EFF has long pointed out that technology companies are complicit in human rights violations when they knowingly sell repressive regimes customized human surveillance technologies that are then used to target people for arrest, torture, and disappearance. Now a lawsuit filed recently against Nokia Siemens in Virginia by Isa Saharkhiz, an imprisoned Iranian dissident, and his son Mehdi Saharkhiz, brings this issue to the fore. The lawsuit accuses the Nokia Siemens Network of:
"knowingly, negligently and willfully provid[ing] the infamous, abusive and oppressive Iranian government with sophisticated devices for monitoring, eavesdropping, filtering, and tracking mobile phones."
This case brings home the human costs of the corporate sale of surveillance technologies to repressive regimes. The European Parliament declared in its Resolution on Iran that the customized sale of its technology was "instrumental in the persecution and arrest of Iranian dissidents." Even Nokia agrees, noting, "There have been credible reports from Iran that telecommunications monitoring has been used as a tool to suppress dissent and freedom of speech."
The facts of the case are troubling. Isa Saharkhiz, a distinguished Iranian journalist and a key political reformer behind the 1999 Tehran Spring of press freedom, was arrested on June 20, 2009 in the small village of Tirkadeh in northern Iran where he had been hiding. The intelligence agents found him by tracking his mobile phone using the powerful surveillance capabilities of Nokia's Intelligence Solutions tools, a mass surveillance product it sold to the state-owned telecommunications provider allegedly controlled by the Iranian Revolutionary Guard and freely accessible to notoriously brutal Iranian intelligence agencies.
Nokia's comprehensive human surveillance system, which it sold and tailored to the Iranian government’s needs in 2008, has two main parts: the Monitoring Center which enables centralized deep packet inspection of voice and data communications; and the Intelligence Platform, which provides real-time data mining intelligence. These services, in whole or in part, are what enabled the Iranian authorities to find and arrest Mr. Saharkhiz.
To its credit, Nokia now states in its "pressroom" and has told the European Parliament that it "exited the monitoring center business" in March 2009 due to concerns about human rights issues. Others dispute how true this is, but at least that's a start. Nokia's public statements, however, are sharply different from those it has made in court, where it had boldly claimed that because it is a corporation, it is categorically immune from responsibility for its role in aiding and abetting torture and illegal arrest.
Even if they have now "exited the business," at least in part, Nokia's decision to maximize profit by selling customized tools of repression deserves close scrutiny and those hurt by its decision deserve their day in court. Nokia claims that it is "in the process of assessing our policies and processes," and if this is genuine, we have some suggestions which we will be blogging about in the days and weeks to come and welcome direct discussion on these issues. We also invite Nokia to join the Global Network Initiative, and seriously consider its core commitments to human rights as part of its assessment process.
In the meantime, Mr. Saharkhiz rots in jail and his family suffers, in part due to Nokia's desire to make a quick buck. As Nokia itself admits:
"misuse of communication technologies to infringe human rights is wrong and, ultimately, that those who do so must be accountable for their actions."
Again, if this is more than just public relations spin, the time is now for Nokia to "be accountable" for its role in the repression of Mr. Saharkhiz and likely thousands of others. And it must do so not just in the press room, but in the court case, dropping its cynical claims that corporations should never be held accountable for their role in human rights violations.
Access, a new organization devoted to global Internet Freedom, has launched a campaign today to support the Saharkhiz case and to hold Nokia accountable. We urge EFFers who are concerned about misuse of technologies to aid repression to join their fight against selling surveillance technologies to repressive countries by signing the No to Nokia petition. Let Nokia know that they should do their part to help free the political dissidents and that they should stop making broad claims of corporate irresponsibility in court.
As noted in our first post, EFF recently received new documents via our FOIA lawsuit on social network surveillance, filed with the help of UC Berkeley’s Samuelson Clinic, that reveal two ways the government has been tracking people online: Citizenship and Immigration’s surveillance of social networks to investigate citizenship petitions and the DHS’s use of a “Social Networking Monitoring Center” to collect and analyze online public communication during President Obama’s inauguration. This is the second of two posts describing these documents and some of their implications.
In addition to learning about surveillance of citizenship petitioners, EFF also learned that leading up to President Obama’s January 2009 inauguration, DHS established a Social Networking Monitoring Center (SNMC) to monitor social networking sites for “items of interest.” In a set of slides [PDF] outlining the effort, DHS discusses both the massive collection and use of social network information as well as the privacy principles it sought to employ when doing so.
While it is laudable to see DHS discussing the Fair Information Practice Principles [PDF] as part of the design for such a project, the breadth of sites targeted is concerning. For example, among the key “Candidates for Analysis” were general social networking sites like Facebook, MySpace, Twitter, and Flickr as well as sites that focus specifically on certain demographic groups such as MiGente and BlackPlanet, news sites such as NPR, and political commentary sites such as DailyKos. According to the slides, SNMC looks for “‘items of interest’ in the routine of social networking posts on the events, organizations, activities, and environment” of important events. While the slides indicate that DHS scrutinized the information and emphasized the need to look at credible sources, evidence, and corroboration, they also suggest the DHS collected a massive amount of data on individuals and organizations explicitly tied to a political event.
In addition, while the slides do emphasize the minimization and elimination of “Personally Identifiable Information” (PII) from the public data, the slides note that “[o]penly divulged information excluding PII will be used for future corroboration purposes and trend analysis during the Inauguration period.” Thus, it is unclear whether or not the information was deleted permanently after the inauguration proceedings were complete. Moreover, there have been several recent studies and papers showing how, even without PII, comments and information about people online can be “re-identified” through the use of sophisticated computational techniques and thus create privacy concerns.
Finally, while there have been some reports in the past year of similar social network monitoring for large-scale public events, to date the public has not seen such detailed information about the government’s approach to monitoring, especially on its data preservation practices. As our FOIA lawsuit continues, we hope to learn more about such activities and help bring further transparency and accountability to the ways in which government agencies and law enforcement officials collect and analyze information about us online.
One great trend for Internet users' privacy and security has been that search engines — among other popular sites — are making their services available in a secure HTTPS form.
But users can still run into a privacy problem when they click on search results: the destination page could be unencrypted, potentially revealing lots of information to eavesdroppers about a user's interests and activities. For instance, suppose you search for [coronary artery disease] on a search engine, and you click on the search engine's outbound result link to Wikipedia's page at http://en.wikipedia.org/wiki/Coronary_artery_disease. Even if your connection to the search engine was protected by HTTPS, your connection to Wikipedia won't be!
This week the developer of the search engine Duck Duck Go let us know that Duck Duck Go is doing exactly that, using EFF's HTTPS Everywhere rules to automatically generate secure outbound links where possible. (For example, Duck Duck Go is rewriting not only links to Wikipedia but also links to sites like Twitter and Facebook into HTTPS.)
This is a great step toward making HTTPS use much more routine and ubiquitous. We were also thrilled to discover that StartPage, a pioneer in search privacy, is also generating secure outbound Wikipedia links. Hopefully more search engines will adopt this practice soon!
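The outbound-link rewriting described above can be sketched as follows. This is an added example, not Duck Duck Go's or EFF's code: the rulesets are constructed samples in the shape of HTTPS Everywhere rules (target hosts, exclusion patterns, from/to rewrites), and the function names are assumptions made for illustration.

```javascript
// Constructed sample rulesets in the shape of HTTPS Everywhere rules:
// target hosts, exclusion patterns, and from/to rewrite rules.
// These are illustrative assumptions, not EFF's published rules.
const RULESETS = [
  {
    name: "Wikipedia (sample)",
    targets: ["*.wikipedia.org"],
    exclusions: [],
    rules: [{ from: "^http://([a-z-]+)\\.wikipedia\\.org/", to: "https://$1.wikipedia.org/" }],
  },
  {
    name: "Example site (sample)",
    targets: ["example.com", "www.example.com"],
    // Paths known to break over HTTPS are left alone.
    exclusions: ["^http://www\\.example\\.com/legacy/"],
    rules: [{ from: "^http://(www\\.)?example\\.com/", to: "https://www.example.com/" }],
  },
];

// "*.wikipedia.org" matches any subdomain; other targets must match exactly.
function hostMatches(target, host) {
  return target.startsWith("*.") ? host.endsWith(target.slice(1)) : host === target;
}

// Return the HTTPS form of an outbound link when a ruleset covers it,
// otherwise return the link unchanged.
function rewriteOutbound(url, rulesets = RULESETS) {
  let parsed;
  try { parsed = new URL(url); } catch { return url; }   // not an absolute URL
  if (parsed.protocol !== "http:") return url;            // already HTTPS, mailto:, ...
  const href = parsed.href;                               // normalized (lowercase host)
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(t, parsed.hostname))) continue;
    if (rs.exclusions.some((p) => new RegExp(p).test(href))) continue;
    for (const rule of rs.rules) {
      const out = href.replace(new RegExp(rule.from), rule.to);
      // Accept a rewrite only if it actually produced an https:// URL.
      if (out !== href && out.startsWith("https://")) return out;
    }
  }
  return url;
}

// Rewrite a page of search results, recording which links were upgraded.
function rewriteResults(links) {
  return links.map((url) => {
    const secure = rewriteOutbound(url);
    return { url: secure, upgraded: secure !== url };
  });
}
```

Links to hosts with no matching ruleset, and links caught by an exclusion pattern, are returned unchanged, so a result is only upgraded where a rule says the HTTPS version is known to work.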
The Court notes and must take seriously the argument advanced by the defendants, as well as those made by Amici, regarding whether the unauthorized access alleged here amounts to contract-based violations of Ticketmaster's terms of service that are actionable under civil laws.
Because it found the facts to be complicated and in dispute, the Court held that the issues raised by EFF could be best evaluated after trial, which will allow for a more complete presentation of the government's arguments and proof. The court was especially interested in the government's belated claim that liability could be based on proof of circumvention of what the court called "code-based restrictions." EFF did not directly address the "code-based restrictions" issue in its amicus because it was not the focus of the indictment.
EFF asked the Ninth Circuit Court of Appeals Tuesday to review its ruling in Vernor v. Autodesk, a decision that could undermine the rights of software buyers and other consumers.
Last month, a three-judge panel held that copyright's first sale doctrine – the law that allows you to resell books and that protects libraries and archives from claims of copyright infringement – may not apply to software if the vendor saddles the transfer with enough restrictions to transform what the buyer may think is sale into a mere license. Plaintiff Timothy Vernor has asked the full court to review this decision, and EFF – along with the Association of Research Libraries, the American Library Association, the Association of College and Research Libraries, and Public Knowledge – filed an amicus brief in support of this rehearing.
Copyright owners should not be able to trump the first sale doctrine by using a few "magic words" in a license agreement. By undermining the crucial balance between copyright owners and users that supports valuable resources like libraries, used bookstores, and rentals, the practice hurts both our ability to save a few dollars and our ability to retain, archive and access older, out-of-print materials. We hope that the court agrees to review the case and treats it as an opportunity to put consumer rights and expectations ahead of the overreaching demands of software vendors.
EFF recently received new documents as a result of our FOIA lawsuit on social network surveillance, filed with the help of UC Berkeley’s Samuelson Clinic, that reveal two ways the government has been tracking people online: surveillance of social networks to investigate citizenship petitions and the Department of Homeland Security’s use of a “Social Networking Monitoring Center” to collect and analyze online public communication during President Obama’s inauguration. This is the first of two posts describing these documents and some of their implications. (Read part one.)
Narcissistic tendencies in many people fuels a need to have a large group of “friends” link to their pages and many of these people accept cyber-friends that they don’t even know. This provides an excellent vantage point for FDNS to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities.
This social networking gives FDNS an opportunity to reveal fraud by browsing these sites to see if petitioners and beneficiaries are in a valid relationship or are attempting to deceive [United States Citizen and Immigration Services] about their relationship. Once a user posts online, they create a public record and timeline of their activities. In essence, using MySpace and other like sites is akin to doing an unannounced cyber “site-visit” on a [sic] petitioners and beneficiaries.
(Emphasis added). In other words, USCIS is specifically instructing its agents to attempt to “friend” citizenship petitioners and their beneficiaries on social networks in the hope that these users will (perhaps inadvertently) allow agents to monitor their activities for evidence of suspected fraud, including evidence that their relationships might not live up to the USCIS’ standard of a legitimate marriage.
Of course, there are good reasons for government agencies and law enforcement officials to use all the tools at their disposal, including social networks, to ferret out fraud and other illegal conduct. And while one might just chalk this up to another case of “caveat friendster,” it does raise some questions about the agency’s conduct.
First, the memo makes no mention of what level of suspicion, if any, an agent must find before conducting such surveillance, leaving every applicant as a potential target. Nor does the memo address whether or not DHS agents must reveal their government affiliation or even their real name during the friend request, leaving open the possibility that agents could actively deceive online users to infiltrate their social networks and monitor the activities of not only that user, but also the user’s friends, family, and other associates. Finally, the memo makes several assumptions about social networking users that are not necessarily grounded in truth and reveal the author’s lack of understanding of the ways people use social networking sites. First, the memo engages in armchair psychology by assuming a large friend network indicates “narcissistic tendencies.” Second, and perhaps more disturbing, the memo assumes a user’s online profile always accurately reflects her offline life. While Facebook and MySpace would like their users’ profiles to always be current and accurate, users may have valid reasons for keeping some of their offline life out of their online profiles (for example, many users still feel their relationship status is private). Unfortunately, this memo suggests there’s nothing to prevent an exaggerated, harmless or even out-of-date off-hand comment in a status update from quickly becoming the subject of a full citizenship investigation.
In response, the Ohio Democratic Party promptly published a YouTube video capitalizing on this, illustrating its point with short clips from Redden's acting career. One of the clips came from a film by Arginate Studios, LLC, which then used the DMCA (Digital Millennium Copyright Act) to send a takedown demand to YouTube. YouTube removed the video. Under the DMCA, the political video would be unavailable on YouTube for at least 10 days (a significant portion of the time remaining before the election), though the video remains available on Vimeo.
While the use of copyright to take down political speech in the weeks before an election is hardly new (CDT just published a detailed report), this is a particularly egregious example. Why? Because the reuse of a few seconds of Arginate's video to illustrate a political point is such an obvious fair use.
As an initial matter, the use is extremely transformative (adding new meaning and message). The original video by Arginate is an entry in a film festival's "Road Movie" genre, featuring Redden as Sam Carpenter, a man who provides some special tickets to two women in a bar. The political video's use, on the other hand, was to provide evidence that the supposed steelworker was actually a paid actor. The use could hardly be more transformative. As the Supreme Court explained, transformative works "lie at the heart of the fair use doctrine’s guarantee of breathing space within the confines of copyright."
Moreover, the political ad only used a few seconds of the original film. While courts have held that "entire verbatim reproductions are justifiable where the purpose of the work differs from the original," a fair use is particularly justifiable when it uses the minimum necessary to make its point.
Since the original remains available for free online, it can hardly be said that there is any harm to the market for the original work. As the Supreme Court said, "a use that has no demonstrable effect upon the potential market for, or the value of, the copyrighted work need not be prohibited in order to protect the author’s incentive to create."
Finally, fair use analysis considers whether the new work benefits the public interest. Communicating with the public about an upcoming election is a core aspect of public debates, and the new video contributes to that debate.
Arginate Studios should be ashamed to have claimed the video was infringing, and should withdraw its takedown notice immediately. YouTube should put the video back up. And Arginate should take a closer look at Section 512(f) of the DMCA — which provides penalties for misrepresenting that an online video is infringing — before sending any more notices.