Senator Patrick Leahy yesterday introduced the "Combating Online Infringement and Counterfeits Act" (COICA). This flawed bill would allow the Attorney General and the Department of Justice to break the Internet one domain at a time — by requiring domain registrars/registries, ISPs, DNS providers, and others to block Internet users from reaching certain websites. The bill would also create two Internet blacklists. The first is a list of all the websites hit with a censorship court order from the Attorney General. The second, more worrying, blacklist is a list of domain names that the Department of Justice determines — without judicial review — are "dedicated to infringing activities." The bill only requires blocking for domains in the first list, but strongly suggests that domains on the second list should be blocked as well by providing legal immunity for Internet intermediaries and DNS operators who decide to block domains on the second blacklist as well. (It's easy to predict that there will be tremendous pressure for Internet intermediaries of all stripes to block these "deemed infringing" sites on the second blacklist.)
COICA is a fairly short bill, but it could have a longstanding and dangerous impact on freedom of speech, current Internet architecture, copyright doctrine, foreign policy, and beyond. In 2010, if there's anything we've learned about efforts to re-write copyright law to target "piracy" online, it's that they are likely to have unintended consequences.
This is a censorship bill that runs roughshod over freedom of speech on the Internet. Free speech is vitally important to democracy, which is why the government is restricted from suppressing speech except in very specific, narrowly-tailored situations. But this bill is the polar opposite of narrow — not only in the broad way that it tries to define a site "dedicated to infringing activities," but also in the solution that it tries to impose — a block on a whole domain, and not just the infringing part of the site.
We note that the DMCA already gives copyright owners legal tools to remove infringing material piece-by-piece, and to obtain injunctions requiring ISPs to block certain offshore infringing websites. The misuse of the existing DMCA provisions has had a tremendously damaging impact on fair use and free expression. By comparison, COICA streamlines and vastly expands this; it would allow the AG to shoot down a whole domain including all the blog posts, images, backups, and files underneath it. In other words, it's not just possible but probable that a great deal of legitimate, protected speech will be taken down in the name of copyright enforcement.
It is designed to undermine basic Internet infrastructure. When a user enters "eff.org" into their web browser, what responds is a domain name system server that tells the user's browser where EFF's website is located on the Internet. This bill would have the Attorney General prevent the players in that domain name system (possibly including your ISP) from telling you the truth about a website's location.
And it's not clear what a user would see in this situation — would it look like a "404 message," that simply says a site or page could not be found, without explaining why? Would users receive some kind of notice clarifying that the site they were seeking was made inaccessible at the behest of the government? Generally speaking, the bill forces all the Internet "middlemen" to act as if a part of the Internet doesn't exist, even though that page may otherwise be completely available and accessible.
COICA sends the world the message that the United States approves of unilateral Internet censorship. Which governments deny their citizens access to parts of the Internet? For now, it is mostly totalitarian, profoundly anti-democratic regimes that keep their citizens from seeing the whole Internet. With this bill, the United States risks telling countries throughout the world, "Unilateral censorship of websites that the government doesn't like is okay — and this is how you do it."
The bill's imbalances threaten to complicate existing laws and policies. The bill includes poorly drafted definitions that threaten fair use online, endanger innovative backup services, and raise questions about how these new obligations on Internet intermediaries are intended to fit with existing US secondary liability rules and the DMCA copyright safe harbor regime. Moreover, it seems easy to get on the blacklist — the bill sets up a seemingly streamlined procedure for adding domains (including a McCarthy-like procedure of public snitching) — but in contrast, it seems difficult to get off the list, with a cumbersome process to have a blacklisted domain removed.
And what do we get in exchange? Not much, if the goal is to actually limit unauthorized copying online. The bill gives the government power to play an endless game of whack-a-mole, blocking one domain after another, but even a relatively unsophisticated technologist can begin to imagine the workarounds: a return to encrypted peer-to-peer, modified /etc/hosts files (that don't rely on the domain name system for finding things on the Internet), and other tools, which will emerge and ensure that committed pirates have a way to route around the bill's damage to the DNS system.
To us, COICA looks like another misguided gift to a shortsighted industry whose first instinct with respect to the Internet is to try to break it. There are still many questions to be answered, but one thing is for sure — this bill allows the government to suppress truthful speech and could block access to a wealth of non-infringing speech, and the end result will do little to protect artists or mollify the industries that profit from them. Stay tuned for more analysis, information, and steps you can take to fight Internet censorship.
Writing software to protect political activists against censorship and surveillance is a tricky business. If those activists are living under the kind of authoritarian regimes where a loss of privacy may lead to the loss of life or liberty, we need to tread especially cautiously.
A great deal of post-mortem analysis is occurring at the moment after the collapse of the Haystack project. Haystack was a censorship-circumvention project that began as a real-time response to Iranian election protests last year. The code received significant levels of media coverage, but never reached the levels of technical maturity and security that are necessary to protect the lives of activists in countries like Iran (or many other places, for that matter).
This post isn't going to get into the debate about the social processes that gave Haystack the kind of attention and deployment that it received, before it had been properly reviewed and tested. Instead, we want to emphasize something else: it remains possible to write software that makes activists living under authoritarian regimes safer. But the developers, funders, and distributors of that software need to remember that it isn't easy, and need to go about it the right way.
Here are a few essential points:
Secure communications tools need a clearly defined model of the privacy threats they defend against, and the way the design addresses those threats needs to be clearly and rigorously specified.
Careful thought needs to be put into user interface design, so that the end users of the system (who may not speak English, nor be sophisticated computer users) have some hope of understanding what threats the software is and isn't defending against. This is hard to do right, but it's very important: in some cases, if a dissident is a major target for a sophisticated government, they probably shouldn't be using networked computers at all.
Writing secure software is much harder than just writing software; it requires a different mindset and a whole extra set of skills and experience. Unless a project includes experienced, competent security engineers, it is almost certain to include bugs that threaten users' privacy (actually, all complex codebases include security bugs, but good security teams will be able to make them rarer and do a better job of mitigating the damage).
Tools need to be thoroughly tested by the computer security community before they are distributed to activists whose lives and liberty are at stake. Fortunately, plenty of well-tested tools are available to provide privacy and circumvention of censorship, including Tor, ssh, VPNs, or Gmail over HTTPS. All of these tools have their own limitations, and need to be used for the correct purposes, but they are the best choices for activists in at least some situations.
Until you're familiar with the extensive research literature on privacy-preserving communications systems, it's probably best to get involved with (or fund) one of the many existing projects that are trying to defeat Internet censorship, before starting your own. The Tor Project is the largest and most organized of these, and is a good place for developers and funders to find work that needs to be done. There are numerous academic groups doing high-quality research, and some of them also build invaluable privacy tools. There are also some small projects that still need a lot of extra work and security auditing, but which may one day provide extremely important tools for dissidents; the "T(A)ILS" project is one good example.
"You will not solicit login information or access an account belonging to someone else."
"You will not . . . let anyone else access your account, or do anything else that might jeopardize the security of your account."
After months of dragnet litigation and intimidation, some of the thousands of “John Doe” Defendants targeted in mass copyright lawsuits filed in the District of Columbia are fighting back in earnest.
The lawsuits are the brainchild of a Washington, D.C., law firm calling itself the "U.S. Copyright Group" (USCG). USCG investigators have identified IP addresses they allege are associated with the unauthorized uploading and downloading of independent films, including "Far Cry" and "The Hurt Locker." Using those addresses, USCG has filed several "John Doe" lawsuits in D.C., implicating well over 14,000 individuals, and has issued subpoenas to ISPs seeking the identities of the subscribers associated with those IP addresses.
Last week, a group of over 40 Doe Defendants targeted in two of the cases filed an omnibus motion to quash a subpoena seeking their identities and to dismiss the cases against them. The Defendants are represented by Carey Lening, Christina DiEdoardo, Tuna Mecit and Bradford Patrick. Echoing arguments EFF raised in an earlier amicus brief, the Defendants explain that USCG has improperly joined together thousands of defendants and has sued those defendants in the wrong court. In addition, Defendants argue that USCG’s gamesmanship violates the normal procedures for large-scale litigation against people located across the country (the Multi-District Litigation rules), resulting in additional costs and burden to the Defendants. Numerous other Does have moved to quash and/or dismiss as individuals as well.
In addition, the judge in one of the cases has issued orders requiring USCG to justify suing two of the Does in the District of Columbia, as the Defendants claim to have no contacts with the District.
EFF believes USCG's litigation tactics violate basic due process rights, and we’ve been working hard both to call the court’s attention to those violations and help the Does get access to the resources they need to defend their rights. Kudos to the attorneys who have signed on to defend these Does, and to the Defendants themselves for demanding that USCG play by the rules.
Yesterday, the Ninth Circuit issued an unfortunate revised opinion in United States v. Comprehensive Drug Testing Inc., a case featuring blatantly unconstitutional government action. As the court put it:
“This case is about a federal investigation into steroid use by professional baseball players. More generally, however, it’s about the procedures and safeguards that federal courts must observe in issuing and administering search warrants and subpoenas for electronically stored information.”
One shocking example: the government seized and reviewed the drug testing records for hundreds of players in Major League Baseball—and many other people—even though the judicially authorized warrant was limited to the records of the ten players for whom the government had probable cause.
The Ninth Circuit had in its earlier en banc decision [579 F.3d 989 (9th Cir. 2009)] set forth guidelines meant to ensure that even otherwise lawful warrants authorizing the search and seizure of computers do not give officers too much access to private data that might be intermingled with evidence of a crime: (1) the government must waive the “plain view” rule, meaning it must agree to only use evidence of the crime or crimes that led to obtaining the warrant, and not to use evidence of other crimes; (2) the government must wall off the forensic experts who search the hard drive from the agents investigating the case; (3) the government must explain the "actual risks of destruction of information" they would face if they weren't allowed to seize entire computers; (4) the government must use a search protocol to designate what information they can give to the investigating agents; and (5) the government must destroy or return non-responsive data.
The government, however, challenged these guidelines by seeking “super” en banc rehearing by the full Ninth Circuit (in the Ninth Circuit, ordinary en banc review is done by a panel of 11 judges).
Sadly, while yesterday’s decision reached the same, correct result in this case and denied super en banc rehearing, the revised majority opinion now omits the privacy-protective guidelines. Instead, those guidelines are now part of a 5-judge concurrence and are not binding on magistrate judges issuing warrants.
We're disappointed. True, the Ninth Circuit recognized that government agents have “a powerful incentive . . . to seize more rather than less” (the opinion archly characterizes the government’s view as “Let’s take everything back to the lab, have a good look around and see what we might stumble upon.”). And eliminating the guidelines might avoid Supreme Court review.
Still, if the Ninth Circuit wanted “to avoid turning a limited search for particular information into a general search of office file systems and computer databases,” it would have been far better off with its original, binding rules.
When it comes to copyright enforcement and the government, EFF frequently warns that giving government agents a reason to censor, search, seize, and indict must be taken very seriously. Without safeguards and a thorough accounting of the consequences, laws and policies targeting so-called "pirates" can be used to pry away human rights and undermine fundamental elements of democracy and freedom.
We saw damning evidence of this unfold this past weekend. On Saturday, the New York Times broke news of Russian law enforcement officers raiding an environmental group's offices and confiscating computers. What excuse did the police officers give for raiding the environmental group? Because Russian security services were investigating claims (unfounded, as it turned out) that the group had unauthorized copies of Microsoft software.
The New York Times article goes on to explain that the raid on the environmental group is only a recent example of a growing pattern: "Across Russia, the security services have carried out dozens of similar raids against outspoken advocacy groups or opposition newspapers in recent years." For those familiar with the hard line copyright maximalist position — which holds that all copyright infringement should be swiftly prosecuted with harsh penalties regardless of the context — it was sadly unsurprising. (This risk is one reason that NGOs around the world choose free and open source tools that avoid the risk of copyright claims altogether.)
Fortunately, at this juncture, Microsoft has recognized this as an important human rights issue, and has responded responsibly and innovatively. The company plans to offer protection to advocacy groups and others who might be targeted for political reasons by issuing a blanket software license to advocacy groups and opposition newspapers in Russia and at least some other places in the world. The software license — which would allegedly be made easily and widely available — should help groups insulate themselves from political attacks and human rights violations clothed as accusations that Microsoft software has been stolen. (Whether or not law enforcement officials will respond to such a license when they're about to bust down the door of an advocacy group's office is another question entirely.) Microsoft has not said in which other countries it would offer this blanket license. We urge Microsoft to extend this offer worldwide.
But this issue isn't limited to Microsoft or to software. A sprawling, powerful group-of-groups in the content industry, including movie and music industry lobbyists, software companies, and others, is constantly demanding that governments worldwide be given new powers to search for and seize allegedly pirated materials, and that those governments should act on those powers forcefully. In the name of copyright enforcement, the lobby shortsightedly demands provisions that put human rights at risk throughout the world: the power for governments to censor parts of the Internet with so-called copyright filtering, power for governments' border agents to search travelers' goods for "infringing" items, power for governments to detain alleged infringers pre-trial.
If the copyright lobby gets their way with the Anti-Counterfeiting Trade Agreement (ACTA) or if governments continue to act on the claim that "piracy" demands sweeping changes to Internet privacy and freedom, then we can generalize the New York Times headline — "Russia Uses Microsoft to Suppress Dissent" — into something we'll surely see more often: "Regime Uses Copyright Violations to Curtail Freedoms."
This episode should remind legislators and policymakers worldwide of the real risk that powers enacted in the name of copyright enforcement can be used to do real harm. Ensuring balance in copyright law is not just good copyright policy — it's necessary to protect human rights and fundamental freedoms worldwide.
UPDATE: On September 23, 2010, Microsoft published details about their software license for non-governmental organizations (NGOs) and media organizations.
The 9th Circuit Court of Appeals, ruling en banc in a case called Mohamed v. Jeppesen Dataplan, yesterday adopted the Bush and Obama Administration's joint Executive Branch power grab in the form of the state secrets privilege. The Court, in a 6-5 en banc ruling, dismissed a case brought by victims of horrendous torture and forced disappearance against a Boeing subsidiary whose employee admitted that they knew they were handling the "torture flights." In refusing to hear the case, even the portions that could be based solely on already public evidence, the Court shunned its role as a co-equal branch of government protecting the rights of individuals against overreaching government. It also demonstrated just how badly we need Congress to step in and reform the state secrets privilege.
EFF had filed an amicus brief in the case, warning about this outcome: "Adopting the government's position would abdicate the Judiciary's Article III responsibility to adjudicate the constitutional and statutory limits on Executive authority."
Unfortunately, abdicating its responsibility is just what the Court did. It ordered summary dismissal of the complaint without allowing any discovery, or presentation of the public evidence or even a plan by the plaintiffs to litigate the case while respecting the necessary secrecy, something that has been regularly done in cases involving national security. And in doing so it created a dangerous risk that the Courts will allow the Executive broad unfettered powers to "turn the Constitution on and off at will," exactly what the Supreme Court refused to do in Boumediene v. Bush. In that case, the Supreme Court directly addressed and rejected the government's main argument in Mohamed, that the case involved a "painful conflict between human rights and national security." The Supreme Court said:
Security subsists, too, in fidelity to freedom's first principles. Chief among these are freedom from arbitrary and unlawful restraint and the personal liberty that is secured by adherence to the separation of powers.
So what does this mean for Jewel v. NSA, EFF's case against the government for mass warrantless wiretapping of ordinary Americans which has also faced broad state secrets claims from the government?
Likely nothing. The Ninth Circuit expressly noted that its analysis would be different where, as with FISA, Congress has passed a specific law on the subject.
In its almost apologetic Jeppesen Dataplan ruling, the 9th Circuit also emphasized that "it should be a rare case where the state secrets doctrine leads to a dismissal at the outset of the case." We strongly agree. And while we think the Court got it wrong in Jeppesen Dataplan, where the victims were foreigners who were injured largely on foreign soil by foreign agents, it would be an even worse tragedy if the Court abdicated its role to protect individual rights and privacy when the victims are millions of American citizens on American soil who have no connection to terrorism and who simply want basic privacy in their use of the phone and the internet.
The Censorship Research Center announced on its blog today that it has halted testing of the Haystack anti-censorship software in Iran pending a security review by a third party. Based on this announcement, we recommend that users stop using all versions of the Haystack software immediately.