonymous, and confidential. The “standard” SafeHouse upload "makes no representations regarding confidentiality." Neither does the “anonymous” upload which, as Appelbaum pointed out, couldn't technically provide it anyway. For “confidential” submissions, a user must first send the WSJ a confidentiality request. The request itself, unsurprisingly, is neither confidential nor anonymous. And until the individual user works out a specific agreement with the paper, nothing is confidential.
Similarly, AJTU makes clear that "AJTU has no obligation to maintain the confidentiality of any information, in whatever form, contained in any submission." Worse, AJTU's website by default plants a trackable cookie on your web browser which allows them “to provide restricted information to third parties.” So much for anonymity!
These Sites Don't Deliver What They Promise
It's understandable that news organizations would want to have access to news scoops provided by whistleblowers. That sort of competition is great. But these websites are misleading and, based on our review of the fine print, use of them by people who risk prosecution or retaliation for bringing sunshine to corruption, illegal behavior, or other topics worthy of whistleblowing is risky at best and dangerous at worst.
This article was co-authored by Leafan Rosen, law student at Rutgers Camden School of Law.
In its ongoing battle against music piracy, the Recording Industry Association of America (RIAA) is backing a bill in the California legislature, SB 550, which permits the police to disregard the Fourth Amendment. SB 550 would allow law enforcement to search without a warrant any CD, DVD, Blu-Ray or other “optical disc” manufacturer to ensure the discs they are producing carry legally required identification marks. SB 550 easily passed in the Senate yesterday and is now headed to the State Assembly.
The Supreme Court has long recognized that the Fourth Amendment’s prohibition on unreasonable searches and seizures applies to commercial property.[1] In most instances, a warrant is required to search a business. However, there is a narrow exception that permits warrantless searches of “closely regulated” industries if: (1) there is a substantial government interest in the search; (2) the warrantless search is necessary to further that interest; and (3) there are constitutionally adequate substitutes for a warrant. Plus, the warrantless searches must be limited in time, place and scope.[2]
SB 550 attempts to frame the optical disc manufacturing industry as “closely regulated”, bringing it within this otherwise narrow exception to the warrant requirement. But there are at least four problems with this theory.
1. Optical Disc Manufacturing Is Not a “Closely Regulated” Industry
A “closely regulated” industry is one that has a history of government oversight and regulation.[3] Usually, this means industries that have some connection to the public’s health and safety, such as automobile junkyards, liquor license holders, firearm dealers, mine operators and nursing homes, that require permits to operate.
Optical disc manufacturers, by contrast, have little history of government oversight. Someone who wants to manufacture CDs or DVDs can just open shop and start production; there are no registration or licensing requirements specific to optical disc manufacturers, apart from the requirement they stamp every disc with a unique identifier.
2. There Is No Substantial Government Interest
All the industries mentioned above have an effect on the public’s health and welfare, which is why the government has a substantial interest in regulating them. This is true even of automotive shops, as car theft leads to higher insurance premiums for consumers. Regulating stolen car parts takes unsafe vehicles off the road, and discourages people from getting shoddy mechanical work with stolen parts. And most importantly, it reduces the violence associated with car theft. The same concern about public health is why the government regulates mining, one of the most dangerous professions in the world.
But there is no substantial government interest in regulating disc manufacturers. According to the bill's sponsor, state Senator Alex Padilla (D-Pacoima), fraudulent CDs and DVDs “steal revenue from artists, retailers and our entertainment sector” and “undermine our economy and California's role as a global leader in music and film.” Of course, it's important to help make sure artists are rewarded for their hard work. But pursuing that goal shouldn’t come at the cost of ignoring the constitutional rights of California small businesses. And of course, permitting the warrantless searches themselves may undermine the California economy if optical disc producers decide to move their business out of the state altogether to escape the law.
3. Warrantless Searches Are Unnecessary
Search warrants are not impossible to obtain. For more than 200 years, law enforcement officers have obtained search warrants and been able to effectively investigate crime. In California, law enforcement can submit search warrant affidavits by telephone or email.[4]
Nor is there anything inherently different about investigating optical disc manufacturers that justifies a blanket exception to the Fourth Amendment. If law enforcement agencies tasked with investigating illegal gun and drug trafficking, fraud and physical violence can comply with the Fourth Amendment’s warrant requirement, what makes investigating music piracy any different?
Obtaining a warrant requires only that the police have probable cause to believe a particular manufacturer is engaging in illegal activity. If they have that belief, a warrant can be obtained and a plant searched. The police can still have the element of surprise on their side, as a search warrant does not require prior notice to the businesses or the public.
4. There Are No Limits to the Searches Authorized by SB 550
SB 550 claims that the “scope of the inspection shall be restricted to the physical review of items and collection of information necessary to verify compliance” with state law. But in the next paragraph, the bill empowers law enforcement to:
Take inventory of all manufacturing equipment
Review any record, book or document concerning the business
Remove any disc, production part, record or book for as long as wanted and without any time limitation
These aren’t limits, but a blank check: without a warrant or any suspicion of wrongdoing, law enforcement can take whatever they want, wherever they want, for as long as they want. Nothing about this is “reasonable” under the Fourth Amendment.
SB 550 Is Nothing More Than A Criminal Fishing Expedition
Rather than creating a tool to regulate the optical disc industry, SB 550 arms law enforcement with sweeping new powers with little justification. It’s doubtful that warrantless snooping of optical disc plants will have any effect on the losing battle against piracy. It’s clear that the market for CD sales is shrinking with the advent of digital music files, internet radio stations, and online music lockers. Perhaps the RIAA needs to rethink its business model rather than push for a powerful—and unconstitutional—tool.
All Californians—not just the optical disc industry—should stand up to protect the Fourth Amendment. Now is the time to write your local Assembly member to oppose SB 550 and require law enforcement to come back with a warrant!
1. See v. City of Seattle, 387 U.S. 541 (1967).
2. See generally New York v. Burger, 482 U.S. 691 (1987).
3. Marshall v. Barlow’s, Inc., 436 U.S. 307 (1978).
4. California Penal Code § 817(c).
On June 3, EFF will begin live coverage of a critical discussion about online freedom of expression held by the 47 member states of the U.N. Human Rights Council during its seventeenth session in Geneva. The meeting will include the introduction of a landmark report to the Council by United Nations Special Rapporteur Frank La Rue that advocates safeguards to protect free expression online including privacy and anonymity.
La Rue has spent the past year meeting with local organizations, including EFF, in numerous cities around the world. He has traveled to Stockholm, Buenos Aires, Bangkok, Cairo, Johannesburg and Delhi to gather information about key trends that stifle free expression online. These actions include the blocking of content, monitoring and identifying activists and critics, criminalizing legitimate expression, and adopting restrictive legislation to justify such measures. In his report, La Rue recommends that United Nations member states recognize the legitimacy of anonymous expression (a core EFF value) and the critical protection it affords. La Rue argues in his report that “privacy is essential for individuals to express themselves freely.”
La Rue’s statement and his recommendations are an essential step in making online anonymity the focus of policy discussions. Anonymity protects dissent by eliminating fear of reprisals and breaking the silence of self-censorship. It also plays a crucial role in environments hostile to journalism. In Mexico, one of the most dangerous countries for the press in the Americas, local journalists face constant threats and harassment for covering controversial issues such as corruption, drug trafficking and public security. For example, a well-known anonymous blog about the Mexican drug war assaults has provided graphic details about the violence--information that has not appeared on Mexican television or in local newspapers.
The report by the Special Rapporteur raises concerns about justifying broad surveillance powers under the name of national security or counter-terrorism. La Rue should be commended for questioning the ostensible motives for online surveillance. He points out that such measures “often [take] place for political, rather than security reasons in an arbitrary and covert manner.” La Rue should also be praised for recognizing the disturbing global trend towards expanding law enforcement and governmental power to monitor Internet users’ activities without legal safeguards against abuse.
In our submission [pdf] to the Special Rapporteur, EFF explained that the digital records of people's movements online are an important category of transactional data that requires the same protections applied to online content. Governments should procure a court order based on probable cause before tracking people’s actions online.
The La Rue report details the use of social networking sites (often heralded as “free expression tools”) to “identify and to track the activities of human rights defenders and opposition members.” La Rue warns the Council that, “...in some cases [governments] have collected usernames and passwords to access private communications of Facebook users.” This was the case during the Tunisian uprising when the Tunisian government targeted bloggers, activists, and dissidents by launching a cyber attack on Google, Yahoo, and Facebook to steal usernames and passwords. La Rue’s report acknowledges that several states have established a real-name identification system which requires that users fully identify themselves before they can post comments or upload content online. Such a system can compromise the ability of activists to express themselves anonymously, particularly in countries where human rights are frequently violated.
In our submission to the Rapporteur, EFF pointed out that since 2003, the South Korean government has sought cooperation with Internet Service Providers to develop real-name systems to eliminate online anonymity. Although not required by law, there’s a similar trend in the terms of service adopted by some Internet media services in the U.S. For example, Facebook’s Statement of Rights and Responsibilities requires Facebook users to provide their real name and other identifying information. This practice creates serious risks for dissidents and human rights workers, who must choose between revealing their identities, which can lead to government reprisals, and using a pseudonym, which leaves their accounts vulnerable to deletion for terms-of-service violations.
La Rue also acknowledges in his report that many countries are taking steps “to reduce the ability of Internet users to protect themselves from arbitrary surveillance, such as limiting the use of encryption technologies.” These acts remind us how important it is for Internet users to have access to strong encryption and the implications of U.S. export controls on cryptography.
La Rue also criticizes the criminalization of defamation laws. In Peru, a well-known blogger, Jose Godoy, was sentenced for aggravated defamation for criticizing a former Peruvian minister and Congressman. As the Committee to Protect Journalists has reported over the years, criminal defamation laws and over-broad judicial decisions affect independent journalism in many countries in Latin America.
La Rue concludes his report by:
Calling upon States to ensure that individuals can express themselves anonymously online.
Calling upon States to refrain from adopting real-name registration systems.
Underscoring that national security or counterterrorism cannot be used to justify restricting the right to expression unless an imminent legitimate threat is demonstrated.
Underscoring the obligation of States to adopt effective privacy and data protection laws in accordance with article 17 of the International Covenant on Civil and Political Rights and the Human Rights Committee’s general comment No. 16.
Calling all States to decriminalize defamation.
The Human Rights Council began its seventeenth session on May 30 and will conclude its meeting on June 17. The Association for Progressive Communications has delivered a statement during the general debate on the first day of the session, and will be organizing an event after the Council's session at the United Nations on Friday, 1:00-3:00 p.m. CET. EFF will be keeping the public informed with more information about the discussions after La Rue’s report is delivered on June 3.
EFF today filed a petition with the Department of Justice and the FCC asking the administration to deny AT&T Inc.’s proposed takeover of T-Mobile USA, based on concerns about the risk of non-neutral behavior as a result of decreased competition. You can read EFF’s letter here.
As we said:
EFF has maintained that the preferable way to avoid discriminatory conduct and achieve network neutrality by carriers is through fostering competition and preventing the consolidation of market power. Thus, if the administration, both the Department of Justice and the FCC, seeks to support a more neutral, more innovation-friendly communications infrastructure, it should use its efforts to assist in the creation of more competitors, rather than fewer. The merger represents a step in the wrong direction.
EFF recently launched a campaign calling on companies to stand with their users when the government comes looking for data. (If you haven’t done so, sign our petition urging companies to provide better transparency and privacy.) This article will provide a more detailed look at one of the four categories in which a company can earn a gold star in our campaign: fighting for users' privacy rights in court.
This category recognizes those companies that have gone to court to fight for their users' privacy interests in response to government demands for information--companies that have actually filed briefs and made legal arguments defending their users' privacy rights. A gold star in this category is especially important considering that in many cases, only the company itself will be in a position to challenge the government's attempt to obtain user information. Those companies that have done so publicly are deserving of public commendation.
Therefore, we gave Yahoo! a full gold star for its work last year in the Colorado federal court, fighting the Justice Department's attempt to seize a Yahoo! user's email without probable cause. Not only did Yahoo! oppose the government's demand in court, it also convinced the court to unseal the otherwise secret proceeding so that EFF could file a brief in the case. In the face of stiff opposition, the government ultimately backed down and withdrew its demand.
We also gave a gold star to Google, both for teaming up with EFF on its brief in last summer's Yahoo! email case, and for resisting a Justice Department subpoena for search logs in 2006. Amazon got a star, too, for repeatedly fighting to protect the privacy of its users' book purchases in the face of both federal and state government demands. Finally, we tipped our hat to Twitter for successfully convincing the government to allow the unsealing of a demand for information about Twitter users associated with Wikileaks, although we only awarded half a star because that success did not involve the filing of any briefs in court or rely on any legal arguments concerning users' privacy rights.
A star in this category is important and worthy of praise but it may not completely tell the story about a company's actions to protect its users. It's fair to assume that some internet companies--including some on our "Who's Got Your Back" list--have worked hard behind the scenes to protect their users, whether by informally convincing the government to withdraw or scale back requests for user information, or by opposing government demands in court proceedings that are under seal or that have not been reported. But since we have no way to confirm which companies have done so, it's impossible for us to factor such cases into our rankings. We urge companies that have quietly fought for their users' privacy in such circumstances to publicize those efforts wherever possible, and move for courts to unseal the details of such cases, so that they might earn a star in this category and be publicly recognized for their work.
The PROTECT IP Act, known as PIPA, yesterday passed through the Senate Judiciary Committee with only minimal changes. The current draft bill is here. The good news is that the approval was quickly met by a much-welcome hold on the legislation from Senator Wyden of Oregon.
Wyden sums up our concerns with the bill very nicely:
At the expense of legitimate commerce, PIPA’s prescription takes an overreaching approach to policing the Internet when a more balanced and targeted approach would be more effective. The collateral damage of this approach is speech, innovation and the very integrity of the Internet.
On the more granular side, we have a few additions to the issues raised in our earlier post about PIPA:
The amended bill versus the bill as introduced
The current amendment includes an especially unfortunate edit that the Senate Judiciary Committee failed to highlight in a summary of changes. PIPA enables both the Attorney General and private parties to bring cases against websites “dedicated to infringing activities.” Under the first version of the bill, if a plaintiff “through due diligence” couldn’t find someone within the United States to sue, the Attorney General but not a private litigant was allowed to pursue a claim directly against the domain name of the site. This kind of action is called in rem and refers to a court’s power to issue orders against property without involvement of the owner or other person related to the property. After yesterday's amendments, PIPA allows private litigants to sue in rem as well. As a general matter, the ability to get court orders against an entire website without the site owner’s prior knowledge, much less ability to protest, in and of itself raises concerns about due process. It also raises First Amendment concerns given that the actions target entire websites, including lawful speech on those sites. Extending this power to private parties increases the likelihood that it will be abused.
When COICA was introduced in the Senate last fall, EFF wrote about its dangerous implications for the Internet’s domain name system (DNS). These remain true for PIPA, despite the removal of a provision that would have required registrars and registries to block domain names pointing to sites “dedicated to infringing activities.” Because blocking via registries and registrars underlies Immigration and Customs Enforcement’s ongoing practice of seizing domain names, taking this device out of PIPA is a small gain. The bill will still require targeted DNS server operators like ISPs to prevent an identified domain name from resolving to the domain's IP address, thereby preventing their users from accessing those sites. As a result, the warnings that we and others gave last year about serious security vulnerabilities and a fractured Internet are unchanged.
But the new bill goes even further. Where COICA didn't bother to define “domain name system server,” PIPA says this:
the term “domain name system server” means a server or other mechanism used to provide the Internet protocol address associated with a domain name
The inclusion of the words “or other mechanism” vastly increases the potential scope of the definition, at the risk of extreme and unintended consequences. The term could sweep in, for example, operating systems, email clients, web clients, routers, and a host of other technology. This may be a simple blunder due to technical ignorance on the part of the drafters, defining “server” so broadly as to mean effectively “client.” If so, that’s troubling enough. If not, this bill has even more grave implications for the health of the network than we thought.