At the beginning of this year EFF identified a dozen important trends in law, technology and business that we thought would play a significant role in shaping digital rights in 2010, with a promise to revisit our predictions at the end of the year. Now, as 2010 comes to a close, we're going through each of our predictions one by one to see how accurate we were in our trend-spotting. Today, we're looking back on Trend #10, Three Strikes: Truth and Consequences, where we predicted:
In countries across the globe, the entertainment industry has been pushing for laws requiring ISPs to terminate their users' connection at the whim of the entertainment industry. In 2009, they got their wish — in France and South Korea, at least. This year will see the spin battle over what is actually happening in those countries.
Expect media industry reports describing amazing local declines in filesharing, aimed at policymakers in other nations considering the same. And look out for local press reports from these three strikes ground zeroes, documenting the calamitous consequences of disconnections, the lack of financial return to working artists, and the political blowback for the politicians who championed these unjust laws.
Although IP rightsholders’ groups such as IFPI continue to push for Three Strikes laws across the world, fewer countries have adopted these laws in 2010 than we had feared. So far, Three Strikes laws have only been adopted in South Korea and France, although a draft law is pending in New Zealand, and one has been proposed in India. This year saw Ireland’s major ISP, Eircom, adopt a Three Strikes policy in a court-approved lawsuit settlement agreement with the recorded music industry. Meanwhile, the UK Parliament rejected the proposal to force ISPs to terminate subscribers upon repeat allegations of copyright infringement; the Digital Economy Act enacted in 2010 requires ISPs to forward notices of alleged copyright infringement to subscribers but puts the burden on IP rightsholders to bring targeted lawsuits against repeat infringers. Finally, following much criticism of previously leaked draft texts, all references to Three Strikes Internet disconnection obligations for ISPs were removed from the final version of the Anti-Counterfeiting Trade Agreement released in December.
As we also expected, IP rightsholders and global policy-makers have realized that Three Strikes automatic disconnection laws and policies are a short-term measure, and are now focusing their efforts on Internet intermediary obligations to block webpages. Recognizing that Three Strikes policies are ineffective against the ways that many Internet users now obtain unauthorized content – through one-click file hosting sites and cyberlockers such as Rapidshare – IP rightsholders have been pushing for laws requiring Internet intermediaries to block websites alleged to be engaged in copyright infringement. We saw this in 2010 with the US COICA Bill and the reserved powers in the UK Digital Economy Act. Expect to see more pressure on this front in 2011.
At the beginning of this year EFF identified a dozen important trends in law, technology and business that we thought would play a significant role in shaping digital rights in 2010, with a promise to revisit our predictions at the end of the year. Now, as 2010 comes to a close, we're going through each of our predictions one by one to see how accurate we were in our trend-spotting. Today, we're looking back on Trend #6, Net Neutrality: The Rubber Hits The Road, where we predicted:
[W]hat will [net neutrality] mean when it makes the transformation from idealistic principle into real-world regulations? 2010 will be the year we start to find out, as the FCC attempts to implement the plan it adopts after its 107-page request for input about how to ensure a neutral Net.
But how far can the FCC be trusted? Historically, the FCC has sometimes shown more concern for the demands of corporate lobbyists and "public decency" advocates than it has for individual civil liberties. Consider the FCC's efforts to protect Americans from "dirty words" in FCC v. Pacifica Foundation, or its much-criticized deregulation of the media industry, or its narrowly-thwarted attempt to cripple video innovation with the Broadcast Flag.
With the FCC already promising exceptions from net neutrality for copyright-enforcement, we fear that 2010 could be the year when the FCC's idea of an "Open Internet" proves quite different from what many have been hoping for.
It seems we overestimated how much the Federal Communications Commission would be able to accomplish.
We’re still looking at the actual rules, which were released publicly several days after the ratifying vote, and we'll comment more when we've completed our review. But from what we've gleaned from FCC statements, and despite some rumors otherwise, the FCC’s current theory for jurisdiction seems to be somewhat new. On the other hand, the substantive principles laid out in the final rules appear to be largely the same as those discussed by policymakers and other stakeholders throughout the year, and which we have repeatedly warned about for their loopholes and exemptions. We’ve also warned about the Trojan horse we may find on our hands if the FCC’s authority to regulate is approved in the courts.
We’ll be watching to see what 2011 holds; it seems likely that the new Congress will have something to say as well.
At the beginning of this year EFF identified a dozen important trends in law, technology and business that we thought would play a significant role in shaping digital rights in 2010, with a promise to revisit our predictions at the end of the year. Now, as 2010 comes to a close, we're going through each of our predictions one by one to see how accurate we were in our trend-spotting. Today, we're looking back on Trend #4, hardware hacking:
An increasingly active hobbyist community is figuring out how to make a range of devices more useful and open. They are learning how to install new software or make third-party parts, devices, and services work with proprietary high-tech products like video game consoles, printers, portable audio players, home entertainment devices, e-book readers, mobile phones, digital cameras, and even programmable calculators. And, oh yes, contending with restrictions on both cars and garage doors.
In 2010, phone jailbreaking will become even more mainstream, and the concept will be routinely applied to other sorts of devices. EFF's Coders Rights Project will have no shortage of work to do defending users and developers who want to make their hardware do more than it was designed for.
As we predicted, jailbreaking has become more mainstream — in part because of two cell-phone related DMCA exemptions that EFF championed: one to clarify the legality of cell phone "jailbreaking" — software modifications that liberate iPhones and other handsets to run applications from sources other than those approved by the phone maker — and another to renew a 2006 rule exempting cell phone unlocking so handsets can be used with other telecommunications carriers. Both exemptions were granted. Of these, the jailbreaking exemption has received the most attention. More than a million iPhone owners are said to have "jailbroken" their handsets in order to change wireless providers or use applications obtained from sources other than Apple's own iTunes "App Store," and many more have expressed a desire to do so. But the threat of DMCA liability had previously endangered these customers and alternate applications stores.
Importantly, the Copyright Office squarely rejected Apple's claim that installing unapproved programs on iPhones is a form of copyright infringement. The Office recognized that "When one jailbreaks a smartphone in order to make the operating system on that phone interoperable with an independently created application that has not been approved by the maker of the smartphone or the maker of its operating system, the modifications that are made purely for the purpose of such interoperability are fair uses." We couldn't agree more. And last week the Ninth Circuit reinforced the importance of this distinction, noting that violations of license agreements do not always amount to copyright infringement. Blizzard had argued that the manufacturer of an add-on to World of Warcraft was secondarily liable for copyright infringement because it provided software that allowed users to play in unauthorized ways. Not so, said the appellate court, because there was no direct liability to begin with. The license term that forbade WoW players from using Glider was a covenant — a promise not to do something — rather than a condition — limiting the scope of the copyright license. And while violating "antibot" covenants might breach a contract, it does not violate any copyright — by contrast, creating a derivative work might.
This point may seem a bit arcane, but it's crucial because it helps avoid a situation in which violating contracts and EULAs could result in a copyright infringement lawsuit (with the heavy club of statutory damages, attorney's fees and low standards for injunctions) rather than just a simple breach of contract claim. As the court observed: Were we to hold otherwise, Blizzard — or any software copyright holder — could designate any disfavored conduct during software use as copyright infringement, by purporting to condition the license on the player's abstention from the disfavored conduct. The rationale would be that because the conduct occurs while the player's computer is copying the software code into RAM in order for it to run, the violation is copyright infringement. This would allow software copyright owners far greater rights than Congress has generally conferred on copyright owners.
We can expect more litigation on this issue, as users and innovators fight back against the use of software license agreements to stifle innovation.
At the beginning of this year EFF identified a dozen important trends in law, technology and business that we thought would play a significant role in shaping digital rights in 2010, with a promise to revisit our predictions at the end of the year. Now, as 2010 comes to a close, we're going through each of our predictions one by one to see how accurate we were in our trend-spotting. Today, we're looking back on Trend #1, Attacks on Cryptography, where we predicted:
In 2010, several problems with cryptography implementations should come to the fore, showing that even encrypted communications aren't as safe as users expect. Two of the most significant problems we expect concern cellphone security and web browser security.
GSM, the technology that underpins most cellphone communications around the world, uses a deeply flawed security technology. In 2010, devices which intercept phone calls will get cheaper and cheaper. Expect to see public demonstrations of the ability to break GSM's encryption and intercept mobile phone calls. We hope that this will prompt the mobile phone industry to replace its obsolete systems with modern and easy-to-use cryptography.
SSL (in its newer versions known as TLS), the basic security technology of the world wide web, is exhibiting similarly severe flaws. Several powerful practical attacks against real-world SSL implementations were published in 2009; more problems and concerns will emerge throughout 2010. SSL security must be improved.
Despite flaws in how SSL is used, it's still the best system for web security around, and so it also needs to become more widely deployed. Google set a fantastic example this week when it set GMail to use SSL by default — in 2010 we hope to see other online service providers follow its example.
Our predictions on this front were solid. In July, security researcher Chris Paget demonstrated at DEFCON how easy it is to trick cell phones into turning off encryption and connecting to a fake base station, thereby allowing a third party to eavesdrop on conversations. The security vulnerabilities that make this attack possible aren't new, but historically would cost hundreds of thousands of dollars to exploit. Paget's system cost roughly $1,500 to assemble — bringing the attack well within the means of the less financially flush.
Three months later, Eric Butler and Ian Gallagher highlighted the insecurity of Internet web sites that don't use SSL by default when they debuted the Firesheep Firefox extension at ToorCon. Firesheep allows an eavesdropper to hijack another user's session on Facebook, Twitter, Yelp, Flickr, and many other popular websites merely by sniffing packets on an open wireless network and capturing the victim's cookie. This means that if a web site isn't using SSL to encrypt users' communications, Firesheep makes it ridiculously simple for someone to access a user's account on that site. In response, a handful of sites started using encryption by default, including GitHub and DropBox, while others, such as Windows Live, have made it an option for the first time.
EFF has made progress on monitoring and aiding HTTPS adoption with our popular HTTPS Everywhere software, and on advancing research on how HTTPS is actually used with our SSL Observatory. Though the Observatory has yet to find evidence of the man-in-the-middle attacks we're most curious about, it's unearthed plenty of evidence that HTTPS is not always used as its designers intended.
UPDATE: In the final days of 2010, GSM's profound security flaws have been in the spotlight at the 27th Chaos Communication Congress in Berlin. As Wired reports, Karsten Nohl and Sylvain Munaut "demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network 'sniffers,' a laptop computer and a variety of open source software."
At the beginning of this year EFF identified a dozen important trends in law, technology and business that we thought would play a significant role in shaping digital rights in 2010, with a promise to revisit our predictions at the end of the year. Now, as 2010 comes to a close, we're going through each of our predictions one by one to see how accurate we were in our trend-spotting. Today, we're looking back on Trend #9, social networking privacy, where we predicted the following:
Social Networking Privacy: Something's Got To Give
For some, social networking sites are the Internet. Facebook now has over 350 million accounts — roughly the same as the total number of Internet users worldwide a decade ago. That means that the bad guys who were exploiting security weaknesses in the wider Net in the last decade will now turn in force on the bigger networking sites. And by bad guys, we mean everyone from criminals, to unethical data-mining companies, to ISPs who can't resist snooping on that remunerative personal data passing down their pipes, to governments seeking new ways to track their citizens.
It wasn't all Facebook; Yahoo also got involved in a social networking privacy controversy, and EFF's FOIA work showed the government's social networking efforts. More recently, Firesheep highlighted the dangers of logging in to social networks without SSL, while HTTPS Everywhere provided a means to help.
After a down-to-the-wire push, the Federal Communications Commission this week approved by 3-2 its long-awaited regulatory proposal on net neutrality. We haven’t finished combing through the actual rules document, all 200 pages of which were just released today, but nonetheless the summary documents gave us some important hints about what the rules contain.
The FCC’s Basis for Regulating: Contrary to some expectations, the FCC is offering new theories for its regulatory authority, opting not to re-assert the “ancillary” legal theory rejected by the D.C. Circuit Court of Appeals. Following the ‘throw it against the wall and see what sticks’ approach, the FCC has volunteered a smorgasbord of potential justifications, the sum of which apparently demonstrates that "[b]roadband Internet access services are clearly within the Commission’s jurisdiction." The lead argument appears to be Section 706 of the Telecommunications Act, which requires the FCC to report to Congress and take steps to help create universal broadband availability. We’ll see if the Court agrees that this allows the FCC to create broad rules of the road for the Internet.
The merits of the specific net neutrality proposals notwithstanding, the FCC’s continued attempt to find a broad, unfocused basis for jurisdiction is a disconcerting strategy. An ungrounded rationale for regulatory authority is easily abused, opening the door to other, undesirable regulation.
Now to the substance. From what we’ve learned from FCC statements and bulletins, our anticipated concerns were right on target. The rules appear to be riddled with loopholes and exemptions, to the point where the FCC’s declaration that the order represents bright-line rules and a framework for predictability is hard to reconcile. It’s likely there won’t be much clarity around the rules’ application until they get invoked in FCC enforcement actions or otherwise.
(1) Carve-outs for wireless. The FCC order creates a subset of less restrictive rules that apply exclusively to wireless services: Wireless operators need only ensure that consumers are able to access lawful websites and also apps that compete with the providers’ own services (both requirements subject to ‘reasonable network management’ needs). In addition, the rule against unreasonable discrimination does not apply to wireless services. Similar to past proposals, only a transparency requirement in the current order applies equally to wireless and wireline. This is significantly disappointing. We previously noted that from a consumer perspective, we don’t see a valid distinction between wired and wireless internet use. Unfortunately, our urging for similar treatment has gone unheeded.
(2) Loopholes for "unlawful content." As we feared, the FCC’s "no blocking" requirement exempts ISPs that discriminate on the basis of "unlawful content," paving the way for traffic discrimination that is clothed in claims that it is protecting against copyright infringement or other illegal activity.
(3) "Reasonable network management" exceptions. Under the order, 'no blocking' and 'no unreasonable discrimination' rules may be superseded where there are "reasonable network management" requirements. While the order defines reasonable network management in what appears to be a content neutral way, it remains to be seen whether this will be the case in practice or whether, as we have warned, the exception may swallow the rule.
(4) Allowances for "managed" or "special" services. Consistent with our concerns, the order leaves room for non-neutral "specialized services" immune from nondiscrimination rules, without clear boundaries on what those encompass. The rules state that this exemption will be monitored by the FCC for discriminatory and anticompetitive practices. We’ll be monitoring it, too.
(5) Pay for priority. The FCC statement notes that commercial pay-for-priority business arrangements are not likely to pass muster under the "no unreasonable discrimination" rule. This is the main element excerpted from the current order that was not on EFF’s list of concerns. It’s another one that will require close monitoring, however, and may be especially difficult to detect in the midst of complex peering and other relationships between various internet entities.
With the caveat again that we haven’t reviewed the rules themselves in their entirety, it appears that Chairman Genachowski is dodging resolution on the more difficult determinations, leaving them to future enforcement actions and underscoring our speculation that he may be pursuing political image first and substantive change second, if at all, since the regulations are certainly going to be challenged in court.
So despite the best intentions of many people, we may end up with a lose/lose world in which the regulations not only fail to help combat actual network neutrality problems, but also, like the Trojan Horse, undermine our ability to stop counterproductive FCC regulation of the Internet by this or a future FCC. Let’s hope not. EFF will continue to monitor the situation and watch for ways to help ensure that real net neutrality happens.
Your digital camera may embed metadata into photographs with the camera's serial number or your location. Your printer may be incorporating a secret code on every page it prints which could be used to identify the printer and potentially the person who used it. If Apple puts a particularly creepy patent it has recently applied for into use, you can look forward to a day when your iPhone may record your voice, take a picture of your location, record your heartbeat, and send that information back to the mothership.
This is traitorware: devices that act behind your back to betray your privacy.
Perhaps the most notable example of traitorware was the Sony rootkit. In 2005 Sony BMG produced CDs which clandestinely installed a rootkit onto PCs that provided administrative-level access to the users' computers. The copy-protected music CDs would surreptitiously install their DRM technology onto PCs. Ostensibly, Sony was trying to prevent consumers from making multiple copies of their CDs, but the software also rendered the CD incompatible with many CD-ROM players in PCs, CD players in cars, and DVD players. Additionally, the software left a back door open on all infected PCs which would give Sony, or any hacker familiar with the rootkit, control over the PC. And if a consumer should have the temerity to find the rootkit and try to remove the offending drivers, the software would execute code designed to disable the CD drive and trash the PC.
Traitorware is sometimes included in products with less obviously malicious intent. Printer dots were added to certain color laser printers as a forensics tool for law enforcement, where they could help authenticate documents or identify forgeries. Apple’s scary-sounding patent for the iPhone is meant to help locate and disable the phone if it is lost or stolen. Don’t let these good intentions fool you—software that hides itself from you while it gives your personal data away to a third party is dangerous and dishonest. As the Sony BMG rootkit demonstrates, it may even leave your device wide open to attacks from third parties.
Traitorware is not some science-fiction vision of the future. It is the present. Indeed, the Sony rootkit dates back to 2005. Apple’s patent application indicates that we are likely to see more traitorware on the horizon. When that happens, EFF will be there to fight it. We believe that your software and devices should not be a tool for gathering your personal data without your explicit consent.
At the beginning of this year EFF identified a dozen important trends in law, technology and business that we thought would play a significant role in shaping digital rights in 2010, with a promise to revisit our predictions at the end of the year. Now, as 2010 comes to a close, we're going through each of our predictions one by one to see how accurate we were in our trend-spotting. Today, we're looking back on Trend #2, the future of books and newspapers:
Since 2000, the music industry has most spectacularly flailed (and failed) to combat the Net's effect on its business model. Their plans to sue, lock-up and lobby their way out of their problem did nothing to turn the clock back, but did cause serious damage to free speech, innovation and fair use.
These days, the book and newspaper industries are similarly mourning the Internet's effect on their bottom line. In 2009, Rupert Murdoch changed the tone of the debate when he called those who made fair use of his papers' content "thieves." We think 2010 and beyond will see others in the print world attempt to force that view, and break the fair use doctrine by lobbying to change accepted copyright law, challenging it in the courts, or by placing other pressures on intermediaries.
A cluster of similar battles around user control are also gathering around e-reader products like Kindle and Google Book Search, many of which rewrite the rules for book ownership and privacy wholesale.
We were largely right about this one, although in a way we didn't foresee. This year we saw the Las Vegas Review Journal newspaper join with some lawyers called Righthaven and lurch down the RIAA's dark path by launching hundreds of "copyright troll" lawsuits against individual bloggers and others. As with the music industry's failed "sue the customers" gambit, this one has done nothing to help the newspaper industry, but has already caused damage to free speech and fair use. In 2011 we hope to see the tide turn, though, as the judges hearing the Righthaven cases are starting to raise concerns about fair use and other problems with this ugly business model.
On e-Readers, though, 2011 was still a year of early market growth, with the iPad entering into the fray and the publishing industry still generally embracing DRM (it took the music industry a few years to give up on DRM so it's disappointing but no big surprise to see the publishing industry do the same). On Google Books we're still waiting, since the federal judge hearing the big lawsuit took a long day of testimony in February but has not yet ruled.