SXSW represents one of EFF's greatest opportunities to reach out directly to the filmmakers, writers, musicians, and software engineers who create online content, as well as the fans who want to post, critique, and remix that content. Every vote takes us one step closer to bringing EFF issues to SXSW. Vote now, because voting closes on Friday, August 27th.
Last month, we wrote about a New Jersey case in which the former publisher of a magazine and dating website for gay youth had declared bankruptcy. He and his former business partners were fighting over ownership of various business assets of XY Magazine and XY.com, including extensive personal information about more than a million customers. XY's privacy policies, however, had promised customers that their personal information would never be given to anybody.
The Federal Trade Commission warned (pdf) that any transfer or further use of the data would not only violate the privacy promises that XY had made to consumers, but would also likely be unlawful under the Federal Trade Commission Act, which prohibits unfair and deceptive acts and practices. The Commission suggested that the data be destroyed, which we agreed would be the best course of action.
We're happy to report that this potential privacy fiasco has ended well for XY's customers. The parties reached an agreement (pdf) under which the publisher is required to destroy all personally identifiable information about XY's customers. He may keep a limited amount of data for a short time to authenticate the identities of customers who have ordered back issues of the magazine, but he may not use that information to contact or locate any customers.
While this is a good outcome, the case highlights a problem that we're likely to see again and again. Companies provide services that rely on personal information supplied by consumers. Some of those companies will be sold or go out of business. The information that they've collected from their customers is a valuable asset, and its possible sale to the highest bidder will implicate the privacy of millions of people.
XY's customers were fortunate that the parties reached an agreement to destroy their personal data, but the Bankruptcy Code itself doesn't handle this scenario very well. Companies that possess customers' personal information are likely -- through their own privacy policies -- to give themselves permission to sell that information if they go out of business or have a change in ownership. And in the rare case where a company promises its customers that their personal information will never be disclosed to anyone, a bankruptcy court can still allow the data to be leased or sold if that transfer wouldn't otherwise violate the law.
Efforts to protect net neutrality that involve government regulation have always faced one fundamental obstacle: the substantial danger that the regulators will cause more harm than good for the Internet. The worst case scenario would be that, in allowing the FCC to regulate the Internet, we open the door for big business, Hollywood and the indecency police to exert even more influence on the Net than they do now.
On Monday, Google and Verizon proposed a new legislative framework for net neutrality. Reaction to the proposal has been swift and, for the most part, highly critical. While we agree with many aspects of that criticism, we are interested in the framework's attempt to grapple with the Trojan Horse problem. The proposed solution: a narrow grant of power to the FCC to enforce neutrality within carefully specified parameters. While this solution is not without its own substantial dangers, we think it deserves to be considered further if Congress decides to legislate.
Unfortunately, the same document that proposed this intriguing idea also included some really terrible ideas. It carves out exemptions from neutrality requirements for so-called "unlawful" content, for wireless services, and for very vaguely-defined "additional online services." The definition of "reasonable network management" is also problematically vague. As many, many, many have already pointed out, these exemptions threaten to completely undermine the stated goal of neutrality.
Here's a more detailed breakdown of our initial thoughts:
Limited FCC Jurisdiction — Good:
Those who have followed EFF’s position on net neutrality will know that, while we strongly support neutrality in practice, we are opposed to open-ended grants of regulatory authority to the FCC. On that score, the Google/Verizon proposal takes a promising new approach. It would limit the FCC to case-by-case enforcement of consumer protection and nondiscrimination requirements and prohibit broad rulemaking. In essence, it tries to limit the FCC to the type of authority that the FTC has — the authority to investigate claims as they are made.
This limitation, if enforced, could help avoid many of the problems we’ve been concerned about, such as the possibility that a future FCC might decide to take on the role of “Internet indecency” police or, as a result of regulatory capture, might become an innovation gatekeeper, blocking new ideas by small innovators in order to protect the interests of big dinosaurs.
The proposal also rightly exempts software applications, content and services from FCC jurisdiction. Suggestions that the content layer should be directly regulated by the FCC were among the most wrong-headed in past debates about this issue.
The provision does suggest the use of “private non-governmental dispute resolution processes,” which is somewhat troubling — we’ve seen how such processes can be gamed by repeat players.
Standard-Setting Bodies — Interesting:
The proposal also has an interesting suggestion for handling concerns about politicization of the FCC processes and the need for a deep technological understanding to make good decisions in this area: standard-setting bodies. It suggests that “reasonable network management” should be “consistent with the technical requirements, standards or best practices adopted by an independent, widely recognized Internet community governance initiative or standard-setting organization.”
This idea is intriguing, but there are some reasons to be wary. Standard-setting bodies can sometimes do a better job of recognizing and resisting bad technological arguments than political or agency bodies. And technical bodies successfully developed many of the standards that make the Internet great. But as we well know at EFF, standards bodies are not immune to bad ideas. We spent years fighting anti-consumer efforts in various standard-setting fora around DRM and trying to correct some bad standards that had been set in the area of evoting. In those instances, we found that allegedly "independent" standards bodies were often closed to the voices of consumers and small innovators, wrapped in secrecy, and lacking basic mechanisms needed to ensure accountability. If standards bodies are to be introduced as part of a network neutrality oversight scheme, that language needs to guarantee that the processes are completely transparent and representative of the interests of user and independent developer communities.
The definition of “reasonable network management” needs to be clarified and refined. While we think the way that standard-setting organizations are included in the definition is interesting and potentially constructive, the language on what makes some network management “reasonable” is extremely unclear. For EFF, the first test for a network neutrality proposal is this: would it have clearly prevented Comcast from interfering with BitTorrent? In the Google/Verizon proposal, because of ambiguous exceptions like the one that allows an ISP “otherwise to manage the daily operation of its network,” we can't be sure that that's true.
The cutout for “additional online services” is also very disturbing. Many have pointed out that it could be the exception that swallows the nondiscrimination rule. After all, much of the innovation we expect to occur in the future will involve services “distinguishable in scope and purpose from broadband Internet access service, but could make use of or access Internet content, applications or services." If discrimination is allowed for all such things, then there could easily be little left on the “neutral” part of the Internet in a few years. There may be some services that need traffic prioritization, such as urgent medical services, but the approach in the proposal creates no real limits on what could be allowed as an “additional online service.” It would be much better if space for these services was addressed through waivers or other processes that put the burden on the company suggesting such services to prove that they are needed. And such processes must be fully transparent — not just consumers but the FCC must be in a position to know how these services work and what impact they are having. They must also be open to real debate and opposition.
“Lawful” Content and Wireless Exclusions — Fail:
The proposal essentially ignores some of the key problems that EFF and others have had with previous network neutrality proposals. These loopholes could undermine the goals of neutrality, or lead to unanticipated and regrettable outcomes.
It still limits nondiscrimination to “lawful” content without defining the term or giving any indication of who decides what is “lawful,” opening the door to entertainment industry and law enforcement efforts that could hinder free speech and innovation. Last year, the big media companies took advantage of similar language to push for a “copyright loophole” to net neutrality that would have allowed them to pressure ISPs to block, interfere with, or otherwise discriminate against perfectly legal activities in the course of implementing online copyright enforcement measures, and a similar loophole existed for law enforcement. So long as your ISP claimed that it was trying to prevent copyright infringement or helping law enforcement, it could be exempted from the net neutrality principles. This was the focus of EFF's comments to the FCC in January 2010 and our Real Net Neutrality campaign.
As many others have noted, the exclusion of wireless from all but the transparency requirements is a dreadful idea. Neutrality should be the rule for all services, and a distinction between wired and wireless not only defies reason, it also abandons the portion of the Internet that is currently most lacking in openness and neutrality. Users are increasingly demanding the ability to do many, if not all, of the same things in a wireless environment as they do in a wired one. Regardless of what regulation may look like or whether there is any regulation at all, there shouldn’t be a distinction between the neutrality available on wired services and that available on wireless services.
We share these initial thoughts in order to surface some details that may be lost in the controversy sparked by this proposal. Others are weighing in with valuable comments as well, and we are paying close attention to their views. We urge policymakers to do the same.
Recent news has made it abundantly clear that the government uses the Internet and social networking sites as tools for investigation. But what’s not clear, and what the government has been reluctant to reveal, is how this information has been collected and utilized. To get answers, EFF, with help from Berkeley Law’s Samuelson Clinic, made a series of Freedom of Information Act (FOIA) requests asking various law enforcement agencies to disclose documents detailing their use of social networking sites in their investigations. When the government refused to comply with these requests, we went to court to compel them to respond. The latest disclosures from this litigation reveal just some of the ways the government is obtaining and using information from the Internet.
In addition to using this information for law enforcement investigations, the government has been considering using it for all background checks in security clearances. The ODNI has released this study [PDF] from 2008 on the potential of Internet searches in government security clearances. With just a name, address, date of birth, and social security number, government-hired Internet investigators were able to find “noteworthy” search results for as many as 53% of the 349 study participants. “Noteworthy” information included the proclivity to put personal information online, but also included so-called “questionable” material such as disclosure of “underage drinking, profanity, extreme religious and/or political views on public forums.”
Social networking sites like MySpace were also included in the background investigations. And while investigators limited themselves to searching only “public” information on these sites, they still found even more damaging (termed “adverse”) results. These “adverse” results included overly descriptive posting of personal or work information as well as references to or pictures depicting illegal drug use. The study found that approximately 48% of those investigated had at least two pieces of “adverse” or “noteworthy” information accessible online and that the highest percentage of those having adverse information on the Internet was in the 18 to 24 year old age group.
The disclosures also show the government’s increasing interest in documenting or “mapping” social networks. The ODNI study explicitly mentions the value of obtaining further information about individuals from interviews of “friends” and business associates, and a presentation [PDF] released by DEA presents one example where a “fugitive on the run” was located by finding a video after examining social networking websites for the profile of either the fugitive or his associates. The DEA presentation also notes the use of online tools such as MySpace Visualizer and YouTube Visualizer, which can visually chart the associations between users of these services.
Security exploits were not the only covert practice endorsed in the government’s disclosures. For example, the DEA presentation cryptically mentions the ability to potentially “recover ‘private’ content only shared among those chosen by the page owner.” Another document, the FBI Intelligence Information Report Handbook [PDF], mentions using “covert accounts” to access protected information. And a document describing Secret Service procedures [PDF] for monitoring electronic communications includes recommendations on how to avoid leaving “electronic footprints” by utilizing “stand-alone” computers with “anonymous accounts from an ISP” during surveillance.
As the FOIA litigation progresses, more documents will become available here. Stay tuned.
On behalf of the Electronic Frontier Foundation, we would like to thank all of you who contributed and supported our work at the Black Hat and DEF CON conferences in Las Vegas last week. In particular we would like to acknowledge Jeff Moss and the Black Hat and DEF CON organizers for their ongoing support of EFF each year.
The EFF members - first-time donors and long-time members alike - continue to impress us with their generosity. Thanks to all of you who attended our talks, gave kind words of support, joined EFF at our membership table, donated "just because," or used your own ingenuity to fundraise in our honor. This of course includes all of the Defcon 18 Getaway Contest participants (who raised nearly $10,000 together!), our contest sponsors: Tenable Network Security, iSEC Partners, and IOActive, as well as our prize donors: DEF CON, Vegas 2.0, iSEC Partners, and Ninja Networks.
The community support was stronger than ever this year. Cheers to the Vegas 2.0 crew for hosting an amazing sixth annual Summit party as an EFF fundraiser. Headlined by Dual Core and the MiniBosses, the Summit rocked the Top of the Riv and raised a record-high total of donations at the door and from the on-stage auctions. Thank you to BSidesLasVegas for collecting for EFF and congratulations on another great event! Our gratitude to stealth for bringing back Hackers and Guns and for his years of support (going back to the Dunk Tank!). Big ups to everyone who got a Mohawk-Con buzz to benefit EFF, including our own Kellie Brownell! We are grateful to these groups and the many others who found creative ways to help EFF. We are happy to report that together we raised far more money this year for EFF in Las Vegas than we ever have before!
And the computer security community's much appreciated support keeps coming! We will soon auction the waffle iron used and signed by the DEF CON Comedy Jam III Security Fail panel, as well as a Ninja Networks "Pirate #1" boss badge from this year's party. We will also be auctioning a limited edition DEF CON skateboard deck signed by security luminaries including the Dark Tangent, Dan Kaminsky, Dead Addict, Moxie Marlinspike, Kevin Mitnick, Joe "Kingpin" Grand, Miss Jackalope, Dual Core, and many, many more! Details to come. Check out the deck here (kittehs not inkludid):
EFF is a small non-profit that has developed an exceptionally strong voice over its 20 year history. Most funding comes from you, EFF's loyal individual members, giving what you can every year (and sometimes more often!) to ensure that we can fund our activism and our work in the courts and in rulemaking. Regardless of whether you gave $5 or $5,000, it's the grassroots support from you and events like The Next HOPE, Shmoo Con, Black Hat, Security B-Sides, and DEF CON that allows EFF to stay strong and continue defending digital rights. Thank you.
Every year, people astonish and amaze us with the inventive ways in which they raise funds for EFF. EFF supporters have given away free games, shaved people's hair into mohawks, and drawn cartoons to show their support for digital civil liberties. For the second year in a row, Michael Wigren of WKID "Froggy" Radio in Vevay, Indiana, has chosen the potentially dangerous pastime of grape-stomping as the medium through which he demonstrates his devotion to EFF.
Wigren is participating in the 2nd Annual Media Celebrity Grape Stomp for Charity in Vevay, Indiana, where newscasters, radio personalities, and other local celebrities will go toe-to-toe in grape barrels to out-stomp the competition. Each of the top three celebrities will walk away with a check for their favorite charity organization. The event will take place on August 28th at noon, during the Swiss Wine Festival on the Paul Ogle Riverfront Park in Vevay, Indiana at the official grape stomping stage. If you are in the area, stop by to show your support for Wigren, WKID, and the Electronic Frontier Foundation!
Recent news reports have presented somewhat contradictory analysis of government plans in the United Arab Emirates (UAE), Saudi Arabia, and other countries to block the use of BlackBerry smart phones as a form of pressure on Research in Motion, BlackBerry's Canadian manufacturer. All the reports agree that these governments feel RIM has made at least some BlackBerry messages too private and secure, but reports disagree about how private they actually are and exactly what RIM is being asked to do.
Many observers have noted that we're likely to stay in the dark about some of these details. As Jonathan Zittrain put it, "we're only seeing a small slice of a government-to-company negotiation — the public threat part — so exactly what's being asked hasn’t been disclosed, and neither the government nor RIM have much incentive to say more." We particularly appreciate the analyses of the situation from Prof. Zittrain and our former colleague Danny O'Brien at the Committee to Protect Journalists. Both emphasize that only a portion of BlackBerry communications are really strongly encrypted: those sent through BlackBerry's business-oriented BlackBerry Enterprise Service, but not those sent through the ordinary BlackBerry Internet Service. (Of course, all BlackBerry users — and other smartphone users — can optionally use other encryption tools to protect themselves. The subtle distinction between BES and BIS is just one reminder that users need to be skeptical about exactly what kind of protection they're getting. It also raises concerns that BlackBerry's recent statements that fail to differentiate between the products may be misleading a large number of their customers — we believe BlackBerry should immediately clarify this.)
In any case, the UAE government's rhetoric that it must have a backdoor into all communications is very alarming. It reminds us of the situation here in the United States during the 1990s, when the Federal government repeatedly sought to keep strong cryptography out of the general public's hands and to put U.S. government backdoors into communications products. We often call that time the "crypto wars." During them, the civil liberties and business communities fought to make sure Americans would be allowed to use the best available privacy tools to protect their communications. EFF was heavily involved in the crypto wars, litigating the Bernstein case to protect programmers' rights to publish encryption software. Ultimately the government dropped plans like the Clipper Chip that would have been a backdoor into Americans' communications and dramatically reduced the government regulations that stood in the way of Americans getting strong cryptography in their tools.
But the UAE government position seems like 1995 all over again, with government officials insisting that some privacy tools are just too secure to let the public use them.
Press reports also suggest that UAE officials have compared their announced restrictions to "lawful intercept" laws (like the U.S. Communications Assistance for Law Enforcement Act) that force communications carriers to provide wiretapping assistance to government officials. But those laws have never forbidden users from using their choice of encryption software or forced carriers to block any communications, domestic or foreign, because of how they were encrypted or who had the keys. So millions of people in every country routinely use strong cryptography to protect their communications at home or when they travel.
The UAE's and Saudi Arabia's announced restrictions are particularly scary because it seems that the same rationale will lead to government blocks on all sorts of other communications — from web mail to virtual private networks — that those governments deem too private and secure. They also show that the right to use encryption technology to protect privacy needs to be defended all around the world. Quite possibly, the crypto wars never ended.
"The tracking files represent the leading edge of a lightly regulated, emerging industry of data-gatherers who are in effect establishing a new business model for the Internet: one based on intensive surveillance of people to sell data about, and predictions of, their interests and activities, in real time."
What the industry knows about you may surprise you. The articles examine the world of tracking cookies, and other less well-known tracking technologies like flash cookies and beacons. They found that "the nation's 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning."
Using information gathered this way, the advertising industry is able to accurately guess substantial information about you — often including your gender, age, income, marital status, credit rating, and whether you have children or own a home. The findings are used not only to determine what advertisements you see, but sometimes to decide what kind of discounts or credit card offers you're allowed access to.
The series also reveals the stunning story of how a 2008 power struggle at Microsoft Corp. undermined Web privacy standards. When the product design team behind Microsoft Internet Explorer 8.0 proposed adding stronger privacy safeguards, Microsoft's advertising department objected. The software features would have granted Web users substantially better privacy and protection from tracking than exists today. But Microsoft, seeking to maintain alliances with the online advertising industry, ultimately rejected the features. The story shows that the advertising industry has considerably more influence over web-browser design than one might expect.
The "What They Know" project is already the largest and highest-profile investigation by the mainstream media into consumer Web privacy to date. No doubt more articles are on the way, and the project's Twitter account is providing many smaller updates. It's already affecting the conversation in Washington DC, where important efforts by both Congress and the FTC are underway to rein in this dangerous and unregulated industry.
So, kudos to the team at the Wall Street Journal. Hopefully their efforts will encourage more serious approaches to privacy from regulators, law-makers, software companies, advertising companies and ordinary consumers.