Judicial decisions are starting to come fast and furious in the movie copyright troll cases – and the trend is mixed but promising for those of us who care about protecting due process.
The good news is that judges continue to recognize the fundamental flaws in these cases. In the Northern District of Illinois, for example, Judge Blanche Manning recently severed Millennium v. Does 1-800, effectively dismissing the case against almost every Doe defendant. The court also suggested that the suit had been brought in the wrong place:
The plaintiff is a Hawaii corporation with its principal place of business in California. As far as the plaintiff knows, none of the defendants are located in Illinois and it merely alleged, without any basis the court can discern, that “on information and belief each Defendant may be found in this district and/or a substantial part of the acts of infringement complained of herein occurred in this District.” Amended Comp. at ¶7. Indeed, apparently none of the Doe defendants who have filed motions to quash are located in Illinois and it appears that easily accessible tools exist to verify the locations of the IP addresses of the other named Doe defendants, see, e.g.,http://whois.arin.net/ui/, many (if not all) of which are not located in Illinois.
Judge Manning has also ordered severance in Lightspeed v. Does 1-1000, on similar grounds.
Another Illinois federal judge has expressed not just skepticism but outrage at the tactics of one copyright troll. Calling the case of CP Productions v. 1-300 both “ill-fated’ and “ill-considered” he not only dismissed the case but read the riot act to the plaintiff’s attorney in open court, demanding to know why, if the case was properly filed in Illinois, he was getting motions to quash from defendants all over the country.
And, as we reported last week the judge in one mass copyright “reverse class action” in the Southern District of Illinois has stayed discovery while it considered whether the plaintiff should be allowed to subpoena the Does’ identities given the fundamental flaws in its case. A hearing on the issue is scheduled for Monday.
These views are not yet universal, however. In late March, Judge Beryl Howell issued an unfortunate decision on motions to quash discovery in three cases filed in the District of Columbia (the plaintiffs are all represented by the US Copyright Group). EFF participated as amicus in one of the cases, Call of the Wild Movie v. Does 1,062. The judge denied the motions, concluding, in essence, that it was too early in the litigation to address deep the procedural flaws in the plaintiffs’ cases. We are particularly disappointed that Judge Howell (1) accepted the idea that using BitTorrent to download the same movie was enough to establish a logical relationship between defendants; and (2) suggested that the Doe defendants are not harmed until they are actually named in a lawsuit, not withstanding the efforts of plaintiffs to extract settlements based, in part, on the coercive effect of being sued far from home with the threat of statutory damages of up to $150,000.
Since then, however, Judge Howell has indicated that she is keeping a close eye on USCG. For example, in one of the cases, Maverick v. Does 1-4350, Judge Howell has ordered the plaintiff to dismiss hundreds of Does where the plaintiff either does not intend to name and sue the Does in D.C. and/or the information for those Does is no longer available. The court noted that “since plaintiff filed its Complaint, it has not named a single defendant in this action” and that while plaintiff had stated it would dismiss numerous Does, it had not bothered to submit a proposed order to that effect, leaving those Does in limbo.
We'll continue to monitor these cases, and to get involved directly where we can.
In addition to unqualified names being meaningless — or, worse than meaningless — there are also meaningless fully-qualified names. And, yes, CAs will sign those names too.
As you may know, the internet domain name system (DNS) has a hierarchical structure: at the top are the top-level domains (TLDs) like .com, .org, and .net. Additionally, each two-letter ISO country code like UK, JP, and CN is also a valid country-code TLD (ccTLD). Finally, there are the lesser-known TLDs like .mobi, .museum, and .int.
Although you can register most any name (that contains letters, numbers, dashes, and arguably underscores) underneath the TLDs, the set of TLDs is fixed. Although ICANN might someday approve a .mars TLD for the red planet, they have not yet done so. If you try to browse to www.olympus-mons.mars, you won’t get anywhere. (Yet.)
However, CAs will sign certificates vouching for the identities of servers under non-existent TLDs and for names that are not legal DNS names (such as phrases containing spaces). Attached to this post, below, is a file containing a list of all the distinct TLDs in all the CA-validated names that the EFF SSL Observatory has observed.
The vast majority of TLDs in the list are invalid and have no meaning on the internet. Browsing it, you’ll see lots of names that are not internet TLDs, like .public, .priv, .nyc, .84/exchange, and so on. My favorite invalid TLD in the list is .foo, a technical term meaning “whatever”.
It might happen that someday ICANN will create some of these TLDs. There is even talk that they might allow people to register (at a high cost) arbitrary TLDs like .milk or .cookies. In that case, these currently-invalid certificates will become valid because they will suddenly refer to usable internet names. For example, imagine if Microsoft were able to, in the future, register the .microsoft TLD so that they could have www.microsoft for their web site address. As the Observatory shows, an attacker can probably get a CA to sign that name today. Such an attacker would be able to hijack Microsoft’s web site on the very minute the new name goes live.
For the geeks among you, here is how I generated the list. (Note that the Observatory home page gives instructions on how to set up your own copy of the Observatory, and how to run it on an Amazon EC2 instance.)
First, select all the TLDs from the names table in MySQL:
mysql> select distinct substring_index(name, '.', -1) as tld
where name regexp '^.+\\..+$'
order by name
into outfile '/tmp/tld5';
Then, remove the numeric “TLDs” (really, the final octet of all those IP addresses that CAs signed). For good measure, sort the list and unique it:
You can spot-check strange names with a simple query:
mysql> select name from names where name like '%.zaventem';
| name |
| ciblex-exchange.ciblex.zaventem |
1 row in set (1.37 sec)
Are you an undergraduate or graduate student who is interested in protecting civil liberties online and fighting for a free and open Internet? Do you have strong writing and research skills? Do you love delving into the latest issues in technology, privacy, intellectual property, and transparency? Apply for EFF’s Summer Activism Internship!
The Activism Intern will work closely with EFF’s activism team to create new campaigns, action alerts, and issue pages, research new issues in digital civil liberties, and update existing web pages on EFF’s sprawling website.
EF is seeking candidates with the following qualifications:
Familiar with EFF’s core issues: privacy, transparency, intellectual property, and freedom of expression.
Available to work from June through August at EFF’s office in San Francisco, CA.
Have strong writing and research skills.
Comfortable updating blogs and social media. Experience maintaining a website preferred.
Candidates should email a cover letter and resume to firstname.lastname@example.org by April 22nd. Please include 2-4 links to online writing samples. Replies will be sent by May 9th. This internship is an unpaid position.
Internet certification authorities (CAs) are charged with the task of
vouching for the identities of secure web servers. When you browse to
https://www.wellsfargo.com/, your browser knows it’s the real wellsfargo.com
because VeriSign, a CA, says it is.
However, if CAs don’t validate the identities of the sites they vouch
for, the whole system breaks down. In this post, I’ll discuss one way in
which CAs frequently fail.
Using data in EFF's SSL Observatory, we have
been able to quantify the extent to which CAs engage in the insecure
practice of signing certificates for unqualified names. That they do so in
large numbers indicates that they do not even minimally validate the
certificates they sign. This significantly undermines CAs’ claim to be
trustworthy authorities for internet names. It also puts internet users at
increased risk of network attack.
Normally, a public CA like Verisign or Comodo should sign only public
names. On the internet, only fully-qualified
domain names are public and routable. For example, “www.eff.org.” is a
fully-qualified name. By contrast, the name “www” is unqualified or
not fully-qualified. This name is not globally unique, and may
refer to a different computer on my network than it does on your network.
(On some networks, it may not refer to any computer at all.)
As a convenience for users, the administrators of local networks will
often configure their networks to use unqualified names for internal
services. This is why, at many companies, you can simply type “mail” or
“wiki” or “intranet” into your browser, and get to your company’s internal
web resources. But these names have — or should have — no meaning on the
In the Observatory we have discovered many examples of CA-signed
certificates unqualified domain names. In fact, the most common unqualified
name is “localhost”, which always refers to your own computer! It
simply makes no sense for a public CA to sign a certificate for this private
name. Some CAs have signed many, many certificates for this name, which
indicates that they do not even keep track of which names they have signed.
Some other CAs do make sure to sign “localhost” only once. Cold comfort!
Although signing “localhost” is humorous, CAs create real risk when they
sign other unqualified names. What if an attacker were able to receive a
CA-signed certificate for names like “mail” or “webmail”? Such an attacker
would be able to perfectly forge the identity of your organization’s webmail
server in a “man-in-the-middle”
attack! Everything would look normal: your browser would use HTTPS, it
would show a the lock icon that indicates HTTPS is working properly, it
would show that a real CA validated the HTTPS certificate, and it would
raise no security warnings. And yet, you would be giving your password and
your email contents to the attacker.
To test the prevalence of the validated, unqualified names problem, I
queried the Observatory database for unqualified names similar to
“exchange”. (Microsoft Exchange is an extremely popular email server, and
servers that run it commonly have “exchange” or “exch” in their names.
Likely examples include “exchange.example.net” and “exch-01.example.com”.)
My results show that unqualified “exchange”-like names are the most popular
type of name, overall, that CAs are happy to sign.
Unqualified Name Pattern
Valid Certificates Observed
“exchange” with characters on either side, e.g. “exchange01” or
“exch” with characters on either side, e.g. “exch01” or “01srvexch”
It is far too easy for an attacker to perform a very convincing MITM
attack against private exchange servers. The bad behavior of CAs helps
Users should avoid using unqualified names to access internal resources.
Instead, create a bookmark to the URL with the fully-qualified name, e.g.
“https://mail.example.com/”. Users should also alert their network
administrators to the problem.
Browsers (and other TLS clients, like email readers and web service
applications) should stop treating certificates for unqualified names and
for IP addresses as valid.
Organizations relying on certificates for unqualified names should use
their own private CA for their private namespace. For example, all those
Exchange shops can use Microsoft's CA software.
Certifcate authorities should stop signing unqualified names, and should
revoke existing certificates for unqualified names. They should also stop
signing IP addresses — especially private, non-routable addresses — and
should revoke existing IP address certificates, too.
The Federal Circuit Court of Appeals in Washington, D.C. heard oral argument yesterday in the closely watched “breast cancer gene” patent case. At issue are two patents covering naturally occurring human genes that, when present, signal an increased likelihood of developing breast cancer. The ACLU and the Public Patent Foundation filed the lawsuit in May 2009, representing 150,000 geneticists, pathologists, and laboratory professionals; in March 2010, the district court found in the plaintiffs’ favor and invalidated the patents.
Because Myriad owned the patents, testing on these two genes could only take place in Myriad’s own labs – meaning that others could not develop tests on those genes, depriving women from alternative (and cheaper) tests. This is the result of a troubling trend of patenting genes, despite long-standing Supreme Court precedent that, in order to be eligible for a patent, an invention must have a "new or distinctive form, quality or property" and may not be a product of nature. The district court agreed with plaintiffs that isolated breast cancer genes – genes that naturally exist in some women – did not meet this standard and invalidated the two patents.
Defendants appealed that ruling and the Federal Circuit heard argument yesterday. It is unclear which way the Court will go (it’s also possible that the Federal Circuit could decide that plaintiffs lacked standing to even bring the suit), but there were some encouraging moments during oral argument. For example, Judge Kimberly A. Moore asked Myriad’s attorney:
Why isn't the ingenuity the process, as opposed to the resultant DNA which is in your body? Why isn't the ingenuity the process of extracting it, the process of figuring out what it's useful for? Why is the ingenuity the thing? I mean, God made it, man didn't make it.
The U.S. government weighed in on behalf of plaintiffs, pointing out that recognizing patents covering genes like the breast cancer gene could lead to efforts to patent other naturally occurring materials, such as lithium and uranium.
EFF will continue to follow this case closely. Like the patents EFF has challenged, the breast cancer gene patents are symptoms of a broken patent system that too often stifles innovation rather than fostering it. What is worse, these patents limit access to potentially life-saving testing and treatment. We hope the Federal Circuit does its part to put the system back on track by affirming the district court's decision...
In written comments, EFF urged the Council of Europe to revise its recommendation and guidelines to ensure that they promote transparency on search records requests, protect privacy vis-à-vis the government, and preserve freedom of expression rights, including readers’ rights to read information online. EFF also commented favorably on language that acknowledges that search engines play a central role as intermediaries by enabling the public to seek, impart and receive information and ideas worldwide.
Because search engines play a central role as intermediaries, search engine records contain sensitive information about a person's intellectual, political, cultural, religious, psychological, and physical (health) beliefs, conditions and actions that can be of interest to state actors and civil litigants. These search records pose the most obvious privacy threat, since they represent some of the most sensitive data about individuals. Other potential threats to personal data come in the form of subpoenas, unauthorized access, civil litigants’ requests, computer hackers, and compelled disclosure of search records to law enforcement and national security investigators.
EFF has asked the Council of Europe to:
• Recommend Member States adopt strong legal safeguards and due process before disclosure of individuals’ search records to governmental entities. Government should allow search engines to notify the person whose search record is sought.
• Ensure that search engines adopt reasonable efforts to notify the person whose search records are sought, unless search engines are prohibited from doing so by law or court order. If possible, agree to a timetable for disclosure to the party requesting data in order to provide a reasonable opportunity for the individual to file an objection with a court before disclosure.
• Ensure that transparency about the disclosure of citizens' search records pursuant to a governmental request applies to search engines. For instance, the guidelines should encourage search engines to publicly disclose an accounting of the nature and frequency of governmental requests for access to search records.
• Encourage search engine providers to offer users the option of searching anonymously on the Internet, and that search engines should enable site-wide SSL to protect users’ information and communications from eavesdropping.
In order to ensure individuals' freedom of expression rights -- especially readers' rights to read information available on the web -- EFF has asked Council of Europe to strengthen the guidelines to say:
• A search engine is not required to conduct any kind of ex ante filtering or blocking and will not be penalized for failure to do so.
• A search engine will not be held liable for failure to remove content upon an extra-judicial request, and that Member States establish processes in their national laws for timely, preliminary judicial review of challenged content.
• A search engine is permitted to clearly disclose to individuals whenever search results have been limited or affected by an action of law and/or by a self-regulatory action of the search engine, and to disclose an accounting of the nature and frequency of governmental orders for content removal, blocking, or filtering.
• A search engine does not need to conduct any kind of filtering or blocking that would constitute monitoring of its service, or affirmatively seek facts indicating illegal activity. Moreover, investigation and monitoring is likely to lead search engines to over-block in order to avoid any possibility of litigation, which means lawful content will inevitably be taken down.
• Self-regulation mechanisms should not include a requirement for a search engine to monitor and police their customers. Self-regulatory guidelines should not curtail individuals’ freedom of expression rights, as well as readers’ rights to access information free from surveillance.
We look forward to hearing back from the Council of Europe after the current meeting in Strasbourg, and hope to see these values upheld.
In yesterday's Senate Judiciary Hearing, "Oversight of the Federal Bureau of Investigation," FBI Director Robert Mueller testified about the Bureau's desire to extend three expiring provisions of the USA PATRIOT Act -- PATRIOT Section 215, authorizing secret court orders for the Internet and financial records of innocent Americans; the "lone wolf" wiretapping provision, which unconstitutionally allows foreign intelligence investigators to bypass traditional wiretapping protections and spy on people inside the U.S. who have no link to any foreign organization; and the "John Doe" roving wiretap provision, which allows blank-check wiretapping orders that don't identify the suspect or the particular phone or Internet connections to be tapped.
During the question and answer portion of Mueller's testimony, Senator Grassley asked the FBI Director: have "any of these three provisions been subject to any negative reports of finding abuse?" Mueller responded, "I'm not aware of any." Well, Director Mueller -- EFF is aware of some.
As part of EFF's FLAG Project, we issued a FOIA request for records of intelligence violations stemming from the FBI's use of the expiring provisions of the PATRIOT Act. In the FBI's response to our request, we uncovered evidence of multiple reports of potential violations (pdf); however, in typical FBI fashion, the reports are almost entirely redacted. As a result, the details of most of the violations remain secret. Nevertheless, by comparing the FBI's response to our PATRIOT Act request with the Bureau's response to another EFF FOIA request, the murky details of at least one potential violation involving PATRIOT provisions became more clear: the FBI, in a case where use of a "John Doe" roving wiretap was authorized, monitored the conversations of "young children" for "approximately" five days.
In documents obtained through EFF's PATRIOT Act request, an email with the subject "IOB database -- Roving Authority" references "Potential IOB Matter 2005-160," yet all details of the report were redacted.
FBI Email suggests that IOB 2005-160 occurred under the roving wiretap authority
By cross-checking the referenced IOB matter-number with documents from our request for the FBI's Intelligence Oversight Board reports, we were able to locate the full report of the FBI's improper conduct. The report describes the FBI's monitoring of young children for five days, despite the fact that none of the voices being monitored matched the voice or language of the target.
IOB Report 2005-160 describes FBI misconduct in case utilizing "John Doe" roving wiretap
The report concludes that the violation occurred as a result of the FBI's faulty drafting and inadequate review of the wiretap renewal application. The entire IOB report is available here (pdf).
In order to shed light on these violations before Congress rubber-stamps another extension of the expiring PATRIOT Act provisions, EFF has contacted Senators Grassley and Leahy (pdf) and provided the Senators with the redacted versions of these reports. While the FBI may not feel compelled to be forthcoming with EFF and the American public, hopefully the Bureau will feel differently about withholding information from elected officials.
And, while EFF is doing our part, we need your help, too. As Congress debates PATRIOT renewal, politicians need to hear from you. Please take a stand for civil liberties by:
When the FBI is monitoring children's phone calls, it's definitely time to rein in the PATRIOT Act.
UPDATE: As security researcher Chris Soghoian reminds us, former Senator Feingold believed that the expiring Section 215 of the PATRIOT Act had also been subject to abuse, based on information he received in classified briefings. At a hearing in 2009, Senator Feingold stated: "I recall during the debate in 2005 that proponents of Section 215 argued that these authorities had never been misused. They cannot make that statement now. They have been misused. I cannot elaborate here. But I recommend that my colleagues seek more information in a classified setting." (at 105).
SECOND UPDATE: Along with Senator Feingold's statements and the FBI's internal reports of possible PATRIOT violations disclosed by EFF, the Department of Justice, Office of Inspector General's 2007 report on the FBI's use of Section 215 Orders found at least two instances of improper use (pgs 41 - 46 of the document). While the details of the potential violations described by Senator Feingold and EFF remain unclear, the OIG report constitutes clear evidence that expiring provisions of the PATRIOT Act have been improperly used.
The numbers confirm the anecdotal evidence: Immigrations and Customs Enforcement (ICE), a division of the Department of Homeland Security (DHS), is stepping up intellectual propertyrelated enforcement, launching almost half as many cases in the past two months as it had in total in 2010. That’s according to ICE's own statistics, summarized in a larger presentation recently delivered by DHS Assistant Deputy Director Erik Barnett to the U.S. Chamber of Commerce's Coalition Against Counterfeiting and Piracy (CACP). That's the Chamber of Commerce of HBGary notoriety, a private trade association that lobbies hard for IP enforcement.
The presentation discusses "Operation in Our Sites," ICE’s no-longer-new domain name seizure strategy for "Taking Aim to Stop the Sale of Counterfeit and Pirated Items." We’ve written about this program before and its questionable tactics for trying to counter online infringement. What's more, DHS seems to have read our posts! We refer you to slide 23 of the presentation.
Given that ICE's "primary mission is to protect national security, public safety and the integrity of our borders through the criminal and civil enforcement of federal law governing border control, customs, trade and immigration," we continue to be surprised by its focus on IP issues that don't have a nexus with public health and safety. Moreover, it's hard to believe that going after those kinds of targets is the best use of ICE's limited resources. Citing EFF, the presentation asks: "What investigations didn't occur while the DHS spent its time and energy pursuing the agenda of large media companies?" Good question.