At EFF, we like to give credit where it is due. Over the past few years, we’ve repeatedly called out the Burning Man Organization (BMO) for using online ticket terms to require participants to assign to BMO, in advance, the copyrights to any pictures they took on the playa. The assignment was designed to allow BMO to send takedown notices under the Digital Millennium Copyright Act (DMCA) if it discovers photos online that it finds objectionable. We also criticized how the terms limited participants’ ability to donate their works to the public domain or to license their works through Creative Commons, and restricted ticket holders' ability to make fair uses of BMO trademarks, such as the (trademarked) term "Burning Man," on any website.
Our comments sparked a small uproar in the Burning Man community, which eventually led to a series of conversations (some of which involved EFF) about Burning Man image use policies. Those conversations have at last borne fruit: Tickets for the 2011 event just went on sale, accompanied by new terms that were intended, in part, to acknowledge the concerns we had expressed. We’re happy to report that BMO has made some real progress. However, we have to admit that we're disappointed some very onerous terms remain.
The new terms make some important improvements. For example, they specifically authorize participants to share their works under a Creative Commons Attribution-NonCommercial-ShareAlike license (by-nc-sa). They also state that participants are free to make fair uses of Burning Man trademarks. And they clarify what it means to make “personal use” of one’s images.
We are less sanguine about BMO’s new approach to DMCA takedowns. Rather than requiring users to assign their copyright in their pictures to BMO in advance, the terms now appoint BMO a joint owner in the photos. While cosmetically more palatable than simply taking exclusive ownership, this new legal maneuver does nothing to tackle the real problem: BMO can still send out DMCA takedown notices at will, which means it can censor a work without bothering to even consult the author.
In addition, BMO still reserves the right to demand that participants take down their images “for any reason whatsoever in Burning Man's sole discretion.” Thus, while the contract includes a detailed statement discussing the principles behind BMO's image use policy (e.g., battling the commercialization of the event), the organization refuses to commit that it will only demand that images be taken offline when those principles are violated (e.g., purely commercial uses). And while it has now offered to notify participants if it decides to sue on their behalf, BMO will only extend that basic courtesy if (1) it just happens to have the person’s contact information; and (2) it actually files a lawsuit (meaning, no notice if BMO is just exercising its DMCA censorship powers).
All told, Burning Man deserves credit for revisiting its policies and taking significant steps toward bringing those policies in line with its commitment to promote a “society that connects each individual to his or her creative powers.” But it’s too bad the organization was unable to give up its takedown powers. As we noted last year, a benevolent censor is still a censor—and BMO may not always be so benevolent. And we continue to fear that other event organizers will follow suit, and that assignment and abrogation of rights will become standard terms in all online contracts. This is not a place where BMO should be exercising leadership.
This month, we were reminded how important it is that social media companies do what they can to protect the sensitive data they hold from the prying eyes of the government. As many news outlets have reported, the US Department of Justice recently obtained a court order for records from Twitter on several of its users related to the WikiLeaks disclosures. Instead of just turning over this information, Twitter “beta-tested a spine” and notified its users of the court order, thus giving them the opportunity to challenge it in court.
We have been investigating how the government seeks information from social networking sites such as Twitter and how the sites respond to these requests in our ongoing social networking Freedom of Information Act (FOIA) request, filed with the help of UC Berkeley’s Samuelson Law, Technology & Public Policy Clinic. As part of our request to the Department of Justice and other federal agencies, we asked for copies of the guides the sites themselves send out to law enforcement explaining how agents can obtain information about a site’s users and what kinds of information are available. The information we got back enabled us to make an unprecedented comparison of these critical documents, as most of the information was not available publicly before now.
We received copies of guides from 13 companies, including Facebook, MySpace, AOL, eBay, Ning, Tagged, Craigslist and others, and for some of the companies we received several versions of the guide. We have combed through the data in these guides and, with the Samuelson Clinic’s help, organized it into a comprehensive spreadsheet (in .xls and .pdf) that compares how the companies handle requests for user information such as contact information, photos, IP logs, friend networks, buying history, and private messages. And although we didn’t receive a copy of Twitter’s law enforcement guide, Twitter publishes some relevant information on its site, so we have included that in our spreadsheet for comparison.
The guides we received, which were dated between 2005 and 2010, show that social networking sites have struggled to develop consistent, straightforward policies to govern how and when they will provide private user information to law enforcement agencies. The guides also show how those policies (and how the companies present their policies to law enforcement) have evolved over time.
For example, the 2008 version of Facebook’s guide explains in detail the different types of information it collects on its users, but it does not address the legal requirements necessary to obtain this data. In contrast, the 2009 version groups this information into three categories (basic subscriber information, limited content, and remaining content) and describes, under the Electronic Communications Privacy Act (ECPA), the different legal processes required to obtain the various data. However, the 2010 version merely says that the company “will provide records as required by law.” Facebook doesn’t explain why it changed its language from year to year. While the 2010 guide’s language may allow the company to be flexible in responding to requests under a complicated and outdated statute, it does so through a loss of transparency into how it handles these requests.
MySpace’s guides also show an evolution. The September 2005 and March 2006 versions of MySpace’s guides distinguish between public and private user information, requiring only a subpoena for IP logs, contact information, and private messages. The June 2006 and November 2007 versions establish several different categories of user information that require different legal processes, ranging from a subpoena for a user’s name to a search warrant for access to a user’s private messages.
Also, in early versions of its guide, MySpace outlines that it will preserve data requested by law enforcement agents for 90 days. Law enforcement agents can then request a 90-day extension for a total preservation period of 180 days. This changed in the November 2007 guide, where MySpace said that it would “preserve the specific information identified in the request for up to 180 days and will extend the preservation as necessary at your request.” The November 2007 guide also describes MySpace’s Sentinel SAFE project, a previously unmentioned campaign designed to identify and remove registered sex offenders from the social network. Once MySpace matches a profile to a registered sex offender, it removes the user from the site and preserves the complete profile. Law enforcement officers who provide the appropriate legal process can then access the profile. The November 2007 guide goes even further in helping law enforcement—it details how agents can find MySpace information on a user’s computer, such as through IM client logs, cookie data, cached MySpace pages, and stored login information. The guide doesn’t say what prompted these substantial changes, but it is likely linked to the controversy surrounding alleged sexual predators on MySpace and the agreement MySpace made with several state attorneys general to do more to protect children.
There were also more subtle differences between the guides. While the guides are written to educate law enforcement about the type of user information the companies maintain and the legal process required to get it, some, such as MySpace and Yahoo!, provide law enforcement with sample language for data request letters, subpoenas, and search warrants. The requesting law enforcement agency can then use the template created by the companies.
Also, while ECPA allows companies to charge law enforcement for the time it takes to get the requested user information, only Yahoo!’s guide actually discusses this issue. The Yahoo! guide includes a fee schedule to approximate how much law enforcement will have to pay to obtain various types of user data from the company. For example, Yahoo! charges approximately $20 for basic subscriber records or “groups with a single moderator” and approximately $30-40 per user for the contents of subscriber accounts, including email. Also, where law enforcement requests deleted content, Yahoo! states it will “seek reimbursement for any engineer time incurred in connection with the request.”
Another difference between the guides shows up in how the companies deal with emergency requests from law enforcement. Under ECPA, the sites are allowed to disclose information without legal process when the companies believe there is a threat of death or serious physical injury. Most companies merely note that ECPA permits them to disclose this information in certain defined situations. However, some companies seem to go above and beyond the ECPA requirements. For example, MSN states that it “will respond” to these requests “outside normal business hours,” and eBay and MySpace have set up a special hotline or “First Responder” service that can (in eBay’s case) “return calls within 24 hours and process complaints quickly.” In all the guides we received, Yahoo!’s was the only one to remind law enforcement that Yahoo! “is not required” to disclose this information. Yahoo! also requires law enforcement officers to explain why normal disclosure would be insufficient and why the information Yahoo! has will help avert the threat.
Facebook was the only company to make clear that its strict policies against fake accounts apply to law enforcement as well. In its 2008 and 2009 guides it notes that it will disable all accounts that provide false or misleading information, including police accounts, and in its 2010 guide it notes that it will “always disable accounts that supply false or misleading profile information or attempt to technically or socially circumvent site privacy measures.”
Of the guides we received, only Craigslist provides law enforcement disclosure information on its website (Twitter does too, but we didn’t get a copy of its guide in response to our FOIA request). This is unfortunate. Social media sites’ users should be able to see how the companies that hold their data respond to government requests for it. And, as we know, this affects a large number of real people. Twitter states that it has 175 million users. MySpace has over 100 million, and Facebook states it has 500 million. Without access to this information, it is impossible to evaluate how well these companies protect their users’ data.
For more information on how social media companies treat their users' data, see our spreadsheet, available in .xls and .pdf, or the individual guides here.
For years, EFF has been warning that the anti-circumvention provisions of the Digital Millennium Copyright Act can be used to chill speech, particularly security research, because legitimate researchers will be afraid to publish their results lest they be accused of circumventing a technological protection measure. We've also been concerned that the Computer Fraud and Abuse Act could be abused to try to make alleged contract violations into crimes.
We've never been sorrier to be right. These two things are precisely what's happening in Sony v. Hotz. If you have missed this one, Sony has sued several security researchers for publishing information about security holes in Sony’s PlayStation 3. At first glance, it's hard to see why Sony is bothering — after all, the research was presented three weeks ago at the Chaos Communication Congress and promptly circulated around the world. The security flaws discovered by the researchers allow users to run Linux on their machines again — something Sony used to support but recently started trying to prevent. Paying lawyers to try to put the cat back in the bag is just throwing good money after bad. And even if they won — we'll save the legal analysis for another post — the defendants seem unlikely to be able to pay significant damages. So what's the point?
The real point, it appears, is to send a message to security researchers around the world: publish the details of our security flaws and we'll come after you with both barrels blazing. For example, Sony has asked the court to immediately impound all "circumvention devices" — which it defines to include not only the defendants' computers, but also all "instructions," i.e., their research and findings. Given that the research results Sony presumably cares about are available online, granting the order would mean that everyone except the researchers themselves would have access to their work.
Not content with the DMCA hammer, Sony is also bringing a slew of outrageous Computer Fraud and Abuse Act claims. The basic gist of Sony's argument is that the researchers accessed their own PlayStation 3 consoles in a way that violated the agreement that Sony imposes on users of its network (and supposedly enabled others to do the same). But the researchers don't seem to have used Sony's network in their research — they just used the consoles they bought with their own money. Simply put, Sony claims that it's illegal for users to access their own computers in a way that Sony doesn't like. Moreover, because the CFAA has criminal as well as civil penalties, Sony is actually saying that it's a crime for users to access their own computers in a way that Sony doesn't like.
That means Sony is sending another dangerous message: that it has rights in the computer it sells you even after you buy it, and therefore can decide whether your tinkering with that computer is legal or not. We disagree. Once you buy a computer, it's yours. It shouldn't be a crime for you to access your own computer, regardless of whether Sony or any other company likes what you're doing.
Last year, Ninth Circuit Chief Judge Alex Kozinski and Josh Goldfoot from the DoJ's Criminal Division directly confronted some of EFF's concerns about overreaching theories of secondary copyright infringement. Playing on EFF founder John Perry Barlow's seminal essay, Judge Kozinski and Mr. Goldfoot titled their work "A Declaration of the Dependence of Cyberspace," and in it, they argue that current secondary liability doctrines can and should be used aggressively to tackle online infringement.
Former EFF intern and accomplished photographer Paul Szynol has responded with an interesting essay, which will be published today in Next Digital Decade, Essays on the Future of the Internet. In his response, excerpted below, with which we generally agree (although we differ somewhat on the details), Paul cogently warns that today's vague secondary liability rules may smother innovation from inventors big and small.
The book launch for Next Digital Decade will be streamed live from 9:45am to 2:30pm Pacific (12:45 to 5:30pm Eastern).
Broadly stated, the rationale at the heart of the secondary liability doctrine is this: an entity that knowingly helps to facilitate the commission of an illegal act (such as copyright infringement, for example) should be penalized for its contribution to the illegal activity.1 If a technology company induces its customers to use its product for infringing purposes, for instance, both the users and the company should be liable for such infringement—the users for direct infringement and the company for contributory infringement, which is a species of secondary liability.
The doctrine is appealing as a practical solution to widespread infringement because it targets the entities that enable illegal behavior—e.g., the Napsters and Groksters of the world—and thus eradicates the distribution mechanism that enables infringement in the first place. Judge Kozinski and Mr Goldfoot (I'll generally refer to them as "the authors" from here on), like the movie and music industries, certainly believe that the doctrine of secondary liability should be readily used as a handy and effective tool for weeding out copyright infringement. According to the authors, people "who provide powerful tools that can be used for good or evil have some responsibility to make sure that those tools are used responsibly." Put more bluntly, however, if you outlaw the tool, you needn't chase after the users, so in practice it's less a question of ethics and more a question of convenience and efficiency.
One of the principal problems with this approach, however, is the fact that the boundaries of secondary liability are not precisely set, and, short of extreme cases, it is not at all clear under what circumstances a product manufacturer will be liable for secondary infringement. Such wholesale endorsement for secondary liability doctrines should therefore give us some pause. For example, at what point does a software company that develops a peer-to-peer application utilized by end users to exchange copyrighted materials begin to "contribute" to the infringement and become secondarily liable? Does the company contribute simply by writing software that is merely capable of infringing uses?2 Or does the company contribute only if the software's primary use is, by design, infringing? Or, further yet, does the company contribute only if a substantial portion of the end-users utilize the technology for infringing purposes? If so, how much of the user base must engage in infringing activity for it to be a substantial portion?3 Or, as yet another option, does the company "contribute" only if it promotes infringing uses of its software? And, if that's the case, how much promotion is too much promotion? For example, is the advertising slogan "Rip. Mix. Burn." too much of an inducement to make infringing copies of music?4
These are fundamental, starting-point questions about the secondary liability doctrine, and one would expect that case law or legislation provides a clear answer to each. Yet the law is ambiguous (and the authors are altogether silent) on these points. Outside of extreme cases, no one knows with certainty—including lawyers, judges, company officers, engineers and academics—when secondary liability might attach to a product that facilitates the transmission of copyrighted materials. The legal system's failure to provide clear guidelines is the equivalent of posting a sign on a freeway that says "obey the speed limit" without giving an actual speed.
The effect is potentially detrimental to the entire technology sector. A clear rule is a predictable rule, and a predictable rule is one on which innovators can rely when developing a product. Without clear guidance from the legal system, tech companies are forced to engage in a "fingers crossed" product design process, and, subsequently, face a market that can be an explosive landmine of infringement liability. The potential economic damage to a company found guilty of secondary liability can be substantial, to say the least. Since statutory damages for copyright infringement range from $750 to $150,000 per infringement, a maker of a multi-use technology may confront liabilities on a scale that can threaten the viability of even the wealthiest corporations. The risk is further exacerbated by the recent trend of unpredictable and often very bloated damage awards granted to copyright plaintiffs. Such risk can dissuade even the most resolute investors from marketing their invention—and it can literally bankrupt the braver among them. The loss of a robust distribution tool harms the content sector, too, since a powerful method for distributing content to end users will not be brought to market.
Judge Kozinski and Mr Goldfoot are not concerned with the chilling effect that the legal system's ambiguity can have on technology innovation. In fact, they reject the proposition, and confidently point to the pharmaceutical and auto industries as counter-examples: Both industries have to comply with legal regulation yet manufacturers in both industries nevertheless innovate.
It's not a very persuasive comparison. First, the auto industry is hardly a hotbed of innovation. We might really like power windows and power steering, but, as advancements over prior art, these innovations are an order of magnitude smaller than the innovation we've seen on the Internet. Second, the players in the auto and pharmaceutical industries are frequently different from the players in the technology sector. It is rare, after all, if not unheard of, that a single person invents valuable medicine—the medical R&D process takes place in the laboratories of some of the wealthiest companies under the sun. In addition, medical innovation is subject to review and approval by government regulatory agencies, so by the time a medicine reaches the market, it has already been approved by the government. Innovation in information technology, in contrast, is often the result of the proverbial garage inventor who releases the technology entirely on its own. Think of eBay, Napster, Apple, Google and Microsoft, each of which had a modest start in someone's home or garage at the hands of one or two people (and many subsequently acquired similarly independent garage innovations). The distinction between a multinational company and a garage inventor is critical. First, there is no government imprimatur for multi-use technologies. Second, in contrast to wealthy companies that can afford sophisticated legal teams, garage inventors typically lack the economic resources necessary to pay for a comprehensive legal review of product design prior to the product's release. That inability increases the likelihood that the garage inventor will—unwittingly—design its product in a way that leads to legal liability, or the likelihood that, after releasing the product and receiving angry threats of litigation, the garage inventor will have to backtrack and redesign the product in order to avoid liability. These are very expensive measures. 
If the inventor can afford them, the inventor will have spent money that it would have saved had the law simply been clearer in the first place; if the inventor cannot afford them, the outcome is even worse: the start-up will simply fold, thus wasting its investment costs, while consumers will miss out on the product altogether.
That outcome is bad enough, but it's the third reason for the comparison's inadequacy that should give all of us some pause: because the legal landscape around copyright secondary liability is so unclear, even if the would-be inventor did have the resources to hire outside counsel, lack of clarity in the law means that, unless the product clearly crosses a line, lawyers—no matter how high their hourly rates—won't be able to confidently provide the inventor with a legal imprimatur. In other words, no matter how much a company tries, lack of clear standards means that its lawyers might "get it wrong," and the company may face infringement liability if it releases the product, or incur the costs of post-release redesign, or both. That is a very expensive proposition, and its corollary is clear: faced with potential liability exposure and potential redesign costs, each of which could figure in the millions or even billions of dollars,5 some would-be inventors and investors will, as rational economic actors, forego the whole enterprise—not because they analyzed the risk and found it potentially too costly, but because the law's ambiguity meant they simply couldn't properly analyze the risk in the first place. Notably, the foregoing outcome will apply to garage inventors and big companies alike. The garage inventor whose coffers won't be able to withstand the potential cost will retreat to the sound of a distant death knell; the big company will retreat because it knows that its deep pockets make it an attractive target for a lawsuit and therefore may well decide that the potential litigation and licensing costs, even if not fatal, just aren't worth it. Again, consumers will miss out on a new product.
An ambiguous secondary liability doctrine also disadvantages American products in a global market: U.S. companies will have to worry about drowning in the unpredictable and poorly charted quicksand of secondary liability, while their international competitors will have clear legal rules in front to guide them. The domestic market suffers as well: By creating barriers to entry (high and unreliable due diligence costs as well as post-release redesign costs), the ambiguity favors entrenched entities over newcomers. Advocating secondary liability without removing the ambiguity also contradicts the authors' claim that the same set of laws should apply to offline and online worlds: The fuzzy secondary liability doctrine which they so strongly espouse in connection with technology wouldn't fly in the physical world. For example, should a car company be held liable for drivers who speed? After all, it would be easy enough to add a "speed limit compliance chip." Yet auto manufacturers are not forced to pay any portion of a speeding driver's ticket. Offline, in other words, bad actors—the users of technology—are punished for their own transgressions. Online, however, the law chases the manufacturers—and applies ad-hoc, ambiguous standards to their products. It would seem that the authors want Internet-specific laws after all.
None of this sounds like wise intellectual property policy. The legal system has a constitutional imperative to incentivize inventors, after all, and it achieves this objective in part by providing both content producers6 and innovators with a stable and predictable legal climate, such as the "bright line" rule devised by the Supreme Court in its 1984 Sony ruling.7 In its current state, the law threatens to punish rather than reward those who have the courage to release an innovative technology if that technology may be misused by its adopters and if that technology has yet to be contemplated and cleared by the judiciary or legislature. That is not an environment that encourages innovation. If the intent of the judiciary and the Department of Justice is indeed to mightily wield the secondary liability sword across the technology sector, the doctrine must be clearly defined, so that the rules of engagement are clearly stated and U.S. innovators can design their products with confidence—not in fear.
1. The specific theories of secondary liability have more nuanced elements, such as the requirements of materiality for contributory infringement and direct financial benefit for vicarious infringement. Since these elements are not critical to the essay’s main thesis, I’ve avoided spelling them out in detail.
2. An argument that the Supreme Court famously rejected in its 1984 "Betamax" decision. Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417 (1984)
3. See, for example, the Napster litigation. According to the District Court’s opinion, 87% of the content on Napster was copyrighted, and "virtually all Napster users" transferred copyrighted content. A & M Records, Inc. v. Napster, Inc., 114 F. Supp. 2d 896 (N.D.Ca. 2000). A decade later, a critical question remains essentially unanswered: how much lower would those percentages have to be for a manufacturer to be safe from secondary liability?
4. The standard introduced in is "clear expression", which is not much of a lodestar for someone seeking to gauge risk with any degree of precision. Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd., 545 U.S. 913, 914 (2005). One could persuasively argue that Apple’s very large, very prominent and very ubiquitous "Rip. Mix. Burn." billboards amounted to "clear expression."
5. It’s worth emphasizing that the billion dollar figure is not hyperbole—just ask SAP, which, in late November of this year, recently lost its legal dispute with Oracle and was ordered to pay $1.3 billion in damages. See Sam Diaz, Jury: SAP Owes Oracle $1.3 Billion for Copyright Infringement, ZDNet, Nov. 23, 2010. The facts of that case are quite different from the examples given here, of course, but the award is a very conspicuous reminder that such astronomical damage awards are a startling reality of present day copyright litigation.
6. In Community for Creative Non-Violence v. Reid, the Supreme Court acknowledged "Congress’ paramount goal in revising the 1976 Act of enhancing predictability and certainty of copyright ownership." 490 U.S. 730, 749 (1989).
Last week, the FCC announced the "FCC Open Internet Apps Challenge," a contest to attract software that helps ordinary users measure whether their Internet services — both mobile broadband and traditional "fixed" broadband — are consistent with open Internet principles. The FCC is also asking for submissions of "research papers that analyze relevant Internet openness measurement techniques, approaches, and data." This is a welcome effort from the FCC, and we hope to see software developers and researchers help the public better discover how our networks and service providers are treating our Internet communications.
While we have many points of concern about the FCC's net neutrality rules, EFF has always highlighted data, evidence, and provider transparency as unequivocally vital pieces of the complex net neutrality puzzle. Remember that in October of 2007, the Associated Press and EFF confirmed that Comcast was interfering with subscribers' BitTorrent activity. But the story didn't actually begin there — for several weeks beforehand, EFF had been receiving scattered, anecdotal reports of unusual BitTorrent behavior. However, until we had developed testing methods and tools to obtain some reliable data, there were countless technical questions yielding deeply complicated policy questions. Like, is Comcast actually responsible for the effects users are seeing, or is it some kind of bug? If Comcast is responsible, how irreversible or deep-seated is the method being used? Is this the kind of technical problem that users can address without inviting government regulation (from the FCC or otherwise)? Is there a form of government intervention that would be appropriate and effective to alleviate the actual BitTorrent blocking and other actions like it?
The best answers to these questions relied — and will continue to rely — on the public having real knowledge about how our Internet connections are functioning and whether or not ISPs are providing the open Internet that users want. EFF made an early attempt at providing such information gathering software with the Switzerland Network Testing Tool; the Measurement Lab is building an open platform to help give researchers more reliable, accurate tools for measuring Internet features; and hopefully the FCC contest inspires yet more innovation. As we continue to explore the challenges of maintaining an open Internet, strong data about the networks will be an important pillar in the defense of freedom of expression, user control, innovation, and more.
Submissions will be accepted from February 1 to June 1, 2011, and the winners will be invited to the FCC headquarters in Washington D.C. to meet FCC Chairman Genachowski, present their work to the commission, and have their work featured by the FCC online. Visit the challenge.gov portal for details about the contest.
Among the compromised accounts are Facebook pages administered by a reporter with Al-Tariq ad-Jadid, Sofiene Chourabi, video journalist Haythem El Mekki, and activist Lina Ben Khenni. Unsatisfied with merely quelling online freedom of expression, the Tunisian government has used the information it obtained to locate bloggers and their networks of contacts. By late last week, the Tunisian government had started arresting and detaining bloggers, including blogger Hamadi Kaloutcha, and cyberactivist Slim Ammamou, who alerted the world to his whereabouts at the Tunisian Ministry of the Interior using Google Latitude. This weekend, Tunisian citizens began to report on Twitter and in blogs that troops were using live ammunition on unarmed citizens and started communicating with one another to establish the numbers of dead and injured.
Most notably, Tunisians have been posting videos of the protests, including the dead and wounded, on Facebook, the only video-sharing site not currently blocked by the Tunisian government. This makes access to Facebook especially important for the protest movement.
Because of the Tunisian government’s attacks on citizens’ login credentials, Tunisians should take the following steps to protect themselves:
If HTTPS is available, use HTTPS to log in to Facebook, Google, and Yahoo. If you are using Firefox, EFF’s HTTPS Everywhere plug-in will do this for you automatically.
If you have logged in to Facebook, Google, or Yahoo recently over HTTP, log in using HTTPS and change your password.
Additionally, EFF calls on Google, Yahoo, and Facebook to take action to protect the privacy of their users by alerting them to the potential compromise of their accounts and encouraging them to take the above steps.
Finally, Facebook has reported that it is in the process of taking technical steps to protect the privacy of its users. We hope that they include the following:
Make Facebook logins default to HTTPS, if only in Tunisia, where accounts are especially vulnerable at this time. Google and Yahoo logins already default to HTTPS.
Consider allowing pseudonymous accounts for users in authoritarian regimes, where political speech under your real name is dangerous and potentially deadly. Many Tunisian activists are unable to reinstate Facebook accounts that have been erased by the Tunisian government because they were not using their real names.
Websites providing services to Tunisian citizens cannot afford to sit on the sidelines while the Tunisian government launches malicious attacks on the privacy of users and censors free expression. Facebook, Google, and Yahoo should take these concrete steps as quickly as possible to inform and better protect their users.
Thank you to all of the Electronic Frontier Foundation supporters who were able to make a contribution this past year. Truly, your donations, advocacy, and steadfast moral support have helped make EFF the formidable organization that it is today. We have come a long way from our first victory in Steve Jackson Games v. Secret Service to our most recent major win over bogus copyright infringement claims in Universal Music Group v. Augusto, and our work continues. In case you missed it, take a look at EFF's year-end video for an 8-bit recap of just a few major accomplishments in 2010.
This week we will begin sending tax receipts to all recent donors as well as EFF Member Cards to donors of $65 or more! EFF is a 501(c)(3) charitable organization and your gift is tax deductible to the full extent provided by law.
Don't forget to match your gift with your employer:
Ask your human resources department if your employer matches donations.
Fill out the paperwork and forward it to EFF for completion (if necessary). While EFF remains a nonpartisan organization, some employers may ask that you specify non-political activities for your donation.
You're done! It's a simple step that maximizes your impact and keeps EFF going strong.
Since late November, the whistleblower website Wikileaks has been in the process of releasing in waves over 250,000 leaked United States diplomatic cables. Known as "Cablegate," this is the largest publication of confidential documents by any organization. (Catch up on Wikileaks developments by reviewing EFF’s page on this issue).
Wikileaks’ disclosures have caused tremendous controversy, with critics of Wikileaks claiming the leaks of classified information could endanger lives and harm international diplomacy. Others have commended Wikileaks, pointing to a long history of over-classification and a lack of transparency by the United States government.
Regardless of the heated debate over the propriety of Wikileaks’ actions, some of the cables have contributed significantly to public and political conversations all around the world. In this article, we highlight a small selection of cables that have been critical to understanding and evaluating controversial events.
“Dancing Boy” Scandal Alleges Child Prostitution, Possible Drug Use among U.S. Private Contractors
The Guardian reported on a cable describing an incident in which employees of DynCorp, a U.S. military contractor, hired a “dancing boy” for a party. The term “dancing boy,” also known as bacha bazi, is a euphemism for a custom in Afghanistan in which underaged boys are dressed as women, dance for gatherings of men and are then prostituted. The incident allegedly involved soliciting local Afghan police for a bacha bazi as well as usage of illegal drugs. The cable detailed that Hanif Armar, minister of the Interior of Afghanistan, urged the United States to help contain the scandal by warning journalists that reporting on the incident would endanger lives.
The incident contributed important information to the debate over the use of private military contractors in Afghanistan. The articles published in the wake of Wikileaks’ publication of the cable are far more critical than the original reporting on the issue. For example, back in July of 2009, the Washington Post described the incident as “questionable management oversight,” in which “DynCorp employees in Afghanistan hired a teenage boy to perform a tribal dance.” This cable helped the Post and the public understand there was more to this story than a tribal dance.
Pfizer Allegedly Sought to Blackmail Nigerian Regulator to Stop Lawsuit Against Drug Trials on Children
A cable released by Wikileaks says that Pfizer “had hired investigators to uncover corruption links to [Nigerian] Attorney General Michael Aondoakaa to expose him and put pressure on him to drop the federal cases.” The Guardian reported that the drug giant was trying to convince the Nigerian attorney general to settle lawsuits arising from medical testing of the oral antibiotic Trovan that it administered to children living in Kano during a meningitis epidemic in 1996. The cable also noted that Pfizer Nigeria Country Director Enrico Liggeri felt the lawsuits “has had a ‘chilling effect’ on international pharmaceutical companies because companies are no longer willing to conduct clinical testing in Nigeria.” This episode helped the public understand more about the controversies surrounding drug testing in underdeveloped countries, as well as the politics behind Nigeria's settlement of the multi-billion dollar lawsuit for $75 million.
U.S. Failed to Bully Spain Into Adopting Untested Anti-P2P bill
A diplomatic cable released by Wikileaks to the Spanish paper El Pais shows that the United States used bullying tactics to attempt to push Spain into adopting copyright laws even more stringent than those in the U.S. As EFF reported, a U.S. official apparently pressured the government of Spain to adopt novel and untested legislative measures that have never been proposed in the United States. The Wikileaks revelations came just in time, providing critical information in a December legislative session, and saving Spain from the kind of misguided copyright laws that could cripple innovation and facilitate online censorship.
U.S. to Uganda: Let Us Know If You Want to Use Our Intelligence for War Crimes
The United States has long supported the efforts of the Ugandan government to defeat the Lord's Resistance Army, as part of a conflict known for its brutality and the use of child soldiers. One cable released by Wikileaks indicated the United States was considering selling arms to Uganda. The Guardian reported that the U.S. ambassador accepted verbal promises from the Ugandan defense minister that they would “consult with the US in advance if the [Ugandan army] intends to use US-supplied intelligence to engage in operations not government [sic] by the law of armed conflict.” That same article noted that the United States has been concerned that the Ugandan government is engaged in actions which might violate the laws of war.
Learning that U.S. intelligence might be used outside the laws of war, and that the U.S. government merely wanted a consultation, helped the public understand more about the American-Ugandan cooperation against the LRA, and informed the debate over the methods used to combat rebellions in Africa. This is not an idle concern: the very next day a cable detailed the use of extrajudicial execution of a Ugandan prisoner.
U.S. Haggling over Guantánamo Detainees
President Obama has promised to close the Guantánamo Bay detention camp since his campaign for the office, and reiterated the promise once he took office. Yet the controversial detention facility remains open. An article by the New York Times analyzed cables released by Wikileaks which indicated the United States is having difficulties in fulfilling this promise and is now considering some unique solutions. The cables show that U.S. diplomats have been searching for countries that would take detainees, often bargaining with foreign countries over the placement of prisoners. In return for accepting detainees, the receiving country might get a one-on-one meeting with Obama, help obtaining International Monetary Fund assistance, or some other helping hand from the United States. In one cable, Saudi Arabian King Abdullah recommended that the U.S. implant an electronic chip in each detainee for location tracking, using technology developed for livestock.
The debate over Wikileaks will continue for some time. But these examples make clear that Wikileaks has brought much-needed light to government operations and private actions which, while veiled in secrecy, profoundly affect the lives of people around the world and can play an important role in a democracy that chooses its leaders. As founding father James Madison explained, "a popular government without popular information or the means of acquiring it is but a prologue to a farce or tragedy or perhaps both." Regardless of whether you agree with WikiLeaks, Cablegate has served an important role in bettering public understanding on matters of public concern.